[Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

Sun Jan 14 13:06:20 EST 2018

FWIW, anaconda and conda-forge currently have 1.0.2 X

https://anaconda.org/anaconda/openssl

https://anaconda.org/conda-forge/openssl

On Sunday, January 14, 2018, Ned Deily <nad at python.org> wrote:

> On Jan 14, 2018, at 08:39, Christian Heimes <christian at python.org> wrote:
> > On 2018-01-14 09:24, Matt Billenstein wrote:
> >> Correct me if I'm wrong, but Python3 on osx bundles openssl since Apple
> has
> >> deprecated (and no longer ships the header files for) the version
> shipped with
> >> recent versions of osx.
> >>
> >> Perhaps this is an option to support the various flavors of Linux as
> well?
> >
> > AFAK Apple has decided to compile and statically link CPython's ssl with
> > an ancient, customized LibreSSL version. Cory posted [1] a couple of
> > months ago
>
> I think you're conflating some things here.  Apple has not yet shipped a
> version of Python 3 with macOS so the fact that Apple now links their
> version of Python2.7 with a "private" copy of LibreSSL is irrelevant.
> (It's private in the sense that they don't ship the header files for it;
> the shared libs are there just for the use of the open source products
> they ship with macOS that don't yet use the macOS native crypto APIs,
> products like Python and Perl.)
>
> What Matt is likely thinking of is the Python 3 versions provided by the
> python.org macOS binary installers where we do build and link with our
> own 1.0.2 (and soon 1.1.0 for 3.7) versions of OpenSSL.  Currently,
> the OpenSSL (and several other third-party libs such as libxz which
> is not shipped by Apple) are built as part of the installer build
> script in the Mac section of the source repo.  I would like to
> refactor and generalize that so those third-party libs
> could optionally be used for non-installer builds as well.  But, in
> any case, we don't have much choice for the installer builds until
> such time as cPython has support for the Apple-provided crypto APIs.

Support for Apple SecureTransport is part of the TLS module. IDK how far
along that work is (whether it'll be ready for 3.7 beta 1)?

https://github.com/python/peps/blob/master/pep-0543.rst

https://www.python.org/dev/peps/pep-0543/

http://markmail.org/search/?q=list%3Aorg.python+PEP+543+TLS

>
> > I'm not going to add OpenSSL sources or builds to CPython. We just got
> > rid of copies of libffi and other 3rd party dependencies. Crypto and TLS
> > libraries are much, MUCH more complicated to handle than libffi. It's a
> > constant moving targets of attacks. Vendors and distributions also have
> > different opinions about trust store and policies.
> >
> > Let's keep build dependencies a downstream and vendor problem.
>
> That's not always an option, unfortunately.
>
> --
>   Ned Deily
>   nad at python.org -- []
>
> _______________________________________________
> Python-Dev mailing list
> Python-Dev at python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: https://mail.python.org/mailman/options/python-dev/
> wes.turner%40gmail.com
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20180114/97baa6f3/attachment.html>