On Thu, Jan 12, 2017 at 6:10 AM, Jack Jansen <jack.jan...@cwi.nl> wrote:

> Ok, so this is a real problem:-(
>
> Again, I’m not deep enough into the SSL stuff to really understand this
> (and specifically whether it needs a new openssl module, a new libssl,
> both, something else, ….), but I’d like to think of ways to fix this before
> the shit hits the fan for all poor mac Python users out there, if possible.
> And that includes people who aren’t even aware they’re macPython users
> because they use some app that uses Python under the hood…..
>
> So a couple of questions:
>
> 1. Is this fixable by Apple, by providing a security update to various OSX
> versions that would include a newer python/libssl/whatever?
>

They stopped updating OpenSSL around Lion, and that's the real reason
Python's ssl module is so behind. They recommend against using OpenSSL, and
steer people towards using their Cocoa equivalents instead.


> 1a. Would this still fall under Apple’s idea of “security update”?
> 1b. Do we have any chance of making Apple interested in fixing this?
>

So long as Python for Mac uses OpenSSL, the answer is likely to be no. ANY
software on a Mac that relies on the system OpenSSL has the same problem,
and Apple clearly has shown no intention of providing an updated OpenSSL.
The one thing that I think might make them consider it is if the Python ssl
problem causes them problems internally.


> 2. Is this fixable with an installer that would somehow override the
> openssl module, so that installing this one thing would make the whole
> Apple-Python installation work again?
>

Not sure about this one, but it seems like this would be problematic (e.g.
system updates may undo it) and may make things even more confusing for
people. Might as well just suggest they get the Python from python.org and
leave it at that.


> 3. Failing that, I assume it's the end of the line for Apple-Python, and
> we'll have to steer end users towards installing a python.org version.
> Right?
>

Short term, probably so, assuming the 2.7 installers start bundling their
own OpenSSL like 3.x does. The only solution Apple themselves would
probably accept would be for Python to have a Mac version of the SSL
library that uses Cocoa instead of OpenSSL. It's probably what Python will
have to do if it wants to ensure Apple isn't shipping a Python with a
broken ssl module.


> 3a. If that's the case, is there something we could ask of the pip
> developers, the PyPI maintainers, whoever else to help the poor end users?
> I.e. get them to release a version that would not say "ssl v1 invalid
> foobar get lost" but instead "you appear to be using Apple Python which
> does not support current security measures, please see www.example.com
> for more information".
>
>
That is probably a question for Donald.

Thanks,

Kevin


> Actually, question 3a to some extent also is 2a.
>
> Regards,
> Jack
>
>
> > On 10 Jan 2017, at 20:54, Ronald Oussoren <ronaldousso...@mac.com> wrote:
> >
> >
> >> On 10 Jan 2017, at 20:43, Ronald Oussoren <ronaldousso...@mac.com> wrote:
> >>
> >>
> >>> On 10 Jan 2017, at 17:05, Jack Jansen <jack.jan...@cwi.nl> wrote:
> >>>
> >>> I have completely ignored this whole TLS 1.0 versus TLS 1.2 security
> debate until now, but just now the following post came in on
> python-announce, which seems to suggest that TLS 1.0 is really about to be
> phased out:
> https://mail.python.org/pipermail/python-announce-list/2017-January/011437.html
> >>>
> >>> I think Python 2.7 older than 2.7.13 (i.e. including the Apple-shipped
> Pythons) don't support TLS 1.2 by default, which would seem to suggest that
> things like pip will stop working as of this summer.
> >>>
> >>> Or am I overreacting?
> >>
> >> You are not. Annoyingly Donald Stufft already noticed that Apple’s
> Python is problematic, but breaking for users on a major OS is apparently
> not a problem :-(
> >
> > Breaking Python tools is probably not really on Fastly’s radar and not
> something that the PyPI folks can easily avoid.
> >
> >>
> >> This shouldn’t be a problem for most serious development as those users
> likely use a separate python installation anyway, but this will affect
> casual users including at least some new users.
> >
> > BTW. This doesn't just break /usr/bin/python but also the Python.org
> installation of 2.7 (including 2.7.13), and likely any Python.org install
> except 3.6, as all installers up to 3.6 use the system OpenSSL that
> doesn't support anything beyond TLS 1.0.
> >
> > Ronald
> >
>
> --
> Jack Jansen, <jack.jan...@cwi.nl>, http://www.cwi.nl/~jack
> If I can't dance I don't want to be part of your revolution -- Emma Goldman
>
>
>
> _______________________________________________
> Pythonmac-SIG maillist  -  Pythonmac-SIG@python.org
> https://mail.python.org/mailman/listinfo/pythonmac-sig
> unsubscribe: https://mail.python.org/mailman/options/Pythonmac-SIG
>
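An added check, not code from this thread or from any of its participants, that reads the OpenSSL version the interpreter's ssl module was linked against and turns the result into the kind of plain-language message Jack asks for in 3a instead of a raw handshake error. It assumes only the standard library; the www.example.com URL is a placeholder, as in the thread.

```python
import ssl

# TLS 1.2 first appeared in OpenSSL 1.0.1. The OpenSSL Apple ships with OS X
# stayed on the 0.9.8 line, so a Python linked against it tops out at TLS 1.0.
MIN_TLS12_OPENSSL = (1, 0, 1)

# Placeholder URL, as in the thread's suggestion; not a real support page.
HELP_URL = "www.example.com"


def openssl_supports_tls12(version_info):
    """True if an OPENSSL_VERSION_INFO tuple (major, minor, fix, ...) is new
    enough to negotiate TLS 1.2."""
    return tuple(version_info[:3]) >= MIN_TLS12_OPENSSL


def diagnose(version_string, version_info):
    """Return (ok, message) for a given OpenSSL version string and tuple.

    The failing-case message is the friendly hint the thread would like pip to
    print instead of an opaque SSL error.
    """
    if openssl_supports_tls12(version_info):
        return True, "%s supports TLS 1.2; talking to PyPI should keep working." % version_string
    return False, (
        "Your Python is linked against %s, which cannot negotiate TLS 1.2. "
        "This is the case for the Python shipped with OS X and for python.org "
        "installers that use the system OpenSSL; please see %s for more information."
        % (version_string, HELP_URL)
    )


def diagnose_running_interpreter():
    """Diagnose the ssl module this interpreter actually loaded."""
    return diagnose(ssl.OPENSSL_VERSION, ssl.OPENSSL_VERSION_INFO)


if __name__ == "__main__":
    ok, message = diagnose_running_interpreter()
    print(message)
    raise SystemExit(0 if ok else 1)
```

Run it with the interpreter you are unsure about (e.g. /usr/bin/python on a Mac); a non-zero exit means that interpreter's ssl module cannot reach a TLS 1.2-only server.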