Re: [Python-Dev] Supported versions of OpenSSL

2016-08-31 Thread Brett Cannon
I think it's time for this thread to stop as everyone seems to be talking in circles. Christian said he's going to write a PEP so let's wait for that before discussing this any further so we have a concrete proposal to focus around. On Wed, 31 Aug 2016 at 05:04 Nick Coghlan

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-31 Thread M.-A. Lemburg
On 31.08.2016 14:02, Nick Coghlan wrote: > On 31 August 2016 at 20:20, M.-A. Lemburg wrote: >> ... which would then mean: Python's compatibility roadmap will >> be dictated by OpenSSL. >> >> I won't buy into that, sorry. Crypto is a helper in certain >> situations, it's not what

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-31 Thread Nick Coghlan
On 31 August 2016 at 20:20, M.-A. Lemburg wrote: > ... which would then mean: Python's compatibility roadmap will > be dictated by OpenSSL. > > I won't buy into that, sorry. Crypto is a helper in certain > situations, it's not what Python is all about. We should not > let OpenSSL

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-31 Thread Nick Coghlan
On 31 August 2016 at 19:33, M.-A. Lemburg wrote: > On 31.08.2016 10:43, Antoine Pitrou wrote: >> On Wed, 31 Aug 2016 10:31:12 +0200 >> "M.-A. Lemburg" wrote: >>> >>> I am thinking of Python users out there who are running on LTS >>> OS releases simply because

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-31 Thread M.-A. Lemburg
On 31.08.2016 12:05, Christian Heimes wrote: > This was my last reply to your mails on this topic. It's clear to me > that you are not open to Cory's, Nick's or my arguments and that you > won't change your position. More replies are just a waste of my limited > time. I *am* open to arguments,

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-31 Thread Christian Heimes
On 2016-08-30 18:00, Antoine Pitrou wrote: > On Sun, 28 Aug 2016 22:40:11 +0200 > Christian Heimes wrote: >> >> Here is the deal for 2.7 to 3.5: >> >> 1) All versions older than 0.9.8 are completely out-of-scope and no >> longer supported. >> >> 2) 0.9.8 is semi-support.

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-31 Thread Christian Heimes
On 2016-08-31 11:33, M.-A. Lemburg wrote: > On 31.08.2016 10:50, Christian Heimes wrote: >> On 2016-08-31 10:31, M.-A. Lemburg wrote: >>> In all this discussion I have yet to find a compelling security >>> relevant argument for using an 1.0.2 API which is so important >>> that we cannot make this

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-31 Thread Antoine Pitrou
On 31/08/2016 at 11:33, M.-A. Lemburg wrote: > On 31.08.2016 10:43, Antoine Pitrou wrote: >> On Wed, 31 Aug 2016 10:31:12 +0200 >> "M.-A. Lemburg" wrote: >>> >>> I am thinking of Python users out there who are running on LTS >>> OS releases simply because their IT doesn't let

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-31 Thread M.-A. Lemburg
On 31.08.2016 10:43, Antoine Pitrou wrote: > On Wed, 31 Aug 2016 10:31:12 +0200 > "M.-A. Lemburg" wrote: >> >> I am thinking of Python users out there who are running on LTS >> OS releases simply because their IT doesn't let them run anything >> else. > > There is a solution

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-31 Thread M.-A. Lemburg
On 31.08.2016 10:50, Christian Heimes wrote: > On 2016-08-31 10:31, M.-A. Lemburg wrote: >> In all this discussion I have yet to find a compelling security >> relevant argument for using an 1.0.2 API which is so important >> that we cannot make this optional at runtime. >> >> The only argument

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-31 Thread Christian Heimes
On 2016-08-31 10:31, M.-A. Lemburg wrote: > In all this discussion I have yet to find a compelling security > relevant argument for using an 1.0.2 API which is so important > that we cannot make this optional at runtime. > > The only argument Christian reported was this one: > > """ >> BTW: Are

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-31 Thread Antoine Pitrou
On Wed, 31 Aug 2016 10:31:12 +0200 "M.-A. Lemburg" wrote: > > I am thinking of Python users out there who are running on LTS > OS releases simply because their IT doesn't let them run anything > else. There is a solution nowadays, which is to use Anaconda (or Miniconda).

