OpenSSL 3.0 transition plans

Dimitri John Ledkov dimitri.ledkov at canonical.com
Tue Oct 12 17:04:51 UTC 2021


On Mon, Oct 11, 2021 at 2:48 PM Simon Chopin <simon.chopin at canonical.com> wrote:
>
> Hi Robie,
>
> Quoting Robie Basak (2021-10-11 12:39:00)
> > I think it's worth noting what happened with nodejs in Bionic:
> >
> > https://bugs.launchpad.net/ubuntu/+source/nodejs/+bug/1779863
> > https://bugs.launchpad.net/ubuntu/+source/nodejs/+bug/1794589
> >
> > Summary: nodejs incorporated the version of openssl it gets built with
> > into its ABI, causing incompatibility between binary modules built in
> > different places if they mismatch, contrary to ecosystem expectations.
> > Upstream therefore considers[1] the openssl version that must be used
> > "locked" for a particular nodejs version. But if we use the version
> > upstream wants, and that differs from our "default" version, then the
> > resulting co-installability conflict between the two -dev packages
> > results in users complaining about that instead.
> >
> > It might be worth someone looking into this early in order to try to
> > avoid or mitigate a recurrence of this kind of issue.
>
> (my apologies, this mail will likely contain quite a few links)
>
> I looked a little bit into this, and as of 8 hours ago, the embedded copy
> of OpenSSL has been updated to version 3.0.0[0]. They have an open issue
> tracking the OpenSSL 3.0 support situation[1], and their technical
> > committee has a document specifying which OpenSSL release is supported
> for a given NodeJS version[2].
>
> According to this comment[3] it seems they don't plan on supporting
> OpenSSL 3.0 in the 16.x branch, but rather in the 17.x which will have
> its first release next week according to their release schedule[4].
> Sadly, the new 17.x branch isn't planned as an LTS one.
>
> Looking inwards, we currently ship a NodeJS version based on the 12.x
> branch, and Debian seems to be planning[5] a transition towards the 14.x
> branch. None of which support OpenSSL 3.0.
>
> Unless I'm missing something, I see the following options, in no
> particular order:
>
> (a) Remove NodeJS from the archive. Had to be mentioned, but I don't
>   think it's realistic ;-)
>
> (b) Keep in sync with Debian, use the 14.x branch, but keep OpenSSL 1.1.1
>     in the archive via a compat package.
> (b') The same but using the embedded copy of OpenSSL (if even possible?).
>

(b') has been done in the past in Debian, and can be done again in
Debian/Ubuntu.

I'm not sure how well extensions compile when one does that and if we
will still need to package nodejs-openssl headers somewhere. Doing
(b') imho is less liability than packaging and providing 1.1.1 in the
archive, as despite all pleas people tend to assume that they don't
need to do anything and can stick with 1.1.1 for another ten years
without doing any work to migrate to 3.0.0.

--
Regards,

Dimitri.


> (c) Use NodeJS v17.x in JJ (when it's out), with OpenSSL 3.0. This would entail
>     doing the transition on our own, and it basically would be EOL two
>     months after the JJ release.
>
> (d) Track the NodeJS master branch in JJ and update NodeJS to the official
>     version 18.0 a few days after our release of 22.04.
>
> (e) Use 16.x + OpenSSL3 patches. I'm not entirely sure whether this
>     would create the same issues as mentioned by Robie, as the support
>     for a linked 3.0.0 is documented in [2].
>
> I feel like (b) is our safest bet. If we go this route, we'll want to
> make sure that libssl-dev and libssl1.1-dev are coinstallable, as it was
> apparently a pain point in the previous OpenSSL transition.
>
> I welcome any other options or perspectives on the issue :)
>
> Cheers,
> Simon
>
> [0]: https://github.com/nodejs/node/commit/66da32c045035cf2710a48773dc6f55f00e20c40
> [1]: https://github.com/nodejs/node/issues/29817
> [2]: https://github.com/nodejs/TSC/blob/main/OpenSSL-Strategy.md
> [3]: https://github.com/nodejs/node/issues/40106#issuecomment-937718359
> [4]: https://github.com/nodejs/Release#release-schedule
> [5]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989266#10
>
> --
> ubuntu-devel mailing list
> ubuntu-devel at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
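The ABI concern in the thread (a node binary's addons only match if they were built against the same OpenSSL series, and the system libssl-dev may not be that series) is easy to check on a given box. The script below is an added example written for this page, not code from the thread, Node.js or Ubuntu. It relies only on the documented `process.versions.openssl` value, `ldd` and `openssl version`; the SONAME-series rule it encodes (every 1.1.x release ships libssl.so.1.1, every 3.x release ships libssl.so.3) is a fact about OpenSSL's own packaging, and the sample `ldd` lines in the usage are constructed for illustration.

```shell
#!/bin/sh
# Added example: tell whether a node binary uses the system libssl (shared,
# option (b) in the thread) or an embedded copy (option (b')), and whether the
# OpenSSL series node was built against matches the system OpenSSL.

# Map an OpenSSL version string to its ABI series, i.e. the libssl SONAME
# family it belongs to. "3.0.0+quic" (what node 17 reports) is series 3.
openssl_abi_series() {
    case "$1" in
        1.1.*) echo 1.1 ;;      # libssl.so.1.1
        3.*)   echo 3 ;;        # libssl.so.3
        *)     echo unknown ;;
    esac
}

# Exit 0 when two version strings share an ABI series (and it is a known one).
openssl_abi_compatible() {
    a=$(openssl_abi_series "$1")
    b=$(openssl_abi_series "$2")
    [ "$a" != unknown ] && [ "$a" = "$b" ]
}

# Read `ldd <node>` output on stdin; print the SONAME of the libssl that node
# loads, or "embedded" when no libssl is dynamically linked at all.
node_libssl_soname() {
    soname=$(sed -n 's/^[[:space:]]*\(libssl\.so[^ ]*\) =>.*/\1/p' | head -n1)
    if [ -n "$soname" ]; then
        echo "$soname"
    else
        echo embedded
    fi
}

# Live probe: only runs when a node binary is actually installed.
if command -v node >/dev/null 2>&1; then
    node_ver=$(node -p process.versions.openssl)
    link=$(ldd "$(command -v node)" 2>/dev/null | node_libssl_soname)
    echo "node built against OpenSSL $node_ver (series $(openssl_abi_series "$node_ver")), libssl linkage: $link"
    if command -v openssl >/dev/null 2>&1; then
        sys_ver=$(openssl version | awk '{print $2}')
        if openssl_abi_compatible "$node_ver" "$sys_ver"; then
            echo "system OpenSSL $sys_ver is the same ABI series; addons built with libssl-dev should match"
        else
            echo "WARNING: system OpenSSL $sys_ver is a different ABI series; addons built with the system libssl-dev will not match node's"
        fi
    fi
fi
```

Run it on the machine where native addons get built: "embedded" plus a different series than `openssl version` is exactly the situation Robie describes, where `libssl-dev` headers on the box do not match what `node` itself was built with. A "shared" result with a matching series is what option (b) aims for.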
