<html><head><style>body{font-family:Helvetica,Arial;font-size:13px}</style></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">We assume nobody has it installed, which is why the wheel statically links it. It, unfortunately, shifts the upgrade burden to "remember to upgrade your python package", but there's no way around that.</div> <div id="bloop_sign_1453501581932948224" class="bloop_sign"><div style="font-family:helvetica,arial;font-size:13px"><br></div></div><p class="airmail_on">On January 22, 2016 at 4:25:46 PM, Ron Frederick (<a href="mailto:ronf@timeheart.net">ronf@timeheart.net</a>) wrote:</p> <blockquote type="cite" class="clean_bq"><span><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div></div><div>
<div>Gotcha, thanks.</div>
<div><br class=""></div>
<div>On my OS X system, I have 1.0.2e installed from MacPorts, but
I imagine many Mac users don’t.</div>
<div><br class=""></div>
<div>On Jan 22, 2016, at 2:21 PM, Alex Gaynor <<a href="mailto:alex.gaynor@gmail.com" class="">alex.gaynor@gmail.com</a>> wrote:<br class="">
<blockquote type="cite" class="">
<div class="">
<div dir="ltr" class="">Uhhh, sorry, which includes OpenSSL
*1.0.2*.
<div class=""><br class=""></div>
<div class="">Alex</div>
</div>
<div class="gmail_extra"><br class="">
<div class="gmail_quote">On Fri, Jan 22, 2016 at 5:21 PM, Alex
Gaynor <span dir="ltr" class="">&lt;<a href="mailto:alex.gaynor@gmail.com" target="_blank" class="">alex.gaynor@gmail.com</a>&gt;</span> wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr" class="">On OS X and Windows we distribute a
Cryptography wheel which includes OpenSSL 0.9.8.
<div class=""><br class=""></div>
<div class="">Alex</div>
</div>
<div class="gmail_extra"><br class="">
<div class="gmail_quote">
<div class="">
<div class="h5">On Fri, Jan 22, 2016 at 5:19 PM, Ron Frederick
<span dir="ltr" class="">&lt;<a href="mailto:ronf@timeheart.net" target="_blank" class="">ronf@timeheart.net</a>&gt;</span>
wrote:<br class=""></div>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="">
<div class="h5">
<div style="word-wrap:break-word" class="">
<div class="">What impact will this have on MacOS systems? Even the
latest MacOS El Capitan (10.11.3) is still back on OpenSSL
0.9.8zg from 14 July 2015 for the /usr/bin/openssl binary. They
ship with a version of libressl for use by OpenSSH (OpenSSH_6.9p1,
LibreSSL 2.1.8), but I don’t know if that library is available for
other applications or libraries to use.</div>
<div class=""><br class=""></div>
<div class=""><span class="">On Jan 22, 2016, at 1:58 PM, Alex
Gaynor &lt;<a href="mailto:alex.gaynor@gmail.com" target="_blank" class="">alex.gaynor@gmail.com</a>&gt; wrote:<br class=""></span>
<blockquote type="cite" class="">
<div class="">
<div dir="ltr" class=""><span class="">Hi all,</span>
<div class=""><span class=""><br class=""></span></div>
<div class=""><span class="">I'd like to propose we deprecate
support for OpenSSL 0.9.8 in our next release, and remove support
in the release after (we already emit warnings in our current
release, so this is consistent with our schedule).</span></div>
<div class=""><span class=""><br class="">
Rationale: OpenSSL 0.9.8 is old, does not support modern web
security (e.g. no TLS 1.2), and supporting it adds complexity, in
the form of hundreds of additional lines of code and configuration
options.</span></div>
<div class=""><span class=""><br class=""></span></div>
<div class=""><span class="">Supporting data: As of pip 8 (released
this week, already used for something like 1/3 of PyPI downloads),
the user agent of pip includes the system's OpenSSL version.
