Message 181366 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	ned.deily
Recipients	benjamin.peterson, georg.brandl, larry, ned.deily, ronaldoussoren
Date	2013-02-04.18:31:20
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1360002680.77.0.851671416179.issue17128@psf.upfronthosting.co.za>
In-reply-to

Content
Apple has deprecated use of openssl in OS X due to its unstable API between versions: "If your app depends on OpenSSL, you should compile OpenSSL yourself and statically link a known version of OpenSSL into your app" https://developer.apple.com/library/mac/#documentation/security/Conceptual/cryptoservices/GeneralPurposeCrypto/GeneralPurposeCrypto.html Currently OS X ships with patched versions of libssl 0.9.7 and 0.9.8. The 32-bit python.org installer links with and dynamically loads 0.9.7 and the 64-/32-bit installer with 0.9.8. build-installer.py should be enhanced to build and link with its own universal more up-to-date static libssl, as is done for several other OS X-supplied libraries. Since apparently the openssl upstream builds do not support OS X universal builds, build-installer.py will need to learn how to build each arch separately and lipo them together. With the current discussion around security issues, are there features in openssl 1.x.x that warrant making this a release blocker for 2.7.4 and 3.2.4? I should be able to implement and test this over the next few days if so. Setting to release blocker for release managers' decision.

Apple has deprecated use of openssl in OS X due to its unstable API between versions:

"If your app depends on OpenSSL, you should compile OpenSSL yourself and statically link a known version of OpenSSL into your app"

https://developer.apple.com/library/mac/#documentation/security/Conceptual/cryptoservices/GeneralPurposeCrypto/GeneralPurposeCrypto.html

Currently OS X ships with patched versions of libssl 0.9.7 and 0.9.8.  The 32-bit python.org installer links with and dynamically loads 0.9.7 and the 64-/32-bit installer with 0.9.8.

build-installer.py should be enhanced to build and link with its own universal more up-to-date static libssl, as is done for several other OS X-supplied libraries.  Since apparently the openssl upstream builds do not support OS X universal builds, build-installer.py will need to learn how to build each arch separately and lipo them together.

With the current discussion around security issues, are there features in openssl 1.x.x that warrant making this a release blocker for 2.7.4 and 3.2.4?  I should be able to implement and test this over the next few days if so.

Setting to release blocker for release managers' decision.

History
Date	User	Action	Args
2013-02-04 18:31:20	ned.deily	set	recipients: + ned.deily, georg.brandl, ronaldoussoren, larry, benjamin.peterson
2013-02-04 18:31:20	ned.deily	set	messageid: <1360002680.77.0.851671416179.issue17128@psf.upfronthosting.co.za>
2013-02-04 18:31:20	ned.deily	link	issue17128 messages
2013-02-04 18:31:20	ned.deily	create