[systemd-devel] [RFC] Switching to OpenSSL 3?

Davide Cavalca dcavalca at fb.com
Thu Nov 18 21:42:17 UTC 2021


On Wed, 2021-09-15 at 14:29 +0000, Davide Cavalca wrote:
> On Tue, 2021-09-14 at 13:36 +0200, Lennart Poettering wrote:
> > Heya!
> > 
> > Some of the systemd developers have been discussing switching
> > systemd's crypto libraries to be exclusively OpenSSL 3.0, and drop
> > support for older OpenSSL versions, as well as any GNUTLS/libgcrypt
> > support. As you might have noticed OpenSSL 3.0 has been released
> > recently, and for the first time resolves the GPL2 license
> > incompatibility mess comprehensively, which opens this door to us.
> > 
> > I personally care a lot about reducing the combinatorial explosion of
> > deps a bit, and keeping our tree as maintainable as we can, with a
> > single implementation of everything, not multiple, and no abstraction
> > layers and such, and thus removing any compat kludges for other
> > libraries or other library versions.
> > 
> > Now, before we make a decision on this, I'd like to collect feedback
> > on such a move. I know that there are some people who backport new
> > systemd onto old distros. How big would the pain be to require porting
> > OpenSSL 3, too, at the same time?
> 
> This will be an issue for CentOS Stream 8, among others. We ship a
> backport of the latest systemd (and dailies from the github master) for
> it as part of the CentOS Hyperscale SIG
> (https://wiki.centos.org/SpecialInterestGroup/Hyperscale). C8 currently
> ships OpenSSL 1.1.1k, and given that this is a package from base it's
> unlikely to get bumped throughout the lifecycle of the distro. We could
> theoretically build OpenSSL 3 as part of Hyperscale, but that would
> require rebuilding half the distribution, which is obviously not
> practical. We might be able to build and ship a coinstallable private
> OpenSSL 3 build just for systemd, but I don't know how technically
> feasible that'll be in practice, and it'll definitely be a pain to
> maintain and likely bring along some security fun.

To close the loop on this -- Michel (in CC) has built a coinstallable
openssl3 package in EPEL 8:
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-ff6e908f7e

This should make it possible to continue backporting systemd on CentOS
Stream 8 even after the move to openssl3.

Cheers
Davide