After OpenSSL 3.5, non-LTS versions will have quite reduced support duration (details)

Also notable is the pre-announcement of the next major version in April 2026.
While we've been banking on the promised ABI-compatibility across the 3.x series (successfully so far), other players (e.g. Anaconda) have chosen to stay on the LTS version. We could certainly keep the current flow going for 3.6, but 4.0 might put us in an awkward spot there.
The OpenSSL 3.0 migration took quite a while to finish (16 months between conda-forge/conda-forge-pinning-feedstock#1896 and conda-forge/conda-forge-pinning-feedstock#3892), and we've had dual builds during all that time. While it's reasonable to assume that there will be less breakage from 3->4 than from 1.1.1->3 (which was a major rewrite), it still takes the ecosystem quite a while to adapt to such changes.
I think a better plan would be to keep the pinning on OpenSSL 3.5 (once 3.6 comes out), and then wait 6-12 months after the release of 4.0 before we try migrating that. Much depends on the details of 4.0 resp. its features and breaking changes, but I thought I'd open this well before we start producing packages with `openssl>=3.6` constraints, which would then be stuck without support unless we migrate to 4.0 very quickly.