OpenSSL 3.0 transition plans

Bryce Harrington bryce.harrington at canonical.com
Tue Oct 12 18:02:16 UTC 2021


On Mon, Oct 11, 2021 at 06:47:45AM -0700, Simon Chopin wrote:
> Hi Robie,
> 
> Quoting Robie Basak (2021-10-11 12:39:00)
> > I think it's worth noting what happened with nodejs in Bionic:
> >
> > https://bugs.launchpad.net/ubuntu/+source/nodejs/+bug/1779863
> > https://bugs.launchpad.net/ubuntu/+source/nodejs/+bug/1794589
> >
> > Summary: nodejs incorporated the version of openssl it gets built with
> > into its ABI, causing incompatibility between binary modules built in
> > different places if they mismatch, contrary to ecosystem expectations.
> > Upstream therefore considers[1] the openssl version that must be used
> > "locked" for a particular nodejs version. But if we use the version
> > upstream wants, and that differs from our "default" version, then the
> > resulting co-installability conflict between the two -dev packages
> > results in users complaining about that instead.
> >
> > It might be worth someone looking into this early in order to try to
> > avoid or mitigate a recurrence of this kind of issue.
> 
> (my apologies, this mail will likely contain quite a few links)
> 
> I looked a little bit into this, and as of 8 hours ago, the embedded copy
> of OpenSSL has been updated to version 3.0.0[0]. They have an open issue
> tracking the OpenSSL 3.0 support situation[1], and their technical
> committee has a document specifiying which OpenSSL release is supported
> for a given NodeJS version[2].
> 
> According to this comment[3] it seems they don't plan on supporting
> OpenSSL 3.0 in the 16.x branch, but rather in the 17.x which will have
> its first release next week according to their release schedule[4].
> Sadly, the new 17.x branch isn't planned as an LTS one.
> 
> Looking inwards, we currently ship a NodeJS version based on the 12.x
> branch, and Debian seems to be planning[5] a transition towards the 14.x
> branch. None of which support OpenSSL 3.0.
> 
> Unless I'm missing something, I see the following options, in no
> particular order:
> 
> (a) Remove NodeJS from the archive. Had to be mentioned, but I don't
>   think it's realistic ;-)
> 
> (b) Keep in sync with Debian, use the 14.x branch, but keep OpenSSL 1.1.1
>     in the archive via a compat package.
> (b') The same but using the embedded copy of OpenSSL (if even possible?).
> 
> (c) Use NodeJS v17.x in JJ (when it's out), with OpenSSL 3.0. This would entail
>     doing the transition on our own, and it basically would be EOL two
>     months after the JJ release.
> 
> (d) Track the NodeJS master branch in JJ and update NodeJS to the official
>     version 18.0 a few days after our release of 22.04.
> 
> (e) Use 16.x + OpenSSL3 patches. I'm not entirely sure whether this
>     would create the same issues as mentioned by Robie, as the support
>     for a linked 3.0.0 is documented in [2].
> 
> I feel like (b) is our safest bet. If we go this route, we'll want to
> make sure that libssl-dev and libssl1.1-dev are coinstallable, as it was
> apparently a painpoint in the previous OpenSSL transition.
> 
> I welcome any other options or perspectives on the issue :)

Yeah none of those seem ideal, but I can't think of anything to add to
your list.

A couple additional factors come to mind, although maybe you've already
taken them into account.  First, nodejs tutorials commonly have the
reader use the platform nodejs to bootstrap to a newer nodejs for actual
development.  So, better to be consistent and stable than latest in
greatest.  Second, nodejs is in universe, so that affects its support
situation differently than if it were in main.  So, best not to expect
very heavy maintenance activity post-release.

v14 hits upstream EOL in 2023-04-30, which seems suboptimal for
supportability.  Initial release for v18 (final) isn't scheduled until
2022-03-19, so while that might be feasible for 22.04.1 it isn't an
option for the 22.04.0 image.  It looks like Fedora moved to nodejs v16
for their Fedora 35 release [0], and plan to adopt OpenSSL 3 for 36 [1],
although they have already run into at least one incompatibility [2].
Anyway, makes me a bit curious about feasibility of (e).

Bryce

[0]: https://fedoraproject.org/wiki/Releases/35/ChangeSet#Node.js_16.x_by_default
[1]: https://fedoraproject.org/wiki/Changes/OpenSSL3.0
[2]: https://www.spinics.net/lists/fedora-devel/msg291957.html


> Cheers,
> Simon
> 
> [0]: https://github.com/nodejs/node/commit/66da32c045035cf2710a48773dc6f55f00e20c40
> [1]: https://github.com/nodejs/node/issues/29817
> [2]: https://github.com/nodejs/TSC/blob/main/OpenSSL-Strategy.md
> [3]: https://github.com/nodejs/node/issues/40106#issuecomment-937718359
> [4]: https://github.com/nodejs/Release#release-schedule
> [5]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989266#10
> 
> -- 
> ubuntu-devel mailing list
> ubuntu-devel at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel



More information about the ubuntu-devel mailing list