Ok, so this is a real problem:-(

Again, I’m not deep enough into the SSL stuff to really understand this (and 
specifically whether it needs a new openssl module, a new libssl, both, 
something else, ….), but I’d like to think of ways to fix this before the shit 
hits the fan for all poor mac Python users out there, if possible. And that 
includes people who aren’t even aware they’re macPython users because they use 
some app that uses Python under the hood…..

So a couple of questions:

1. Is this fixable by Apple, by providing a security update to various OSX 
versions that would include a newer python/libssl/whatever? 
1a. Would this still fall under Apple’s idea of “security update”?
1b. Do we have any chance of making Apple interested in fixing this?

2. Is this fixable with an installer that would somehow override the openssl 
module, so that installing this one thing would make the whole Apple-Python 
installation work again?

3. Failing that, I assume it’s the end of the line for Apple-Python, and we’ll 
have to steer end users towards installing a python.org version. Right?
3a. If that’s the case, is there something we could ask of the pip developers, 
the PyPI maintainers, whoever else to help the poor end users? I.e. get them to 
release a version that would not say “ssl v1 invalid foobar get lost” but 
instead “you appear to be using Apple Python which does not support current 
security measures, please see www.example.com for more information”.

Actually, question 3a to some extent also is 2a.

Regards,
Jack


> On 10 Jan 2017, at 20:54, Ronald Oussoren <ronaldousso...@mac.com> wrote:
> 
> 
>> On 10 Jan 2017, at 20:43, Ronald Oussoren <ronaldousso...@mac.com> wrote:
>> 
>> 
>>> On 10 Jan 2017, at 17:05, Jack Jansen <jack.jan...@cwi.nl> wrote:
>>> 
>>> I have completely ignored this whole TLS 1.0 versus TLS 1.2 security debate 
>>> until now, but just now the following post came in on python-announce, 
>>> which seems to suggest that TLS 1.0 is really about to be phased out: 
>>> https://mail.python.org/pipermail/python-announce-list/2017-January/011437.html
>>> 
>>> I think Python 2.7 older than 2.7.13 (i.e. including the apple-shipped 
>>> Pythons) don’t support TLS 1.2 by default, which would seem to suggest that 
>>> things like pip will stop working as of this summer.
>>> 
>>> Or am I overreacting?
>> 
>> You are not. Annoyingly Donald Stufft already noticed that Apple’s Python is 
>> problematic, but breaking for users on a major OS is apparently not a 
>> problem :-(
> 
> Breaking Python tools is probably not really on Fastly’s radar and not 
> something that the PyPI folks can easily avoid.
> 
>> 
>> This shouldn’t be a problem for most serious development as those users 
>> likely use a separate python installation anyway, but this will affect 
>> casual users including at least some new users. 
> 
> BTW. This doesn’t just break /usr/bin/python but also the Python.org 
> installation of 2.7 (including 2.7.13), and likely any Python.org install 
> except 3.6 as all installers up to 3.6 use the system OpenSSL that doesn’t 
> support anything beyond TLS 1.0.
> 
> Ronald
> 

--
Jack Jansen, <jack.jan...@cwi.nl>, http://www.cwi.nl/~jack
If I can't dance I don't want to be part of your revolution -- Emma Goldman



_______________________________________________
Pythonmac-SIG maillist  -  Pythonmac-SIG@python.org
https://mail.python.org/mailman/listinfo/pythonmac-sig
unsubscribe: https://mail.python.org/mailman/options/Pythonmac-SIG
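
Added example, not part of the original thread and not code from pip, PyPI or Apple: a preflight check of the kind question 3a asks for, which inspects the OpenSSL library the interpreter is linked against and returns a readable message instead of a raw SSL error. The function names are hypothetical; the message wording and the www.example.com placeholder come from the message above.

```python
from __future__ import print_function  # keeps the script usable on Python 2.7 too
import ssl
import sys

# TLS 1.2 support first shipped in OpenSSL 1.0.1; the 0.9.8 series stops at TLS 1.0.
MIN_OPENSSL_FOR_TLS12 = (1, 0, 1)

# Wording and placeholder URL taken from question 3a in the message above.
ADVICE = ("you appear to be using a Python ({exe}) linked against {lib}, which "
          "does not support current security measures (TLS 1.2), please see "
          "www.example.com for more information")


def tls12_capable(version_info, has_tls12):
    """True if an ssl module with these properties can negotiate TLS 1.2.

    version_info: ssl.OPENSSL_VERSION_INFO-style tuple of the linked library.
    has_tls12:    whether the module itself exposes TLS 1.2 (an old Python
                  built against a new OpenSSL may still lack it).
    """
    return bool(has_tls12) and tuple(version_info[:3]) >= MIN_OPENSSL_FOR_TLS12


def diagnose(version_text, version_info, has_tls12, exe):
    """Return None if TLS 1.2 is usable, else a message an end user can act on."""
    if tls12_capable(version_info, has_tls12):
        return None
    return ADVICE.format(exe=exe, lib=version_text)


def diagnose_running_interpreter():
    """Apply diagnose() to the interpreter executing this script."""
    # HAS_TLSv1_2 exists on Python 3.7+; older versions only expose the
    # PROTOCOL_TLSv1_2 constant when TLS 1.2 is compiled in.
    has_tls12 = getattr(ssl, "HAS_TLSv1_2", hasattr(ssl, "PROTOCOL_TLSv1_2"))
    return diagnose(ssl.OPENSSL_VERSION, ssl.OPENSSL_VERSION_INFO,
                    has_tls12, sys.executable)


if __name__ == "__main__":
    problem = diagnose_running_interpreter()
    print(problem or "TLS 1.2 available via " + ssl.OPENSSL_VERSION)
    sys.exit(1 if problem else 0)
```

Running it with each installed interpreter in turn (for instance /usr/bin/python and a python.org build) shows which ones are linked against a library that stops at TLS 1.0.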
