----- Original Message -----
> From: "Tomas Mraz" <tmraz(a)redhat.com>
> To: "Miro Hrončok" <mhroncok(a)redhat.com>, "Development discussions related to Fedora" <devel(a)lists.fedoraproject.org>
> Cc: "python-maint" <python-maint(a)redhat.com>
> Sent: Tuesday, March 24, 2020 1:22:37 PM
> Subject: Re: Heads up: OpenSSL-1.1.1e coming to Rawhide
>
> On Sun, 2020-03-22 at 17:29 +0100, Miro Hrončok wrote:
> > On 19. 03. 20 17:31, Tomas Mraz wrote:
> > > The new openssl-1.1.1e is coming to Rawhide.
> > >
> > > It reports premature EOF/improper shutdown on TLS connections more
> > > properly. However this might make some dependencies broken in build
> > > tests (such as Ruby).
> > >
> > > As I would like to eventually update the openssl also on stable
> > > branches because it brings many bugfixes please consider bringing
> > > eventual fixes/workarounds in depending packages also there.
> >
> > Packages failing to build:
> >
> > https://koschei.fedoraproject.org/affected-by/openssl?epoch1=1&versio...
> >
> > https://koschei.fedoraproject.org/affected-by/openssl-devel?epoch1=1&...
> >
> > That includes Python interpreters.
> >
> > We have Python tests defined in the CI:
> >
> > https://src.fedoraproject.org/rpms/openssl/blob/master/f/tests/tests_pyth...
> >
> > Why has this upgrade never been tested that way?
>
> I knew there will be actual problems so that is the reason why I sent
> the heads up. Next time I'll make sure the CI is run as well, not sure
> if it would make any difference in this case apart from maybe I would
> open bugs right away?

With the PR workflow on pagure, the CI would be run and we can check
out the issues that might appear on the python side at least, as we
have added the relevant python tests in the openssl pagure repo. So
indeed it would help a lot.

> > Please do not push this to older releases until we fix this.
>
> I will not push it to older releases. Most probably we will revert this
> change in upstream 1.1.1 branch and I will update the rawhide build
> with the revert patch as well. Anyway this change is going to stay in
> the master branch of OpenSSL (for 3.0.0) so it is a good idea to be
> able to handle it in the dependencies anyway.
>
That would be great actually, thanks for considering it. Pushing this
change for the 3.0.0 version of OpenSSL should provide us with enough
time to iron out everything.

On a side note, is there some upstream CI of OpenSSL where we could
maybe test its integration with Python, or other projects? From the
python upstream CI side, where we use the buildbot software, we
noticed that when the fedora servers running the builds got the
openssl package updated, the tests started failing. Maybe something
similar could be implemented for OpenSSL, depending of course if the
infrastructure is in place.

There is already pyca-cryptography build and testsuite run in the
external tests. Perhaps some more python related stuff could be added
although I am not sure the way it is currently integrated would allow
much bigger testsuites being run.

--
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]