Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL>=2.5.3

2018-01-17 Thread Christian Heimes
On 2018-01-16 22:47, Steve Dower wrote: > I think you mean out-of-band updates, and by “you” I'm going to pretend > you mean PyCA ;) Err, yes :)

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL>=2.5.3

2018-01-16 Thread Steve Dower
I think you mean out-of-band updates, and by “you” I'm going to pretend you mean PyCA ;)

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >=2.5.3

2018-01-16 Thread Steve Dower
statically link OpenSSL anymore, it can be done easily with ctypes, so I’ll probably put out a package for it sometime soon.

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-16 Thread Christian Heimes
FYI, master on Travis CI now builds and uses OpenSSL 1.1.0g [1]. I have created a daily cronjob to populate Travis' cache with OpenSSL builds. Until the cache is filled, Linux CI will take an extra 5 minutes. Christian [1] https://github.com/python/cpython/pull/5180

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-16 Thread Wes Turner
On Tuesday, January 16, 2018, Christian Heimes wrote: > On 2018-01-16 12:28, Wes Turner wrote: > > > > > > On Tuesday, January 16, 2018, Steve Dower > > wrote: > > > > From my perspective, we can’t keep an

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-16 Thread Christian Heimes
On 2018-01-16 12:28, Wes Turner wrote: > > > On Tuesday, January 16, 2018, Steve Dower > wrote: > > From my perspective, we can’t keep an OpenSSL-like API and use > Windows platform libraries (we *could* do a requests-like API

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-16 Thread Wes Turner
jp> > *Sent: *Tuesday, January 16, 2018 17:45 > *To: *Matt Billenstein <m...@vazor.com> > *Cc: *Christian Heimes <christ...@python.org>; python-dev@python.org > *Subject: *Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / > LibreSSL >=2.5.3 > > > > Mat

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >=2.5.3

2018-01-16 Thread Christian Heimes
On 2018-01-16 08:08, Steve Dower wrote: > From my perspective, we can’t keep an OpenSSL-like API and use Windows > platform libraries (we *could* do a requests-like API easily enough, but > even urllib3 is painfully low-level). > >   > > We have to continue shipping our own copy of OpenSSL on

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >=2.5.3

2018-01-15 Thread Steve Dower
Matt Billenstein writes: > In my mind it becomes easier to bundle deps in a binary installer > across the board (Linux, OSX, Windows) rather than rely on whatever > version the operating

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-15 Thread Stephen J. Turnbull
Matt Billenstein writes: > In my mind it becomes easier to bundle deps in a binary installer > across the board (Linux, OSX, Windows) rather than rely on whatever > version the operating system provides. Thing is, as Christian points out, TLS is a rapidly moving target. Every Mac OS or iOS

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-14 Thread Matt Billenstein
On Sun, Jan 14, 2018 at 10:54:57AM -0500, Ned Deily wrote: > On Jan 14, 2018, at 08:39, Christian Heimes wrote: > > On 2018-01-14 09:24, Matt Billenstein wrote: > >> Correct me if I'm wrong, but Python3 on osx bundles openssl since Apple has > >> deprecated (and no longer

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-14 Thread Christian Heimes
On 2018-01-14 16:54, Ned Deily wrote: > On Jan 14, 2018, at 08:39, Christian Heimes wrote: >> On 2018-01-14 09:24, Matt Billenstein wrote: >>> Correct me if I'm wrong, but Python3 on osx bundles openssl since Apple has >>> deprecated (and no longer ships the header files

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-14 Thread Wes Turner
FWIW, anaconda and conda-forge currently have 1.0.2 X https://anaconda.org/anaconda/openssl https://anaconda.org/conda-forge/openssl On Sunday, January 14, 2018, Ned Deily wrote: > On Jan 14, 2018, at 08:39, Christian Heimes wrote: > > On 2018-01-14

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-14 Thread Ned Deily
On Jan 14, 2018, at 08:39, Christian Heimes wrote: > On 2018-01-14 09:24, Matt Billenstein wrote: >> Correct me if I'm wrong, but Python3 on osx bundles openssl since Apple has >> deprecated (and no longer ships the header files for) the version shipped >> with >> recent

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-14 Thread Christian Heimes
On 2018-01-14 09:24, Matt Billenstein wrote: > Correct me if I'm wrong, but Python3 on osx bundles openssl since Apple has > deprecated (and no longer ships the header files for) the version shipped with > recent versions of osx. > > Perhaps this is an option to support the various flavors of

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-14 Thread Matt Billenstein
Correct me if I'm wrong, but Python3 on osx bundles openssl since Apple has deprecated (and no longer ships the header files for) the version shipped with recent versions of osx. Perhaps this is an option to support the various flavors of Linux as well? m On Sun, Jan 14, 2018 at 02:48:49AM

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-14 Thread Christian Heimes
On 2018-01-14 11:17, Antoine Pitrou wrote: > On Sat, 13 Jan 2018 23:45:07 +0100 > Christian Heimes wrote: >> On 2018-01-13 21:02, Brett Cannon wrote: >>> +1 from me as well for the improved security. >> >> Thanks, Brett! >> >> How should we handle CPython's Travis CI

