[Development] Removal/deprecation of OpenSSL 1 in Qt
Giuseppe D'Angelo
giuseppe.dangelo at kdab.com
Thu Nov 30 11:49:45 CET 2023
Hi,
OpenSSL 1 has reached EOL last September:
> https://www.openssl.org/blog/blog/2023/09/11/eol-111/
Qt has supported OpenSSL 3 for a while, and so last week I pushed a
patch to drop OpenSSL 1 support from Qt. "This has made a lot of people
very angry and been widely regarded as a bad move."
It turns out that not every platform officially supported by Qt ships
OpenSSL 3 yet. Some of these platforms are promising to maintain OpenSSL
1 for a little while longer, for instance Ubuntu 20.04 LTS:
> https://canonical.com/blog/running-openssl-1-1-1-after-eol-with-ubuntu-pro
How to move forward from here: "revert the patch", sure, but also not so
fast:
* First and foremost, I'd like a semi-formal insurance from Qt SSL
maintainers that they're willing to maintain OpenSSL 1 code in Qt as
long as needed. This should be done publicly, in docs + blog posts,
because users are going to depend on this information.
* For "how long" is that exactly? Also a very good question. Can we
gather 1) which supported platforms are still offering only OpenSSL 1,
and 2) for how long do they plan to support OpenSSL 1, and 3) for how
long Qt would like to support these platforms? (Basically, assessing
whether the "insurance" above is realistic)
* Then, a plain revert isn't a good idea either: the whole point of the
original commit is that using OpenSSL 1 is outright dangerous if you
don't know what you're doing. (Using unmaintained security-sensitive
code is a terrible idea). Therefore, a revert must also include make
OpenSSL 1 entirely opt-in (cmake switch), and not using any automatic
detection whatsoever: users of Qt should never ever be enabling it "by
accident".
Thank you,
--
Giuseppe D'Angelo | giuseppe.dangelo at kdab.com | Senior Software Engineer
KDAB (France) S.A.S., a KDAB Group company
Tel. France +33 (0)4 90 84 08 53, http://www.kdab.com
KDAB - Trusted Software Excellence
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4244 bytes
Desc: Firma crittografica S/MIME
URL: <http://lists.qt-project.org/pipermail/development/attachments/20231130/92cf41cd/attachment.bin>
More information about the Development
mailing list