On Thu, 30 Nov 2023 at 12:52, Giuseppe D'Angelo via Development <development@qt-project.org> wrote:
>
> Hi,
>
> OpenSSL 1 reached EOL last September:
>
> https://www.openssl.org/blog/blog/2023/09/11/eol-111/
>
> Qt has supported OpenSSL 3 for a while, and so last week I pushed a
> patch to drop OpenSSL 1 support from Qt. "This has made a lot of people
> very angry and been widely regarded as a bad move."
>
> It turns out that not every platform officially supported by Qt ships
> OpenSSL 3 yet. Some of these platforms are promising to maintain OpenSSL
> 1 for a little while longer, for instance Ubuntu 20.04 LTS:
>
> https://canonical.com/blog/running-openssl-1-1-1-after-eol-with-ubuntu-pro
>
> How to move forward from here: "revert the patch", sure, but also not so
> fast:
>
> * First and foremost, I'd like a semi-formal insurance from Qt SSL
> maintainers that they're willing to maintain OpenSSL 1 code in Qt as
> long as needed. This should be done publicly, in docs + blog posts,
> because users are going to depend on this information.
>
> * For "how long" is that exactly? Also a very good question. Can we
> gather 1) which supported platforms are still offering only OpenSSL 1,
> and 2) for how long do they plan to support OpenSSL 1, and 3) for how
> long Qt would like to support these platforms? (Basically, assessing
> whether the "insurance" above is realistic)
>
> * Then, a plain revert isn't a good idea either: the whole point of the
> original commit is that using OpenSSL 1 is outright dangerous if you
> don't know what you're doing. (Using unmaintained security-sensitive
> code is a terrible idea). Therefore, a revert must also include making
> OpenSSL 1 entirely opt-in (cmake switch), and not using any automatic
> detection whatsoever: users of Qt should never ever be enabling it "by
> accident".
Well, this is straightforward in the sense that QNX doesn't support openssl3 yet. Dropping OpenSSL1 support is dropping support for TLS on QNX, and we don't want to do that.

I don't quite follow why the revert "must" include making OpenSSL1 entirely an opt-in. That doesn't change anything in how we build our release packages, at the end of the day. Innocent users should just build with an OpenSSL3-enabled system.