On Tue, Feb 25, 2025 at 12:04 PM Peter Boy Uni <pboy@xxxxxxxxxxxxx> wrote:
> Am 25.02.2025 um 09:09 schrieb Alexander Bokovoy <abokovoy@xxxxxxxxxx>:
>> ...
>> == Detailed Description ==
>> We are going to build OpenSSL without engine support. Engines are not
>> FIPS compatible and corresponding API is deprecated since OpenSSL 3.0.
>> The engine functionality we are aware of (PKCS#11, TPM) is covered by
>> providers. The package necessary to build engines
>> (openssl-devel-engine) is already declared as deprecated and will be
>> removed. For the applications that still unconditionally refer to
>> openssl/engine.h we will provide a dummy engine.h file
>
> The side effect is that FreeIPA will lose support for DNSSEC until we
> are able to migrate to bind 9.19+ for bind-dyndb-ldap.
>
> ... In Fedora, however,
> this means we'd have to disable DNSSEC completely, even for existing
> deployments.
>From the point of view of the Fedora Server Edition Working Group, this is a no-go!
And what is the reason to not move forward to bind 9.19+?
Let me repeat.
OpenSSL 4.0 without engine support will be here in, I'd say, F44, and compat package will not help you to _build_ the packages depending on engines.
Dmitry Belyavskiy
-- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
