F40 Change Proposal: Removing OpenSSL 1.1 package (System-Wide)

Wiki Link: https://fedoraproject.org/wiki/Changes/RemoveOpensslCompat

Discussion.fpo Link:
https://discussion.fedoraproject.org/t/f40-change-proposal-removing-openssl-1-1-package-system-wide/92899

== Summary ==
We are going to remove the openssl1.1 package from Fedora 40.

== Owner ==
* Name: [[User:DmitryBelyavskiy| Dmitry Belyavskiy]]
* Email: dbelyavs@redhat.com


== Detailed Description ==
In Fedora 36 we switched to OpenSSL 3.0 branch. This is a brand new
version with new architecture. We left the openssl1.1 package for the
applications that were unable to switch to the new API/architecture,
3rd-party applications, etc. The package was marked as deprecated in
F37.

OpenSSL 1.1.1 has reached EOL in September 2023. We want to remove it
from Fedora.

== Feedback ==


== Benefit to Fedora ==
This proposal ensures than no new packages in Fedora will use the
deprecated OpenSSL version that will cause an overall increase of
security/stability.

It will also reduce the maintenance burden for the OpenSSL
maintainers, especially when new CVEs are published.

== Scope ==
* Proposal owners: provide assistance in migration to other developers.

* Other developers: Patch their packages to work with OpenSSL 3.0.

* Release engineering: This feature doesn't require coordination with
release engineering.

* Policies and guidelines: N/A (not needed for this Change) <!--
REQUIRED FOR SYSTEM WIDE CHANGES -->

* Trademark approval: N/A (not needed for this Change)

* Alignment with Community Initiatives:

== Upgrade/compatibility impact ==
3rd-party packages depending on OpenSSL 1.1.1 should be replaced with
new versions using new OpenSSL 3.0+.

== How To Test ==
OpenSSL 1.1 should not be available to install from Fedora repository.
No packages should depend on OpenSSL 1.1.1.

== User Experience ==
Shouldn't be affected.

== Dependencies ==
We have found at least the following packages depending on OpenSSL 1.1:
* gloo-0.5.0^git20230824.01a0c81-6.fc40.src.rpm
* opensmtpd-6.8.0p2-12.fc39.src.rpm
* python3.6-3.6.15-20.fc39.src.rpm

== Contingency Plan ==
None.

* Contingency mechanism: (What to do? Who will do it?) Package owners
should update their packages to remove the dependency
* Contingency deadline: beta freeze
* Blocks release? Yes

== Documentation ==
Should be mentioned in Release Notes.

== Release Notes ==

openssl1.1 package is removed and should not be used by any packages.


--
Aoife Moloney

Product Owner

Community Platform Engineering Team

Red Hat EMEA

Communications House

Cork Road

Waterford
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue