Package: release.debian.org
Control: affects -1 + src:openssl
X-Debbugs-Cc: [email protected]
User: [email protected]
Usertags: transition
Severity: normal

Dear release team,

I aim for an OpenSSL transition :)

The so-version changes from 3 to 4 as a result of the ABI change.
The main changes are:
- The ENGINE API goes away. The "Provider mechanism" (available since
  3.0) is the replacement.
  There are three engines in tree:
  libengine-gost-openssl, libengine-pkcs11-openssl,
  libengine-tpm2-tss-openssl. The former two seem to provide a
  matching provider. The latter is probably replaced by tpm2-openssl.
  The build failure for non-engine code is the attempt to use a possibly
  available engine (which fails to link since the code is gone).

- ASN1_STRING has been made opaque. This seems to cause the most compile
  failures.

There is a blog post
        https://openssl-library.org/post/2026-04-14-openssl-40-final-release/

The long-term plan is to switch to 4.0 and then to 4.2 which should be
released around April and will be LTS. So Forky would have an LTS
supported release, see
        https://openssl-library.org/post/2026-05-07-future-release/

There are approx 1k packages involved. I did a mass rebuild and opened
a few bugs:
        https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=openssl-4.0;[email protected]
        https://udd.debian.org/cgi-bin/[email protected]&tag=openssl-4.0

I also made a summary, it might be easier to track:
        https://breakpoint.cc/openssl-rebuild/logs-4/

A bit of explanation of the last URL:
Red means it did not build against v4 but it built against the current
v3.6. Those have matching bug links and three build logs (two attempted
for v4 and one success for v3). If the bug has been closed in the
archive then the text changes open->closed.

A bit further down, there is the black category. These packages I did not
manage to build. Either because apt couldn't satisfy the build
dependencies or because they do not build on amd64.

Then there is the brown category. Here the build started and failed
later. Sometimes it is a generic issue, sometimes it mysteriously passes
on the buildds ¯\_(ツ)_/¯

I would like to know what the release team thinks about this and what the
requirements are before it can be started. I would also have to go
off grid in mid July-August ;)

The auto-Ben file in the transition tracker includes additionally the
udebs and looks fine. Below the one from the report-bug tool.

Ben file:

title = "openssl";
is_affected = .depends ~ "libssl3t64" | .depends ~ "libssl4";
is_good = .depends ~ "libssl4";
is_bad = .depends ~ "libssl3t64";

Sebastian
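
Added example, not part of Sebastian's message and not code from Debian or
OpenSSL: a heuristic triage script for the "ASN1_STRING has been made opaque"
build failures mentioned above. It flags direct member access on
ASN1_STRING-family pointers and suggests the accessor to port to. The type
list, regexes and SAMPLE source are constructed for illustration.

```python
import re

# Typedefs that alias struct asn1_string_st in OpenSSL's headers (assumed list).
ASN1_TYPES = (
    "ASN1_STRING", "ASN1_INTEGER", "ASN1_ENUMERATED", "ASN1_BIT_STRING",
    "ASN1_OCTET_STRING", "ASN1_UTF8STRING", "ASN1_IA5STRING",
    "ASN1_PRINTABLESTRING", "ASN1_TIME", "ASN1_UTCTIME",
    "ASN1_GENERALIZEDTIME",
)
# Read-side replacements; these accessors have existed since OpenSSL 1.1.0.
ACCESSOR = {
    "data": "ASN1_STRING_get0_data({v})",
    "length": "ASN1_STRING_length({v})",
    "type": "ASN1_STRING_type({v})",
}
# Heuristic: catches "TYPE *name" declarations and parameters, but not the
# second declarator in "TYPE *a, *b" or pointers reached through other structs.
DECL = re.compile(r"\b(?:const\s+)?(?:%s)\s*\*\s*(\w+)" % "|".join(ASN1_TYPES))
MEMBER = re.compile(r"\b(\w+)\s*->\s*(data|length|type|flags)\b")

def find_direct_access(source):
    """Return (line_no, expression, suggestion) for each direct member access
    on a variable declared as a pointer to an ASN1_STRING-family type."""
    declared = set(DECL.findall(source))
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        code = line.split("//", 1)[0]  # ignore trailing line comments
        for var, member in MEMBER.findall(code):
            if var in declared:
                hint = ACCESSOR.get(member, "review by hand (no accessor mapped here)")
                hits.append((no, f"{var}->{member}", hint.format(v=var)))
    return hits

# Constructed C fragment: 'kid' is ASN.1 and must be flagged, 'out' must not.
SAMPLE = """\
static int key_id_len(const ASN1_OCTET_STRING *kid, struct buf *out)
{
    memcpy(out->data, kid->data, kid->length);  // out is not ASN.1
    return kid->length;
}
"""

if __name__ == "__main__":
    for no, expr, hint in find_direct_access(SAMPLE):
        print(f"line {no}: {expr} -> {hint}")
```

Hits are candidates to review against the build log, not a complete list:
writes to these members need ASN1_STRING_set() or a type-specific setter
rather than the read accessors suggested here.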