Commit 5d3febf0 authored by Ned Deily

Issue #17128: Use private version of OpenSSL for 3.x OS X 10.5+ installers.

Among other issues, the Apple-supplied 0.9.7 libs for the 10.5 ABI cannot
verify newer SHA-256 certs as now used by python.org services.  Document
in the installer ReadMe some of the certificate management issues that
users now need to be more concerned with due to PEP 476's enabling cert
verification by default.  For now, continue to use the Apple-supplied
0.9.8 libs for the 10.6+ installer since they use Apple private APIs to
verify certificates using the system- and user-managed CA keychain stores.
parent 90783ebf
......@@ -654,9 +654,9 @@ OpenSSL
The modules :mod:`hashlib`, :mod:`posix`, :mod:`ssl`, :mod:`crypt` use
the OpenSSL library for added performance if made available by the
operating system. Additionally, the Windows installers for Python
include a copy of the OpenSSL libraries, so we include a copy of the
OpenSSL license here::
operating system. Additionally, the Windows and Mac OS X installers for
Python may include a copy of the OpenSSL libraries, so we include a copy
of the OpenSSL license here::
LICENSE ISSUES
# openssl_sdk_makedepend.patch
#
# using openssl 1.0.1j
#
# - support building with an OS X SDK
# - allow "make depend" to use compilers with names other than "gcc"
diff Configure
--- a/Configure Fri Dec 05 01:24:16 2014 -0800
+++ b/Configure Fri Dec 05 01:52:29 2014 -0800
@@ -577,11 +577,11 @@
##### MacOS X (a.k.a. Rhapsody or Darwin) setup
"rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown):MACOSX_RHAPSODY::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}::",
-"darwin-ppc-cc","cc:-arch ppc -O3 -DB_ENDIAN -Wa,-force_cpusubtype_ALL::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc32_asm}:osx32:dlfcn:darwin-shared:-fPIC -fno-common:-arch ppc -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
-"darwin64-ppc-cc","cc:-arch ppc64 -O3 -DB_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc64_asm}:osx64:dlfcn:darwin-shared:-fPIC -fno-common:-arch ppc64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
-"darwin-i386-cc","cc:-arch i386 -O3 -fomit-frame-pointer -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_INT RC4_CHUNK DES_UNROLL BF_PTR:".eval{my $asm=$x86_asm;$asm=~s/cast\-586\.o//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
-"debug-darwin-i386-cc","cc:-arch i386 -g3 -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_INT RC4_CHUNK DES_UNROLL BF_PTR:${x86_asm}:macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
-"darwin64-x86_64-cc","cc:-arch x86_64 -O3 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$x86_64_asm;$asm=~s/rc4\-[^:]+//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"darwin-ppc-cc","cc:-arch ppc -isysroot \$(OSX_SDK) -O3 -DB_ENDIAN -Wa,-force_cpusubtype_ALL::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc32_asm}:osx32:dlfcn:darwin-shared:-fPIC -fno-common:-arch ppc -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"darwin64-ppc-cc","cc:-arch ppc64 -isysroot \$(OSX_SDK) -O3 -DB_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc64_asm}:osx64:dlfcn:darwin-shared:-fPIC -fno-common:-arch ppc64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"darwin-i386-cc","cc:-arch i386 -isysroot \$(OSX_SDK) -O3 -fomit-frame-pointer -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_INT RC4_CHUNK DES_UNROLL BF_PTR:".eval{my $asm=$x86_asm;$asm=~s/cast\-586\.o//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"debug-darwin-i386-cc","cc:-arch i386 -isysroot \$(OSX_SDK) -g3 -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_INT RC4_CHUNK DES_UNROLL BF_PTR:${x86_asm}:macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"darwin64-x86_64-cc","cc:-arch x86_64 -isysroot \$(OSX_SDK) -O3 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$x86_64_asm;$asm=~s/rc4\-[^:]+//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
"debug-darwin-ppc-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DB_ENDIAN -g -Wall -O::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc32_asm}:osx32:dlfcn:darwin-shared:-fPIC:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
# iPhoneOS/iOS
"iphoneos-cross","llvm-gcc:-O3 -isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK) -fomit-frame-pointer -fno-common::-D_REENTRANT:iOS:-Wl,-search_paths_first%:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
@@ -1624,7 +1624,7 @@
s/^CC=.*$/CC= $cc/;
s/^AR=\s*ar/AR= $ar/;
s/^RANLIB=.*/RANLIB= $ranlib/;
- s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $cc eq "gcc";
+ s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/;
}
s/^CFLAG=.*$/CFLAG= $cflags/;
s/^DEPFLAG=.*$/DEPFLAG=$depflags/;
diff util/domd
--- a/util/domd Fri Dec 05 01:24:16 2014 -0800
+++ b/util/domd Fri Dec 05 01:52:29 2014 -0800
@@ -14,7 +14,7 @@
cp Makefile Makefile.save
# fake the presence of Kerberos
touch $TOP/krb5.h
-if expr "$MAKEDEPEND" : '.*gcc$' > /dev/null; then
+if true ; then # was: if expr "$MAKEDEPEND" : '.*gcc$' > /dev/null; then
args=""
while [ $# -gt 0 ]; do
if [ "$1" != "--" ]; then args="$args $1"; fi
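Review bot: The Configure hunk at 577 adds `-isysroot \$(OSX_SDK)` to every darwin target, but the patch header (the `# - support building with an OS X SDK` line) never states that the make variable OSX_SDK must be supplied by the caller, and the targets give it no default. If OSX_SDK expands to empty, the compiler line presumably becomes `-isysroot -O3 ...`, so cc would take `-O3` as the SDK path and the build fails in a confusing way rather than falling back to the host headers. Add a header line such as `# - the darwin targets require OSX_SDK to be set in the make environment (no default)`. The domd hunk keeps the original condition as `# was: ...`, which makes the relaxation traceable; the MAKEDEPPROG change at the 1624 hunk drops the `if $cc eq "gcc"` guard without the same marker, so `# was: ... if $cc eq "gcc";` on that line would keep the two halves of the "not only gcc" change consistent.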
......@@ -6,8 +6,27 @@
\f0\fs24 \cf0 This package will install Python $FULL_VERSION for Mac OS X $MACOSX_DEPLOYMENT_TARGET for the following architecture(s): $ARCHITECTURES.\
\
\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\pardirnatural
\b \ul Update your version of Tcl/Tk to use IDLE or other Tk applications
\b \cf0 \ul \ulc0 Which installer variant should I use?
\b0 \ulnone \
\
Python.org provides two installer variants for download: one that installs a
\i 64-bit/32-bit Intel
\i0 Python capable of running on
\i Mac OS X 10.6 (Snow Leopard)
\i0 or later; and one that installs a
\i 32-bit-only (Intel and PPC)
\i0 Python capable of running on
\i Mac OS X 10.5 (Leopard)
\i0 or later. This ReadMe was installed with the
\i $MACOSX_DEPLOYMENT_TARGET
\i0 variant. Unless you are installing to an 10.5 system or you need to build applications that can run on 10.5 systems, use the 10.6 variant if possible. There are some additional operating system functions that are supported starting with 10.6 and you may see better performance using 64-bit mode. By default, Python will automatically run in 64-bit mode if your system supports it. Also see
\i Certificate verification and OpenSSL
\i0 below.
\b \ul \
\
Update your version of Tcl/Tk to use IDLE or other Tk applications
\b0 \ulnone \
\
To use IDLE or other programs that use the Tkinter graphical user interface toolkit, you need to install a newer third-party version of the
......@@ -18,16 +37,19 @@ To use IDLE or other programs that use the Tkinter graphical user interface tool
\b \ul \
Installing on OS X 10.8 (Mountain Lion) or later systems\
\ulnone [CHANGED for Python 3.4.2]
\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\pardirnatural
\cf0 \ulnone [CHANGED for Python 3.4.2]
\b0 \
\
As of Python 3.4.2, installer packages from python.org are now compatible with the Gatekeeper security feature introduced in OS X 10.8. Downloaded packages can now be directly installed by double-clicking with the default system security settings. Python.org installer packages for OS X are signed with the Developer ID of the builder, as identified on the download page for this release ({\field{\*\fldinst{HYPERLINK "https://www.python.org/downloads/"}}{\fldrslt https://www.python.org/downloads/}}). To inspect the digital signature of the package, click on the lock icon in the upper right corner of the
As of Python 3.4.2, installer packages from python.org are now compatible with the Gatekeeper security feature introduced in OS X 10.8. Downloaded packages can now be directly installed by double-clicking with the default system security settings. Python.org installer packages for OS X are signed with the Developer ID of the builder, as identified on {\field{\*\fldinst{HYPERLINK "https://www.python.org/downloads/"}}{\fldrslt the download page}} for this release. To inspect the digital signature of the package, click on the lock icon in the upper right corner of the
\i Install Python
\i0 installer window. Refer to Apple\'92s support pages for more information on Gatekeeper ({\field{\*\fldinst{HYPERLINK "http://support.apple.com/kb/ht5290"}}{\fldrslt http://support.apple.com/kb/ht5290}}).\
\i0 installer window. Refer to Apple\'92s support pages for {\field{\*\fldinst{HYPERLINK "http://support.apple.com/kb/ht5290"}}{\fldrslt more information on Gatekeeper}}.\
\
\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\pardirnatural
\b \ul Simplified web-based installs\
\ulnone [NEW for Python 3.4.2]
\b \cf0 \ul Simplified web-based installs\
\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\pardirnatural
\cf0 \ulnone [NEW for Python 3.4.2]
\b0 \
\
With the change to the newer flat format installer package, the download file now has a
......@@ -38,8 +60,9 @@ With the change to the newer flat format installer package, the download file no
\
\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\pardirnatural
\b \cf0 \ul \ulc0 New Installation Options and Defaults\
\ulnone [NEW for Python 3.4.0]
\b \cf0 \ul New Installation Options and Defaults\
\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\pardirnatural
\cf0 \ulnone [NEW for Python 3.4.0]
\b0 \
\
The Python installer now includes an option to automatically install or upgrade
......@@ -68,8 +91,65 @@ To make it easier to use scripts installed by third-party Python packages, with
\
For other changes in this release, see the Release Notes link for this release at {\field{\*\fldinst{HYPERLINK "https://www.python.org/downloads/"}}{\fldrslt https://www.python.org/downloads/}}.\
\
\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\pardirnatural
\b \cf0 \ul Certificate verification and OpenSSL\
\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\pardirnatural
\cf0 \ulnone [CHANGED for Python 3.4.3]
\b0 \
\
Python 3.4.3 includes a number of network security enhancements that have been approved for inclusion in Python 3.4 maintenance releases. {\field{\*\fldinst{HYPERLINK "https://www.python.org/dev/peps/pep-0476/"}}{\fldrslt PEP 476}} changes several standard library modules, like
\i httplib
\i0 ,
\i urllib
\i0 , and
\i xmlrpclib
\i0 , to by default verify certificates presented by servers over secure (TLS) connections. The verification is performed by the OpenSSL libraries that Python is linked to. Prior to 3.4.3, the python.org installers dynamically linked with Apple-supplied OpenSSL libraries shipped with OS X. OS X provides a multiple level security framework that stores trust certificates in system and user keychains managed by the
\i Keychain Access
\i0 application and the
\i security
\i0 command line utility.\
\
For OS X 10.5, Apple provides
\i OpenSSL 0.9.7
\i0 libraries. This version of Apple's OpenSSL
\b does not
\b0 use the certificates from the system security framework, even when used on newer versions of OS X. Instead it consults a traditional OpenSSL concatenated certificate file (
\i cafile
\i0 ) or certificate directory (
\i capath
\i0 ), located in
\f1 /System/Library/OpenSSL
\f0 . These directories are typically empty and not managed by OS X; you must manage them yourself or supply your own SSL contexts. OpenSSL 0.9.7 is obsolete by current security standards, lacking a number of important features found in later versions. Among the problems this causes is the inability to verify higher-security certificates now used by python.org services, including
\i t{\field{\*\fldinst{HYPERLINK "https://pypi.python.org/pypi"}}{\fldrslt he Python Package Index, PyPI}}
\i0 . To solve this problem, as of 3.4.3 the
\i 10.5+ 32-bit-only python.org variant
\i0 is linked with a private copy of
\i OpenSSL 1.0.1j
\i0 ; it consults the same default certificate directory,
\f1 /System/Library/OpenSSL
\f0 . As before, it is still necessary to manage certificates yourself when you use this Python variant and, with certificate verification now enabled by default, you may now need to take additional steps to ensure your Python programs have access to CA certificates you trust. If you use this Python variant to build standalone applications with third-party tools like {\field{\*\fldinst{HYPERLINK "https://pypi.python.org/pypi/py2app/"}}{\fldrslt
\f1 py2app}}, you may now need to bundle CA certificates in them or otherwise supply non-default SSL contexts.\
\
For OS X 10.6+, Apple also provides
\i OpenSSL
\i0
\i 0.9.8 libraries
\i0 . Apple's 0.9.8 version includes an important additional feature: if a certificate cannot be verified using the manually administered certificates in
\f1 /System/Library/OpenSSL
\f0 , the certificates managed by the system security framework In the user and system keychains are also consulted (using Apple private APIs). For this reason, for 3.4.3 the
\i 64-bit/32-bit 10.6+ python.org variant
\i0 continues to be dynamically linked with Apple's OpenSSL 0.9.8 since it was felt that the loss of the system-provided certificates and management tools outweighs the additional security features provided by newer versions of OpenSSL. This will likely change in future releases of the python.org installers as Apple has deprecated use of the system-supplied OpenSSL libraries. If you do need features from newer versions of OpenSSL, there are third-party OpenSSL wrapper packages available through
\i PyPI
\i0 .\
\
The bundled
\f1 pip
\f0 included with 3.4.3 has its own default certificate store for verifying download connections.\
\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\pardirnatural
\b \ul Python 3 and Python 2 Co-existence\
\b \cf0 \ul \
Python 3 and Python 2 Co-existence\
\b0 \ulnone \
Python.org Python $VERSION and 2.7.x versions can both be installed on your system and will not conflict. Command names for Python 3 contain a 3 in them,
......@@ -96,7 +176,5 @@ Python.org Python $VERSION and 2.7.x versions can both be installed on your syst
\f1 idle2.7
\f0 or
\f1 idle
\f0 ), etc. If you want to use
\f1 pip
\f0 with Python 2.7.x, download and install a separate copy of it from the Python Package Index ({\field{\*\fldinst{HYPERLINK "https://pypi.python.org/pypi/pip/"}}{\fldrslt https://pypi.python.org/pypi/pip/}}).\
\f0 ), etc.\
}
\ No newline at end of file
This package will install Python $FULL_VERSION for Mac OS X $MACOSX_DEPLOYMENT_TARGET for the following architecture(s): $ARCHITECTURES.
=============================
Update your version of Tcl/Tk to use IDLE or other Tk applications
=============================
To use IDLE or other programs that use the Tkinter graphical user interface toolkit, you need to install a newer third-party version of the Tcl/Tk frameworks. Visit https://www.python.org/download/mac/tcltk/ for current information about supported and recommended versions of Tcl/Tk for this version of Python and of Mac OS X.
=============================
Installing on OS X 10.8 (Mountain Lion) or later systems
[CHANGED for Python 3.4.2]
=============================
As of Python 3.4.2, installer packages from python.org are now compatible with the Gatekeeper security feature introduced in OS X 10.8. Downloaded packages can now be directly installed by double-clicking with the default system security settings. Python.org installer packages for OS X are signed with the Developer ID of the builder, as identified on the download page for this release (https://www.python.org/downloads/). To inspect the digital signature of the package, click on the lock icon in the upper right corner of the Install Python installer window. Refer to Apple’s support pages for more information on Gatekeeper (http://support.apple.com/kb/ht5290).
=============================
Simplified web-based installs
[NEW for Python 3.4.2]
=============================
With the change to the newer flat format installer package, the download file now has a .pkg extension as it is no longer necessary to embed the installer within a disk image (.dmg) container. If you download the Python installer through a web browser, the OS X installer application may open automatically to allow you to perform the install. If your browser settings do not allow automatic open, double click on the downloaded installer file.
=============================
New Installation Options and Defaults
[NEW for Python 3.4.0]
=============================
The Python installer now includes an option to automatically install or upgrade pip, a tool for installing and managing Python packages. This option is enabled by default and no Internet access is required. If you do not want the installer to do this, select the Customize option at the Installation Type step and uncheck the Install or ugprade pip option.
To make it easier to use scripts installed by third-party Python packages, with pip or by other means, the Shell profile updater option is now enabled by default, as has been the case with Python 2.7.x installers. You can also turn this option off by selecting Customize and unchecking the Shell profile updater option. You can also update your shell profile later by launching the Update Shell Profile command found in the /Applications/Python $VERSION folder. You may need to start a new terminal window for the changes to take effect.
For other changes in this release, see the Release Notes link for this release at https://www.python.org/downloads/.
=============================
Python 3 and Python 2 Co-existence
=============================
Python.org Python $VERSION and 2.7.x versions can both be installed on your system and will not conflict. Command names for Python 3 contain a 3 in them, python3 (or python$VERSION), idle3 (or idle$VERSION), pip3 (or pip$VERSION), etc. Python 2.7 command names contain a 2 or no digit: python2 (or python2.7 or python), idle2 (or idle2.7 or idle), etc. If you want to use pip with Python 2.7.x, download and install a separate copy of it from the Python Package Index (https://pypi.python.org/pypi/pip/).
{\rtf1\ansi\ansicpg1252\cocoartf1265\cocoasubrtf210
{\rtf1\ansi\ansicpg1252\cocoartf1343\cocoasubrtf160
\cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;\f1\fmodern\fcharset0 CourierNewPSMT;}
{\colortbl;\red255\green255\blue255;}
\paperw11905\paperh16837\margl1440\margr1440\vieww12200\viewh10880\viewkind0
......@@ -17,16 +17,10 @@
\b0 .\
\
\b NEW for Python 3.4:
\b0 This package now updates your shell profile by default to make $FULL_VERSION the default Python 3 version. This version can co-exist with other installed versions of Python 3 and Python 2. This package also installs a version of
\f1 pip
\f0 , the recommended tool for installing and managing Python packages. Type\
\
\f1 pip3.4 --help
\f0 \
\
for an overview. See the ReadMe file and the Python documentation for more information.\
\b NEW for Python 3.4.3:
\b0 3.4.3 includes network security enhancements that may require changes to your Python applications. See the
\f1 ReadMe
\f0 file and {\field{\*\fldinst{HYPERLINK "https://docs.python.org/3/whatsnew/3.4.html#changed-in-3-4-3"}}{\fldrslt the Python documentation}} for more information.\
\
\b IMPORTANT:
......@@ -246,6 +246,8 @@ Build
- Issue #17219: Add library build dir for Python extension cross-builds.
- Issue #17128: Use private version of OpenSSL for 2.7.9 OS X 10.5+ installer.
Documentation
-------------