[Python-Dev] PEP 466 (round 2): Network security enhancements for Python 2.7

Nick Coghlan ncoghlan at gmail.com
Mon Mar 24 13:51:50 CET 2014


On 24 March 2014 22:39, M.-A. Lemburg <mal at egenix.com> wrote:
> On 24.03.2014 13:33, Antoine Pitrou wrote:
>> Under Linux (and probably OS X too), the _ssl module is linked
>> dynamically with OpenSSL:
>>
>> $ ldd build/lib.linux-x86_64-2.7-pydebug/_ssl.so
>>     linux-vdso.so.1 =>  (0x00007fff3f1de000)
>>     libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fd8853ea000)
>>     libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007fd885010000)
>>     libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fd884df1000)
>>     libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd884a2b000)
>>     libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fd884827000)
>>     /lib64/ld-linux-x86-64.so.2 (0x00007fd885868000)
>
> Right, and it's using the system library, not a private copy - which
> can be both good and bad depending on how recent the system's library
> version is.

Even if *we* statically linked OpenSSL on Linux, you can bet distro
vendors would switch it back to dynamic linking. Hence the comment in
the PEP about vendor provided OpenSSL updates mitigating some of the
concerns on Linux (definitely not all of them though - it's still far
too easy for developers to make mistakes and too hard for them to do
the right thing from a security perspective).

You also reminded me that I need to dig around for Ned's email about
the status of OS X and reference that (OpenSSL upgrades were a
casualty of Apple's anti-GPL crusade, so the OS X installers were
switched to static linking somewhere along the line).

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
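The practical question raised in this exchange is whether a given Python's _ssl module picks up the distro's OpenSSL (so vendor patches apply) or carries a private, statically linked copy (so only a rebuilt Python fixes it). The script below is an added example, not part of the original thread or of CPython: it parses ldd output of the shape shown in Antoine's listing (the sample embedded here is constructed from that listing), classifies the linkage, and, when run directly on Linux, locates the interpreter's own _ssl module and reports both the linked libssl/libcrypto paths and the OpenSSL version the ssl module was built against. It is written for Python 3; the minimum-version tuple passed to check_minimum is a placeholder for whatever baseline your deployment requires, not a value stated on this page.

```python
import importlib.util
import re
import ssl
import subprocess

# Constructed sample, shaped like the ldd listing quoted in the email.
SAMPLE_LDD = """\
    linux-vdso.so.1 =>  (0x00007fff3f1de000)
    libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fd8853ea000)
    libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007fd885010000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fd884df1000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd884a2b000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fd884827000)
    /lib64/ld-linux-x86-64.so.2 (0x00007fd885868000)
"""

# "soname => path (addr)"; path is empty for the vdso pseudo-library.
_RESOLVED = re.compile(r"^\s*(\S+)\s*=>\s*([^\s(]*)\s*\(0x[0-9a-f]+\)\s*$")
# "/path/to/ld-linux (addr)": the dynamic loader has no "=>" part.
_BARE = re.compile(r"^\s*(\S+)\s+\(0x[0-9a-f]+\)\s*$")


def parse_ldd(output):
    """Map each shared-object name in ldd output to the path it resolved to."""
    deps = {}
    for line in output.splitlines():
        m = _RESOLVED.match(line)
        if m:
            deps[m.group(1)] = m.group(2)
            continue
        m = _BARE.match(line)
        if m:
            deps[m.group(1)] = m.group(1)
    return deps


def openssl_linkage(deps):
    """Return ('dynamic', {soname: path}) if libssl/libcrypto are loaded
    as shared objects, else ('static-or-absent', {}).  An absent libssl
    means the crypto code lives inside the module itself (or the module
    was built without OpenSSL), so distro OpenSSL updates cannot reach it."""
    crypto = {name: path for name, path in deps.items()
              if name.startswith(("libssl", "libcrypto"))}
    return ("dynamic", crypto) if crypto else ("static-or-absent", {})


def runtime_openssl():
    """Version string and (major, minor, fix, patch, status) tuple of the
    OpenSSL this interpreter's ssl module was compiled against."""
    return ssl.OPENSSL_VERSION, ssl.OPENSSL_VERSION_INFO


def check_minimum(version_info, minimum=(1, 0, 1)):
    """True if the (major, minor, fix) prefix meets a caller-chosen baseline.
    The default baseline is a placeholder assumption, not a value from the thread."""
    return tuple(version_info[:3]) >= tuple(minimum)


def ssl_module_path():
    """Filesystem path of the compiled _ssl extension, or None."""
    spec = importlib.util.find_spec("_ssl")
    return spec.origin if spec is not None else None


def ldd_output(path):
    """Run the system ldd (Linux only); returns '' if ldd is unavailable."""
    try:
        proc = subprocess.run(["ldd", path], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return ""
    return proc.stdout


if __name__ == "__main__":
    version, info = runtime_openssl()
    print("ssl module built against:", version)
    print("meets placeholder baseline 1.0.1:", check_minimum(info))
    path = ssl_module_path()
    print("_ssl module:", path)
    if path and path.endswith(".so"):
        kind, libs = openssl_linkage(parse_ldd(ldd_output(path)))
        print("OpenSSL linkage:", kind)
        for name, libpath in sorted(libs.items()):
            print("   ", name, "->", libpath)
    else:
        print("_ssl is built into the interpreter or is not an ELF .so; use ldd on the python binary itself")
```

A "dynamic" result with paths under /lib or /usr/lib is the distro-maintained case discussed above; a "static-or-absent" result on a Linux .so, or a Python where _ssl is compiled into the interpreter, is the case where only a rebuild of Python itself picks up an OpenSSL fix. On OS X the equivalent check is otool -L rather than ldd, which this script does not attempt.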
