On 31/05/2022 17:59, Rémy Maucherat wrote:
On Tue, May 31, 2022 at 6:48 PM Mark Thomas <ma...@apache.org> wrote:
<snip/>
On that topic, I originally made the decision to keep LibreSSL support
when I thought that 10.1.x would require Tomcat Native 2.0.x. The plan
has since shifted and 10.1.x will ship with Tomcat Native 2.0.x but will
still be able to use (a sufficiently recent) Tomcat Native 1.2.x. With
that in mind, do we want to keep LibreSSL support in Tomcat Native 2.0.x?
If tomcat-native 2.0 is fully aligned with what the Panama code does
(so no LibreSSL), it would be better for a future transition to it.
OTOH, it would force supporting 1.2 for (much) longer.
Hmm. Tricky.
If we assume that we need to support Tomcat Native 1.x until EOL of
9.0.x (due to the o.a.t.u.jni package) then we will be supporting 1.x for
(best guess) until 2028 or so.
OpenSSL 1.1.1 is EOL 2023-09-11 so there is a 4/5 year gap there.
However, various distributions are committed to supporting OpenSSL 1.1.1
for much longer.
Looking at the various timescales, I think we should be helpful to the
downstream distributions where we can but they are going to have to take
on some of the maintenance work for their LTS distributions once OpenSSL
1.1.1 reaches EOL.
So that starts to look like 1.3.x (built with OpenSSL 3.0.x) around the
middle of next year. That should be good to Sept 2026. Not sure what
we'd do for the last few years of 9.0.x. 1.4.x built on whatever the new
OpenSSL LTS is?
Then what do we do with LibreSSL? Maintain support in the 1.x branch?
Given the direction of travel (towards Panama and using OpenSSL
directly) how much effort do we want to put into LibreSSL support?
Do we want to announce an early EOL for the deprecated parts of the
o.a.t.u.jni package with a view to removing them during the lifetime of
8.5.x and 9.0.x? That would simplify planning (Tomcat Native 1.2.x would
EOL at the same time). But it would be highly unusual for us to do that
and could cause breakage with a point release.
What about LibreSSL? Are we looking towards a Panama module for LibreSSL
and then some glue code so you can swap between Panama modules for
different TLS native libraries?
Lots of questions there. Nothing jumps out at me as the "obvious" plan.
Thoughts?
Mark