[Python-Dev] Supported versions of OpenSSL

Nick Coghlan ncoghlan at gmail.com
Tue Aug 30 02:29:07 EDT 2016


On 30 August 2016 at 15:13, Benjamin Peterson <benjamin at python.org> wrote:
> On Sun, Aug 28, 2016, at 22:42, Christian Heimes wrote:
>> In my proto-PEP I'm talking about different levels of support: full,
>> build-only and unsupported. Full support means that the combination of
>> Python and OpenSSL versions is reasonably secure and recommended.
>>
>> On the other hand build-only support doesn't come with any security
>> promise. The ssl and hashlib modules are source compatible with OpenSSL
>> 0.9.8. You can still compile Python, do https connections but they might
>> not be secure. It's "Warranty void" mode.
>
> I'm not sure having such "support" is a good idea. If we're not able to
> support a security module securely, it's probably better if it doesn't
> compile at all.

We may not be able to practically support these variations directly
upstream, but that doesn't mean the particular downstream
redistributor or end user building against the older version can't -
they get to narrow their support matrix in a different way from us by
only caring about their particular platform or deployment environment.

So I don't think it makes sense to fight this particular battle right
now - it may be something we want to explore in the future as a
deliberate "You must have the ability to maintain patches against
CPython and hence presumably OpenSSL if you want to use older OpenSSL
versions" barrier to entry, but just the notion of imposing minimum
OpenSSL versions on *nix and hence potentially deprecating upstream
support for older LTS Linux releases before their distributors do is
already going to be a significant change.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
