Re: Is OpenSSL 3.0 still planned for Fedora 35?


 



On Tue, Aug 3, 2021 at 10:42 AM Simo Sorce <simo@xxxxxxxxxx> wrote:
>
> On Tue, 2021-08-03 at 07:52 -0400, Neal Gompa wrote:
> > On Tue, Aug 3, 2021 at 7:10 AM Simo Sorce <simo@xxxxxxxxxx> wrote:
> > >
> > > On Tue, 2021-08-03 at 06:50 -0400, Neal Gompa wrote:
> > > > On Tue, Aug 3, 2021 at 5:59 AM Simo Sorce <simo@xxxxxxxxxx> wrote:
> > > > >
> > > > > On Mon, 2021-08-02 at 17:43 -0400, Neal Gompa wrote:
> > > > > > On Mon, Aug 2, 2021 at 5:39 PM Stephen Gallagher <sgallagh@xxxxxxxxxx> wrote:
> > > > > > >
> > > > > > > On Mon, Aug 2, 2021 at 11:11 AM Simo Sorce <simo@xxxxxxxxxx> wrote:
> > > > > > > >
> > > > > > > > I think at this stage it may be safer to defer to F36, and land OpenSSL
> > > > > > > > 3.0 in rawhide right after F35 forks out.
> > > > > > > >
> > > > > > >
> > > > > > > I'm generally in agreement here; I think it's too much risk too late
> > > > > > > in the cycle. Could you re-propose the Change for F36?
> > > > > >
> > > > > > I'm not sure I agree, but the Change owners can request the proposal
> > > > > > to be deferred to F36, which I *personally* would accept if
> > > > > > they intended to import OpenSSL 3.0 into Rawhide *right* after
> > > > > > branching. No more delaying it since it's clearly being done in RHEL
> > > > > > (which is already super-backwards to begin with). This Change has
> > > > > > already been deferred once (it was originally planned for F34). I
> > > > > > don't want it deferred again without a plan to work on it *in Fedora*.
> > > > > >
> > > > > > Otherwise, just abandon the Change entirely.
> > > > >
> > > > > Neal,
> > > > > you are addressing this as if the OpenSSL maintainers are being
> > > > > capricious.
> > > > >
> > > > > We deferred the introduction of OpenSSL 3.0 in Fedora because we did
> > > > > not want a mess in a distribution that is actually used, out of concern
> > > > > for our users.
> > > > >
> > > > > We can "dump" OpenSSL 3.0 in Fedora at any time, but we consciously
> > > > > choose not to as to avoid pain for users. We cannot drop the Change
> > > > > because we have to introduce OpenSSL 3.0 at some point, we just want to
> > > > > introduce it when it's right for Fedora.
> > > > >
> > > >
> > > > My irritation comes from the lack of communication from the Change
> > > > owner. This Change has already been deferred once (for good reason,
> > > > mind you). I'm annoyed that this is being deferred again because this
> > > > time the Change owner hasn't said *anything* at all. Everyone else
> > > > seems to be speaking (even Florian, which confuses me). I wouldn't
> > > > mind the Change being deferred again for solid technical reasons, but
> > > > I don't know how to trust that this Change is ever going to get done
> > > > because zero work happened and zero communication happened.
> > >
> > > The fact work isn't visible, doesn't mean nothing happened.
> > >
> >
> > To most people, it appears that nothing has happened, yes. It would
> > have been nice to know that stuff happened.
>
>
> Lemme push back on you right here.
>
> Did you express interest in this change before?
> Did you write to Sahana when you realized you had not seen the
> communication you wanted?
>

Hm, that's fair. I should have written to Sahana before this point. I
had privately asked about this before months ago, but I should have
followed up again last month when I saw the MRs landing in CentOS
Stream 9. That is definitely my bad.

> > > That said, upstream broke the ABI between alpha and beta1 so we are
> > > very happy that we "have done nothing" in Fedora and delayed the
> > > change.
> > >
> >
> > Sure, but the Change proposal[1] explicitly says that the work would
> > start *after* the beta release in June. The beta release came out June
> > 17[2], and nothing happened afterward in Fedora, presumably because
> > Sahana was working on rebasing to it in CentOS Stream 9, which
> > completed a month later[3]. Note that now Beta 2 came out a week
> > ago[4], which seems to carry *some* ABI stability (which is a surprise
> > to me, honestly...).
> >
> > From my naive point of view, once that rebase work was complete, I
> > would have expected the same effort to land in Fedora, since we
> > already had the openssl1.1 compatibility package created a year
> > ago[5]. Then we could have integrated it as part of the mass build
> > last week instead of needing a targeted rebuild for it in a side-tag.
>
> It would have been nice, but also a disaster to rush changes into
> Fedora. There was also no strong need.
>
> We are aware of exactly ZERO packages clamoring to get OpenSSL 3.0 in
> Fedora right now.
>

Honestly? The reason I want OpenSSL 3.0 is the license change. I don't
really care about anything else.

