openssl: 3.0.8 -> 3.1.0

[ajs124]

Description of changes

https://www.openssl.org/news/openssl-3.1-notes.html

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 23.05 Release Notes (or backporting 22.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

[vcunat]

I can't see anything risky in changelog: https://www.openssl.org/news/cl31.txt
so perhaps we could just stage it without extensive testing.

[ajs124]

According to https://www.openssl.org/policies/releasestrat.html:

Version 3.1 will be supported until 2025-03-14
Version 3.0 will be supported until 2026-09-07 (LTS).

So maybe we actually want to stick with 3.0.x?

[mweinelt]

I don't think we should stick with it.

Maybe we should keep it around, but I'm not sure yet who its consumers might be.

Let's wait until someone complains? A version we track is something we have to clean up at some point, so the fewer things we track the better.

[mweinelt]

@ofborg eval

[ajs124]

Well, ibm-sw-tpm2 fails to build, which is an issue since systemd depend on it through tpm2-tss.

My argument for sticking with 3.0.x boils down to "it's an LTS release". Apparently that gives us 1.5 more years to switch to the next minor (or mayor) release.

[tomberek]

don't think we should stick with it.

Agreed, there shouldn't be a need for both 3.0 and 3.1.

Well, ibm-sw-tpm2 fails to build, which is an issue since systemd depend on it through tpm2-tss.

The failure seems to be with ibm-sw-tpm2 not being updated to understand the newer openssl version. Please see (kgoldman/ibmswtpm2@15501bf) and any relevant Nixpkgs bump.

[ajs124]

Personally, I intend to keep OpenSSL on LTS releases, because even updating it to those is more than enough effort (see e.g. #150093 and #210452).

If anyone sees real value in being on 3.1 (or any other non-LTS release) instead of 3.0 (or a future LTS release) and is willing to put in the work for this to actually work in nixpkgs… well, they can go ahead and do that, but tbh I'll probably stop trying to work on OpenSSL in nixpkgs, because those efforts will probably just end up like what lead to #215109.