Re: Fedora 33 System-Wide Change proposal: OpenSSL 3.0

2020-04-08 Thread Tomas Mraz
On Wed, 2020-04-08 at 10:38 +0200, Miro Hrončok wrote:
> On 07. 04. 20 23:31, Ben Cotton wrote:
> > * Proposal owners: Provide a compat-openssl11 package, identify
> > dependent packages, provide the rebased openssl package, work with
> > dependent package owners on rebuilds.
> 
> Thanks for doing this.
> 
> Will compat-openssl11-devel be provided? For how long do you intend to
> support it?

I originally thought that we might be able to do without the -devel
subpackage as there are the usual problems with it - such as it
conflicting with the primary openssl-devel package and also the potential
for instability in applications that have loaded both old and new
OpenSSL into a single process.

> E.g. I don't see Python 2 ever supporting openssl 3, that's why I'm
> asking.

The question is what does this really mean - in theory at least the API
should be fully backwards compatible so what builds against openssl
1.1.1 should build against openssl 3. Of course testcases that expect
bug-for-bug compatibility might not work as expected.

But yeah I am not against providing compat-openssl11-devel for a few
releases at least. And I can orphan the package later if someone else
wants to maintain it further then.

> (Replied this sooner, but accidentally to devel-announce.)
> 
> -- 
> Miro Hrončok
> --
> Phone: +420777974800
> IRC: mhroncok
> ___
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: 
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
-- 
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
  Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]
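
The instability concern above (old and new OpenSSL loaded into a single process) can be checked on a running Linux system. This is an added example, not part of the original message: it parses `/proc/<pid>/maps` text and reports processes that map libcrypto or libssl in more than one version. The function names are hypothetical and the sample maps lines are constructed.

```python
import os
import re
from collections import defaultdict

# Matches the mapped path of an OpenSSL shared object at the end of a maps
# line, e.g. ".../libcrypto.so.1.1.1g" -> ("libcrypto", "1.1.1g").
_LIB_RE = re.compile(
    r"/(libcrypto|libssl)\.so\.([0-9][0-9A-Za-z.]*)(?: \(deleted\))?$")

# Constructed sample: one process mapping two libcrypto versions.
SAMPLE_MAPS = """\
7f1c2a000000-7f1c2a2d0000 r-xp 00000000 fd:00 1311 /usr/lib64/libcrypto.so.1.1.1g
7f1c2b000000-7f1c2b400000 r-xp 00000000 fd:00 1422 /usr/lib64/libcrypto.so.3.0.0
7f1c2c000000-7f1c2c090000 r-xp 00000000 fd:00 1423 /usr/lib64/libssl.so.3.0.0
7f1c2d000000-7f1c2d1c0000 r-xp 00000000 fd:00 1200 /usr/lib64/libc.so.6
"""

def openssl_versions(maps_text):
    """Return {library name: set of file versions} found in one maps file."""
    found = defaultdict(set)
    for line in maps_text.splitlines():
        m = _LIB_RE.search(line.strip())
        if m:
            found[m.group(1)].add(m.group(2))
    return dict(found)

def mixed_openssl(maps_text):
    """Return only the libraries that are mapped in more than one version."""
    return {lib: sorted(vers)
            for lib, vers in openssl_versions(maps_text).items()
            if len(vers) > 1}

def scan_proc(proc_root="/proc"):
    """Check every readable process; return {pid: mixed libraries}."""
    report = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, pid, "maps")) as fh:
                mixed = mixed_openssl(fh.read())
        except OSError:  # process exited, or we lack permission to read it
            continue
        if mixed:
            report[int(pid)] = mixed
    return report

if __name__ == "__main__":
    print("sample:", mixed_openssl(SAMPLE_MAPS))
    for pid, mixed in sorted(scan_proc().items()):
        print(pid, mixed)
```

Run as root to cover processes owned by other users; unreadable processes are skipped.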



Re: Fedora 33 System-Wide Change proposal: OpenSSL 3.0

2020-04-08 Thread Neal Gompa
On Wed, Apr 8, 2020 at 8:14 AM Zbigniew Jędrzejewski-Szmek wrote:
>
> On Tue, Apr 07, 2020 at 05:31:39PM -0400, Ben Cotton wrote:
> > https://fedoraproject.org/wiki/Changes/OpenSSL3.0
>
> There was a plan to make the licensing more permissive in 3.0.
> Did this happen in the end?
>

OpenSSL is now under the Apache Software License version 2.0 with no exceptions.



--
真実はいつも一つ!/ Always, there's only one truth!


Re: Fedora 33 System-Wide Change proposal: OpenSSL 3.0

2020-04-08 Thread Zbigniew Jędrzejewski-Szmek
On Tue, Apr 07, 2020 at 05:31:39PM -0400, Ben Cotton wrote:
> https://fedoraproject.org/wiki/Changes/OpenSSL3.0

There was a plan to make the licensing more permissive in 3.0.
Did this happen in the end?

Zbyszek


Re: Fedora 33 System-Wide Change proposal: OpenSSL 3.0

2020-04-08 Thread Miro Hrončok

On 07. 04. 20 23:31, Ben Cotton wrote:
> * Proposal owners: Provide a compat-openssl11 package, identify
> dependent packages, provide the rebased openssl package, work with
> dependent package owners on rebuilds.


Thanks for doing this.

Will compat-openssl11-devel be provided? For how long do you intend to support it?

E.g. I don't see Python 2 ever supporting openssl 3, that's why I'm asking.

(Replied this sooner, but accidentally to devel-announce.)

--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok


Fedora 33 System-Wide Change proposal: OpenSSL 3.0

2020-04-07 Thread Ben Cotton
https://fedoraproject.org/wiki/Changes/OpenSSL3.0

== Summary ==
The OpenSSL package is rebased to version 3.0 and the dependent
packages are rebuilt.

== Owner ==
* Name: [[User:Tmraz| Tomáš Mráz]]
* Email: 

== Detailed Description ==

The OpenSSL 3.0 release is going to be a significantly new release
with a changed ABI, however with minimal API changes. That means most of
the dependent packages will need just a rebuild to work with the new
OpenSSL package. However (at least temporarily) a compat-openssl11
package will be provided alongside the base package so the operation of
Rawhide is not disrupted.

OpenSSL 3.0 is still in development now, but a first beta release
should be done in June. After that time the work on the rebase will
start and it should be possible to finish it still with a beta
release. Later releases up to the final one should not be disruptive
and they should not break API/ABI.

== Benefit to Fedora ==

This change introduces OpenSSL 3.0 with its significantly reworked
internals which allow for better replacement of the crypto
implementations via the
[https://www.openssl.org/docs/OpenSSL300Design.html Crypto Providers]
concept.

== Scope ==

* Proposal owners: Provide a compat-openssl11 package, identify
dependent packages, provide the rebased openssl package, work with
dependent package owners on rebuilds.

* Other developers: Dependent package owners rebuild their packages.
Most of the dependencies will not require code changes but for some
more fragile dependencies (mostly language bindings) there might be
changes needed especially in the test cases which depend on some
legacy behavior.

* Release engineering: [https://pagure.io/releng/issues #Releng issue
number] If compat package is provided a mass rebuild should not be
necessary.

* Policies and guidelines: No update of packaging guidelines or other
policies should be needed.

* Trademark approval: N/A (not needed for this Change)

== Upgrade/compatibility impact ==

If compat-openssl11 package is provided there should be no issues with upgrades.

== How To Test ==
If your application uses OpenSSL to communicate via TLS or perform
other tasks that use cryptographic algorithms from OpenSSL, please
test whether it continues to work properly. This should be covered by
the comprehensive upstream testsuite of OpenSSL. However many
dependent packages also provide good test coverage of OpenSSL
functionality.

== User Experience ==
There should be no impact on end-user experience.

== Dependencies ==
There are many packages which depend on libssl or libcrypto from
OpenSSL. Most of them should just work after rebuild with the new
openssl package. However it is also not critically needed to rebuild
everything at once if compat library compat-openssl11 package is
provided.

== Contingency Plan ==

If the openssl-3.0 is too unstable before the branching point of
Fedora 33 we will not update the package and delay the change to
Fedora 34.

If openssl is already updated but it is later found to be too
unstable, we can revert to the previous version; however, a rebuild of
all dependencies that were already rebuilt will be needed.

* Contingency mechanism: Revert package, rebuild updated dependencies.
* Contingency deadline: Before release
* Blocks release? No
* Blocks product? No

== Documentation ==

[https://www.openssl.org/docs/OpenSSL300Design.html OpenSSL 3.0
upstream design document]

[https://www.openssl.org/policies/releasestrat.html OpenSSL 3.0
release schedule]

== Release Notes ==

Fedora 33 comes with OpenSSL 3.0 as the primary OpenSSL package. It
brings support for Crypto Providers interface.


-- 
Ben Cotton
He / Him / His
Senior Program Manager, Fedora & CentOS Stream
Red Hat
TZ=America/Indiana/Indianapolis
___
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org

