#3375 Change: Disabling Support of building OpenSSL engines
Closed: Rejected 23 days ago by decathorpe. Opened 2 months ago by amoloney.

We disable support of building engines in OpenSSL and remove the deprecated openssl-devel-engine subpackage.

Owners, do not implement this work until the FESCo vote has explicitly ended.
The Fedora Program Manager will create a tracking bug in Bugzilla for this Change, which is your indication to proceed. See the FESCo ticket policy and the Changes policy for more information.

REMINDER: This ticket is for FESCo members to vote on the proposal. Further discussion should happen in the Discourse discussion linked above. Additional discussion may happen on the Fedora Devel mailing list.


-1

I don't think breaking builds of affected packages is acceptable. It makes it impossible to ship updates for packages that are still available and installable from Fedora repos - including blocking any critical security or bug fixes.

This change is about accelerating the planned removal of engine support in openssl-4 and doing it in downstream already in the openssl-3.x branch. The number of packages that still use engine support is quite long, so this would be quite painful and would create additional pressure on maintainers, who'd need to adjust to the missing engine support in their projects. The stated benefit is "reduced maintenance burden". The burden for openssl maintainers would possibly be reduced a bit, but it'd increase quite a lot for other maintainers. The overall balance seems quite negative.

I don't think it makes sense for Fedora to act as a testing ground for the (not-yet-certain) removal of the code in upstream. Things like this are better done in a Copr.

-1

I agree with @decathorpe and @zbyszek on this, so...

-1

This will be discussed during the FESCo meeting today at 17:00 UTC in https://matrix.to/#/#meeting:fedoraproject.org.

Metadata Update from @zbyszek:
- Issue tagged with: meeting

a month ago

-1

For the sake of helping the security engineering team plan for the future, I'd like to propose formally that we won't accept a removal of OpenSSL Engines ahead of at least a Beta (or equivalent prerelease) of OpenSSL 4.0 where upstream has made the same removal.

We should absolutely encourage packagers to remove the dependency in their code, but forcing it earlier than upstream is both impractical and actively harmful to our user-base.

OK, I see that there are pretty good reasons not to remove engine support now.

Hmm, it seems I forgot to actually add this to the meeting agenda. We should handle this next week.

This will be discussed during today's meeting (17:00 UTC in #meeting:fedoraproject.org).

This was discussed during today's meeting:

  • AGREED: FESCo rejects this Change Proposal, and requests that OpenSSL Engine functionality is not dropped earlier than the OpenSSL (pre-)release where this functionality is dropped upstream. (+8, 0, -0) (@decathorpe:fedora.im, 18:09:13)

Announced in meeting minutes:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/E3RKVL5T6GEDX7NIMKIPCCC76AHRXKIY/

Metadata Update from @decathorpe:
- Issue untagged with: meeting
- Issue close_status updated to: Rejected
- Issue status updated to: Closed (was: Open)

23 days ago
