Wiki - https://fedoraproject.org/wiki/Changes/OpensslNoBuildEngine
Discussion thread - https://discussion.fedoraproject.org/t/f43-change-proposal-disabling-support-of-building-openssl-engines-system-wide/145922

This is a proposed Change for Fedora Linux.

This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

== Summary ==

We disable support of building engines in OpenSSL and remove the deprecated openssl-devel-engine subpackage.

== Owner ==

* Name: [[User:Dbelyavs| Dmitry Belyavskiy]]
* Email: dbely...@redhat.com

== Detailed Description ==

We are going to build OpenSSL without engine support. Engines are not FIPS compatible and the corresponding API has been deprecated since OpenSSL 3.0. The engine functionality we are aware of (PKCS#11, TPM) is covered by providers.

The package necessary to build engines (openssl-devel-engine) is already declared as deprecated and will be removed. For the applications that still unconditionally refer to openssl/engine.h we will provide a dummy engine.h file.

== Feedback ==

== Benefit to Fedora ==

We get rid of deprecated functionality and enforce using the up-to-date API. Engine support is deprecated in OpenSSL upstream, and the migration to providers has caused some deficiencies in engine support. No new features will be added to the engine. So we reduce the maintenance burden and potentially the attack surface.

== Scope ==

* Proposal owners: maintainers of packages relying on the OpenSSL engine functionality
* Other developers:
* Release engineering: [https://pagure.io/releng/issues #Releng issue number] This change probably requires a mass rebuild.
* Policies and guidelines: N/A
* Trademark approval: N/A
* Alignment with the Fedora Strategy:

== Upgrade/compatibility impact ==

== Early Testing (Optional) ==

== How To Test ==

Applications using the OpenSSL ENGINE API can't be built. The ENGINE API is still exported by libcrypto.

== User Experience ==

Users will have to reconfigure systems to use providers if they use engines. No other changes are expected.

== Dependencies ==

In theory, all OpenSSL-dependent packages. In practice, only those that explicitly use the ENGINE API.

== Contingency Plan ==

Re-enable the openssl-devel-engine package, keeping it deprecated.

* Contingency mechanism: N/A
* Contingency deadline: N/A (not a System Wide Change)
* Blocks release? N/A (not a System Wide Change)

== Documentation ==

TBD

== Release Notes ==

TBD

--
Aoife Moloney
Fedora Operations Architect
Fedora Project
Matrix: @amoloney:fedora.im
IRC: amoloney

--
_______________________________________________
devel-announce mailing list -- devel-annou...@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-annou...@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
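
An added example, not part of the proposal and not Fedora tooling: a heuristic Python check a package maintainer could run over C sources to find the explicit ENGINE API use mentioned under Dependencies, and to see whether each reference sits behind a guard. It assumes upstream OpenSSL's `OPENSSL_NO_ENGINE` macro is the guard in use; the function names and the sample source are constructed for illustration.

```python
import re

DIRECTIVE = re.compile(r"^\s*#\s*(ifndef|ifdef|if|elif|else|endif)\b(.*)$")
INCLUDE = re.compile(r'^\s*#\s*include\s*[<"]openssl/engine\.h[>"]')
CALL = re.compile(r"\b(ENGINE_\w+)\s*\(")
GUARD = re.compile(r"(!?)\s*defined\s*\(?\s*OPENSSL_NO_ENGINE\b")

def classify(directive, arg):
    """True: branch built only with engines; False: only without; None: unrelated."""
    if directive in ("ifdef", "ifndef"):
        hit = re.match(r"\s*OPENSSL_NO_ENGINE\b", arg)
        return (directive == "ifndef") if hit else None
    m = GUARD.search(arg)
    return bool(m.group(1)) if m else None

def audit_engine_usage(source):
    """Heuristic scan: (line_no, symbol, guarded) per ENGINE reference; comments not stripped."""
    stack, findings = [], []
    for no, line in enumerate(source.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m:
            directive, arg = m.groups()
            if directive in ("if", "ifdef", "ifndef"):
                stack.append(classify(directive, arg))
            elif directive == "else" and stack and stack[-1] is not None:
                stack[-1] = not stack[-1]  # the other branch of an engine guard
            elif directive == "elif" and stack:
                stack[-1] = None  # conservatively treat as unrelated
            elif directive == "endif" and stack:
                stack.pop()
            continue
        guarded = any(s is True for s in stack)
        if INCLUDE.match(line):
            findings.append((no, "openssl/engine.h", guarded))
        findings.extend((no, sym, guarded) for sym in CALL.findall(line))
    return findings

# Constructed sample input, not taken from any real package.
SAMPLE = """\
#include <openssl/engine.h>
#ifndef OPENSSL_NO_ENGINE
static void load(void) { ENGINE_free(ENGINE_by_id("pkcs11")); }
#else
static void load(void) { }
#endif
void init(void) { ENGINE_load_builtin_engines(); }
"""
if __name__ == "__main__":
    print(*audit_engine_usage(SAMPLE), sep="\n")
```

Entries reported with `guarded` set to `False` are the references to review first: an unguarded include is the case the proposal's dummy engine.h targets, while unguarded `ENGINE_*` calls are candidates for porting to providers.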