Looking at the data (excluding Windows and OS X, since on those
platforms we include OpenSSL 1.0.2 in our wheels), the overall
distribution is:</span></div>
<div class=""><span class=""><br class=""></span></div>
<div class=""><br class="">
<div class=""><br class=""></div>
<div class=""><span class="">Indicating that OpenSSL 0.9.8 on Linux
represents less than 1% of all installations.</span></div>
<div class=""><span class=""><br class=""></span></div>
<div class=""><span class="">Looking at per-package data, here are
the percent of downloads using OpenSSL 0.9.8 for some relevant
packages:</span></div>
<div class=""><span class=""><br class=""></span></div>
<div class=""><span class=""><span style="font-family:Arial,sans-serif;font-size:13px;line-height:25px;white-space:nowrap" class="">- unidecode: </span><span style="font-family:Arial,sans-serif;font-size:13px;line-height:25px;text-align:right;white-space:nowrap" class="">7.6% (This is the package with the highest percent of
0.9.8 users)</span></span></div>
<div class=""><span style="font-family:Arial,sans-serif;font-size:13px;line-height:25px;text-align:right;white-space:nowrap" class="">- rsa: 3.3%</span></div>
<div class=""><span style="font-family:Arial,sans-serif;font-size:13px;line-height:25px;text-align:right;white-space:nowrap" class="">- </span><span style="font-family:Arial,sans-serif;font-size:13px;line-height:25px;white-space:nowrap" class="">pyasn1: 2.2%</span></div>
<div class=""><span style="font-family:Arial,sans-serif;font-size:13px;line-height:25px;white-space:nowrap" class="">- requests: 1.6%</span></div>
<div class=""><span style="font-family:Arial,sans-serif;font-size:13px;line-height:25px;white-space:nowrap" class="">- pycrypto: 0.8%</span></div>
<div class=""><span style="font-family:Arial,sans-serif;font-size:13px;line-height:25px;white-space:nowrap" class="">- pip: 0.6%</span></div>
<div class=""><span style="font-family:Arial,sans-serif;font-size:13px;line-height:25px;white-space:nowrap" class="">- </span><span style="font-family:Arial,sans-serif;font-size:13px;line-height:25px;white-space:nowrap" class="">pyopenssl: 0.4%</span></div>
<div class=""><span style="font-family:Arial,sans-serif;font-size:13px;line-height:25px;white-space:nowrap" class="">- </span><span style="font-family:Arial,sans-serif;font-size:13px;line-height:25px;white-space:nowrap" class="">letsencrypt-apache: 0.3%</span></div>
<div class=""><span style="font-family:Arial,sans-serif;font-size:13px;line-height:25px;white-space:nowrap" class="">- </span><span style="font-family:Arial,sans-serif;font-size:13px;line-height:25px;white-space:nowrap" class="">cryptography: 0.3%</span></div>
<div class=""><span style="font-family:Arial,sans-serif;font-size:13px;line-height:25px;white-space:nowrap" class=""><br class=""></span></div>
<div class=""><span style="font-family:Arial,sans-serif;font-size:13px;line-height:25px;white-space:nowrap" class=""><br class=""></span></div>
<div class=""><span style="font-family:Arial,sans-serif;font-size:13px;line-height:25px;white-space:nowrap" class="">I think these numbers are low enough that we can safely
drop OpenSSL 0.9.8 support.</span></div>
<div class=""><span style="font-family:Arial,sans-serif;font-size:13px;line-height:25px;white-space:nowrap" class=""><br class=""></span></div>
<div class=""><font face="Arial, sans-serif" class=""><span style="line-height:25px;white-space:nowrap" class="">Platforms
specifically known to be affected:</span></font></div>
<div class=""><font face="Arial, sans-serif" class=""><span style="line-height:25px;white-space:nowrap" class="">- RHEL/CentOS 5 and
older</span></font></div>
<div class=""><font face="Arial, sans-serif" class=""><span style="line-height:25px;white-space:nowrap" class="">- Debian Squeeze
(based on OpenSSL version, this is where most of the affected users
will be).</span></font></div>
<div class=""><font face="Arial, sans-serif" class=""><span style="line-height:25px;white-space:nowrap" class=""><br class=""></span></font></div>
<div class=""><font face="Arial, sans-serif" class=""><span style="line-height:25px;white-space:nowrap" class=""><br class=""></span></font></div>
<div class=""><font face="Arial, sans-serif" class=""><span style="line-height:25px;white-space:nowrap" class="">Thoughts? Will you
be affected by this?</span></font></div>
<div class="">Alex<br class=""></div>
<div class=""><br class=""></div>
--<br class="">
<div class="">
<div dir="ltr" class="">"I disapprove of what you say, but I will
defend to the death your right to say it." -- Evelyn Beatrice Hall
(summarizing Voltaire)<br class="">
"The people's good is the highest law." -- Cicero<br class="">
<div class="">GPG Key fingerprint: 125F 5C67 DFE9 4084</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<div class="">
<div class=""><span class="Apple-style-span" style="border-collapse: separate; line-height: normal; border-spacing: 0px;">
-- </span></div>
<div class=""><span class="Apple-style-span" style="border-collapse: separate; line-height: normal; border-spacing: 0px;">
Ron Frederick</span></div>
<div class=""><span class="Apple-style-span" style="border-collapse: separate; line-height: normal; border-spacing: 0px;">
<a href="mailto:ronf@timeheart.net" class="">ronf@timeheart.net</a></span></div>
<div class=""><span class="Apple-style-span" style="border-collapse: separate; line-height: normal; border-spacing: 0px;">
<br class=""></span></div>
<br class="Apple-interchange-newline"></div>
<br class="">
_______________________________________________
<br>Cryptography-dev mailing list
<br>Cryptography-dev@python.org
<br>https://mail.python.org/mailman/listinfo/cryptography-dev
<br></div></div></span></blockquote></body></html>