> On Jan 12, 2017, at 6:10 AM, Jack Jansen <jack.jan...@cwi.nl> wrote:
> 
> Ok, so this is a real problem:-(
> 
> Again, I’m not deep enough into the SSL stuff to really understand this (and 
> specifically whether it needs a new openssl module, a new libssl, both, 
> something else, ….), but I’d like to think of ways to fix this before the 
> shit hits the fan for all poor mac Python users out there, if possible. And 
> that includes people who aren’t even aware they’re macPython users because 
> they use some app that uses Python under the hood…..
> 
> So a couple of questions:
> 
> 1. Is this fixable by Apple, by providing a security update to various OSX 
> versions that would include a newer python/libssl/whatever? 

Yes.  Apple should really be including a private OpenSSL with Python.  But they 
probably won't do that.

> 1a. Would this still fall under Apple’s idea of “security update”?

No, it would probably be a Major-OS sort of thing.

> 1b. Do we have any chance of making Apple interested in fixing this?

It's doubtful that they will update OpenSSL directly.  But they might include a 
new version of Python with a different approach to basic TLS (see the 'tls' 
module in my other response).

> 2. Is this fixable with an installer that would somehow override the openssl 
> module, so that installing this one thing would make the whole Apple-Python 
> installation work again?

Yes and no.  You could fix this by replacing the 'ssl' module with a wrapper 
that replicates it based on 'pyOpenSSL', which is a layer over 'cryptography', 
but this doesn't help users bootstrap via Pip; it would be easier to just tell 
them to get a different Python.
> 3. Failing that, I assume it's the end of the line for Apple-Python, and we’ll 
> have to steer end users towards installing a python.org version. Right?

Homebrew is by far my most preferred option (easier to get updates, easier to 
get PyPy, easier to make multiple versions play nicely, more tuned for 
developers, etc etc etc).  But python.org <http://python.org/> is a reasonable 
option as well.  And there are lots of other reasons not to tell users to use 
the system-provided Python.

> 3a. If that’s the case, is there something we could ask of the pip 
> developers, the PyPi maintainers, whoever else to help the poor end users? 
> I.e. get them to release a version that would not say “ssl v1 invalid foobar 
> get lost” but instead “you appear to be using Apple Python which does not 
> support current security measures, please see www.example.com for more 
> information”.

There's no way to do this purely from PyPI's side, but with a little help from 
Apple it's doable.

Another option here is to build the mac Python installers differently so 
they're more user-friendly, and rather than a .pkg make a .app, so that users 
who have sufficiently little command-line expertise to be able to get something 
like Homebrew to behave properly would be able to get on-screen instructions 
and prompts that would help them get set up with a correct command line.

-glyph
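The friendlier diagnostic proposed in question 3a, written as an added example rather than anything from the thread or from pip: a preflight check that a pip-like tool could run before talking to PyPI, turning a bare handshake failure into an explanation. It relies on the fact that TLS 1.2 arrived in OpenSSL 1.0.1 while Apple's system Python links against 0.9.8; the help URL is a placeholder, and the `/System/` and `/usr/bin/` path test for spotting the Apple-supplied interpreter is an assumption.

```python
"""Preflight check: does this interpreter's OpenSSL speak TLS 1.2?

Added example, not code from the mailing-list thread or from pip.
Assumptions: HELP_URL is a placeholder; the executable-path heuristic
for Apple's Python is a guess, not a documented contract.
"""
import ssl
import sys

# TLS 1.2 support was introduced in OpenSSL 1.0.1; Apple's system Python
# links the much older 0.9.8, which can only negotiate TLS 1.0.
MIN_TLS12_OPENSSL = (1, 0, 1)
HELP_URL = "https://www.example.com/apple-python"  # placeholder (see question 3a)


def openssl_supports_tls12(version_info):
    """True if an OpenSSL version tuple (major, minor, fix, patch, status) is >= 1.0.1.

    LibreSSL reports itself as 2.x and has always had TLS 1.2, so it passes too.
    """
    return tuple(version_info[:3]) >= MIN_TLS12_OPENSSL


def is_apple_system_python(executable, platform):
    # Heuristic (assumption): Apple's Python lives under /System or /usr/bin,
    # whereas python.org and Homebrew installs live elsewhere.
    return platform == "darwin" and (
        executable.startswith("/System/") or executable.startswith("/usr/bin/")
    )


def diagnose(version_info, version_string, executable, platform):
    """Return None when TLS 1.2 is available, else a user-facing explanation."""
    if openssl_supports_tls12(version_info):
        return None
    if is_apple_system_python(executable, platform):
        return ("You appear to be using the Apple-supplied Python (%s), whose %s "
                "does not support current security measures required by PyPI. "
                "Install a python.org or Homebrew Python; see %s"
                % (executable, version_string, HELP_URL))
    return ("%s is linked against %s, which cannot negotiate TLS 1.2; "
            "rebuild it against OpenSSL 1.0.1 or newer." % (executable, version_string))


if __name__ == "__main__":
    # Run against the interpreter this script is executed with.
    msg = diagnose(ssl.OPENSSL_VERSION_INFO, ssl.OPENSSL_VERSION,
                   sys.executable, sys.platform)
    print(msg or "OK: %s supports TLS 1.2" % ssl.OPENSSL_VERSION)
```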

_______________________________________________
Pythonmac-SIG maillist  -  Pythonmac-SIG@python.org
https://mail.python.org/mailman/listinfo/pythonmac-sig
unsubscribe: https://mail.python.org/mailman/options/Pythonmac-SIG
