From Fedora Project Wiki
(Announcing the change proposal)
No edit summary
Line 46: Line 46:
* Other developers: Dependent package owners rebuild their packages. Most of the dependencies will not require code changes but for some more fragile dependencies (mostly language bindings) there might be changes needed especially in the test cases which depend on some legacy behavior.
* Other developers: Dependent package owners rebuild their packages. Most of the dependencies will not require code changes but for some more fragile dependencies (mostly language bindings) there might be changes needed especially in the test cases which depend on some legacy behavior.


* Release engineering: [https://pagure.io/releng/issues #Releng issue number] If compat package is provided a mass rebuild should not be necessary.
* Release engineering: [https://pagure.io/releng/issue/9390 Releng issue #9390] If compat package is provided a mass rebuild should not be necessary.
<!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)?  Is a mass rebuild required?  include a link to the releng issue.  
<!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)?  Is a mass rebuild required?  include a link to the releng issue.  
The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing, and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication -->
The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing, and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication -->

Revision as of 08:15, 8 April 2020

OpenSSL3.0

Summary

The OpenSSL package is rebased to version 3.0 and the dependent packages are rebuilt.

Owner

Current status

  • Targeted release: Fedora 33
  • Last updated: 2020-04-08
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

The OpenSSL 3.0 release is going to be a significantly new release with changed ABI however with minimal API changes. That means most of the dependent packages will need just a rebuild to work with the new OpenSSL package. However (at least temporarily) a compat-openssl11 package will be provided along the base package so the operation of the Rawhide is not disrupted.

The OpenSSL 3.0 is still in development now but a first beta release should be done in June. After that time the work on the rebase will start and it should be possible to finish it still with a beta releases. Later releases up to the final one should not be disruptive and they should not break API/ABI.

Benefit to Fedora

This change introduces OpenSSL 3.0 with its significantly reworked internals which allow for better replacement of the crypto implementations via the Crypto Providers concept.

Scope

  • Proposal owners: Provide a compat-openssl11 package, identify dependent packages, provide the rebased openssl package, work with dependent package owners on rebuilds.
  • Other developers: Dependent package owners rebuild their packages. Most of the dependencies will not require code changes but for some more fragile dependencies (mostly language bindings) there might be changes needed especially in the test cases which depend on some legacy behavior.
  • Release engineering: Releng issue #9390 If compat package is provided a mass rebuild should not be necessary.
  • Policies and guidelines: No update of packaging guidelines or other policies should be needed.
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

If compat-openssl11 package is provided there should be no issues with upgrades.

How To Test

If your application uses OpenSSL to communicate via TLS or perform other tasks that use cryptographic algorithms from OpenSSL, please test whether it continues to work properly. This should be covered by the comprehensive upstream testsuite of OpenSSL. However many dependent packages also provide good test coverage of OpenSSL functionality.

User Experience

There should be no impact on end-user experience.

Dependencies

There are many packages which depend on libssl or libcrypto from OpenSSL. Most of them should just work after rebuild with the new openssl package. However it is also not critically needed to rebuild everything at once if compat library compat-openssl11 package is provided.

Contingency Plan

If the openssl-3.0 is too unstable before the branching point of Fedora 33 we will not update the package and delay the change to Fedora 34.

If the openssl is already updated but it is found out to be too unstable later we can revert to previous version however a rebuild of all dependencies that were already rebuilt will be needed.

  • Contingency mechanism: Revert package, rebuild updated dependencies.
  • Contingency deadline: Before release
  • Blocks release? No
  • Blocks product? No

Documentation

OpenSSL 3.0 upstream design document

OpenSSL 3.0 release schedule

Release Notes

Fedora 33 comes with OpenSSL 3.0 as the primary OpenSSL package. It brings support for Crypto Providers interface.