Opened 2 years ago
Closed 15 months ago
#29555 closed enhancement (fixed)
Upgrade: OpenSSL 3.0, make it a standard package
Reported by: | slelievre | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | sage-9.3 |
Component: | packages: optional | Keywords: | openssl |
Cc: | slelievre, dunfield, tmonteil, mjo, dimpase, gh-posita, vbraun | Merged in: | |
Authors: | Matthias Koeppe | Reviewers: | Dima Pasechnik |
Report Upstream: | N/A | Work issues: | |
Branch: | 383a100 | Commit: | 383a10029e5ab56b0ba58950635ccdb75fd6d611 |
Dependencies: | Stopgaps: |
Description (last modified by )
Upgrade to OpenSSL 3.0 and make openssl a standard package.
License is now Apache 2.0, which is GPL-compatible. https://github.com/openssl/openssl/blob/master/LICENSE
Once Sage macOS binaries ship OpenSSL, they will allow easily pip-installing extra packages.
Download tarball from:
Change History (31)
comment:1 Changed 2 years ago by
comment:2 Changed 2 years ago by
- Cc slelievre added
comment:3 Changed 2 years ago by
- Description modified (diff)
comment:4 Changed 2 years ago by
- Description modified (diff)
- Keywords openssl added
comment:5 Changed 2 years ago by
- Cc dunfield added
comment:6 Changed 2 years ago by
- Cc tmonteil added
comment:7 Changed 2 years ago by
- Branch set to u/mkoeppe/upgrade__openssl_3_0
comment:8 Changed 2 years ago by
- Commit set to e37e813157fc7405cd4b3299be13937fe869a533
comment:9 Changed 2 years ago by
- Commit changed from e37e813157fc7405cd4b3299be13937fe869a533 to 125a68324b11085e4f6aaa5a891d0e6227f75562
comment:10 Changed 2 years ago by
- Cc mjo dimpase added
- Work issues set to Add spkg-configure.m4
Next (other than waiting for the release), we need an spkg-configure.m4 for openssl
comment:11 Changed 2 years ago by
- Summary changed from Upgrade: OpenSSL 3.0 to Upgrade: OpenSSL 3.0, make it a standard package
comment:12 Changed 23 months ago by
Now there's openssl-3.0.0-alpha4
comment:13 Changed 22 months ago by
OpenSSL 3.0.0.alpha6 is out.
comment:14 Changed 22 months ago by
- Milestone changed from sage-9.2 to sage-9.3
comment:15 Changed 21 months ago by
- Cc gh-posita added
comment:16 Changed 17 months ago by
alpha9 is out...
comment:17 Changed 16 months ago by
alpha10 is out
comment:18 Changed 16 months ago by
alpha11
comment:19 Changed 16 months ago by
- Commit changed from 125a68324b11085e4f6aaa5a891d0e6227f75562 to 29af657b8d08818628aa0f3f6730f08d951819c6
comment:20 Changed 16 months ago by
- Commit changed from 29af657b8d08818628aa0f3f6730f08d951819c6 to 383a10029e5ab56b0ba58950635ccdb75fd6d611
comment:21 Changed 16 months ago by
- Cc vbraun added
- Status changed from new to needs_review
- Work issues Add spkg-configure.m4 deleted
Wondering how people would feel about this one. Solves our openssl license compatibility problem. Includes big fat warning that it's an alpha release. To my understanding, the way that current jupyter depends on the ssl module (via tornado - see 30674), it is merely a dependency and no SSL is actually spoken to anyone but possibly localhost.
SSL would still kick in when pip packages are installed - but these are all optional and users have been warned.
comment:22 follow-up: ↓ 23 Changed 16 months ago by
I would prefer that we stick to 1.1.1* until openssl 3.0 is released, the current 3.0 is not even beta!
comment:23 in reply to: ↑ 22 Changed 16 months ago by
Replying to tmonteil:
I would prefer that we stick to 1.1.1* until openssl 3.0 is released, the current 3.0 is not even beta!
Currently, the macOS binaries don't have any version of openssl at all. So there, the choice is 3.0 alpha or nothing, meaning the user is unable to run Jupyter notebooks, which is a pretty core feature of Sage for many users.
I say go for it, the current situation is causing a lot of people problems, see all the posts to sage-support and sage-devel.
comment:24 follow-ups: ↓ 25 ↓ 27 Changed 16 months ago by
Could this be only shipped with macOS binaries?
comment:25 in reply to: ↑ 24 Changed 16 months ago by
Replying to tmonteil:
Could this be only shipped with macOS binaries?
On Linux, Sage doesn't need to provide its own copy of openssl, it just uses the system library. The problem is macOS deprecated openssl in favor of their own APIs and only provides openssl 0.9.8, which is too old to be useful.
comment:26 Changed 16 months ago by
Another idea could be to make openssl 3.0 standard (as on this ticket) but keep the stable (but license-incompatible) openssl 1.1.x as an optional package. So people who need to deploy a secure system but cannot do so using a system installation of openssl would enable this optional package. But it is not clear whether this is a convincing use case that would warrant adding this kind of build system complexity for it.
comment:27 in reply to: ↑ 24 ; follow-up: ↓ 29 Changed 16 months ago by
Replying to tmonteil:
Could this be only shipped with macOS binaries?
These issues with ssl also affect people who build from source.
comment:28 Changed 16 months ago by
- Reviewers set to Dima Pasechnik
- Status changed from needs_review to positive_review
I suppose this is tested on macOS. On Linux it's fine.
comment:29 in reply to: ↑ 27 Changed 16 months ago by
Replying to mkoeppe:
Replying to tmonteil:
Could this be only shipped with macOS binaries?
These issues with ssl also affect people who build from source.
I imagine the people that build from source use a decent distribution of packages that includes openssl like homebrew, as recommended in the Sage installation documentation.
I do not like the current way as it will install an immature implementation of SSL within Sage for most people, since even on some OS that ship openssl-dev, the latter is rarely installed by default, see e.g. https://ask.sagemath.org/question/47513/rise-in-jupyter/
The warnings are probably not enough (and probably lost among tons of configure lines) since people will just go ahead and "prefer" using the standard openssl spkg over installing the lib from their distro.
comment:30 Changed 16 months ago by
I'm also uneasy with an alpha stage OpenSSL 3 becoming standard.
Maybe we can create an "openssl3" optional package for now?
We should advertise the fix_mac_sage scripts by the 3-manifolds group that can "fix" a Sage install on macOS by adding SSL and tkinter to its Python.
We should advertise it
- in the README file that is shipped with macOS binaries
- on the macOS download page of the SageMath website
comment:31 Changed 15 months ago by
- Branch changed from u/mkoeppe/upgrade__openssl_3_0 to 383a10029e5ab56b0ba58950635ccdb75fd6d611
- Resolution set to fixed
- Status changed from positive_review to closed
OpenSSL 3.0.0-alpha1 is out. Blog post: https://www.openssl.org/blog/blog/2020/04/23/OpenSSL3.0Alpha1/
OpenSSL 3.0.0-alpha1 tarball: