[systemd-devel] [RFC] Switching to OpenSSL 3?

Davide Cavalca dcavalca at fb.com
Wed Sep 15 14:29:54 UTC 2021


On Tue, 2021-09-14 at 13:36 +0200, Lennart Poettering wrote:
> Heya!
> 
> Some of the systemd developers have been discussing switching
> systemd's crypto libraries to be exclusively OpenSSL 3.0, and drop
> support for older OpenSSL versions, as well as any GNUTLS/libgcrypt
> support. As you might have noticed OpenSSL 3.0 has been released
> recently, and for the first time resolves the GPL2 license
> incompatibility mess comprehensively, which opens this door to us.
> 
> I personally care a lot about reducing the combinatorial explosion of
> deps a bit, and keeping our tree as maintainable as we can, with a
> single implementation of everything, not multiple, and no abstraction
> layers and such, and thus removing any compat kludges for other
> libraries or other library versions.
> 
> Now, before we make a decision on this, I'd like to collect feedback
> on such a move. I know that there are some people who backport new
> systemd onto old distros. How big would the pain be if that required
> porting OpenSSL 3, too, at the same time?

This will be an issue for CentOS Stream 8, among others. We ship a
backport of the latest systemd (and dailies from the github master) for
it as part of the CentOS Hyperscale SIG
(https://wiki.centos.org/SpecialInterestGroup/Hyperscale). C8 currently
ships OpenSSL 1.1.1k, and given that this is a package from base it's
unlikely to get bumped throughout the lifecycle of the distro. We could
theoretically build OpenSSL 3 as part of Hyperscale, but that would
require rebuilding half the distribution, which is obviously not
practical. We might be able to build and ship a coinstallable private
OpenSSL 3 build just for systemd, but I don't know how technically
feasible that'll be in practice, and it'll definitely be a pain to
maintain and likely bring along some security fun.

The same issue applies to CentOS 7, though we've stopped building
backports for that past 246 so we're not directly impacted there. Now,
the good news is that this won't be an issue at all for CentOS Stream
9, as they've just rebased to 3.0.0 last week
(https://gitlab.com/redhat/centos-stream/rpms/openssl).

Cheers
Davide
