From 430ab98400373a5843f268f7e749ab4122c7b091 Mon Sep 17 00:00:00 2001 From: Richard Ramos Date: Mon, 11 May 2026 08:24:10 -0400 Subject: [PATCH 1/2] feat(p2p) - more commitments --- .../2026q2-nimlibp2p-boringssl-migration.md | 78 +++++++++++++++++++ content/p2p/index.md | 1 + 2 files changed, 79 insertions(+) create mode 100644 content/p2p/ift/2026q2-nimlibp2p-boringssl-migration.md diff --git a/content/p2p/ift/2026q2-nimlibp2p-boringssl-migration.md b/content/p2p/ift/2026q2-nimlibp2p-boringssl-migration.md new file mode 100644 index 0000000000..5f1c34a92c --- /dev/null +++ b/content/p2p/ift/2026q2-nimlibp2p-boringssl-migration.md 
@@ -0,0 +1,78 @@ +--- + +title: nim-libp2p BoringSSL migration +tags: + - "2026q2" + - "p2p" + - "ift" +draft: false +description: Replace BearSSL usage in nim-libp2p with BoringSSL-backed TLS, cryptography, and RNG paths + +--- + +`ift-ts:p2p:ift:2026q2-nimlibp2p-boringssl` + +Replace BearSSL usage in nim-libp2p with BoringSSL-backed TLS, +cryptography, and RNG paths. + +## Description + +nim-libp2p currently depends on both BearSSL and BoringSSL. BearSSL is no +longer actively maintained by its author, while BoringSSL is already required +for QUIC support. This commitment reduces duplicated crypto dependencies by +making nim-libp2p and relevant dependencies, including nim-websocket, agnostic +with respect to the selected TLS backend, then migrating BearSSL-specific +cryptography and RNG usage toward BoringSSL-backed implementations. + +The migration should preserve existing secure transport behavior while +allowing downstream users to select the backend explicitly during the transition. +BearSSL support can remain available behind the backend abstraction until all +call sites have been moved or downstream consumers no longer require it. + +## Task List + +### TLS Backend Abstraction + +* fully qualified name: `ift-ts:p2p:ift:2026q2-nimlibp2p-boringssl:tls-backend-abstraction` +* owner: richard +* status: 40% +* start-date: 2026/05/03 +* end-date: 2026/06/30 + +#### Description + +Make nim-libp2p and nim-websocket independent of a concrete TLS backend. Move +BearSSL-specific transport code behind a small backend selection layer and add +the wiring needed to use BoringSSL where QUIC already requires it. 
+ +#### Deliverables + +- TLS backend selection API or configuration for nim-libp2p users +- nim-websocket changes needed to avoid hard-coding BearSSL +- BoringSSL-backed TLS path available through the shared abstraction +- Compatibility tests covering existing secure websocket and TLS behavior +- Updated dependency documentation describing backend selection and defaults + +### Cryptography and RNG Migration + +* fully qualified name: `ift-ts:p2p:ift:2026q2-nimlibp2p-boringssl:crypto-rng-migration` +* owner: richard +* status: not started +* start-date: 2026/05/01 +* end-date: 2026/06/30 + +#### Description + +Audit direct BearSSL cryptography and RNG usage in nim-libp2p and replace the +first set of call sites with BoringSSL-backed helpers. Prioritize call sites +that are on maintained transports, test utilities, or shared security paths so +the default dependency graph can move away from BearSSL incrementally. + +#### Deliverables + +- Inventory of BearSSL cryptography and RNG call sites in nim-libp2p +- BoringSSL-backed helper APIs for migrated cryptography and RNG operations +- Initial set of BearSSL crypto/RNG call sites migrated to BoringSSL-backed helpers +- Tests proving migrated paths produce compatible behavior +- Follow-up cleanup plan for remaining BearSSL usage + diff --git a/content/p2p/index.md b/content/p2p/index.md index 05994fe352..0b9b3fda5e 100644 --- a/content/p2p/index.md +++ b/content/p2p/index.md @@ -18,6 +18,7 @@ Major future work items on nim-libp2p (also beyond this reporting period are cap ### `ift:` * [[p2p/ift/2026q2-anoncomms-consulting|anoncomms-consulting]] +* [[p2p/ift/2026q2-nimlibp2p-boringssl|nimlibp2p-boringssl-migration]] * [[p2p/ift/2026q2-nimlibp2p-cbindings|nimlibp2p-cbindings]] * [[p2p/ift/2026q2-nimlibp2p-connection-management|nimlibp2p-connection-management]] * [[p2p/ift/2026q2-nimlibp2p-gossipsub-queues|nimlibp2p-gossipsub-queues]] From af3813170475f45e8327656ae6d17cd9b7683d23 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 11 May 2026 14:41:58 +0000 Subject: [PATCH 2/2] fix(p2p): align boringssl roadmap metadata Agent-Logs-Url: https://github.com/vacp2p/roadmap/sessions/4cb527e4-6f1d-4cc8-8d6c-91cd322ddee9 Co-authored-by: richard-ramos <1106587+richard-ramos@users.noreply.github.com> --- content/p2p/ift/2026q2-nimlibp2p-boringssl-migration.md | 9 ++++----- content/p2p/index.md | 2 +- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/content/p2p/ift/2026q2-nimlibp2p-boringssl-migration.md b/content/p2p/ift/2026q2-nimlibp2p-boringssl-migration.md index 5f1c34a92c..4918805b5f 100644 --- a/content/p2p/ift/2026q2-nimlibp2p-boringssl-migration.md +++ b/content/p2p/ift/2026q2-nimlibp2p-boringssl-migration.md @@ -10,7 +10,7 @@ description: Replace BearSSL usage in nim-libp2p with BoringSSL-backed TLS, cryp --- -`ift-ts:p2p:ift:2026q2-nimlibp2p-boringssl` +`ift-ts:p2p:ift:2026q2-nimlibp2p-boringssl-migration` Replace BearSSL usage in nim-libp2p with BoringSSL-backed TLS, cryptography, and RNG paths. @@ -33,9 +33,9 @@ call sites have been moved or downstream consumers no longer require it. ### TLS Backend Abstraction -* fully qualified name: `ift-ts:p2p:ift:2026q2-nimlibp2p-boringssl:tls-backend-abstraction` +* fully qualified name: `ift-ts:p2p:ift:2026q2-nimlibp2p-boringssl-migration:tls-backend-abstraction` * owner: richard -* status: 40% +* status: in progress (40%) * start-date: 2026/05/03 * end-date: 2026/06/30 @@ -55,7 +55,7 @@ the wiring needed to use BoringSSL where QUIC already requires it. ### Cryptography and RNG Migration -* fully qualified name: `ift-ts:p2p:ift:2026q2-nimlibp2p-boringssl:crypto-rng-migration` +* fully qualified name: `ift-ts:p2p:ift:2026q2-nimlibp2p-boringssl-migration:crypto-rng-migration` * owner: richard * status: not started * start-date: 2026/05/01 
@@ -75,4 +75,3 @@ the default dependency graph can move away from BearSSL incrementally. - Initial set of BearSSL crypto/RNG call sites migrated to BoringSSL-backed helpers - Tests proving migrated paths produce compatible behavior - Follow-up cleanup plan for remaining BearSSL usage - diff --git a/content/p2p/index.md b/content/p2p/index.md index 0b9b3fda5e..129e859755 100644 --- a/content/p2p/index.md +++ b/content/p2p/index.md @@ -18,7 +18,7 @@ Major future work items on nim-libp2p (also beyond this reporting period are cap ### `ift:` * [[p2p/ift/2026q2-anoncomms-consulting|anoncomms-consulting]] -* [[p2p/ift/2026q2-nimlibp2p-boringssl|nimlibp2p-boringssl-migration]] +* [[p2p/ift/2026q2-nimlibp2p-boringssl-migration|nimlibp2p-boringssl-migration]] * [[p2p/ift/2026q2-nimlibp2p-cbindings|nimlibp2p-cbindings]] * [[p2p/ift/2026q2-nimlibp2p-connection-management|nimlibp2p-connection-management]] * [[p2p/ift/2026q2-nimlibp2p-gossipsub-queues|nimlibp2p-gossipsub-queues]]
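Review bot: In PATCH 1/2, in the new file's "Cryptography and RNG Migration" deliverables, the line `Tests proving migrated paths produce compatible behavior` does not say what "compatible" means for the RNG call sites, where output cannot be compared between a BearSSL path and a BoringSSL path. Suggest splitting it: cross-backend known-answer or interop tests for the migrated cryptographic helpers, and for the RNG helpers tests of the interface contract (requested length is filled, failure is surfaced to the caller). In the same hunk, the TLS task lists `backend selection and defaults` as documentation, but the Description never names which backend is the default during the transition; stating it there would make the compatibility tests checkable.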
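Review bot: In PATCH 1/2, the `content/p2p/index.md` hunk adds the wikilink target `p2p/ift/2026q2-nimlibp2p-boringssl`, while the file created in the same patch is `2026q2-nimlibp2p-boringssl-migration.md`, so the index entry does not match the new page at this commit. PATCH 2/2 corrects the target; suggest squashing the two patches so no commit in the history carries the mismatched link and the mismatched `ift-ts:` identifiers.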
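Review bot: In PATCH 2/2, the `@@ -55,7 +55,7 @@` hunk updates the fully qualified name of "Cryptography and RNG Migration" but leaves `status: not started` next to `start-date: 2026/05/01`, a date that precedes both this commit (11 May 2026) and the 2026/05/03 start of the TLS task that is already in progress. Since this patch is the metadata alignment pass, suggest either moving the start date to the planned one or changing the status so the two fields agree.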