classification
Title: Upgrade windows builds to use OpenSSL 1.0.2c
Type:
Stage: resolved
Components: Library (Lib)
Versions: Python 3.6, Python 3.5, Python 3.4, Python 2.7
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: steve.dower
Nosy List: alex, benjamin.peterson, christian.heimes, dstufft, giampaolo.rodola, janssen, larry, ned.deily, paul.moore, pitrou, python-dev, r.david.murray, steve.dower, tim.golden, zach.ware
Priority: release blocker
Keywords: security_issue

Created on 2015-06-11 15:05 by alex, last changed 2015-07-04 06:47 by python-dev. This issue is now closed.

Messages (29)
msg245173 - (view) Author: Alex Gaynor (alex) * (Python committer) Date: 2015-06-11 15:05
https://www.openssl.org/news/secadv_20150611.txt
msg245178 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2015-06-11 17:56
Marking as release blocker for 3.5.0
msg245283 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2015-06-13 02:01
Make that OpenSSL 1.0.2c now.
msg246116 - (view) Author: Larry Hastings (larry) * (Python committer) Date: 2015-07-03 00:56
Steve?
msg246133 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2015-07-03 05:09
I'll give it a shot tomorrow. Haven't done it before (not even sure I have the svn.p.o permissions). Do I still need Perl for this?
msg246136 - (view) Author: Zachary Ware (zach.ware) * (Python committer) Date: 2015-07-03 05:25
Yes, you'll need Perl, NASM, and svn on PATH.

I tried to send you an email about this a week or two ago, did I not get it
sent or did it go awry?
msg246143 - (view) Author: Tim Golden (tim.golden) * (Python committer) Date: 2015-07-03 07:34
Zach, is there a write-up in the devguide for how to do this? And/or
could you send me the same email, please?
msg246172 - (view) Author: Zachary Ware (zach.ware) * (Python committer) Date: 2015-07-03 13:08
Not yet and yes :)
msg246182 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2015-07-03 14:35
There was an email, though I don't remember whether it was a detailed one.

I'll take notes as I work through it and write something up or contribute them to whoever is writing.
msg246185 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2015-07-03 15:11
I assume we use svn+ssh:// for this? I can't ssh into svn.python.org with my usual key, so I'm guessing it needs to be set up on there.

Who is best to contact about that?
msg246189 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2015-07-03 15:55
For SVN access, I think it's probably Martin or perhaps Benjamin. Apparently svn.python.org still lives on the old Europe-based infrastructure...

Perhaps it would be good to switch the externals repo to hg, actually?
msg246190 - (view) Author: Zachary Ware (zach.ware) * (Python committer) Date: 2015-07-03 16:04
Antoine Pitrou added the comment:
> For SVN access, I think it's probably Martin or perhaps Benjamin.

Benjamin was the one who set up my access.

> Perhaps it would be good to switch the externals repo to hg, actually?

Moving away from svn.python.org has been on my to-figure-out list for
some time, but like instructions for the devguide, that hasn't
happened yet either.
msg246195 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2015-07-03 17:41
The advantage of svn for externals is that nobody needs the history and most people don't need a full enlistment. A hg setup should probably be one repo per project per version, and I'm not sure that's a great idea.
msg246205 - (view) Author: Larry Hastings (larry) * (Python committer) Date: 2015-07-03 18:21
I just wanna say, thanks everybody for tackling this.  Here's hoping it makes it into 3.5 beta 3!
msg246209 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2015-07-03 19:22
I've emailed Benjamin, but I'm not sure when he was getting back. If I'm blocked on this then I guess Zach will have to do it again.

I got as far as building and testing for 3.5 without any issues. But if I can't check in to the repository then there's not much else I can do. Preparing the sources was smooth enough (though I added a shebang to prepare_ssl so I could run it directly).
msg246210 - (view) Author: Zachary Ware (zach.ware) * (Python committer) Date: 2015-07-03 19:36
Steve: what username did you use?  Try svn+ssh://pythondev@svn.python.org/external

I'm having to set things up in a new-since-last-time VM to be able to do it, so if that works before I get it done, go for it.
msg246211 - (view) Author: R. David Murray (r.david.murray) * (Python committer) Date: 2015-07-03 19:45
Because svn is still on the old infrastructure, it is quite possible Steve's key didn't get added to pythondev's key list.  There might be someone else on infrastructure who could add it, if Benjamin isn't available.
msg246212 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2015-07-03 19:59
It turns out I have access to the machine: Steve's key is already enabled in the pythondev account.
msg246213 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2015-07-03 20:21
Yep, Benjamin added it about half an hour ago :)

