On Wed, Jan 3, 2018 at 3:51 PM, Alex Gaynor <alex.gay...@gmail.com> wrote: > If PyPy releases include a copy of OpenSSL (or LibreSSL) then we need to be > in the business of issuing new releases whenever upstream has a security > release, we can't be shipping people OpenSSLs with known security issues. > > Of LibreSSL and OpenSSL, I'd choose to ship OpenSSL -- I've found LibreSSL > fairly frustrating to work with and OpenSSL upstream is considerably cleaned > up in past years.
None of Linux, Windows, or MacOS provide reasonable pre-existing OpenSSL installs you can use. So it seems to me that if PyPy's going to ship any binaries at all and take that seriously, then it's going to have to ship OpenSSL (or LibreSSL), and do whatever security updates you all decide make sense. It's also probably not worth spending a lot of time trying to figure out how to avoid doing security updates for pypy2 on MacOS, if you're still going to have to do them for other binaries on other platforms. -n -- Nathaniel J. Smith -- https://vorpus.org _______________________________________________ pypy-dev mailing list pypy-dev@python.org https://mail.python.org/mailman/listinfo/pypy-dev
