On Mon, Jul 22, 2024 at 05:12:44PM +0200, Clemens Lang wrote: > Hi, > > > On 22. Jul 2024, at 16:32, Fabio Valentini <decatho...@gmail.com> wrote: > > > > On Mon, Jul 22, 2024 at 4:28 PM Clemens Lang <cll...@redhat.com> wrote: > >> > >> Hi Neal, > >> > >> > >>> On 22. Jul 2024, at 15:01, Neal Gompa <ngomp...@gmail.com> wrote: > >>> > >>> The CentOS approach isn't a deprecation, it's flat out removal. It's a > >>> completely different change. > >> > >> This isn’t correct. The headers are removed, but the ABI is still present > >> in CentOS Stream, so it is not flat out removal. > > > > This is arguing about semantics, but probably the difference is that > > packages in Fedora really MUST be kept in a state where they can be > > rebuilt at any time, and removing the headers breaks that. It doesn't > > break existing packages, but as soon as any changes need to be made to > > any package that depends on those headers (or just a plain rebuild for > > some other change in the distribution, or a mass rebuild), it *is* > > equivalent to a removal. > > There are three cases: > > (1) packages that are broken now because they don’t yet depend on > openssl-devel-engine and do not set OPENSSL_NO_ENGINE. > (2) packages that have been fixed by adding -DOPENSSL_NO_ENGINE to CPPFLAGS > (3) packages that have been fixed by adding a dependency on > openssl-devel-engine > > If we change OpenSSL to define OPENSSL_NO_ENGINE by default, with an override > available, that affects these three cases as follows: > > (1) now (hopefully, unless it’s an upstream bug) automatically don’t use > ENGINEs, build should be fixed > (2) no change, continues to build > (3) continues to build, but stops using ENGINEs (but the maintainer would get > a bug ticket about that from me, and then can set > -DFEDORA_OPENSSL_STILL_USE_ENGINES) > > > At no point would a package move to a state where it doesn’t build. > > > (1) and (2) improve the situation for package maintainers. (3) is some extra > work, but it’s also not fail-silent due to the ticket. > > The alternative is doing nothing, which means packages in (1) stay broken and > need to be fixed by somebody, and everybody else gets to keep the > -DOPENSSL_NO_ENGINE define or dependency on openssl-devel-engine in their > specfiles.
At this point, this sounds like the best approach. The problem is well understood and the build failures are trivially resolved by adding a single BuildRequires line or a single define. If we start changing things again, some packages will already adapted will need to adapt again, and overall there'll much more confusion. Zbyszek -- _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
