[release/5.0] Should we revert adding libssl3 dependency to enable installation on Ubuntu 22.04? #67986
Comments
dotnet-issue-labeler
bot
added
the
untriaged
|
cc: @bartonjs @dotnet/area-system-security |
|
Jeremy is currently OOF. @GrabYourPitchforks are you able to chime in? |
|
I believe @omajid has seen some related errors as well. |
I agree with this sentiment. It seems like this change isn't helping customers in practice unless we also backport the entirety of our libssl3 support to the 5.0 servicing branches. |
|
EOL for 5.0 is in 3 weeks roughly (May 8, 2022) |
|
The same fix was merged to 3.1 today: dotnet/core-setup#9204 |
|
Hello! Maybe @vcsjones can chime in too? That said:
|
|
cc @mirespace |
We don't have time. The only thing we should decide today is if we have to revert the change or not. |
|
The change enables installation of .NET 5 (and .NET 3.1) on 22.04. Without the change it's impossible to install - almost - there are some workarounds with apt-get and dpkg, but none of them are clean, and leave package manager in broken state. If we do not want to support 3.1 or 5.0 on 22.04, we could revert those two PRs. |
|
(I don't work for Microsoft, and nor for Canonical; I dont even use Ubuntu. Please take my opinions with a grain of salt) I don't think making .NET 5 installable on Ubuntu 22.04 - while major components/features are broken - does our .NET users any favours. We should expect to receive a ton of bugs about .NET being broken. Instead we should simply tell users to use .NET 6 instead and point them to a path to success. .NET Core 3.1 is more complex and I don't have a clear opinion on that yet. Perhaps we should back out the PR for now, evaluate the effort needed to support it fully on Ubuntu 22.04 and revisit in May? |
|
@omajid raises some good points. @NikolaMilosavljevic, are you the right person to decide if we want to keep the change or revert it? |
@vcsjones can chime in! Though, I don't have much to add to what others have said. @omajid appears to have summarized things as I understand them. Only .NET 6+ supports OpenSSL 3 (libcrypto / libssl), so if you are on a linux that has only 3, things aren't going to work. Reverting it though means I think it prevents installation completely, On the other hand, .NET on Linux has a hard dependency on a functioning OpenSSL. We flat out runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.c Lines 143 to 144 in e95a658 So allowing the installation doesn't do a lot of good - many apps will end up with aborted processes if they attempt to do anything related to OpenSSL, such as cryptography or HTTPS / TLS. NuGet package restore wouldn't work. |
I believe, based on @vcsjones comment above, that this should be reverted, and our release notes updated to specify that .NET 5.0 and 3.1 do not support Ubuntu 22.04. |
|
cc @leecow |
|
adding @jeffhandley as owner of area-System.Security -- @bartonjs is out ... |
|
I agree with @NikolaMilosavljevic -- it returns us to a known state, and also the number of customers affected should be small anyway - and support is about to expire for them too. |
|
I also support the proposal from @NikolaMilosavljevic, that we should revert the change, and specify that .NET 5.0 and .NET Core 3.1 do not support Ubuntu 22.04 because there is no overlap in supported versions of OpenSSL between the two installations. The guidance would be to migrate to .NET 6.0 if Ubuntu 22.04 (or OpenSSL 3) is needed. |
carlossanlop
removed
the
untriaged
|
Thank you everyone for your input. We have merged the reverts: 5.0 #67994 @NikolaMilosavljevic do you want to keep this issue open to track adding the documentation as recommended by @jeffhandley, or should we close this? I don't know in which repo we would add such documentation. Maybe somewhere in dotnet/core? |
I think dotnet/core might be the best place for a doc issue. @leecow is that correct? |
|
Yes, content can be added to the known issues docs in the appropriate version track at https://github.com/dotnet/core/tree/main/release-notes. |
Thanks @omajid ! I was OoO, sorry for that. I've read the thread and I think it's the right way too... thanks everyone. |
|
Did I get it right, that it would be impossible to use sdk less than 6 version on the new Ubuntu edition (22.04)? |
|
It's not impossible, it's just not easy or the right thing to do for most users. You could, for example, build OpenSSL 1.1 from source and then install that, and get .NET Core 3.1 to run against that. But that requires building OpenSSL from source, and keeping it up with any security updates/issues that come up. You could, alternatively, find a trusted third party that's providing custom packages for OpenSSL 1.1 for Ubuntu 22.04 and intends to maintain it and then use those packages. The snap packages for 3.1 or 5.0 might work on Ubuntu 22.04, since they bring their own OpenSSL. |
|
For what it's worth, I agree with not installing to a broken state on Ubuntu 22.04. (I only remember seeing PRs for changing the dependencies for main and 6.0... if I signed off on 5.0 or 3.1 I blame vacation-anticipation) If a compat package gets propped up that enables OpenSSL 1.1.1 on Ubuntu 22.04 then things will Just Work... and that, to me, seems like the right answer. (The OSSL3 support work is a bit invasive, and if the Powers That Be ask my opinion on whether it's worth servicing that into 3.1 for its remaining lifetime I'd say no.) |
|
@omajid Yeah, I get it, but it is cumbersome. Moreover I am not sure Ubuntu would work fine with the old version of ssl. I am pretty sure there are lots of projects which are still running on 3.1 and 5 and the level of their complexity doesn't allow to move to the 6 version fast. I also agree with bartonjs, that would great to have a complete solution in one package. Speaking about the snap packages, I couldn't find one for a specific version of dotnet, only for the latest one. |
|
@carlossanlop |
|
I believe so. To use Ubuntu 22.04, you must use .NET 6 or later. cc @richlander for anything he wants to add. |
|
Ah never mind @richlander , I see your post: dotnet/core#7038 (comment) |
ghost
locked as resolved and limited conversation to collaborators
@NikolaMilosavljevic @jkoritzinsky @danmoseley @leecow @mmitche
This merged servicing PR #67862 is introducing a change that would add libssl3 as one of the allowed versions of libssl that could work as dependencies for installing .NET 5.0 in Ubuntu 22.04.
The problem with this change is that if the only version installed in that Ubuntu version, is indeed libssl3, then nothing that depends on SSL would work. This is because we don't have SSL 3 support in .NET 5.0 - @jkoritzinsky please correct me if I explained this incorrectly.
The concern here is that if we had to add libssl3 in the first place to unblock people that couldn't install .NET 5.0 in Ubuntu 22.04 due to the package manager not being able to find the missing dependency, then it means that the only version of SSL installed in that machine was libssl3 (or probably none was installed). So how exactly are customers being helped?
Maybe the right approach would be to tell those customers to install a version of libssl that 5.0 supports, or just upgrade to a newer .NET version.
Thoughts? We need to make a decision soon.
The text was updated successfully, but these errors were encountered: