Opened 8 months ago
Closed 8 months ago
#32580 closed enhancement (fixed)
{ubuntu-trusty, debian-jessie, linuxmint-17, fedora-{26,27,28}}-standard: system openssl too old for python3
Reported by: | mkoeppe | Owned by: | |
---|---|---|---|
Priority: | critical | Milestone: | sage-9.5 |
Component: | packages: standard | Keywords: | |
Cc: | tmonteil, dimpase, mjo, jhpalmieri, gh-kliem | Merged in: | |
Authors: | Matthias Koeppe | Reviewers: | Jonathan Kliem |
Report Upstream: | N/A | Work issues: | |
Branch: | 38c0d54 (Commits, GitHub, GitLab) | Commit: | 38c0d54e761b242b381ea9d4899be9ed40ac4236 |
Dependencies: | Stopgaps: |
Description (last modified by )
Following https://www.python.org/dev/peps/pep-0644/ PEP 644, python requires OpenSSL 1.1.1 or newer. This was planned to be included in Python 3.10, but apparently Python 3.9.7 (the version of our spkg after #32443) has already broken compatibility with some older openssl releases. For example ubuntu-trusty
uses 1.0.1f.
https://github.com/sagemath/sage/runs/3712854824?check_suite_focus=true
Also python's own configure script does not notice that this version of SSL does not work, but then building the _ssl
extension fails:
building '_ssl' extension gcc -pthread -fPIC -Wno-unused-result -Wsign-compare -DNDEBUG -g -fwrapv -O3 -Wall -Wno-unused -O2 -g -march=native -std=c99 -Wextra -Wno-unused-result -Wno-unused-parameter -Wno-missing-field-initializers -Werror=implicit-function-declaration -fvisibility=hidden -I./Include/internal -I./Include -I/sage/local/include -I. -I/usr/local/include -I/sage/local/var/tmp/sage/build/python3-3.9.7/src/Include -I/sage/local/var/tmp/sage/build/python3-3.9.7/src -c /sage/local/var/tmp/sage/build/python3-3.9.7/src/Modules/_ssl.c -o build/temp.linux-x86_64-3.9/sage/local/var/tmp/sage/build/python3-3.9.7/src/Modules/_ssl.o /sage/local/var/tmp/sage/build/python3-3.9.7/src/Modules/_ssl.c: In function '_ssl__SSLContext_impl': /sage/local/var/tmp/sage/build/python3-3.9.7/src/Modules/_ssl.c:3116:27: error: implicit declaration of function 'SSLv3_method'; did you mean 'SSLv23_method'? [-Werror=implicit-function-declaration] ctx = SSL_CTX_new(SSLv3_method()); ^~~~~~~~~~~~ SSLv23_method /sage/local/var/tmp/sage/build/python3-3.9.7/src/Modules/_ssl.c:3116:27: warning: passing argument 1 of 'SSL_CTX_new' makes pointer from integer without a cast [-Wint-conversion] In file included from /sage/local/var/tmp/sage/build/python3-3.9.7/src/Modules/_ssl.c:59:0: /usr/include/openssl/ssl.h:1341:17: note: expected 'const SSL_METHOD * {aka const struct ssl_method_st *}' but argument is of type 'int' __owur SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth); ^~~~~~~~~~~
We should update build/pkgs/openssl/spkg-configure.m4
to detect that we have a suitable version. Currently there is no version check whatsoever.
Change History (18)
comment:1 Changed 8 months ago by
- Priority changed from major to critical
comment:2 Changed 8 months ago by
- Description modified (diff)
- Summary changed from ubuntu-trusty-standard, debian-jessie-standard, linuxmint-17: openssl too old for python3 to {ubuntu-trusty, debian-jessie, linuxmint-17, fedora-{26,27,28}}-standard: system openssl too old for python3
comment:3 Changed 8 months ago by
- Cc dimpase mjo jhpalmieri added
comment:4 Changed 8 months ago by
comment:5 Changed 8 months ago by
We have ticket for this standard reaction, #32074. Let's please not repeat it on every ticket.
comment:6 Changed 8 months ago by
- Description modified (diff)
comment:7 Changed 8 months ago by
comment:8 Changed 8 months ago by
- Branch set to u/mkoeppe/_ubuntu_trusty__debian_jessie__linuxmint_17__fedora__26_27_28___standard__system_openssl_too_old_for_python3
comment:9 Changed 8 months ago by
- Commit set to 0926d3986665111653e105657a8964695a8c676b
- Status changed from new to needs_review
Tested as follows:
- on homebrew, correctly accepts openssl
tox -e docker-ubuntu-trusty-standard -- config.status
... correctly rejects openssl
New commits:
0926d39 | build/pkgs/openssl/spkg-configure.m4: Reject openssl < 1.1.1
|
comment:10 Changed 8 months ago by
- Commit changed from 0926d3986665111653e105657a8964695a8c676b to 82e08b5ddd72b5ab0f2299e7f3e9b026c3f5dc3c
Branch pushed to git repo; I updated commit sha1. New commits:
82e08b5 | build/pkgs/openssl/spkg-configure.m4: Do not require openssl if system python3 is used
|
comment:11 Changed 8 months ago by
tox -e docker-ubuntu-focal-standard -- config.status
now notices that openssl is not required
comment:12 Changed 8 months ago by
- Cc gh-kliem added
comment:13 Changed 8 months ago by
- Reviewers set to Jonathan Kliem
- Status changed from needs_review to needs_work
- #if OPENSSL_VERSION_NUMBER < 0x10100010L + #if OPENSSL_VERSION_NUMBER < 0x10101000L
Once done, you can set it on positive review on my behalf.
comment:14 Changed 8 months ago by
- Commit changed from 82e08b5ddd72b5ab0f2299e7f3e9b026c3f5dc3c to 38c0d54e761b242b381ea9d4899be9ed40ac4236
Branch pushed to git repo; I updated commit sha1. New commits:
38c0d54 | build/pkgs/openssl/spkg-configure.m4: Fix OPENSSL_VERSION_NUMBER format
|
comment:15 Changed 8 months ago by
Thanks for catching this, you are right
comment:16 Changed 8 months ago by
- Status changed from needs_work to positive_review
comment:17 Changed 8 months ago by
Well it did confuse me, when I was testing it. I have openssl 1.1.1 and raising the requirement to 1.1.2 did not do anything.
comment:18 Changed 8 months ago by
- Branch changed from u/mkoeppe/_ubuntu_trusty__debian_jessie__linuxmint_17__fedora__26_27_28___standard__system_openssl_too_old_for_python3 to 38c0d54e761b242b381ea9d4899be9ed40ac4236
- Resolution set to fixed
- Status changed from positive_review to closed
There aren't enough of us to support every package combination on every distro going back a decade. This is most thoroughly solved by setting
--with-system-python3=force
(or better yet, by deleting the SPKG) and documenting how to install a newer version of python3 with Nix, Conda, or unofficial deb/RPMs.For Ubuntu, there's a PPA that provides them:
https://launchpad.net/~deadsnakes/+archive/ubuntu/ppa