We are going to remove the openssl11 package from Fedora 40.
Owners, do not implement this work until the FESCo vote has explicitly ended. The Fedora Program Manager will create a tracking bug in Bugzilla for this Change, which is your indication to proceed. See the FESCo ticket policy and the Changes policy for more information.
REMINDER: This ticket is for FESCo members to vote on the proposal. Further discussion should happen in the devel list thread linked above.
+1
Miro's concerns regarding what to do with Python 3.6 from four weeks ago have not been answered in the discussion thread. Not sure if that's still a concern, but I'd rather not have this approved without confirmation that this is OK from Python point of view.
-1 to prevent auto-approval.
Metadata Update from @ngompa: - Issue tagged with: meeting
There's also no real contingency plan. -1
The idea is that we don't want to continue supporting. So lack of contingency plan is intentional.
Miro's concerns regarding what to do with Python 3.6 from four weeks ago have not been answered in the discussion thread.
Yeah, that is a valid question and deserves a reply.
Back when we dropped support for OpenSSL 1.0, didn't we have a period where the library remained and the -devel subpackage was removed? Couldn't we do that again here?
That will not help us with Python 3.6 at all. We need to be able to rebuild it in case we have a CVE to fix. We maintain this package in RHEL 8 and we expect to land security fixes to Fedora as long as we do that there. The OpenSSL 1.1 package is maintained in RHEL 8 as well.
(Note that it is entirely possible to switch to OpenSSL 3, as it was already done with Python 2.7 which is much older than 3.6, we just need help doing it.)
Right, I was ignoring the Python 3.6 problem with that comment. I probably should have been more explicit about that. Treat that suggestion as assuming that Python 3.6 gets the OpenSSL 3 conversion.
We already have -devel package removed
The -devel package is still there in Rawhide, otherwise python3.6 would not build.
$ repoquery -q --repo=rawhide openssl1.1-devel openssl1.1-devel-1:1.1.1q-5.fc39.i686 openssl1.1-devel-1:1.1.1q-5.fc39.x86_64
There's a %bcond in the spec file for it and it's enabled.
This will be discussed today at 17:00 UTC in #fedora-meeting-2.
@dbelyavs We're still waiting for an answer about the plan for pytho3.6. Please reply.
This was discussed in today's meeting: We're waiting for a reply from the Change Owner about python3.6.
I believe @sgallagh already proposed a reasonable solution. Python 3.6 should start using OpenSSL 3.
It's a general idea. The question is who will do the work and what will happen if that work isn't done.
I can answer questions. I can't rewrite the code myself, sorry.
Can you at least provide code review?
I think yes
I opened https://bugzilla.redhat.com/show_bug.cgi?id=2254550
@dbelyavs @churchyard Has there been any movement on Python 3.6?
I'm going to put this on the agenda for tomorrow's meeting.
Has there been any movement on Python 3.6?
Apart from https://discussion.fedoraproject.org/t/f40-change-proposal-removing-openssl-1-1-package-system-wide/92899/4 no, it hasn't. The Python Main team is one person short now and others are still on vacation.
AGREED: The Change is approved, any package still depending on openssl-compat at Beta Freeze will be dropped from Fedora at that time. (+7, 0, -1) (sgallagh, 17:26:11)
Metadata Update from @sgallagh: - Issue untagged with: meeting - Issue close_status updated to: Accepted - Issue status updated to: Closed (was: Open)
I posted a port of the python2.7 patch to the 3.6 bz -- it builds, but still fails a few tests.
Hello, not sure where is best to report this but the mold linker package on fedora 40 still needs openssl 1.1 as such fails to run.
~ via C v14.0.1-gcc via v20.11.1 via v3.12.2 ❯ mold mold: error while loading shared libraries: libcrypto.so.1.1: cannot open shared object file: No such file or directory
@arlyon You should report that on bugzilla, but first please make sure you are really using Fedora's mold. Upstream dropped the openssl dependency entirely in 2.2.0 after switching to BLAKE3, and F40 has 2.30.0.
Thanks for the email. I. Can confirm I did in fact have two copies of = mold and assumed the one I was invoking was the packaged version. Thanks = for the quick reply!
On 18 Apr 2024, at 19:47, Josh Stone pagure@pagure.io wrote: =20 =20 jistone added a new comment to an issue you are following: @arlyon You should report that on bugzilla, but first please make sure = you are really using Fedora's mold. Upstream dropped the openssl = dependency entirely in 2.2.0 after switching to BLAKE3, and F40 has = 2.30.0. =20 To reply, visit the link below or just reply to this email https://pagure.io/fesco/issue/3101
@arlyon You should report that on bugzilla, but first please make sure = you are really using Fedora's mold. Upstream dropped the openssl = dependency entirely in 2.2.0 after switching to BLAKE3, and F40 has = 2.30.0.
Log in to comment on this ticket.