Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL>=2.5.3

2018-01-17 Thread Christian Heimes
On 2018-01-16 22:47, Steve Dower wrote: > I think you mean out-of-band updates, and by “you” I'm going to pretend > you mean PyCA ;) Err, yes :)

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL>=2.5.3

2018-01-16 Thread Steve Dower
I think you mean out-of-band updates, and by “you” I'm going to pretend you mean PyCA ;) Top-posted from my Windows phone From: Christian Heimes Sent: Tuesday, January 16, 2018 21:42 To: python-dev@python.org Subject: Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL>

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >=2.5.3

2018-01-16 Thread Steve Dower
statically link OpenSSL anymore, it can be done easily with ctypes, so I’ll probably put out a package for it sometime soon. Top-posted from my Windows phone From: Christian Heimes Sent: Tuesday, January 16, 2018 22:52 To: python-dev@python.org Subject: Re: [Python-Dev] Python 3.7: Require

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-16 Thread Christian Heimes
FYI, master on Travis CI now builds and uses OpenSSL 1.1.0g [1]. I have created a daily cronjob to populate Travis' cache with OpenSSL builds. Until the cache is filled, Linux CI will take an extra 5 minutes. Christian [1] https://github.com/python/cpython/pull/5180

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-16 Thread Wes Turner
On Tuesday, January 16, 2018, Christian Heimes wrote: > On 2018-01-16 12:28, Wes Turner wrote: > > > > > > On Tuesday, January 16, 2018, Steve Dower > > wrote: > > > > From my perspective, we can’t keep an OpenSSL-like API and use > > Windows platform libra

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-16 Thread Christian Heimes
On 2018-01-16 12:28, Wes Turner wrote: > > > On Tuesday, January 16, 2018, Steve Dower > wrote: > > From my perspective, we can’t keep an OpenSSL-like API and use > Windows platform libraries (we *could* do a requests-like API easily > enough, but even

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-16 Thread Wes Turner
tein > *Cc: *Christian Heimes ; python-dev@python.org > *Subject: *Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / > LibreSSL >=2.5.3 > > > > Matt Billenstein writes: > > > > > In my mind it becomes easier to bundle deps in a binary installer

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >=2.5.3

2018-01-16 Thread Christian Heimes
On 2018-01-16 08:08, Steve Dower wrote: > From my perspective, we can’t keep an OpenSSL-like API and use Windows > platform libraries (we *could* do a requests-like API easily enough, but > even urllib3 is painfully low-level). > >   > > We have to continue shipping our own copy of OpenSSL on Win

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >=2.5.3

2018-01-15 Thread Steve Dower
ython-dev@python.org Subject: Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >=2.5.3 Matt Billenstein writes: > In my mind it becomes easier to bundle deps in a binary installer > across the board (Linux, OSX, Windows) rather than rely on whatever > version the operating

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-15 Thread Stephen J. Turnbull
Matt Billenstein writes: > In my mind it becomes easier to bundle deps in a binary installer > across the board (Linux, OSX, Windows) rather than rely on whatever > version the operating system provides. Thing is, as Christian points out, TLS is a rapidly moving target. Every Mac OS or iOS upd

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-14 Thread Matt Billenstein
On Sun, Jan 14, 2018 at 10:54:57AM -0500, Ned Deily wrote: > On Jan 14, 2018, at 08:39, Christian Heimes wrote: > > On 2018-01-14 09:24, Matt Billenstein wrote: > >> Correct me if I'm wrong, but Python3 on osx bundles openssl since Apple has > >> deprecated (and no longer ships the header files fo

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-14 Thread Christian Heimes
On 2018-01-14 16:54, Ned Deily wrote: > On Jan 14, 2018, at 08:39, Christian Heimes wrote: >> On 2018-01-14 09:24, Matt Billenstein wrote: >>> Correct me if I'm wrong, but Python3 on osx bundles openssl since Apple has >>> deprecated (and no longer ships the header files for) the version shipped

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-14 Thread Wes Turner
FWIW, anaconda and conda-forge currently have 1.0.2 X https://anaconda.org/anaconda/openssl https://anaconda.org/conda-forge/openssl On Sunday, January 14, 2018, Ned Deily wrote: > On Jan 14, 2018, at 08:39, Christian Heimes wrote: > > On 2018-01-14 09:24, Matt Billenstein wrote: > >> Correct

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-14 Thread Ned Deily
On Jan 14, 2018, at 08:39, Christian Heimes wrote: > On 2018-01-14 09:24, Matt Billenstein wrote: >> Correct me if I'm wrong, but Python3 on osx bundles openssl since Apple has >> deprecated (and no longer ships the header files for) the version shipped >> with >> recent versions of osx. >> >> P

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-14 Thread Christian Heimes
On 2018-01-14 09:24, Matt Billenstein wrote: > Correct me if I'm wrong, but Python3 on osx bundles openssl since Apple has > deprecated (and no longer ships the header files for) the version shipped with > recent versions of osx. > > Perhaps this is an option to support the various flavors of Linu

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-14 Thread Matt Billenstein
Correct me if I'm wrong, but Python3 on osx bundles openssl since Apple has deprecated (and no longer ships the header files for) the version shipped with recent versions of osx. Perhaps this is an option to support the various flavors of Linux as well? m On Sun, Jan 14, 2018 at 02:48:49AM +

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-14 Thread Christian Heimes
On 2018-01-14 11:17, Antoine Pitrou wrote: > On Sat, 13 Jan 2018 23:45:07 +0100 > Christian Heimes wrote: >> On 2018-01-13 21:02, Brett Cannon wrote: >>> +1 from me as well for the improved security. >> >> Thanks, Brett! >> >> How should we handle CPython's Travis CI tests? The 14.04 boxes have

