PEP 644: OpenSSL 1.1.1, CI proviers, Debian, SHA-3 (GH-1875)

pep-0644.rst

@@ -1,5 +1,5 @@
 PEP: 644
-Title: Require OpenSSL 1.1 or newer
+Title: Require OpenSSL 1.1.1 or newer
 Author: Christian Heimes <christian@python.org>
 BDFL-Delegate: n/a
 Discussions-To: https://discuss.python.org/t/pep-644-require-openssl-1-1-or-newer/5584
@@ -8,7 +8,7 @@ Type: Standards Track
 Content-Type: text/x-rst
 Created: 27-Oct-2020
 Python-Version: 3.10
-Post-History: 27-Oct-2020, 03-Mar-2021
+Post-History: 27-Oct-2020, 03-Mar-2021, 17-Mar-2021
 
 
 Abstract
@@ -106,7 +106,7 @@ support for ChaCha20-Poly1305, BLAKE2 (basic features), X25519 and CT. The
 majority of structs were made opaque and new APIs were introduced. OpenSSL
 1.1.0 is not API compatible with 1.0.2.
 
-- Debian 9 Stretch (estimated EOL 2022-06)
+- Debian 9 Stretch (security support ended 2020-07, LTS until 2022-06)
 - Ubuntu 18.04 LTS / Bionic (general support ends 2023-04)
 
 
@@ -122,6 +122,7 @@ OpenSSL 1.1.1 added TLS 1.3, SHA-3, X448 and Ed448.
 - Arch Linux current
 - CentOS 8.0+
 - Debian 10 Buster
+- Debian 11 Bullseye (ETA 2021-06)
 - Fedora 29+
 - FreeBSD 11.3+
 - Gentoo Linux stable (dropped LibreSSL as alternative in January 2021 [10]_)
@@ -138,11 +139,22 @@ OpenSSL 1.1.1 added TLS 1.3, SHA-3, X448 and Ed448.
 - VoidLinux (switched back to OpenSSL in March 2021 [5]_)
 - Windows (python.org installer, Conda)
 
+Major CI providers provide images with OpenSSL 1.1.1.
+
+- AppVeyor (with image ``Ubuntu2004``)
+- CircleCI (with recent ``cimg/base:stable`` or ``cimg/base:stable-20.04``)
+- GitHub Actions (with ``runs-on: ubuntu-20.04``)
+- Giblab CI (with Debian Stretch, Ubuntu Focal, CentOS 8, RHEL 8, or Fedora
+  runner)
+- Packit
+- TravisCI (with ``dist: focal``)
+- Zuul
+
 
 OpenSSL 3.0.0
 -------------
 
-released: n/a (planned for early 2021)
+released: n/a (planned for mid/late 2021)
 
 OpenSSL 3.0.0 is currently under development. Major changes include
 relicensing to Apache License 2.0 and a new API for cryptographic algorithms
@@ -299,14 +311,33 @@ or extend compatibility with EOLed releases as we see fit.
 
 The new ABI stability and LTS policies of OpenSSL [9]_ should help, too.
 
+Keep support for OpenSSL 1.1.0
+------------------------------
+
+It was suggested to keep support for OpenSSL 1.1.0 for compatibility with
+Debian 9 (Stretch). The proposal was rejected since it would complicated code
+cleanup and testing. Stretch is already out of regular security support and
+close to end of long-term support. By the time of Python 3.10 final release,
+Debian Buster and Debian Bullseye will be available.
+
+Instead Python 3.10 will gain additional documentation and a new
+``configure`` option ``--with-openssl-rpath=auto`` to simplify use of custom
+OpenSSL builds [11].
+
 
 Backwards Compatibility
 =======================
 
 Python 3.10 will no longer support TLS/SSL and fast hashing on platforms
-with OpenSSL 1.0.2 or LibreSSL. This PEP is published at the beginning of
-the 3.10 release cycles. It gives vendors like Linux distributors or CI
-providers roughly 11 months to react.
+with OpenSSL 1.0.2 or LibreSSL. The first draft of this PEP was published at
+the beginning of the 3.10 release cycles to give vendors like Linux
+distributors or CI providers sufficient time to plan.
+
+Python's internal copy of the *Keccak Code Package* and the internal
+``_sha3`` module will be removed. This will reduce source code size by
+about 280kB and code size by roughly 0.5MB. The ``hashlib`` will solely rely
+on OpenSSL's SHA-3 implementation. SHA-3 and SHAKE will no longer be available
+without OpenSSL.
 
 
 Disclaimer and special thanks
@@ -332,6 +363,7 @@ References
 .. [8] https://www.openssl.org/docs/OpenSSL300Design.html
 .. [9] https://www.openssl.org/policies/releasestrat.html
 .. [10] https://www.gentoo.org/support/news-items/2021-01-05-libressl-support-discontinued.html
+.. [11] https://bugs.python.org/issue43466
 
 
 Copyright