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-31 Thread Christian Heimes
On 2016-08-30 22:07, M.-A. Lemburg wrote: > That was not my point. It's unfortunate that Python depends on > a library which is inevitably going to need updates frequently, > and which then may have the implication that Python won't compile on > systems which don't ship with more recent OpenSSL

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-31 Thread M.-A. Lemburg
On 31.08.2016 01:55, Gregory P. Smith wrote: > On Tue, Aug 30, 2016 at 1:08 PM M.-A. Lemburg wrote: >>> On 29.08.2016 22:16, Christian Heimes wrote: >>> In my >>> opinion it is more than reasonable to ditch 1.0.1 and earlier. >> >> I want you to consider the consequences of doing

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-31 Thread Paul Moore
On 31 August 2016 at 00:55, Gregory P. Smith wrote: > I find that users of such systems either use only what their distro itself > supplies (ie: ancient versions at that point) or are fully comfortable > building any dependencies their own software needs. If they are comfortable

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-30 Thread Nick Coghlan
On 31 August 2016 at 09:55, Gregory P. Smith wrote: > On Tue, Aug 30, 2016 at 1:08 PM M.-A. Lemburg wrote: >> Yet, a move to require OpenSSL 1.0.2 for Python 3.7 will make >> it impossible to run such apps on systems that still use OpenSSL >> 1.0.1, e.g. Ubuntu

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-30 Thread Gregory P. Smith
On Tue, Aug 30, 2016 at 1:08 PM M.-A. Lemburg wrote: > On 29.08.2016 22:16, Christian Heimes wrote: > > On 2016-08-29 21:31, M.-A. Lemburg wrote: > >> On 29.08.2016 18:33, Cory Benfield wrote: > >>> > On 29 Aug 2016, at 04:09, M.-A. Lemburg wrote: > >

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-30 Thread Cory Benfield
> On 30 Aug 2016, at 16:07, M.-A. Lemburg wrote: > > That was not my point. It's unfortunate that Python depends on > a library which is inevitably going to need updates frequently, > and which then may have the implication that Python won't compile on > systems which don't

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-30 Thread M.-A. Lemburg
On 29.08.2016 22:16, Christian Heimes wrote: > On 2016-08-29 21:31, M.-A. Lemburg wrote: >> On 29.08.2016 18:33, Cory Benfield wrote: >>> On 29 Aug 2016, at 04:09, M.-A. Lemburg wrote: On 28.08.2016 22:40, Christian Heimes wrote: > ... > I like to reduce

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-30 Thread Antoine Pitrou
On Sun, 28 Aug 2016 22:40:11 +0200 Christian Heimes wrote: > > Here is the deal for 2.7 to 3.5: > > 1) All versions older than 0.9.8 are completely out-of-scope and no > longer supported. > > 2) 0.9.8 is semi-support. Python will still compile and work with 0.9.8. >

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-30 Thread Terry Reedy
On 8/29/2016 10:59 PM, Nick Coghlan wrote: By contrast (and assuming I understand the situation correctly), the Windows build is already set up around the assumption that you'll need to build OpenSSL yourself. If one installs a minimal svn client and passes -e to Zack's wonderful built.bat,

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-30 Thread Nick Coghlan
On 30 August 2016 at 15:13, Benjamin Peterson wrote: > On Sun, Aug 28, 2016, at 22:42, Christian Heimes wrote: >> In my proto-PEP I'm talking about different levels of support: full, >> build-only and unsupported. Full support means that the combination of >> Python and

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-29 Thread Benjamin Peterson
On Sun, Aug 28, 2016, at 22:42, Christian Heimes wrote: > On 2016-08-29 04:38, Ned Deily wrote: > > On Aug 28, 2016, at 19:06, Benjamin Peterson wrote: > >> On Sun, Aug 28, 2016, at 13:40, Christian Heimes wrote: > >>> Here is the deal for 2.7 to 3.5: > >>> > >>> 1) All

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-29 Thread Ned Deily
On Aug 29, 2016, at 22:59, Nick Coghlan wrote: > The other thing I've been looking at is how well documented the > process is for building with a custom OpenSSL instead of the system > one, and as near as I can tell, it isn't documented at all - the top > level README doesn't

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-29 Thread Nick Coghlan
On 30 August 2016 at 08:56, Barry Warsaw wrote: > On Aug 29, 2016, at 12:33 PM, Cory Benfield wrote: > >>Can someone explain to me why this is a use-case we care about? > > I do think it would be nice to be able to compile newer versions of Python on > stock LTS releases,

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-29 Thread Cory Benfield
> On 29 Aug 2016, at 15:31, M.-A. Lemburg wrote: > > Ubuntu 14.04 is a widely deployed system and newer Python version > should run on such widely deployed systems without having to > replace important vendor maintained system libraries such as > OpenSSL. That's quite the

