(→Current status: add devel list thread link) |
m (Add trackers) |
||
(7 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
= Deprecate openssl1.1 package = | = Deprecate openssl1.1 package = | ||
== Summary == | == Summary == | ||
<!-- A sentence or two summarizing what this change is and what it will do. This information is used for the overall changeset summary page for each release. Note that motivation for the change should be in the Benefit to Fedora section below, and this part should answer the question "What?" rather than "Why?". --> | <!-- A sentence or two summarizing what this change is and what it will do. This information is used for the overall changeset summary page for each release. Note that motivation for the change should be in the Benefit to Fedora section below, and this part should answer the question "What?" rather than "Why?". --> | ||
We are going to deprecate openssl1.1 package | We are going to deprecate openssl1.1 package following the guidelines for deprecated packages: | ||
https://docs.fedoraproject.org/en-US/packaging-guidelines/deprecating-packages/. | |||
== Owner == | == Owner == | ||
Line 27: | Line 20: | ||
== Current status == | == Current status == | ||
[[Category: | [[Category:ChangeAcceptedF37]] | ||
<!-- When your change proposal page is completed and ready for review and announcement --> | <!-- When your change proposal page is completed and ready for review and announcement --> | ||
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | <!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | ||
Line 45: | Line 38: | ||
--> | --> | ||
* [https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org/thread/UVULTXPNVB727L4EYPX66C54WWJA46VB/ Devel list thread] | * [https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org/thread/UVULTXPNVB727L4EYPX66C54WWJA46VB/ Devel list thread] | ||
* FESCo issue: | * FESCo issue: [https://pagure.io/fesco/issue/2821 #2821] | ||
* Tracker bug: | * Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=2108694 #2108694] | ||
* Release notes tracker: | * Release notes tracker: [https://pagure.io/fedora-docs/release-notes/issue/863 #863] | ||
== Detailed Description == | == Detailed Description == | ||
In Fedora 36 we switched to OpenSSL 3.0 branch. This is a brand new version with new architecture. We left the openssl1.1 package for the applications that were unable to switch to the new API/architecture, 3rd-party applications, etc. As openssl 1.1 has a predictable EOL, we want to ensure that no new products relying on it will appear in Fedora. | In Fedora 36 we switched to OpenSSL 3.0 branch. This is a brand new version with new architecture. We left the openssl1.1 package for the applications that were unable to switch to the new API/architecture, 3rd-party applications, etc. As openssl 1.1 has a predictable EOL in 2023, we want to ensure that no new products relying on it will appear in Fedora. | ||
== Feedback == | == Feedback == | ||
Line 62: | Line 55: | ||
== Scope == | == Scope == | ||
* Proposal owners: | * Proposal owners: | ||
# | # mark package as deprecated | ||
# provide assistance in migration to other developers | # provide assistance in migration to other developers | ||
* Other developers: <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | * Other developers: <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
# Patch their packages to work with OpenSSL 3.0 | # Patch their packages to work with OpenSSL 3.0 | ||
# | # Python 2.7 maintatiners should consider either migration to 3.0 or removing the tls support. | ||
* Release engineering: [https://pagure.io/releng/issues #Releng issue number] <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | * Release engineering: [https://pagure.io/releng/issues #Releng issue number] <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
Line 108: | Line 100: | ||
== Dependencies == | == Dependencies == | ||
As we just mark package as deprecated, no dependency changes happen immediately. | |||
<!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
== Contingency Plan == | == Contingency Plan == |
Latest revision as of 17:37, 19 July 2022
Deprecate openssl1.1 package
Summary
We are going to deprecate openssl1.1 package following the guidelines for deprecated packages: https://docs.fedoraproject.org/en-US/packaging-guidelines/deprecating-packages/.
Owner
- Name: Dmitry Belyavskiy
- Email: dbelyavs@redhat.com
Current status
- Targeted release: Fedora Linux 37
- Last updated: 2022-07-19
- Devel list thread
- FESCo issue: #2821
- Tracker bug: #2108694
- Release notes tracker: #863
Detailed Description
In Fedora 36 we switched to OpenSSL 3.0 branch. This is a brand new version with new architecture. We left the openssl1.1 package for the applications that were unable to switch to the new API/architecture, 3rd-party applications, etc. As openssl 1.1 has a predictable EOL in 2023, we want to ensure that no new products relying on it will appear in Fedora.
Feedback
Benefit to Fedora
This proposal ensures than no new packages in Fedora will rely on the deprecated OpenSSL version that will cause an overall increase of security/stability, and will reduce the amount of old packages relying on OpenSSL 1.1 series.
It will also reduce the maintenance burden for the OpenSSL maintainers, especially when new CVEs are published.
Scope
- Proposal owners:
- mark package as deprecated
- provide assistance in migration to other developers
- Other developers:
- Patch their packages to work with OpenSSL 3.0
- Python 2.7 maintatiners should consider either migration to 3.0 or removing the tls support.
- Release engineering: #Releng issue number
This feature doesn't require coordination with release engineering.
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives:
Upgrade/compatibility impact
As Crypto Policy support is removed from openssl1.1, applications will need to adjust the configuration files if they contain the line "PROFILE=SYSTEM" according to https://fedoraproject.org/wiki/Packaging:CryptoPolicies
How To Test
Regular application tests should catch the regressions caught by these changes.
User Experience
Dependencies
As we just mark package as deprecated, no dependency changes happen immediately.
Contingency Plan
Revert the shipped configuration
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), Yes/No
Documentation
TBW