Latest revision as of 17:37, 19 July 2022

Deprecate openssl1.1 package

Summary

We are going to deprecate openssl1.1 package following the guidelines for deprecated packages: https://docs.fedoraproject.org/en-US/packaging-guidelines/deprecating-packages/.

Owner

Name: Dmitry Belyavskiy
Email: dbelyavs@redhat.com

Current status

Targeted release: Fedora Linux 37
Last updated: 2022-07-19
Devel list thread
FESCo issue: #2821
Tracker bug: #2108694
Release notes tracker: #863

Detailed Description

In Fedora 36 we switched to OpenSSL 3.0 branch. This is a brand new version with new architecture. We left the openssl1.1 package for the applications that were unable to switch to the new API/architecture, 3rd-party applications, etc. As openssl 1.1 has a predictable EOL in 2023, we want to ensure that no new products relying on it will appear in Fedora.

Feedback

Benefit to Fedora

This proposal ensures than no new packages in Fedora will rely on the deprecated OpenSSL version that will cause an overall increase of security/stability, and will reduce the amount of old packages relying on OpenSSL 1.1 series.

It will also reduce the maintenance burden for the OpenSSL maintainers, especially when new CVEs are published.

Scope

Proposal owners:

mark package as deprecated
provide assistance in migration to other developers

Other developers:

Patch their packages to work with OpenSSL 3.0
Python 2.7 maintatiners should consider either migration to 3.0 or removing the tls support.

Release engineering: #Releng issue number

This feature doesn't require coordination with release engineering.

Policies and guidelines: N/A (not needed for this Change)

Trademark approval: N/A (not needed for this Change)

Alignment with Objectives:

Upgrade/compatibility impact

As Crypto Policy support is removed from openssl1.1, applications will need to adjust the configuration files if they contain the line "PROFILE=SYSTEM" according to https://fedoraproject.org/wiki/Packaging:CryptoPolicies

How To Test

Regular application tests should catch the regressions caught by these changes.

User Experience

Dependencies

As we just mark package as deprecated, no dependency changes happen immediately.

Contingency Plan

Revert the shipped configuration

Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
Contingency deadline: N/A (not a System Wide Change)
Blocks release? N/A (not a System Wide Change), Yes/No

Documentation

TBW

Release Notes

@@ Line 1: / Line 1: @@
-{{admon/important | Comments and Explanations | The page source contains comments providing guidance to fill out each section. They are invisible when viewing this page. To read it, choose the "view source" link.<br/> '''Copy the source to a ''new page'' before making changes!  DO NOT EDIT THIS TEMPLATE FOR YOUR CHANGE PROPOSAL.'''}}
-{{admon/tip | Guidance | For details on how to fill out this form, see the [https://docs.fedoraproject.org/en-US/program_management/changes_guide/ documentation].}}
-<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->
 = Deprecate openssl1.1 package =
-{{Change_Proposal_Banner}}
 == Summary ==
 <!-- A sentence or two summarizing what this change is and what it will do. This information is used for the overall changeset summary page for each release. Note that motivation for the change should be in the Benefit to Fedora section below, and this part should answer the question "What?" rather than "Why?". -->
-We are going to deprecate openssl1.1 package, stop shipping the corresponding devel package, and stop respecting crypto policies in openssl1.1 package itself.
+We are going to deprecate openssl1.1 package following the guidelines for deprecated packages:
+https://docs.fedoraproject.org/en-US/packaging-guidelines/deprecating-packages/.
 == Owner ==
@@ Line 27: / Line 20: @@
 == Current status ==
-[[Category:ChangePageIncomplete]]
+[[Category:ChangeAcceptedF37]]
 <!-- When your change proposal page is completed and ready for review and announcement -->
 <!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
@@ Line 44: / Line 37: @@
 ON_QA -> change is fully code complete
 -->
-* FESCo issue: <will be assigned by the Wrangler>
+* [https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org/thread/UVULTXPNVB727L4EYPX66C54WWJA46VB/ Devel list thread]
-* Tracker bug: <will be assigned by the Wrangler>
+* FESCo issue: [https://pagure.io/fesco/issue/2821 #2821]
-* Release notes tracker: <will be assigned by the Wrangler>
+* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=2108694 #2108694]
+* Release notes tracker: [https://pagure.io/fedora-docs/release-notes/issue/863 #863]
 == Detailed Description ==
-In Fedora 36 we switched to OpenSSL 3.0 branch. This is a brand new version with new architecture. We left the openssl1.1 package for the applications that were unable to switch to the new API/architecture, 3rd-party applications, etc. As openssl 1.1 has a predictable EOL, we want to ensure that no new products relying on it will appear in Fedora.
+In Fedora 36 we switched to OpenSSL 3.0 branch. This is a brand new version with new architecture. We left the openssl1.1 package for the applications that were unable to switch to the new API/architecture, 3rd-party applications, etc. As openssl 1.1 has a predictable EOL in 2023, we want to ensure that no new products relying on it will appear in Fedora.
 == Feedback ==
@@ Line 55: / Line 49: @@
 == Benefit to Fedora ==
-This proposal ensures than no new packages in Fedora will rely on the deprecating OpenSSL version that will cause an overall increase of security/stability, and will reduce the amount of old packages relying on OpenSSL 1.1 series.
+This proposal ensures than no new packages in Fedora will rely on the deprecated OpenSSL version that will cause an overall increase of security/stability, and will reduce the amount of old packages relying on OpenSSL 1.1 series.
+It will also reduce the maintenance burden for the OpenSSL maintainers, especially when new CVEs are published.
 == Scope ==
 * Proposal owners:
-# Remove devel package
+# mark package as deprecated
-# eliminate crypto policy support from the main package
 # provide assistance in migration to other developers
 * Other developers: <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 # Patch their packages to work with OpenSSL 3.0
-# For the packages still relying to openssl1.1 the changes implemented according to https://fedoraproject.org/wiki/Packaging:CryptoPolicies (e.g. using "PROFILE=SYSTEM" as default configuration) should be removed.
+# Python 2.7 maintatiners should consider either migration to 3.0 or removing the tls support.
 * Release engineering: [https://pagure.io/releng/issues #Releng issue number] <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
@@ Line 105: / Line 100: @@
 == Dependencies ==
-No packages should depend on openssl1.1-devel packages that is eliminated.
+As we just mark package as deprecated, no dependency changes happen immediately.
 <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 == Contingency Plan ==

Search

Changes/DeprecateOpensslCompat: Difference between revisions