Opened 3 years ago

Closed 2 years ago

#22089 closed defect (wontfix)

Patch python to accept openSSL >= 1.1

Reported by: charpent Owned by:
Priority: critical Milestone: sage-duplicate/invalid/wontfix
Component: packages: standard Keywords: SSL pip packages
Cc: slelievre, jdemeyer Merged in:
Authors: Reviewers: Emmanuel Charpentier
Report Upstream: N/A Work issues:
Branch: Commit:
Dependencies: Stopgaps:

Description (last modified by charpent)

Rationale : see this thread.

In short, OpenSSL development interface have changed incompatibly with versions<1.1. A lot of applications have been affected. That includes "our" python (see this python ticket) and "our" git (see #22058), which are now unable to use SSL transport when compiled against OpenSSL>=1.1. This notably impedes the use of pip.

This library has now entered :

  • mainstream Linux distributions (e. g. Debian testing, which means Ubuntu in 4 months...),
  • but not (yet) cygwin
  • (I dunno about Mac OS X, which has other problems).

However, one notes that cygwin has now Python 2.7.12, which is patched for openssl>=1.1.

These distributions can no longer compile Sagemath with a functional pip. Therefore, unless we are willing to restrict Sagemath use to "stable" (read "antique") distributions, we have to either patch our current Python or upgrade it.

Change History (13)

comment:1 Changed 3 years ago by charpent

  • Description modified (diff)

comment:2 follow-up: Changed 3 years ago by slelievre

  • Cc slelievre added

Upgrade to Python 2.7.12 is done at #19735.

Upgrade to Python 2.7.13 is in progress at #22037.

comment:3 in reply to: ↑ 2 ; follow-up: Changed 3 years ago by charpent

Replying to slelievre:

Upgrade to Python 2.7.12 is done at #19735.

Upgrade to Python 2.7.13 is in progress at #22037.

<DonsBrownPaperBagOnHead?> Aaaarghhh ! You are right. </DonsBrownPaperBagOnHead?>

I can't test this right now (my Sage installation dates back from before the time openSSL entered the game...). I'll upgrade it to 7.5rc0 (which includes #19735), and see how well this goes.

I'll have a look at a pristine VM tonight.

comment:4 in reply to: ↑ 3 Changed 3 years ago by charpent

Replying to charpent:

I can't test this right now (my Sage installation dates back from before the time openSSL entered the game...). I'll upgrade it to 7.5rc0 (which includes #19735), and see how well this goes.

Well... testing this on a machine that used to have a functional _ssl module in python, I now get :

charpent@SAP5057241:/usr/local/sage-7$ sage -python
Python 2.7.12 (default, Dec 22 2016, 11:47:35) 
[GCC 6.2.1 20161124] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> quit()
charpent@SAP5057241:/usr/local/sage-7$ sage -pip search lalala
Exception:
Traceback (most recent call last):
  File "/usr/local/sage-7/local/lib/python2.7/site-packages/pip/basecommand.py", line 215, in main
    status = self.run(options, args)
  File "/usr/local/sage-7/local/lib/python2.7/site-packages/pip/commands/search.py", line 43, in run
    pypi_hits = self.search(query, options)
  File "/usr/local/sage-7/local/lib/python2.7/site-packages/pip/commands/search.py", line 60, in search
    hits = pypi.search({'name': query, 'summary': query}, 'or')
  File "/usr/local/sage-7/local/lib/python/xmlrpclib.py", line 1243, in __call__
    return self.__send(self.__name, args)
  File "/usr/local/sage-7/local/lib/python/xmlrpclib.py", line 1602, in __request
    verbose=self.__verbose
  File "/usr/local/sage-7/local/lib/python2.7/site-packages/pip/download.py", line 764, in request
    headers=headers, stream=True)
  File "/usr/local/sage-7/local/lib/python2.7/site-packages/pip/_vendor/requests/sessions.py", line 518, in post
    return self.request('POST', url, data=data, json=json, **kwargs)
  File "/usr/local/sage-7/local/lib/python2.7/site-packages/pip/download.py", line 378, in request
    return super(PipSession, self).request(method, url, *args, **kwargs)
  File "/usr/local/sage-7/local/lib/python2.7/site-packages/pip/_vendor/requests/sessions.py", line 475, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/sage-7/local/lib/python2.7/site-packages/pip/_vendor/requests/sessions.py", line 585, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/sage-7/local/lib/python2.7/site-packages/pip/_vendor/cachecontrol/adapter.py", line 46, in send
    resp = super(CacheControlAdapter, self).send(request, **kw)
  File "/usr/local/sage-7/local/lib/python2.7/site-packages/pip/_vendor/requests/adapters.py", line 477, in send
    raise SSLError(e, request=request)
SSLError: Can't connect to HTTPS URL because the SSL module is not available.

The issue still stands (and is worse than previously thought of...).

comment:5 Changed 3 years ago by charpent

My attempts at using the upstream patch have failed. I think now that the only realistic option is #22037.

This ticket should be closed as Invalid/Wontfix?...

comment:6 follow-up: Changed 3 years ago by jdemeyer

Does #22037 actually fix this ticket? I.e. does Python 2.7.13 work with the latest OpenSSL?

comment:7 in reply to: ↑ 6 ; follow-up: Changed 3 years ago by charpent

  • Cc jdemeyer added

Replying to jdemeyer:

Does #22037 actually fix this ticket? I.e. does Python 2.7.13 work with the latest OpenSSL?

Ah. I was waiting for #22037 to be marked "needs_review". I'll test that tonight.

comment:8 Changed 3 years ago by embray

+1 for going with #22037

comment:9 in reply to: ↑ 7 Changed 3 years ago by charpent

  • Status changed from new to needs_review

Reviewing other tickets, I find this one, that I had mentallt noted as "Fixed".

Replying to charpent:

Replying to jdemeyer:

Does #22037 actually fix this ticket? I.e. does Python 2.7.13 work with the latest OpenSSL?

Ah. I was waiting for #22037 to be marked "needs_review". I'll test that tonight.

Indeed, #22037 does fix the problem. This ticket should be marked as invalid/won't fix and closed. Someting I can't do myself.

I'm marking this ticket as "needs review" : plan is to mark it as "positive review" to get the attention of the release manager who *can* mar it as invalid/won't fix and close it.

comment:10 Changed 3 years ago by charpent

  • Reviewers set to Emmanuel Charpentier
  • Status changed from needs_review to positive_review

Morking it as positive_review to get it reviewed by the release manager. Who should mark it as invalid and close it.

comment:11 follow-up: Changed 3 years ago by tscrim

  • Milestone changed from sage-7.5 to sage-duplicate/invalid/wontfix

Don't forget to set the milestone to invalid. ;)

comment:12 in reply to: ↑ 11 Changed 3 years ago by charpent

Thanks !

Replying to tscrim:

Don't forget to set the milestone to invalid. ;)

<Blush>

That was the piece of information I missed (consistently...). It is probably documented in a doc that I studiously missed ;-).

</Blush>

comment:13 Changed 2 years ago by embray

  • Resolution set to wontfix
  • Status changed from positive_review to closed

Closing tickets in the sage-duplicate/invalid/wontfix module with positive_review (i.e. someone has confirmed they should be closed).

Note: See TracTickets for help on using tickets.