[Python-checkins] peps: PEP 466: cover OpenSSL compatibility

Mon Mar 24 14:20:31 CET 2014

http://hg.python.org/peps/rev/168173658ca7
changeset: 5427:168173658ca7
user: Nick Coghlan <ncoghlan at gmail.com>
date: Mon Mar 24 23:15:06 2014 +1000
summary:
 PEP 466: cover OpenSSL compatibility
files:
 pep-0466.txt | 35 +++++++++++++++++++++++++++++------
 1 files changed, 29 insertions(+), 6 deletions(-)

diff --git a/pep-0466.txt b/pep-0466.txt
--- a/pep-0466.txt
+++ b/pep-0466.txt
@@ -150,6 +150,30 @@
 consideration.
 
 
+OpenSSL compatibility
+---------------------
+
+Under this policy, OpenSSL may be upgraded to more recent feature releases
+in Python 2.7 maintenance releases. On Linux and most other POSIX systems,
+the specific version of OpenSSL used already varies, as Python dynamically
+links to the system provided OpenSSL library by default.
+
+For the Windows binary installers, the ``_ssl`` and ``_hashlib`` modules are
+statically linked with OpenSSL and the associated symbols are not exported.
+Marc-Andre Lemburg indicates that updating to newer OpenSSL releases in the
+``egenix-pyopenssl`` binaries has not resulted in any reported compatibility
+issues [3]_
+
+The Mac OS X binary installers historically followed the same policy as
+other POSIX installations and dynamically linked to the Apple provided
+OpenSSL libraries. However, Apple has now ceased updating these
+cross-platform libraries, instead requiring that even cross-platform
+developers adopt Mac OS X specific interfaces to access up to date security
+infrastructure on their platform. Accordingly, and independently of this
+PEP, the Mac OS X binary installers were already going to be switched to
+statically linker newer versions of OpenSSL [4]_
+
+
 Other Considerations
 ====================
 
@@ -488,12 +512,9 @@
 Open Questions
 ==============
 
-* What are the risks associated with allowing OpenSSL to be updated to
- new feature versions in the Windows and Mac OS X binary installers for
- maintenance releases? Currently we just upgrade to the appropriate
- OpenSSL maintenance releases, rather than switching to the latest
- feature release. In particular, is it possible Windows C extensions may
- be linking against the Python provided OpenSSL module?
+* I believe I've addressed all the technical and scope questions I had, or
+ others raised. That just leaves the question of "If we agree to this plan,
+ who is actually going to handle all the extra work involved?" :)
 
 
 Disclosure of Interest
@@ -528,6 +549,8 @@
 
 .. [1] https://mail.python.org/pipermail/python-dev/2014-March/133334.html
 .. [2] https://mail.python.org/pipermail/python-dev/2014-March/133389.html
+.. [3] https://mail.python.org/pipermail/python-dev/2014-March/133438.html
+.. [4] https://mail.python.org/pipermail/python-dev/2014-March/133347.html
 
 
 Copyright
-- 
Repository URL: http://hg.python.org/peps