>
> > For what it's worth, there seem to be 633 source packages that produce
> > 940 binary packages that link to OpenSSL, so it's not *that* crazy to
> > do a targeted rebuild:
> >
> > > ngompa@localhost ~> sudo dnf -q repoquery --qf "%{SOURCERPM}" --whatdepends openssl-libs --latest=1 --exclude=\*.i686 | wc -l
> > > 633
> > > ngompa@localhost ~> sudo dnf -q repoquery --whatdepends openssl-libs --latest=1 --exclude=\*.i686 | wc -l
> > > 940
>
> It is crazy, with a lot less packages we had a lot of work in
> Centos9/RHEL9, all that work is going to benefit Fedora for once,
> hopefully, but it is still work that needs to be done.
>
> We did not want to throw work on maintainers without knowing there are
> good solutions, especially at the last minute.
>

That's fair.

> > Basically, my problem is that I don't think Sahana was prepared on how
> > to handle doing this work properly and they just need to be aware that
> > communication is extremely important when doing stuff like this.
> > Sahana took this over from Tomáš Mráz, who left Red Hat to work for
> > the OpenSSL Foundation on OpenSSL full-time. In that transfer, I don't
> > think anyone educated Sahana on how to handle Fedora Changes.
>
>
> My problem is that you are throwing baseless accusations, and for no
> good reason.
> *nothing* happened, it means we did not destabilize Fedora, nor caused
> unnecessary work to anyone. sure we did not go around telling everyone
> that nothing was happening, sorry but "Big deal!".
>
> Communication is important if we are going to break stuff, but luckily
> we decided to do a lot of legwork before throwing stuff in,
> unfortunately all this work and the delays upstream meant we ultimately
> decided it was more prudent to delay the change in Fedora. I call this
> handling the change very appropriately, and I think you should
> apologize to Sahana.
>
> > However, regardless of all the previous mistakes,
>
> What mistakes?
>

I'm not actually sure what I meant here. I thought I deleted that when
drafting it. Oops.

>
> >  I still don't think
> > that OpenSSL 3.0 necessarily needs to be skipped for Fedora Linux 35
> > based on all that.
>
> So you now think you can make better choices than the maintainers and
> people that closely worked on this?
>

Of course not.

> >  What *would* concern me is OpenSSL 3.0's own
> > release schedule, or rather the lack of one.
>
> Oh boy, like we do not have this problem with like 98% of the Open
> Source projects we use in Fedora? Why is OpenSSL special now?
>

It's special because we as a distribution made it special by making it
a requirement for RPM to function. OpenSSL infamously didn't offer a
stable ABI across releases, so I'm cognizant of that issue potentially
plaguing us if we released with a beta release and there was an ABI
break between beta and stable. I couldn't find any documentation of
what stage they finalized the ABI at for releases.

> >  It is unclear when
> > OpenSSL 3.0 final is supposed to be released. Digging into the
> > upstream project information, it seems like there's not much left[6].
> > But I'm unsure if they do relatively fixed milestones or very fluid
> > milestones. That's also combined with no estimates of when OpenSSL 3.0
> > final is supposed to be released, at least none that I can find.
>
>
> This is exactly why we have been very cautious and not cavalier with
> this change. We planned, we worked on it, and ultimately quietly
> decided to postpone instead of inflicting a lot of pain on our
> developers and users. I call this considerate, and not a mistake.
>
> Yeah we did not constantly tell you "not yet", "not yet", "not yet".
>
> Sorry if we've been busy, but accusing people of nefarious behavior for
> nothing, is not exactly friendly.
>
> Thanks for your understanding ... or lack thereof.
>

I am not accusing anyone of nefarious behavior. What I am saying is
that absent any communication, the whole thing looks very weird.

It seemed like from my naive view, it seemed like all that stuff was
already getting done fairly aggressively in CentOS Stream and nothing
was happening in Fedora for an approved Change that was already
delayed once.

The inversion for development is a smell that I am very sensitive to,
as the last time that happened, things went very badly. I also don't
want Changes going in where people aren't prepared to communicate as a
Change is being implemented. I've personally been burned by this on
multiple separate occasions and I'm extremely sensitive to that.

Sahana, if I've offended or insulted you, I'm *extremely* sorry. I am
just trying to make sense of a weird situation and I'm probably not
taking it very well.



-- 
真実はいつも一つ!/ Always, there's only one truth!