[Python-checkins] cpython (2.7): Update the deprecated plain text version of the OS X installer

ned.deily python-checkins at python.org
Wed Dec 10 10:07:39 CET 2014


https://hg.python.org/cpython/rev/f359049f5c23
changeset:   93802:f359049f5c23
branch:      2.7
user:        Ned Deily <nad at acm.org>
date:        Wed Dec 10 01:06:57 2014 -0800
summary:
  Update the deprecated plain text version of the OS X installer
readme to match the rtf one and update the installer build
instructions README.

files:
  Mac/BuildScript/README.txt           |  60 ++++-----------
  Mac/BuildScript/resources/ReadMe.txt |  21 +++++-
  2 files changed, 36 insertions(+), 45 deletions(-)


diff --git a/Mac/BuildScript/README.txt b/Mac/BuildScript/README.txt
--- a/Mac/BuildScript/README.txt
+++ b/Mac/BuildScript/README.txt
@@ -8,50 +8,20 @@
 an Installer package from the installation plus other files in ``resources`` 
 and ``scripts`` and placed that on a ``.dmg`` disk image.
 
-For Python 2.7.x and 3.x, PSF practice is to build two installer variants
-for each release.
+This installers built by this script are legacy bundle installers that have
+been supported from the early days of OS X.  In particular, they are supported
+on OS X 10.3.9, the earliest supported release for builds from this script.
 
-Beginning with Python 2.7.9, we plan to drop binary installer support for
-Mac OS X 10.3.9 and 10.4.x systems.  To ease the transition, for Python 2.7.7
-and 2.7.8 there were three installers provided:
+Beginning with Python 2.7.9, PSF practice is to build two installer variants
+using the newer flat package format, supported on 10.5+, and signed with the
+builder's Apple developer key, allowing downloaded packages to satisfy Apple's
+default Gatekeeper policy (e.g. starting with 10.8, Apple store downloads and
+Apple developer ID signed apps and installer packages).  The process for
+transforming the output build artifacts into signed flat packages is not
+yet integrated into ``build-installer.py``.
 
-1.  DEPRECATED - 32-bit-only, i386 and PPC universal, capable on running on all
-    machines supported by Mac OS X 10.3.9 through (at least) 10.9::
-
-        /usr/bin/python build-installer.py \
-            --sdk-path=/Developer/SDKs/MacOSX10.4u.sdk \
-            --universal-archs=32-bit \
-            --dep-target=10.3 
-
-    - builds the following third-party libraries
-
-        * Bzip2
-        * NCurses
-        * GNU Readline (GPL)
-        * SQLite 3.7.13
-        * Zlib 1.2.3
-        * Oracle Sleepycat DB 4.8 (Python 2.x only)
-
-    - requires ActiveState ``Tcl/Tk 8.4`` (currently 8.4.19) to be installed for building
-
-    - recommended build environment:
-        
-        * Mac OS X 10.5.8 PPC or Intel
-        * Xcode 3.1.4
-        * ``MacOSX10.4u`` SDK (later SDKs do not support PPC G3 processors)
-        * ``MACOSX_DEPLOYMENT_TARGET=10.3``
-        * Apple ``gcc-4.0``
-        * bootstrap non-framework Python 2.7 for documentation build with
-          Sphinx (as of 2.7.9)
-
-    - alternate build environments:
-
-        * Mac OS X 10.6.8 with Xcode 3.2.6
-            - need to change ``/System/Library/Frameworks/{Tcl,Tk}.framework/Version/Current`` to ``8.4``
-        * Note Xcode 4.* does not support building for PPC so cannot be used for this build
-
-2.  32-bit-only, i386 and PPC universal, capable on running on all machines
-    supported by Mac OS X 10.5 through (at least) 10.9::
+1.  32-bit-only, i386 and PPC universal, capable on running on all machines
+    supported by Mac OS X 10.5 through (at least) 10.10::
 
         /usr/bin/python  build-installer.py \
             --sdk-path=/Developer/SDKs/MacOSX10.5.sdk \
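Review bot: The new opening paragraph states that 10.3.9 is "the earliest supported release for builds from this script", but this same hunk deletes the 10.3 build variant, and the first remaining variant targets 10.5 through 10.10. Reword the paragraph so the stated floor matches the variants that are still documented. In the same paragraph, "This installers" should read "The installers". Since the signing and flat-package step is described as "not yet integrated into ``build-installer.py``", the README should also say where that manual procedure is written down, because the Gatekeeper behaviour described here depends on it.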
@@ -60,6 +30,7 @@
 
     - builds the following third-party libraries
 
+        * libcrypto and libssl from OpenSSL 1.0.1j
         * NCurses 5.9
         * SQLite 3.7.13
         * Oracle Sleepycat DB 4.8 (Python 2.x only)
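Review bot: The added line hard-codes "OpenSSL 1.0.1j" in the library list for the 10.5 variant, so this README becomes wrong whenever the bundled OpenSSL is next updated. Because this variant ships its own libcrypto and libssl, the version matters for security fixes. Consider naming the build script as the source of truth for the exact version, or adding a note that this line must be updated together with the script.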
@@ -86,7 +57,7 @@
             - need to change ``/System/Library/Frameworks/{Tcl,Tk}.framework/Version/Current`` to ``8.4``
         * Note Xcode 4.* does not support building for PPC so cannot be used for this build
 
-3.  64-bit / 32-bit, x86_64 and i386 universal, for OS X 10.6 (and later)::
+2.  64-bit / 32-bit, x86_64 and i386 universal, for OS X 10.6 (and later)::
 
         /usr/bin/python build-installer.py \
             --sdk-path=/Developer/SDKs/MacOSX10.6.sdk \
@@ -101,6 +72,7 @@
 
     - uses system-supplied versions of third-party libraries
 
+        * libcrypto and libssl from Apple OpenSSL 0.9.8
         * readline module links with Apple BSD editline (libedit)
 
     - requires ActiveState Tcl/Tk 8.5.15 (or later) to be installed for building
@@ -164,7 +136,7 @@
   ``build-installer.py`` for its usage.
 
   Running this script takes some time, it will not only build Python itself
-  but also some 3th-party libraries that are needed for extensions.
+  but also some 3rd-party libraries that are needed for extensions.
 
 * When done the script will tell you where the DMG image is (by default
   somewhere in ``/tmp/_py``).
diff --git a/Mac/BuildScript/resources/ReadMe.txt b/Mac/BuildScript/resources/ReadMe.txt
--- a/Mac/BuildScript/resources/ReadMe.txt
+++ b/Mac/BuildScript/resources/ReadMe.txt
@@ -1,6 +1,12 @@
 This package will install Python $FULL_VERSION for Mac OS X $MACOSX_DEPLOYMENT_TARGET for the following architecture(s): $ARCHITECTURES.
 
 =============================
+Which installer variant should I use?
+=============================
+
+Python.org provides two installer variants for download: one that installs a 64-bit/32-bit Intel Python capable of running on Mac OS X 10.6 (Snow Leopard) or later; and one that installs a 32-bit-only (Intel and PPC) Python capable of running on Mac OS X 10.5 (Leopard) or later.  This ReadMe was installed with the $MACOSX_DEPLOYMENT_TARGET variant.  Unless you are installing to an 10.5 system or you need to build applications that can run on 10.5 systems, use the 10.6 variant if possible.  There are some additional operating system functions that are supported starting with 10.6 and you may see better performance using 64-bit mode.  By default, Python will automatically run in 64-bit mode if your system supports it.  Also see Certificate verification and OpenSSL below.
+
+=============================
 Update your version of Tcl/Tk to use IDLE or other Tk applications
 =============================
 
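Review bot: In the new "Which installer variant should I use?" paragraph, the advice to "use the 10.6 variant if possible" rests only on OS functions and 64-bit performance, while elsewhere in this patch the two variants are shown to link against different OpenSSL versions with different certificate stores. The closing pointer "Also see Certificate verification and OpenSSL below" is easy to miss; consider stating in one clause here that the variants differ in how TLS certificates are verified. Also, "an 10.5 system" should be "a 10.5 system".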
@@ -25,7 +31,20 @@
 [NEW for Python 2.7.9]
 =============================
 
-The Python installer now includes an option to automatically install or upgrade pip, a tool for installing and managing Python packages.  This option is enabled by default and no Internet access is required.  If you do not want the installer to do this, select the Customize option at the Installation Type step and uncheck the Install or ugprade pip option.  For other changes in this release, see the Release Notes link for this release at https://www.python.org/downloads/.
+The Python installer now includes an option to automatically install or upgrade pip, a tool for installing and managing Python packages.  This option is enabled by default and no Internet access is required.  If you do not want the installer to do this, select the Customize option at the Installation Type step and uncheck the Install or upgrade pip option.  For other changes in this release, see the Release Notes link for this release at https://www.python.org/downloads/.
+
+=============================
+Certificate verification and OpenSSL
+[CHANGED for Python 2.7.9]
+=============================
+
+Python 2.7.9 includes a number of network security enhancements that have been approved for inclusion in Python 2.7 maintenance releases.  PEP 476 changes several standard library modules, like httplib, urllib2, and xmlrpclib, to by default verify certificates presented by servers over secure (TLS) connections.  The verification is performed by the OpenSSL libraries that Python is linked to.  Prior to 2.7.9, the python.org installers dynamically linked with Apple-supplied OpenSSL libraries shipped with OS X.  OS X provides a multiple level security framework that stores trust certificates in system and user keychains managed by the Keychain Access application and the security command line utility.
+
+For OS X 10.5, Apple provides OpenSSL 0.9.7 libraries.  This version of Apple's OpenSSL does not use the certificates from the system security framework, even when used on newer versions of OS X.  Instead it consults a traditional OpenSSL concatenated certificate file (cafile) or certificate directory (capath), located in /System/Library/OpenSSL.  These directories are typically empty and not managed by OS X; you must manage them yourself or supply your own SSL contexts.  OpenSSL 0.9.7 is obsolete by current security standards, lacking a number of important features found in later versions.  Among the problems this causes is the inability to verify higher-security certificates now used by python.org services, including the Python Package Index, PyPI.  To solve this problem, as of 2.7.9 the 10.5+ 32-bit-only python.org variant is linked with a private copy of OpenSSL 1.0.1j; it consults the same default certificate directory, /System/Library/OpenSSL.   As before, it is still necessary to manage certificates yourself when you use this Python variant and, with certification verification now enabled by default, you may now need to take additional steps to ensure your Python programs have access to CA certificates you trust.  If you use this Python variant to build standalone applications with third-party tools like py2app, you may now need to bundle CA certificates in them or otherwise supply non-default SSL contexts.
+
+For OS X 10.6+, Apple also provides OpenSSL 0.9.8 libraries.  Apple's 0.9.8 version includes an important additional feature: if a certificate cannot be verified using the manually administered certificates in /System/Library/OpenSSL, the certificates managed by the system security framework In the user and system keychains are also consulted (using Apple private APIs).  For this reason, for 2.7.9 the 64-bit/32-bit 10.6+ python.org variant continues to be dynamically linked with Apple's OpenSSL 0.9.8 since it was felt that the loss of the system-provided certificates and management tools outweighs the additional security features provided by newer versions of OpenSSL.  This will likely change in future releases of the python.org installers as Apple has deprecated use of the system-supplied OpenSSL libraries.  If you do need features from newer versions of OpenSSL, there are third-party OpenSSL wrapper packages available through PyPI.
+
+The bundled pip included with 2.7.9 has its own default certificate store for verifying download connections.
 
 =============================
 Binary installer support for OS X 10.4 and 10.3.9 discontinued
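Review bot: The 10.5 paragraph says the certificate locations under /System/Library/OpenSSL "are typically empty" and that verification is now on by default, but it never says what the user should actually do, so a reader of the 10.5 variant is left with HTTPS connections that fail verification and only the hint to "take additional steps". Add a concrete sentence or two naming the expected cafile or capath location under that directory, or pointing to the documentation for supplying a non-default SSL context. Smaller wording points in the added text: "certification verification" should be "certificate verification", "framework In the user" has a stray capital, "a multiple level security framework" reads better as "a multi-level security framework", and "Apple also provides OpenSSL 0.9.8" in the 10.6+ paragraph leaves unclear what the "also" is in addition to.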

-- 
Repository URL: https://hg.python.org/cpython

