Removing OpenSSL 1.1 package
Summary
We are going to remove the openssl11 package from Fedora 40.
Owner
- Name: Dmitry Belyavskiy
- Email: dbelyavs@redhat.com
Current status
- Targeted release: Fedora Linux 40
- Last updated: 2024-01-05
- Announced
- Discussion thread
- FESCo issue: #3101
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
In Fedora 36 we switched to OpenSSL 3.0 branch. This is a brand new version with new architecture. We left the openssl1.1 package for the applications that were unable to switch to the new API/architecture, 3rd-party applications, etc. The package was marked as deprecated in F37.
OpenSSL 1.1.1 has reached EOL in September 2023. We want to remove it from Fedora.
Feedback
Benefit to Fedora
This proposal ensures than no new packages in Fedora will use the deprecated OpenSSL version that will cause an overall increase of security/stability.
It will also reduce the maintenance burden for the OpenSSL maintainers, especially when new CVEs are published.
Scope
- Proposal owners: provide assistance in migration to other developers.
- Other developers: Patch their packages to work with OpenSSL 3.0.
- Release engineering: This feature doesn't require coordination with release engineering.
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Community Initiatives:
Upgrade/compatibility impact
3rd-party packages depending on OpenSSL 1.1.1 should be replaced with new versions using new OpenSSL 3.0+.
How To Test
OpenSSL 1.1 should not be available to install from Fedora repository. No packages should depend on OpenSSL 1.1.1.
User Experience
Shouldn't be affected.
Dependencies
We have found at least the following packages depending on OpenSSL 1.1:
- chatty-0:0.8.0-1.fc40.src.rpm
- gloo-0.5.0^git20230824.01a0c81-6.fc40.src.rpm
- opensmtpd-6.8.0p2-12.fc39.src.rpm
- python3.6-3.6.15-20.fc39.src.rpm
Contingency Plan
None. We don't have a reason to maintain openssl1.1 anymore.
Formally we could return openssl1.1 back to distro as a contingency plan.
- Contingency mechanism: (What to do? Who will do it?) Package owners should update their packages to remove the dependency
- Contingency deadline: beta freeze
- Blocks release? Yes
Documentation
Should be mentioned in Release Notes.
Release Notes
openssl1.1 package is removed and should not be used by any packages.