Re: F41 Change Proposal: Disable openSSL Engine Support (system-wide)

On Wed, Mar 20, 2024 at 02:35:21PM +0100, Dmitry Belyavskiy wrote:
> > > == Benefit to Fedora ==
> > > We get rid of deprecated functionality and enforce using up-to-date
> > > API. Engine support is deprecated in OpenSSL upstream, and after
> > > provider migration caused some deficiencies with engine support. No
> > > new features will be added to the engine. So we reduce the maintenance
> > > burden and potentially attack surface.
> >
> > What is upstream's intention with the 'engine' feature deprecation ?
> >
> > Are they going to actively remove this functionality after some
> > period of deprecation ? If so what's upstream timeframe, and
> > should Fedora just wait for that, rather than jumping the
> > gun ?
> >
> 
> As I understand, upstream is going to remove engines but it wouldn't happen
> before OpenSSL 4.0
> I don't think Fedora should wait for that. We definitely want to land
> no-engine in RHEL10 so Fedora should be ready for that.

Sorry, but the idea to drop symbols without changing the SONAME
must be rejected. If upstream plans to drop the symbols for 4.0, then
that is OK, assuming that the SONAME is bumped then.

We can try to rebuild distro packages, but we do not control everything
that is built by users. Removing symbols without bumping SONAME will
break user programs.

> > Should we not preserve the ENGINE_* symbols, but turn
> > their impl into either a no-op, or reporting a runtime
> > error, as appropriate for each API.
> 
> All 100+ symbols? I don't think providing non-working stubs would be a good
> idea...

If we were to do this, this would be the least bad option.
It's not that much work to generate 100 stubs of the form
  ENGINE *ENGINE_by_id(const char *id) { return NULL; }

But I don't think we should do the removal at all.

Zbyszek
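
The stub approach discussed in this message, as an added example (not code from the thread or from OpenSSL): a few ENGINE_* stubs that keep the symbols resolvable but fail using each API's return convention, plus a hypothetical caller showing how application code that checks return values degrades. The type declarations are local stand-ins so the block compiles without the OpenSSL headers; `load_engine_key`, the status enum and the sample ids are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Local stand-ins for the opaque OpenSSL types (assumption: lets the
 * example compile without the OpenSSL headers). */
typedef struct engine_st ENGINE;
typedef struct evp_pkey_st EVP_PKEY;
typedef struct ui_method_st UI_METHOD;

/* Stubs: each symbol still resolves at load time, but reports failure
 * in the return convention of its API (NULL pointer or 0). */
ENGINE *ENGINE_by_id(const char *id) { (void)id; return NULL; }
int ENGINE_init(ENGINE *e) { (void)e; return 0; }
int ENGINE_finish(ENGINE *e) { (void)e; return 1; } /* nothing to release */
int ENGINE_free(ENGINE *e) { (void)e; return 1; }   /* nothing to release */
EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
                                  UI_METHOD *ui, void *cb_data)
{ (void)e; (void)key_id; (void)ui; (void)cb_data; return NULL; }

enum key_status { KEY_OK = 0, KEY_NO_ENGINE, KEY_INIT_FAILED, KEY_LOAD_FAILED };

/* Hypothetical caller: the usual engine key-loading sequence with every
 * return value checked, so a stubbed library yields a clean error
 * instead of an unresolved symbol or a NULL dereference. */
enum key_status load_engine_key(const char *engine_id, const char *key_id,
                                EVP_PKEY **out)
{
    ENGINE *e = ENGINE_by_id(engine_id);
    if (e == NULL)
        return KEY_NO_ENGINE;
    if (!ENGINE_init(e)) {
        ENGINE_free(e);
        return KEY_INIT_FAILED;
    }
    *out = ENGINE_load_private_key(e, key_id, NULL, NULL);
    ENGINE_finish(e);
    ENGINE_free(e);
    return *out ? KEY_OK : KEY_LOAD_FAILED;
}

int main(void)
{
    EVP_PKEY *key = NULL;
    /* Constructed sample ids, not taken from the thread. */
    enum key_status st = load_engine_key("pkcs11", "constructed-key-id", &key);
    printf("status=%d key=%p\n", (int)st, (void *)key);
    return st == KEY_NO_ENGINE ? 0 : 1;
}
```

A caller that skips the NULL check on `ENGINE_by_id` gets no such clean failure, which is the practical limit of the stub option.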



