LTS planning #5120
We are now less than a year away from EOL for 1.1.0; it's clear that it's not the version to use for anything meaningful. But, we're also now less than 2 years away from 1.0.2 EOL, which makes it difficult for those of us looking at longer time horizons to plan.
To give you some insight into the Node.js dilemma:
So, the dilemma is what to do about OpenSSL support?
I'm acutely aware of the difficulty of roadmaps in open source software, and I hope this doesn't come off as entitled or rude. I'm genuinely grateful for the current team's work on OpenSSL and think you've done an amazing job at modernising both the code and the policies surrounding the project. Even the fact that the project has got to a place where we can have such a conversation as this is awesome.
Perhaps someone could provide additional insight into the thinking behind OpenSSL LTS planning, or whether there's even been much discussion about this? If not, I'd like to suggest that accelerating such a discussion would be of benefit to downstream users that are looking at a rapidly closing support window and need to do planning beyond that window.
We did discuss this issue at our f2f meeting in December but unfortunately we did not come to a conclusion on it. Thanks for raising it again.
As one more thing to consider (and I know this isn't really a solution to your main problem): 1.1.1 will be fully API and ABI compatible with 1.1.0 - so starting with 1.1.0 and later moving to 1.1.1 should not cause you any problems (with some caveats around TLSv1.3 behaviour explained in my blog post https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/).
FYI I've proposed a formal OpenSSL policy for Node.js, along with details about how we use it. The context here is around planning for Node.js 10 which is due out in April.
This proposal does note that TLS 1.3 is due to be finalised in March
As things stand though, here's the relevant part of the proposal. I'd love to hear if there's anything you can help us clarify that might adjust our position.
OpenSSL LTS support timing, the lack of OpenSSL LTS planning and the lack of a clear timeframe for a new FIPS module complicate Node.js 10.
As of the time of writing, the strategy for OpenSSL with Node.js 10 is:
ABI and API compatibility cannot be guaranteed in a switch from 1.1.0 to 1.1.1 although, as previously mentioned, the OpenSSL team have signaled their intention for this to be the case. The Node.js team should work with the OpenSSL team to ensure this is the case and smooth the upgrade path.
The lack of FIPS support is unfortunate, however, unless a new FIPS module takes an inordinate amount of time, Node.js users requiring FIPS support should be able to use Node.js 8 and switch to a future Node.js version that supports the new FIPS module (ideally Node.js 12).
This strategy must be communicated to users of Node.js 10 early and often. There is potential for instability and a change in default OpenSSL version is unprecedented and therefore unexpected. The potential for breaking API and/or ABI may also cause disruption, potentially requiring an increment of
That is our policy and intention. It would be good if the Node.js team were able to test the pre-release 1.1.1 versions to confirm that we haven't inadvertently broken something. Note also that the introduction of TLSv1.3 support does imply some potential configuration issues (see: https://www.openssl.org/blog/blog/2018/02/08/tlsv1.3/; the ciphersuites issue mentioned in that blog is being addressed in #5392).
Working on it, nodejs/node#18770. We can compile without any changes on top of our 1.1.0 support so