Re: Pkg_add Python version and LibreSSL seem to be incompatible in OpenBSD 7.3
On 2023-05-14, Judah Kocher wrote: > Some web searching has not turned up any details around this. I also do > not see python 3.9 as an installable option via pkg_add, just 3.10 and > 3.11. 3.9 is still there. > Does this mean that installing python via pkg_add installs a > python version that is incompatible with LibreSSL? 3.10 from packages works well with LibreSSL. There are some small local patches to disable a couple of things which aren't supported and are not at all widely used. Python's policy for 3.10+ is essentially "don't go out of the way to prevent running it with LibreSSL, but don't jump through hoops to make it work". urllib3 is going beyond that and explicitly checking for OpenSSL 1.1.1+ and refusing to run otherwise (including on 3.7-3.9 for which urllib3 claims support). >When I look at the > info for the OpenSSL package it includes this warning: > > This package is not intended for general-purpose use in OpenBSD - it > is present for test/comparison purposes, and occasionally to provide > support for applications which cannot be made compatible with LibreSSL > (mostly due to use of removed APIs); in the latter case care must be > taken - it will conflict if library dependencies use LibreSSL libraries. Essentially: if we built Python using OpenSSL instead of LibreSSL, things would break for any compiled modules linked to libraries which themselves link to LibreSSL's libssl/libcrypto - e.g. including things like py-curl, py-ldap, py-psycopg2, ...) > What would be the best way to resolve this issue? I would guess that > plenty of others are using python with OpenBSD so there must be a > recommended resolution, but I have not found it documented anywhere yet. I'd suggest installing urllib3 from OpenBSD packages instead. If you have some particular requirement to install some version via pip instead, pin to an older (pre 2.x) urllib3 for now. urllib3 seem to be considering relaxing this again (possibly largely thanks to Apple widely distributing a libressl-linked version of Python), https://github.com/urllib3/urllib3/issues/3020#issuecomment-1541523700) - I think that would be the right thing for them to do.
Re: Pkg_add Python version and LibreSSL seem to be incompatible in OpenBSD 7.3
Thank you Otto! pip install urllib3==1.26.15 replaced the v2 version with the latest non v2 version, and now my scripts work again. On 5/14/23 14:34, Otto Moerbeek wrote: On Sun, May 14, 2023 at 12:25:28PM -0400, Judah Kocher wrote: After updating one of my routers to OpenBSD 7.3, my python scripts that update various public DNS records when my public IP changes started failing with generic segfaults. I did see the note in the OpenBSD Upgrade Guide about 3.10 being the new default so I ran pkg_add -u which updated python to 3.10 and now the same scripts fail but with this error: ImportError: urllib3 v2.0 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with LibreSSL 3.7.2. See: https://github.com/urllib3/urllib3/issues/2168 The included github link mentions that older versions of SSL are no longer usable with the urllib library but makes no mention of LibreSSL. Some web searching has not turned up any details around this. I also do not see python 3.9 as an installable option via pkg_add, just 3.10 and 3.11. Does this mean that installing python via pkg_add installs a python version that is incompatible with LibreSSL? When I look at the info for the OpenSSL package it includes this warning: This package is not intended for general-purpose use in OpenBSD - it is present for test/comparison purposes, and occasionally to provide support for applications which cannot be made compatible with LibreSSL (mostly due to use of removed APIs); in the latter case care must be taken - it will conflict if library dependencies use LibreSSL libraries. What would be the best way to resolve this issue? I would guess that plenty of others are using python with OpenBSD so there must be a recommended resolution, but I have not found it documented anywhere yet. Thanks! Judah The problem is very likely a version of urllib3 installed via pip, and has little to do with the python version itself. -Otto -- Judah Kocher Assistant Chief Cochranville Fire Company 484-266-9257
Re: Pkg_add Python version and LibreSSL seem to be incompatible in OpenBSD 7.3
On Sun, May 14, 2023 at 12:25:28PM -0400, Judah Kocher wrote: > After updating one of my routers to OpenBSD 7.3, my python scripts that > update various public DNS records when my public IP changes started failing > with generic segfaults. I did see the note in the OpenBSD Upgrade Guide > about 3.10 being the new default so I ran pkg_add -u which updated python to > 3.10 and now the same scripts fail but with this error: > > ImportError: urllib3 v2.0 only supports OpenSSL 1.1.1+, currently the 'ssl' > module is compiled with LibreSSL 3.7.2. See: > https://github.com/urllib3/urllib3/issues/2168 > > The included github link mentions that older versions of SSL are no longer > usable with the urllib library but makes no mention of LibreSSL. > > Some web searching has not turned up any details around this. I also do not > see python 3.9 as an installable option via pkg_add, just 3.10 and 3.11. > Does this mean that installing python via pkg_add installs a python version > that is incompatible with LibreSSL? When I look at the info for the OpenSSL > package it includes this warning: > > This package is not intended for general-purpose use in OpenBSD - it > is present for test/comparison purposes, and occasionally to provide > support for applications which cannot be made compatible with LibreSSL > (mostly due to use of removed APIs); in the latter case care must be > taken - it will conflict if library dependencies use LibreSSL libraries. > > What would be the best way to resolve this issue? I would guess that plenty > of others are using python with OpenBSD so there must be a recommended > resolution, but I have not found it documented anywhere yet. > > > Thanks! > > Judah > The problem is very likely a version of urllib3 installed via pip, and has little to do with the python version itself. -Otto
Pkg_add Python version and LibreSSL seem to be incompatible in OpenBSD 7.3
After updating one of my routers to OpenBSD 7.3, my python scripts that update various public DNS records when my public IP changes started failing with generic segfaults. I did see the note in the OpenBSD Upgrade Guide about 3.10 being the new default so I ran pkg_add -u which updated python to 3.10 and now the same scripts fail but with this error: ImportError: urllib3 v2.0 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with LibreSSL 3.7.2. See: https://github.com/urllib3/urllib3/issues/2168 The included github link mentions that older versions of SSL are no longer usable with the urllib library but makes no mention of LibreSSL. Some web searching has not turned up any details around this. I also do not see python 3.9 as an installable option via pkg_add, just 3.10 and 3.11. Does this mean that installing python via pkg_add installs a python version that is incompatible with LibreSSL? When I look at the info for the OpenSSL package it includes this warning: This package is not intended for general-purpose use in OpenBSD - it is present for test/comparison purposes, and occasionally to provide support for applications which cannot be made compatible with LibreSSL (mostly due to use of removed APIs); in the latter case care must be taken - it will conflict if library dependencies use LibreSSL libraries. What would be the best way to resolve this issue? I would guess that plenty of others are using python with OpenBSD so there must be a recommended resolution, but I have not found it documented anywhere yet. Thanks! Judah