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-14 Thread Antoine Pitrou
On Sat, 13 Jan 2018 23:45:07 +0100 Christian Heimes wrote: > On 2018-01-13 21:02, Brett Cannon wrote: > > +1 from me as well for the improved security. > > Thanks, Brett! > > How should we handle CPython's Travis CI tests? The 14.04 boxes have > OpenSSL 1.0.1. To the best of my knowledge, Trav

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-14 Thread Christian Heimes
On 2018-01-14 03:48, Paul G wrote: > One thing to note is that if getting Travis working with Python 3.7 is a > pain, a huge number of libraries on PyPI probably just won't test > against Python 3.7, which is not a great situation to be in. > > It's probably worth contacting Travis to give them a

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-14 Thread Christian Heimes
On 2018-01-14 01:03, Steven D'Aprano wrote: > On Sat, Jan 13, 2018 at 02:23:19PM +0100, Antoine Pitrou wrote: >> On Sat, 13 Jan 2018 13:54:33 +0100 >> Christian Heimes wrote: >>> >>> If we agree to drop support for OpenSSL 0.9.8 and 1.0.1, then I can land >>> a bunch of useful goodies like proper ho

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-14 Thread Terry Reedy
On 1/13/2018 3:02 PM, Brett Cannon wrote: On Sat, Jan 13, 2018, 05:24 Antoine Pitrou wrote: On Sat, 13 Jan 2018 13:54:33 +0100 Christian Heimes wrote: > > If we agree to drop support for OpenSSL 0.9.8 and 1.0.1, th

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-13 Thread Oleg Broytman
On Sun, Jan 14, 2018 at 02:16:53AM +, Brett Cannon wrote: > My guess is we either move to containers on Travis, see if we can manually > install -- through apt or something -- a newer version of OpenSSL OpenSSL 1.0.2 cannot be installed with apt on Trusty but I think it can be compiled fro

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-13 Thread Paul G
One thing to note is that if getting Travis working with Python 3.7 is a pain, a huge number of libraries on PyPI probably just won't test against Python 3.7, which is not a great situation to be in. It's probably worth contacting Travis to give them a heads-up and see how likely it is that th

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-13 Thread Brett Cannon
On Sat, Jan 13, 2018, 14:45 Christian Heimes wrote: > On 2018-01-13 21:02, Brett Cannon wrote: > > +1 from me as well for the improved security. > > Thanks, Brett! > > How should we handle CPython's Travis CI tests? The 14.04 boxes have > OpenSSL 1.0.1. To the best of my knowledge, Travis doesn'

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-13 Thread Gregory P. Smith
On Sat, Jan 13, 2018 at 4:34 PM Steven D'Aprano wrote: > On Sat, Jan 13, 2018 at 02:23:19PM +0100, Antoine Pitrou wrote: > > On Sat, 13 Jan 2018 13:54:33 +0100 > > Christian Heimes wrote: > > > > > > If we agree to drop support for OpenSSL 0.9.8 and 1.0.1, then I can > land > > > a bunch of useful

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-13 Thread Steven D'Aprano
On Sat, Jan 13, 2018 at 02:23:19PM +0100, Antoine Pitrou wrote: > On Sat, 13 Jan 2018 13:54:33 +0100 > Christian Heimes wrote: > > > > If we agree to drop support for OpenSSL 0.9.8 and 1.0.1, then I can land > > a bunch of useful goodies like proper hostname verification [2], proper > > fix for IP

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-13 Thread Christian Heimes
On 2018-01-13 21:02, Brett Cannon wrote: > +1 from me as well for the improved security. Thanks, Brett! How should we handle CPython's Travis CI tests? The 14.04 boxes have OpenSSL 1.0.1. To the best of my knowledge, Travis doesn't offer 16.04. We could either move to container-based testing with

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-13 Thread Brett Cannon
On Sat, Jan 13, 2018, 05:24 Antoine Pitrou wrote: > On Sat, 13 Jan 2018 13:54:33 +0100 > Christian Heimes wrote: > > > > If we agree to drop support for OpenSSL 0.9.8 and 1.0.1, then I can land > > a bunch of useful goodies like proper hostname verification [2], proper > > fix for IP address in S

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-13 Thread Antoine Pitrou
On Sat, 13 Jan 2018 15:49:21 +0100 Christian Heimes wrote: > On 2018-01-13 14:23, Antoine Pitrou wrote: > > On Sat, 13 Jan 2018 13:54:33 +0100 > > Christian Heimes wrote: > >> > >> If we agree to drop support for OpenSSL 0.9.8 and 1.0.1, then I can land > >> a bunch of useful goodies like proper

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-13 Thread Christian Heimes
On 2018-01-13 14:23, Antoine Pitrou wrote: > On Sat, 13 Jan 2018 13:54:33 +0100 > Christian Heimes wrote: >> >> If we agree to drop support for OpenSSL 0.9.8 and 1.0.1, then I can land >> a bunch of useful goodies like proper hostname verification [2], proper >> fix for IP address in SNI TLS header

Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >= 2.5.3

2018-01-13 Thread Antoine Pitrou
On Sat, 13 Jan 2018 13:54:33 +0100 Christian Heimes wrote: > > If we agree to drop support for OpenSSL 0.9.8 and 1.0.1, then I can land > a bunch of useful goodies like proper hostname verification [2], proper > fix for IP address in SNI TLS header [3], PEP 543 compatible Certificate > and PrivateK