Charalampos Stratakis <cstratak(a)redhat.com> writes:
Unfortunately that effort is moot, it's really not possible to
make
python2.7 compatible with OpenSSL 3.0.0, I mean even the latest Python
versions are not 100% compatible for various reasons.
In trying to make it compatible there are also ABI changes introduced,
it's not only about having the tests pass. The ssl module is already
complex enough in backporting changes from the master Python branch to
previous 3.x versions, doing that for 2.7 without a full fledged
effort from SSL and the Python C API experts guarantee there's gonna
be regressions. And that's not even taking into account the security
implications of randomly cherry-picking commits just to have the
package compile.
I'm having trouble understanding this because Debian seems to have
carried out what you're saying is impossible: in testing, they ship a
python2.7 that appears to be using openssl 3, and do not ship openssl
1.1 at all. There are also a handful of clearly openssl 3-related
patches in their tree
https://salsa.debian.org/cpython-team/python2/-/tree/master/debian/patches
Have folks looked at how they do this, and whether we could adapt it to
Fedora?
Be well,
--Robbie