[Python-Dev] Supported versions of OpenSSL

Cory Benfield cory at lukasa.co.uk
Mon Aug 29 22:28:50 EDT 2016


> On 29 Aug 2016, at 15:31, M.-A. Lemburg <mal at egenix.com> wrote:
> 
> Ubuntu 14.04 is a widely deployed system and newer Python versions
> should run on such widely deployed systems without having to
> replace important vendor maintained system libraries such as
> OpenSSL.

That's quite the non-sequitur. You never answered my question: what does "widely deployed" mean? At what level of deployment do we need to support the system configuration with no changes?

Do we need to support compiling out of the box with Windows 10? Because we don't: if they want SSL, we need them to compile and install an OpenSSL. Do we need to support compiling out of the box on macOS 10.12 Sierra? Because we don't: if they want SSL they need to install their own OpenSSL.

At a certain point we need to give up on systems that do not provide up-to-date copies of important libraries, or say that if you want to use Python on them you need to compile without our support libraries.

> Python 3.7 starts shipping around June 2018 (assuming the 18 month
> release cycle). Ubuntu 14.04 EOL is April 2019, so in order to
> be able to use Python 3.7 on such a system, you'd have to upgrade
> to a more recent LTS version 10 months before the EOL date (with
> all the associated issues) or lose vendor maintenance support and
> run with your own copy of OpenSSL.

Yes, that's true. But on the other hand, that LTS release is *already out* at this time, and has been for four months. By the time of the release of Python 3.7 it will have been released for two years and two months. The request to upgrade is not unreasonable. 

> Sure, but Ubuntu will continue to support OpenSSL 1.0.1
> until 2019, backporting important security fixes as necessary and
> that's what's important.

Then Ubuntu can ship us an engineer who is willing to support the SSL module with OpenSSL 1.0.1 going forward. The one engineer we have has said he is unwilling to do it.

> This doesn't sound like a feature worth breaking compatibility
> to me.

Does the compatibility guarantee apply to libraries that Python will link against?

Cory

