[systemd-devel] [RFC] Switching to OpenSSL 3?

Mike Gilbert floppym at gentoo.org
Tue Sep 14 14:26:18 UTC 2021


On Tue, Sep 14, 2021 at 7:36 AM Lennart Poettering
<lennart at poettering.net> wrote:
>
> Heya!
>
> Some of the systemd developers have been discussing switching
> systemd's crypto libraries to be exclusively OpenSSL 3.0, and drop
> support for older OpenSSL versions, as well as any GNUTLS/libgcrypt
> support. As you might have noticed OpenSSL 3.0 has been released
> recently, and for the first time resolves the GPL2 license
> incompatibility mess comprehensively, which opens this door to us.
>
> I personally care a lot about reducing the combinatorial explosion of
> deps a bit, and keeping our tree as maintainable as we can, with a
> single implementation of everything, not multiple, and no abstraction
> layers and such, and thus removing any compat kludges for other
> libraries or other library versions.
>
> Now, before we make a decision on this, I'd like to collect feedback
> on such a move. I know that there are some people who backport new
> systemd onto old distros. How big would the pain be to require porting
> OpenSSL 3, too, at the same time?
>
> (What's not up for discussion: for new additions to systemd we'll do
> only OpenSSL, and won't accept anything else. My question is really
> just about the stuff we already have, where we currently support
> GNUTLS/libgcrypt.)
>
> Anyway, I'd be interested in your thoughts about this. i.e. hear
> multiple takes, opinions, from different people and positions?

I would definitely like to be able to depend on one crypto/TLS
implementation that would cover all features in systemd, instead of
having to depend on OpenSSL for some features, and GnuTLS for other
features. The current situation is quite messy.

Settling on OpenSSL sounds fine to me.

It will probably take a few months for Gentoo to get fully upgraded to
OpenSSL 3.0. Here is our tracker for that:

https://bugs.gentoo.org/797325

Do you have a target date/milestone in mind for introducing this
dependency in systemd?

