On Tue, 2021-09-14 at 13:36 +0200, Lennart Poettering wrote:
> Heya!
>
> Some of the systemd developers have been discussing switching
> systemd's crypto libraries to be exclusively OpenSSL 3.0, and drop
> support for older OpenSSL versions, as well as any GNUTLS/libgcrypt
> support. As you might have noticed OpenSSL 3.0 has been released
> recently, and for the first time resolves the GPL2 license
> incompatibility mess comprehensively, which opens this door to us.
>
> I personally care a lot about reducing the combinatorial explosion of
> deps a bit, and keeping our tree as maintainable as we can, with a
> single implementation of everything, not multiple, and no abstraction
> layers and such, and thus removing any compat kludges for other
> libraries or other library versions.
>
> Now, before we make a decision on this, I'd like to collect feedback
> on such a move. I know that there are some people who backport new
> systemd onto old distros. How big would the pain be to require porting
> OpenSSL 3, too, at the same time?

This will be an issue for CentOS Stream 8, among others. We ship a backport of the latest systemd (and dailies from the github master) for it as part of the CentOS Hyperscale SIG (https://wiki.centos.org/SpecialInterestGroup/Hyperscale). C8 currently ships OpenSSL 1.1.1k, and given that this is a package from base it's unlikely to get bumped throughout the lifecycle of the distro. We could theoretically build OpenSSL 3 as part of Hyperscale, but that would require rebuilding half the distribution, which is obviously not practical. We might be able to build and ship a coinstallable private OpenSSL 3 build just for systemd, but I don't know how technically feasible that'll be in practice, and it'll definitely be a pain to maintain and likely bring along some security fun.

The same issue applies to CentOS 7, though we've stopped building backports for that past 246, so we're not directly impacted there.

Now, the good news is that this won't be an issue at all for CentOS Stream 9, as they've just rebased to 3.0.0 last week (https://gitlab.com/redhat/centos-stream/rpms/openssl).

Cheers
Davide
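The thread above turns on which OpenSSL a distro actually ships versus the 3.0 minimum being proposed. The POSIX sh below is an added example (it is not code from this thread, from the systemd project, or from the Hyperscale SIG): it parses `openssl version` banners, decides whether each one meets a required MAJOR.MINOR, and prints a per-distro report. The version lines in `SAMPLE_RECORDS` are constructed sample input; the CentOS Stream 8 and 9 values (1.1.1k and 3.0.0) are the ones the message states, while the CentOS 7 value and all build dates are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not code from the systemd thread or the systemd project.
# A POSIX sh gate that mirrors the proposed "OpenSSL 3.0 only" minimum: it
# parses `openssl version` output such as "OpenSSL 1.1.1k  25 Mar 2021" and
# reports whether a distro's OpenSSL would satisfy a required MAJOR.MINOR.
# The sample version strings are constructed; the CentOS Stream 8 and 9
# values (1.1.1k and 3.0.0) are the ones the message above states.

# Print "MAJOR MINOR PATCH" from a version banner, dropping the product name,
# the pre-3.0 letter suffix (1.1.1k -> 1.1.1) and the trailing build date.
# Exit status 1 when the line is not an OpenSSL version banner at all.
openssl_version_tuple() {
    v=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v" | tr '.' ' '
}

# openssl_at_least "<version banner>" MAJOR MINOR
# 0: version >= MAJOR.MINOR; 1: too old; 2: unparseable (treated as "no").
openssl_at_least() {
    want_major=$2
    want_minor=$3
    tuple=$(openssl_version_tuple "$1") || return 2
    case $tuple in
        *' '*) have_major=${tuple%% *}; rest=${tuple#* }; have_minor=${rest%% *} ;;
        *)     have_major=$tuple; have_minor=0 ;;
    esac
    [ "$have_major" -gt "$want_major" ] && return 0
    [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ] && return 0
    return 1
}

# classify "distro|<version banner>" MAJOR MINOR
# Prints "distro: ok", "distro: too-old" or "distro: unknown".
classify() {
    distro=${1%%|*}
    line=${1#*|}
    rc=0
    openssl_at_least "$line" "$2" "$3" || rc=$?
    case $rc in
        0) printf '%s: ok\n' "$distro" ;;
        1) printf '%s: too-old\n' "$distro" ;;
        *) printf '%s: unknown\n' "$distro" ;;
    esac
}

# Constructed sample of `openssl version` output for the distros named in the
# thread; the c7 version and every date are illustrative, not from the message.
SAMPLE_RECORDS='c7|OpenSSL 1.0.2k-fips  26 Jan 2017
c8s|OpenSSL 1.1.1k  FIPS 25 Mar 2021
c9s|OpenSSL 3.0.0 7 sep 2021
broken|openssl: command not found'

# Report every sample record against the proposed 3.0 minimum.
report() {
    printf '%s\n' "$SAMPLE_RECORDS" | while IFS= read -r rec; do
        classify "$rec" 3 0
    done
}

report
# Also gate on the OpenSSL actually installed on this host, when there is one.
if command -v openssl >/dev/null 2>&1; then
    classify "this host|$(openssl version)" 3 0
fi
```

Run it as-is to see the report for the constructed records (`c8s: too-old`, `c9s: ok`); wired into a packaging script, the `openssl_at_least` exit status is what would decide between building against the base OpenSSL and falling back to the coinstallable private build the message mentions. Note that the letter suffix is deliberately discarded, since it only exists on pre-3.0 releases and carries no meaning for a 3.0 minimum check.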