On 24 March 2014 22:39, M.-A. Lemburg firstname.lastname@example.org wrote:
On 24.03.2014 13:33, Antoine Pitrou wrote:
Under Linux (and probably OS X too), the _ssl module is linked dynamically with OpenSSL:
$ ldd build/lib.linux-x86_64-2.7-pydebug/_ssl.so
        linux-vdso.so.1 => (0x00007fff3f1de000)
        libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fd8853ea000)
        libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007fd885010000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fd884df1000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd884a2b000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fd884827000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fd885868000)
Right, and it's using the system library, not a private copy - which can be both good and bad depending on how recent the system's library version is.
Even if *we* statically linked OpenSSL on Linux, you can bet distro vendors would switch it back to dynamic linking. Hence the comment in the PEP about vendor-provided OpenSSL updates mitigating some of the concerns on Linux (definitely not all of them though - it's still far too easy for developers to make mistakes and too hard for them to do the right thing from a security perspective).
You also reminded me that I need to dig around for and reference Ned's email about the status of OS X and reference that (OpenSSL upgrades were a casualty of Apple's anti-GPL crusade, so the OS X installers were switched to static linking somewhere along the line).
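The practical question behind this exchange is whether a given Python build picks up the system OpenSSL (and therefore the distro's security updates) or carries a private copy. The script below is an added example, not code from the thread or from CPython: it parses `ldd` output of the kind quoted above into a soname-to-path map, classifies any libssl/libcrypto dependency as a system library or a private copy by its install directory, and can run the same check against the interpreter it is executed with. The sample `ldd` text is constructed from the output Antoine posted; the `ldd` invocation and the `_ssl.__file__` lookup are the only assumptions about the host, and the live check is skipped when either is unavailable (for example in a statically linked build).

```python
"""Check how a Python build's _ssl extension is linked against OpenSSL."""
import re
import ssl
import subprocess

# Constructed sample, modelled on the ldd output quoted in the thread.
SAMPLE_LDD_OUTPUT = """\
        linux-vdso.so.1 => (0x00007fff3f1de000)
        libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fd8853ea000)
        libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007fd885010000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fd884df1000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd884a2b000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fd885868000)
"""

# "soname => /path/to/lib (0xADDRESS)"; lines without a path (vdso, the
# dynamic loader itself) deliberately do not match.
LDD_LINE = re.compile(r"^\s*(\S+)\s*=>\s*(\S+)\s*\(0x[0-9a-f]+\)\s*$")

# Directories that the distro package manager owns on a typical Linux box.
SYSTEM_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")


def parse_ldd(output):
    """Return {soname: resolved_path} for every resolved entry in ldd output."""
    deps = {}
    for line in output.splitlines():
        match = LDD_LINE.match(line)
        if match:
            deps[match.group(1)] = match.group(2)
    return deps


def is_system_path(path):
    """True if the library lives under a distro-managed library directory."""
    return any(path.startswith(d + "/") for d in SYSTEM_LIB_DIRS)


def openssl_linkage(deps):
    """Classify the OpenSSL libraries _ssl depends on.

    Returns {soname: (path, "system" | "private")}.  An empty result means
    no dynamic OpenSSL dependency at all, i.e. OpenSSL is statically linked
    (as with the OS X installers mentioned in the thread) or absent.
    """
    result = {}
    for soname, path in deps.items():
        if soname.startswith(("libssl.so", "libcrypto.so")):
            kind = "system" if is_system_path(path) else "private"
            result[soname] = (path, kind)
    return result


def openssl_at_least(version_info, minimum):
    """Compare ssl.OPENSSL_VERSION_INFO-style tuples (major, minor, fix, ...)."""
    return tuple(version_info[:3]) >= tuple(minimum[:3])


def live_report():
    """Inspect the running interpreter; None for fields that cannot be determined."""
    report = {"openssl_version": ssl.OPENSSL_VERSION, "linkage": None}
    try:
        import _ssl
        path = _ssl.__file__          # missing for built-in/static extensions
        out = subprocess.run(["ldd", path], capture_output=True, text=True,
                             check=True).stdout
        report["linkage"] = openssl_linkage(parse_ldd(out))
    except (ImportError, AttributeError, OSError, subprocess.CalledProcessError):
        pass
    return report


if __name__ == "__main__":
    print("sample build:", openssl_linkage(parse_ldd(SAMPLE_LDD_OUTPUT)))
    print("this interpreter:", live_report())
```

For the sample the classification is "system" for both libssl and libcrypto, which is the situation the thread describes: the build tracks whatever the distro ships, for better or worse. A "private" result (paths under a prefix such as /opt or a virtualenv) means the vendor's OpenSSL updates will not reach that interpreter.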