[Python-Dev] Supported versions of OpenSSL
Cory Benfield
cory at lukasa.co.uk
Mon Aug 29 12:33:05 EDT 2016
> On 29 Aug 2016, at 04:09, M.-A. Lemburg <mal at egenix.com> wrote:
>
> On 28.08.2016 22:40, Christian Heimes wrote:
>> ...
>> I like to reduce the maintenance burden and list of supported OpenSSL
>> versions ASAP. OpenSSL has deprecated 0.9.8 and 1.0.0 last year. 1.0.1
>> will reach EOL by the end of this year,
>> https://www.openssl.org/policies/releasestrat.html . However OpenSSL
>> 0.9.8 is still required for some platforms (OSX).
>> ...
>> For upcoming 3.6 I would like to limit support to 1.0.2+ and require
>> 1.0.2 features for 3.7.
>> ...
>
> Hmm, that last part would mean that Python 3.7 will no longer compile
> on e.g. Ubuntu 14.04 LTS which uses OpenSSL 1.0.1 as default version.
> Since 14.04 LTS is supported until 2019, I think it would be better
> to only start requiring 1.0.2 in Python 3.8.
Can someone explain to me why this is a use-case we care about?
The nature of a stable distribution is that all the packages are guaranteed to work together. Once you start compiling your own software, you are out in the cold: you are no longer covered by that guarantee. Why, then, should someone compiling a version of Python that was barely conceived when Ubuntu 14.04 was released expect that they can compile it from source using only dependencies available in their mainline distribution?
I absolutely understand wanting to support Ubuntu 14.04 for any release of Python that already compiles on Ubuntu 14.04: that makes sense. But new releases should not be shackled to what is in LTS releases of operating systems. If it were, a more coherent argument would be that we cannot drop 0.9.8 support in any Python released before the middle of 2017 because RHEL 5 ships it, and we will not be able to require OpenSSL 1.0.2 until almost 2021 because RHEL 6 ships 1.0.1. After all, why does Ubuntu 14.04 get privileged over RHEL? Both are supported LTS releases, after all.
I don’t believe that the Python dev team has ever promised that future versions of Python will compile on a given LTS release. Am I mistaken?
While I’m here, I should note that Ubuntu 14.04 goes EOL in 2019, while OpenSSL 1.0.1 loses support from upstream at the end of this year, which is probably a good reason to stop supporting it in new Python versions. OpenSSL 1.0.0 and 0.9.8 are already unsupported by upstream.
Cory
More information about the Python-Dev
mailing list