Yeah, the fact that it really has to be our own copy of the DLL negates the advantage. If someone can rebuild that, they could rebuild the modules that statically link it.
Cheers,
Steve

Top-posted from my Windows Phone
________________________________
From: Martin v. Löwis<mailto:mar...@v.loewis.de>
Sent: 6/18/2014 2:46
To: Steve Dower<mailto:steve.do...@microsoft.com>; Yates, Andy (CS Houston, TX)<mailto:aya...@hp.com>; Python-Dev@python.org<mailto:Python-Dev@python.org>
Subject: Re: [Python-Dev] Issue 21671: CVE-2014-0224 OpenSSL upgrade to 1.0.1h on Windows required

On 17.06.14 20:27, Steve Dower wrote:
> You'll only need to rebuild the _ssl and _hashlib extension modules
> with the new OpenSSL version. The easiest way to do this is to build
> from source (which has already been updated for 1.0.1h if you use the
> externals scripts in Tools\buildbot), and you should just be able to
> drop _ssl.pyd and _hashlib.pyd on top of a normal install.
>
> Aside: I wonder if it's worth changing to dynamically linking to
> OpenSSL? It would make this kind of in-place upgrade easier when
> people need to do it. Any thoughts? (Does OpenSSL even support it?)

We originally considered using prebuilt binaries, such as

http://slproweb.com/products/Win32OpenSSL.html

This is tricky because of CRT issues: they will likely bind to a different version of the CRT, and
a) it is unclear whether this would reliably work, and
b) requires the Python installer to include a different version of the CRT, which we would not have a license to include (as the CRT redistribution license only applies to the version of the CRT that Python was built with).

There was also the desire to use the same compiler for all code distributed, to use the same optimizations on all of it.

In addition, for OpenSSL, there is compile time configuration wrt. the algorithms built into the binaries where Python's build deviates from the default.

Having a separate project to build a DLL within pcbuild.sln was never implemented. Doing so possibly increases the risk of DLL hell, if Python picks up the wrong version of OpenSSL (e.g. if Python gets embedded into some other application).

Regards, Martin
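Because _ssl.pyd and _hashlib.pyd each statically link their own copy of OpenSSL, a drop-in replacement has to be verified per file. The following is an added example, not code from the thread or from CPython: it scans a binary for the OpenSSL version banner, on the assumption that the banner string survives linking, and the function names and status labels are made up for illustration.

```python
import re
import sys
from pathlib import Path

# Banner such as b"OpenSSL 1.0.1h": three numbers plus optional patch letters.
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")
FIXED_BRANCH = (1, 0, 1)   # branch discussed in the thread
FIXED_LETTER = "h"         # 1.0.1h, the release named in the subject line


def embedded_versions(blob):
    """Return every distinct OpenSSL version banner found in the bytes."""
    return {
        (int(m[1]), int(m[2]), int(m[3]), m[4].decode("ascii"))
        for m in BANNER.finditer(blob)
    }


def letter_key(letters):
    # "" < "a" < ... < "z" < "za": order by length, then alphabetically.
    return (len(letters), letters)


def status(blob):
    """Classify one binary: 'ok', 'stale', 'other-branch' or 'unknown'."""
    found = embedded_versions(blob)
    if not found:
        return "unknown"        # no banner: stripped, or dynamically linked
    if any(v[:3] != FIXED_BRANCH for v in found):
        return "other-branch"   # outside what this check can judge
    if any(letter_key(v[3]) < letter_key(FIXED_LETTER) for v in found):
        return "stale"          # an older 1.0.1 copy is still linked in
    return "ok"


if __name__ == "__main__":
    # Usage: python check_openssl.py path\to\_ssl.pyd path\to\_hashlib.pyd
    for name in sys.argv[1:]:
        print(name, status(Path(name).read_bytes()))
```

Run it against both modules after the replacement: a result of `stale` for either file means that module still carries the old library, and `unknown` means the banner was not found and the file needs another method of verification.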