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-14 Thread Antoine Pitrou
On Sat, 13 Jan 2018 23:45:07 +0100 Christian Heimes wrote: > On 2018-01-13 21:02, Brett Cannon wrote: > > +1 from me as well for the improved security. > > Thanks, Brett! > > How should we handle CPython's Travis CI tests? The 14.04 boxes have > OpenSSL 1.0.1. To the

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-14 Thread Christian Heimes
On 2018-01-14 03:48, Paul G wrote: > One thing to note is that if getting Travis working with Python 3.7 is a > pain, a huge number of libraries on PyPI probably just won't test > against Python 3.7, which is not a great situation to be in. > > It's probably worth contacting Travis to give them a

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-14 Thread Christian Heimes
On 2018-01-14 01:03, Steven D'Aprano wrote: > On Sat, Jan 13, 2018 at 02:23:19PM +0100, Antoine Pitrou wrote: >> On Sat, 13 Jan 2018 13:54:33 +0100 >> Christian Heimes wrote: >>> >>> If we agree to drop support for OpenSSL 0.9.8 and 1.0.1, then I can land >>> bunch of useful

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-14 Thread Terry Reedy
On 1/13/2018 3:02 PM, Brett Cannon wrote: On Sat, Jan 13, 2018, 05:24 Antoine Pitrou, > wrote: On Sat, 13 Jan 2018 13:54:33 +0100 Christian Heimes > wrote: > > If we

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-13 Thread Oleg Broytman
On Sun, Jan 14, 2018 at 02:16:53AM +, Brett Cannon wrote: > My guess is we either move to containers on Travis, see if we can manually > install -- through apt or something -- a newer version of OpenSSL OpenSSL 1.0.2 cannot be installed with apt on Trusty but I think it

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-13 Thread Paul G
One thing to note is that if getting Travis working with Python 3.7 is a pain, a huge number of libraries on PyPI probably just won't test against Python 3.7, which is not a great situation to be in. It's probably worth contacting Travis to give them a heads-up and see how likely it is that

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-13 Thread Brett Cannon
On Sat, Jan 13, 2018, 14:45 Christian Heimes, wrote: > On 2018-01-13 21:02, Brett Cannon wrote: > > +1 from me as well for the improved security. > > Thanks, Brett! > > How should we handle CPython's Travis CI tests? The 14.04 boxes have > OpenSSL 1.0.1. To the best of my

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-13 Thread Gregory P. Smith
On Sat, Jan 13, 2018 at 4:34 PM Steven D'Aprano wrote: > On Sat, Jan 13, 2018 at 02:23:19PM +0100, Antoine Pitrou wrote: > > On Sat, 13 Jan 2018 13:54:33 +0100 > > Christian Heimes wrote: > > > > > > If we agree to drop support for OpenSSL 0.9.8 and

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-13 Thread Steven D'Aprano
On Sat, Jan 13, 2018 at 02:23:19PM +0100, Antoine Pitrou wrote: > On Sat, 13 Jan 2018 13:54:33 +0100 > Christian Heimes wrote: > > > > If we agree to drop support for OpenSSL 0.9.8 and 1.0.1, then I can land > > bunch of useful goodies like proper hostname verification [2],

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-13 Thread Christian Heimes
On 2018-01-13 21:02, Brett Cannon wrote: > +1 from me as well for the improved security. Thanks, Brett! How should we handle CPython's Travis CI tests? The 14.04 boxes have OpenSSL 1.0.1. To the best of my knowledge, Travis doesn't offer 16.04. We could either move to container-based testing

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-13 Thread Brett Cannon
On Sat, Jan 13, 2018, 05:24 Antoine Pitrou, wrote: > On Sat, 13 Jan 2018 13:54:33 +0100 > Christian Heimes wrote: > > > > If we agree to drop support for OpenSSL 0.9.8 and 1.0.1, then I can land > > bunch of useful goodies like proper hostname

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-13 Thread Antoine Pitrou
On Sat, 13 Jan 2018 15:49:21 +0100 Christian Heimes wrote: > On 2018-01-13 14:23, Antoine Pitrou wrote: > > On Sat, 13 Jan 2018 13:54:33 +0100 > > Christian Heimes wrote: > >> > >> If we agree to drop support for OpenSSL 0.9.8 and 1.0.1, then I can

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-13 Thread Christian Heimes
On 2018-01-13 14:23, Antoine Pitrou wrote: > On Sat, 13 Jan 2018 13:54:33 +0100 > Christian Heimes wrote: >> >> If we agree to drop support for OpenSSL 0.9.8 and 1.0.1, then I can land >> bunch of useful goodies like proper hostname verification [2], proper >> fix for IP

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-13 Thread Antoine Pitrou
On Sat, 13 Jan 2018 13:54:33 +0100 Christian Heimes wrote: > > If we agree to drop support for OpenSSL 0.9.8 and 1.0.1, then I can land > bunch of useful goodies like proper hostname verification [2], proper > fix for IP address in SNI TLS header [3], PEP 543 compatible

[Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-13 Thread Christian Heimes
Hi, I'm still working on a ssl module PEP for 3.7 [1], but it's probably not going to be finished before beta 1 deadline. I have a bunch of fixes and improvements for the ssl module in queue, most of them require OpenSSL 1.0.2 features. The features are also present and working properly since