On Thu, Jun 23, 2022 at 12:35:28AM +0530, Vipul Siddharth wrote:
https://fedoraproject.org/wiki/Changes/DeprecateOpensslCompat
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.
== Summary ==
We are going to deprecate openssl1.1 package, stop shipping the
corresponding devel package, and stop respecting crypto policies in
openssl1.1 package itself.
Not respecting crypto policies is needlessly introducing a
significant regression. Deprecating something does not usually
mean intentionally hobbling its features. I would expect functionality
of openssl1.1 that exists today to remain unchanged, until such time
as it can be removed from the distro entirely.
IOW, by all means we should stop introducing new packages using it,
but if something is already using it, we shouldn't change its
behaviour.
Is removing the -devel package the right approach ? It will
certainly stop new packages using it, but when we come to do the
next mass rebuild, it will break any existing usage too. What
existing packages in the distro still use it, and are we willing
to have those packages be dropped after the inevitible FTBFS due
to missing -devel packages ?
== Owner ==
* Name: [[User:DmitryBelyavskiy| Dmitry Belyavskiy]]
* Email: dbelyavs(a)redhat.com
== Detailed Description ==
In Fedora 36 we switched to OpenSSL 3.0 branch. This is a brand new
version with new architecture. We left the openssl1.1 package for the
applications that were unable to switch to the new API/architecture,
3rd-party applications, etc. As openssl 1.1 has a predictable EOL, we
want to ensure that no new products relying on it will appear in
Fedora.
== Benefit to Fedora ==
This proposal ensures than no new packages in Fedora will rely on the
deprecated OpenSSL version that will cause an overall increase of
security/stability, and will reduce the amount of old packages relying
on OpenSSL 1.1 series.
It will also reduce the maintenance burden for the OpenSSL
maintainers, especially when new CVEs are published.
== Scope ==
* Proposal owners:
** Remove devel package
** eliminate crypto policy support from the main package
** provide assistance in migration to other developers
* Other developers:
** Patch their packages to work with OpenSSL 3.0
** Fedora/RHEL distributions provide some syntax sugar related to
https://fedoraproject.org/wiki/Packaging:CryptoPolicies. For the
packages still relying to openssl1.1 the syntax provided by crypto
policies will no longer be supported. The changes implemented
according to
https://fedoraproject.org/wiki/Packaging:CryptoPolicies
(e.g. using "PROFILE=SYSTEM" as default TLS ciphersuites
configuration) should be removed.
With regards,
Daniel
--
|:
https://berrange.com -o-
https://www.flickr.com/photos/dberrange :|
|:
https://libvirt.org -o-
https://fstop138.berrange.com :|
|:
https://entangle-photo.org -o-
https://www.instagram.com/dberrange :|