F37 proposal: Deprecate openssl1.1 package (System-Wide Change)


 



https://fedoraproject.org/wiki/Changes/DeprecateOpensslCompat

This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.

== Summary ==
We are going to deprecate the openssl1.1 package, stop shipping the
corresponding devel package, and stop respecting crypto policies in
the openssl1.1 package itself.

== Owner ==
* Name: [[User:DmitryBelyavskiy| Dmitry Belyavskiy]]
* Email: dbelyavs@xxxxxxxxxx

== Detailed Description ==
In Fedora 36 we switched to the OpenSSL 3.0 branch. This is a brand new
version with a new architecture. We left the openssl1.1 package for the
applications that were unable to switch to the new API/architecture,
3rd-party applications, etc. As openssl 1.1 has a predictable EOL, we
want to ensure that no new products relying on it will appear in
Fedora.

== Benefit to Fedora ==
This proposal ensures that no new packages in Fedora will rely on the
deprecated OpenSSL version, which will cause an overall increase of
security/stability and will reduce the number of old packages relying
on the OpenSSL 1.1 series.

It will also reduce the maintenance burden for the OpenSSL
maintainers, especially when new CVEs are published.

== Scope ==
* Proposal owners:
** Remove devel package
** eliminate crypto policy support from the main package
** provide assistance in migration to other developers

* Other developers:
** Patch their packages to work with OpenSSL 3.0
** Fedora/RHEL distributions provide some syntax sugar related to
https://fedoraproject.org/wiki/Packaging:CryptoPolicies. For the
packages still relying on openssl1.1, the syntax provided by crypto
policies will no longer be supported. The changes implemented
according to https://fedoraproject.org/wiki/Packaging:CryptoPolicies
(e.g. using "PROFILE=SYSTEM" as the default TLS ciphersuites
configuration) should be removed.

* Release engineering: This feature doesn't require coordination with
release engineering.
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)

== Upgrade/compatibility impact ==
As Crypto Policy support is removed from openssl1.1, applications will
need to adjust the configuration files if they contain the line
"PROFILE=SYSTEM" according to
https://fedoraproject.org/wiki/Packaging:CryptoPolicies

== How To Test ==
Regular application tests should catch the regressions caused by these changes.

== Dependencies ==
No packages should depend on the openssl1.1-devel package, which is eliminated.


== Contingency Plan ==
Revert the shipped configuration
Contingency deadline: TBD

== Documentation ==
TBW

== Release Notes ==
TBW

-- 
Vipul Siddharth
He/His/Him
FPgM team member
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
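
An added example, not part of the original message or of the Fedora proposal: a Python sketch for the migration step described under Scope and Upgrade/compatibility impact, listing configuration lines that still set the "PROFILE=SYSTEM" cipher string so they can be reviewed for applications that remain on openssl1.1. The comment conventions ('#' anywhere, ';' at line start), the function names and the sample lines are assumptions made for illustration.

```python
import os
import re
import sys

# Keyword from the Packaging:CryptoPolicies guideline, matched as part of a
# colon-separated cipher string (e.g. "PROFILE=SYSTEM:!aNULL").
TOKEN = re.compile(r"[^\s\"';]*PROFILE=SYSTEM[^\s\"';]*")

# Constructed sample, not taken from any real package.
SAMPLE = """\
# ssl_ciphers PROFILE=SYSTEM;
ssl_ciphers PROFILE=SYSTEM;
CipherString = "PROFILE=SYSTEM:!aNULL"
ciphers = HIGH   # was PROFILE=SYSTEM
; ciphers = PROFILE=SYSTEM
"""

def find_profile_lines(text):
    """Return (line number, cipher string) for each active use of the keyword."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(";"):      # assumed ini-style comment line
            continue
        active = line.split("#", 1)[0]         # drop assumed '#' comments
        match = TOKEN.search(active)
        if match:
            hits.append((lineno, match.group(0)))
    return hits

def scan_tree(root):
    """Walk root and return (path, line number, cipher string) tuples."""
    results = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                        # deterministic traversal order
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    text = fh.read()
            except (UnicodeDecodeError, OSError):
                continue                       # binary or unreadable file
            results.extend((path, n, tok) for n, tok in find_profile_lines(text))
    return results

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, n, tok in scan_tree(sys.argv[1]):
            print(f"{path}:{n}: {tok}")
    else:
        print(find_profile_lines(SAMPLE))
```

Run it with a configuration directory as the only argument; a hit only matters for an application that is still linked against openssl1.1.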



