RE: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-07-18 Thread Stewart Smith via devel
Ben Beasley  writes:
> I support deprecating openssl1.1. We definitely shouldn’t be adding any
> new packages that depend on it.
>
> However, dropping the -devel package is almost as drastic as simply
> retiring the OpenSSL 1.1 package altogether. Grepping spec files for
> 'BuildRequires:.*openssl1' turns up the following packages that would
> immediately FTBFS:
>
> - anope
> - baresip
> - botan2
> - ceph
> - chatty
> - dotnet3.1
> - dsniff
> - eggdrop
> - erlang
> - kf5-kdelibs4support
> - libasr
> - libqxt-qt5
> - libre
> - libretls
> - lua-sec
> - nginx

The openssl11-devel BuildRequires in nginx is in a conditional and has
been building with OpenSSL 3 for a while.

%if 0%{?fedora} || 0%{?rhel} >= 8
BuildRequires: openssl-devel
%else
BuildRequires: openssl11-devel
%endif


> - nodejs

Similarly for nodejs, openssl11 is conditional on building for RHEL.
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-07-18 Thread Miro Hrončok

On 23. 06. 22 19:13, Miro Hrončok wrote:
> $ comm -23 <(repoquery -q --repo=rawhide{,-source} --whatrequires openssl1.1-devel | grep src$ | sort) \
>     <(repoquery -q --repo=rawhide{,-source} --whatrequires openssl-devel | grep src$ | sort)
>
> ...
> pypy-0:7.3.9-1.fc37.src

https://foss.heptapod.net/pypy/pypy/-/issues/3643
https://src.fedoraproject.org/rpms/pypy/pull-request/30

> pypy3.7-0:7.3.9-1.3.7.fc37.src

https://src.fedoraproject.org/rpms/pypy3.7/pull-request/28

> pypy3.8-0:7.3.9-1.3.8.fc37.src

https://src.fedoraproject.org/rpms/pypy3.8/pull-request/18

> python-uamqp-0:1.5.3-2.fc37.src

https://src.fedoraproject.org/rpms/python-uamqp/pull-request/1

> python2.7-0:2.7.18-22.fc37.src

https://src.fedoraproject.org/rpms/python2.7/pull-request/36

> python3.6-0:3.6.15-9.fc37.src
> python3.7-0:3.7.13-2.fc37.src

TBD

--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-07-01 Thread Charalampos Stratakis
On Fri, Jul 1, 2022 at 5:12 PM Charalampos Stratakis 
wrote:

>
>
> On Fri, Jul 1, 2022 at 4:54 PM Christian Heimes 
> wrote:
>
>> Here you are, have fun!
>>
>>
>> https://github.com/python/cpython/compare/2.7...tiran:cpython:2.7.18-openssl3?expand=1
>>
>> $ ./python -c "import sys; print sys.version"
>> 2.7.18 (heads/2.7.18-openssl3:a2e3d7995ce, Jul  1 2022, 16:51:37)
>> [GCC 12.1.1 20220507 (Red Hat 12.1.1-1)]
>>
>> $ ./python Lib/test/ssltests.py
>> OpenSSL 3.0.3 3 May 2022
>> Using random seed 4979488
>> Run tests sequentially
>> 0:00:00 load avg: 1.64 [ 1/13] test_ensurepip
>> 0:00:00 load avg: 1.64 [ 2/13] test_ssl
>> 0:00:07 load avg: 2.33 [ 3/13] test_hmac
>> 0:00:07 load avg: 2.33 [ 4/13] test_ftplib
>> 0:00:08 load avg: 2.33 [ 5/13] test_urllib2_localnet
>> 0:00:09 load avg: 2.33 [ 6/13] test_smtplib
>> 0:00:09 load avg: 2.33 [ 7/13] test_smtpnet
>> 0:00:10 load avg: 2.33 [ 8/13] test_hashlib
>> 0:00:10 load avg: 2.33 [ 9/13] test_httplib
>> 0:00:12 load avg: 2.14 [10/13] test_xmlrpc
>> 0:00:15 load avg: 2.14 [11/13] test_imaplib
>> Resource 'cyrus.andrew.cmu.edu' is not available
>> Resource 'cyrus.andrew.cmu.edu' is not available
>> Resource 'cyrus.andrew.cmu.edu' is not available
>> Resource 'cyrus.andrew.cmu.edu' is not available
>> Resource 'cyrus.andrew.cmu.edu' is not available
>> Resource 'cyrus.andrew.cmu.edu' is not available
>> 0:00:16 load avg: 2.13 [12/13] test_poplib
>> 0:00:18 load avg: 2.13 [13/13] test_nntplib
>>
>> == Tests result: SUCCESS ==
>>
>> All 13 tests OK.
>>
>> Total duration: 18 sec 495 ms
>> Tests result: SUCCESS
>
> Will try it and do an impact check for the packages depending on python2.7.
>
> --
> Regards,
>
> Charalampos Stratakis
> Senior Software Engineer
> Python Maintenance Team, Red Hat
>

Draft PR: https://src.fedoraproject.org/rpms/python2.7/pull-request/36

Copr impact check:
https://copr.fedorainfracloud.org/coprs/cstratak/python2.7-openssl3/builds/

I won't have time to get back to it till late next week, however there are
instructions in copr for getting the mock config for anyone who wants to
experiment.

-- 
Regards,

Charalampos Stratakis
Senior Software Engineer
Python Maintenance Team, Red Hat


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-07-01 Thread Charalampos Stratakis
On Fri, Jul 1, 2022 at 4:54 PM Christian Heimes  wrote:

> Here you are, have fun!
>
>
> https://github.com/python/cpython/compare/2.7...tiran:cpython:2.7.18-openssl3?expand=1
>
> $ ./python -c "import sys; print sys.version"
> 2.7.18 (heads/2.7.18-openssl3:a2e3d7995ce, Jul  1 2022, 16:51:37)
> [GCC 12.1.1 20220507 (Red Hat 12.1.1-1)]
>
> $ ./python Lib/test/ssltests.py
> OpenSSL 3.0.3 3 May 2022
> Using random seed 4979488
> Run tests sequentially
> 0:00:00 load avg: 1.64 [ 1/13] test_ensurepip
> 0:00:00 load avg: 1.64 [ 2/13] test_ssl
> 0:00:07 load avg: 2.33 [ 3/13] test_hmac
> 0:00:07 load avg: 2.33 [ 4/13] test_ftplib
> 0:00:08 load avg: 2.33 [ 5/13] test_urllib2_localnet
> 0:00:09 load avg: 2.33 [ 6/13] test_smtplib
> 0:00:09 load avg: 2.33 [ 7/13] test_smtpnet
> 0:00:10 load avg: 2.33 [ 8/13] test_hashlib
> 0:00:10 load avg: 2.33 [ 9/13] test_httplib
> 0:00:12 load avg: 2.14 [10/13] test_xmlrpc
> 0:00:15 load avg: 2.14 [11/13] test_imaplib
> Resource 'cyrus.andrew.cmu.edu' is not available
> Resource 'cyrus.andrew.cmu.edu' is not available
> Resource 'cyrus.andrew.cmu.edu' is not available
> Resource 'cyrus.andrew.cmu.edu' is not available
> Resource 'cyrus.andrew.cmu.edu' is not available
> Resource 'cyrus.andrew.cmu.edu' is not available
> 0:00:16 load avg: 2.13 [12/13] test_poplib
> 0:00:18 load avg: 2.13 [13/13] test_nntplib
>
> == Tests result: SUCCESS ==
>
> All 13 tests OK.
>
> Total duration: 18 sec 495 ms
> Tests result: SUCCESS

Will try it and do an impact check for the packages depending on python2.7.

-- 
Regards,

Charalampos Stratakis
Senior Software Engineer
Python Maintenance Team, Red Hat


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-07-01 Thread Christian Heimes
Here you are, have fun!

https://github.com/python/cpython/compare/2.7...tiran:cpython:2.7.18-openssl3?expand=1

$ ./python -c "import sys; print sys.version"
2.7.18 (heads/2.7.18-openssl3:a2e3d7995ce, Jul  1 2022, 16:51:37) 
[GCC 12.1.1 20220507 (Red Hat 12.1.1-1)]

$ ./python Lib/test/ssltests.py 
OpenSSL 3.0.3 3 May 2022
Using random seed 4979488
Run tests sequentially
0:00:00 load avg: 1.64 [ 1/13] test_ensurepip
0:00:00 load avg: 1.64 [ 2/13] test_ssl
0:00:07 load avg: 2.33 [ 3/13] test_hmac
0:00:07 load avg: 2.33 [ 4/13] test_ftplib
0:00:08 load avg: 2.33 [ 5/13] test_urllib2_localnet
0:00:09 load avg: 2.33 [ 6/13] test_smtplib
0:00:09 load avg: 2.33 [ 7/13] test_smtpnet
0:00:10 load avg: 2.33 [ 8/13] test_hashlib
0:00:10 load avg: 2.33 [ 9/13] test_httplib
0:00:12 load avg: 2.14 [10/13] test_xmlrpc
0:00:15 load avg: 2.14 [11/13] test_imaplib
Resource 'cyrus.andrew.cmu.edu' is not available
Resource 'cyrus.andrew.cmu.edu' is not available
Resource 'cyrus.andrew.cmu.edu' is not available
Resource 'cyrus.andrew.cmu.edu' is not available
Resource 'cyrus.andrew.cmu.edu' is not available
Resource 'cyrus.andrew.cmu.edu' is not available
0:00:16 load avg: 2.13 [12/13] test_poplib
0:00:18 load avg: 2.13 [13/13] test_nntplib

== Tests result: SUCCESS ==

All 13 tests OK.

Total duration: 18 sec 495 ms
Tests result: SUCCESS


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-07-01 Thread Christian Heimes
> Hi Richard,
> porting Python 2.7 to openssl 3.0 doesn't really make sense to me.
> 
> We ship Python 2.7 so that developers can test code that needs to work 
> on Python 2.7 in various deployments like old CentOS/RHEL/etc. Fedora 
> aims to be a developer-friendly distro and so we want to provide the 
> tools to do that. Even if it's possible to port Python 2.7 to openssl 
> 3.0 safely with reasonable effort, which I doubt, it would lead to a 
> different Python 2.7, which would no longer work as a testing ground for 
> people developing for old deployments.

Hi Tomáš,

Charalampos pinged me and asked me to look into this thread. For those who are 
not familiar with me, I'm a CPython core developer and primary maintainer of 
the ssl and hashlib module. In the past I have ported Python to OpenSSL 1.1.0 
and OpenSSL 3.0.

At first I also thought that it would be a lot of work to port Python 2.7 to 
OpenSSL 3.0. It turns out that most tests are actually passing. The Debian 
downstream patches address the remaining issue. 

- https://salsa.debian.org/cpython-team/python2/-/blob/master/debian/patches/openssl3-compatibility.diff
  fixes version number comparison and a different representation of IPv6
  addresses in 3.0.
- https://salsa.debian.org/cpython-team/python2/-/blob/master/debian/patches/openssl3-data.diff
  fixes error messages. OpenSSL 3.0 uses different error numbers than 1.1.
- https://salsa.debian.org/cpython-team/python2/-/blob/master/debian/patches/openssl3-load-verify-error.diff
  fixes a problem with error handling when loading certs
- https://salsa.debian.org/cpython-team/python2/-/blob/master/debian/patches/openssl3-version.diff
  resolves another issue with version number formats

All four patches are originally written by me and covered by PSF license.

- https://salsa.debian.org/cpython-team/python2/-/blob/master/debian/patches/openssl3-tests-tlsv1.diff
  changes tests to use latest TLS version instead of TLS 1.0. The change is
  based on another upstream change by me.

You also have to disable openssl/opensslv.h parsing in setup.py. The code is 
not clever enough to understand OpenSSL 3.0's opensslv.h.

In my humble opinion this would make Python 2.7 work sufficient enough with 
OpenSSL 3.0. I wouldn't trust it with mission critical production code. But 
it's ok enough for CI. Yes, Python 2.7 with OpenSSL 3.0 will behave differently 
than Python 2.7 with OpenSSL 1.1.1, e.g. some old ciphers and TLS versions may 
not work. But that's ok. Nobody should use TLS 1.0 in 2022 any more.

Anyhow it is still too early to drop openssl1.1-devel in Fedora 37. I recommend 
to mark it as deprecated in F37 and drop it in a later release.

Christian
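
The version-number mismatch that the compatibility patches above deal with, as an added example that is not part of this message and not CPython's code. Function names are hypothetical; 0x30000030 is the value that decodes to the (3, 0, 0, 3, 0) tuple quoted elsewhere in the thread, the 1.1.1n sample is constructed, and the "legacy check" is an assumed form of a 1.x-era comparison.

```python
# Added illustration: why a consumer written for OpenSSL 1.x misreads the
# OpenSSL 3 version number. Helper names are hypothetical.


def decode_legacy(n):
    """Split n as 0xMNNFFPPS (OpenSSL 1.x layout).

    Returns (major, minor, fix, patch, status). In 1.x the patch byte
    carries the release letter (1 = 'a', 2 = 'b', ...) and status 0xf
    marks a release build.
    """
    return (
        (n >> 28) & 0xF,
        (n >> 20) & 0xFF,
        (n >> 12) & 0xFF,
        (n >> 4) & 0xFF,
        n & 0xF,
    )


def decode_v3(n):
    """Split n as 0xMNN00PP0 (OpenSSL 3 layout): (major, minor, patch).

    The byte that used to hold 'fix' is always zero, and the third
    component of the dotted version now lives in the old patch byte.
    """
    return ((n >> 28) & 0xF, (n >> 20) & 0xFF, (n >> 4) & 0xFF)


def version_text(n):
    """Dotted version string implied by n, choosing the layout by major."""
    if (n >> 28) & 0xF >= 3:
        return "%d.%d.%d" % decode_v3(n)
    major, minor, fix, patch, _status = decode_legacy(n)
    # Letter suffixes past 'z' (very old releases) are not handled here.
    letter = chr(ord("a") + patch - 1) if patch else ""
    return "%d.%d.%d%s" % (major, minor, fix, letter)


def legacy_check(version_string, n):
    """Assumed 1.x-era check: banner starts with major.minor.fix."""
    major, minor, fix = decode_legacy(n)[:3]
    return version_string.startswith("OpenSSL %d.%d.%d" % (major, minor, fix))


def layout_aware_check(version_string, n):
    """Same check, but decoding n with the layout its major version uses."""
    return version_string.startswith("OpenSSL " + version_text(n) + " ")


# (banner, version number) pairs. The first banner is the one in the
# thread's traceback; the second pair is a constructed 1.1.1 sample.
SAMPLES = [
    ("OpenSSL 3.0.3 3 May 2022", 0x30000030),
    ("OpenSSL 1.1.1n  15 Mar 2022", 0x101010EF),
]


def report():
    """Return one row per sample: banner, legacy tuple, both check results."""
    rows = []
    for banner, number in SAMPLES:
        rows.append((
            banner,
            decode_legacy(number),
            legacy_check(banner, number),
            layout_aware_check(banner, number),
        ))
    return rows


if __name__ == "__main__":
    for row in report():
        print(row)
```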


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-30 Thread Robbie Harwood
Charalampos Stratakis  writes:

> So I presume then that python2.7 in Debian works flawlessly with
> OpenSSL 3.0.0, no regressions, no security issues and no ABI problems
> right?

I'm hearing hostility from you and I don't know why.  From your sarcasm,
I take it to mean that no, you haven't looked.

So my original question of "can we adapt this to Fedora" still stands.
I'm confused that you're asking me to do this legwork for you, given I
neither represent Debian in any way nor am I a Python developer, but
since it's not hard to check...

https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no=python2.7
here is the Debian bugtracker for python2.7.  The only openssl bug
present there is
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954418 (i.e., upstream
https://bugs.python.org/issue40018 ) which, as it affects python3
versions as well, isn't relevant to this discussion.

https://salsa.debian.org/cpython-team/python2/-/tree/master/debian/patches
here are the patches Debian carries for python2.7.  All but one of them
are backports from upstream, mostly by Christian Heimes.  Commit logs say
that the backport was performed by Stefano Rivera, and applied by Matthias
Klose.  If it were me in your shoes, I would ask them how
things have gone and for any pointers in potentially applying the
backport yourself.

Be well,
--Robbie




Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-30 Thread Richard W.M. Jones
On Thu, Jun 30, 2022 at 01:52:34PM -0400, Demi Marie Obenour wrote:
> On 6/30/22 13:11, Charalampos Stratakis wrote:
> > So I presume then that python2.7 in Debian works flawlessly with OpenSSL
> > 3.0.0, no regressions, no security issues and no ABI problems right?
>
> What about stubbing out all networking in Python 2.7?  I believe
> that the only users of Python 2.7 in Fedora are various build
> scripts, and those are all entirely offline.  If so, nothing would
> break if the ssl module was replaced by a stub module that threw an
> exception when any of its functions was called.  Using an EOL
> version of Python in a network-facing program is a bad idea anyway.

This sounds like one of the better ideas to come out of this thread,
and should be done regardless of the other stuff.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-30 Thread Demi Marie Obenour
On 6/30/22 13:11, Charalampos Stratakis wrote:
> So I presume then that python2.7 in Debian works flawlessly with OpenSSL
> 3.0.0, no regressions, no security issues and no ABI problems right?
What about stubbing out all networking in Python 2.7?  I believe that
the only users of Python 2.7 in Fedora are various build scripts,
and those are all entirely offline.  If so, nothing would break if
the ssl module was replaced by a stub module that threw an exception
when any of its functions was called.  Using an EOL version of Python
in a network-facing program is a bad idea anyway.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
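
The stub-module idea from this message, sketched as an added example; it is not code from the thread or from Fedora's python2.7 package. The names `make_ssl_stub`, `install_stub` and `_DisabledModule` are hypothetical, and keeping `SSLError` as a real exception class is an assumption made so that existing `except ssl.SSLError` clauses keep working.

```python
# Added illustration: a replacement "ssl" module whose functions all
# refuse to run. Written to work on both Python 2.7 and Python 3.
import socket
import sys
import types


class SSLError(socket.error):
    """Stand-in for ssl.SSLError (same base class as the real one)."""


class _DisabledModule(types.ModuleType):
    """Module object that hands out refusing callables for unknown names."""

    def __getattr__(self, name):
        # Only called for names that are not real attributes of the module.
        # Dunder probes (__path__, __file__, ...) must fail normally, or
        # the import machinery and tools like pickle get confused.
        if name.startswith("__") and name.endswith("__"):
            raise AttributeError(name)

        module_name = self.__name__

        def _refuse(*args, **kwargs):
            raise SSLError(
                "%s.%s is disabled in this build" % (module_name, name)
            )

        _refuse.__name__ = name
        return _refuse


def make_ssl_stub(name="ssl"):
    """Build the stub module without touching sys.modules."""
    stub = _DisabledModule(name)
    stub.__doc__ = "Stub: TLS support is not available in this interpreter."
    # Exception classes stay real classes so `except ssl.SSLError:` and
    # `from ssl import SSLError` keep working in code that never reaches
    # the network.
    stub.SSLError = SSLError
    return stub


def install_stub(name="ssl"):
    """Register the stub so that `import <name>` returns it."""
    stub = make_ssl_stub(name)
    sys.modules[name] = stub
    return stub


def probe(stub, function_name):
    """Call one function on the stub; return the refusal message or None."""
    try:
        getattr(stub, function_name)()
    except stub.SSLError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    demo = make_ssl_stub()
    print(probe(demo, "wrap_socket"))
    print(hasattr(demo, "__path__"))
```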


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-30 Thread Charalampos Stratakis
So I presume then that python2.7 in Debian works flawlessly with OpenSSL
3.0.0, no regressions, no security issues and no ABI problems right?

On Thu, Jun 30, 2022 at 5:13 PM Robbie Harwood  wrote:

> Charalampos Stratakis  writes:
>
> > Unfortunately that effort is moot, it's really not possible to make
> > python2.7 compatible with OpenSSL 3.0.0, I mean even the latest Python
> > versions are not 100% compatible for various reasons.
> >
> > In trying to make it compatible there are also ABI changes introduced,
> > it's not only about having the tests pass. The ssl module is already
> > complex enough in backporting changes from the master Python branch to
> > previous 3.x versions, doing that for 2.7 without a full fledged
> > effort from SSL and the Python C API experts guarantee there's gonna
> > be regressions. And that's not even taking into account the security
> > implications of randomly cherry-picking commits just to have the
> > package compile.
>
> I'm having trouble understanding this because Debian seems to have
> carried out what you're saying is impossible: in testing, they ship a
> python2.7 that appears to be using openssl 3, and do not ship openssl
> 1.1 at all.  There are also a handful of clearly openssl 3-related
> patches in their tree
> https://salsa.debian.org/cpython-team/python2/-/tree/master/debian/patches
>
> Have folks looked at how they do this, and whether we could adapt it to
> Fedora?
>
> Be well,
> --Robbie
>


-- 
Regards,

Charalampos Stratakis
Senior Software Engineer
Python Maintenance Team, Red Hat


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-30 Thread Robbie Harwood
Charalampos Stratakis  writes:

> Unfortunately that effort is moot, it's really not possible to make
> python2.7 compatible with OpenSSL 3.0.0, I mean even the latest Python
> versions are not 100% compatible for various reasons.
>
> In trying to make it compatible there are also ABI changes introduced,
> it's not only about having the tests pass. The ssl module is already
> complex enough in backporting changes from the master Python branch to
> previous 3.x versions, doing that for 2.7 without a full fledged
> effort from SSL and the Python C API experts guarantee there's gonna
> be regressions. And that's not even taking into account the security
> implications of randomly cherry-picking commits just to have the
> package compile.

I'm having trouble understanding this because Debian seems to have
carried out what you're saying is impossible: in testing, they ship a
python2.7 that appears to be using openssl 3, and do not ship openssl
1.1 at all.  There are also a handful of clearly openssl 3-related
patches in their tree
https://salsa.debian.org/cpython-team/python2/-/tree/master/debian/patches

Have folks looked at how they do this, and whether we could adapt it to
Fedora?

Be well,
--Robbie




Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-30 Thread Ben Beasley
I agree (vigorously and in detail) with Fabio’s message.

– Ben Beasley

On Wed, Jun 29, 2022, at 12:42 PM, Fabio Valentini wrote:
> On Wed, Jun 29, 2022 at 5:46 PM Dmitry Belyavskiy  wrote:
>>
>> On Wed, Jun 29, 2022 at 5:27 PM Miro Hrončok  wrote:
>>>
>>> Please don't remove the devel package if you aim for deprecation. As others
>>> have said, removing the devel package is essentially retirement, not
>>> deprecation.
>>
>> OK, it's not a problem to deprecate the package in the sense of  
>> https://docs.fedoraproject.org/en-US/packaging-guidelines/deprecating-packages/
>
> I agree with Miro. If you want to ensure no new packages start
> depending on openssl1.1, then adding "Provides: deprecated()" (to both
> the openssl1.1 and openssl1.1-devel packages) is exactly what you
> want. fedora-review includes a check that prints a warning when a
> package depends on something that has "Provides: deprecated()", so no
> new packages should ever be added to Fedora that depend on something
> that is deprecated.
>
> Removing a (sub-)package is not a "deprecation", because it already
> breaks dependent packages, and *does not* give any advance warning to
> affected people, which a deprecation is supposed to provide.
>
>> But we still want to get rid of it.
>
> I understand this goal, but starting with a deprecation means that
> this will be a two-step process:
>
> 1) deprecate openssl1.1 and openssl1.1 packages (adding "Provides:
> deprecated()" to them): this ensures no new packages depend on them
> (fine to do that for Fedora 37)
> 2) once no Fedora packages (only third-party binaries) depend on
> openssl1.1, you *can* drop openssl1.1-devel (too early in Fedora 37,
> target 38 or 39 instead?, see EOL dates listed below)
>
> Dropping openssl1.1-devel (and keeping openssl1.1) *before* all
> official Fedora components have been ported to openssl 3 is
> essentially making them hang by the thinnest of threads - the packages
> will fail to build, but still be *installable* - if only for so long.
>
> These packages will also start to fail to install after any soname
> bump (or another similar change) in their dependency trees - because
> they won't be able to be rebuilt for that (unrelated) change, because
> openssl1.1-devel is gone. It will also block any critical / security
> updates for affected packages, which is certainly not what we want.
>
> So, please, don't remove the openssl1.1-devel package while there's
> still Fedora packages that depend on it. I assume openssl1.1 itself
> will be kept for some time, to provide support for third-party
> applications that require it? So keeping the -devel package around
> does not create any additional work for you, but it will make life for
> maintainers of dependent packages much easier, until they can switch
> their packages to OpenSSL 3.
>
>>> > I don't think that the community really requires support for this package
>>> > for 7 years after its upstream sunset.
>>>
>>> OpenSSL 3 was introduced in Fedora 36, that has *just* been released this
>>> year. This is a change proposal for Fedora 37, that is half a year after,
>>> not 7 years :/
>>
>>
>> Well, speaking about 7 years, I mean the idea to support the compat package
>> synchronously with RHEL 8.
>> I'd like to retire this package not later than, well, a release after
>> OpenSSL 1.1.1 EOL.
>
> According to the OpenSSL website
> (https://www.openssl.org/policies/releasestrat.html) OpenSSL 1.1.1
> will be supported until 2023-09-11.
> Fedora 37 will be EOL at around 2023-11-14
> (https://fedorapeople.org/groups/schedule/f-39/f-39-key-tasks.html),
> so OpenSSL 1.1.1 will still be officially supported for most of its
> lifecycle - I don't see why it already needs to be removed in Fedora
> 37.
>
> This alignment of EOL dates make me wonder whether the removal of
> openssl1.1(-devel) should be targeted at Fedora 38 (more than half its
> supported lifetime is after OpenSSL 1.1.1 is EOL) or Fedora 39
> (released after OpenSSL 1.1.1 is EOL) instead, but Fedora 37 seems too
> early for a *removal*, but officially deprecating it in Fedora 37
> sounds very reasonable to me.
>
> Fabop

Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-30 Thread Charalampos Stratakis
And I would very much prefer to remedy the issue of having packages still
relying on python2 rather than thinking about removing OpenSSL 1.1.1 that's
still supported upstream and many packages depend on it.

On Thu, Jun 30, 2022 at 3:29 PM Charalampos Stratakis 
wrote:

> Unfortunately that effort is moot, it's really not possible to make
> python2.7 compatible with OpenSSL 3.0.0, I mean even the latest Python
> versions are not 100% compatible for various reasons.
>
> In trying to make it compatible there are also ABI changes introduced,
> it's not only about having the tests pass. The ssl module is already
> complex enough in backporting changes from the master Python branch to
> previous 3.x versions, doing that for 2.7 without a full fledged effort
> from SSL and the Python C API experts guarantee there's gonna be
> regressions. And that's not even taking into account the security
> implications of randomly cherry-picking commits just to have the package
> compile.
>
> On Wed, Jun 29, 2022 at 5:12 PM Dmitry Belyavskiy 
> wrote:
>
>> Dear colleagues,
>>
>> If I correctly follow the discussion, the biggest show-stopper is Python
>> 2.*, which has some incomplete patches to deal with OpenSSL 3.0.
>> If we assist you in moving these patches forward, can we get rid of the
>> devel package and leave the compat package only for 3rd-party packages?
>>
>> I don't think that the community really requires support for this package
>> for 7 years after its upstream sunset.
>>
>> Many thanks!
>>
>> On Tue, Jun 28, 2022 at 4:06 PM Miro Hrončok  wrote:
>>
>>> On 27. 06. 22 13:27, Richard W.M. Jones wrote:
>>> > ==
>>> > FAIL: test_openssl_version (test.test_ssl.BasicSocketTests)
>>> > --
>>> > Traceback (most recent call last):
>>> >File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 382,
>>> in test_openssl_version
>>> >  (s, t))
>>> > AssertionError: ('OpenSSL 3.0.3 3 May 2022', (3, 0, 0, 3, 0))
>>>
>>> Might be https://github.com/python/cpython/issues/90272
>>>
>>> --
>>> Miro Hrončok
>>> --
>>> Phone: +420777974800
>>> IRC: mhroncok
>>
>>
>> --
>> Dmitry Belyavskiy
>
>
> --
> Regards,
>
> Charalampos Stratakis
> Senior Software Engineer
> Python Maintenance Team, Red Hat
>


-- 
Regards,

Charalampos Stratakis
Senior Software Engineer
Python Maintenance Team, Red Hat


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-30 Thread Charalampos Stratakis
Unfortunately that effort is moot, it's really not possible to make
python2.7 compatible with OpenSSL 3.0.0, I mean even the latest Python
versions are not 100% compatible for various reasons.

In trying to make it compatible there are also ABI changes introduced, it's
not only about having the tests pass. The ssl module is already complex
enough in backporting changes from the master Python branch to previous 3.x
versions, doing that for 2.7 without a full-fledged effort from SSL and the
Python C API experts guarantees there's gonna be regressions. And that's not
even taking into account the security implications of randomly
cherry-picking commits just to have the package compile.

On Wed, Jun 29, 2022 at 5:12 PM Dmitry Belyavskiy 
wrote:

> Dear colleagues,
>
> If I correctly follow the discussion, the biggest show-stopper is Python
> 2.*, which has some incomplete patches to deal with OpenSSL 3.0.
> If we assist you in moving these patches forward, can we get rid of the
> devel package and leave the compat package only for 3rd-party packages?
>
> I don't think that the community really requires support for this package
> for 7 years after its upstream sunset.
>
> Many thanks!
>
> On Tue, Jun 28, 2022 at 4:06 PM Miro Hrončok  wrote:
>
>> On 27. 06. 22 13:27, Richard W.M. Jones wrote:
>> > ==
>> > FAIL: test_openssl_version (test.test_ssl.BasicSocketTests)
>> > --
>> > Traceback (most recent call last):
>> >File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 382, in
>> test_openssl_version
>> >  (s, t))
>> > AssertionError: ('OpenSSL 3.0.3 3 May 2022', (3, 0, 0, 3, 0))
>>
>> Might be https://github.com/python/cpython/issues/90272
>>
>> --
>> Miro Hrončok
>> --
>> Phone: +420777974800
>> IRC: mhroncok
>>
>
>
> --
> Dmitry Belyavskiy
>


-- 
Regards,

Charalampos Stratakis
Senior Software Engineer
Python Maintenance Team, Red Hat


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-30 Thread Miro Hrončok

On 29. 06. 22 17:45, Dmitry Belyavskiy wrote:
> OK, it's not a problem to deprecate the package in the sense of
> https://docs.fedoraproject.org/en-US/packaging-guidelines/deprecating-packages/
>
> But we still want to get rid of it.

Consider also not allowing packages to use openssl1.1-devel unless they have a
FESCo exception.

See e.g. https://fedoraproject.org/wiki/Changes/RetirePython2#FESCo_exceptions

--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-29 Thread Maxwell G via devel
On Wednesday, June 29, 2022 11:49:07 AM CDT Miro Hrončok wrote:
> Now you are mixing the two kinda together in a weird way. The change is
> called "deprecation" but is in fact "incomplete retirement".
I agree. There seems to be a recent trend of Changes confusing the difference 
between deprecations and removals. If something is being removed, even 
partially, it is a removal, not a deprecation. As other commenters have 
mentioned, in the Fedora context[1], deprecating a package entails adding 
`Provides: deprecated()` and submitting a Change proposal before doing so if 
it's not a leaf package.

[1]: 
https://docs.fedoraproject.org/en-US/packaging-guidelines/deprecating-packages/

-- 
Thanks,

Maxwell G (@gotmax23)
Pronouns: He/Him/His



Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-29 Thread Miro Hrončok

On 29. 06. 22 17:45, Dmitry Belyavskiy wrote:
> Dear Miro,
>
> On Wed, Jun 29, 2022 at 5:27 PM Miro Hrončok wrote:
>
>> On 29. 06. 22 17:11, Dmitry Belyavskiy wrote:
>>> Dear colleagues,
>>>
>>> If I correctly follow the discussion, the biggest show-stopper is Python 2.*,
>>> which has some incomplete patches to deal with OpenSSL 3.0.
>>
>> We would also need it in for Python 3.6 and pypys.
>
> Are RHEL 9 patches for Python 3 series relevant in this case?

Not at all. RHEL 9 is python3.9 and that runs on OpenSSL 3 in both RHEL 9 and
all supported Fedoras.

>>> If we assist you in moving these patches forward, can we get rid of the devel
>>> package and leave the compat package only for 3rd-party packages?
>>
>> Please don't remove the devel package if you aim for deprecation. As other have
>> said, removing the devel package is essentially retirement, not deprecation.
>
> OK, it's not a problem to deprecate the package in the sense of
> https://docs.fedoraproject.org/en-US/packaging-guidelines/deprecating-packages/
>
> But we still want to get rid of it.

Right. But it makes sense to say:

Fedora 37: openssl1.1 is deprecated
Fedora XY: openssl1.1 is retired

Now you are mixing the two kinda together in a weird way. The change is called
"deprecation" but is in fact "incomplete retirement".

See e.g.:

Deprecation: https://fedoraproject.org/wiki/Changes/DeprecateNose
Retirement: https://fedoraproject.org/wiki/Changes/RetirePython3.7

>>> I don't think that the community really requires support for this package for 7
>>> years after its upstream sunset.
>>
>> OpenSSL 3 was introduced in Fedora 36, that has *just* been released this year.
>> This is a change proposal for Fedora 37, that is half a year after, not 7 years :/
>
> Well, speaking about 7 years, I mean the idea to support the compat package
> synchronously with RHEL 8.

Now I understand what you mean but I still don't understand what is the biggest
trouble. You do maintain this in RHEL 8, don't you?

> I'd like to retire this package not later than, well, a release after OpenSSL
> 1.1.1 EOL.

Is that happening on some known schedule or is it an event that will eventually
happen but we don't know when?


--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-29 Thread Fabio Valentini
On Wed, Jun 29, 2022 at 5:46 PM Dmitry Belyavskiy  wrote:
>
> On Wed, Jun 29, 2022 at 5:27 PM Miro Hrončok  wrote:
>>
>> Please don't remove the devel package if you aim for deprecation. As other 
>> have
>> said, removing the devel package is essentially retirement, not deprecation.
>
> OK, it's not a problem to deprecate the package in the sense of  
> https://docs.fedoraproject.org/en-US/packaging-guidelines/deprecating-packages/

I agree with Miro. If you want to ensure no new packages start
depending on openssl1.1, then adding "Provides: deprecated()" (to both
the openssl1.1 and openssl1.1-devel packages) is exactly what you
want. fedora-review includes a check that prints a warning when a
package depends on something that has "Provides: deprecated()", so no
new packages should ever be added to Fedora that depend on something
that is deprecated.

Removing a (sub-)package is not a "deprecation", because it already
breaks dependent packages, and *does not* give any advance warning to
affected people, which a deprecation is supposed to provide.

> But we still want to get rid of it.

I understand this goal, but starting with a deprecation means that
this will be a two-step process:

1) deprecate openssl1.1 and openssl1.1 packages (adding "Provides:
deprecated()" to them): this ensures no new packages depend on them
(fine to do that for Fedora 37)
2) once no Fedora packages (only third-party binaries) depend on
openssl1.1, you *can* drop openssl1.1-devel (too early in Fedora 37,
target 38 or 39 instead?, see EOL dates listed below)

Dropping openssl1.1-devel (and keeping openssl1.1) *before* all
official Fedora components have been ported to openssl 3 is
essentially making them hang by the thinnest of threads - the packages
will fail to build, but still be *installable* - if only for so long.

These packages will also start to fail to install after any soname
bump (or another similar change) in their dependency trees - because
they won't be able to be rebuilt for that (unrelated) change, because
openssl1.1-devel is gone. It will also block any critical / security
updates for affected packages, which is certainly not what we want.

So, please, don't remove the openssl1.1-devel package while there's
still Fedora packages that depend on it. I assume openssl1.1 itself
will be kept for some time, to provide support for third-party
applications that require it? So keeping the -devel package around
does not create any additional work for you, but it will make life for
maintainers of dependent packages much easier, until they can switch
their packages to OpenSSL 3.

>> > I don't think that the community really requires support for this package 
>> > for 7
>> > years after its upstream sunset.
>>
>> OpenSSL 3 was introduced in Fedora 36, that has *just* been released this 
>> year.
>> This is a change proposal for Fedora 37, that is half a year after, not 7 
>> years :/
>
>
> Well, speaking about 7 years, I mean the idea to support the compat package 
> synchronously with RHEL 8.
> I'd like to retire this package not later than, well, a release after OpenSSL 
> 1.1.1 EOL.

According to the OpenSSL website
(https://www.openssl.org/policies/releasestrat.html) OpenSSL 1.1.1
will be supported until 2023-09-11.
Fedora 37 will be EOL at around 2023-11-14
(https://fedorapeople.org/groups/schedule/f-39/f-39-key-tasks.html),
so OpenSSL 1.1.1 will still be officially supported for most of its
lifecycle - I don't see why it already needs to be removed in Fedora
37.

This alignment of EOL dates makes me wonder whether the removal of
openssl1.1(-devel) should be targeted at Fedora 38 (more than half its
supported lifetime is after OpenSSL 1.1.1 is EOL) or Fedora 39
(released after OpenSSL 1.1.1 is EOL) instead, but Fedora 37 seems too
early for a *removal*, but officially deprecating it in Fedora 37
sounds very reasonable to me.

Fabio


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-29 Thread Dmitry Belyavskiy
Dear Miro,

On Wed, Jun 29, 2022 at 5:27 PM Miro Hrončok  wrote:

> On 29. 06. 22 17:11, Dmitry Belyavskiy wrote:
> > Dear colleagues,
> >
> > If I correctly follow the discussion, the biggest show-stopper is Python
> 2.*,
> > which has some incomplete patches to deal with OpenSSL 3.0.
>
> We would also need it in for Python 3.6 and pypys.
>

Are RHEL 9 patches for Python 3 series relevant in this case?

> > If we assist you in moving these patches forward, can we get rid of the
> > devel package and leave the compat package only for 3rd-party packages?
>
> Please don't remove the devel package if you aim for deprecation. As other
> have
> said, removing the devel package is essentially retirement, not
> deprecation.
>

OK, it's not a problem to deprecate the package in the sense of
https://docs.fedoraproject.org/en-US/packaging-guidelines/deprecating-packages/
But we still want to get rid of it.

> > I don't think that the community really requires support for this package
> > for 7 years after its upstream sunset.
>
> OpenSSL 3 was introduced in Fedora 36, that has *just* been released this
> year.
> This is a change proposal for Fedora 37, that is half a year after, not 7
> years :/
>

Well, speaking about 7 years, I mean the idea to support the compat package
synchronously with RHEL 8.
I'd like to retire this package not later than, well, a release after
OpenSSL 1.1.1 EOL.

-- 
Dmitry Belyavskiy


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-29 Thread Miro Hrončok

On 29. 06. 22 17:11, Dmitry Belyavskiy wrote:
> Dear colleagues,
>
> If I correctly follow the discussion, the biggest show-stopper is Python 2.*,
> which has some incomplete patches to deal with OpenSSL 3.0.

We would also need it in for Python 3.6 and pypys.

> If we assist you in moving these patches forward, can we get rid of the devel
> package and leave the compat package only for 3rd-party packages?

Please don't remove the devel package if you aim for deprecation. As others have
said, removing the devel package is essentially retirement, not deprecation.

> I don't think that the community really requires support for this package for 7
> years after its upstream sunset.

OpenSSL 3 was introduced in Fedora 36, that has *just* been released this year.
This is a change proposal for Fedora 37, that is half a year after, not 7 years :/


--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-29 Thread Dmitry Belyavskiy
Dear colleagues,

If I correctly follow the discussion, the biggest show-stopper is Python
2.*, which has some incomplete patches to deal with OpenSSL 3.0.
If we assist you in moving these patches forward, can we get rid of the
devel package and leave the compat package only for 3rd-party packages?

I don't think that the community really requires support for this package
for 7 years after its upstream sunset.

Many thanks!

On Tue, Jun 28, 2022 at 4:06 PM Miro Hrončok  wrote:

> On 27. 06. 22 13:27, Richard W.M. Jones wrote:
> > ==
> > FAIL: test_openssl_version (test.test_ssl.BasicSocketTests)
> > --
> > Traceback (most recent call last):
> >File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 382, in
> test_openssl_version
> >  (s, t))
> > AssertionError: ('OpenSSL 3.0.3 3 May 2022', (3, 0, 0, 3, 0))
>
> Might be https://github.com/python/cpython/issues/90272
>
> --
> Miro Hrončok
> --
> Phone: +420777974800
> IRC: mhroncok
>


-- 
Dmitry Belyavskiy


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-28 Thread Miro Hrončok

On 27. 06. 22 13:27, Richard W.M. Jones wrote:
> ==
> FAIL: test_openssl_version (test.test_ssl.BasicSocketTests)
> --
> Traceback (most recent call last):
>   File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 382, in test_openssl_version
>     (s, t))
> AssertionError: ('OpenSSL 3.0.3 3 May 2022', (3, 0, 0, 3, 0))


Might be https://github.com/python/cpython/issues/90272

--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok
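
The tuple in the assertion quoted above can be reproduced from the two OPENSSL_VERSION_NUMBER layouts. This is an added example, not code from the thread or from CPython; it assumes the ssl module splits the number using the OpenSSL 1.x field layout and that the test compares the version string against major.minor.fix, and all function names and sample values are constructed.

```python
"""Why 'OpenSSL 3.0.3' decodes to (3, 0, 0, 3, 0) with a 1.x-style parser."""

import re

# Constructed sample values: the version string reported by the library and
# the matching OPENSSL_VERSION_NUMBER (0x30000030 = 3.0.3, 0x101010ef = 1.1.1n).
SAMPLES = [
    ("OpenSSL 3.0.3 3 May 2022", 0x30000030),
    ("OpenSSL 1.1.1n  15 Mar 2022", 0x101010EF),
]


def decode_1x(number):
    """Split 0xMNNFFPPS (OpenSSL 1.x layout).

    Returns (major, minor, fix, patch, status). In 1.x the 'patch' byte holds
    the letter suffix (a=1, b=2, ...) and 'status' is 0xf for a release.
    """
    status = number & 0xF
    patch = (number >> 4) & 0xFF
    fix = (number >> 12) & 0xFF
    minor = (number >> 20) & 0xFF
    major = (number >> 28) & 0xF
    return (major, minor, fix, patch, status)


def decode_versioned(number):
    """Pick the layout from the major nibble and return (major, minor, third).

    OpenSSL 3.x uses 0xMNN00PP0: the 'fix' byte is always zero and the third
    version component sits in the byte that 1.x used for the letter suffix.
    """
    major = (number >> 28) & 0xF
    minor = (number >> 20) & 0xFF
    if major >= 3:
        third = (number >> 4) & 0xFF
    else:
        third = (number >> 12) & 0xFF
    return (major, minor, third)


def legacy_prefix_check(version_string, info):
    """Assumed shape of the failing comparison: prefix must be major.minor.fix."""
    return version_string.startswith("OpenSSL %d.%d.%d" % info[:3])


def layout_aware_check(version_string, number):
    """Compare the dotted version in the string with a layout-aware decode."""
    match = re.match(r"OpenSSL (\d+)\.(\d+)\.(\d+)", version_string)
    if match is None:
        return False
    return tuple(int(g) for g in match.groups()) == decode_versioned(number)


def report():
    """Return one row per sample: (string, 1.x tuple, legacy ok, aware ok)."""
    rows = []
    for version_string, number in SAMPLES:
        info = decode_1x(number)
        rows.append((
            version_string,
            info,
            legacy_prefix_check(version_string, info),
            layout_aware_check(version_string, number),
        ))
    return rows


if __name__ == "__main__":
    for row in report():
        print(row)
```
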


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-27 Thread Clemens Lang

Richard W.M. Jones wrote:

> I somehow thought that loading the legacy provider would be the same
> as the LEGACY crypto policy, except just for Python 2.7 rather than
> for the entire system.

It’s a common misconception. So common that I recently wrote a blog post to
explain the difference:

https://www.redhat.com/en/blog/legacy-cryptography-fedora-36-and-red-hat-enterprise-linux-9

> Setting the whole system crypto-policy to LEGACY (and reverting the
> code for loading the legacy provider) fixes almost everything.

Thanks for testing and confirming that. In that case, it’s really just a
case of running the test with a separate OpenSSL configuration file that
applies weaker defaults.


HTH,
Clemens

--
Clemens Lang
RHEL Crypto Team
Red Hat




Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-27 Thread Richard W.M. Jones
On Mon, Jun 27, 2022 at 11:15:01AM +0200, Clemens Lang wrote:
> Hi,
> 
> Richard W.M. Jones  wrote:
> 
> >On Mon, Jun 27, 2022 at 09:11:29AM +0100, Tom Hughes wrote:
> >>On 27/06/2022 08:53, Richard W.M. Jones wrote:
> >>>On Fri, Jun 24, 2022 at 01:20:27PM +0200, Dmitry Belyavskiy wrote:
> >>>>Dear Richard,
> >>>>
> >>>>If the only problem is legacy (and unsafe) ciphersuites, loading the legacy
> >>>>provider will solve this problem.
> >>>
> >>>Any clues on how to do that?
> >>
> >>https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers
> >
> >Results unclear.  Loading legacy + default doesn't seem to give any
> >errors, but I still see the same errors in the tests.  I might be
> >loading these providers in the wrong way however.
> >
> >The code is here:
> >https://github.com/rwmjones/cpython/commits/python-2.7-openssl-3
> 
> Two comments:
> 
> Most of your failures are “no suitable signature algorithm” and “no shared
> ciphers”. I suspect those might instead be caused by increased minimum TLS
> versions enforced by the crypto-policy. Did you try running those tests in
> the LEGACY crypto-policy? If that’s the issue, you don’t need to load the
> legacy provider, and doing so doesn’t actually help.

I somehow thought that loading the legacy provider would be the same
as the LEGACY crypto policy, except just for Python 2.7 rather than
for the entire system.

Setting the whole system crypto-policy to LEGACY (and reverting the
code for loading the legacy provider) fixes almost everything.  The
remaining errors are real, but minor problems with my patch series:

==
ERROR: test_load_verify_cadata (test.test_ssl.ContextTests)
--
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 1033, in 
test_load_verify_cadata
ctx.load_verify_locations(cadata=cacert_der)
SSLError: unknown error (_ssl.c:2989)

==
FAIL: test_openssl_version (test.test_ssl.BasicSocketTests)
--
Traceback (most recent call last):
  File "/home/rjones/d/cpython-2.7/Lib/test/test_ssl.py", line 382, in 
test_openssl_version
(s, t))
AssertionError: ('OpenSSL 3.0.3 3 May 2022', (3, 0, 0, 3, 0))


Anyhow, I'm not really working on this, but it does seem possible that
for someone who wants to fix this and cares about Python and OpenSSL
it wouldn't be too difficult to do the backport.

> I know the OpenSSL upstream documentation says so, but please don’t load the
> legacy provider into the NULL OSSL_LIB_CTX. Doing so activates the legacy
> provider for all code in the same address space by default. This means, for
> example, that applications that embed a Python interpreter will inherit its
> use of the legacy provider, even if they don’t want to. See [1] for further
> discussion of this issue, and examples on how to avoid it.
> 
>  [1] https://github.com/lsh123/xmlsec/issues/339

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-27 Thread Clemens Lang

Hi,

Richard W.M. Jones wrote:

> On Mon, Jun 27, 2022 at 09:11:29AM +0100, Tom Hughes wrote:
>> On 27/06/2022 08:53, Richard W.M. Jones wrote:
>>> On Fri, Jun 24, 2022 at 01:20:27PM +0200, Dmitry Belyavskiy wrote:
>>>> Dear Richard,
>>>>
>>>> If the only problem is legacy (and unsafe) ciphersuites, loading the legacy
>>>> provider will solve this problem.
>>>
>>> Any clues on how to do that?
>>
>> https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers
>
> Results unclear.  Loading legacy + default doesn't seem to give any
> errors, but I still see the same errors in the tests.  I might be
> loading these providers in the wrong way however.
>
> The code is here:
> https://github.com/rwmjones/cpython/commits/python-2.7-openssl-3

Two comments:

Most of your failures are “no suitable signature algorithm” and “no shared
ciphers”. I suspect those might instead be caused by increased minimum TLS
versions enforced by the crypto-policy. Did you try running those tests in
the LEGACY crypto-policy? If that’s the issue, you don’t need to load the
legacy provider, and doing so doesn’t actually help.

I know the OpenSSL upstream documentation says so, but please don’t load the
legacy provider into the NULL OSSL_LIB_CTX. Doing so activates the legacy
provider for all code in the same address space by default. This means, for
example, that applications that embed a Python interpreter will inherit its
use of the legacy provider, even if they don’t want to. See [1] for further
discussion of this issue, and examples on how to avoid it.

 [1] https://github.com/lsh123/xmlsec/issues/339


HTH,
Clemens

--
Clemens Lang
RHEL Crypto Team
Red Hat




Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-27 Thread Tom Hughes via devel

On 27/06/2022 10:02, Richard W.M. Jones wrote:
> On Mon, Jun 27, 2022 at 09:11:29AM +0100, Tom Hughes wrote:
>> On 27/06/2022 08:53, Richard W.M. Jones wrote:
>>> On Fri, Jun 24, 2022 at 01:20:27PM +0200, Dmitry Belyavskiy wrote:
>>>> Dear Richard,
>>>>
>>>> If the only problem is legacy (and unsafe) ciphersuites, loading the legacy
>>>> provider will solve this problem.
>>>
>>> Any clues on how to do that?
>>
>> https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers
>
> Results unclear.  Loading legacy + default doesn't seem to give any
> errors, but I still see the same errors in the tests.  I might be
> loading these providers in the wrong way however.
>
> The code is here:
> https://github.com/rwmjones/cpython/commits/python-2.7-openssl-3

That looks about right, or at least it looks very similar to
what I did elsewhere.

Tom

--
Tom Hughes (t...@compton.nu)
http://compton.nu/


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-27 Thread Richard W.M. Jones
On Mon, Jun 27, 2022 at 09:11:29AM +0100, Tom Hughes wrote:
> On 27/06/2022 08:53, Richard W.M. Jones wrote:
> >On Fri, Jun 24, 2022 at 01:20:27PM +0200, Dmitry Belyavskiy wrote:
> >>Dear Richard,
> >>
> >>If the only problem is legacy (and unsafe) ciphersuites, loading the legacy
> >>provider will solve this problem.
> >
> >Any clues on how to do that?
> 
> https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers

Results unclear.  Loading legacy + default doesn't seem to give any
errors, but I still see the same errors in the tests.  I might be
loading these providers in the wrong way however.

The code is here:
https://github.com/rwmjones/cpython/commits/python-2.7-openssl-3

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines.  Supports shell scripting,
bindings from many languages.  http://libguestfs.org


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-27 Thread Tom Hughes via devel

On 27/06/2022 08:53, Richard W.M. Jones wrote:
> On Fri, Jun 24, 2022 at 01:20:27PM +0200, Dmitry Belyavskiy wrote:
>> Dear Richard,
>>
>> If the only problem is legacy (and unsafe) ciphersuites, loading the legacy
>> provider will solve this problem.
>
> Any clues on how to do that?

https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers

Tom

--
Tom Hughes (t...@compton.nu)
http://compton.nu/


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-27 Thread Richard W.M. Jones
On Fri, Jun 24, 2022 at 01:20:27PM +0200, Dmitry Belyavskiy wrote:
> Dear Richard,
> 
> If the only problem is legacy (and unsafe) ciphersuites, loading the legacy
> provider will solve this problem.

Any clues on how to do that?

Rich.

> On Fri, Jun 24, 2022 at 1:11 PM Richard W.M. Jones  wrote:
> 
> On Thu, Jun 23, 2022 at 10:43:45AM +0100, Richard W.M. Jones wrote:
> > python2.7-0:2.7.18-22.fc37.src
> 
> Vaguely seeing if it's feasible to backport the OpenSSL 3 support to
> Python 2.7.  This branch gets quite far:
> 
> https://github.com/rwmjones/cpython/tree/python-2.7-openssl-3
> 
> Only one test fails, test_ssl (obviously), but it does only appear to
> fail where it tests obsolete ciphers.  I looked into fixing the test,
> but the upstream version of this test has changed a great deal, with a
> whole mechanism for skipping unsupported ciphers.
> 
> Remaining test failures in detail below.
> 
> Rich.
> 
> --
> 
> running build
> running build_ext
> warning: openssl 0x is too old for _hashlib
> building dbm using ndbm
> 
> Python build finished, but the necessary bits to build these modules were
> not found:
> _hashlib           bsddb185           dl             
> imageop            sunaudiodev                       
> To find the necessary bits, look in setup.py in detect_modules() for the
> module's name.
> 
> running build_scripts
> find ./Lib -name '*.py[co]' -print | xargs rm -f
> ./python -Wd -3 -E -tt  ./Lib/test/regrtest.py -v test_ssl
> == CPython 2.7.18 (tags/2.7-3-g1efbb6fd52:1efbb6fd52, Jun 24 2022,
> 12:05:45) [GCC 12.1.1 20220507 (Red Hat 12.1.1-1)]
> == 
>  
> Linux-5.14.0-0.rc4.20210804gitd5ad8ec3cfb5.36.fc35.x86_64-x86_64-with-fedora-37-Rawhide
> little-endian
> ==   /home/rjones/d/cpython-2.7/build/test_python_641493
> == CPU count: 24
> Run tests sequentially
> 0:00:00 load avg: 0.09 [1/1] test_ssl
> test_ssl: testing with 'OpenSSL 3.0.3 3 May 2022' (3, 0, 0, 3, 0)
>           under Linux ('Fedora', '37', 'Rawhide')
>           HAS_SNI = True
>           OP_ALL = 0x8050
>           OP_NO_TLSv1_1 = 0x1000
> test__create_stdlib_context (test.test_ssl.ContextTests) ... ok
> test__https_verify_certificates (test.test_ssl.ContextTests) ... ok
> test__https_verify_envvar (test.test_ssl.ContextTests) ... ok
> test_cert_store_stats (test.test_ssl.ContextTests) ... ok
> test_check_hostname (test.test_ssl.ContextTests) ... ok
> test_ciphers (test.test_ssl.ContextTests) ... ok
> test_constructor (test.test_ssl.ContextTests) ... ok
> test_create_default_context (test.test_ssl.ContextTests) ... ok
> test_get_ca_certs (test.test_ssl.ContextTests) ... ok
> test_load_cert_chain (test.test_ssl.ContextTests) ... ok
> test_load_default_certs (test.test_ssl.ContextTests) ... ok
> test_load_default_certs_env (test.test_ssl.ContextTests) ... ok
> test_load_default_certs_env_windows (test.test_ssl.ContextTests) ...
> skipped 'Windows specific'
> test_load_dh_params (test.test_ssl.ContextTests) ... ok
> test_load_verify_cadata (test.test_ssl.ContextTests) ... ERROR
> test_load_verify_locations (test.test_ssl.ContextTests) ... ok
> test_options (test.test_ssl.ContextTests) ... ok
> test_protocol (test.test_ssl.ContextTests) ... ok
> test_session_stats (test.test_ssl.ContextTests) ... ok
> test_set_default_verify_paths (test.test_ssl.ContextTests) ... ok
> test_set_ecdh_curve (test.test_ssl.ContextTests) ... ok
> test_sni_callback (test.test_ssl.ContextTests) ... ok
> test_sni_callback_refcycle (test.test_ssl.ContextTests) ... ok
> test_verify_flags (test.test_ssl.ContextTests) ... ok
> test_verify_mode (test.test_ssl.ContextTests) ... ok
> test_sslwrap_simple (test.test_ssl.BasicTests) ... ok
> test_DER_to_PEM (test.test_ssl.BasicSocketTests) ... ok
> test_asn1object (test.test_ssl.BasicSocketTests) ... ok
> test_cert_time_to_seconds (test.test_ssl.BasicSocketTests) ... ok
> test_cert_time_to_seconds_locale (test.test_ssl.BasicSocketTests) ...
> skipped 'locale-specific month name needs to be different from C locale'
> test_cert_time_to_seconds_timezone (test.test_ssl.BasicSocketTests) ... ok
> test_constants (test.test_ssl.BasicSocketTests) ... ok
> test_empty_cert (test.test_ssl.BasicSocketTests)
> Wrapping with an empty cert file ... ok
> test_enum_certificates (test.test_ssl.BasicSocketTests) ... skipped
> 'Windows specific'
> test_enum_crls (test.test_ssl.BasicSocketTests) ... skipped 'Windows
> specific'
> test_errors (test.test_ssl.BasicSocketTests) ... ok
> test_get_default_verify_paths (test.test_ssl.BasicSocketTests) ... ok
> test_malformed_cert (test.test_ssl.BasicSocketTests)
> 

Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-25 Thread Omair Majid
Hi,

Ben Beasley  writes:

> However, dropping the -devel package is almost as drastic as simply
> retiring the OpenSSL 1.1 package altogether. Grepping spec files for
> 'BuildRequires:.*openssl1' turns up the following packages that would
> immediately FTBFS:
> ...
> - dotnet3.1
> ...

This package is already dropped from Rawhide. Upstream will drop all
support for .NET Core 3.1 (dotnet3.1) at the end of this year [1]. The
next version, .NET 6 (packaged as dotnet6.0), already builds and runs
against OpenSSL 3.0 as well.

[1] https://dotnet.microsoft.com/en-us/platform/support/policy/dotnet-core#lifecycle

Omair

--
PGP Key: B157A9F0 (http://pgp.mit.edu/)
Fingerprint = 9DB5 2F0B FD3E C239 E108  E7BD DF99 7AF8 B157 A9F0


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-24 Thread Maxwell G via devel

Jun 24, 2022 1:59:40 PM Jason Tibbitts :

> When a package is deprecated, the intent is that no new dependencies on
> any deprecated package would appear in the distribution, either by new
> packages or from existing packages adding dependencies.  Of course, I
> don't know what actually checks this; it's not particularly common to
> deprecate packages.

FedoraReview checks for deprecated dependencies. I don't think there's any
process to make sure that existing packages don't start depending on deprecated
packages.

--
Thanks,

Maxwell G (@gotmax23)
Pronouns: He/Him/His




Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-24 Thread Demi Marie Obenour
On 6/23/22 08:51, Miro Hrončok wrote:
> On 23. 06. 22 11:43, Richard W.M. Jones wrote:
>> I think this is the correct incantation ...
>>
>> # dnf repoquery --disablerepo=\* --enablerepo=rawhide-source --arch=src 
>> --whatrequires openssl1.1-devel
>> Last metadata expiration check: 0:01:31 ago on Thu 23 Jun 2022 10:37:46 BST.
>> botan2-0:2.19.1-2.fc37.src
>> chatty-0:0.6.3-1.fc37.src
>> erlang-0:24.3.4.1-1.fc37.src
>> pypy-0:7.3.9-1.fc37.src
>> pypy3.7-0:7.3.9-1.3.7.fc37.src
>> pypy3.8-0:7.3.9-1.3.8.fc37.src
>> python-uamqp-0:1.5.3-2.fc37.src
>> python2.7-0:2.7.18-22.fc37.src
>> python3.6-0:3.6.15-9.fc37.src
>> python3.7-0:3.7.13-2.fc37.src
> 
> Not quite the right incantation, because it leaves out anything that does not 
> BuildRequire explicitly the string openssl1.1-devel but rather some of its 
> virtual provides. Here you go:
> 
> $ repoquery -q --repo=rawhide{,-source} --whatrequires openssl1.1-devel | 
> grep src$
> GoldenCheetah-1:3.6-0.16.20220520gita5d6468.fc37.src
> R-websocket-0:1.4.0-5.fc36.src
> argyllcms-0:2.3.0-2.fc36.src
> axel-0:2.17.11-2.fc37.src
> bigloo-0:4.4c-4.4.fc37.src
> blender-1:3.2.0-3.fc37.src
> boinc-client-0:7.18.1-3.fc37.src
> botan2-0:2.19.1-2.fc37.src
> cairo-dock-plug-ins-0:3.4.1-41.20210730gitf24f769.fc37.3.src
> casync-0:2-17.gitb3337dd.fc36.src
> chatty-0:0.6.3-1.fc37.src
> cpprest-0:2.10.18-5.fc36.src
> cryfs-0:0.11.2-3.fc37.src
> ddnet-0:15.9.1-1.fc37.src
> dmg2img-0:1.6.7-14.20170502.git.f16f247.fc36.src
> efitools-0:1.9.2-7.fc36.src
> eiskaltdcpp-0:2.4.2-6.fc37.src
> erlang-0:24.3.4.1-1.fc37.src
> fragments-0:1.5-4.fc36.src
> freerdp-2:2.7.0-1.fc37.src
> fuse-encfs-0:1.9.5-13.fc37.src
> gnupg-pkcs11-scd-0:0.10.0-1.fc37.src
> grpc-0:1.46.3-7.fc37.src
> guacamole-server-0:1.4.0-3.fc37.src
> hexchat-0:2.16.0-5.fc37.src
> jimtcl-0:0.81-3.fc36.src
> kcov-0:39-3.fc36.src
> kde-runtime-0:17.08.3-24.fc36.src
> kf5-kitinerary-0:22.04.1-2.fc37.src
> lgogdownloader-0:3.8-4.fc37.src
> libdigidocpp-0:3.14.7-1.fc36.src
> libfido2-0:1.11.0-1.fc37.src
> liboauth2-0:1.4.4-1.fc36.src
> libpreludedb-0:5.2.0-9.fc37.src
> libquentier-0:0.5.0-11.fc36.src
> librepo-0:1.14.3-2.fc37.src
> librhsm-0:0.0.3-7.fc36.src
> libshout-0:2.4.3-6.fc36.src
> libvncserver-0:0.9.13-12.fc36.src
> libzypp-0:17.25.6-5.fc36.src
> megatools-0:1.11.0-6.fc37.src
> mtxclient-0:0.7.0-2.fc37.src
> mumble-0:1.3.4-8.fc36.src
> newsboat-0:2.27-2.fc37.src
> nheko-0:0.9.3-2.fc37.src
> normaliz-0:3.9.3-1.fc37.src
> openarc-0:1.0.0-0.13.Beta3.fc37.src
> openfortivpn-0:1.17.0-4.fc36.src
> opensips-0:3.2.6-2.fc37.src
> osslsigncode-0:2.3-2.fc37.src
> p11-remote-0:0.3-13.fc36.src
> perl-Crypt-OpenSSL-EC-0:1.32-9.fc37.src
> perl-Crypt-SSLeay-0:0.72-36.fc37.src
> pl-0:8.4.3-1.fc37.src
> psi-plus-1:1.5.1625-1.fc37.src
> pypy-0:7.3.9-1.fc37.src
> pypy3.7-0:7.3.9-1.3.7.fc37.src
> pypy3.8-0:7.3.9-1.3.8.fc37.src
> python-uamqp-0:1.5.3-2.fc37.src
> python2.7-0:2.7.18-22.fc37.src
> python3.6-0:3.6.15-9.fc37.src
> python3.7-0:3.7.13-2.fc37.src
> qca-0:2.3.4-2.fc36.src
> qca-qt4-0:2.2.1-18.fc37.src
> qdigidoc-0:4.2.9-2.fc36.src
> qt5-qtlocation-0:5.15.4-1.fc37.src
> qt6-qtpositioning-0:6.3.0-2.fc37.src
> quentier-0:0.5.0-6.fc35.src
> radare2-0:5.6.8-1.fc37.src
> retroarch-0:1.10.3-1.fc37.src
> rizin-0:0.3.4-1.fc36.1.src
> rstudio-0:2022.02.3+492-1.fc37.src
> rust-0:1.61.0-2.fc37.src
> rust-openssl-sys-0:0.9.72-2.fc36.src
> rust-zincati-0:0.0.24-4.fc37.src
> s3fs-fuse-0:1.91-1.fc37.src
> sagemath-0:9.6-1.fc37.src
> scribus-0:1.5.8-3.fc37.src
> seadrive-daemon-0:2.0.16-4.fc37.src
> seadrive-gui-0:2.0.16-2.fc36.src
> seafile-0:8.0.6-2.fc37.src
> seafile-client-0:8.0.6-1.fc37.src
> shairport-sync-0:3.3.9-2.fc36.src
> sipp-0:3.6.0-9.fc36.src
> sleef-0:3.5.1-16.fc36.src
> sqlcipher-0:4.4.3-4.fc36.src
> srain-0:1.4.0-2.fc37.src
> the_foundation-0:1.4.0-1.fc37.src
> tpm2-tools-0:5.2-2.fc36.src
> webextension-token-signing-0:1.1.5-1.fc36.src
> websocketpp-0:0.8.2-7.fc36.src
> wimlib-0:1.13.5-1.fc36.src
> xmlrpc-c-0:1.51.0-14.fc36.src
> xmlsec1-0:1.2.34-1.fc37.src
> xorg-x11-server-Xwayland-0:22.1.2-1.fc37.src
> xrdp-1:0.9.19-1.fc37.src
> zchunk-0:1.2.2-1.fc37.src

PyPy at least is self-hosting and can be built using an existing PyPy
installation instead of relying on CPython.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-24 Thread Jason Tibbitts
> Felix Schwarz  writes:

> imho removing the devel packages is basically the same as removing
> openssl1.1 entirely. To me the idea of "deprecation" is to warn users
> that something is going away WITHOUT removing functionality
> immediately.

I just wanted to note, since I haven't noticed it elsewhere in this
thread, that "deprecation" for a Fedora package has a specific meaning
as described in
https://docs.fedoraproject.org/en-US/packaging-guidelines/deprecating-packages/

When a package is deprecated, the intent is that no new dependencies on
any deprecated package would appear in the distribution, either by new
packages or from existing packages adding dependencies.  Of course, I
don't know what actually checks this; it's not particularly common to
deprecate packages.

 - J<
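
The messages from Jason Tibbitts and Maxwell G both note that nothing checks whether existing packages start depending on a deprecated package. One way to run such a check is sketched below as an added example; it is not part of any post in this thread and is not Fedora tooling. It assumes two saved outputs of the `repoquery --whatrequires openssl1.1-devel` command quoted in the thread; the function names and sample data are constructed.

```python
"""Flag source packages that newly require a deprecated package.

Added example: compares two saved outputs of
  repoquery -q --repo=rawhide{,-source} --whatrequires openssl1.1-devel
(the command quoted in the thread). All sample data below is constructed.
"""
import re
from collections import namedtuple
from datetime import date

Nevra = namedtuple("Nevra", "name epoch version release arch")


def parse_nevra(line):
    """Split 'name-epoch:version-release.arch' as printed by repoquery.

    Names may contain '-' and releases may contain '.', so fields are peeled
    off from the right: arch after the last '.', release after the last '-',
    then [epoch:]version after the next '-'.
    """
    nevr, _, arch = line.strip().rpartition(".")
    rest, _, release = nevr.rpartition("-")
    name, _, evr = rest.rpartition("-")
    epoch, sep, version = evr.partition(":")
    if not sep:  # epoch omitted in the output
        epoch, version = "0", evr
    if not (name and version and release and arch and epoch.isdigit()):
        raise ValueError("not a NEVRA: %r" % line)
    return Nevra(name, int(epoch), version, release, arch)


def source_dependents(repoquery_output):
    """Return {source package name: Nevra} for the '.src' lines only.

    Mirrors the 'grep src$' used in the thread and drops dnf chatter such as
    'Last metadata expiration check: ...'.
    """
    found = {}
    for line in repoquery_output.splitlines():
        line = line.strip()
        if line.endswith(".src"):
            nevra = parse_nevra(line)
            found[nevra.name] = nevra
    return found


def new_dependents(baseline_output, current_output):
    """Names that require the deprecated package now but did not before.

    Comparison is by name, so a version or release bump of an existing
    dependent is not reported as a new dependency.
    """
    before = source_dependents(baseline_output)
    after = source_dependents(current_output)
    return sorted(set(after) - set(before))


def deprecation_date(spec_text):
    """Parse 'Provides: deprecated() = YYYYMMDD' from spec text, or None."""
    match = re.search(
        r"^Provides:\s*deprecated\(\)\s*=\s*(\d{4})(\d{2})(\d{2})\s*$",
        spec_text, re.MULTILINE)
    return date(*map(int, match.groups())) if match else None


# Constructed baseline: a few lines in the format shown in the thread.
BASELINE = """\
Last metadata expiration check: 0:01:31 ago on Thu 23 Jun 2022 10:37:46 BST.
blender-1:3.2.0-3.fc37.src
pypy3.7-0:7.3.9-1.3.7.fc37.src
python2.7-0:2.7.18-22.fc37.src
"""

# Constructed later snapshot: python2.7 got a release bump, pypy3.7 was
# ported away, and a hypothetical package 'example-newpkg' appeared.
CURRENT = """\
blender-1:3.2.0-3.fc37.src
python2.7-0:2.7.18-23.fc38.src
example-newpkg-0:1.0-1.fc38.src
"""

# The spec lines proposed in the thread.
SPEC_SNIPPET = """\
# This is when RHEL 8 maintenance support is expected to end
Provides: deprecated() = 20290531
"""

if __name__ == "__main__":
    for name in new_dependents(BASELINE, CURRENT):
        print("new dependency on deprecated package: %s" % name)
    print("planned removal date: %s" % deprecation_date(SPEC_SNIPPET))
```

Run against snapshots taken before and after a mass rebuild or compose, a non-empty result lists the packages whose maintainers need to be contacted.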


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-24 Thread Ben Beasley
I support deprecating openssl1.1. We definitely shouldn’t be adding any 
new packages that depend on it.


However, dropping the -devel package is almost as drastic as simply 
retiring the OpenSSL 1.1 package altogether. Grepping spec files for 
'BuildRequires:.*openssl1' turns up the following packages that would 
immediately FTBFS:


- anope
- baresip
- botan2
- ceph
- chatty
- dotnet3.1
- dsniff
- eggdrop
- erlang
- kf5-kdelibs4support
- libasr
- libqxt-qt5
- libre
- libretls
- lua-sec
- nginx
- nodejs
- opensmtpd
- partclone
- pypy3.8
- pypy
- python2.7
- python3.6
- python3.7
- python-uamqp
- qt
- radsecproxy
- rpki-client
- ssldump
- tcltls
- thc-ipv6
- unrealircd
- w3m
- znc

Some of these have pretty large trees of dependent packages. I don’t 
think we’re ready for all of these packages to go FTBFS, preventing them 
from rebuilding or providing updates, until somebody figures out how to 
port them to OpenSSL 3.0. In a lot of cases, the maintainers of these 
packages in Fedora won’t be able to develop the necessary patches alone, 
so dropping the -devel packages would be playing hardball with the wrong 
people.


I’m sympathetic to the importance of retaining momentum toward 
openssl1.1 retirement rather than letting the compatibility package 
linger indefinitely, but I think right now—nine months after OpenSSL 3.0 
was released—this momentum should be in the form of *assisting* these 
maintainers and upstreams in porting their packages, rather than in the 
form of forcing them to figure out an emergency patch.


In general, omitting -devel packages as an intermediate step between 
deprecation and retirement is not a practice I would like to see 
proliferate in Fedora. Packages that can be used but not built from 
source are defects in an open distribution, and we should avoid creating 
them intentionally.


– Ben Beasley

On 6/24/22 05:19, Daniel P. Berrangé wrote:
> On Fri, Jun 24, 2022 at 11:13:13AM +0200, Dmitry Belyavskiy wrote:
>> On Wed, Jun 22, 2022 at 11:02 PM Miro Hrončok wrote:
>>> On 22. 06. 22 21:05, Vipul Siddharth wrote:
>>>> We are going to deprecate openssl1.1 package, stop shipping the
>>>> corresponding devel package, and stop respecting crypto policies in
>>>> openssl1.1 package itself.
>>>
>>> +1 to deprecating it
>>
>> Great!
>>
>>> -1 to stop shipping the devel package, this would mean we cannot build at
>>> least:
>>>
>>> - Python 2.7
>>> despite our long term efforts, many things still need that, e.g. gimp,
>>> firefox (some builds do, then some don't), thunderbird etc., see
>>> https://fedora.portingdb.xyz/
>>>
>>> Or Python 3.6 (shipped for developers targeting RHEL 7/8).
>>>
>>> As long as OpenSSL 1.1 gets security fixes in RHEL 8, could we please
>>> leave the
>>> devel package?
>>
>> I'm not sure that if we don't remove the devel package, we will provide
>> strong enough motivation to get rid of the deprecating packages.
>
> If the openssl maintainers really strongly want to remove the
> devel package, then don't call this deprecation because that
> is misleading. Call this purging openssl1.1 from the entire
> distro, such that it can only be used by 3rd party apps who
> have previously compiled against older Fedora openssl-devel.
> Be open about the fact that this will cause FTBFS for any Fedora
> packages that still use openssl1 and their removal from the
> distro if they can't port to openssl3 very quickly.
>
> With regards,
> Daniel



Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-24 Thread Miro Hrončok

On 24. 06. 22 17:39, Simo Sorce wrote:
>> Not forever, just until Python 2.7 is removed :D
>>
>> Seriously though, my proposal is:
>>
>>    - deprecate it now
>>    - announce it goes away when RHEL 8 maintenance support ends
>>
>> Following the guidelines for deprecated packages:
>> https://docs.fedoraproject.org/en-US/packaging-guidelines/deprecating-packages/
>>
>> # This is when RHEL 8 maintenance support is expected to end
>> # https://access.redhat.com/support/policy/updates/errata
>> # The life-cycle time spans and dates are subject to adjustment
>> Provides: deprecated() = 20290531
>>
>> You are going to support OpenSSL 1.1 in RHEL 8 until that day anyway.
>>
>> This is also when we plan to remove Python 3.6:
>> https://lists.fedoraproject.org/archives/list/python-de...@lists.fedoraproject.org/thread/W74WYEVGYAE57KVLCG73I75LZYKKUMXS/
>>
>> And if Python 2.7 isn't removed by then, we can rip it out together with
>> OpenSSL 1.1 in Fedora 50.
>
> Are you going to maintain it till Fedora 50 in the meantime?


That is a very good question. No I won't. I am a member of a Red Hat team that 
maintains Python in RHEL and Fedora Linux, including a very old legacy Python 
version without upstream support. I merely expect the same treatment from the 
OpenSSL maintainers who proposed this change proposal (I assumed they are the 
RHEL OpenSSL maintainers, correct me if they are not).


I understand that I cannot *make* anybody maintain what they don't want. I am 
merely suggesting a solution that I consider good for the distro. I believe the 
RHEL OpenSSL maintainers who already need to maintain 1.1 at least until RHEL 8 
goes EOL are much better equipped to maintain it in Fedora than I am.


But as said elsewhere, when it comes to that, we would be either forced to 
bundle OpenSSL 1.1 (and well, maintain it) or to get rid of Python 2.


--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-24 Thread Nico Kadel-Garcia
On Fri, Jun 24, 2022 at 5:14 AM Dmitry Belyavskiy  wrote:
>
>
>
> On Wed, Jun 22, 2022 at 11:02 PM Miro Hrončok  wrote:
>>
>> On 22. 06. 22 21:05, Vipul Siddharth wrote:
>> > We are going to deprecate openssl1.1 package, stop shipping the
>> > corresponding devel package, and stop respecting crypto policies in
>> > openssl1.1 package itself.
>>
>> +1 to deprecating it
>
>
> Great!

Please don't stop shipping the devel package while still shipping the
old library package. RHEL has been doing that with python3-ldb-devel,
and python3-talloc-devel, and used to do that with lmdb-devel, and
it's been... infuriating, especially since Red Hat and CentOS kept
them around for internal use in their build environments, they just
neglected to include them in the published operating. It wasn't
*exactly* a GPL violation, since they continued to provide SRPMs, but
it was quite irksome.


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-24 Thread Simo Sorce
On Fri, 2022-06-24 at 11:42 +0200, Miro Hrončok wrote:
> On 24. 06. 22 11:23, Dmitry Belyavskiy wrote:
> > On Fri, Jun 24, 2022 at 11:20 AM Daniel P. Berrangé wrote:
> > > On Fri, Jun 24, 2022 at 11:13:13AM +0200, Dmitry Belyavskiy wrote:
> > > > On Wed, Jun 22, 2022 at 11:02 PM Miro Hrončok wrote:
> > > > > On 22. 06. 22 21:05, Vipul Siddharth wrote:
> > > > > > We are going to deprecate openssl1.1 package, stop shipping the
> > > > > > corresponding devel package, and stop respecting crypto policies in
> > > > > > openssl1.1 package itself.
> > > > >
> > > > > +1 to deprecating it
> > > >
> > > > Great!
> > > >
> > > > > -1 to stop shipping the devel package, this would mean we cannot build at
> > > > > least:
> > > > >
> > > > > - Python 2.7
> > > > >    despite our long term efforts, many things still need that, e.g. gimp,
> > > > > firefox (some builds do, then some don't), thunderbird etc., see
> > > > > https://fedora.portingdb.xyz/
> > > > >
> > > > > Or Python 3.6 (shipped for developers targeting RHEL 7/8).
> > > > >
> > > > > As long as OpenSSL 1.1 gets security fixes in RHEL 8, could we please
> > > > > leave the
> > > > > devel package?
> > > >
> > > > I'm not sure that if we don't remove the devel package, we will provide
> > > > strong enough motivation to get rid of the deprecating packages.
> > >
> > > If the openssl maintainers really strongly want to remove the
> > > devel package, then don't call this deprecation because that
> > > is misleading. Call this purging openssl1.1 from the entire
> > > distro, such that it can only be used by 3rd party apps who
> > > have previously compiled against older Fedora openssl-devel.
> > > Be open about the fact that this will cause FTBFS for any Fedora
> > > packages that still use openssl1 and their removal from the
> > > distro if they can't port to openssl3 very quickly.
> >
> > Do I correctly understand that the situation with Python is the most
> > problematic?
> > Are we able to solve it somehow?
> >
> > What I'm afraid of is that if we just declare the deprecation, we will stay
> > with this package forever.
> 
> Not forever, just until Python 2.7 is removed :D
> 
> Seriously though, my proposal is:
> 
>   - deprecate it now
>   - announce it goes away when RHEL 8 maintenance support ends
> 
> Following the guidelines for deprecated packages:
> https://docs.fedoraproject.org/en-US/packaging-guidelines/deprecating-packages/
> 
> # This is when RHEL 8 maintenance support is expected to end
> # https://access.redhat.com/support/policy/updates/errata
> # The life-cycle time spans and dates are subject to adjustment
> Provides: deprecated() = 20290531
> 
> You are going to support OpenSSL 1.1 in RHEL 8 until that day anyway.
> 
> This is also when we plan to remove Python 3.6:
> https://lists.fedoraproject.org/archives/list/python-de...@lists.fedoraproject.org/thread/W74WYEVGYAE57KVLCG73I75LZYKKUMXS/
> 
> And if Python 2.7 isn't removed by then, we can rip it out together with 
> OpenSSL 1.1 in Fedora 50.
> 

Are you going to maintain it till Fedora 50 in the meantime?

Simo.

> -- 
> Miro Hrončok
> -- 
> Phone: +420777974800
> IRC: mhroncok

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc




Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-24 Thread Daniel P . Berrangé
On Fri, Jun 24, 2022 at 02:06:14PM +0200, Tomáš Orsava wrote:
> Hi Richard,
> porting Python 2.7 to openssl 3.0 doesn't really make sense to me.
> 
> We ship Python 2.7 so that developers can test code that needs to work on
> Python 2.7 in various deployments like old CentOS/RHEL/etc. Fedora aims to
> be a developer-friendly distro and so we want to provide the tools to do
> that. Even if it's possible to port Python 2.7 to openssl 3.0 safely with
> reasonable effort, which I doubt, it would lead to a different Python 2.7,
> which would no longer work as a testing ground for people developing for old
> deployments.

IMHO that's not a very compelling use case. Python 2.7 on Fedora
is already quite different from RHEL in terms of crypto, simply by
virtue of Fedora having quite different crypto-policies applied.

If people want to test compatibility with older RHEL/CentOS from
their Fedora dev machine, then containers are the answer and will
give much higher confidence level. Containers already dominate in
cases where people want to test software against different OS,
without having the burden of maintaining a full VM.

With regards,
Daniel
-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-24 Thread Tomáš Orsava

Hi Richard,
porting Python 2.7 to openssl 3.0 doesn't really make sense to me.

We ship Python 2.7 so that developers can test code that needs to work 
on Python 2.7 in various deployments like old CentOS/RHEL/etc. Fedora 
aims to be a developer-friendly distro and so we want to provide the 
tools to do that. Even if it's possible to port Python 2.7 to openssl 
3.0 safely with reasonable effort, which I doubt, it would lead to a 
different Python 2.7, which would no longer work as a testing ground for 
people developing for old deployments.


Tomáš

On 6/24/22 13:11, Richard W.M. Jones wrote:

On Thu, Jun 23, 2022 at 10:43:45AM +0100, Richard W.M. Jones wrote:

python2.7-0:2.7.18-22.fc37.src

Vaguely seeing if it's feasible to backport the OpenSSL 3 support to
Python 2.7.  This branch gets quite far:

https://github.com/rwmjones/cpython/tree/python-2.7-openssl-3

Only one test fails, test_ssl (obviously), but it does only appear to
fail where it tests obsolete ciphers.  I looked into fixing the test,
but the upstream version of this test has changed a great deal, with a
whole mechanism for skipping unsupported ciphers.

Remaining test failures in detail below.

Rich.

--

running build
running build_ext
warning: openssl 0x is too old for _hashlib
building dbm using ndbm

Python build finished, but the necessary bits to build these modules were not 
found:
_hashlib   bsddb185   dl
imageopsunaudiodev
To find the necessary bits, look in setup.py in detect_modules() for the 
module's name.

running build_scripts
find ./Lib -name '*.py[co]' -print | xargs rm -f
./python -Wd -3 -E -tt  ./Lib/test/regrtest.py -v test_ssl
== CPython 2.7.18 (tags/2.7-3-g1efbb6fd52:1efbb6fd52, Jun 24 2022, 12:05:45) 
[GCC 12.1.1 20220507 (Red Hat 12.1.1-1)]
==   
Linux-5.14.0-0.rc4.20210804gitd5ad8ec3cfb5.36.fc35.x86_64-x86_64-with-fedora-37-Rawhide
 little-endian
==   /home/rjones/d/cpython-2.7/build/test_python_641493
== CPU count: 24
Run tests sequentially
0:00:00 load avg: 0.09 [1/1] test_ssl
test_ssl: testing with 'OpenSSL 3.0.3 3 May 2022' (3, 0, 0, 3, 0)
   under Linux ('Fedora', '37', 'Rawhide')
   HAS_SNI = True
   OP_ALL = 0x8050
   OP_NO_TLSv1_1 = 0x1000
test__create_stdlib_context (test.test_ssl.ContextTests) ... ok
test__https_verify_certificates (test.test_ssl.ContextTests) ... ok
test__https_verify_envvar (test.test_ssl.ContextTests) ... ok
test_cert_store_stats (test.test_ssl.ContextTests) ... ok
test_check_hostname (test.test_ssl.ContextTests) ... ok
test_ciphers (test.test_ssl.ContextTests) ... ok
test_constructor (test.test_ssl.ContextTests) ... ok
test_create_default_context (test.test_ssl.ContextTests) ... ok
test_get_ca_certs (test.test_ssl.ContextTests) ... ok
test_load_cert_chain (test.test_ssl.ContextTests) ... ok
test_load_default_certs (test.test_ssl.ContextTests) ... ok
test_load_default_certs_env (test.test_ssl.ContextTests) ... ok
test_load_default_certs_env_windows (test.test_ssl.ContextTests) ... skipped 
'Windows specific'
test_load_dh_params (test.test_ssl.ContextTests) ... ok
test_load_verify_cadata (test.test_ssl.ContextTests) ... ERROR
test_load_verify_locations (test.test_ssl.ContextTests) ... ok
test_options (test.test_ssl.ContextTests) ... ok
test_protocol (test.test_ssl.ContextTests) ... ok
test_session_stats (test.test_ssl.ContextTests) ... ok
test_set_default_verify_paths (test.test_ssl.ContextTests) ... ok
test_set_ecdh_curve (test.test_ssl.ContextTests) ... ok
test_sni_callback (test.test_ssl.ContextTests) ... ok
test_sni_callback_refcycle (test.test_ssl.ContextTests) ... ok
test_verify_flags (test.test_ssl.ContextTests) ... ok
test_verify_mode (test.test_ssl.ContextTests) ... ok
test_sslwrap_simple (test.test_ssl.BasicTests) ... ok
test_DER_to_PEM (test.test_ssl.BasicSocketTests) ... ok
test_asn1object (test.test_ssl.BasicSocketTests) ... ok
test_cert_time_to_seconds (test.test_ssl.BasicSocketTests) ... ok
test_cert_time_to_seconds_locale (test.test_ssl.BasicSocketTests) ... skipped 
'locale-specific month name needs to be different from C locale'
test_cert_time_to_seconds_timezone (test.test_ssl.BasicSocketTests) ... ok
test_constants (test.test_ssl.BasicSocketTests) ... ok
test_empty_cert (test.test_ssl.BasicSocketTests)
Wrapping with an empty cert file ... ok
test_enum_certificates (test.test_ssl.BasicSocketTests) ... skipped 'Windows 
specific'
test_enum_crls (test.test_ssl.BasicSocketTests) ... skipped 'Windows specific'
test_errors (test.test_ssl.BasicSocketTests) ... ok
test_get_default_verify_paths (test.test_ssl.BasicSocketTests) ... ok
test_malformed_cert (test.test_ssl.BasicSocketTests)
Wrapping with a badly formatted certificate (syntax error) ... ok
test_malformed_key (test.test_ssl.BasicSocketTests)
Wrapping with a badly formatted key (syntax error) ... ok
test_match_hostname (test.test_ssl.BasicSocketTests) ... ok

Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-24 Thread Richard W.M. Jones
On Fri, Jun 24, 2022 at 01:37:16PM +0200, Miro Hrončok wrote:
> On 24. 06. 22 13:11, Richard W.M. Jones wrote:
> >On Thu, Jun 23, 2022 at 10:43:45AM +0100, Richard W.M. Jones wrote:
> >>python2.7-0:2.7.18-22.fc37.src
> >
> >Vaguely seeing if it's feasible to backport the OpenSSL 3 support to
> >Python 2.7.  This branch gets quite far:
> >
> >https://github.com/rwmjones/cpython/tree/python-2.7-openssl-3
> >
> >Only one test fails, test_ssl (obviously), but it does only appear to
> >fail where it tests obsolete ciphers.  I looked into fixing the test,
> >but the upstream version of this test has changed a great deal, with a
> >whole mechanism for skipping unsupported ciphers.
> 
> Richard, have you seen the list of PRs and dependencies in
> https://github.com/python/cpython/issues/83001 ?

I did!  It was very long so I went with cherry picking patches and
hoping for the best, with mixed results ...

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines.  Supports shell scripting,
bindings from many languages.  http://libguestfs.org


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-24 Thread Miro Hrončok

On 24. 06. 22 13:11, Richard W.M. Jones wrote:
> On Thu, Jun 23, 2022 at 10:43:45AM +0100, Richard W.M. Jones wrote:
> > python2.7-0:2.7.18-22.fc37.src
>
> Vaguely seeing if it's feasible to backport the OpenSSL 3 support to
> Python 2.7.  This branch gets quite far:
>
> https://github.com/rwmjones/cpython/tree/python-2.7-openssl-3
>
> Only one test fails, test_ssl (obviously), but it does only appear to
> fail where it tests obsolete ciphers.  I looked into fixing the test,
> but the upstream version of this test has changed a great deal, with a
> whole mechanism for skipping unsupported ciphers.

Richard, have you seen the list of PRs and dependencies in
https://github.com/python/cpython/issues/83001 ?


--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-24 Thread Dmitry Belyavskiy
Dear Richard,

If the only problem is legacy (and unsafe) ciphersuites, loading the legacy
provider will solve this problem.

On Fri, Jun 24, 2022 at 1:11 PM Richard W.M. Jones 
wrote:

> On Thu, Jun 23, 2022 at 10:43:45AM +0100, Richard W.M. Jones wrote:
> > python2.7-0:2.7.18-22.fc37.src
>
> Vaguely seeing if it's feasible to backport the OpenSSL 3 support to
> Python 2.7.  This branch gets quite far:
>
> https://github.com/rwmjones/cpython/tree/python-2.7-openssl-3
>
> Only one test fails, test_ssl (obviously), but it does only appear to
> fail where it tests obsolete ciphers.  I looked into fixing the test,
> but the upstream version of this test has changed a great deal, with a
> whole mechanism for skipping unsupported ciphers.
>
> Remaining test failures in detail below.
>
> Rich.
>
> --
>
> running build
> running build_ext
> warning: openssl 0x is too old for _hashlib
> building dbm using ndbm
>
> Python build finished, but the necessary bits to build these modules were
> not found:
> _hashlib   bsddb185   dl
> imageopsunaudiodev
> To find the necessary bits, look in setup.py in detect_modules() for the
> module's name.
>
> running build_scripts
> find ./Lib -name '*.py[co]' -print | xargs rm -f
> ./python -Wd -3 -E -tt  ./Lib/test/regrtest.py -v test_ssl
> == CPython 2.7.18 (tags/2.7-3-g1efbb6fd52:1efbb6fd52, Jun 24 2022,
> 12:05:45) [GCC 12.1.1 20220507 (Red Hat 12.1.1-1)]
> ==
>  
> Linux-5.14.0-0.rc4.20210804gitd5ad8ec3cfb5.36.fc35.x86_64-x86_64-with-fedora-37-Rawhide
> little-endian
> ==   /home/rjones/d/cpython-2.7/build/test_python_641493
> == CPU count: 24
> Run tests sequentially
> 0:00:00 load avg: 0.09 [1/1] test_ssl
> test_ssl: testing with 'OpenSSL 3.0.3 3 May 2022' (3, 0, 0, 3, 0)
>   under Linux ('Fedora', '37', 'Rawhide')
>   HAS_SNI = True
>   OP_ALL = 0x8050
>   OP_NO_TLSv1_1 = 0x1000
> test__create_stdlib_context (test.test_ssl.ContextTests) ... ok
> test__https_verify_certificates (test.test_ssl.ContextTests) ... ok
> test__https_verify_envvar (test.test_ssl.ContextTests) ... ok
> test_cert_store_stats (test.test_ssl.ContextTests) ... ok
> test_check_hostname (test.test_ssl.ContextTests) ... ok
> test_ciphers (test.test_ssl.ContextTests) ... ok
> test_constructor (test.test_ssl.ContextTests) ... ok
> test_create_default_context (test.test_ssl.ContextTests) ... ok
> test_get_ca_certs (test.test_ssl.ContextTests) ... ok
> test_load_cert_chain (test.test_ssl.ContextTests) ... ok
> test_load_default_certs (test.test_ssl.ContextTests) ... ok
> test_load_default_certs_env (test.test_ssl.ContextTests) ... ok
> test_load_default_certs_env_windows (test.test_ssl.ContextTests) ...
> skipped 'Windows specific'
> test_load_dh_params (test.test_ssl.ContextTests) ... ok
> test_load_verify_cadata (test.test_ssl.ContextTests) ... ERROR
> test_load_verify_locations (test.test_ssl.ContextTests) ... ok
> test_options (test.test_ssl.ContextTests) ... ok
> test_protocol (test.test_ssl.ContextTests) ... ok
> test_session_stats (test.test_ssl.ContextTests) ... ok
> test_set_default_verify_paths (test.test_ssl.ContextTests) ... ok
> test_set_ecdh_curve (test.test_ssl.ContextTests) ... ok
> test_sni_callback (test.test_ssl.ContextTests) ... ok
> test_sni_callback_refcycle (test.test_ssl.ContextTests) ... ok
> test_verify_flags (test.test_ssl.ContextTests) ... ok
> test_verify_mode (test.test_ssl.ContextTests) ... ok
> test_sslwrap_simple (test.test_ssl.BasicTests) ... ok
> test_DER_to_PEM (test.test_ssl.BasicSocketTests) ... ok
> test_asn1object (test.test_ssl.BasicSocketTests) ... ok
> test_cert_time_to_seconds (test.test_ssl.BasicSocketTests) ... ok
> test_cert_time_to_seconds_locale (test.test_ssl.BasicSocketTests) ...
> skipped 'locale-specific month name needs to be different from C locale'
> test_cert_time_to_seconds_timezone (test.test_ssl.BasicSocketTests) ... ok
> test_constants (test.test_ssl.BasicSocketTests) ... ok
> test_empty_cert (test.test_ssl.BasicSocketTests)
> Wrapping with an empty cert file ... ok
> test_enum_certificates (test.test_ssl.BasicSocketTests) ... skipped
> 'Windows specific'
> test_enum_crls (test.test_ssl.BasicSocketTests) ... skipped 'Windows
> specific'
> test_errors (test.test_ssl.BasicSocketTests) ... ok
> test_get_default_verify_paths (test.test_ssl.BasicSocketTests) ... ok
> test_malformed_cert (test.test_ssl.BasicSocketTests)
> Wrapping with a badly formatted certificate (syntax error) ... ok
> test_malformed_key (test.test_ssl.BasicSocketTests)
> Wrapping with a badly formatted key (syntax error) ... ok
> test_match_hostname (test.test_ssl.BasicSocketTests) ... ok
> test_openssl_version (test.test_ssl.BasicSocketTests) ... FAIL
> test_parse_all_sans (test.test_ssl.BasicSocketTests) ... ok
> test_parse_cert (test.test_ssl.BasicSocketTests) ...
> {'issuer': ((('countryName', u'XY'),),
> (('localityName', 

Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-24 Thread Richard W.M. Jones
On Thu, Jun 23, 2022 at 10:43:45AM +0100, Richard W.M. Jones wrote:
> python2.7-0:2.7.18-22.fc37.src

Vaguely seeing if it's feasible to backport the OpenSSL 3 support to
Python 2.7.  This branch gets quite far:

https://github.com/rwmjones/cpython/tree/python-2.7-openssl-3

Only one test fails, test_ssl (obviously), but it does only appear to
fail where it tests obsolete ciphers.  I looked into fixing the test,
but the upstream version of this test has changed a great deal, with a
whole mechanism for skipping unsupported ciphers.

Remaining test failures in detail below.

Rich.

--

running build
running build_ext
warning: openssl 0x is too old for _hashlib
building dbm using ndbm

Python build finished, but the necessary bits to build these modules were not 
found:
_hashlib   bsddb185   dl  
imageopsunaudiodev
To find the necessary bits, look in setup.py in detect_modules() for the 
module's name.

running build_scripts
find ./Lib -name '*.py[co]' -print | xargs rm -f
./python -Wd -3 -E -tt  ./Lib/test/regrtest.py -v test_ssl
== CPython 2.7.18 (tags/2.7-3-g1efbb6fd52:1efbb6fd52, Jun 24 2022, 12:05:45) 
[GCC 12.1.1 20220507 (Red Hat 12.1.1-1)]
==   
Linux-5.14.0-0.rc4.20210804gitd5ad8ec3cfb5.36.fc35.x86_64-x86_64-with-fedora-37-Rawhide
 little-endian
==   /home/rjones/d/cpython-2.7/build/test_python_641493
== CPU count: 24
Run tests sequentially
0:00:00 load avg: 0.09 [1/1] test_ssl
test_ssl: testing with 'OpenSSL 3.0.3 3 May 2022' (3, 0, 0, 3, 0)
  under Linux ('Fedora', '37', 'Rawhide')
  HAS_SNI = True
  OP_ALL = 0x8050
  OP_NO_TLSv1_1 = 0x1000
test__create_stdlib_context (test.test_ssl.ContextTests) ... ok
test__https_verify_certificates (test.test_ssl.ContextTests) ... ok
test__https_verify_envvar (test.test_ssl.ContextTests) ... ok
test_cert_store_stats (test.test_ssl.ContextTests) ... ok
test_check_hostname (test.test_ssl.ContextTests) ... ok
test_ciphers (test.test_ssl.ContextTests) ... ok
test_constructor (test.test_ssl.ContextTests) ... ok
test_create_default_context (test.test_ssl.ContextTests) ... ok
test_get_ca_certs (test.test_ssl.ContextTests) ... ok
test_load_cert_chain (test.test_ssl.ContextTests) ... ok
test_load_default_certs (test.test_ssl.ContextTests) ... ok
test_load_default_certs_env (test.test_ssl.ContextTests) ... ok
test_load_default_certs_env_windows (test.test_ssl.ContextTests) ... skipped 
'Windows specific'
test_load_dh_params (test.test_ssl.ContextTests) ... ok
test_load_verify_cadata (test.test_ssl.ContextTests) ... ERROR
test_load_verify_locations (test.test_ssl.ContextTests) ... ok
test_options (test.test_ssl.ContextTests) ... ok
test_protocol (test.test_ssl.ContextTests) ... ok
test_session_stats (test.test_ssl.ContextTests) ... ok
test_set_default_verify_paths (test.test_ssl.ContextTests) ... ok
test_set_ecdh_curve (test.test_ssl.ContextTests) ... ok
test_sni_callback (test.test_ssl.ContextTests) ... ok
test_sni_callback_refcycle (test.test_ssl.ContextTests) ... ok
test_verify_flags (test.test_ssl.ContextTests) ... ok
test_verify_mode (test.test_ssl.ContextTests) ... ok
test_sslwrap_simple (test.test_ssl.BasicTests) ... ok
test_DER_to_PEM (test.test_ssl.BasicSocketTests) ... ok
test_asn1object (test.test_ssl.BasicSocketTests) ... ok
test_cert_time_to_seconds (test.test_ssl.BasicSocketTests) ... ok
test_cert_time_to_seconds_locale (test.test_ssl.BasicSocketTests) ... skipped 
'locale-specific month name needs to be different from C locale'
test_cert_time_to_seconds_timezone (test.test_ssl.BasicSocketTests) ... ok
test_constants (test.test_ssl.BasicSocketTests) ... ok
test_empty_cert (test.test_ssl.BasicSocketTests)
Wrapping with an empty cert file ... ok
test_enum_certificates (test.test_ssl.BasicSocketTests) ... skipped 'Windows 
specific'
test_enum_crls (test.test_ssl.BasicSocketTests) ... skipped 'Windows specific'
test_errors (test.test_ssl.BasicSocketTests) ... ok
test_get_default_verify_paths (test.test_ssl.BasicSocketTests) ... ok
test_malformed_cert (test.test_ssl.BasicSocketTests)
Wrapping with a badly formatted certificate (syntax error) ... ok
test_malformed_key (test.test_ssl.BasicSocketTests)
Wrapping with a badly formatted key (syntax error) ... ok
test_match_hostname (test.test_ssl.BasicSocketTests) ... ok
test_openssl_version (test.test_ssl.BasicSocketTests) ... FAIL
test_parse_all_sans (test.test_ssl.BasicSocketTests) ... ok
test_parse_cert (test.test_ssl.BasicSocketTests) ... 
{'issuer': ((('countryName', u'XY'),),
(('localityName', u'Castle Anthrax'),),
(('organizationName', u'Python Software Foundation'),),
(('commonName', u'localhost'),)),
 'notAfter': 'Aug 26 14:23:15 2028 GMT',
 'notBefore': u'Aug 29 14:23:15 2018 GMT',
 'serialNumber': u'98A7CF88C74A32ED',
 'subject': ((('countryName', u'XY'),),
 (('localityName', 

Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-24 Thread Miro Hrončok

On 24. 06. 22 11:23, Dmitry Belyavskiy wrote:
> On Fri, Jun 24, 2022 at 11:20 AM Daniel P. Berrangé wrote:
>
> > On Fri, Jun 24, 2022 at 11:13:13AM +0200, Dmitry Belyavskiy wrote:
> > > On Wed, Jun 22, 2022 at 11:02 PM Miro Hrončok wrote:
> > >
> > > > On 22. 06. 22 21:05, Vipul Siddharth wrote:
> > > > > We are going to deprecate openssl1.1 package, stop shipping the
> > > > > corresponding devel package, and stop respecting crypto policies in
> > > > > openssl1.1 package itself.
> > > >
> > > > +1 to deprecating it
> > > >
> > >
> > > Great!
> > >
> > > -1 to stop shipping the devel package, this would mean we cannot build at
> > > > least:
> > > >
> > > > - Python 2.7
> > > >    despite our long term efforts, many things still need that, e.g. gimp,
> > > > firefox (some builds do, then some don't), thunderbird etc., see
> > > > https://fedora.portingdb.xyz/
> > > >
> > > > Or Python 3.6 (shipped for developers targeting RHEL 7/8).
> > > >
> > > > As long as OpenSSL 1.1 gets security fixes in RHEL 8, could we please
> > > > leave the
> > > > devel package?
> > > >
> > >
> > > I'm not sure that if we don't remove the devel package, we will provide
> > > strong enough motivation to get rid of the deprecating packages.
> >
> > If the openssl maintainers really strongly want to remove the
> > devel package, then don't call this deprecation because that
> > is misleading. Call this purging openssl1.1 from the entire
> > distro, such that it can only be used by 3rd party apps who
> > have previously compiled against older Fedora openssl-devel.
> > Be open about fact that this will cause FTBFS for any Fedora
> > packages that still uses openssl1 and their removal from the
> > distro if they can't port to openssl3 very quickly.
>
> Do I correctly understand that the situation with Python is the most
> problematic?
> Are we able to solve it somehow?
>
> What I'm afraid of is that if we just declare the deprecation, we will stay
> with this package forever.


Not forever, just until Python 2.7 is removed :D

Seriously though, my proposal is:

 - deprecate it now
 - announce it goes away when RHEL 8 maintenance support ends

Following the guidelines for deprecated packages:
https://docs.fedoraproject.org/en-US/packaging-guidelines/deprecating-packages/

  # This is when RHEL 8 maintenance support is expected to end
  # https://access.redhat.com/support/policy/updates/errata
  # The life-cycle time spans and dates are subject to adjustment
  Provides: deprecated() = 20290531

You are going to support OpenSSL 1.1 in RHEL 8 until that day anyway.

This is also when we plan to remove Python 3.6:
https://lists.fedoraproject.org/archives/list/python-de...@lists.fedoraproject.org/thread/W74WYEVGYAE57KVLCG73I75LZYKKUMXS/

And if Python 2.7 isn't removed by then, we can rip it out together with 
OpenSSL 1.1 in Fedora 50.


--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-24 Thread Felix Schwarz

On 24.06.22 at 11:27, Florian Weimer wrote:
> * Felix Schwarz:
>
> > Are these Python 2.7 dependencies only used at build time? In that
> > case Fedora could maybe announce that openssl1.1 might not get the
> > full security support so the burden for openssl1.1 packagers is lower
> > without removing the functionality?
>
> I'm pretty sure it's used for Python's own HTTPS implementation, among
> other things, so it's not really an optional feature (although Python
> can be built without it, I believe).


What I meant is: Is Python 2.7 only used as a build dependency? If so, I think 
we might be able to state that Python 2.7 + openssl might get reduced security 
support. At build time we don't have any network access anyway.


I guess it is clear that removing openssl1.1 is not really feasible unless we 
remove Python 2.7.


Felix


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-24 Thread Felix Schwarz

On 24.06.22 at 11:23, Dmitry Belyavskiy wrote:
> What I'm afraid of is that if we just declare the deprecation, we will stay with
> this package forever.


Well, RHEL 7 maintenance support 2 phase ends in June 2024. I'd expect that we 
should be able to drop Python 2.7 from Fedora at that point at least (probably 
even before).


And yes, I think removing really important packages like OpenSSL 1 or Python 2.7 
is not an easy task for a general-purpose Linux distribution.


Felix


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-24 Thread Miro Hrončok

On 24. 06. 22 11:27, Florian Weimer wrote:
> * Felix Schwarz:
>
> > Are these Python 2.7 dependencies only used at build time? In that
> > case Fedora could maybe announce that openssl1.1 might not get the
> > full security support so the burden for openssl1.1 packagers is lower
> > without removing the functionality?
>
> I'm pretty sure it's used for Python's own HTTPS implementation, among
> other things, so it's not really an optional feature (although Python
> can be built without it, I believe).


It is possible to build Python 2 without the ssl module. HTTPS would indeed not 
work and hence pip would not work. In return, the package would be useless for 
Python developers using virtualenv to test their code that still needs to 
support Python 2.


If openssl1.1-devel goes away, we would likely need to either bundle openssl 
entirely (which is worse than having openssl1.1-devel in Fedora IMHO), or just 
bundle the headers somehow, which just creates a room for breakage with every 
openssl 1.1 update for no added benefit.


--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-24 Thread Florian Weimer
* Felix Schwarz:

> Are these Python 2.7 dependencies only used at build time? In that
> case Fedora could maybe announce that openssl1.1 might not get the
> full security support so the burden for openssl1.1 packagers is lower
> without removing the functionality?

I'm pretty sure it's used for Python's own HTTPS implementation, among
other things, so it's not really an optional feature (although Python
can be built without it, I believe).

Thanks,
Florian


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-24 Thread Dmitry Belyavskiy
On Fri, Jun 24, 2022 at 11:20 AM Daniel P. Berrangé 
wrote:

> On Fri, Jun 24, 2022 at 11:13:13AM +0200, Dmitry Belyavskiy wrote:
> > On Wed, Jun 22, 2022 at 11:02 PM Miro Hrončok 
> wrote:
> >
> > > On 22. 06. 22 21:05, Vipul Siddharth wrote:
> > > > We are going to deprecate openssl1.1 package, stop shipping the
> > > > corresponding devel package, and stop respecting crypto policies in
> > > > openssl1.1 package itself.
> > >
> > > +1 to deprecating it
> > >
> >
> > Great!
> >
> > -1 to stop shipping the devel package, this would mean we cannot build at
> > > least:
> > >
> > > - Python 2.7
> > >despite our long term efforts, many things still need that, e.g.
> gimp,
> > > firefox (some builds do, then some don't), thunderbird etc., see
> > > https://fedora.portingdb.xyz/
> > >
> > > Or Python 3.6 (shipped for developers targeting RHEL 7/8).
> > >
> > > As long as OpenSSL 1.1 gets security fixes in RHEL 8, could we please
> > > leave the
> > > devel package?
> > >
> >
> > I'm not sure that if we don't remove the devel package, we will provide
> > strong enough motivation to get rid of the deprecating packages.
>
> If the openssl maintainers really strongly want to remove the
> devel package, then don't call this deprecation because that
> is misleading. Call this purging openssl1.1 from the entire
> distro, such that it can only be used by 3rd party apps who
> have previously compiled against older Fedora openssl-devel.
> Be open about fact that this will cause FTBFS for any Fedora
> packages that still uses openssl1 and their removal from the
> distro if they can't port to openssl3 very quickly.
>

Do I correctly understand that the situation with Python is the most
problematic?
Are we able to solve it somehow?

What I'm afraid of is that if we just declare the deprecation, we will stay
with this package forever.

-- 
Dmitry Belyavskiy


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-24 Thread Daniel P . Berrangé
On Fri, Jun 24, 2022 at 11:13:13AM +0200, Dmitry Belyavskiy wrote:
> On Wed, Jun 22, 2022 at 11:02 PM Miro Hrončok  wrote:
> 
> > On 22. 06. 22 21:05, Vipul Siddharth wrote:
> > > We are going to deprecate openssl1.1 package, stop shipping the
> > > corresponding devel package, and stop respecting crypto policies in
> > > openssl1.1 package itself.
> >
> > +1 to deprecating it
> >
> 
> Great!
> 
> -1 to stop shipping the devel package, this would mean we cannot build at
> > least:
> >
> > - Python 2.7
> >despite our long term efforts, many things still need that, e.g. gimp,
> > firefox (some builds do, then some don't), thunderbird etc., see
> > https://fedora.portingdb.xyz/
> >
> > Or Python 3.6 (shipped for developers targeting RHEL 7/8).
> >
> > As long as OpenSSL 1.1 gets security fixes in RHEL 8, could we please
> > leave the
> > devel package?
> >
> 
> I'm not sure that if we don't remove the devel package, we will provide
> strong enough motivation to get rid of the deprecating packages.

If the openssl maintainers really strongly want to remove the
devel package, then don't call this deprecation because that
is misleading. Call this purging openssl1.1 from the entire
distro, such that it can only be used by 3rd party apps who
have previously compiled against older Fedora openssl-devel.
Be open about fact that this will cause FTBFS for any Fedora
packages that still uses openssl1 and their removal from the
distro if they can't port to openssl3 very quickly.

With regards,
Daniel
-- 
|: https://berrange.com  -o-https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o-https://fstop138.berrange.com :|
|: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-24 Thread Felix Schwarz

On 24.06.22 at 11:13, Dmitry Belyavskiy wrote:
> I'm not sure that if we don't remove the devel package, we will provide strong
> enough motivation to get rid of the deprecating packages.


imho removing the devel packages is basically the same as removing openssl1.1 
entirely. To me the idea of "deprecation" is to warn users that something is 
going away WITHOUT removing functionality immediately.


And yes, Python 2.7 might be a pain point for packagers but fact is that 
important packages still rely on it. Removing openssl just shifts the burden to 
(many more) packagers who just need Python 2.7 for their packages.


Are these Python 2.7 dependencies only used at build time? In that case Fedora 
could maybe announce that openssl1.1 might not get the full security support so 
the burden for openssl1.1 packagers is lower without removing the functionality?


Felix


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-24 Thread Miro Hrončok

On 24. 06. 22 11:13, Dmitry Belyavskiy wrote:
> On Wed, Jun 22, 2022 at 11:02 PM Miro Hrončok wrote:
>
> > On 22. 06. 22 21:05, Vipul Siddharth wrote:
> > > We are going to deprecate openssl1.1 package, stop shipping the
> > > corresponding devel package, and stop respecting crypto policies in
> > > openssl1.1 package itself.
> >
> > +1 to deprecating it
>
> Great!
>
> > -1 to stop shipping the devel package, this would mean we cannot build at
> > least:
> >
> > - Python 2.7
> >     despite our long term efforts, many things still need that, e.g. gimp,
> > firefox (some builds do, then some don't), thunderbird etc., see
> > https://fedora.portingdb.xyz/
> >
> > Or Python 3.6 (shipped for developers targeting RHEL 7/8).
> >
> > As long as OpenSSL 1.1 gets security fixes in RHEL 8, could we please leave
> > the
> > devel package?
>
> I'm not sure that if we don't remove the devel package, we will provide strong
> enough motivation to get rid of the deprecating packages.


You probably won't. But by breaking it intentionally, you are just shifting the 
problem somewhere else.


--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-24 Thread Dmitry Belyavskiy
On Wed, Jun 22, 2022 at 11:02 PM Miro Hrončok  wrote:

> On 22. 06. 22 21:05, Vipul Siddharth wrote:
> > We are going to deprecate openssl1.1 package, stop shipping the
> > corresponding devel package, and stop respecting crypto policies in
> > openssl1.1 package itself.
>
> +1 to deprecating it
>

Great!

-1 to stop shipping the devel package, this would mean we cannot build at
> least:
>
> - Python 2.7
>despite our long term efforts, many things still need that, e.g. gimp,
> firefox (some builds do, then some don't), thunderbird etc., see
> https://fedora.portingdb.xyz/
>
> Or Python 3.6 (shipped for developers targeting RHEL 7/8).
>
> As long as OpenSSL 1.1 gets security fixes in RHEL 8, could we please
> leave the
> devel package?
>

I'm not sure that if we don't remove the devel package, we will provide
strong enough motivation to get rid of the deprecating packages.

-- 
Dmitry Belyavskiy


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-23 Thread Gary Buhrmaster
On Thu, Jun 23, 2022 at 6:09 PM Miro Hrončok  wrote:

> That's complicated. .

And, while I am sure it could be derived,
it seems to me, as previously stated,
that the python's turn into the most
significant dependency chain.

I am all for deprecating openssl 1.1,
and for package reviews rejecting any
new packages that depend on it, and
for (as needed/appropriate) working
with upstream packages to update
their codes for openssl 3.0, but
removing openssl1.1 entirely for
building/use with existing packages
is just a bridge too far today, even as
we do need to keep pushing towards
that target.


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-23 Thread Miro Hrončok

On 23. 06. 22 19:58, Maxwell G wrote:
> Jun 23, 2022 12:14:26 PM Miro Hrončok:
>
> > Alrighty, in that case:
> >
> > $ comm -23 <(repoquery -q --repo=rawhide{,-source} --whatrequires
> > openssl1.1-devel | grep src$ | sort) <(repoquery -q --repo=rawhide{,-source}
> > --whatrequires openssl-devel | grep src$ | sort)
> > botan2-0:2.19.1-2.fc37.src
> > erlang-0:24.3.4.1-1.fc37.src
> > chatty-0:0.6.3-1.fc37.src
> > mumble-0:1.3.4-8.fc36.src
> > pypy-0:7.3.9-1.fc37.src
> > pypy3.7-0:7.3.9-1.3.7.fc37.src
> > pypy3.8-0:7.3.9-1.3.8.fc37.src
> > python-uamqp-0:1.5.3-2.fc37.src
> > python2.7-0:2.7.18-22.fc37.src
> > python3.6-0:3.6.15-9.fc37.src
> > python3.7-0:3.7.13-2.fc37.src
>
> Perhaps it makes sense to query recursively to get a fuller picture? All the
> recursive dependents would also break if their dependencies FTBFS and get
> retired.

That's complicated. Those are source packages and they build various binary 
packages -- we would need to query those. Scripts and web applications are 
built around that, but the results are imperfect. This is the best I can get 
with a "simple" query:


$ repoquery -q --repo=rawhide{,-source} --whatrequires openssl1.1 --recursive
...2526 lines...


But that does not take BuildRequires of BuildRequires into account.

And I have verified openssl1.1 does not provide anything shared with 
openssl(-libs).


--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok
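
The gap described in the message above (a recursive Requires query does not follow BuildRequires of BuildRequires) can be closed by walking source-to-binary and binary-to-source edges together. The sketch below is an added example, not part of the original message or any Fedora tooling; all dependency edges and the "hypo-*" package names are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample metadata (NOT real Fedora repodata). "hypo-*" names are
# hypothetical; edges between real package names are made up for illustration.
BUILDS = {  # source package -> binary packages it produces
    "python2.7": ["python2.7"],
    "erlang": ["erlang-crypto"],
    "nginx": ["nginx"],
    "gimp": ["gimp", "gimp-devel"],
    "hypo-gimp-plugin": ["hypo-gimp-plugin"],
    "hypo-erlang-rt": ["hypo-erlang-rt"],
    "hypo-broker": ["hypo-broker"],
    "hypo-docs": ["hypo-docs"],
}
BUILD_REQUIRES = {  # source package -> binaries needed in its buildroot
    "python2.7": ["openssl1.1-devel"],
    "erlang": ["openssl1.1-devel"],
    "nginx": ["openssl-devel", "openssl1.1-devel"],  # conditional, has fallback
    "gimp": ["python2.7"],
    "hypo-gimp-plugin": ["gimp-devel"],
    "hypo-erlang-rt": [],
    "hypo-broker": ["hypo-erlang-rt"],
    "hypo-docs": ["nginx"],
}
REQUIRES = {  # binary package -> binaries it needs at install time
    "hypo-erlang-rt": ["erlang-crypto"],
}


def direct_dependents(build_requires, old, new):
    """Same set difference as the `comm -23` query: sources that
    BuildRequire `old` and do not also list `new`."""
    return {s for s, deps in build_requires.items()
            if old in deps and new not in deps}


def breakage_closure(seed, builds, build_requires, requires):
    """Breadth-first walk from the sources that FTBFS first.

    Returns {node: parent}, where a node is ("src", name) for a source that
    can no longer build or ("bin", name) for a binary that becomes
    unavailable or uninstallable; parent is the node that caused it
    (None for the seeds)."""
    needed_by_build = defaultdict(set)    # binary -> sources BuildRequiring it
    for src, deps in build_requires.items():
        for dep in deps:
            needed_by_build[dep].add(src)
    needed_at_runtime = defaultdict(set)  # binary -> binaries Requiring it
    for binary, deps in requires.items():
        for dep in deps:
            needed_at_runtime[dep].add(binary)

    cause, queue = {}, deque()
    for src in sorted(seed):
        cause[("src", src)] = None
        queue.append(("src", src))
    while queue:
        kind, name = queue.popleft()
        if kind == "src":
            # A retired source takes every binary it builds with it.
            nxt = [("bin", b) for b in builds.get(name, ())]
        else:
            # A missing binary breaks builds that need it in the buildroot
            # and makes binaries that Require it uninstallable.
            nxt = [("src", s) for s in needed_by_build[name]]
            nxt += [("bin", b) for b in needed_at_runtime[name]]
        for node in sorted(nxt):
            if node not in cause:
                cause[node] = (kind, name)
                queue.append(node)
    return cause


def broken_sources(cause):
    """Sorted names of source packages that end up unable to build."""
    return sorted(name for kind, name in cause if kind == "src")


def explain(cause, source):
    """Chain from the first failing source down to `source`."""
    node, chain = ("src", source), []
    while node is not None:
        chain.append("%s:%s" % node)
        node = cause[node]
    return chain[::-1]


if __name__ == "__main__":
    seed = direct_dependents(BUILD_REQUIRES, "openssl1.1-devel", "openssl-devel")
    cause = breakage_closure(seed, BUILDS, BUILD_REQUIRES, REQUIRES)
    for src in broken_sources(cause):
        print(src, "<-", " -> ".join(explain(cause, src)))
```

In this constructed data, hypo-broker fails only because a binary in its buildroot has a runtime Requires on a retired package, which is the kind of indirect breakage a query over direct BuildRequires does not show.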


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-23 Thread Maxwell G via devel

Jun 23, 2022 12:14:26 PM Miro Hrončok :

> Alrighty, in that case:
> 
> $ comm -23 <(repoquery -q --repo=rawhide{,-source} --whatrequires 
> openssl1.1-devel | grep src$ | sort) <(repoquery -q --repo=rawhide{,-source} 
> --whatrequires openssl-devel | grep src$ | sort)
> botan2-0:2.19.1-2.fc37.src
> erlang-0:24.3.4.1-1.fc37.src
> chatty-0:0.6.3-1.fc37.src
> mumble-0:1.3.4-8.fc36.src
> pypy-0:7.3.9-1.fc37.src
> pypy3.7-0:7.3.9-1.3.7.fc37.src
> pypy3.8-0:7.3.9-1.3.8.fc37.src
> python-uamqp-0:1.5.3-2.fc37.src
> python2.7-0:2.7.18-22.fc37.src
> python3.6-0:3.6.15-9.fc37.src
> python3.7-0:3.7.13-2.fc37.src
Perhaps it makes sense to query recursively to get a fuller picture? All the 
recursive dependents would also break if their dependencies FTBFS and get 
retired.
--
Thanks,

Maxwell G (@gotmax23)
Pronouns: He/Him/His




Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-23 Thread Miro Hrončok

On 23. 06. 22 16:37, Jerry James wrote:
> On Thu, Jun 23, 2022 at 6:52 AM Miro Hrončok  wrote:
>> Not quite the right incantation, because it leaves out anything that does not
>> BuildRequire explicitly the string openssl1.1-devel but rather some of its
>> virtual provides. Here you go:
>>
>> $ repoquery -q --repo=rawhide{,-source} --whatrequires openssl1.1-devel | grep
>> src$
> [snip]
>> bigloo-0:4.4c-4.4.fc37.src
>
> I was surprised to see this one on the list.  (I maintain this
> package.)  The spec file includes:
>
> BuildRequires:  pkgconfig(openssl)
>
> and:
>
> $ dnf --repo=rawhide repoquery --requires bigloo-libs
> [snip]
> libssl.so.3()(64bit)
> libssl.so.3(OPENSSL_3.0.0)(64bit)
>
> The package really is built with openssl 3. Also:
>
> $ dnf --repo=rawhide repoquery --provides openssl1.1-devel
> openssl1.1-devel = 1:1.1.1o-1.fc37
> openssl1.1-devel(x86-32) = 1:1.1.1o-1.fc37
> openssl1.1-devel(x86-64) = 1:1.1.1o-1.fc37
> pkgconfig(libcrypto) = 1.1.1o
> pkgconfig(libssl) = 1.1.1o
> pkgconfig(openssl) = 1.1.1o
>
> Both openssl devel packages provide the pkgconfig names, but with
> different values, so this repoquery invocation shows too much.

Alrighty, in that case:

$ comm -23 <(repoquery -q --repo=rawhide{,-source} --whatrequires openssl1.1-devel | grep src$ | sort) <(repoquery -q --repo=rawhide{,-source} --whatrequires openssl-devel | grep src$ | sort)

botan2-0:2.19.1-2.fc37.src
erlang-0:24.3.4.1-1.fc37.src
chatty-0:0.6.3-1.fc37.src
mumble-0:1.3.4-8.fc36.src
pypy-0:7.3.9-1.fc37.src
pypy3.7-0:7.3.9-1.3.7.fc37.src
pypy3.8-0:7.3.9-1.3.8.fc37.src
python-uamqp-0:1.5.3-2.fc37.src
python2.7-0:2.7.18-22.fc37.src
python3.6-0:3.6.15-9.fc37.src
python3.7-0:3.7.13-2.fc37.src

--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-23 Thread Jerry James
On Thu, Jun 23, 2022 at 6:52 AM Miro Hrončok  wrote:
> Not quite the right incantation, because it leaves out anything that does not
> BuildRequire explicitly the string openssl1.1-devel but rather some of its
> virtual provides. Here you go:
>
> $ repoquery -q --repo=rawhide{,-source} --whatrequires openssl1.1-devel | 
> grep src$
[snip]
> bigloo-0:4.4c-4.4.fc37.src

I was surprised to see this one on the list.  (I maintain this
package.)  The spec file includes:

BuildRequires:  pkgconfig(openssl)

and:

$ dnf --repo=rawhide repoquery --requires bigloo-libs
[snip]
libssl.so.3()(64bit)
libssl.so.3(OPENSSL_3.0.0)(64bit)

The package really is built with openssl 3. Also:

$ dnf --repo=rawhide repoquery --provides openssl1.1-devel
openssl1.1-devel = 1:1.1.1o-1.fc37
openssl1.1-devel(x86-32) = 1:1.1.1o-1.fc37
openssl1.1-devel(x86-64) = 1:1.1.1o-1.fc37
pkgconfig(libcrypto) = 1.1.1o
pkgconfig(libssl) = 1.1.1o
pkgconfig(openssl) = 1.1.1o

Both openssl devel packages provide the pkgconfig names, but with
different values, so this repoquery invocation shows too much.
-- 
Jerry James
http://www.jamezone.org/
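
The three query results in this part of the thread (literal name match, match on any provide of `openssl1.1-devel`, and the `comm -23` difference against `openssl-devel` posted in reply) can be reproduced with a small model of capability matching. This is an added Python example, not code from the thread or from dnf; the `openssl1.1-devel` provides are copied from the output above, while the `openssl-devel` versions, the `python2.7` requirement line, the `legacy-app` package, and the simplified numeric version comparison are assumptions.

```python
import re

# (capability, version) pairs. The openssl1.1-devel rows come from the
# `repoquery --provides` output in the thread; the openssl-devel versions
# are constructed for this example.
PROVIDES = {
    "openssl1.1-devel": [
        ("openssl1.1-devel", "1:1.1.1o-1.fc37"),
        ("pkgconfig(libcrypto)", "1.1.1o"),
        ("pkgconfig(libssl)", "1.1.1o"),
        ("pkgconfig(openssl)", "1.1.1o"),
    ],
    "openssl-devel": [
        ("openssl-devel", "3.0.0"),
        ("pkgconfig(libcrypto)", "3.0.0"),
        ("pkgconfig(libssl)", "3.0.0"),
        ("pkgconfig(openssl)", "3.0.0"),
    ],
}

# BuildRequires per source package as (capability, operator, version).
BUILD_REQUIRES = {
    "python2.7": [("openssl1.1-devel", None, None)],    # constructed: names the package
    "bigloo": [("pkgconfig(openssl)", None, None)],      # from the thread: unversioned
    "legacy-app": [("pkgconfig(openssl)", "<", "3")],    # hypothetical: versioned
}


def numeric(version):
    """Simplified comparison key (digits only); this is not rpm's version compare."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def satisfies(provide, requirement):
    """True if one provided capability satisfies one BuildRequires entry."""
    p_name, p_version = provide
    r_name, operator, r_version = requirement
    if p_name != r_name:
        return False
    if operator is None:              # unversioned: any provider will do
        return True
    have, want = numeric(p_version), numeric(r_version)
    return {"<": have < want, ">=": have >= want}[operator]


def whatrequires(package, resolve_provides=True):
    """Sources whose BuildRequires are met by `package`.

    resolve_provides=False matches only the package's own name (the first,
    shorter list in the thread); True also matches its virtual provides.
    """
    provides = PROVIDES[package]
    if not resolve_provides:
        provides = [p for p in provides if p[0] == package]
    return {
        source
        for source, requirements in BUILD_REQUIRES.items()
        if any(satisfies(p, r) for p in provides for r in requirements)
    }


def only_openssl11():
    """Set difference equivalent to the `comm -23` pipeline in the reply."""
    return whatrequires("openssl1.1-devel") - whatrequires("openssl-devel")


if __name__ == "__main__":
    print("literal name:", sorted(whatrequires("openssl1.1-devel", False)))
    print("any provide: ", sorted(whatrequires("openssl1.1-devel")))
    print("difference:  ", sorted(only_openssl11()))
```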


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-23 Thread Miro Hrončok

On 23. 06. 22 11:43, Richard W.M. Jones wrote:
> I think this is the correct incantation ...
>
> # dnf repoquery --disablerepo=\* --enablerepo=rawhide-source --arch=src
> --whatrequires openssl1.1-devel
> Last metadata expiration check: 0:01:31 ago on Thu 23 Jun 2022 10:37:46 BST.
> botan2-0:2.19.1-2.fc37.src
> chatty-0:0.6.3-1.fc37.src
> erlang-0:24.3.4.1-1.fc37.src
> pypy-0:7.3.9-1.fc37.src
> pypy3.7-0:7.3.9-1.3.7.fc37.src
> pypy3.8-0:7.3.9-1.3.8.fc37.src
> python-uamqp-0:1.5.3-2.fc37.src
> python2.7-0:2.7.18-22.fc37.src
> python3.6-0:3.6.15-9.fc37.src
> python3.7-0:3.7.13-2.fc37.src

Not quite the right incantation, because it leaves out anything that does not
BuildRequire explicitly the string openssl1.1-devel but rather some of its
virtual provides. Here you go:

$ repoquery -q --repo=rawhide{,-source} --whatrequires openssl1.1-devel | grep src$
GoldenCheetah-1:3.6-0.16.20220520gita5d6468.fc37.src
R-websocket-0:1.4.0-5.fc36.src
argyllcms-0:2.3.0-2.fc36.src
axel-0:2.17.11-2.fc37.src
bigloo-0:4.4c-4.4.fc37.src
blender-1:3.2.0-3.fc37.src
boinc-client-0:7.18.1-3.fc37.src
botan2-0:2.19.1-2.fc37.src
cairo-dock-plug-ins-0:3.4.1-41.20210730gitf24f769.fc37.3.src
casync-0:2-17.gitb3337dd.fc36.src
chatty-0:0.6.3-1.fc37.src
cpprest-0:2.10.18-5.fc36.src
cryfs-0:0.11.2-3.fc37.src
ddnet-0:15.9.1-1.fc37.src
dmg2img-0:1.6.7-14.20170502.git.f16f247.fc36.src
efitools-0:1.9.2-7.fc36.src
eiskaltdcpp-0:2.4.2-6.fc37.src
erlang-0:24.3.4.1-1.fc37.src
fragments-0:1.5-4.fc36.src
freerdp-2:2.7.0-1.fc37.src
fuse-encfs-0:1.9.5-13.fc37.src
gnupg-pkcs11-scd-0:0.10.0-1.fc37.src
grpc-0:1.46.3-7.fc37.src
guacamole-server-0:1.4.0-3.fc37.src
hexchat-0:2.16.0-5.fc37.src
jimtcl-0:0.81-3.fc36.src
kcov-0:39-3.fc36.src
kde-runtime-0:17.08.3-24.fc36.src
kf5-kitinerary-0:22.04.1-2.fc37.src
lgogdownloader-0:3.8-4.fc37.src
libdigidocpp-0:3.14.7-1.fc36.src
libfido2-0:1.11.0-1.fc37.src
liboauth2-0:1.4.4-1.fc36.src
libpreludedb-0:5.2.0-9.fc37.src
libquentier-0:0.5.0-11.fc36.src
librepo-0:1.14.3-2.fc37.src
librhsm-0:0.0.3-7.fc36.src
libshout-0:2.4.3-6.fc36.src
libvncserver-0:0.9.13-12.fc36.src
libzypp-0:17.25.6-5.fc36.src
megatools-0:1.11.0-6.fc37.src
mtxclient-0:0.7.0-2.fc37.src
mumble-0:1.3.4-8.fc36.src
newsboat-0:2.27-2.fc37.src
nheko-0:0.9.3-2.fc37.src
normaliz-0:3.9.3-1.fc37.src
openarc-0:1.0.0-0.13.Beta3.fc37.src
openfortivpn-0:1.17.0-4.fc36.src
opensips-0:3.2.6-2.fc37.src
osslsigncode-0:2.3-2.fc37.src
p11-remote-0:0.3-13.fc36.src
perl-Crypt-OpenSSL-EC-0:1.32-9.fc37.src
perl-Crypt-SSLeay-0:0.72-36.fc37.src
pl-0:8.4.3-1.fc37.src
psi-plus-1:1.5.1625-1.fc37.src
pypy-0:7.3.9-1.fc37.src
pypy3.7-0:7.3.9-1.3.7.fc37.src
pypy3.8-0:7.3.9-1.3.8.fc37.src
python-uamqp-0:1.5.3-2.fc37.src
python2.7-0:2.7.18-22.fc37.src
python3.6-0:3.6.15-9.fc37.src
python3.7-0:3.7.13-2.fc37.src
qca-0:2.3.4-2.fc36.src
qca-qt4-0:2.2.1-18.fc37.src
qdigidoc-0:4.2.9-2.fc36.src
qt5-qtlocation-0:5.15.4-1.fc37.src
qt6-qtpositioning-0:6.3.0-2.fc37.src
quentier-0:0.5.0-6.fc35.src
radare2-0:5.6.8-1.fc37.src
retroarch-0:1.10.3-1.fc37.src
rizin-0:0.3.4-1.fc36.1.src
rstudio-0:2022.02.3+492-1.fc37.src
rust-0:1.61.0-2.fc37.src
rust-openssl-sys-0:0.9.72-2.fc36.src
rust-zincati-0:0.0.24-4.fc37.src
s3fs-fuse-0:1.91-1.fc37.src
sagemath-0:9.6-1.fc37.src
scribus-0:1.5.8-3.fc37.src
seadrive-daemon-0:2.0.16-4.fc37.src
seadrive-gui-0:2.0.16-2.fc36.src
seafile-0:8.0.6-2.fc37.src
seafile-client-0:8.0.6-1.fc37.src
shairport-sync-0:3.3.9-2.fc36.src
sipp-0:3.6.0-9.fc36.src
sleef-0:3.5.1-16.fc36.src
sqlcipher-0:4.4.3-4.fc36.src
srain-0:1.4.0-2.fc37.src
the_foundation-0:1.4.0-1.fc37.src
tpm2-tools-0:5.2-2.fc36.src
webextension-token-signing-0:1.1.5-1.fc36.src
websocketpp-0:0.8.2-7.fc36.src
wimlib-0:1.13.5-1.fc36.src
xmlrpc-c-0:1.51.0-14.fc36.src
xmlsec1-0:1.2.34-1.fc37.src
xorg-x11-server-Xwayland-0:22.1.2-1.fc37.src
xrdp-1:0.9.19-1.fc37.src
zchunk-0:1.2.2-1.fc37.src


--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-23 Thread Richard W.M. Jones
On Thu, Jun 23, 2022 at 08:17:10AM +0100, Daniel P. Berrangé wrote:
> Is removing the -devel package the right approach ?  It will
> certainly stop new packages using it, but when we come to do the
> next mass rebuild, it will break any existing usage too. What
> existing packages in the distro still use it, and are we willing
> to have those packages be dropped after the inevitable FTBFS due
> to missing -devel packages ?

I think this is the correct incantation ...

# dnf repoquery --disablerepo=\* --enablerepo=rawhide-source --arch=src --whatrequires openssl1.1-devel
Last metadata expiration check: 0:01:31 ago on Thu 23 Jun 2022 10:37:46 BST.
botan2-0:2.19.1-2.fc37.src
chatty-0:0.6.3-1.fc37.src
erlang-0:24.3.4.1-1.fc37.src
pypy-0:7.3.9-1.fc37.src
pypy3.7-0:7.3.9-1.3.7.fc37.src
pypy3.8-0:7.3.9-1.3.8.fc37.src
python-uamqp-0:1.5.3-2.fc37.src
python2.7-0:2.7.18-22.fc37.src
python3.6-0:3.6.15-9.fc37.src
python3.7-0:3.7.13-2.fc37.src

As mentioned elsewhere in the thread a few important packages still
depend on Python 2:

# dnf repoquery --disablerepo=\* --enablerepo=rawhide-source --arch=src --whatrequires python2-devel
Last metadata expiration check: 0:04:36 ago on Thu 23 Jun 2022 10:37:46 BST.
NFStest-0:2.1.5-13.fc36.src
email2trac-0:2.12.2-9.fc36.src
gimp-2:2.10.30-1.fc37.2.src
gimp-layer-via-copy-cut-0:1.6-21.fc36.src
gimp-resynthesizer-0:2.0.3-8.20190428gitadfa25a.fc36.src
kdissert-0:1.0.7-34.fc36.src
mozjs68-0:68.12.0-5.fc37.src    # spidermonkey, used by firefox
pygtk2-0:2.24.0-36.fc36.src
thunderbird-0:91.10.0-1.fc37.src

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
nbdkit - Flexible, fast NBD server with plugins
https://gitlab.com/nbdkit/nbdkit


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-23 Thread Daniel P . Berrangé
On Thu, Jun 23, 2022 at 12:35:28AM +0530, Vipul Siddharth wrote:
> https://fedoraproject.org/wiki/Changes/DeprecateOpensslCompat
> 
> This document represents a proposed Change. As part of the Changes
> process, proposals are publicly announced in order to receive
> community feedback. This proposal will only be implemented if approved
> by the Fedora Engineering Steering Committee.
> 
> == Summary ==
> We are going to deprecate openssl1.1 package, stop shipping the
> corresponding devel package, and stop respecting crypto policies in
> openssl1.1 package itself.

Not respecting crypto policies is needlessly introducing a
significant regression. Deprecating something does not usually
mean intentionally hobbling its features. I would expect functionality
of openssl1.1 that exists today to remain unchanged, until such time
as it can be removed from the distro entirely.

IOW, by all means we should stop introducing new packages using it,
but if something is already using it, we shouldn't change its
behaviour.

Is removing the -devel package the right approach ?  It will
certainly stop new packages using it, but when we come to do the
next mass rebuild, it will break any existing usage too. What
existing packages in the distro still use it, and are we willing
to have those packages be dropped after the inevitable FTBFS due
to missing -devel packages ?

> == Owner ==
> * Name: [[User:DmitryBelyavskiy| Dmitry Belyavskiy]]
> * Email: dbely...@redhat.com
> 
> == Detailed Description ==
> In Fedora 36 we switched to OpenSSL 3.0 branch. This is a brand new
> version with new architecture. We left the openssl1.1 package for the
> applications that were unable to switch to the new API/architecture,
> 3rd-party applications, etc. As openssl 1.1 has a predictable EOL, we
> want to ensure that no new products relying on it will appear in
> Fedora.
> 
> == Benefit to Fedora ==
> This proposal ensures than no new packages in Fedora will rely on the
> deprecated OpenSSL version that will cause an overall increase of
> security/stability, and will reduce the amount of old packages relying
> on OpenSSL 1.1 series.
> 
> It will also reduce the maintenance burden for the OpenSSL
> maintainers, especially when new CVEs are published.
> 
> == Scope ==
> * Proposal owners:
> ** Remove devel package
> ** eliminate crypto policy support from the main package
> ** provide assistance in migration to other developers
> 
> * Other developers:
> ** Patch their packages to work with OpenSSL 3.0
> ** Fedora/RHEL distributions provide some syntax sugar related to
> https://fedoraproject.org/wiki/Packaging:CryptoPolicies. For the
> packages still relying to openssl1.1 the syntax provided by crypto
> policies will no longer be supported. The changes implemented
> according to https://fedoraproject.org/wiki/Packaging:CryptoPolicies
> (e.g. using "PROFILE=SYSTEM" as default TLS ciphersuites
> configuration) should be removed.


With regards,
Daniel
-- 
|: https://berrange.com  -o-https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o-https://fstop138.berrange.com :|
|: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-22 Thread Miro Hrončok

On 22. 06. 22 21:05, Vipul Siddharth wrote:
> We are going to deprecate openssl1.1 package, stop shipping the
> corresponding devel package, and stop respecting crypto policies in
> openssl1.1 package itself.

+1 to deprecating it

-1 to stop shipping the devel package, this would mean we cannot build at least:

- Python 2.7
  despite our long term efforts, many things still need that, e.g. gimp,
  firefox (some builds do, then some don't), thunderbird etc., see
  https://fedora.portingdb.xyz/


Or Python 3.6 (shipped for developers targeting RHEL 7/8).

As long as OpenSSL 1.1 gets security fixes in RHEL 8, could we please leave the 
devel package?



--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-22 Thread Rob Crittenden
Kevin P. Fleming wrote:
> On 6/22/22 15:05, Vipul Siddharth wrote:
>> == Benefit to Fedora ==
>> This proposal ensures than no new packages in Fedora will rely on the
>> deprecated OpenSSL version that will cause an overall increase of
>> security/stability, and will reduce the amount of old packages relying
>> on OpenSSL 1.1 series.
>>
> This sentence is too long, and as a result I don't think readers will
> understand it the way it was intended. I suggest simplifying to:
> 
> ---
> 
> This proposal ensures that no new packages in Fedora will rely on the
> deprecated OpenSSL version.  That  change will cause an overall increase
> in security/stability, and will reduce the amount of old packages
> relying on OpenSSL 1.1 series.
> 
> ---
> 
> In addition to the wording changes, do you mean 'package-versions' here
> where you say 'packages'? Is a new version of OpenSSH, for example,
> considered a 'new package' for the purposes of this proposal?

As I read this the plan is to drop the devel package from the shipping
repos but it is still available in the buildroot.

But then there is this:

== Dependencies ==
No packages should depend on openssl1.1-devel packages that is eliminated.

But if the devel package is eliminated then doesn't this mean completely
dropping OpenSSL 1.x?

I assume it's a nuanced thing. Can you clarify this?

What about a plan to drop OpenSSL 1.x support entirely? Should that be
included in this or is it out-of-scope? Maybe a look-ahead (e.g. "in the
F38-39 series we'll look to kill it entirely.")

What does this mean for reproducible builds if the devel package is not
shipped?

rob


Re: F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-22 Thread Kevin P. Fleming

On 6/22/22 15:05, Vipul Siddharth wrote:
> == Benefit to Fedora ==
> This proposal ensures than no new packages in Fedora will rely on the
> deprecated OpenSSL version that will cause an overall increase of
> security/stability, and will reduce the amount of old packages relying
> on OpenSSL 1.1 series.

This sentence is too long, and as a result I don't think readers will
understand it the way it was intended. I suggest simplifying to:

---

This proposal ensures that no new packages in Fedora will rely on the
deprecated OpenSSL version. That change will cause an overall increase
in security/stability, and will reduce the amount of old packages
relying on OpenSSL 1.1 series.


---

In addition to the wording changes, do you mean 'package-versions' here 
where you say 'packages'? Is a new version of OpenSSH, for example, 
considered a 'new package' for the purposes of this proposal?


--
Kevin P. Fleming
He/Him/His
Principal Program Manager, RHEL
Red Hat US/Eastern Time Zone


F37 proposal: Deprecate openssl1.1 package (System-Wide Change)

2022-06-22 Thread Vipul Siddharth
https://fedoraproject.org/wiki/Changes/DeprecateOpensslCompat

This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.

== Summary ==
We are going to deprecate openssl1.1 package, stop shipping the
corresponding devel package, and stop respecting crypto policies in
openssl1.1 package itself.

== Owner ==
* Name: [[User:DmitryBelyavskiy| Dmitry Belyavskiy]]
* Email: dbely...@redhat.com

== Detailed Description ==
In Fedora 36 we switched to OpenSSL 3.0 branch. This is a brand new
version with new architecture. We left the openssl1.1 package for the
applications that were unable to switch to the new API/architecture,
3rd-party applications, etc. As openssl 1.1 has a predictable EOL, we
want to ensure that no new products relying on it will appear in
Fedora.

== Benefit to Fedora ==
This proposal ensures than no new packages in Fedora will rely on the
deprecated OpenSSL version that will cause an overall increase of
security/stability, and will reduce the amount of old packages relying
on OpenSSL 1.1 series.

It will also reduce the maintenance burden for the OpenSSL
maintainers, especially when new CVEs are published.

== Scope ==
* Proposal owners:
** Remove devel package
** eliminate crypto policy support from the main package
** provide assistance in migration to other developers

* Other developers:
** Patch their packages to work with OpenSSL 3.0
** Fedora/RHEL distributions provide some syntax sugar related to
https://fedoraproject.org/wiki/Packaging:CryptoPolicies. For the
packages still relying to openssl1.1 the syntax provided by crypto
policies will no longer be supported. The changes implemented
according to https://fedoraproject.org/wiki/Packaging:CryptoPolicies
(e.g. using "PROFILE=SYSTEM" as default TLS ciphersuites
configuration) should be removed.

* Release engineering: This feature doesn't require coordination with
release engineering.
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)

== Upgrade/compatibility impact ==
As Crypto Policy support is removed from openssl1.1, applications will
need to adjust the configuration files if they contain the line
"PROFILE=SYSTEM" according to
https://fedoraproject.org/wiki/Packaging:CryptoPolicies

== How To Test ==
Regular application tests should catch the regressions caught by these changes.

== Dependencies ==
No packages should depend on openssl1.1-devel packages that is eliminated.


== Contingency Plan ==
Revert the shipped configuration
Contingency deadline: TBD

== Documentation ==
TBW

== Release Notes ==
TBW

-- 
Vipul Siddharth
He/His/Him
FPgM team member
___
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

