So, here was my thought process on 1.0.0:

- Basically no one is using it
- It's slightly less burdensome to support.
- We should only do one thing at a time; if for some reason everyone who upgrades from 0.9.8 moves to 1.0.0, that's an interesting data point we should seek to collect.

I like the idea of adding a CRYPTOGRAPHY_ALLOW_DEPRECATED_OPENSSL for 1 release. That makes the timetable:

- 1.3: Show deprecation warning
- 1.4: Removed by default with CRYPTOGRAPHY_ALLOW_DEPRECATED_OPENSSL fallback
- 1.5: Removed entirely

With the 1.5 step contingent on feedback we receive from 1.4.

Alex

On Fri, Jan 22, 2016 at 5:29 PM, Paul Kehrer <paul.l.keh...@gmail.com> wrote:

> We should also disable 1.0.0 as that's EOL as well and has even lower usage than 0.9.8. I'd like to have at least one additional release with 0.9.8/1.0.0 support disabled but available via env variable (e.g. ALLOW_OLD_BAD_OPENSSL). This way we can provide a path to re-enable support if it turns out more people are using cryptography with old Python than our data currently suggests.
>
> -Paul Kehrer (reaperhulk)
>
> On January 22, 2016 at 4:25:46 PM, Ron Frederick (r...@timeheart.net) wrote:
>
> Gotcha, thanks.
>
> On my OS X system, I have 1.0.2e installed from MacPorts, but I imagine many Mac users don’t.
>
> On Jan 22, 2016, at 2:21 PM, Alex Gaynor <alex.gay...@gmail.com> wrote:
>
> Uhhh, sorry, which includes OpenSSL *1.0.2*.
>
> Alex
>
> On Fri, Jan 22, 2016 at 5:21 PM, Alex Gaynor <alex.gay...@gmail.com> wrote:
>
>> On OS X and Windows we distribute a Cryptography wheel which includes OpenSSL 0.9.8.
>>
>> Alex
>>
>> On Fri, Jan 22, 2016 at 5:19 PM, Ron Frederick <r...@timeheart.net> wrote:
>>
>>> What impact will this have on MacOS systems? Even the latest MacOS El Capitan (10.11.3) is still back on OpenSSL 0.9.8zg from 14 July 2015 for the /usr/bin/openssl binary. They ship with a version of libressl for use by OpenSSH (OpenSSH_6.9p1, LibreSSL 2.1.8), but I don’t know if that library is available for other applications or libraries to use.
>>>
>>> On Jan 22, 2016, at 1:58 PM, Alex Gaynor <alex.gay...@gmail.com> wrote:
>>>
>>> Hi all,
>>>
>>> I'd like to propose we deprecate support for OpenSSL 0.9.8 in our next release, and remove support in the release after (we already emit warnings in our current release, so this is consistent with our schedule).
>>>
>>> Rationale: OpenSSL 0.9.8 is old, does not support modern web security (e.g. no TLS 1.2), and supporting it adds complexity, in the form of hundreds of additional lines of code and configuration options.
>>>
>>> Supporting data: As of pip 8 (released this week, already used for something like 1/3 of PyPI downloads), the user agent of pip includes the system's OpenSSL version. Looking at the data (excluding Windows and OS X, since on those platforms we include OpenSSL 1.0.2 in our wheels), the overall distribution is:
>>>
>>>
>>> Indicating that OpenSSL 0.9.8 on Linux represents less than 1% of all installations.
>>>
>>> Looking at per-package data, here are the percent of downloads using OpenSSL 0.9.8 for some relevant packages:
>>>
>>> - unidecode: 7.6% (This is the package with the highest percent of 0.9.8 users)
>>> - rsa: 3.3%
>>> - pyasn1: 2.2%
>>> - requests: 1.6%
>>> - pycrypto: 0.8%
>>> - pip: 0.6%
>>> - pyopenssl: 0.4%
>>> - letsencrypt-apache: 0.3%
>>> - cryptography: 0.3%
>>>
>>> I think these numbers are low enough that we can safely drop OpenSSL 0.9.8 support.
>>>
>>> Platforms specifically known to be affected:
>>> - RHEL/CentOS 5 and older
>>> - Debian Squeeze (based on OpenSSL version, this is where most of the affected users will be).
>>>
>>> Thoughts? Will you be affected by this?
>>> Alex
>>>
>>> --
>>> "I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
>>> "The people's good is the highest law." -- Cicero
>>> GPG Key fingerprint: 125F 5C67 DFE9 4084
>>>
>
> --
> Ron Frederick
> r...@timeheart.net
>
_______________________________________________ Cryptography-dev mailing list Cryptography-dev@python.org https://mail.python.org/mailman/listinfo/cryptography-dev
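The 1.3/1.4/1.5 schedule above, as an added illustration that is not the cryptography project's own code: a gate that maps an OpenSSL version number, the library's release and the environment to ok/warn/refuse, decoding the version with OpenSSL's 0xMNNFFPPS layout. The (major, minor) release tuples, the 0x10000000 cut-off and treating the value "1" as the opt-in are assumptions.

```python
import os
import warnings

# Added illustration, not cryptography's own code. OpenSSL packs its version
# as 0xMNNFFPPS (major, minor, fix, patch letter, status): 0x1000205f is
# 1.0.2e and 0x0090801f is 0.9.8a. Everything below 1.0.0 is "deprecated"
# under the thread's schedule; dropping 1.0.0 too would mean 0x10001000 here.
MIN_SUPPORTED = 0x10000000
ENV_VAR = "CRYPTOGRAPHY_ALLOW_DEPRECATED_OPENSSL"


def format_version(number):
    """Render a packed OpenSSL version number as e.g. '1.0.2e'."""
    major = number >> 28
    minor = (number >> 20) & 0xFF
    fix = (number >> 12) & 0xFF
    patch = (number >> 4) & 0xFF
    suffix = ""
    if 0 < patch <= 26:
        suffix = chr(ord("a") + patch - 1)
    elif patch > 26:  # 0.9.8 went past 'z' into 'za', 'zb', ...
        suffix = "z" + chr(ord("a") + patch - 27)
    return f"{major}.{minor}.{fix}{suffix}"


def check_openssl_policy(number, release, environ):
    """Return 'ok', 'warn' or 'refuse' for an assumed (major, minor) release."""
    if number >= MIN_SUPPORTED or release < (1, 3):
        return "ok"
    if release == (1, 3):
        return "warn"  # 1.3: deprecation warning only
    if release == (1, 4) and environ.get(ENV_VAR) == "1":
        return "warn"  # 1.4: opt-in fallback via the env var
    return "refuse"  # 1.4 without opt-in, and 1.5 or later regardless


def enforce(number, release, environ=None):
    """Apply the policy at import time: warn, raise, or continue silently."""
    environ = os.environ if environ is None else environ
    action = check_openssl_policy(number, release, environ)
    msg = f"OpenSSL {format_version(number)} is deprecated; upgrade to 1.0.0+"
    if action == "warn":
        warnings.warn(msg, DeprecationWarning)
    elif action == "refuse":
        raise RuntimeError(f"{msg} (or set {ENV_VAR}=1 on release 1.4)")
    return action
```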