I think there are two different topics here:

- macOS, Windows: PyPy is not doing a good job with the native installers. We should be following CPython and providing real packages, not a tarball. This is issue 3697 [0] for macOS and issue 2894 [5] for Windows.


- Linux (aarch64, x86_64, i686): we create a portable build of PyPy. It starts in a Docker file based on manylinux2014 [1] (note the various install scripts to get updated versions of some libraries). There is an additional wrinkle in that some of the Python modules we ship are based on cffi c-extensions (like _ssl, _gdbm, lzma). For these we have an additional build step to download and build the relevant support library on every build [6]. Then when packaging, we use ldd to check dependencies [2], set RPATH appropriately, and bundle those into the tarball [4]. We make sure that not only libpypy3-c.so is checked with ldd, but also the c-extensions [3]. There is a tradeoff between putting libraries in the Docker file and rebuilding the buildbots or building them each time, and OpenSSL is actually on both build paths (probably this could be simplified). CI caching could probably be used to lessen the burden; we have a different build/test workflow from CPython where we typically build only once a day.


[0] https://foss.heptapod.net/pypy/pypy/-/issues/3697

[1] https://foss.heptapod.net/pypy/buildbot/-/tree/branch/default/docker

[2] https://foss.heptapod.net/pypy/pypy/-/blob/branch/default/pypy/tool/release/make_portable.py#L39

[3] https://foss.heptapod.net/pypy/pypy/-/blob/branch/default/pypy/tool/release/make_portable.py#L119

[4] https://foss.heptapod.net/pypy/pypy/-/blob/branch/default/pypy/tool/release/package.py#L292

[5] https://foss.heptapod.net/pypy/pypy/-/issues/2894

[6] https://foss.heptapod.net/pypy/pypy/-/blob/branch/py3.8/lib_pypy/pypy_tools/build_cffi_imports.py#L65


As for complaints about OpenSSL versions: we release 2-3 times a year so can respond "quickly" if security concerns arise. My impression, based on the little feedback we get, is that shipping portable manylinux2014-based builds solves more end user problems than it causes. Sophisticated end users can always rebuild to suit their purposes.


Matti
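
The ldd-based dependency check described in the message above, as an added example (not PyPy's make_portable.py and not part of the original email): it parses ldd output for the interpreter library and for each c-extension and reports which libraries would need bundling. The host-library set, the extension file names and the sample ldd text are assumptions constructed for the illustration.

```python
import re

# Assumption: a subset of the libraries the manylinux2014 policy (PEP 599)
# allows a build to rely on from the host; these are never bundled.
HOST_LIBS = {"libc.so.6", "libm.so.6", "libdl.so.2", "librt.so.1",
             "libpthread.so.0", "libutil.so.1", "libgcc_s.so.1"}

# Matches "name => /path (addr)" and "name => not found". Lines for the
# vDSO and the dynamic loader carry no resolvable "=> /path" and are skipped.
LDD_LINE = re.compile(r"^\s*(\S+)\s+=>\s+(not found|/\S+)")

def parse_ldd(text):
    """Map each soname in ldd output to its resolved path (None if not found)."""
    deps = {}
    for line in text.splitlines():
        m = LDD_LINE.match(line)
        if m:
            deps[m.group(1)] = None if m.group(2) == "not found" else m.group(2)
    return deps

def plan_bundle(ldd_by_binary):
    """Return (to_bundle, missing): soname -> path, and soname -> binaries."""
    to_bundle, missing = {}, {}
    for binary, text in ldd_by_binary.items():
        for soname, path in parse_ldd(text).items():
            if path is None:
                missing.setdefault(soname, []).append(binary)
            elif soname not in HOST_LIBS:
                to_bundle[soname] = path
    return to_bundle, missing

# Constructed ldd output; the extension file names and paths are hypothetical.
SAMPLE = {
    "libpypy3-c.so": """\
\tlinux-vdso.so.1 =>  (0x00007ffd5a5f2000)
\tlibffi.so.6 => /usr/lib64/libffi.so.6 (0x00007f1c29e00000)
\tlibc.so.6 => /lib64/libc.so.6 (0x00007f1c29a00000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f1c2a400000)
""",
    "_ssl_ext.so": """\
\tlibssl.so.1.1 => /usr/local/lib/libssl.so.1.1 (0x00007f8e11000000)
\tlibcrypto.so.1.1 => /usr/local/lib/libcrypto.so.1.1 (0x00007f8e10c00000)
\tlibc.so.6 => /lib64/libc.so.6 (0x00007f8e10800000)
""",
    "_lzma_ext.so": "\tliblzma.so.5 => not found\n",
}

if __name__ == "__main__":
    print(plan_bundle(SAMPLE))
```

Running the plan on the interpreter library alone would list only libffi; the OpenSSL libraries show up only because the c-extension is scanned as well.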


On 1/4/22 01:47, matt--- via pypy-dev wrote:
I think you have to bundle on macOS - Apple ships a really old openssl.

I think cpython on macOS does this already? Might be good to be consistently 
bundling the same thing in Linux as well.

M

--
Matt Billenstein
m...@vazor.com

On Mar 31, 2022, at 3:36 PM, Brett Cannon <br...@python.org> wrote:

I noticed that https://www.pypy.org/download.html says that "the linux binaries 
ship an OpenSSL library". Have you found that to be an issue in any way? Have users 
been accepting of it?

I ask as I'm contemplating trying to get relocatable builds for CPython on 
Linux (to start), and I suspect the OpenSSL question is going to be one of the 
bigger/stickier discussion points and having some real-world 
experience/information on the topic would probably help.
_______________________________________________
pypy-dev mailing list -- pypy-dev@python.org
To unsubscribe send an email to pypy-dev-le...@python.org
https://mail.python.org/mailman3/lists/pypy-dev.python.org/
Member address: m...@vazor.com