On Mon, Aug 29, 2016 at 1:18 PM Christian Heimes <christ...@python.org>
wrote:

> On 2016-08-29 21:31, M.-A. Lemburg wrote:
> > On 29.08.2016 18:33, Cory Benfield wrote:
> >>
> >>> On 29 Aug 2016, at 04:09, M.-A. Lemburg <m...@egenix.com> wrote:
> >>>
> >>> On 28.08.2016 22:40, Christian Heimes wrote:
> >>>> ...
> >>>> I like to reduce the maintenance burden and list of supported OpenSSL
> >>>> versions ASAP. OpenSSL has deprecated 0.9.8 and 1.0.0 last year. 1.0.1
> >>>> will reach EOL by the end of this year,
> >>>> https://www.openssl.org/policies/releasestrat.html . However OpenSSL
> >>>> 0.9.8 is still required for some platforms (OSX).
> >>>> ...
> >>>> For upcoming 3.6 I would like to limit support to 1.0.2+ and require
> >>>> 1.0.2 features for 3.7.
> >>>> ...
> >>>
> >>> Hmm, that last part would mean that Python 3.7 will no longer compile
> >>> on e.g. Ubuntu 14.04 LTS which uses OpenSSL 1.0.1 as default version.
> >>> Since 14.04 LTS is supported until 2019, I think it would be better
> >>> to only start requiring 1.0.2 in Python 3.8.
> >>
> >> Can someone explain to me why this is a use-case we care about?
> >
> > Ubuntu 14.04 is a widely deployed system and newer Python version
> > should run on such widely deployed systems without having to
> > replace important vendor maintained system libraries such as
> > OpenSSL.
>
> "Widely deployed" is true for a lot of old operating systems including
> Windows XP.
>
> > Python 3.7 starts shipping around June 2018 (assuming the 18 month
> > release cycle). Ubuntu 14.04 EOL is April 2019, so in order to
> > be able to use Python 3.7 on such a system, you'd have to upgrade
> > to a more recent LTS version 10 months before the EOL date (with
> > all the associated issues) or lose vendor maintenance support and
> > run with your own copy of OpenSSL.
>
> Why would you deploy an unsupported Python version on a LTS release? Why
> should compatibility be our concern?
>
> > Sure, but Ubuntu will continue to support OpenSSL 1.0.1
> > until 2019, backporting important security fixes as necessary and
> > that's what's important.
>
> I see an easy solution here: either pay or make Canonical backport all
> required features to OpenSSL 1.0.1. </sarcasm>
>
> > It's unfortunate that Python has to rely on a 3rd party library
> > for security, but we should at least make sure that our users
> > can rely on OS vendor support to keep the lib up to date with
> > security fixes.
>
> No, it is a good thing that we can rely on 3rd party libraries for
> security. Crypto and security is not our domain. It is incredibly hard
> to develop and maintain crypto code. Also my proposal enforces OS
> vendors to supply up to date OpenSSL versions.
>
> >
> > On 29.08.2016 10:24, Christian Heimes wrote:
> >> By the way I knew that something like this would come up from you.
> >> Thank you that you satisfied my expectation. :p
> >
> > Sure, I want Python to be used on as many systems as possible,
> > both in terms of architecture and OS. The more the better.
> > If we don't have to drop support early, why should we ?
>
> MAL, I don't like your attitude. It feels like you want me and other
> contributors to waste time on this topic. That is not how this
> discussion is going to end. If *you* want to keep support for outdated
> OpenSSL versions, then it is *your* responsibility and *your* time. You
> cannot and will not put this burden on me.
>

Please keep your dialog civil Christian. That was unwarranted.

Nobody was forcing a burden upon you. 3.6 will remain buildable and usable
on common stable distros so long as we support 1.0.1 which sounds easy to
do.  For 3.7 we can move on and raise the minimum beyond that.

...

> opinion it is more than reasonable to ditch 1.0.1 and earlier.
>

Given that you already said:

"""
For 3.6 I don't require any 1.0.2 feature yet. The 1.1.0 patch keeps
code compatible with 0.9.8zc to 1.1.0. But as soon as I use new
features, the ssl module will no longer be source and build compatible
with < 1.0.2. There is also the point of OpenSSL 1.0.1. It reaches
end-of-lifetime by the end of this year. 1.0.2 will be supported until 2019.

I'm tempted to require 1.0.2 for Python 3.6 but it's technically not
necessary yet.
"""

That to me means we should keep support for 1.0.1 in Python 3.6 unless
there are features in 1.0.2 that you find are an absolute must have within
the next two weeks. We're going to be entering 3.6beta on September 12th
and current stable distros do not ship with a more recent version so let's
not make the lives of our developers and buildbot maintainers hell by
forcing them to install a special version.

Let's make 3.7 require a higher version. The common OSS OS distros of its
time will be better prepared.

-gps
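As an added illustration of the version question argued above (example code, not part of the thread or of CPython): the script below parses the OpenSSL banner an interpreter reports via `ssl.OPENSSL_VERSION`, compares it against the branch lifetimes the thread cites (0.9.8/1.0.0 deprecated in 2015, 1.0.1 EOL end of 2016, 1.0.2 supported until 2019) and against the proposed floors of 1.0.1 for Python 3.6 and 1.0.2 for 3.7. The `PROPOSED_MINIMUM` and `BRANCH_EOL` tables are assumptions distilled from the discussion, not official policy, and the exact EOL day-of-year is made up; only the years come from the thread.

```python
import re
import ssl
from datetime import date

# Floors the thread proposes per Python minor version: 3.6 keeps 1.0.1
# buildable, 3.7 raises the minimum to 1.0.2. Assumed from the discussion,
# not an official CPython policy table.
PROPOSED_MINIMUM = {(3, 6): (1, 0, 1), (3, 7): (1, 0, 2)}

# Branch end-of-life as stated in the thread (0.9.8/1.0.0 deprecated in 2015,
# 1.0.1 EOL end of 2016, 1.0.2 supported until 2019). Only the years come
# from the thread; the day-of-year is an assumption. Tuples are (y, m, d).
BRANCH_EOL = {
    (0, 9, 8): (2015, 12, 31),
    (1, 0, 0): (2015, 12, 31),
    (1, 0, 1): (2016, 12, 31),
    (1, 0, 2): (2019, 12, 31),
}

_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_openssl_version(banner):
    """'OpenSSL 1.0.1f 6 Jan 2014' -> (1, 0, 1, 'f'); ValueError otherwise."""
    m = _BANNER_RE.search(banner)
    if m is None:
        raise ValueError("not an OpenSSL version banner: %r" % (banner,))
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter

def branch_status(version, today):
    """'supported', 'eol' or 'unknown' for version's branch on today=(y, m, d)."""
    eol = BRANCH_EOL.get(tuple(version[:3]))
    if eol is None:
        return "unknown"  # e.g. 1.1.0, which the thread does not date
    return "eol" if tuple(today) > eol else "supported"

def meets_proposed_minimum(version, python_version):
    """True if version satisfies the proposed floor for Python (major, minor)."""
    return tuple(version[:3]) >= PROPOSED_MINIMUM[tuple(python_version[:2])]

def report(banner=None, python_version=(3, 7), today=None):
    """Check the running interpreter's OpenSSL (or a given banner)."""
    version = parse_openssl_version(banner or ssl.OPENSSL_VERSION)
    today = today or date.today().timetuple()[:3]
    return {"version": version,
            "branch": branch_status(version, today),
            "ok_for_python": meets_proposed_minimum(version, python_version)}
```

`ssl.OPENSSL_VERSION_INFO` (a 5-tuple) can be passed to `branch_status` and `meets_proposed_minimum` directly, since both only look at the first three components.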
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev