OpenSSL and OS updates
As we get close to the Python 3.7.0 release, I have been paying more attention to the buildbots and I have noticed that quite a few are currently skipping building some of the standard library modules due to version incompatibilities, i.e Python now needs a newer version than a older OS version provides. This is particularly true for OpenSSL, which as of 3.7.0, now requires OpenSSL 1.0.2 or 1.1.x. These days it's pretty critical that we be building and testing ssl support as network best practices have changed pretty rapidly and dramatically.
Along with that, there have been some major LTS support releases over the past year or so that provide these newer versions of OpenSSL. In particular, Debian has released Debian 9 (stretch) as the current stable release. And the latest Ubuntu LTS release is 18.04 (bionic beaver). Both of these have suitable OpenSSL's and more. If you are hosting a buildbot on a Debian or Ubuntu system, it would be great if you could consider upgrading.
And for all buildbot owners, if you do happen to notice that key modules are not getting built, like _ssl, let us know and we can try to resolve the problem. (Depending on the release branch, there will be a few that are not expected to build on many platforms like "ossaudiodev" and "spwd". These can be ignored.)
From the release team, a very big thank you for your generosity in hosting the Python buildbots in your environments! The feedback they provide helps to ensure that Python continues to work on the amazingly broad range of platforms our users expect.
https://docs.python.org/3.7/whatsnew/3.7.html#ssl
-- Ned Deily nad@python.org -- []
Hey Ned,
Noticed the OSX buildbot I'm running is linking to homebrew ssl 1.0.0 -- not ideal -- the distributed python bundles openssl now does it not?
mattb-mbp2:build buildbot$ pwd /Users/buildbot/buildarea/3.x.billenstein-sierra/build
mattb-mbp2:build buildbot$ otool -L build/lib.macosx-10.13-x86_64-3.8-pydebug/_ssl.cpython-38dm-darwin.so build/lib.macosx-10.13-x86_64-3.8-pydebug/_ssl.cpython-38dm-darwin.so: /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0) /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0) /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.50.4)
m
On Sun, May 27, 2018 at 04:57:01AM -0400, Ned Deily wrote:
As we get close to the Python 3.7.0 release, I have been paying more attention to the buildbots and I have noticed that quite a few are currently skipping building some of the standard library modules due to version incompatibilities, i.e Python now needs a newer version than a older OS version provides. This is particularly true for OpenSSL, which as of 3.7.0, now requires OpenSSL 1.0.2 or 1.1.x. These days it's pretty critical that we be building and testing ssl support as network best practices have changed pretty rapidly and dramatically.
Along with that, there have been some major LTS support releases over the past year or so that provide these newer versions of OpenSSL. In particular, Debian has released Debian 9 (stretch) as the current stable release. And the latest Ubuntu LTS release is 18.04 (bionic beaver). Both of these have suitable OpenSSL's and more. If you are hosting a buildbot on a Debian or Ubuntu system, it would be great if you could consider upgrading.
And for all buildbot owners, if you do happen to notice that key modules are not getting built, like _ssl, let us know and we can try to resolve the problem. (Depending on the release branch, there will be a few that are not expected to build on many platforms like "ossaudiodev" and "spwd". These can be ignored.)
From the release team, a very big thank you for your generosity in hosting the Python buildbots in your environments! The feedback they provide helps to ensure that Python continues to work on the amazingly broad range of platforms our users expect.
https://docs.python.org/3.7/whatsnew/3.7.html#ssl
-- Ned Deily nad@python.org -- []
Python-Buildbots mailing list Python-Buildbots@python.org https://mail.python.org/mailman/listinfo/python-buildbots
-- Matt Billenstein matt@vazor.com http://www.vazor.com/
On May 29, 2018, at 15:58, Matt Billenstein <matt@vazor.com> wrote:
Noticed the OSX buildbot I'm running is linking to homebrew ssl 1.0.0 -- not ideal -- the distributed python bundles openssl now does it not?
mattb-mbp2:build buildbot$ pwd /Users/buildbot/buildarea/3.x.billenstein-sierra/build
mattb-mbp2:build buildbot$ otool -L build/lib.macosx-10.13-x86_64-3.8-pydebug/_ssl.cpython-38dm-darwin.so build/lib.macosx-10.13-x86_64-3.8-pydebug/_ssl.cpython-38dm-darwin.so: /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0) /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0) /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.50.4)
Matt,
In the OpenSSL case, the library file name does not tell you what version of OpenSSL is actually being used. AFAIK, all recent versions use 1.0.0 in the file name I believe because they *may* be ABI compatible, not that I would bet the ranch on it. A better way to tell is to look at the output of the relatively new (and cool - thank you, Victor!) "pythoninfo" buildbot build step which runs a script that records the values of various things including the OpenSSL version that the built Python links to. For your macOS Sierra buildbots for 3.x and 3.7, I see:
ssl.OPENSSL_VERSION: OpenSSL 1.0.2o 27 Mar 2018 ssl.OPENSSL_VERSION_INFO: (1, 0, 2, 15, 15)
(for example, from http://buildbot.python.org/all/#/builders/14/builds/1056/steps/3/logs/stdio )
So all is cool by you :)
Thanks for checking!
-- Ned Deily nad@python.org -- []
participants (2)
-
Matt Billenstein
-
Ned Deily