So I presume then that python2.7 in Debian works flawlessly with OpenSSL 3.0.0, no regressions, no security issues and no ABI problems, right?

On Thu, Jun 30, 2022 at 5:13 PM Robbie Harwood <rharwood@redhat.com> wrote:
Charalampos Stratakis <cstratak@redhat.com> writes:

> Unfortunately that effort is moot, it's really not possible to make
> python2.7 compatible with OpenSSL 3.0.0, I mean even the latest Python
> versions are not 100% compatible for various reasons.
>
> In trying to make it compatible there are also ABI changes introduced,
> it's not only about having the tests pass. The ssl module is already
> complex enough in backporting changes from the master Python branch to
> previous 3.x versions, doing that for 2.7 without a full-fledged
> effort from SSL and the Python C API experts guarantees there's gonna
> be regressions. And that's not even taking into account the security
> implications of randomly cherry-picking commits just to have the
> package compile.

I'm having trouble understanding this because Debian seems to have
carried out what you're saying is impossible: in testing, they ship a
python2.7 that appears to be using openssl 3, and do not ship openssl
1.1 at all.  There are also a handful of clearly openssl 3-related
patches in their tree
https://salsa.debian.org/cpython-team/python2/-/tree/master/debian/patches

Have folks looked at how they do this, and whether we could adapt it to
Fedora?

Be well,
--Robbie


--
Regards,

Charalampos Stratakis
Senior Software Engineer
Python Maintenance Team, Red Hat