I support deprecating openssl1.1. We definitely shouldn’t be adding any new packages that depend on it.

However, dropping the -devel package is almost as drastic as simply retiring the OpenSSL 1.1 package altogether. Grepping spec files for 'BuildRequires:.*openssl1' turns up the following packages that would immediately FTBFS:

- anope
- baresip
- botan2
- ceph
- chatty
- dotnet3.1
- dsniff
- eggdrop
- erlang
- kf5-kdelibs4support
- libasr
- libqxt-qt5
- libre
- libretls
- lua-sec
- nginx
- nodejs
- opensmtpd
- partclone
- pypy3.8
- pypy
- python2.7
- python3.6
- python3.7
- python-uamqp
- qt
- radsecproxy
- rpki-client
- ssldump
- tcltls
- thc-ipv6
- unrealircd
- w3m
- znc

Some of these have pretty large trees of dependent packages. I don’t think we’re ready for all of these packages to go FTBFS, preventing them from rebuilding or providing updates, until somebody figures out how to port them to OpenSSL 3.0. In a lot of cases, the maintainers of these packages in Fedora won’t be able to develop the necessary patches alone, so dropping the -devel packages would be playing hardball with the wrong people.

I’m sympathetic to the importance of retaining momentum toward openssl1.1 retirement rather than letting the compatibility package linger indefinitely, but I think right now—nine months after OpenSSL 3.0 was released—this momentum should be in the form of *assisting* these maintainers and upstreams in porting their packages, rather than in the form of forcing them to figure out an emergency patch.

In general, omitting -devel packages as an intermediate step between deprecation and retirement is not a practice I would like to see proliferate in Fedora. Packages that can be used but not built from source are defects in an open distribution, and we should avoid creating them intentionally.

– Ben Beasley

On 6/24/22 05:19, Daniel P. Berrangé wrote:
On Fri, Jun 24, 2022 at 11:13:13AM +0200, Dmitry Belyavskiy wrote:
On Wed, Jun 22, 2022 at 11:02 PM Miro Hrončok <mhron...@redhat.com> wrote:

On 22. 06. 22 21:05, Vipul Siddharth wrote:
We are going to deprecate openssl1.1 package, stop shipping the
corresponding devel package, and stop respecting crypto policies in
openssl1.1 package itself.

+1 to deprecating it

Great!

-1 to stop shipping the devel package, this would mean we cannot build at
least:

- Python 2.7
    despite our long term efforts, many things still need that, e.g. gimp, firefox (some builds do, then some don't), thunderbird etc., see https://fedora.portingdb.xyz/

Or Python 3.6 (shipped for developers targeting RHEL 7/8).

As long as OpenSSL 1.1 gets security fixes in RHEL 8, could we please leave the devel package?

I'm not sure that if we don't remove the devel package, we will provide
strong enough motivation to get rid of the deprecating packages.

If the openssl maintainers really strongly want to remove the
devel package, then don't call this deprecation because that
is misleading. Call this purging openssl1.1 from the entire
distro, such that it can only be used by 3rd party apps who
have previously compiled against older Fedora openssl-devel.
Be open about the fact that this will cause FTBFS for any Fedora
packages that still use openssl1 and their removal from the
distro if they can't port to openssl3 very quickly.

With regards,
Daniel
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org