openssl version 3.0 in arch?

mcloaked · 2022-06-27 20:35:06

There was a post in the [arch-general] mailing list asking when arch will be moving to openssl 3.0 as Fedora has now rebuilt their packages so that they have openssl 3.0 support. Does anyone know if there is a major problem with packages in arch being built against openssl 3.0?

loqs · 2022-06-27 20:50:17

See https://github.com/loqs/PACKAGES-OSSL3
Every listed package failed the first openssl 3 rebuild. Everything without a ✓ still needs work.

mcloaked · 2022-06-27 21:07:20

That looks promising - at least it should be possible to fix the build problems even if it takes some time.

loqs · 2022-06-27 21:31:15

If a compat openssl-1.1 package and the continued existence of openssl-1.0 was acceptable then it is achievable short term once all the listed FS are addressed.
Otherwise wait for whenever Valve stops use of openssl-1.0 for that package.
For openssl-1.1 ruby2.7/gitlab see https://github.com/cedarcode/webauthn-ruby/issues/359 nodejs-lts-fermium opensearch-dashboards is not going to move off fermium in the near future, consul is currently packaged without the UI so could drop makedepends on nodejs-lts-fermium, vault move to nodejs-lts-gallium, cozy-desktop ??? 389-ds-base ??? python-sphinx_rtd_theme ??? python2 this should be droppable this year https://bbs.archlinux.org/viewtopic.php?id=276130

GeneArch · 2022-08-28 19:55:17

Anyone aware of any progress with openssl 3.x yet ?

loqs · 2022-08-28 20:09:03

GeneArch wrote:

Anyone aware of any progress with openssl 3.x yet ?

The github link in post #2 is updated with the current state.
Could you help with a few of the remaining packages? dovecot contact upstream about the patch Fedora created. gitlab ask upstream to update the webauthn ruby gem to 2.5.2 see https://github.com/cedarcode/webauthn-ruby/issues/359
The openssl 3 update is probably blocked by the removal of python2 which is waiting for all the mailing lists to be converted to mailman 3.
Edit:
Also do you know if steam or steam-native depend on openssl 1.1 in addition to 1.0? openssl 1.0 support becomes more difficult as openssl 1.0 can break attempting to parse /etc/ssl/openssl.cnf which includes a provider / engine not available for 1.0 see https://repo.steampowered.com/steamrt/p … ian.tar.gz / debian/patches/steamrt/Disable-loading-of-etc-ssl-openssl.cnf-in-the-Steam-Runti.patch for more details.

Last edited by loqs (2022-08-28 20:20:02)

GeneArch · 2022-08-28 22:05:56

I'm not familiar with steam - I did some searching but did not find anything helpful.

dovecot:
- git has no commit mentioning openssl 3.x that I could find.
- I also don't see any pull requests either.
- I did find a reference in mailing list from June 2022.
https://dovecot.org/pipermail/dovecot/2 … 24877.html

I know your list doesn't cover extra or community - but definitely some important packages there too.
postfix (3.7+)
- supposed to work with openssl-3.0

nginx/nginx-mainline
- supposed to work with 3.0

nginx-quic
- dropped openssl and uses boringssl instead - so its fine too.
- I have built but not yet tested this yet.

Slithery · 2022-08-28 22:22:08

GeneArch wrote:

I know your list doesn't cover extra or community

Yes it does.

loqs · 2022-08-28 22:36:05

GeneArch wrote:

I'm not familiar with steam - I did some searching but did not find anything helpful.
dovecot:
- git has no commit mentioning openssl 3.x that I could find.
- I also don't see any pull requests either.
- I did find a reference in mailing list from June 2022.
https://dovecot.org/pipermail/dovecot/2 … 24877.html

Thank you for the mailing list find. So upstream is aware of the issue / Fedora patch.

GeneArch wrote:

I know your list doesn't cover extra or community - but definitely some important packages there too.

The list is structured the same way as [1] core and extra in one table then community in a second table.
Packages not listed built successfully in [1] . The only package in the repositories I am aware of that can not be built with OpenSSL 3.0 is nodejs-lts-fermium. I would switch that to using its bundled copy of openssl or switch to openssl-1.1 if that package is left in the repos.
python2 has a patch set for OpenSSL 3.0 from Ubuntu/Debian but as the package is in the process of removal I would leave the update until after python2 is removed. Every other package should build as is in the repos or there should be a branch in my repo with an updated PKGBUILD.

GeneArch wrote:

postfix (3.7+)
- supposed to work with openssl-3.0
nginx/nginx-mainline
- supposed to work with 3.0

Builds and passes tests.

GeneArch wrote:

nginx-quic
- dropped openssl and uses boringssl instead - so its fine too.
- I have built but not yet tested this yet.

As nginx-quic is in AUR I did not check it. Looking at the PKGBUILD as your said it is building borringssl so does not depend on the openssl package.

[1] https://md.archlinux.org/s/t8HOyhNOi#

GeneArch · 2022-08-28 22:46:10

Ah right, sorry read your list too quickly

Arch Linux

#1 2022-06-27 20:35:06

openssl version 3.0 in arch?

#2 2022-06-27 20:50:17

Re: openssl version 3.0 in arch?

#3 2022-06-27 21:07:20

Re: openssl version 3.0 in arch?

#4 2022-06-27 21:31:15

Re: openssl version 3.0 in arch?

#5 2022-08-28 19:55:17

Re: openssl version 3.0 in arch?

#6 2022-08-28 20:09:03

Re: openssl version 3.0 in arch?

#7 2022-08-28 22:05:56

Re: openssl version 3.0 in arch?

#8 2022-08-28 22:22:08

Re: openssl version 3.0 in arch?

#9 2022-08-28 22:36:05

Re: openssl version 3.0 in arch?

#10 2022-08-28 22:46:10

Re: openssl version 3.0 in arch?

Board footer