Opened 3 years ago

Closed 22 months ago

#29555 closed enhancement (fixed)

Upgrade: OpenSSL 3.0, make it a standard package

Reported by: Samuel Lelièvre
Owned by:
Priority: major
Milestone: sage-9.3
Component: packages: optional
Keywords: openssl
Cc: Samuel Lelièvre, Nathan Dunfield, Thierry Monteil, Michael Orlitzky, Dima Pasechnik, Matt Bogosian, Volker Braun
Merged in:
Authors: Matthias Koeppe
Reviewers: Dima Pasechnik
Report Upstream: N/A
Work issues:
Branch: 383a100
Commit: 383a10029e5ab56b0ba58950635ccdb75fd6d611
Dependencies:
Stopgaps:

Description (last modified by Samuel Lelièvre)

Upgrade to OpenSSL 3.0 and make openssl a standard package.

License is now Apache 2.0, which is GPL-compatible. https://github.com/openssl/openssl/blob/master/LICENSE

Once Sage macOS binaries ship OpenSSL, they will allow easily pip-installing extra packages.

Download tarball from:

Change History (31)

comment:1 Changed 3 years ago by Samuel Lelièvre

Last edited 3 years ago by Samuel Lelièvre

comment:2 Changed 3 years ago by Samuel Lelièvre

Cc: Samuel Lelièvre added

Time to make openssl a standard package too. Related tickets:

  • #24107 Inclusion of OpenSSL, stage 1
  • #23893 make openssl a dependency for pip packages

comment:3 Changed 3 years ago by Samuel Lelièvre

Description: modified

comment:4 Changed 3 years ago by Samuel Lelièvre

Description: modified
Keywords: openssl added

comment:5 Changed 3 years ago by Nathan Dunfield

Cc: Nathan Dunfield added

comment:6 Changed 3 years ago by Matthias Köppe

Cc: Thierry Monteil added

comment:7 Changed 3 years ago by Matthias Köppe

Branch: u/mkoeppe/upgrade__openssl_3_0

comment:8 Changed 3 years ago by Matthias Köppe

Commit: e37e813157fc7405cd4b3299be13937fe869a533

Of course it's too early to merge, but I wanted to check whether our python3 compiles with it. It does, at least on macOS.


New commits:

54387b8 build/pkgs/openssl: Update to 3.0.0-alpha3
e37e813 build/pkgs/openssl/spkg-install.in: Remove old build workarounds, hoping for the best

comment:9 Changed 3 years ago by git

Commit: e37e813157fc7405cd4b3299be13937fe869a533 → 125a68324b11085e4f6aaa5a891d0e6227f75562

Branch pushed to git repo; I updated commit sha1. New commits:

d6eaab7 build/pkgs/python3/dependencies: Add openssl
125a683 build/pkgs/openssl/type: Make standard

comment:10 Changed 3 years ago by Matthias Köppe

Cc: Michael Orlitzky Dima Pasechnik added
Work issues: Add spkg-configure.m4

Next (other than waiting for the release), we need an spkg-configure.m4 for openssl

comment:11 Changed 3 years ago by Matthias Köppe

Summary: Upgrade: OpenSSL 3.0 → Upgrade: OpenSSL 3.0, make it a standard package

comment:12 Changed 2 years ago by Matthias Köppe

Now there's openssl-3.0.0-alpha4

comment:13 Changed 2 years ago by Samuel Lelièvre

OpenSSL 3.0.0.alpha6 is out.

comment:14 Changed 2 years ago by Matthias Köppe

Milestone: sage-9.2 → sage-9.3

comment:15 Changed 2 years ago by Matt Bogosian

Cc: Matt Bogosian added

comment:16 Changed 2 years ago by Matthias Köppe

alpha9 is out...

comment:17 Changed 23 months ago by Matthias Köppe

alpha10 is out

comment:18 Changed 23 months ago by Samuel Lelièvre

alpha11

comment:19 Changed 23 months ago by git

Commit: 125a68324b11085e4f6aaa5a891d0e6227f75562 → 29af657b8d08818628aa0f3f6730f08d951819c6

Branch pushed to git repo; I updated commit sha1. New commits:

