On Thu, Jun 23, 2022 at 12:35:28AM +0530, Vipul Siddharth wrote: > https://fedoraproject.org/wiki/Changes/DeprecateOpensslCompat > > This document represents a proposed Change. As part of the Changes > process, proposals are publicly announced in order to receive > community feedback. This proposal will only be implemented if approved > by the Fedora Engineering Steering Committee. > > == Summary == > We are going to deprecate openssl1.1 package, stop shipping the > corresponding devel package, and stop respecting crypto policies in > openssl1.1 package itself. Not respecting crypto policies is needlessly introducing a significant regression. Deprecating something does not usually mean intentionally hobbling its features. I would expect functionality of openssl1.1 that exists today to remain unchanged, until such time as it can be removed from the distro entirely. IOW, by all means we should stop introducing new packages using it, but if something is already using it, we shouldn't change its behaviour. Is removing the -devel package the right approach ? It will certainly stop new packages using it, but when we come to do the next mass rebuild, it will break any existing usage too. What existing packages in the distro still use it, and are we willing to have those packages be dropped after the inevitible FTBFS due to missing -devel packages ? > == Owner == > * Name: [[User:DmitryBelyavskiy| Dmitry Belyavskiy]] > * Email: dbelyavs@xxxxxxxxxx > > == Detailed Description == > In Fedora 36 we switched to OpenSSL 3.0 branch. This is a brand new > version with new architecture. We left the openssl1.1 package for the > applications that were unable to switch to the new API/architecture, > 3rd-party applications, etc. As openssl 1.1 has a predictable EOL, we > want to ensure that no new products relying on it will appear in > Fedora. > > == Benefit to Fedora == > This proposal ensures than no new packages in Fedora will rely on the > deprecated OpenSSL version that will cause an overall increase of > security/stability, and will reduce the amount of old packages relying > on OpenSSL 1.1 series. > > It will also reduce the maintenance burden for the OpenSSL > maintainers, especially when new CVEs are published. > > == Scope == > * Proposal owners: > ** Remove devel package > ** eliminate crypto policy support from the main package > ** provide assistance in migration to other developers > > * Other developers: > ** Patch their packages to work with OpenSSL 3.0 > ** Fedora/RHEL distributions provide some syntax sugar related to > https://fedoraproject.org/wiki/Packaging:CryptoPolicies. For the > packages still relying to openssl1.1 the syntax provided by crypto > policies will no longer be supported. The changes implemented > according to https://fedoraproject.org/wiki/Packaging:CryptoPolicies > (e.g. using "PROFILE=SYSTEM" as default TLS ciphersuites > configuration) should be removed. With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
