[Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

Gregory P. Smith greg at krypto.org
Sat Jan 13 21:02:59 EST 2018


On Sat, Jan 13, 2018 at 4:34 PM Steven D'Aprano <steve at pearwood.info> wrote:

> On Sat, Jan 13, 2018 at 02:23:19PM +0100, Antoine Pitrou wrote:
> > On Sat, 13 Jan 2018 13:54:33 +0100
> > Christian Heimes <christian at python.org> wrote:
> > >
> > > If we agree to drop support for OpenSSL 0.9.8 and 1.0.1, then I can land
> > > a bunch of useful goodies like proper hostname verification [2], proper
> > > fix for IP address in SNI TLS header [3], PEP 543 compatible Certificate
> > > and PrivateKey types (support loading certs and keys from file and
> > > memory) [4], and simplified cipher suite configuration [5]. I can
> > > finally clean up _ssl.c during the beta phase, too.
> >
> > Given the annoyance of supporting old OpenSSL versions, I'd say +1 to
> > this.
> >
> > We'll have to deal with the complaints of users of Debian oldstable,
> > CentOS 6 and RHEL 6, though.
>
> It will probably be more work for Christian, but is it reasonable to
> keep support for the older versions of OpenSSL, but make the useful
> goodies conditional on a newer version?
>

I don't think it is worth spending our limited engineering time supporting
an unsupported library version.  Leave that burden to stale distro
maintainers who continue to choose dangerously stale software versions if
they ironically want to use something as modern as 3.7 on top of an ancient
set of libraries.

+1 from me for requiring OpenSSL >= 1.0.2 in Python 3.7.

-gps