[Python-checkins] cpython (3.5): Updates to the OS X installer for 3.5.0b3:

ned.deily python-checkins at python.org
Sat Jul 4 08:55:59 CEST 2015 

https://hg.python.org/cpython/rev/212a436483d6
changeset:   96796:212a436483d6
branch:      3.5
parent:      96794:bbf4e35ed69e
user:        Ned Deily <nad at acm.org>
date:        Fri Jul 03 23:53:51 2015 -0700
summary:
  Updates to the OS X installer for 3.5.0b3:
- update installer ReadMe file
- suppress installer per-file byte-compilation messages to system log
- speed up installer byte-compilation
- isolate ensurepip install from user site-packages

files:
  Mac/BuildScript/resources/ReadMe.rtf         |  69 +++++++++-
  Mac/BuildScript/scripts/postflight.ensurepip |  10 +-
  Mac/BuildScript/scripts/postflight.framework |  16 +-
  3 files changed, 80 insertions(+), 15 deletions(-)


diff --git a/Mac/BuildScript/resources/ReadMe.rtf b/Mac/BuildScript/resources/ReadMe.rtf
--- a/Mac/BuildScript/resources/ReadMe.rtf
+++ b/Mac/BuildScript/resources/ReadMe.rtf
@@ -1,4 +1,4 @@
-{\rtf1\ansi\ansicpg1252\cocoartf1347\cocoasubrtf570
+{\rtf1\ansi\ansicpg1252\cocoartf1348\cocoasubrtf170
 {\fonttbl\f0\fswiss\fcharset0 Helvetica;\f1\fmodern\fcharset0 CourierNewPSMT;}
 {\colortbl;\red255\green255\blue255;}
 \margl1440\margr1440\vieww13380\viewh14600\viewkind0
@@ -24,7 +24,7 @@
 \i0  variant.  Unless you are installing to an 10.5 system or you need to build applications that can run on 10.5 systems, use the 10.6 variant if possible.  There are some additional operating system functions that are supported starting with 10.6 and you may see better performance using 64-bit mode.  By default, Python will automatically run in 64-bit mode if your system supports it.  Also see 
 \i Certificate verification and OpenSSL
 \i0  below.  The Pythons installed by these installers are built with private copies of some third-party libraries not included with or newer than those in OS X itself.  The list of these libraries varies by installer variant and is included at the end of the License.rtf file.
-\b \ul \ulc0 \
+\b \ul \
 \
 Update your version of Tcl/Tk to use IDLE or other Tk applications
 \b0 \ulnone \
@@ -36,6 +36,71 @@
 \i0  for this version of Python and of Mac OS X.\
 
 \b \ul \
+Certificate verification and OpenSSL\
+
+\b0 \ulnone \
+Python 3.5 includes a number of network security enhancements that were released in Python 3.4.3 and Python 2.7.10.  {\field{\*\fldinst{HYPERLINK "https://www.python.org/dev/peps/pep-0476/"}}{\fldrslt PEP 476}} changes several standard library modules, like 
+\i httplib
+\i0 , 
+\i urllib
+\i0 , and 
+\i xmlrpclib
+\i0 , to by default verify certificates presented by servers over secure (TLS) connections.  The verification is performed by the OpenSSL libraries that Python is linked to.  Prior to 3.4.3, both python.org installers dynamically linked with Apple-supplied OpenSSL libraries shipped with OS X.  OS X provides a multiple level security framework that stores trust certificates in system and user keychains managed by the 
+\i Keychain Access 
+\i0 application and the 
+\i security
+\i0  command line utility.\
+\
+For OS X 10.5, Apple provides 
+\i OpenSSL 0.9.7
+\i0  libraries.  This version of Apple's OpenSSL 
+\b does not
+\b0  use the certificates from the system security framework, even when used on newer versions of OS X.  Instead it consults a traditional OpenSSL concatenated certificate file (
+\i cafile
+\i0 ) or certificate directory (
+\i capath
+\i0 ), located in 
+\f1 /System/Library/OpenSSL
+\f0 .  These directories are typically empty and not managed by OS X; you must manage them yourself or supply your own SSL contexts.  OpenSSL 0.9.7 is obsolete by current security standards, lacking a number of important features found in later versions.  Among the problems this causes is the inability to verify higher-security certificates now used by python.org services, including 
+\i t{\field{\*\fldinst{HYPERLINK "https://pypi.python.org/pypi"}}{\fldrslt he Python Package Index, PyPI}}
+\i0 .  To solve this problem, the 
+\i 10.5+ 32-bit-only python.org variant
+\i0  is linked with a private copy of 
+\i OpenSSL 1.0.2
+\i0 ; it consults the same default certificate directory, 
+\f1 /System/Library/OpenSSL
+\f0 .   As before, it is still necessary to manage certificates yourself when you use this Python variant and, with certificate verification now enabled by default, you may now need to take additional steps to ensure your Python programs have access to CA certificates you trust.  If you use this Python variant to build standalone applications with third-party tools like {\field{\*\fldinst{HYPERLINK "https://pypi.python.org/pypi/py2app/"}}{\fldrslt 
+\f1 py2app}}, you may now need to bundle CA certificates in them or otherwise supply non-default SSL contexts.\
+\
+For OS X 10.6+, Apple also provides 
+\i OpenSSL
+\i0  
+\i 0.9.8 libraries
+\i0 .  Apple's 0.9.8 version includes an important additional feature: if a certificate cannot be verified using the manually administered certificates in 
+\f1 /System/Library/OpenSSL
+\f0 , the certificates managed by the system security framework In the user and system keychains are also consulted (using Apple private APIs).  For this reason, the 
+\i 64-bit/32-bit 10.6+ python.org variant
+\i0  continues to be dynamically linked with Apple's OpenSSL 0.9.8 since it was felt that the loss of the system-provided certificates and management tools outweighs the additional security features provided by newer versions of OpenSSL.  This will likely change in future releases of the python.org installers as Apple has deprecated use of the system-supplied OpenSSL libraries.  If you do need features from newer versions of OpenSSL, there are third-party OpenSSL wrapper packages available through 
+\i PyPI
+\i0 .\
+\
+The bundled 
+\f1 pip
+\f0  included with the Python 3.5 installers has its own default certificate store for verifying download connections.\
+\
+
+\b \ul Other changes\
+
+\b0 \ulnone \
+\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\pardirnatural
+\cf0 For other changes in this release, see the 
+\i What's new
+\i0  section in the {\field{\*\fldinst{HYPERLINK "https://www.python.org/doc/"}}{\fldrslt Documentation Set}} for this release and its 
+\i Release Notes
+\i0  link at {\field{\*\fldinst{HYPERLINK "https://www.python.org/downloads/"}}{\fldrslt https://www.python.org/downloads/}}.\
+\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\pardirnatural
+
+\b \cf0 \ul \
 Python 3 and Python 2 Co-existence\
 
