Re: Is OpenSSL 3.0 still planned for Fedora 35?

On Tue, 2021-08-03 at 07:52 -0400, Neal Gompa wrote:
> On Tue, Aug 3, 2021 at 7:10 AM Simo Sorce <simo@xxxxxxxxxx> wrote:
> > 
> > On Tue, 2021-08-03 at 06:50 -0400, Neal Gompa wrote:
> > > On Tue, Aug 3, 2021 at 5:59 AM Simo Sorce <simo@xxxxxxxxxx> wrote:
> > > > 
> > > > On Mon, 2021-08-02 at 17:43 -0400, Neal Gompa wrote:
> > > > > On Mon, Aug 2, 2021 at 5:39 PM Stephen Gallagher <sgallagh@xxxxxxxxxx> wrote:
> > > > > > 
> > > > > > On Mon, Aug 2, 2021 at 11:11 AM Simo Sorce <simo@xxxxxxxxxx> wrote:
> > > > > > > 
> > > > > > > I think at this stage it may be safer to defer to F36, and land OpenSSL
> > > > > > > 3.0 in rawhide right after F35 forks out.
> > > > > > > 
> > > > > > 
> > > > > > I'm generally in agreement here; I think it's too much risk too late
> > > > > > in the cycle. Could you re-propose the Change for F36?
> > > > > 
> > > > > I'm not sure I agree, but the Change owners can request the proposal
> > > > > to be deferred to F36, which I *personally* would accept if
> > > > > they intended to import OpenSSL 3.0 into Rawhide *right* after
> > > > > branching. No more delaying it since it's clearly being done in RHEL
> > > > > (which is already super-backwards to begin with). This Change has
> > > > > already been deferred once (it was originally planned for F34). I
> > > > > don't want it deferred again without a plan to work on it *in Fedora*.
> > > > > 
> > > > > Otherwise, just abandon the Change entirely.
> > > > 
> > > > Neal,
> > > > you are addressing this as if the OpenSSL maintainers are being
> > > > capricious.
> > > > 
> > > > We deferred the introduction of OpenSSL 3.0 in Fedora because we did
> > > > not want a mess in a distribution that is actually used, out of concern
> > > > for our users.
> > > > 
> > > > We can "dump" OpenSSL 3.0 in Fedora at any time, but we consciously
> > > > choose not to as to avoid pain for users. We cannot drop the Change
> > > > because we have to introduce OpenSSL 3.0 at some point, we just want to
> > > > introduce it when it's right for Fedora.
> > > > 
> > > 
> > > My irritation comes from the lack of communication from the Change
> > > owner. This Change has already been deferred once (for good reason,
> > > mind you). I'm annoyed that this is being deferred again because this
> > > time the Change owner hasn't said *anything* at all. Everyone else
> > > seems to be speaking (even Florian, which confuses me). I wouldn't
> > > mind the Change being deferred again for solid technical reasons, but
> > > I don't know how to trust that this Change is ever going to get done
> > > because zero work happened and zero communication happened.
> > 
> > The fact work isn't visible, doesn't mean nothing happened.
> > 
> 
> To most people, it appears that nothing has happened, yes. It would
> have been nice to know that stuff happened.


Lemme push back on you right here.

Did you express interest in this change before?
Did you write to Sahana when you realized you had not seen the
communication you wanted?

> > That said, upstream broke the ABI between alpha and beta1 so we are
> > very happy that we "have done nothing" in Fedora and delayed the
> > change.
> > 
> 
> Sure, but the Change proposal[1] explicitly says that the work would
> start *after* the beta release in June. The beta release came out June
> 17[2], and nothing happened afterward in Fedora, presumably because
> Sahana was working on rebasing to it in CentOS Stream 9, which
> completed a month later[3]. Note that now Beta 2 came out a week
> ago[4], which seems to carry *some* ABI stability (which is a surprise
> to me, honestly...).
> 
> From my naive point of view, once that rebase work was complete, I
> would have expected the same effort to land in Fedora, since we
> already had the openssl1.1 compatibility package created a year
> ago[5]. Then we could have integrated it as part of the mass build
> last week instead of needing a targeted rebuild for it in a side-tag.

