F40 Change Proposal: Removing OpenSSL 1.1 package (System-Wide)

Removing OpenSSL 1.1 package

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

We are going to remove the openssl1.1 package from Fedora 40.

Owner

Detailed Description

In Fedora 36 we switched to the OpenSSL 3.0 branch. This is a brand new version with a new architecture. We left the openssl1.1 package for the applications that were unable to switch to the new API/architecture, 3rd-party applications, etc. The package was marked as deprecated in F37.

OpenSSL 1.1.1 reached EOL in September 2023. We want to remove it from Fedora.

Feedback

Benefit to Fedora

This proposal ensures that no new packages in Fedora will use the deprecated OpenSSL version, which will improve overall security and stability.

It will also reduce the maintenance burden for the OpenSSL maintainers, especially when new CVEs are published.

Scope

  • Proposal owners: provide assistance in migration to other developers.

  • Other developers: Patch their packages to work with OpenSSL 3.0.

  • Release engineering: This feature doesn’t require coordination with release engineering.

  • Policies and guidelines: N/A (not needed for this Change)

  • Trademark approval: N/A (not needed for this Change)

  • Alignment with Community Initiatives:

Upgrade/compatibility impact

3rd-party packages depending on OpenSSL 1.1.1 should be replaced with new versions that use OpenSSL 3.0 or later.

How To Test

OpenSSL 1.1 should not be available to install from the Fedora repositories. No packages should depend on OpenSSL 1.1.1.
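An added check script that implements the two test criteria above; it is example code written for this page, not part of the Change proposal or of Fedora tooling. It assumes the openssl1.1 package names and the libssl.so.1.1 / libcrypto.so.1.1 sonames used by the Fedora build of OpenSSL 1.1, and the sample requirement lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the Change proposal: the check "How To Test"
# describes, i.e. nothing in Fedora should still pull in the openssl1.1
# package or the OpenSSL 1.1 sonames (libssl.so.1.1 / libcrypto.so.1.1).
set -eu

# Read "package<TAB>requirement" lines on stdin and print, once each, the
# packages whose requirement names the openssl1.1 package family (openssl1.1,
# openssl1.1-libs, openssl1.1-devel, with or without an "(x86-64)" suffix) or
# the 1.1 sonames of libssl/libcrypto (with or without "()(64bit)").
# OpenSSL 3 sonames such as libssl.so.3()(64bit) and the plain openssl
# package do not match. Live input for an installed system:
#   rpm -qa --qf '[%{NAME}\t%{REQUIRENAME}\n]' | find_openssl11_users
find_openssl11_users() {
    awk -F '\t' '$2 ~ /^(openssl1\.1(-[a-z]+)?([(]|$)|lib(ssl|crypto)\.so\.1\.1([(]|$))/ { print $1 }' \
        | sort -u
}

# Constructed sample in that format: the three source packages the proposal
# lists (their requirement lines are made up for this example) plus two
# controls that are already on OpenSSL 3 and must not be reported.
sample_input() {
    printf '%s\t%s\n' \
        python3.6 'libssl.so.1.1()(64bit)' \
        python3.6 'libcrypto.so.1.1()(64bit)' \
        opensmtpd 'openssl1.1-libs(x86-64)' \
        gloo      'libssl.so.1.1' \
        curl      'libssl.so.3()(64bit)' \
        openssl   'openssl-libs(x86-64)'
}

# Repository-wide version of the same check against the enabled repos
# (needs dnf, so it is not exercised on the sample). Returns 1 if openssl1.1
# is still installable or any package in the repos still requires it.
repo_check() {
    status=0
    if [ -n "$(dnf -q repoquery openssl1.1 openssl1.1-libs openssl1.1-devel 2>/dev/null)" ]; then
        echo "FAIL: openssl1.1 is still installable"; status=1
    fi
    for cap in 'libssl.so.1.1()(64bit)' 'libcrypto.so.1.1()(64bit)' openssl1.1-libs; do
        users=$(dnf -q repoquery --whatrequires "$cap" 2>/dev/null || true)
        if [ -n "$users" ]; then
            echo "FAIL: still requiring $cap:"; echo "$users"; status=1
        fi
    done
    return "$status"
}

# Demo on the sample:   sample_input | find_openssl11_users
# On a Fedora host:     repo_check
```

On the constructed sample the filter reports gloo, opensmtpd and python3.6 and stays silent for the OpenSSL 3 controls.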

User Experience

Shouldn’t be affected.

Dependencies

We have found at least the following packages depending on OpenSSL 1.1:

  • gloo-0.5.0^git20230824.01a0c81-6.fc40.src.rpm
  • opensmtpd-6.8.0p2-12.fc39.src.rpm
  • python3.6-3.6.15-20.fc39.src.rpm

Contingency Plan

None.

  • Contingency mechanism: (What to do? Who will do it?) Package owners should update their packages to remove the dependency
  • Contingency deadline: beta freeze
  • Blocks release? Yes

Documentation

Should be mentioned in Release Notes.

Release Notes

The openssl1.1 package is removed and should not be used by any package.

I don’t think the contingency plan is sustainable.


Nevertheless, are you able to help us port Python 3.6 to OpenSSL 3.0? We already have a patch in Python 2.7, so it should be doable. Unlike OpenSSL maintainers, we want to provide Python 3.6 to engineers targeting RHEL 8 but using Fedora as their workstations and/or CI. Dropping Python 3.6 before RHEL 8 EOL would be unfortunate.


This change proposal has now been submitted to FESCo with ticket #3101 for voting.

To find out more, please visit our Changes Policy documentation.

The person who ported Python to openssl 3 is not active any more. If there are no more openssl experts willing to help port python3.6, the options I see are:

  • python3.6 will be removed.
  • python3.6 will be built without _ssl, _hashlib, ssl (and maybe others). This means that e.g. pip won’t be able to directly install additional packages over HTTPS.

No one can force you to keep maintaining openssl 1.1. But to have a correct change proposal, consider

  • Either:
    • Including the effect (one of the above) in “User Experience”.
    • In Scope, removing or adjusting the line “Proposal owners: provide assistance in migration to other developers.”
  • Or if helping to port python3.6 is still an option:
    • Including the worst-case effect (one of the above) as the “contingency mechanism”