Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

On Thu, Jun 23, 2022 at 12:35:28AM +0530, Vipul Siddharth wrote:
> https://fedoraproject.org/wiki/Changes/DeprecateOpensslCompat
> 
> This document represents a proposed Change. As part of the Changes
> process, proposals are publicly announced in order to receive
> community feedback. This proposal will only be implemented if approved
> by the Fedora Engineering Steering Committee.
> 
> == Summary ==
> We are going to deprecate openssl1.1 package, stop shipping the
> corresponding devel package, and stop respecting crypto policies in
> openssl1.1 package itself.

Not respecting crypto policies is needlessly introducing a
significant regression. Deprecating something does not usually
mean intentionally hobbling its features. I would expect functionality
of openssl1.1 that exists today to remain unchanged, until such time
as it can be removed from the distro entirely.

IOW, by all means we should stop introducing new packages using it,
but if something is already using it, we shouldn't change its
behaviour.

Is removing the -devel package the right approach? It will
certainly stop new packages using it, but when we come to do the
next mass rebuild, it will break any existing usage too. What
existing packages in the distro still use it, and are we willing
to have those packages be dropped after the inevitable FTBFS due
to missing -devel packages?

> == Owner ==
> * Name: [[User:DmitryBelyavskiy| Dmitry Belyavskiy]]
> * Email: dbelyavs@xxxxxxxxxx
> 
> == Detailed Description ==
> In Fedora 36 we switched to OpenSSL 3.0 branch. This is a brand new
> version with new architecture. We left the openssl1.1 package for the
> applications that were unable to switch to the new API/architecture,
> 3rd-party applications, etc. As openssl 1.1 has a predictable EOL, we
> want to ensure that no new products relying on it will appear in
> Fedora.
> 
> == Benefit to Fedora ==
> This proposal ensures that no new packages in Fedora will rely on the
> deprecated OpenSSL version that will cause an overall increase of
> security/stability, and will reduce the amount of old packages relying
> on OpenSSL 1.1 series.
> 
> It will also reduce the maintenance burden for the OpenSSL
> maintainers, especially when new CVEs are published.
> 
> == Scope ==
> * Proposal owners:
> ** Remove devel package
> ** eliminate crypto policy support from the main package
> ** provide assistance in migration to other developers
> 
> * Other developers:
> ** Patch their packages to work with OpenSSL 3.0
> ** Fedora/RHEL distributions provide some syntax sugar related to
> https://fedoraproject.org/wiki/Packaging:CryptoPolicies. For the
> packages still relying on openssl1.1 the syntax provided by crypto
> policies will no longer be supported. The changes implemented
> according to https://fedoraproject.org/wiki/Packaging:CryptoPolicies
> (e.g. using "PROFILE=SYSTEM" as default TLS ciphersuites
> configuration) should be removed.


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|