[Python-Dev] Supported versions of OpenSSL

Cory Benfield cory at lukasa.co.uk
Tue Aug 30 18:03:11 EDT 2016


> On 30 Aug 2016, at 16:07, M.-A. Lemburg <mal at egenix.com> wrote:
> 
> That was not my point. It's unfortunate that Python depends on
> a library which is inevitably going to need updates frequently,
> and which then may have the implication that Python won't compile on
> systems which don't ship with more recent OpenSSL libs - even
> if your application doesn't even need ssl at all.
> 
> Crypto is important to have, but at the same time it's not
> essential for everything you do in Python, e.g. you can
> easily run data analysis scripts or applications without ever
> touching the ssl module.
> 
> Yet, a move to require OpenSSL 1.0.2 for Python 3.7 will make
> it impossible to run such apps on systems that still use OpenSSL
> 1.0.1, e.g. Ubuntu 14.04 or CentOS 7.

If your application doesn’t need SSL, then you can compile without OpenSSL. I just downloaded and compiled the current tip of the CPython repository on a system with no OpenSSL, and the world didn’t explode, it just printed this:

Python build finished successfully!
The necessary bits to build these optional modules were not found:
_bz2                  _curses               _curses_panel      
_dbm                  _gdbm                 _lzma              
_sqlite3              _ssl                  _tkinter           
readline              zlib                                     
To find the necessary bits, look in setup.py in detect_modules() for the module's name.

So this user you have considered, who needs Python but not the ssl module, is still well served. The ssl module is not mandatory in CPython, and no-one is proposing that it should be.

But the real question is this: who *is* this hypothetical user? This user apparently needs the latest CPython, but is entirely unwilling to update literally anything else, including moving to a more recent release of their operating system. They are equipped to compile Python from source, but are apparently unwilling or unable to install a more recent OpenSSL from source. I’m not entirely certain that python-dev should be supporting that user: that user should be contacting their LTS supplier.

Cory
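
Added example, not part of the message above and not CPython's own code: a runtime check for an interpreter built from source, reporting which of the optional modules listed in the build output are missing and whether the linked OpenSSL meets the 1.0.2 minimum discussed in this thread. The function names are hypothetical, chosen for this illustration.

```python
import importlib

# Optional extension modules named in the build output quoted in the message.
OPTIONAL_MODULES = ("_bz2", "_curses", "_curses_panel", "_dbm", "_gdbm", "_lzma",
                    "_sqlite3", "_ssl", "_tkinter", "readline", "zlib")
MIN_OPENSSL = (1, 0, 2)  # minimum version proposed in the thread for Python 3.7


def missing_optional_modules(names=OPTIONAL_MODULES, importer=importlib.import_module):
    """Return the names this interpreter cannot import (hypothetical helper)."""
    missing = []
    for name in names:
        try:
            importer(name)
        except ImportError:
            missing.append(name)
    return missing


def openssl_status(minimum=MIN_OPENSSL, version_info=None, version_text=None):
    """Return (status, version_text); status is 'absent', 'not-openssl',
    'too-old' or 'ok'. With no arguments the running interpreter is inspected."""
    if version_info is None:
        try:
            import ssl  # fails on a build made without OpenSSL headers/libs
        except ImportError:
            return "absent", None
        version_info, version_text = ssl.OPENSSL_VERSION_INFO, ssl.OPENSSL_VERSION
    if version_text is not None and not version_text.startswith("OpenSSL"):
        # Forks such as LibreSSL use their own numbering; do not compare it.
        return "not-openssl", version_text
    # OPENSSL_VERSION_INFO is (major, minor, fix, patch, status).
    status = "ok" if tuple(version_info[:3]) >= tuple(minimum) else "too-old"
    return status, version_text


if __name__ == "__main__":
    print("missing optional modules:", ", ".join(missing_optional_modules()) or "none")
    status, text = openssl_status()
    print("ssl:", status, "-", text or "module not built")
```

Run it with the freshly built interpreter; a status of "absent" means any code that later imports ssl will fail at import time, which is worth catching in a deployment check and not in production.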

