Re: Fedora rawhide (to be f41) and openssl engines


 



Hi,

> On 22. Jul 2024, at 16:32, Fabio Valentini <decathorpe@xxxxxxxxx> wrote:
> 
> On Mon, Jul 22, 2024 at 4:28 PM Clemens Lang <cllang@xxxxxxxxxx> wrote:
>> 
>> Hi Neal,
>> 
>> 
>>> On 22. Jul 2024, at 15:01, Neal Gompa <ngompa13@xxxxxxxxx> wrote:
>>> 
>>> The CentOS approach isn't a deprecation, it's flat out removal. It's a
>>> completely different change.
>> 
>> This isn’t correct. The headers are removed, but the ABI is still present in CentOS Stream, so it is not flat out removal.
> 
> This is arguing about semantics, but probably the difference is that
> packages in Fedora really MUST be kept in a state where they can be
> rebuilt at any time, and removing the headers breaks that. It doesn't
> break existing packages, but as soon as any changes need to be made to
> any package that depends on those headers (or just a plain rebuild for
> some other change in the distribution, or a mass rebuild), it *is*
> equivalent to a removal.

There are three cases:

(1) packages that are broken now because they don’t yet depend on openssl-devel-engine and do not set OPENSSL_NO_ENGINE.
(2) packages that have been fixed by adding -DOPENSSL_NO_ENGINE to CPPFLAGS
(3) packages that have been fixed by adding a dependency on openssl-devel-engine

If we change OpenSSL to define OPENSSL_NO_ENGINE by default, with an override available, that affects these three cases as follows:

(1) now (hopefully, unless it’s an upstream bug) automatically don’t use ENGINEs, build should be fixed
(2) no change, continues to build
(3) continues to build, but stops using ENGINEs (but the maintainer would get a bug ticket about that from me, and then can set -DFEDORA_OPENSSL_STILL_USE_ENGINES)


At no point would a package move to a state where it doesn’t build.


(1) and (2) improve the situation for package maintainers. (3) is some extra work, but it’s also not fail-silent due to the ticket.

The alternative is doing nothing, which means packages in (1) stay broken and need to be fixed by somebody, and everybody else gets to keep the -DOPENSSL_NO_ENGINE define or dependency on openssl-devel-engine in their specfiles.


I think this would be a net improvement over what we currently have, but if others don’t agree, we can also just keep the current state and take it out on the backs of the maintainers that now have to deal with the -DOPENSSL_NO_ENGINE thing.


-- 
Clemens Lang
RHEL Crypto Team
Red Hat
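
A triage helper for the three cases listed in the message above, as an added example that is not part of the original message or of any Fedora tooling. It assumes the "upstream bug" in case (1) means source that includes `openssl/engine.h` without an `OPENSSL_NO_ENGINE` guard; the function names and sample inputs are constructed for illustration.

```python
import re

DIRECTIVE = re.compile(r'^\s*#\s*(ifndef|ifdef|if|elif|else|endif)\b(.*)')
ENGINE_INCLUDE = re.compile(r'^\s*#\s*include\s*[<"]openssl/engine\.h[>"]', re.M)
NOT_DEFINED = re.compile(r'!\s*defined\s*\(?\s*OPENSSL_NO_ENGINE\b')

def unguarded_engine_includes(source):
    """Line numbers that include openssl/engine.h in a branch still compiled
    when OPENSSL_NO_ENGINE is defined (heuristic, no macro evaluation)."""
    stack, hits = [], []  # one entry per open #if: "skip", "only" or "other"
    for number, line in enumerate(source.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m:
            kind, rest = m.groups()
            is_macro = rest.split()[:1] == ["OPENSSL_NO_ENGINE"]
            if kind == "ifndef":
                stack.append("skip" if is_macro else "other")
            elif kind == "ifdef":
                stack.append("only" if is_macro else "other")
            elif kind == "if":
                stack.append("skip" if NOT_DEFINED.search(rest) else "other")
            elif kind == "else" and stack:  # #else of #ifdef is ENGINE-only code
                stack[-1] = "skip" if stack[-1] == "only" else "other"
            elif kind == "elif" and stack:
                stack[-1] = "other"
            elif kind == "endif" and stack:
                stack.pop()
        elif ENGINE_INCLUDE.match(line) and "skip" not in stack:
            hits.append(number)
    return hits

def classify(spec, sources):
    """Return (case, predicted outcome, {file: unguarded include lines})."""
    if not any(ENGINE_INCLUDE.search(src) for src in sources.values()):
        return None, "no ENGINE use found", {}
    bugs = {name: lines for name, src in sources.items()
            if (lines := unguarded_engine_includes(src))}
    if re.search(r'^BuildRequires:.*\bopenssl-devel-engine\b', spec, re.M):
        return 3, "builds; ENGINEs off unless -DFEDORA_OPENSSL_STILL_USE_ENGINES", bugs
    if "-DOPENSSL_NO_ENGINE" in spec:
        return 2, "no change", bugs
    return 1, ("needs upstream fix" if bugs else "builds without ENGINEs"), bugs

# Constructed sample inputs, not taken from any real package.
GUARDED = "#ifndef OPENSSL_NO_ENGINE\n# include <openssl/engine.h>\n#endif\n"
UNGUARDED = "#include <openssl/evp.h>\n#include <openssl/engine.h>\n"
SPEC_PLAIN = "BuildRequires: openssl-devel\n"
```

The guard tracking is textual, so a compound condition such as `#if !defined(OPENSSL_NO_ENGINE) || ...` is treated as guarded and should be reviewed by hand.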



-- 
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue



