Opened 8 months ago

Closed 8 months ago

#32580 closed enhancement (fixed)

{ubuntu-trusty, debian-jessie, linuxmint-17, fedora-{26,27,28}}-standard: system openssl too old for python3

Reported by: mkoeppe Owned by:
Priority: critical Milestone: sage-9.5
Component: packages: standard Keywords:
Cc: tmonteil, dimpase, mjo, jhpalmieri, gh-kliem Merged in:
Authors: Matthias Koeppe Reviewers: Jonathan Kliem
Report Upstream: N/A Work issues:
Branch: 38c0d54 (Commits, GitHub, GitLab) Commit: 38c0d54e761b242b381ea9d4899be9ed40ac4236
Dependencies: Stopgaps:

Status badges

Description (last modified by mkoeppe)

Following https://www.python.org/dev/peps/pep-0644/ PEP 644, python requires OpenSSL 1.1.1 or newer. This was planned to be included in Python 3.10, but apparently Python 3.9.7 (the version of our spkg after #32443) has already broken compatibility with some older openssl releases. For example ubuntu-trusty uses 1.0.1f. https://github.com/sagemath/sage/runs/3712854824?check_suite_focus=true

Also python's own configure script does not notice that this version of SSL does not work, but then building the _ssl extension fails:

building '_ssl' extension
gcc -pthread -fPIC -Wno-unused-result -Wsign-compare -DNDEBUG -g -fwrapv -O3 -Wall -Wno-unused -O2 -g -march=native -std=c99 -Wextra -Wno-unused-result -Wno-unused-parameter -Wno-missing-field-initializers -Werror=implicit-function-declaration -fvisibility=hidden -I./Include/internal -I./Include -I/sage/local/include -I. -I/usr/local/include -I/sage/local/var/tmp/sage/build/python3-3.9.7/src/Include -I/sage/local/var/tmp/sage/build/python3-3.9.7/src -c /sage/local/var/tmp/sage/build/python3-3.9.7/src/Modules/_ssl.c -o build/temp.linux-x86_64-3.9/sage/local/var/tmp/sage/build/python3-3.9.7/src/Modules/_ssl.o
/sage/local/var/tmp/sage/build/python3-3.9.7/src/Modules/_ssl.c: In function '_ssl__SSLContext_impl':
/sage/local/var/tmp/sage/build/python3-3.9.7/src/Modules/_ssl.c:3116:27: error: implicit declaration of function 'SSLv3_method'; did you mean 'SSLv23_method'? [-Werror=implicit-function-declaration]
         ctx = SSL_CTX_new(SSLv3_method());
                           ^~~~~~~~~~~~
                           SSLv23_method
/sage/local/var/tmp/sage/build/python3-3.9.7/src/Modules/_ssl.c:3116:27: warning: passing argument 1 of 'SSL_CTX_new' makes pointer from integer without a cast [-Wint-conversion]
In file included from /sage/local/var/tmp/sage/build/python3-3.9.7/src/Modules/_ssl.c:59:0:
/usr/include/openssl/ssl.h:1341:17: note: expected 'const SSL_METHOD * {aka const struct ssl_method_st *}' but argument is of type 'int'
 __owur SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
                 ^~~~~~~~~~~

We should update build/pkgs/openssl/spkg-configure.m4 to detect that we have a suitable version. Currently there is no version check whatsoever.

Change History (18)

comment:1 Changed 8 months ago by mkoeppe

  • Priority changed from major to critical

comment:2 Changed 8 months ago by mkoeppe

  • Description modified (diff)
  • Summary changed from ubuntu-trusty-standard, debian-jessie-standard, linuxmint-17: openssl too old for python3 to {ubuntu-trusty, debian-jessie, linuxmint-17, fedora-{26,27,28}}-standard: system openssl too old for python3

comment:3 Changed 8 months ago by mkoeppe

  • Cc dimpase mjo jhpalmieri added

comment:4 Changed 8 months ago by mjo

There aren't enough of us to support every package combination on every distro going back a decade. This is most thoroughly solved by setting --with-system-python3=force (or better yet, by deleting the SPKG) and documenting how to install a newer version of python3 with Nix, Conda, or unofficial deb/RPMs.

For Ubuntu, there's a PPA that provides them:

https://launchpad.net/~deadsnakes/+archive/ubuntu/ppa

comment:5 Changed 8 months ago by mkoeppe

We have ticket for this standard reaction, #32074. Let's please not repeat it on every ticket.

comment:6 Changed 8 months ago by mkoeppe

  • Description modified (diff)

comment:7 Changed 8 months ago by mkoeppe

  • Authors set to Matthias Koeppe

comment:8 Changed 8 months ago by mkoeppe

  • Branch set to u/mkoeppe/_ubuntu_trusty__debian_jessie__linuxmint_17__fedora__26_27_28___standard__system_openssl_too_old_for_python3

comment:9 Changed 8 months ago by mkoeppe

  • Commit set to 0926d3986665111653e105657a8964695a8c676b
  • Status changed from new to needs_review

Tested as follows:

  • on homebrew, correctly accepts openssl
  • tox -e docker-ubuntu-trusty-standard -- config.status ... correctly rejects openssl

New commits:

0926d39build/pkgs/openssl/spkg-configure.m4: Reject openssl < 1.1.1

comment:10 Changed 8 months ago by git

  • Commit changed from 0926d3986665111653e105657a8964695a8c676b to 82e08b5ddd72b5ab0f2299e7f3e9b026c3f5dc3c

Branch pushed to git repo; I updated commit sha1. New commits:

82e08b5build/pkgs/openssl/spkg-configure.m4: Do not require openssl if system python3 is used

comment:11 Changed 8 months ago by mkoeppe

tox -e docker-ubuntu-focal-standard -- config.status now notices that openssl is not required

comment:12 Changed 8 months ago by mkoeppe

  • Cc gh-kliem added

comment:13 Changed 8 months ago by gh-kliem

  • Reviewers set to Jonathan Kliem
  • Status changed from needs_review to needs_work
-            #if OPENSSL_VERSION_NUMBER < 0x10100010L
+            #if OPENSSL_VERSION_NUMBER < 0x10101000L

Once done, you can set it on positive review on my behalf.

comment:14 Changed 8 months ago by git

  • Commit changed from 82e08b5ddd72b5ab0f2299e7f3e9b026c3f5dc3c to 38c0d54e761b242b381ea9d4899be9ed40ac4236

Branch pushed to git repo; I updated commit sha1. New commits:

38c0d54build/pkgs/openssl/spkg-configure.m4: Fix OPENSSL_VERSION_NUMBER format

comment:15 Changed 8 months ago by mkoeppe

Thanks for catching this, you are right

comment:16 Changed 8 months ago by mkoeppe

  • Status changed from needs_work to positive_review

comment:17 Changed 8 months ago by gh-kliem

Well it did confuse me, when I was testing it. I have openssl 1.1.1 and raising the requirement to 1.1.2 did not do anything.

comment:18 Changed 8 months ago by vbraun

  • Branch changed from u/mkoeppe/_ubuntu_trusty__debian_jessie__linuxmint_17__fedora__26_27_28___standard__system_openssl_too_old_for_python3 to 38c0d54e761b242b381ea9d4899be9ed40ac4236
  • Resolution set to fixed
  • Status changed from positive_review to closed
Note: See TracTickets for help on using tickets.