#3101 Change: Remove OpenSSL Compat
Closed: Accepted 2 months ago by sgallagh. Opened 4 months ago by amoloney.

We are going to remove the openssl11 package from Fedora 40.

Owners, do not implement this work until the FESCo vote has explicitly ended.
The Fedora Program Manager will create a tracking bug in Bugzilla for this Change, which is your indication to proceed.
See the FESCo ticket policy and the Changes policy for more information.

REMINDER: This ticket is for FESCo members to vote on the proposal. Further discussion should happen in the devel list thread linked above.

Miro's concerns regarding what to do with Python 3.6 from four weeks ago have not been answered in the discussion thread. Not sure if that's still a concern, but I'd rather not have this approved without confirmation that this is OK from Python point of view.

-1 to prevent auto-approval.

Metadata Update from @ngompa:
- Issue tagged with: meeting

4 months ago

There's also no real contingency plan. -1

The idea is that we don't want to continue supporting. So lack of contingency plan is intentional.

Miro's concerns regarding what to do with Python 3.6 from four weeks ago have not been answered in the discussion thread.

Yeah, that is a valid question and deserves a reply.

Back when we dropped support for OpenSSL 1.0, didn't we have a period where the library remained and the -devel subpackage was removed? Couldn't we do that again here?

That will not help us with Python 3.6 at all. We need to be able to rebuild it in case we have a CVE to fix. We maintain this package in RHEL 8 and we expect to land security fixes to Fedora as long as we do that there. The OpenSSL 1.1 package is maintained in RHEL 8 as well.

(Note that it is entirely possible to switch to OpenSSL 3, as it was already done with Python 2.7 which is much older than 3.6, we just need help doing it.)

Right, I was ignoring the Python 3.6 problem with that comment. I probably should have been more explicit about that. Treat that suggestion as assuming that Python 3.6 gets the OpenSSL 3 conversion.

We already have -devel package removed

We already have -devel package removed

The -devel package is still there in Rawhide, otherwise python3.6 would not build.

$ repoquery -q --repo=rawhide openssl1.1-devel

There's a %bcond in the spec file for it and it's enabled.

This will be discussed today at 17:00 UTC in #fedora-meeting-2.

@dbelyavs We're still waiting for an answer about the plan for pytho3.6. Please reply.

This was discussed in today's meeting:
We're waiting for a reply from the Change Owner about python3.6.

I believe @sgallagh already proposed a reasonable solution. Python 3.6 should start using OpenSSL 3.

It's a general idea. The question is who will do the work and what will happen if that work isn't done.

I can answer questions. I can't rewrite the code myself, sorry.

Can you at least provide code review?

@dbelyavs @churchyard Has there been any movement on Python 3.6?

I'm going to put this on the agenda for tomorrow's meeting.

Has there been any movement on Python 3.6?

Apart from https://discussion.fedoraproject.org/t/f40-change-proposal-removing-openssl-1-1-package-system-wide/92899/4 no, it hasn't. The Python Main team is one person short now and others are still on vacation.

AGREED: The Change is approved, any package still depending on openssl-compat at Beta Freeze will be dropped from Fedora at that time. (+7, 0, -1) (sgallagh, 17:26:11)

Metadata Update from @sgallagh:
- Issue untagged with: meeting
- Issue close_status updated to: Accepted
- Issue status updated to: Closed (was: Open)

2 months ago

I posted a port of the python2.7 patch to the 3.6 bz -- it builds, but still fails a few tests.

Login to comment on this ticket.