[Python-Dev] Supported versions of OpenSSL
Ned Deily nad at python.org
Sun Aug 28 22:38:20 EDT 2016
On Aug 28, 2016, at 19:06, Benjamin Peterson <benjamin at python.org> wrote:
On Sun, Aug 28, 2016, at 13:40, Christian Heimes wrote:
Here is the deal for 2.7 to 3.5:
1) All versions older than 0.9.8 are completely out-of-scope and no longer supported.
+1
2) 0.9.8 is semi-support. Python will still compile and work with 0.9.8. However we do NOT promise that it is secure to run 0.9.8. We also require a recent version. Patch level 0.9.8zc from October 2014 is reasonable because it comes with SCSV fallback (CVE-2014-3566).
I think we should support 0.9.8 for 2.7 and drop it for 3.6.
Sounds good to me, too. I think we should also not change things for 3.5.x at this point, e.g. continue to support 0.9.8 there.
3) 1.0.0 is irrelevant. Users are either stuck on 0.9.8 or are able to upgrade to 1.0.1+. Let's not support it.
4) 1.0.1 is discouraged but still supported until its EOL.
5) 1.0.2 is the recommended version.
6) 1.1 support will be added by #26470 soon.
[...]
For upcoming 3.6 I would like to limit support to 1.0.2+ and require 1.0.2 features for 3.7.
It's not clear to me what you are proposing as the differences between 3.6 ("limit support to 1.0.2+") and 3.7 ("require 1.0.2 features"). Could you elaborate?
What is the status of Python.org's OSX builds? Is it possible to drop 0.9.8?
I think we can safely drop 0.9.8 support in 3.6. If anyone is aware of any supported platform where this would cause a problem, please speak up now.
With regard to OS X (or macOS, as the upcoming next major release is called), the 3.6.0 python.org OS X installer will supply a private copy of OpenSSL 1.0.2+. Most other third-party distributors of Python on OS X already do not use the Apple-supplied deprecated system OpenSSL libs. As of the current OS X 10.11 El Capitan, Apple no longer supplies the header files for OpenSSL in either Xcode macosx SDK or in the optional Command Line Tools /usr/include headers so, if you want to build Python on OS X, you now need to use a non-system copy of OpenSSL anyway (the devguide explains how to build with OpenSSL libs from either Homebrew or MacPorts). The shared libs are still supplied for the benefit of applications built on older releases and for the Apple-supplied system Pythons (2.6.x and 2.7.x, still no 3.x).
Thanks for writing this patch!
Ditto!
-- Ned Deily nad at python.org -- []
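Added example, not part of the original message or of CPython: a check that maps an OpenSSL version onto the tiers proposed in the thread for Python 2.7 to 3.5, including the lettered 0.9.8zc patch-level floor. The function names and tier labels are assumptions made for this illustration, and the banner string in the docstring is a constructed sample.

```python
import re
import ssl

# Minimum 0.9.8 patch level named in the thread: 0.9.8zc (SCSV fallback).
# OpenSSL patch letters count a=1 ... z=26, then za=27, zb=28, zc=29.
MIN_098 = (0, 9, 8, 29)

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(z?[a-z])?(?![a-z])")


def parse_openssl_version(text):
    """Turn '1.0.2h' or an 'OpenSSL 0.9.8zc 15 Oct 2014' banner into a tuple."""
    text = text.strip()
    if text.startswith("OpenSSL "):
        text = text[len("OpenSSL "):]
    match = _VERSION.match(text)
    if match is None:
        raise ValueError("not an OpenSSL 0.9.x/1.x version: %r" % text)
    major, minor, fix = (int(part) for part in match.group(1, 2, 3))
    # Summing letter values handles both 'h' (8) and 'zc' (26 + 3 = 29).
    patch = sum(ord(c) - ord("a") + 1 for c in (match.group(4) or ""))
    return (major, minor, fix, patch)


def classify(version):
    """Label a (major, minor, fix, patch) tuple with the thread's 2.7-3.5 tiers."""
    if version < (0, 9, 8, 0):
        return "unsupported"
    if version[:3] == (0, 9, 8):
        return "semi-supported" if version >= MIN_098 else "0.9.8 below zc"
    if version[:3] == (1, 0, 0):
        return "unsupported"          # "Let's not support it."
    if version[:3] == (1, 0, 1):
        return "discouraged"          # supported until its EOL
    if version[:3] == (1, 0, 2):
        return "recommended"
    if version[:2] == (1, 1):
        return "pending"              # support to be added by #26470
    return "outside the thread's tiers"


def running_interpreter_tier():
    """Classify the OpenSSL this interpreter's ssl module is linked against."""
    return classify(tuple(ssl.OPENSSL_VERSION_INFO[:4]))


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, "->", running_interpreter_tier())
```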