From Fedora Project Wiki
(Announcing the change proposal)
(Deferring to F35)
(7 intermediate revisions by 3 users not shown)
Line 5: Line 5:


== Owner ==
== Owner ==
* Name: [[User:Tmraz| Tomáš Mráz]]
* Name: [[User:saprasad| Sahana Prasad]]
* Email: <tmraz@redhat.com>
* Email: <sahana@redhat.com>
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address>
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address>
Line 12: Line 12:


== Current status ==
== Current status ==
[[Category:ChangeAnnounced]]
[[Category:ChangeAcceptedF35]]


<!-- Select proper category, default is Self Contained Change -->
<!-- Select proper category, default is Self Contained Change -->
[[Category:SystemWideChange]]
[[Category:SystemWideChange]]


* Targeted release: [[Releases/33 | Fedora 33]]  
* Targeted release: [[Releases/35 | Fedora 35]]  
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}  
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}  
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page  
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page  
Line 26: Line 26:
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development
-->
-->
* FESCo issue: <will be assigned by the Wrangler>
* FESCo issue: [https://pagure.io/fesco/issue/2373 #2373]
* Tracker bug: <will be assigned by the Wrangler>
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=1825937 #1825937]
* Release notes tracker: <will be assigned by the Wrangler>
* Release notes tracker: [https://pagure.io/fedora-docs/release-notes/issue/494 #494]


== Detailed Description ==
== Detailed Description ==
Line 46: Line 46:
* Other developers: Dependent package owners rebuild their packages. Most of the dependencies will not require code changes but for some more fragile dependencies (mostly language bindings) there might be changes needed especially in the test cases which depend on some legacy behavior.
* Other developers: Dependent package owners rebuild their packages. Most of the dependencies will not require code changes but for some more fragile dependencies (mostly language bindings) there might be changes needed especially in the test cases which depend on some legacy behavior.


* Release engineering: [https://pagure.io/releng/issues #Releng issue number] If compat package is provided a mass rebuild should not be necessary.
* Release engineering: [https://pagure.io/releng/issue/9390 Releng issue #9390] If compat package is provided a mass rebuild should not be necessary.
<!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)?  Is a mass rebuild required?  include a link to the releng issue.  
<!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)?  Is a mass rebuild required?  include a link to the releng issue.  
The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing, and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication -->
The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing, and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication -->
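Review bot: In the release engineering bullet, the new link text runs straight into the following sentence ("Releng issue #9390] If compat package is provided ..."), so the rendered bullet reads as a single run-on. Add a period after the closing bracket of the link, and consider "If the compat package is provided, ..." for the sentence that follows.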
Line 69: Line 69:
== Contingency Plan ==
== Contingency Plan ==


If the openssl-3.0 is too unstable before the branching point of Fedora 33 we will not update the package and delay the change to Fedora 34.
If the openssl-3.0 is too unstable before the branching point of Fedora 34 we will not update the package and delay the change to Fedora 35.


If the openssl is already updated but it is found out to be too unstable later we can revert to previous version however a rebuild of all dependencies that were already rebuilt will be needed.
If the openssl is already updated but it is found out to be too unstable later we can revert to previous version however a rebuild of all dependencies that were already rebuilt will be needed.
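Review bot: The updated contingency sentence is still one release behind the target this revision sets. "Targeted release" is now Fedora 35, yet the new text reads "before the branching point of Fedora 34 we will not update the package and delay the change to Fedora 35", which describes the deferral that has already been made rather than a fallback. Suggest moving both release numbers forward by one, or stating explicitly which release the owners intend as the fallback.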
Line 86: Line 86:
== Release Notes ==
== Release Notes ==


Fedora 33 comes with OpenSSL 3.0 as the primary OpenSSL package. It brings support for Crypto Providers interface.
Fedora 34 comes with OpenSSL 3.0 as the primary OpenSSL package. It brings support for Crypto Providers interface.
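Review bot: "Fedora 34 comes with OpenSSL 3.0" in the updated release-notes line does not match the targeted release this revision sets (Fedora 35) or the revision summary "Deferring to F35"; the release named here should agree with the target. The same line also needs an article: "support for the Crypto Providers interface".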

Revision as of 15:24, 11 February 2021

OpenSSL3.0

Summary

The OpenSSL package is rebased to version 3.0 and the dependent packages are rebuilt.

Owner

Current status

Detailed Description

OpenSSL 3.0 is going to be a significantly new release with a changed ABI but minimal API changes. That means most of the dependent packages will need just a rebuild to work with the new OpenSSL package. However, a compat-openssl11 package will be provided (at least temporarily) alongside the base package so that the operation of Rawhide is not disrupted.

OpenSSL 3.0 is still in development, but a first beta release should be done in June. After that, work on the rebase will start, and it should be possible to finish it while still on beta releases. Later releases up to the final one should not be disruptive and should not break the API/ABI.

Benefit to Fedora

This change introduces OpenSSL 3.0 with its significantly reworked internals, which allow for easier replacement of the crypto implementations via the Crypto Providers concept.

Scope

  • Proposal owners: Provide a compat-openssl11 package, identify dependent packages, provide the rebased openssl package, work with dependent package owners on rebuilds.
  • Other developers: Dependent package owners rebuild their packages. Most of the dependencies will not require code changes, but some more fragile dependencies (mostly language bindings) might need changes, especially in test cases that depend on legacy behavior.
  • Release engineering: Releng issue #9390. If the compat package is provided, a mass rebuild should not be necessary.
  • Policies and guidelines: No update of packaging guidelines or other policies should be needed.
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

If the compat-openssl11 package is provided, there should be no issues with upgrades.

How To Test

If your application uses OpenSSL to communicate via TLS or perform other tasks that use cryptographic algorithms from OpenSSL, please test whether it continues to work properly. This should be covered by the comprehensive upstream test suite of OpenSSL. However, many dependent packages also provide good test coverage of OpenSSL functionality.

User Experience

There should be no impact on end-user experience.

Dependencies

There are many packages which depend on libssl or libcrypto from OpenSSL. Most of them should just work after a rebuild with the new openssl package. However, it is not critical to rebuild everything at once if the compat-openssl11 compat library package is provided.

Contingency Plan

If openssl-3.0 is too unstable before the branching point of Fedora 34, we will not update the package and will delay the change to Fedora 35.

If openssl has already been updated but is later found to be too unstable, we can revert to the previous version; however, all dependencies that were already rebuilt will need to be rebuilt again.

  • Contingency mechanism: Revert package, rebuild updated dependencies.
  • Contingency deadline: Before release
  • Blocks release? No
  • Blocks product? No

Documentation

OpenSSL 3.0 upstream design document

OpenSSL 3.0 release schedule

Release Notes

Fedora 34 comes with OpenSSL 3.0 as the primary OpenSSL package. It brings support for the Crypto Providers interface.