On Wed, 2021-09-15 at 14:29 +0000, Davide Cavalca wrote:
> On Tue, 2021-09-14 at 13:36 +0200, Lennart Poettering wrote:
> > Heya!
> >
> > Some of the systemd developers have been discussing switching
> > systemd's crypto libraries to be exclusively OpenSSL 3.0, and drop
> > support for older OpenSSL versions, as well as any GNUTLS/libgcrypt
> > support. As you might have noticed OpenSSL 3.0 has been released
> > recently, and for the first time resolves the GPL2 license
> > incompatibility mess comprehensively, which opens this door to us.
> >
> > I personally care a lot about reducing the combinatorial explosion of
> > deps a bit, and keeping our tree as maintainable as we can, with a
> > single implementation of everything, not multiple, and no abstraction
> > layers and such, and thus removing any compat kludges for other
> > libraries or other library versions.
> >
> > Now, before we make a decision on this, I'd like to collect feedback
> > on such a move. I know that there are some people who backport new
> > systemd onto old distros. How big would the pain be to require porting
> > OpenSSL 3, too, at the same time?
>
> This will be an issue for CentOS Stream 8, among others. We ship a
> backport of the latest systemd (and dailies from the github master) for
> it as part of the CentOS Hyperscale SIG
> (https://wiki.centos.org/SpecialInterestGroup/Hyperscale). C8 currently
> ships OpenSSL 1.1.1k, and given that this is a package from base it's
> unlikely to get bumped throughout the lifecycle of the distro. We could
> theoretically build OpenSSL 3 as part of Hyperscale, but that would
> require rebuilding half the distribution, which is obviously not
> practical. We might be able to build and ship a coinstallable private
> OpenSSL 3 build just for systemd, but I don't know how technically
> feasible that'll be in practice, and it'll definitely be a pain to
> maintain and likely bring along some security fun.
To close the loop on this -- Michel (in CC) has built a coinstallable
openssl3 package in EPEL 8:
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-ff6e908f7e

This should make it possible to continue backporting systemd on CentOS
Stream 8 even after the move to openssl3.

Cheers
Davide