- Package: release.debian.org
- Source: release.debian.org
- Submitter: Sebastian Andrzej Siewior
- Date: 2026-06-16 22:43:01 UTC
- Severity: normal

Dear release team,

I aim for an OpenSSL transition :) The so-version changes from 3 to 4 as a result of the ABI change. The main changes are:

- The ENGINE API goes away. The "Provider mechanism" (available since 3.0) is the replacement. There are three engines in tree: libengine-gost-openssl, libengine-pkcs11-openssl, libengine-tpm2-tss-openssl. The former two seem to provide a matching provider. The latter is probably replaced by tpm2-openssl. The build failure for non-engine code is the attempt to use a possibly available engine (which fails to link since the code is gone).
- ASN1_STRING has been made opaque. This seems to cause the most compile failures.

There is a blog post
https://openssl-library.org/post/2026-04-14-openssl-40-final-release/

The long-term plan is to switch to 4.0 and then to 4.2, which should be released around April and will be LTS. So Forky would have an LTS supported release, see
https://openssl-library.org/post/2026-05-07-future-release/

There are approx 1k packages involved. I did a mass rebuild and opened a few bugs:
https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=openssl-4.0;users=pkg-openssl-devel@lists.alioth.debian.org
https://udd.debian.org/cgi-bin/bts-usertags.cgi?user=pkg-openssl-devel@lists.alioth.debian.org&tag=openssl-4.0

I also made a summary, it might be easier to track:
https://breakpoint.cc/openssl-rebuild/logs-4/

A bit of explanation of the last URL: Red means it did not build against v4 but it built against the current v3.6. Those have matching bug links and three build logs (two attempted for v4 and one success for v3). If the bug has been closed in the archive then the text changes open->closed. A bit further down, there is the black category. These packages I did not manage to build. Either because apt couldn't satisfy the build dependencies or because they do not build on amd64. Then there is the brown category. Here the build started and failed later. Sometimes it is a generic issue, sometimes it mysteriously passes on the buildds ¯\_(ツ)_/¯

I would like to know what the release thinks about this and what the requirements are before it can be started. I would also have to go off grid in mid July-August ;)

The auto-Ben file in the transition tracker includes additionally the udebs and looks fine. Below the one from the report-bug tool.

Ben file:

title = "openssl";
is_affected = .depends ~ "libssl3t64" | .depends ~ "libssl4";
is_good = .depends ~ "libssl4";
is_bad = .depends ~ "libssl3t64";

Sebastian
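
As an added example (not part of the bug report and not Ben's own code), the Python below applies the three expressions from the Ben file above to dpkg control stanzas, so the state of each binary package during the libssl3t64 to libssl4 move can be checked locally. It assumes that `~` with a quoted string behaves as a substring match on the Depends field; the sample stanzas and their package names are constructed.

```python
import re

# Package names taken from the Ben file in the report.
OLD, NEW = "libssl3t64", "libssl4"

# Constructed sample in dpkg control format; the package names are made up.
SAMPLE = """\
Package: example-client
Depends: libc6 (>= 2.38), libssl3t64 (>= 3.0.0)

Package: example-server
Depends: libc6 (>= 2.38),
 libssl4 (>= 4.0.0)

Package: example-docs
Architecture: all

Package: example-mixed
Depends: libssl3t64 | libssl4
"""

def parse_stanzas(text):
    """Yield one dict per control stanza, folding continuation lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += " " + line.strip()
            elif ":" in line:
                key, value = line.split(":", 1)
                key = key.strip().lower()
                fields[key] = value.strip()
        if "package" in fields:
            yield fields

def classify(stanza):
    """Evaluate is_affected / is_good / is_bad on the Depends field."""
    depends = stanza.get("depends", "")
    good = NEW in depends  # assumption: `~ "text"` behaves as a substring match
    bad = OLD in depends
    if not (good or bad):  # is_affected is false
        return "unaffected"
    if good and bad:
        return "mixed"     # this example's label, not Ben terminology
    return "good" if good else "bad"

def report(text):
    return {s["package"]: classify(s) for s in parse_stanzas(text)}

if __name__ == "__main__":
    for name, state in report(SAMPLE).items():
        print(f"{state:10} {name}")
```

Passing the contents of `/var/lib/dpkg/status` to `report()` lists the installed packages that still depend on the old library.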
April 2027?

The alternative would be to defer this transition to duke and downgrade forky to 3.5 (same as in trixie), which is an LTS release supported until April 2030.

This is not a one-off issue: OpenSSL plans to have new LTS releases every second year in April, always in our release years.

cu
Adrian