From a0068e1e6a527b525a1044597bd8da6b201534e9 Mon Sep 17 00:00:00 2001 From: Nick Coghlan Date: Mon, 24 Mar 2014 23:15:06 +1000 Subject: [PATCH] PEP 466: cover OpenSSL compatibility --- pep-0466.txt | 35 +++++++++++++++++++++++++++++------ 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/pep-0466.txt b/pep-0466.txt index b2acaa838..fa644c991 100644 --- a/pep-0466.txt +++ b/pep-0466.txt @@ -150,6 +150,30 @@ that make the secure networking infrastructure worthy of special consideration. +OpenSSL compatibility +--------------------- + +Under this policy, OpenSSL may be upgraded to more recent feature releases +in Python 2.7 maintenance releases. On Linux and most other POSIX systems, +the specific version of OpenSSL used already varies, as Python dynamically +links to the system provided OpenSSL library by default. + +For the Windows binary installers, the ``_ssl`` and ``_hashlib`` modules are +statically linked with OpenSSL and the associated symbols are not exported. +Marc-Andre Lemburg indicates that updating to newer OpenSSL releases in the +``egenix-pyopenssl`` binaries has not resulted in any reported compatibility +issues [3]_ + +The Mac OS X binary installers historically followed the same policy as +other POSIX installations and dynamically linked to the Apple provided +OpenSSL libraries. However, Apple has now ceased updating these +cross-platform libraries, instead requiring that even cross-platform +developers adopt Mac OS X specific interfaces to access up to date security +infrastructure on their platform. Accordingly, and independently of this +PEP, the Mac OS X binary installers were already going to be switched to +statically linker newer versions of OpenSSL [4]_ + + Other Considerations ==================== @@ -488,12 +512,9 @@ of them are unlikely to do. Open Questions ============== -* What are the risks associated with allowing OpenSSL to be updated to - new feature versions in the Windows and Mac OS X binary installers for - maintenance releases? Currently we just upgrade to the appropriate - OpenSSL maintenance releases, rather than switching to the latest - feature release. In particular, is it possible Windows C extensions may - be linking against the Python provided OpenSSL module? +* I believe I've addressed all the technical and scope questions I had, or + others raised. That just leaves the question of "If we agree to this plan, + who is actually going to handle all the extra work involved?" :) Disclosure of Interest @@ -528,6 +549,8 @@ References .. [1] https://mail.python.org/pipermail/python-dev/2014-March/133334.html .. [2] https://mail.python.org/pipermail/python-dev/2014-March/133389.html +.. [3] https://mail.python.org/pipermail/python-dev/2014-March/133438.html +.. [4] https://mail.python.org/pipermail/python-dev/2014-March/133347.html Copyright