Revision as of 15:22, 17 October 2023

Removing OpenSSL 1.1 package

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

We are going to remove the openssl11 package from Fedora 40.

Owner

Name: Dmitry Belyavskiy

Email: dbelyavs@redhat.com

Current status

Targeted release: Fedora Linux 40
Last updated: 2023-10-17
[<will be assigned by the Wrangler> devel thread]
FESCo issue: <will be assigned by the Wrangler>
Tracker bug: <will be assigned by the Wrangler>
Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

In Fedora 36 we switched to OpenSSL 3.0 branch. This is a brand new version with new architecture. We left the openssl1.1 package for the applications that were unable to switch to the new API/architecture, 3rd-party applications, etc. The package was marked as deprecated in F37.

OpenSSL 1.1.1 has reached EOL in September 2023. We want to remove it from Fedora.

Feedback

Benefit to Fedora

This proposal ensures than no new packages in Fedora will use the deprecated OpenSSL version that will cause an overall increase of security/stability.

It will also reduce the maintenance burden for the OpenSSL maintainers, especially when new CVEs are published.

Scope

Proposal owners: provide assistance in migration to other developers.

Other developers: Patch their packages to work with OpenSSL 3.0.

Release engineering: This feature doesn't require coordination with release engineering.

Policies and guidelines: N/A (not needed for this Change)

Trademark approval: N/A (not needed for this Change)

Alignment with Community Initiatives:

Upgrade/compatibility impact

3rd-party packages depending on OpenSSL 1.1.1 should be replaced with new versions using new OpenSSL 3.0+.

How To Test

OpenSSL 1.1 should not be available to install from Fedora repository. No packages should depend on OpenSSL 1.1.1.

User Experience

Shouldn't be affected.

Dependencies

We have found at least the following packages depending on OpenSSL 1.1:

gloo-0.5.0^git20230824.01a0c81-6.fc40.src.rpm
opensmtpd-6.8.0p2-12.fc39.src.rpm
python3.6-3.6.15-20.fc39.src.rpm

Contingency Plan

None.

Contingency mechanism: (What to do? Who will do it?) Package owners should update their packages to remove the dependency
Contingency deadline: beta freeze
Blocks release? Yes

Documentation

Should be mentioned in Release Notes.

Release Notes

openssl1.1 package is removed and should not be used by any packages.

@@ Line 1: / Line 1: @@
-{{admon/important | Comments and Explanations | The page source contains comments providing guidance to fill out each section. They are invisible when viewing this page. To read it, choose the "view source" link.<br/> '''Copy the source to a ''new page'' before making changes!  DO NOT EDIT THIS TEMPLATE FOR YOUR CHANGE PROPOSAL.'''}}
-{{admon/tip | Guidance | For details on how to fill out this form, see the [https://docs.fedoraproject.org/en-US/program_management/changes_guide/ documentation].}}
-{{admon/tip | Report issues | To report an issue with this template, file an issue in the [https://pagure.io/fedora-pgm/pgm_docs pgm_docs repo].}}
 <!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->
-= Change Proposal Name Removing OpenSSL 1.1 package =
+= Removing OpenSSL 1.1 package =
 {{Change_Proposal_Banner}}
@@ Line 13: / Line 7: @@
 == Summary ==
 <!-- A sentence or two summarizing what this change is and what it will do. This information is used for the overall changeset summary page for each release. Note that motivation for the change should be in the Benefit to Fedora section below, and this part should answer the question "What?" rather than "Why?". -->
-We are going to remove the openssl11 package from Fedora 40
+We are going to remove the openssl11 package from Fedora 40.
 == Owner ==
@@ Line 61: / Line 55: @@
 == Scope ==
-* Proposal owners:
+* Proposal owners: provide assistance in migration to other developers.
-  provide assistance in migration to other developers
-* Other developers: <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
+* Other developers: Patch their packages to work with OpenSSL 3.0.
-  Patch their packages to work with OpenSSL 3.0
-* Release engineering: [https://pagure.io/releng/issues #Releng issue number] <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
+* Release engineering: This feature doesn't require coordination with release engineering.
-This feature doesn't require coordination with release engineering.
 * Policies and guidelines: N/A (not needed for this Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
@@ Line 77: / Line 68: @@
 == Upgrade/compatibility impact ==
-rd-party packages depending on OpenSSL 1.1.1 should be replaced with new versions using new OpenSSL 3.0+
+rd-party packages depending on OpenSSL 1.1.1 should be replaced with new versions using new OpenSSL 3.0+.
 == How To Test ==
-OpenSSL 1.1 should not be available to install from Fedora repository.
+OpenSSL 1.1 should not be available to install from Fedora repository. No packages should depend on OpenSSL 1.1.1.
-No packages should depend on OpenSSL 1.1.1
 == User Experience ==
-Shouldn't be affected
+Shouldn't be affected.
 == Dependencies ==
 We have found at least the following packages depending on OpenSSL 1.1:
-gloo-0.5.0^git20230824.01a0c81-6.fc40.src.rpm
+* gloo-0.5.0^git20230824.01a0c81-6.fc40.src.rpm
-opensmtpd-6.8.0p2-12.fc39.src.rpm
+* opensmtpd-6.8.0p2-12.fc39.src.rpm
-python3.6-3.6.15-20.fc39.src.rpm
+* python3.6-3.6.15-20.fc39.src.rpm
 == Contingency Plan ==
@@ Line 102: / Line 92: @@
 == Documentation ==
-Should be mentioned in Release Notes
+Should be mentioned in Release Notes.
 == Release Notes ==

Search

Changes/RemoveOpensslCompat: Difference between revisions