I support deprecating openssl1.1. We definitely shouldn’t be adding any
new packages that depend on it.

However, dropping the -devel package is almost as drastic as simply
retiring the OpenSSL 1.1 package altogether. Grepping spec files for
'BuildRequires:.*openssl1' turns up the following packages that would
immediately FTBFS:

- anope
- baresip
- botan2
- ceph
- chatty
- dotnet3.1
- dsniff
- eggdrop
- erlang
- kf5-kdelibs4support
- libasr
- libqxt-qt5
- libre
- libretls
- lua-sec
- nginx
- nodejs
- opensmtpd
- partclone
- pypy3.8
- pypy
- python2.7
- python3.6
- python3.7
- python-uamqp
- qt
- radsecproxy
- rpki-client
- ssldump
- tcltls
- thc-ipv6
- unrealircd
- w3m
- znc

Some of these have pretty large trees of dependent packages. I don’t
think we’re ready for all of these packages to go FTBFS, preventing them
from rebuilding or providing updates, until somebody figures out how to
port them to OpenSSL 3.0. In a lot of cases, the maintainers of these
packages in Fedora won’t be able to develop the necessary patches alone,
so dropping the -devel packages would be playing hardball with the wrong
people.

I’m sympathetic to the importance of retaining momentum toward
openssl1.1 retirement rather than letting the compatibility package
linger indefinitely, but I think right now—nine months after OpenSSL 3.0
was released—this momentum should be in the form of *assisting* these
maintainers and upstreams in porting their packages, rather than in the
form of forcing them to figure out an emergency patch.

In general, omitting -devel packages as an intermediate step between
deprecation and retirement is not a practice I would like to see
proliferate in Fedora. Packages that can be used but not built from
source are defects in an open distribution, and we should avoid creating
them intentionally.

– Ben Beasley

On 6/24/22 05:19, Daniel P. Berrangé wrote:
> On Fri, Jun 24, 2022 at 11:13:13AM +0200, Dmitry Belyavskiy wrote:
>> On Wed, Jun 22, 2022 at 11:02 PM Miro Hrončok <mhroncok(a)redhat.com> wrote:
>>
>>> On 22. 06. 22 21:05, Vipul Siddharth wrote:
>>>> We are going to deprecate openssl1.1 package, stop shipping the
>>>> corresponding devel package, and stop respecting crypto policies in
>>>> openssl1.1 package itself.
>>> +1 to deprecating it
>>>
>> Great!
>>
>>> -1 to stop shipping the devel package, this would mean we cannot build at
>>> least:
>>>
>>> - Python 2.7
>>> despite our long term efforts, many things still need that, e.g. gimp,
>>> firefox (some builds do, then some don't), thunderbird etc., see
>>> https://fedora.portingdb.xyz/
>>>
>>> Or Python 3.6 (shipped for developers targeting RHEL 7/8).
>>>
>>> As long as OpenSSL 1.1 gets security fixes in RHEL 8, could we please
>>> leave the
>>> devel package?
>>>
>> I'm not sure that if we don't remove the devel package, we will provide
>> strong enough motivation to get rid of the deprecating packages.
> If the openssl maintainers really strongly want to remove the
> devel package, then don't call this deprecation because that
> is misleading. Call this purging openssl1.1 from the entire
> distro, such that it can only be used by 3rd party apps who
> have previously compiled against older Fedora openssl-devel.
> Be open about the fact that this will cause FTBFS for any Fedora
> packages that still use openssl1 and their removal from the
> distro if they can't port to openssl3 very quickly.
>
> With regards,
> Daniel