It would have been nice, but also a disaster to rush changes into
Fedora. There was also no strong need.

We are aware of exactly ZERO packages clamoring to get OpenSSL 3.0 in
Fedora right now.


> For what it's worth, there seem to be 633 source packages that produce
> 940 binary packages that link to OpenSSL, so it's not *that* crazy to
> do a targeted rebuild:
> 
> > ngompa@localhost ~> sudo dnf -q repoquery --qf "%{SOURCERPM}" --whatdepends openssl-libs --latest=1 --exclude=\*.i686 | wc -l
> > 633
> > ngompa@localhost ~> sudo dnf -q repoquery --whatdepends openssl-libs --latest=1 --exclude=\*.i686 | wc -l
> > 940

It is crazy; with a lot fewer packages we had a lot of work in
CentOS 9/RHEL 9. All that work is going to benefit Fedora for once,
hopefully, but it is still work that needs to be done.

We did not want to throw work on maintainers without knowing there are
good solutions, especially at the last minute.

> Basically, my problem is that I don't think Sahana was prepared on how
> to handle doing this work properly and they just need to be aware that
> communication is extremely important when doing stuff like this.
> Sahana took this over from Tomáš Mráz, who left Red Hat to work for
> the OpenSSL Foundation on OpenSSL full-time. In that transfer, I don't
> think anyone educated Sahana on how to handle Fedora Changes.


My problem is that you are throwing baseless accusations, and for no
good reason.
*Nothing* happened; it means we did not destabilize Fedora, nor cause
unnecessary work to anyone. Sure, we did not go around telling everyone
that nothing was happening, sorry but "Big deal!".

Communication is important if we are going to break stuff, but luckily
we decided to do a lot of legwork before throwing stuff in,
unfortunately all this work and the delays upstream meant we ultimately
decided it was more prudent to delay the change in Fedora. I call this
handling the change very appropriately, and I think you should
apologize to Sahana.

> However, regardless of all the previous mistakes,

What mistakes? 


>  I still don't think
> that OpenSSL 3.0 necessarily needs to be skipped for Fedora Linux 35
> based on all that.

So you now think you can make better choices than the maintainers and
people that closely worked on this?

>  What *would* concern me is OpenSSL 3.0's own
> release schedule, or rather the lack of one.

Oh boy, like we do not have this problem with like 98% of the Open
Source projects we use in Fedora? Why is OpenSSL special now?

>  It is unclear when
> OpenSSL 3.0 final is supposed to be released. Digging into the
> upstream project information, it seems like there's not much left[6].
> But I'm unsure if they do relatively fixed milestones or very fluid
> milestones. That's also combined with no estimates of when OpenSSL 3.0
> final is supposed to be released, at least none that I can find.


This is exactly why we have been very cautious and not cavalier with
this change. We planned, we worked on it, and ultimately quietly
decided to postpone instead of inflicting a lot of pain on our
developers and users. I call this considerate, and not a mistake.

Yeah we did not constantly tell you "not yet", "not yet", "not yet".

Sorry if we've been busy, but accusing people of nefarious behavior for
nothing, is not exactly friendly.

Thanks for your understanding ... or lack thereof.

Simo.

> [1]: https://fedoraproject.org/wiki/Changes/OpenSSL3.0
> [2]: https://www.openssl.org/blog/blog/2021/06/17/OpenSSL3.0ReleaseCandidate/
> [3]: https://gitlab.com/redhat/centos-stream/rpms/openssl/-/merge_requests/15
> [4]: https://github.com/openssl/openssl/releases/tag/openssl-3.0.0-beta2
> [5]: https://src.fedoraproject.org/rpms/openssl1.1
> [6]: https://github.com/openssl/openssl/milestone/15
> 
> 
> 
> --
> 真実はいつも一つ!/ Always, there's only one truth!
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc


