#29555 closed enhancement (fixed)

Upgrade: OpenSSL 3.0, make it a standard package

Reported by: slelievre
Owned by:
Priority: major
Milestone: sage-9.3
Component: packages: optional
Keywords: openssl
Cc: slelievre, dunfield, tmonteil, mjo, dimpase, gh-posita, vbraun
Merged in:
Authors: Matthias Koeppe
Reviewers: Dima Pasechnik
Report Upstream: N/A
Work issues:
Branch: 383a100
Commit: 383a10029e5ab56b0ba58950635ccdb75fd6d611
Dependencies:
Stopgaps:

Description (last modified by slelievre)

Upgrade to OpenSSL 3.0 and make openssl a standard package.

License is now Apache 2.0, which is GPL-compatible. https://github.com/openssl/openssl/blob/master/LICENSE

Once Sage macOS binaries ship OpenSSL, they will allow easily pip-installing extra packages.

Download tarball from:

Change History (31)

comment:1 Changed 20 months ago by slelievre

comment:2 Changed 20 months ago by slelievre

  • Cc slelievre added

Time to make openssl a standard package too. Related tickets:

  • #24107 Inclusion of OpenSSL, stage 1
  • #23893 make openssl a dependency for pip packages

comment:3 Changed 20 months ago by slelievre

  • Description modified (diff)

comment:4 Changed 20 months ago by slelievre

  • Description modified (diff)
  • Keywords openssl added

comment:5 Changed 20 months ago by dunfield

  • Cc dunfield added

comment:7 Changed 18 months ago by mkoeppe

  • Branch set to u/mkoeppe/upgrade__openssl_3_0

comment:8 Changed 18 months ago by mkoeppe

  • Commit set to e37e813157fc7405cd4b3299be13937fe869a533

Of course it's too early to merge, but I wanted to check whether our python3 compiles with it. It does, at least on macOS.


New commits:

54387b8 build/pkgs/openssl: Update to 3.0.0-alpha3
e37e813 build/pkgs/openssl/spkg-install.in: Remove old build workarounds, hoping for the best

comment:9 Changed 18 months ago by git

  • Commit changed from e37e813157fc7405cd4b3299be13937fe869a533 to 125a68324b11085e4f6aaa5a891d0e6227f75562

Branch pushed to git repo; I updated commit sha1. New commits:

d6eaab7 build/pkgs/python3/dependencies: Add openssl
125a683 build/pkgs/openssl/type: Make standard

comment:10 Changed 18 months ago by mkoeppe

  • Cc mjo dimpase added
  • Work issues set to Add spkg-configure.m4

Next (other than waiting for the release), we need an spkg-configure.m4 for openssl

comment:11 Changed 18 months ago by mkoeppe

  • Summary changed from Upgrade: OpenSSL 3.0 to Upgrade: OpenSSL 3.0, make it a standard package

comment:12 Changed 17 months ago by mkoeppe

Now there's openssl-3.0.0-alpha4

comment:13 Changed 16 months ago by slelievre

OpenSSL 3.0.0.alpha6 is out.

comment:14 Changed 16 months ago by mkoeppe

  • Milestone changed from sage-9.2 to sage-9.3

comment:15 Changed 16 months ago by gh-posita

  • Cc gh-posita added

comment:16 Changed 12 months ago by mkoeppe

alpha9 is out...

comment:17 Changed 11 months ago by mkoeppe

alpha10 is out

comment:18 Changed 10 months ago by slelievre

alpha11

comment:19 Changed 10 months ago by git

  • Commit changed from 125a68324b11085e4f6aaa5a891d0e6227f75562 to 29af657b8d08818628aa0f3f6730f08d951819c6

Branch pushed to git repo; I updated commit sha1. New commits:

48c801b Merge tag '9.3.beta6' into t/29555/upgrade__openssl_3_0
29af657 build/pkgs/openssl: Update to 3.0.0-alpha11

comment:20 Changed 10 months ago by git

  • Commit changed from 29af657b8d08818628aa0f3f6730f08d951819c6 to 383a10029e5ab56b0ba58950635ccdb75fd6d611

Branch pushed to git repo; I updated commit sha1. New commits:

909f796 build/pkgs/openssl/SPKG.rst: Update license
383a100 build/pkgs/openssl/spkg-configure.m4: Add warning about alpha release

comment:21 Changed 10 months ago by mkoeppe

  • Authors set to Matthias Koeppe
  • Cc vbraun added
  • Status changed from new to needs_review
  • Work issues Add spkg-configure.m4 deleted

Wondering how people would feel about this one. Solves our openssl license compatibility problem. Includes big fat warning that it's an alpha release. To my understanding, the way that current jupyter depends on the ssl module (via tornado - see 30674), it is merely a dependency and no SSL is actually spoken to anyone but possibly localhost.

SSL would still kick in when pip packages are installed - but these are all optional and users have been warned.

comment:22 follow-up: Changed 10 months ago by tmonteil

I would prefer that we stick to 1.1.1* until openssl 3.0 is released, the current 3.0 is not even beta!

comment:23 in reply to: ↑ 22 Changed 10 months ago by dunfield

Replying to tmonteil:

I would prefer that we stick to 1.1.1* until openssl 3.0 is released, the current 3.0 is not even beta!

Currently, the macOS binaries don't have any version of openssl at all. So there, the choice is 3.0 alpha or nothing, meaning the user is unable to run Jupyter notebooks, which is a pretty core feature of Sage for many users.

I say go for it, the current situation is causing a lot of people problems, see all the posts to sage-support and sage-devel.

comment:24 follow-ups: Changed 10 months ago by tmonteil

Could this be only shipped with macOS binaries?

comment:25 in reply to: ↑ 24 Changed 10 months ago by dunfield

Replying to tmonteil:

Could this be only shipped with macOS binaries?

On Linux, Sage doesn't need to provide its own copy of openssl, it just uses the system library. The problem is macOS deprecated openssl in favor of their own APIs and only provides openssl 0.9.8, which is too old to be useful.

comment:26 Changed 10 months ago by mkoeppe

Another idea could be to make openssl 3.0 standard (as on this ticket) but keep the stable (but license-incompatible) openssl 1.1.x as an optional package. So people who need to deploy a secure system but cannot do so using a system installation of openssl would enable this optional package. But it is not clear whether this is a convincing use case that would warrant adding this kind of build system complexity for it.

comment:27 in reply to: ↑ 24 ; follow-up: Changed 10 months ago by mkoeppe

Replying to tmonteil:

Could this be only shipped with macOS binaries?

These issues with ssl also affect people who build from source.

comment:28 Changed 10 months ago by dimpase

  • Reviewers set to Dima Pasechnik
  • Status changed from needs_review to positive_review

I suppose this is tested on macOS. On Linux it's fine.

comment:29 in reply to: ↑ 27 Changed 10 months ago by tmonteil

Replying to mkoeppe:

Replying to tmonteil:

Could this be only shipped with macOS binaries?

These issues with ssl also affect people who build from source.

I imagine the people that build from source use a decent distribution of packages that includes openssl like homebrew, as recommended in the Sage installation documentation.

I do not like the current way as it will install an immature implementation of SSL within Sage for most people, since even on some OS that ship openssl-dev, this latter is rarely installed by default, see e.g. https://ask.sagemath.org/question/47513/rise-in-jupyter/

The warnings are probably not enough (and probably lost among tons of configure lines) since people will just go ahead and "prefer" using the standard openssl spkg over installing the lib from their distro.

comment:30 Changed 10 months ago by slelievre

I'm also uneasy with an alpha stage OpenSSL 3 becoming standard.

Maybe we can create an "openssl3" optional package for now?

We should advertise the fix_mac_sage scripts by the 3-manifolds group that can "fix" a Sage install on macOS by adding SSL and tkinter to its Python.

We should advertise it

  • in the README file that is shipped with macOS binaries
  • on the macOS download page of the SageMath website

comment:31 Changed 10 months ago by vbraun

  • Branch changed from u/mkoeppe/upgrade__openssl_3_0 to 383a10029e5ab56b0ba58950635ccdb75fd6d611
  • Resolution set to fixed
  • Status changed from positive_review to closed