Uhhh, sorry, which includes OpenSSL *1.0.2*.

Alex
On Fri, Jan 22, 2016 at 5:21 PM, Alex Gaynor <alex.gay...@gmail.com> wrote:

> On OS X and Windows we distribute a Cryptography wheel which includes
> OpenSSL 0.9.8.
>
> Alex
>
> On Fri, Jan 22, 2016 at 5:19 PM, Ron Frederick <r...@timeheart.net> wrote:
>
>> What impact will this have on MacOS systems? Even the latest MacOS El
>> Capitan (10.11.3) is still back on OpenSSL 0.9.8zg from 14 July 2015 for
>> the /usr/bin/openssl binary. They ship with a version of libressl for use
>> by OpenSSH (OpenSSH_6.9p1, LibreSSL 2.1.8), but I don’t know if that
>> library is available for other applications or libraries to use.
>>
>> On Jan 22, 2016, at 1:58 PM, Alex Gaynor <alex.gay...@gmail.com> wrote:
>>
>> Hi all,
>>
>> I'd like to propose we deprecate support for OpenSSL 0.9.8 in our next
>> release, and remove support in the release after (we already emit warnings
>> in our current release, so this is consistent with our schedule).
>>
>> Rationale: OpenSSL 0.9.8 is old, does not support modern web security
>> (e.g. no TLS 1.2), and supporting it adds complexity, in the form of
>> hundreds of additional lines of code and configuration options.
>>
>> Supporting data: As of pip 8 (released this week, already used for
>> something like 1/3 of PyPI downloads), the user agent of pip includes the
>> system's OpenSSL version. Looking at the data (excluding Windows and OS X,
>> since on those platforms we include OpenSSL 1.0.2 in our wheels). The
>> overall distribution is:
>>
>>
>>
>> Indicating that OpenSSL 0.9.8 on Linux represents less than 1% of all
>> installations.
>>
>> Looking at per-package data, here are the percent of downloads using
>> OpenSSL 0.9.8 for some relevant packages:
>>
>> - unidecode: 7.6% (This is the package with the highest percent of 0.9.8
>> users)
>> - rsa: 3.3%
>> - pyasn1: 2.2%
>> - requests: 1.6%
>> - pycrypto: 0.8%
>> - pip: 0.6%
>> - pyopenssl: 0.4%
>> - letsencrypt-apache: 0.3%
>> - cryptography: 0.3%
>>
>>
>> I think these numbers are low enough that we can safely drop OpenSSL
>> 0.9.8 support.
>>
>> Platforms specifically known to be affected:
>> - RHEL/CentOS 5 and older
>> - Debian Squeeze (based on OpenSSL version, this is where most of the
>> affected users will be).
>>
>>
>> Thoughts? Will you be affected by this?
>> Alex
>>
>> --
>> "I disapprove of what you say, but I will defend to the death your right
>> to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
>> "The people's good is the highest law." -- Cicero
>> GPG Key fingerprint: 125F 5C67 DFE9 4084
>>
>> --
>> Ron Frederick
>> r...@timeheart.net
>>
>> _______________________________________________
>> Cryptography-dev mailing list
>> Cryptography-dev@python.org
>> https://mail.python.org/mailman/listinfo/cryptography-dev
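Added example, not part of the thread and not pip's or cryptography's own code: the kind of tally the proposal describes, bucketing pip user agents by OpenSSL release series while excluding Windows and OS X. It assumes the user agent is `pip/<version>` followed by a JSON object with `openssl_version` and `system.name` fields; the sample strings are constructed, not PyPI log data.

```python
import json
import re
from collections import Counter

# Constructed sample user agents (assumed pip 8 layout, not real PyPI logs).
SAMPLE_USER_AGENTS = [
    'pip/8.0.2 {"openssl_version":"OpenSSL 1.0.1f 6 Jan 2014","system":{"name":"Linux"}}',
    'pip/8.0.2 {"openssl_version":"OpenSSL 1.0.1e-fips 11 Feb 2013","system":{"name":"Linux"}}',
    'pip/8.0.0 {"openssl_version":"OpenSSL 0.9.8o 01 Jun 2010","system":{"name":"Linux"}}',
    'pip/8.0.2 {"openssl_version":"OpenSSL 1.0.2e 3 Dec 2015","system":{"name":"Linux"}}',
    'pip/8.0.2 {"openssl_version":"OpenSSL 0.9.8zg 14 July 2015","system":{"name":"Darwin"}}',
    'pip/7.1.2 {"system":{"name":"Linux"}}',  # older client: no OpenSSL field
    'curl/7.35.0',                             # not pip at all
]

# "OpenSSL 1.0.1e-fips 11 Feb 2013" -> ("OpenSSL", "1.0.1")
SERIES_RE = re.compile(r"^(OpenSSL|LibreSSL) (\d+\.\d+\.\d+)")
# Excluded as in the proposal: wheels on these platforms bundle OpenSSL.
EXCLUDED_SYSTEMS = {"Darwin", "Windows"}


def openssl_series(user_agent):
    """Return e.g. 'OpenSSL 0.9.8' for a countable pip user agent, else None."""
    name, _, payload = user_agent.partition(" ")
    if not name.startswith("pip/"):
        return None
    try:
        data = json.loads(payload)
    except ValueError:  # empty or malformed JSON payload
        return None
    if not isinstance(data, dict):
        return None
    system = data.get("system")
    if isinstance(system, dict) and system.get("name") in EXCLUDED_SYSTEMS:
        return None
    match = SERIES_RE.match(str(data.get("openssl_version", "")))
    return "{} {}".format(*match.groups()) if match else None


def tally(user_agents):
    """Count countable installs per OpenSSL release series."""
    return Counter(s for s in map(openssl_series, user_agents) if s)


def share(counts, series):
    """Percentage of counted installs on the given series."""
    total = sum(counts.values())
    return 100.0 * counts[series] / total if total else 0.0


if __name__ == "__main__":
    counts = tally(SAMPLE_USER_AGENTS)
    print(counts.most_common(), share(counts, "OpenSSL 0.9.8"))
```

Clients that do not report an OpenSSL version are dropped from the denominator, so the percentage describes reporting clients only.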