[Development] Removal/deprecation of OpenSSL 1 in Qt
Ville Voutilainen
ville.voutilainen at gmail.com
Thu Dec  7 19:32:43 CET 2023

On Thu, 7 Dec 2023 at 12:33, Giuseppe D'Angelo
<giuseppe.dangelo at kdab.com> wrote:
> * For how long is QNX going to support OpenSSL 1? Is OpenSSL 3 support
> on the radar?
Yes, it's on the radar for QNX 8, which is not released yet.
> Is there an online resource showing their commitment to
> maintaining it? Is there the possibility of just building+shipping
> OpenSSL 3 outside of what is provided by the base OS?
Well, like it is on Linux distros, building and shipping it as a
replacement is not easy, and building and shipping it alongside is
not easy either.
> * For how long are *we* going to support QNX and OpenSSL 1 on there?
Until QNX 8 ships.
> * What about other platforms?
Maybe we should keep OpenSSL1 support in 6.5 throughout the lifetime
of that LTS.
> * Can we put this "contract" in the docs?
Sure seems like it would be a good idea to revisit this for the next
LTS in any case. Make that the point where we drop OpenSSL1 regardless
of whether BlackBerry has managed to ship QNX 8. That's different from
doing it in a patch release, or backporting the drop to everywhere. We
can plausibly say at that point that we'll just drop it.
> > I don't quite follow why the revert "must" include making OpenSSL1
> > entirely an opt-in.
> > That doesn't change anything in how we build our release packages, at
> > the end of the day.
> > Innocent users should just build with an OpenSSL3-enabled system.
>
> Innocent users may have their own build scripts that pull OpenSSL 1 and
> build Qt against that, without realizing that they're playing with fire.
> We should never expose users to insecure defaults, hence the opt-in
> flag, and a build error if you ask for autodetection and only OpenSSL 1
> is found.
Well, okay then. Patch it first so that the opt-in supersedes
autodetection but the autodetection is still there, then patch coin so
that everything in it that needs this uses the opt-in, then drop the
autodetection.
    
    