No edit summary |
(→Current status: add devel list thread link) |
||
Line 44: | Line 44: | ||
ON_QA -> change is fully code complete | ON_QA -> change is fully code complete | ||
--> | --> | ||
* [https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org/thread/UVULTXPNVB727L4EYPX66C54WWJA46VB/ Devel list thread] | |||
* FESCo issue: <will be assigned by the Wrangler> | * FESCo issue: <will be assigned by the Wrangler> | ||
* Tracker bug: <will be assigned by the Wrangler> | * Tracker bug: <will be assigned by the Wrangler> |
Revision as of 19:10, 22 June 2022
Deprecate openssl1.1 package
Summary
We are going to deprecate the openssl1.1 package, stop shipping the corresponding devel package, and stop respecting crypto policies in the openssl1.1 package itself.
Owner
- Name: Dmitry Belyavskiy
- Email: dbelyavs@redhat.com
Current status
- Targeted release: Fedora Linux 37
- Last updated: 2022-06-22
- Devel list thread
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
In Fedora 36 we switched to the OpenSSL 3.0 branch. This is a brand new version with a new architecture. We kept the openssl1.1 package for applications that were unable to switch to the new API/architecture, 3rd-party applications, etc. As OpenSSL 1.1 has a predictable EOL, we want to ensure that no new products relying on it will appear in Fedora.
Feedback
Benefit to Fedora
This proposal ensures that no new packages in Fedora will rely on the deprecated OpenSSL version, which will increase overall security/stability and reduce the number of old packages relying on the OpenSSL 1.1 series.
It will also reduce the maintenance burden for the OpenSSL maintainers, especially when new CVEs are published.
Scope
- Proposal owners:
- Remove the devel package
- Eliminate crypto policy support from the main package
- Provide migration assistance to other developers
- Other developers:
- Patch their packages to work with OpenSSL 3.0
- Fedora/RHEL distributions provide some syntactic sugar related to https://fedoraproject.org/wiki/Packaging:CryptoPolicies. For packages still relying on openssl1.1, the syntax provided by crypto policies will no longer be supported. The changes implemented according to https://fedoraproject.org/wiki/Packaging:CryptoPolicies (e.g. using "PROFILE=SYSTEM" as the default TLS ciphersuites configuration) should be removed.
- Release engineering: #Releng issue number
This feature doesn't require coordination with release engineering.
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives:
Upgrade/compatibility impact
As crypto policy support is removed from openssl1.1, applications will need to adjust their configuration files if they contain the line "PROFILE=SYSTEM" according to https://fedoraproject.org/wiki/Packaging:CryptoPolicies.
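One way to locate configuration that still needs this adjustment, as an added example that is not part of the original proposal. The sample files, application names and config keys are constructed, and the comment syntax ('#' or ';' at line start, " #" for trailing comments) is an assumption to adapt per application.

```shell
#!/bin/sh
# Added example: list active "PROFILE=SYSTEM" settings under a config directory.
# Assumption: '#' or ';' at line start marks a comment, and " #" starts a
# trailing comment; adjust for the config syntax of the application at hand.

scan_profile_system() {
    # Prints file:line:content for every non-comment line that still uses
    # the crypto-policies keyword.
    find "$1" -type f -exec awk '
        /^[ \t]*[#;]/ { next }                  # whole-line comment
        {
            active = $0
            sub(/[ \t]#.*$/, "", active)        # drop trailing comment
            if (active ~ /PROFILE=SYSTEM/)
                printf "%s:%d:%s\n", FILENAME, FNR, $0
        }
    ' {} +
}

count_profile_system() {
    scan_profile_system "$1" | wc -l | tr -d ' '
}

make_sample_tree() {
    # Constructed sample configs (hypothetical application names and keys).
    d=$(mktemp -d)
    mkdir -p "$d/conf.d"
    printf '%s\n' '[tls]' 'ciphers = PROFILE=SYSTEM' 'port = 8443' \
        > "$d/legacy-app.conf"
    printf '%s\n' '# ciphers = PROFILE=SYSTEM' \
        'ciphers = HIGH:!aNULL  # was PROFILE=SYSTEM' \
        > "$d/migrated-app.conf"
    printf '%s\n' 'listen 443' '  tls_ciphers PROFILE=SYSTEM' \
        > "$d/conf.d/vhost.conf"
    echo "$d"
}

sample=$(make_sample_tree)
scan_profile_system "$sample"
echo "active PROFILE=SYSTEM settings: $(count_profile_system "$sample")"
rm -rf "$sample"
```

Point `scan_profile_system` at the configuration directory of a package that still links against openssl1.1; commented-out and already migrated lines are not reported.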
How To Test
Regular application tests should catch the regressions caused by these changes.
User Experience
Dependencies
No packages should depend on the openssl1.1-devel package, which is being eliminated.
Contingency Plan
Revert the shipped configuration
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), Yes/No
Documentation
TBW