[pypy-dev] pypy 5.10 release

[Nathaniel Smith]

On Wed, Jan 3, 2018 at 8:50 PM, Matti Picus <matti.picus at gmail.com> wrote:
> On 1/4/2018 3:15 AM, Nathaniel Smith wrote:
>> None of Linux, Windows, or MacOS provide reasonable pre-existing
>> OpenSSL installs you can use. So it seems to me that if PyPy's going
>> to ship any binaries at all and take that seriously, then it's going
>> to have to ship OpenSSL (or LibreSSL), and do whatever security
>> updates you all decide make sense.
>>
>> It's also probably not worth spending a lot of time trying to figure
>> out how to avoid doing security updates for pypy2 on MacOS, if you're
>> still going to have to do them for other binaries on other platforms.
>>
>> -n
>>
> Let's leave libffi out of the discussion, I assume there is no objection to
> statically linking to it.
>
> As for OpenSSL/LibreSSL the situation is not straight-forward. Here is my
> assessment, please correct me if I am wrong.
>
> In windows, both PyPy and CPython statically link to OpenSSL
>
> In linux, PyPy and CPython use the platform OpenSSL.

This depends on how PyPy/CPython is distributed. If you're getting
them from your distro, then they use the distro OpenSSL. CPython
doesn't have any official binary releases on Linux, so for them that's
the end of the story. If you're happy with telling Linux users that
they need to get their PyPy from their distro, then maybe that's the
end of the story for you too.

But, I think there are a lot of advantages to PyPy providing pre-built
binaries for Linux that work across distros, and if you want to do
that, then you have to ship your own OpenSSL. This is how Squeaky's
portable builds work.

> On macosx, _ssl cffi (as of the first release v5.10) uses a
> statically-linked LibreSSL with a patch for python3, and on python2 AFAICT
> both CPython and PyPy use a platform library, not clear to me which one.
>
> What does CPython do for macosx python3?

It ships a recent OpenSSL as part of the release.

-n

-- 
Nathaniel J. Smith -- https://vorpus.org