In our current packages of OVMF, we've been embedding a specific version of OpenSSL which is used during the building process, just like upstream edk2 does. We should implement a cleaner solution, using a version which is supported by the distribution and the security team.
From the internal discussion it sounds like we are roughly keeping the current packaging state, but with a goal of improved tooling to simplify pulling in new openssl versions from fedora dist-git. That's just an optimization though and not something that needs to be explicitly tracked, so I think we can close this. Please reopen if I misunderstood
Yeah, the specific version is now taken from Fedora and edk2 updates in Fedora are gated on the OpenSSL package having the desired version. We're also applying Fedora patches.