From Fedora Project Wiki

Revision as of 17:31, 19 July 2022 by Bcotton (talk | contribs) (Change approved by FESCo)

Deprecate openssl1.1 package

Summary

We are going to deprecate openssl1.1 package following the guidelines for deprecated packages: https://docs.fedoraproject.org/en-US/packaging-guidelines/deprecating-packages/.

Owner


Current status

  • Targeted release: Fedora Linux 37
  • Last updated: 2022-07-19
  • Devel list thread
  • FESCo issue: #2821
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

In Fedora 36 we switched to OpenSSL 3.0 branch. This is a brand new version with new architecture. We left the openssl1.1 package for the applications that were unable to switch to the new API/architecture, 3rd-party applications, etc. As openssl 1.1 has a predictable EOL in 2023, we want to ensure that no new products relying on it will appear in Fedora.

Feedback

Benefit to Fedora

This proposal ensures than no new packages in Fedora will rely on the deprecated OpenSSL version that will cause an overall increase of security/stability, and will reduce the amount of old packages relying on OpenSSL 1.1 series.

It will also reduce the maintenance burden for the OpenSSL maintainers, especially when new CVEs are published.

Scope

  • Proposal owners:
  1. mark package as deprecated
  2. provide assistance in migration to other developers
  • Other developers:
  1. Patch their packages to work with OpenSSL 3.0
  2. Python 2.7 maintatiners should consider either migration to 3.0 or removing the tls support.

This feature doesn't require coordination with release engineering.

  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives:

Upgrade/compatibility impact

As Crypto Policy support is removed from openssl1.1, applications will need to adjust the configuration files if they contain the line "PROFILE=SYSTEM" according to https://fedoraproject.org/wiki/Packaging:CryptoPolicies



How To Test

Regular application tests should catch the regressions caught by these changes.


User Experience

Dependencies

As we just mark package as deprecated, no dependency changes happen immediately.


Contingency Plan

Revert the shipped configuration

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No


Documentation

TBW

Release Notes