 \b0 \ulnone \
diff --git a/Mac/BuildScript/scripts/postflight.ensurepip b/Mac/BuildScript/scripts/postflight.ensurepip
--- a/Mac/BuildScript/scripts/postflight.ensurepip
+++ b/Mac/BuildScript/scripts/postflight.ensurepip
@@ -10,15 +10,15 @@
 
 umask 022
 
-"${FWK}/bin/python${PYVER}" -m ensurepip --upgrade
+"${FWK}/bin/python${PYVER}" -E -s -m ensurepip --upgrade
 
-"${FWK}/bin/python${PYVER}" -Wi \
-    "${FWK}/lib/python${PYVER}/compileall.py" \
+"${FWK}/bin/python${PYVER}" -E -s -Wi \
+    "${FWK}/lib/python${PYVER}/compileall.py" -q -j0 \
     -f -x badsyntax \
     "${FWK}/lib/python${PYVER}/site-packages"
 
-"${FWK}/bin/python${PYVER}" -Wi -O \
-    "${FWK}/lib/python${PYVER}/compileall.py" \
+"${FWK}/bin/python${PYVER}" -E -s -Wi -O \
+    "${FWK}/lib/python${PYVER}/compileall.py" -q -j0 \
     -f -x badsyntax \
     "${FWK}/lib/python${PYVER}/site-packages"
 
diff --git a/Mac/BuildScript/scripts/postflight.framework b/Mac/BuildScript/scripts/postflight.framework
--- a/Mac/BuildScript/scripts/postflight.framework
+++ b/Mac/BuildScript/scripts/postflight.framework
@@ -6,23 +6,23 @@
 PYVER="@PYVER@"
 FWK="/Library/Frameworks/Python.framework/Versions/@PYVER@"
 
-"${FWK}/bin/python at PYVER@" -Wi \
-    "${FWK}/lib/python${PYVER}/compileall.py" \
+"${FWK}/bin/python at PYVER@" -E -s -Wi \
+    "${FWK}/lib/python${PYVER}/compileall.py" -q -j0 \
     -f -x 'bad_coding|badsyntax|site-packages|lib2to3/tests/data' \
     "${FWK}/lib/python${PYVER}"
 
-"${FWK}/bin/python at PYVER@" -Wi -O \
-    "${FWK}/lib/python${PYVER}/compileall.py" \
+"${FWK}/bin/python at PYVER@" -E -s -Wi -O \
+    "${FWK}/lib/python${PYVER}/compileall.py" -q -j0 \
     -f -x 'bad_coding|badsyntax|site-packages|lib2to3/tests/data' \
     "${FWK}/lib/python${PYVER}"
 
-"${FWK}/bin/python at PYVER@" -Wi \
-    "${FWK}/lib/python${PYVER}/compileall.py" \
+"${FWK}/bin/python at PYVER@" -E -s -Wi \
+    "${FWK}/lib/python${PYVER}/compileall.py" -q -j0 \
     -f -x badsyntax \
     "${FWK}/lib/python${PYVER}/site-packages"
 
-"${FWK}/bin/python at PYVER@" -Wi -O \
-    "${FWK}/lib/python${PYVER}/compileall.py" \
+"${FWK}/bin/python at PYVER@" -E -s -Wi -O \
+    "${FWK}/lib/python${PYVER}/compileall.py" -q -j0 \
     -f -x badsyntax \
     "${FWK}/lib/python${PYVER}/site-packages"
 

-- 
Repository URL: https://hg.python.org/cpython

More information about the Python-checkins mailing list