On Аўт, 25 лют 2025, Dmitry Belyavskiy wrote:
On Tue, Feb 25, 2025 at 12:04 PM Peter Boy Uni <pboy@xxxxxxxxxxxxx> wrote:
> Am 25.02.2025 um 09:09 schrieb Alexander Bokovoy <abokovoy@xxxxxxxxxx>:
>> ...
>> == Detailed Description ==
>> We are going to build OpenSSL without engine support. Engines are not
>> FIPS compatible and corresponding API is deprecated since OpenSSL 3.0.
>> The engine functionality we are aware of (PKCS#11, TPM) is covered by
>> providers. The package necessary to build engines
>> (openssl-devel-engine) is already declared as deprecated and will be
>> removed. For the applications that still unconditionally refer to
>> openssl/engine.h we will provide a dummy engine.h file
>
> The side effect is that FreeIPA will lose support for DNSSEC until we
> are able to migrate to bind 9.19+ for bind-dyndb-ldap.
>
> ... In Fedora, however,
> this means we'd have to disable DNSSEC completely, even for existing
> deployments.
From the point of view of the Fedora Server Edition Working Group, this is
a no-go!
And what is the reason to not move forward to bind 9.19+?
Please read my email. ;)
Let me repeat.
OpenSSL 4.0 without engine support will be here in, I'd say, F44, and
compat package will not help you to _build_ the packages depending on
engines.
--
Dmitry Belyavskiy
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
