Wiki - https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.

== Summary ==
We disable building the packages using ENGINE API in OpenSSL without
breaking ABI.

== Owner ==
* Name: [[User:Dbelyavs| Dmitry Belyavskiy]]
* Email: dbely...@redhat.com


== Detailed Description ==
We are going to deprecate OpenSSL engine support. Engines are not FIPS
compatible and corresponding API is deprecated since OpenSSL 3.0. The
engine functionality we are aware of (PKCS#11, TPM) is either covered
by providers or will be covered soon.

We don't plan to remove the API from libcrypto.so. We are going to
prevent creating the new packages dependent on OpenSSL ENGINE API and
remove ENGINE dependencies from the existing packages.

During discussion of the previous proposal - to completely remove the
ENGINE API - there were many relevant arguments why it shouldn't be
done. We agree with them but still want to deprecate the ENGINE
support to simplify removing it in the earliest release when it's
feasible.

== Feedback ==


== Benefit to Fedora ==
We get rid of deprecated functionality and enforce using up-to-date
API. Engine support is deprecated in OpenSSL upstream, and after
provider migration caused some deficiencies with engine support. No
new features will be added to engine. So we reduce maintenance burden
and potentially attack surface.

It follows approach planned for CentOS 10.

== Scope ==
* Proposal owners: maintainers of packages enumerated here:
https://clang.fedorapeople.org/c10s-engine-users/ plus probably owners
of some Fedora-only packages

For most of the packages the maintainers will just have to rebuild
their packages after the OpenSSL change lands in compose. For  several
packages some patches should be implemented to prevent compilation
errors.

* Other developers: -

* Release engineering: [https://pagure.io/releng/issues #Releng issue number]
This change probably requires mass-rebuild.


* Policies and guidelines: We need reject/modify packages providing
OpenSSL engines

* Trademark approval: N/A (not needed for this Change)


* Alignment with Community Initiatives:

== Upgrade/compatibility impact ==
None. Users will be encouraged to switch their configurations to use
providers instead but existing engines will continue working.



== How To Test ==
OpenSSL libcrypto.so exports the same ENGINE_* symbols as for f40.
Applications relying on the ENGINE API can't be built but still work.




== User Experience ==
Users will be encouraged to reconfigure systems to providers if they
use engines. No other changes are expected.


== Dependencies ==
In theory, all OpenSSL-dependent packages. In practice, only those
that explicitly use ENGINE api.




== Contingency Plan ==
Returning the engine header file to allow old applications to be built.

* Contingency mechanism: (What to do?  Who will do it?) rebuild
OpenSSL and dependent packages
* Contingency deadline: beta freeze?
* Blocks release? Yes


== Documentation ==
TBD



== Release Notes ==
TBD


-- 
Aoife Moloney

Fedora Operations Architect

Fedora Project

Matrix: @amoloney:fedora.im

IRC: amoloney
--
_______________________________________________
devel-announce mailing list -- devel-annou...@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel-annou...@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to