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-29 Thread Nick Coghlan
On 30 August 2016 at 02:33, Cory Benfield wrote: > >> On 29 Aug 2016, at 04:09, M.-A. Lemburg wrote: >> >> On 28.08.2016 22:40, Christian Heimes wrote: >>> ... >>> I like to reduce the maintenance burden and list of supported OpenSSL >>> versions ASAP. OpenSSL

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-29 Thread Terry Reedy
On 8/29/2016 5:20 PM, Christian Heimes wrote: On 2016-08-29 23:00, Gregory P. Smith wrote: Let's make 3.7 require a higher version. The common OSS OS distros of its time will be better prepared. Especially is warned. My multissl test script allows me to compile and test _ssl.c and

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-29 Thread Barry Warsaw
On Aug 29, 2016, at 12:33 PM, Cory Benfield wrote: >Can someone explain to me why this is a use-case we care about? I do think it would be nice to be able to compile newer versions of Python on stock LTS releases, especially for people developing software that they want to support on a

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-29 Thread Christian Heimes
On 2016-08-29 23:00, Gregory P. Smith wrote: > > Given that you already said: > > """ > For 3.6 I don't require any 1.0.2 feature yet. The 1.1.0 patch keeps > code compatible with 0.9.8zc to 1.1.0. But as soon as I use new > features, the ssl module will no longer be source and build compatible

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-29 Thread Gregory P. Smith
On Mon, Aug 29, 2016 at 1:18 PM Christian Heimes wrote: > On 2016-08-29 21:31, M.-A. Lemburg wrote: > > On 29.08.2016 18:33, Cory Benfield wrote: > >> > >>> On 29 Aug 2016, at 04:09, M.-A. Lemburg wrote: > >>> > >>> On 28.08.2016 22:40, Christian Heimes

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-29 Thread Christian Heimes
On 2016-08-29 22:10, Random832 wrote: > On Mon, Aug 29, 2016, at 04:09, M.-A. Lemburg wrote: >> Hmm, that last part would mean that Python 3.7 will no longer compile >> on e.g. Ubuntu 14.04 LTS which uses OpenSSL 1.0.1 as default version. >> Since 14.04 LTS is supported until 2019, I think it

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-29 Thread Christian Heimes
On 2016-08-29 21:31, M.-A. Lemburg wrote: > On 29.08.2016 18:33, Cory Benfield wrote: >> >>> On 29 Aug 2016, at 04:09, M.-A. Lemburg wrote: >>> >>> On 28.08.2016 22:40, Christian Heimes wrote: ... I like to reduce the maintenance burden and list of supported OpenSSL

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-29 Thread Random832
On Mon, Aug 29, 2016, at 04:09, M.-A. Lemburg wrote: > Hmm, that last part would mean that Python 3.7 will no longer compile > on e.g. Ubuntu 14.04 LTS which uses OpenSSL 1.0.1 as default version. > Since 14.04 LTS is supported until 2019, I think it would be better > to only start requiring 1.0.2

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-29 Thread M.-A. Lemburg
On 29.08.2016 18:33, Cory Benfield wrote: > >> On 29 Aug 2016, at 04:09, M.-A. Lemburg wrote: >> >> On 28.08.2016 22:40, Christian Heimes wrote: >>> ... >>> I like to reduce the maintenance burden and list of supported OpenSSL >>> versions ASAP. OpenSSL has deprecated 0.9.8 and

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-29 Thread Brett Cannon
On Mon, 29 Aug 2016 at 09:34 Cory Benfield wrote: > > > On 29 Aug 2016, at 04:09, M.-A. Lemburg wrote: > > > > On 28.08.2016 22:40, Christian Heimes wrote: > >> ... > >> I like to reduce the maintenance burden and list of supported OpenSSL > >> versions ASAP.

