Hi, > On 5. Jul 2024, at 12:10, Joe Orton <jorton@xxxxxxxxxx> wrote: > > On Tue, Jul 02, 2024 at 02:05:38PM +0200, Dmitry Belyavskiy wrote: >> In the long-term it would be better to provide a patch fixing build of the >> package. Probably adding -DOPENSSL_NO_ENGINE to build flags will work. >> Engines are deprecated. You should not use engines and should migrate to >> providers. > > I really think this is silly. Looking at the Boost headers they already > conditionalize support for ENGINE *in the way that OpenSSL upstream > intended*. > https://www.boost.org/doc/libs/1_74_0/boost/asio/ssl/detail/openssl_types.hpp > > #if !defined(OPENSSL_NO_ENGINE) > # include <openssl/engine.h> > #endif // !defined(OPENSSL_NO_ENGINE) > > So, no, Boost should not be "fixed". <openssl/configuration-*.h> should > simply "#define OPENSSL_NO_ENGINE" if you want Fedora packages to drop > ENGINE support. We have broken the way Fedora packages consume the > OpenSSL API - it should be reverted, we're just heaping unnecessary work > on other package maintainers. I’m sure Dmitry would be happy to do that if we as a community could agree to no longer support OpenSSL ENGINEs, but it doesn’t seem that this consensus exists in Fedora. This leaves us with deprecating ENGINEs to give package maintainers a transition period. Should we instead cook up a patch that requires packages that still want to continue use of engines to set an additional preprocessor flag? With a patched openssl/engine.h we could probably make a -DOPENSSL_NO_ENGINE_BUT_ACTUALLY_I_REALLY_STILL_WANT_TO_USE_THIS_DEPRECATED_FUNCTIONALITY work. Personally, as the maintainer of stunnel, I also didn’t enjoy the extra busy work this change forced my to do for a package that did already correctly respect OPENSSL_NO_ENGINE. However, the above alternative would have silently disabled engine support, and other package maintainers might not be a fan of that, either. One alternative is fail-loudly with work for maintainers that just want to follow the decision, the other is fail-silent with work for maintainers that want to continue using engines. Which ones is better? -- Clemens Lang RHEL Crypto Team Red Hat -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
