Skip to content

RFC: python: use openssl without legacy configuration #247754

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
de11n wants to merge 1 commit into from
Closed

RFC: python: use openssl without legacy configuration #247754

de11n wants to merge 1 commit into from

Conversation

@de11n
Copy link

@de11n de11n commented Aug 7, 2023
edited
Loading

Description of changes

Our internal Hydra builds of Nixpkgs have not noticed any additional breakage from removing the legacy module the OpenSSL used by Python.

On the flip side, we have encountered Segfaults which seem similar to openssl/openssl#18049. We've found that removing the legacy module has resolved these issues. (Using OpenSSL 3.0.9, specifically.)

All the same, this is a "big" change that may have unforeseen consequences. For prior art, there is a discussion here where some have also gone the route of OpenSSL 3 + no legacy module.

I'd love to start the discussion on this and see if Nixpkgs is ready for this change.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.11 Release Notes (or backporting 23.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

@de11n de11n requested a review from FRidh as a code owner August 7, 2023 15:10
@github-actions github-actions bot added the 6.topic: python Python is a high-level, general-purpose programming language. label Aug 7, 2023
@ofborg ofborg bot added 10.rebuild-darwin-stdenv This PR causes stdenv to rebuild on Darwin and must target a staging branch. 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. labels Aug 7, 2023
@ajs124
Copy link
Member

ajs124 commented Aug 8, 2023

#202126 might also have a little context, as that is where this hack was introduced.

@figsoda figsoda added the 12.approvals: 1 This PR was reviewed and approved by one person. label Aug 9, 2023
@ajs124 ajs124 requested a review from mweinelt January 31, 2024 23:57
@ajs124
Copy link
Member

ajs124 commented Jan 31, 2024

probably superseded by #285158

@mweinelt mweinelt closed this Feb 2, 2024
@de11n de11n deleted the python-no-legacy-openssl branch February 2, 2024 15:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fpletz fpletz fpletz approved these changes

@FRidh FRidh Awaiting requested review from FRidh

@mweinelt mweinelt Awaiting requested review from mweinelt

Assignees

No one assigned

Labels

6.topic: python Python is a high-level, general-purpose programming language. 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. 10.rebuild-darwin-stdenv This PR causes stdenv to rebuild on Darwin and must target a staging branch. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. 12.approvals: 1 This PR was reviewed and approved by one person.

Projects

No open projects
Staging
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@de11n @ajs124 @fpletz @mweinelt @figsoda