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-29 Thread Cory Benfield
> On 29 Aug 2016, at 04:09, M.-A. Lemburg wrote: > > On 28.08.2016 22:40, Christian Heimes wrote: >> ... >> I like to reduce the maintenance burden and list of supported OpenSSL >> versions ASAP. OpenSSL has deprecated 0.9.8 and 1.0.0 last year. 1.0.1 >> will reach EOL by the

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-29 Thread Chris Angelico
On Mon, Aug 29, 2016 at 9:16 PM, Nick Coghlan wrote: > On 29 August 2016 at 21:05, Chris Angelico wrote: >> On Mon, Aug 29, 2016 at 8:52 PM, Nick Coghlan wrote: >>> For upcoming 3.6 I would like to limit support to 1.0.2+ and require >>>

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-29 Thread Nick Coghlan
On 29 August 2016 at 21:05, Chris Angelico wrote: > On Mon, Aug 29, 2016 at 8:52 PM, Nick Coghlan wrote: >> For upcoming 3.6 I would like to limit support to 1.0.2+ and require >> 1.0.2 features for 3.7. > > What does "limit support" mean? Will it be

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-29 Thread Chris Angelico
On Mon, Aug 29, 2016 at 8:52 PM, Nick Coghlan wrote: > On 29 August 2016 at 19:14, Chris Angelico wrote: >> On Mon, Aug 29, 2016 at 6:24 PM, Christian Heimes >> wrote: >>> No, LTS support should not be our concern. If you need a brand

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-29 Thread Nick Coghlan
On 29 August 2016 at 19:14, Chris Angelico wrote: > On Mon, Aug 29, 2016 at 6:24 PM, Christian Heimes > wrote: >> No, LTS support should not be our concern. If you need a brand new >> version of Python on an old LTS or Enterprise version of your OS,

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-29 Thread Chris Angelico
On Mon, Aug 29, 2016 at 6:24 PM, Christian Heimes wrote: > No, LTS support should not be our concern. If you need a brand new > version of Python on an old LTS or Enterprise version of your OS, please > contact your vendor and buy support. You don't get to run old metal and

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-29 Thread Stefan Krah
On Mon, Aug 29, 2016 at 10:24:42AM +0200, Christian Heimes wrote: > On 2016-08-29 10:09, M.-A. Lemburg wrote: > > On 28.08.2016 22:40, Christian Heimes wrote: > >> ... > >> I like to reduce the maintenance burden and list of supported OpenSSL > >> versions ASAP. OpenSSL has deprecated 0.9.8 and

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-29 Thread Christian Heimes
On 2016-08-29 10:09, M.-A. Lemburg wrote: > On 28.08.2016 22:40, Christian Heimes wrote: >> ... >> I like to reduce the maintenance burden and list of supported OpenSSL >> versions ASAP. OpenSSL has deprecated 0.9.8 and 1.0.0 last year. 1.0.1 >> will reach EOL by the end of this year, >>

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-29 Thread M.-A. Lemburg
On 28.08.2016 22:40, Christian Heimes wrote: > ... > I like to reduce the maintenance burden and list of supported OpenSSL > versions ASAP. OpenSSL has deprecated 0.9.8 and 1.0.0 last year. 1.0.1 > will reach EOL by the end of this year, > https://www.openssl.org/policies/releasestrat.html .

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-28 Thread Christian Heimes
On 2016-08-29 04:38, Ned Deily wrote: > On Aug 28, 2016, at 19:06, Benjamin Peterson wrote: >> On Sun, Aug 28, 2016, at 13:40, Christian Heimes wrote: >>> Here is the deal for 2.7 to 3.5: >>> >>> 1) All versions older than 0.9.8 are completely out-of-scope and no >>> longer

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-28 Thread Ned Deily
On Aug 28, 2016, at 19:06, Benjamin Peterson wrote: > On Sun, Aug 28, 2016, at 13:40, Christian Heimes wrote: >> Here is the deal for 2.7 to 3.5: >> >> 1) All versions older than 0.9.8 are completely out-of-scope and no >> longer supported. > +1 >> 2) 0.9.8 is semi-support.

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-28 Thread Nick Coghlan
On 29 August 2016 at 06:40, Christian Heimes wrote: > Hi, > > we need to talk about OpenSSL and LibreSSL before the next release of > Python. I'm working on a PEP. Most likely it won't be ready before the > feature freeze. If it's just drafting work that you need help with

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-28 Thread Cory Benfield
> On 28 Aug 2016, at 16:40, Christian Heimes wrote: > > For upcoming 3.6 I would like to limit support to 1.0.2+ and require > 1.0.2 features for 3.7. What is the status of Python.org's OSX builds? > Is it possible to drop 0.9.8? I strongly support this change. Python

Re: [Python-Dev] Supported versions of OpenSSL

2016-08-28 Thread Benjamin Peterson
On Sun, Aug 28, 2016, at 13:40, Christian Heimes wrote: > Here is the deal for 2.7 to 3.5: > > 1) All versions older than 0.9.8 are completely out-of-scope and no > longer supported. +1 > > 2) 0.9.8 is semi-support. Python will still compile and work with 0.9.8. > However we do NOT promise