Should have this done fairly soon.
msg246214 - (view) Author: Zachary Ware (zach.ware) * (Python committer) Date: 2015-07-03 20:22
Already have the source checked in on svn.python.org
msg246215 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2015-07-03 20:33
Just spotted that. How about I kick off 3.5 and 2.7 with the old build files to test and you get 3.6 and 2.7 new?
msg246216 - (view) Author: Zachary Ware (zach.ware) * (Python committer) Date: 2015-07-03 20:34
Sure, can do.  I already have a test running on 3.4 as well.
msg246221 - (view) Author: Zachary Ware (zach.ware) * (Python committer) Date: 2015-07-03 21:14
It all seems to work (no new failures).
msg246222 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2015-07-03 21:18
Agreed. Build and obviously related tests are fine.
msg246224 - (view) Author: Zachary Ware (zach.ware) * (Python committer) Date: 2015-07-03 21:27
Would you like to check it in on all branches?  I'm about to be separated from my computer for a while.
msg246225 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2015-07-03 21:55
Sure, I'll get it.
msg246227 - (view) Author: Roundup Robot (python-dev) Date: 2015-07-03 22:18
New changeset 6fd63f0a0026 by Steve Dower in branch '3.4':
Issue #24432: Update Windows builds to use OpenSSL 1.0.2c.
https://hg.python.org/cpython/rev/6fd63f0a0026

New changeset ebc8559b2e57 by Steve Dower in branch '3.5':
Issue #24432: Update Windows builds to use OpenSSL 1.0.2c.
https://hg.python.org/cpython/rev/ebc8559b2e57

New changeset 91c5097bca2b by Steve Dower in branch 'default':
Issue #24432: Update Windows builds to use OpenSSL 1.0.2c.
https://hg.python.org/cpython/rev/91c5097bca2b
msg246228 - (view) Author: Roundup Robot (python-dev) Date: 2015-07-03 22:19
New changeset c49d2ea5e48a by Steve Dower in branch '2.7':
Issue #24432: Update Windows builds to use OpenSSL 1.0.2c.
https://hg.python.org/cpython/rev/c49d2ea5e48a
msg246240 - (view) Author: Roundup Robot (python-dev) Date: 2015-07-04 06:47
New changeset 695bbbaf2478 by Ned Deily in branch '2.7':
Issue #24432: Update OS X 10.5+ installer builds to use OpenSSL 1.0.2c.
https://hg.python.org/cpython/rev/695bbbaf2478

New changeset 4b52fce3753d by Ned Deily in branch '3.4':
Issue #24432: Update OS X 10.5+ installer builds to use OpenSSL 1.0.2c.
https://hg.python.org/cpython/rev/4b52fce3753d

New changeset bbf4e35ed69e by Ned Deily in branch '3.5':
Issue #24432: Update OS X 10.5+ installer builds to use OpenSSL 1.0.2c.
https://hg.python.org/cpython/rev/bbf4e35ed69e

New changeset fbb9ac8aebfd by Ned Deily in branch 'default':
Issue #24432: merge from 3.5
https://hg.python.org/cpython/rev/fbb9ac8aebfd
History
Date  User  Action  Args
2015-07-04 06:47:41  python-dev  set  messages: + msg246240
2015-07-03 22:28:01  steve.dower  set  status: open -> closed; resolution: fixed; stage: needs patch -> resolved
2015-07-03 22:19:53  python-dev  set  messages: + msg246228
2015-07-03 22:18:01  python-dev  set  nosy: + python-dev; messages: + msg246227
2015-07-03 21:55:29  steve.dower  set  messages: + msg246225
2015-07-03 21:27:32  zach.ware  set  messages: + msg246224; title: Upgrade windows builds to use OpenSSL 1.0.2b -> Upgrade windows builds to use OpenSSL 1.0.2c
2015-07-03 21:18:10  steve.dower  set  messages: + msg246222
2015-07-03 21:14:53  zach.ware  set  messages: + msg246221
2015-07-03 20:34:00  zach.ware  set  messages: + msg246216
2015-07-03 20:33:05  steve.dower  set  messages: + msg246215
2015-07-03 20:22:41  zach.ware  set  messages: + msg246214
2015-07-03 20:21:55  steve.dower  set  messages: + msg246213
2015-07-03 19:59:09  pitrou  set  messages: + msg246212
2015-07-03 19:45:35  r.david.murray  set  nosy: + r.david.murray; messages: + msg246211
2015-07-03 19:36:20  zach.ware  set  messages: + msg246210
2015-07-03 19:22:42  steve.dower  set  messages: + msg246209
2015-07-03 18:21:43  larry  set  messages: + msg246205
2015-07-03 17:41:34  steve.dower  set  messages: + msg246195
2015-07-03 16:04:15  zach.ware  set  messages: + msg246190
2015-07-03 15:55:13  pitrou  set  messages: + msg246189
2015-07-03 15:11:53  steve.dower  set  messages: + msg246185
2015-07-03 14:35:29  steve.dower  set  messages: + msg246182
2015-07-03 13:08:07  zach.ware  set  messages: + msg246172
2015-07-03 07:34:02  tim.golden  set  messages: + msg246143
2015-07-03 05:25:04  zach.ware  set  messages: + msg246136
2015-07-03 05:09:43  steve.dower  set  messages: + msg246133
2015-07-03 00:56:55  larry  set  assignee: steve.dower; messages: + msg246116
2015-06-13 02:01:51  ned.deily  set  messages: + msg245283
2015-06-11 17:56:31  ned.deily  set  priority: normal -> release blocker; versions: + Python 2.7, Python 3.4, Python 3.5, Python 3.6; nosy: + ned.deily, larry, benjamin.peterson; messages: + msg245178; stage: needs patch
2015-06-11 15:05:25  alex  create