
Set up tooling to monitor upstream repositories

Open SWilson4 opened this issue 6 months ago • 4 comments

It would be good to have a dashboard where we can view a summary of activity on upstream repos (e.g., mlkem-native, PQClean).

See discussion in related issue https://github.com/open-quantum-safe/liboqs/issues/1928#issuecomment-2361286715.

SWilson4 avatar Jun 27 '25 17:06 SWilson4

Hello @dstebila and @SWilson4, if no one is working on this issue, can I please give it a shot?

A few questions on the ask here:

  1. Are all the upstreams we're concerned about found here? Or is there anything else?
  2. From here and the following comments in the same issue, it looks like the consensus was in Option 3. How would that look? For example, in case of ml-kem, IIUC, the upstream commit referred to is mentioned here. Do we want a list of all changes in the main branch of that repo after that commit? What else should be displayed in the dashboard?

the-c0d3br34k3r avatar Dec 01 '25 04:12 the-c0d3br34k3r

Hi @the-c0d3br34k3r, allow me to answer, as @SWilson4 has left the project and @dstebila is pretty busy these days on other things.

First of all: Thanks for your interest to contribute. Yes, it'd be great if you'd give this a try. Only question to @xuganyu96 whether he isn't looking into this too as part of his work to revamp "copy-from-upstream" (?).

Otherwise, yes, Option 3 looks like the consensus. Your 1) above is right: All Algs are captured in the docs folder and a summary of families in the README.md (but the algs folder is the more thorough doc source). On your 2) I don't think we need to trace all upstream updates since the last time we copied over code. What would be much more important in the dashboard would be indication that an upstream has more current code than liboqs does. Also contained should be a primary contact person for every algorithm that is willing to act on problems that liboqs users make us aware of in a specific algorithm. Ideal would be a "service quality" that we could add in the dashboard next to each algorithm (along the lines/continuum of "unsupported", "best effort", ..., "24x7 emergency contact" for example) (that was the original idea behind https://github.com/open-quantum-safe/liboqs/issues/1928 which grand-fathered this issue).

baentsch avatar Dec 01 '25 14:12 baentsch

> First of all: Thanks for your interest to contribute. Yes, it'd be great if you'd give this a try. Only question to @xuganyu96 whether he isn't looking into this too as part of his work to revamp "copy-from-upstream" (?).

My refactor work will not expand the feature set and so will not cover upstream monitoring.

xuganyu96 avatar Dec 01 '25 19:12 xuganyu96

@baentsch, thanks for clarifying! I'll whip up a PoC web page and we can discuss and develop on that. Another question on that front. Since we store the source of the upstream repos here, is there any reason we aren't using git submodules for them? That would make it easier to keep track of its state with respect to the original upstream repo using git. If not, we can use the commit reference in .md or .yaml file in the algs folder and look up the latest state in the upstream repo.

@xuganyu96, thanks for confirming!

the-c0d3br34k3r avatar Dec 03 '25 04:12 the-c0d3br34k3r
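The check discussed in this thread (compare the commit recorded for each upstream against that upstream's current branch head, and show contact and service level beside the result), sketched as an added example that is not part of the thread or of liboqs. The record fields, upstream names, URLs, commits and contacts are constructed placeholders, and liboqs's real metadata layout may differ.

```python
import subprocess

# Constructed records: names, URLs, commits and contacts are placeholders,
# not values from liboqs or its upstreams.
PINNED = [
    {"upstream": "upstream-a", "url": "https://example.invalid/a.git", "branch": "main",
     "commit": "a" * 40, "contact": "maintainer-a", "service": "best effort"},
    {"upstream": "upstream-b", "url": "https://example.invalid/b.git", "branch": "main",
     "commit": "b" * 40, "contact": "maintainer-b", "service": "unsupported"},
    {"upstream": "upstream-c", "url": "https://example.invalid/c.git", "branch": "main",
     "commit": "c" * 40, "contact": "maintainer-c", "service": "best effort"},
]
# Constructed `git ls-remote` output per URL (tab-separated "<sha>\t<ref>").
SAMPLE = {
    "https://example.invalid/a.git": "a" * 40 + "\trefs/heads/main\n",
    "https://example.invalid/b.git": "d" * 40 + "\trefs/heads/main\n",
    "https://example.invalid/c.git": "",  # branch missing on the remote
}

def parse_ls_remote(output):
    """Return {ref: sha} from `git ls-remote` output, skipping malformed lines."""
    refs = {}
    for line in output.splitlines():
        sha, sep, ref = line.partition("\t")
        sha = sha.lower()
        if sep and len(sha) in (40, 64) and all(c in "0123456789abcdef" for c in sha):
            refs[ref.strip()] = sha
    return refs

def ls_remote(url, branch):
    """Query the live remote; needs git and network access."""
    return subprocess.run(["git", "ls-remote", "--heads", url, branch], check=True,
                          capture_output=True, text=True, timeout=30).stdout

def dashboard_rows(pinned, fetch=ls_remote):
    """One row per upstream: sync status plus contact and service level."""
    rows = []
    for rec in pinned:
        try:
            refs = parse_ls_remote(fetch(rec["url"], rec["branch"]))
            head = refs.get("refs/heads/" + rec["branch"])
        except (OSError, subprocess.SubprocessError):
            head = None  # report as unknown instead of aborting the whole run
        if head is None:
            status = "unknown"
        elif head == rec["commit"].lower():
            status = "in sync"
        else:
            status = "upstream differs"
        rows.append((rec["upstream"], status, rec["contact"], rec["service"]))
    return rows

if __name__ == "__main__":
    for row in dashboard_rows(PINNED, fetch=lambda url, branch: SAMPLE[url]):
        print(*row, sep=" | ")
```

A differing head only shows that the branch no longer points at the recorded commit; saying how far ahead upstream is needs the commit history, from a clone or the hosting API.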