48c801b Merge tag '9.3.beta6' into t/29555/upgrade__openssl_3_0
29af657 build/pkgs/openssl: Update to 3.0.0-alpha11

comment:20 Changed 23 months ago by git

Commit: 29af657b8d08818628aa0f3f6730f08d951819c6 → 383a10029e5ab56b0ba58950635ccdb75fd6d611

Branch pushed to git repo; I updated commit sha1. New commits:

909f796 build/pkgs/openssl/SPKG.rst: Update license
383a100 build/pkgs/openssl/spkg-configure.m4: Add warning about alpha release

comment:21 Changed 23 months ago by Matthias Köppe

Authors: Matthias Koeppe
Cc: Volker Braun added
Status: new → needs_review
Work issues: Add spkg-configure.m4

Wondering how people would feel about this one. Solves our openssl license compatibility problem. Includes big fat warning that it's an alpha release. To my understanding, the way that current jupyter depends on the ssl module (via tornado - see 30674), it is merely a dependency and no SSL is actually spoken to anyone but possibly localhost.

SSL would still kick in when pip packages are installed - but these are all optional and users have been warned.

comment:22 Changed 23 months ago by Thierry Monteil

I would prefer that we stick to 1.1.1* until openssl 3.0 is released, the current 3.0 is not even beta!

comment:23 in reply to:  22 Changed 23 months ago by Nathan Dunfield

Replying to tmonteil:

> I would prefer that we stick to 1.1.1* until openssl 3.0 is released, the current 3.0 is not even beta!

Currently, the macOS binaries don't have any version of openssl at all. So there, the choice is 3.0 alpha or nothing, meaning the user is unable to run Jupyter notebooks, which is a pretty core feature of Sage for many users.

I say go for it, the current situation is causing a lot of people problems, see all the posts to sage-support and sage-devel.

comment:24 Changed 23 months ago by Thierry Monteil

Could this be only shipped with macOS binaries?

comment:25 in reply to:  24 Changed 23 months ago by Nathan Dunfield

Replying to tmonteil:

> Could this be only shipped with macOS binaries?

On Linux, Sage doesn't need to provide its own copy of openssl, it just uses the system library. The problem is macOS deprecated openssl in favor of their own APIs and only provides openssl 0.9.8, which is too old to be useful.

comment:26 Changed 22 months ago by Matthias Köppe

Another idea could be to make openssl 3.0 standard (as on this ticket) but keep the stable (but license-incompatible) openssl 1.1.x as an optional package. So people who need to deploy a secure system but cannot do so using a system installation of openssl would enable this optional package. But it is not clear whether this is a convincing use case that would warrant adding this kind of build system complexity for it.

comment:27 in reply to:  24 ; Changed 22 months ago by Matthias Köppe

Replying to tmonteil:

> Could this be only shipped with macOS binaries?

These issues with ssl also affect people who build from source.

comment:28 Changed 22 months ago by Dima Pasechnik

Reviewers: Dima Pasechnik
Status: needs_review → positive_review

I suppose this is tested on macOS. On Linux it's fine.

comment:29 in reply to:  27 Changed 22 months ago by Thierry Monteil

Replying to mkoeppe:

> Replying to tmonteil:
>
> > Could this be only shipped with macOS binaries?
>
> These issues with ssl also affect people who build from source.

I imagine the people that build from source use a decent distribution of packages that includes openssl like homebrew, as recommended in the Sage installation documentation.

I do not like the current way as it will install an immature implementation of SSL within Sage for most people, since even on some OS that ship openssl-dev, this latter is rarely installed by default, see e.g. https://ask.sagemath.org/question/47513/rise-in-jupyter/

The warnings are probably not enough (and probably lost among tons of configure lines) since people will just go ahead and "prefer" using the standard openssl spkg over installing the lib from their distro.

comment:30 Changed 22 months ago by Samuel Lelièvre

I'm also uneasy with an alpha stage OpenSSL 3 becoming standard.

Maybe we can create an "openssl3" optional package for now?

We should advertise the fix_mac_sage scripts by the 3-manifolds group that can "fix" a Sage install on macOS by adding SSL and tkinter to its Python.

We should advertise it

  • in the README file that is shipped with macOS binaries
  • on the macOS download page of the SageMath website

comment:31 Changed 22 months ago by Volker Braun

Branch: u/mkoeppe/upgrade__openssl_3_0 → 383a10029e5ab56b0ba58950635ccdb75fd6d611
Resolution: fixed
Status: positive_review → closed