Opened 9 years ago

Last modified 9 years ago

#13385 closed enhancement

Remove TLS/SSL-related packages — at Version 17

Reported by: kini
Owned by: tbd
Priority: major
Milestone: sage-5.4
Component: packages: standard
Keywords:
Cc:
Merged in:
Authors:
Reviewers:
Report Upstream: N/A
Work issues:
Branch:
Commit:
Dependencies: #13121
Stopgaps:

Description (last modified by jhpalmieri)

See this sage-devel post by William.

Task

Remove the following SPKGs:

  • python_gnutls
  • gnutls
  • opencdk
  • libgcrypt
  • libgpg_error

Also:

  • no longer ship pyOpenSSL with sagenb (this will be taken care of in #13121)
  • no longer require OpenSSL dev headers in prereq

Rationale

Read the above linked thread, but basically, notebook(secure=True) is rarely used, and is not even really that desirable to use, except for people setting up multiuser Sage servers, which is a small percentage of Sage users. Therefore we will require users who want to use notebook(secure=True) to perform the additional step of installing pyOpenSSL into Sage's Python. This allows us to get rid of our sort of problematic dependencies on OpenSSL.

Furthermore, as I understand it, our switching to OpenSSL had already made GNUTLS useless in Sage when we started shipping the Flask notebook (Sage 5.2), so we can get rid of GNUTLS and related SPKGs at the same time.


Apply:

Copy http://sage.math.washington.edu/home/palmieri/SPKG/prereq-1.1.tar.gz to spkg/base.

Still to come: new sagenb spkg (at #13121).

Change History (20)

comment:1 Changed 9 years ago by novoselt

It would be nice to have a clear description of what someone has to do to make secure=True work and if someone has not done it - there should be a clear error message directing to these instructions...

comment:2 Changed 9 years ago by novoselt

It also would be a bit annoying to perform some extra installation on every newly built version of Sage. Is it possible to have instead some system dependencies and an environment variable that will force Sage to add pyOpenSSL automatically during build?

comment:3 follow-up: Changed 9 years ago by kini

You can just install the SPKG from #11384 after building Sage. Is that sufficient?

comment:4 Changed 9 years ago by kini

Sorry, I mean #13384. Also you'd need to have OpenSSL and its dev headers installed on the system if you wanted to use notebook(secure=True).

comment:5 in reply to: ↑ 3 Changed 9 years ago by novoselt

Replying to kini:

You can just install the SPKG from #11384 after building Sage. Is that sufficient?

So far

sage -i openssl

was sufficient (in 5.2 and later), but if this could be done automatically during build, it would be awesome.

comment:6 Changed 9 years ago by kini

Personally I don't think it's worth adding another environment variable to the long list we already have, just to avoid a small percentage of users having to run sage -i openssl and sage -i pyopenssl after make. Furthermore this will set a new precedent. Currently we have no environment variables which control whether a certain package is installed or not, except SAGE_INSTALL_GCC which is kind of a special case because we use GCC in Sage regardless of whether it's installed via SPKG or used from the system. Also, no environment variable causes the Sage build process to need network connectivity, as this suggestion would (unless you also want to make pyOpenSSL a standard shipped package).

IMHO installing an SPKG is not a big deal, it's one line and the average user doesn't need to know about it because they are not running a multi-user notebook server.
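One way to give the clear error message requested in comment:1, as an added example that is not code from Sage or sagenb. The function names, the exception class and the injectable `importer` parameter are hypothetical; the install commands are the ones quoted in this thread, and `OpenSSL.SSL` and `OpenSSL.crypto` are the modules pyOpenSSL provides. The check fails closed, so a server asked for `secure=True` never starts unencrypted.

```python
import importlib

# Commands quoted in this ticket's discussion; both need internet access.
INSTALL_STEPS = ("sage -i openssl", "sage -i pyopenssl")
# Modules provided by pyOpenSSL that a TLS-enabled server relies on.
REQUIRED_MODULES = ("OpenSSL.SSL", "OpenSSL.crypto")


class SecureNotebookUnavailable(RuntimeError):
    """Raised when secure=True is requested but pyOpenSSL cannot be imported."""


def missing_tls_modules(importer=importlib.import_module):
    """Return (module, reason) pairs for required modules that fail to import."""
    missing = []
    for name in REQUIRED_MODULES:
        try:
            importer(name)
        except ImportError as exc:
            # Covers both "not installed" and "installed but its OpenSSL
            # shared libraries cannot be loaded".
            missing.append((name, str(exc)))
    return missing


def check_secure_prereqs(secure, importer=importlib.import_module):
    """Hypothetical pre-flight check to run before starting the server.

    Returns None when the server may start. Raises instead of silently
    falling back to plain HTTP when TLS was requested but is unavailable.
    """
    if not secure:
        return None
    missing = missing_tls_modules(importer)
    if missing:
        details = "; ".join("%s (%s)" % pair for pair in missing)
        steps = "\n".join("    " + cmd for cmd in INSTALL_STEPS)
        raise SecureNotebookUnavailable(
            "notebook(secure=True) requires pyOpenSSL, which is no longer "
            "installed with Sage by default.\n"
            "Could not import: %s\n"
            "Run the following (internet access required), then retry:\n%s"
            % (details, steps)
        )
    return None
```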

comment:7 Changed 9 years ago by vbraun

Please no new environment variables. We could have an extra makefile target

ssl: all
    ./sage -i openssl
    ./sage -i pyOpenSSL

comment:8 Changed 9 years ago by jhpalmieri

So what needs doing here?

Root repo:

  • remove the spkgs, modify deps and spkg/install accordingly
  • modify prereq so it no longer checks for openssl (i.e., undo some of the changes at #13329)
  • in README.txt, document what needs to be done to use the secure notebook
  • possibly add a new target to the Makefile

Sage library:

  • in the installation guide, document what needs to be done to use the secure notebook

Sagenb:

  • make it work without openssl

Anything else?


comment:9 Changed 9 years ago by kini

In the sage library there is some code that does something with GNUTLS. It appears to be legacy code in devel/sage/sage/server/notebook. So I guess one more task is to see if anything breaks after removing the SPKGs.

comment:10 Changed 9 years ago by kini

(That includes upgrading extremely old notebook data, I guess.)

comment:11 Changed 9 years ago by kini

Here's a patch for the root repo. Did I miss anything in deps or install?

comment:12 Changed 9 years ago by jhpalmieri

The changes look okay at first glance. I'll try a build (on a system with openssl headers) to see how it goes. Perhaps you should mention make ssl in your changes to README.txt? And add a comment to the Makefile briefly describing the purpose of that target?


comment:13 Changed 9 years ago by jhpalmieri

Oh, and in README.txt and Makefile, you should point out that sage -i openssl, make ssl, etc., require internet access.

comment:14 Changed 9 years ago by jhpalmieri

When I built with the root repo patch, all tests passed, because the old notebook directory has a file nodoctest.py. The appropriate files (like server/notebook/gnutls_socket_ssl.py) say things like

# This file is part of the OLD Sage notebook and is NOT actively developed,
# maintained, or supported.  As of Sage v4.1.2, all notebook development has
# moved to the separate Sage Notebook project

at the top, so I think it's okay to completely break this by removing gnutls.

Changed 9 years ago by jhpalmieri

comment:15 Changed 9 years ago by jhpalmieri

Here are some documentation patches, one for the root repo, one for the Sage library.

comment:16 Changed 9 years ago by jhpalmieri

Here's a patch for the prereq tarball, and here's a new prereq tarball.


Changed 9 years ago by jhpalmieri

for prereq package; for review only

comment:17 Changed 9 years ago by jhpalmieri

  • Description modified (diff)

Changed 9 years ago by kini

apply to $SAGE_ROOT
