libressl 2.7.0 was released on 21 March, and it introduced support for many OpenSSL 1.0.2 and 1.1 APIs. However, this has broken builds of the affected lang/python ports when DEFAULT_VERSIONS contains ssl=libressl-devel (currently). Both the OpenBSD ports team and upstream have tracked this issue separately. OpenBSD has patched their ports tree [1], but when applied here, their patch breaks builds for both ssl=openssl and ssl=openssl-devel. Meanwhile, upstream will not release their patch until libressl 2.7.1 is released. Thus, this PR mainly exists to coordinate downstream patching efforts until upstream releases something. [1] http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/lang/python/2.7/patches/patch-Modules__ssl_c?rev=1.6&content-type=text/x-cvsweb-markup and http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/lang/python/3.6/patches/patch-Modules__ssl_c?rev=1.2&content-type=text/x-cvsweb-markup
Upstream has released patches. Putting them in Phabricator in a bit.
Thank you for your report Charlie, Could you confirm/clarify some points that might be slightly ambiguous: - Is D14837 the same as the OpenBSD patches, or different, fixing "both ssl=openssl and ssl=openssl-devel" build failures referenced in comment 0? - In D14837, Does "Fails otherwise" mean the same as "breaks both ssl=openssl and ssl=openssl-devel" as referenced in comment 0 here, or some other subset/combination? - I interpreted 'upstream' in 'upstream will not release their patch' to mean Python (waiting for libressl upstream to 'release' before committing code). Is this correct? An explicit/accurate/complete list of what succeeds/fails would be super handy to figure out where/what needs work from here: From the standpoint of Python (team) and python ports, we'd ideally like to take changesets from upstream after they're committed and backported there. We're happy to carry local patches prior to next point releases in each branch. If we can confidently get to the point where we have a candidate changeset with thorough QA passing and no regressions, we can consider landing it early (before upstream (Python)). For clarity purposes, if the changeset in D14837 is incomplete (in that it regresses certain ssl combinations), then it should be abandoned in favour of a 'work in progress' patch here for someone (Bernard, CC'd, is the point on libressl things) to review and improve upon. At the point where a QA passing/complete patch is ready, we can put it back up on Phabricator for broader review, if necessary beyond here.
Upstream refers to the Python project themselves, not OpenBSD. The stuff on Phabricator came directly from them. "Fails otherwise" referred to earlier testport runs of mine where ccache interfered with proper testing, ie used a cached copy with wrong symbols when the ssl= value was changed. Disabling ccache fixed this, and all ssl= values work. So everything succeeds.
Builds with amd64 2.7 https://keg.brnrd.eu/data/111amd64-default-libressldev/2018-03-25_13h07m22s/logs/python27-2.7.14_1.log 3.6 https://keg.brnrd.eu/data/111amd64-default-libressldev/2018-03-25_11h09m25s/logs/python36-3.6.4.log (borked patch for 3.5)
Bug 227090 updates lang/python36 to 3.6.5. This patch is still needed there, as upstream released 3.6.5rc1 before landing it, thus missing the merge window there.
Landing this after bug 227090 is easier/faster than moving the python36 specific patch to that update. Make this bug block on it.
A commit references this bug: Author: brnrd Date: Sat Apr 28 19:11:14 UTC 2018 New revision: 468566 URL: https://svnweb.freebsd.org/changeset/ports/468566 Log: lang/python27: Fix build with LibreSSL 2.7 PR: 226883 Submitted by: Charlie Li <ml+freebsd vishwin info> Approved by: python (koobs) Differential Revision: https://reviews.freebsd.org/D14837 Changes: head/lang/python27/files/patch-issue33127
A commit references this bug: Author: brnrd Date: Sat Apr 28 19:17:34 UTC 2018 New revision: 468567 URL: https://svnweb.freebsd.org/changeset/ports/468567 Log: lang/python35: Fix build with LibreSSL 2.7 PR: 226883 Submitted by: Charlie Li <ml+freebsd vishwin info> Approved by: python (koobs) Differential Revision: https://reviews.freebsd.org/D14837 Changes: head/lang/python35/files/patch-issue33127
A commit references this bug: Author: brnrd Date: Sat Apr 28 19:30:01 UTC 2018 New revision: 468569 URL: https://svnweb.freebsd.org/changeset/ports/468569 Log: lang/python36: Fix build with LibreSSL 2.7 PR: 226883 Submitted by: Charlie Li <ml+freebsd vishwin info> Approved by: python (koobs) Differential Revision: https://reviews.freebsd.org/D14837 Changes: head/lang/python36/files/patch-issue33127
FYI while python builds with libressl now, py-cryptography does not: https://pkg.andoriyu.xyz/data/live-system-nimble/2018-05-01_10h53m35s/logs/errors/py27-cryptography-2.1.4.log
(In reply to Andrey Cherkashin from comment #10) Please refer to bug 226906.
Assign to committer that resolved.
A commit references this bug: Author: feld Date: Fri May 25 17:46:42 UTC 2018 New revision: 470858 URL: https://svnweb.freebsd.org/changeset/ports/470858 Log: MFH: r468566 r469635 lang/python27: Fix build with LibreSSL 2.7 PR: 226883 Submitted by: Charlie Li <ml+freebsd vishwin info> Approved by: python (koobs) Differential Revision: https://reviews.freebsd.org/D14837 - Update to 2.7.15(include security fix) PR: 228028 Submitted by: wen@(myself) Exp-run by: antoine@ Changes: _U branches/2018Q2/ branches/2018Q2/lang/python-doc-html/distinfo branches/2018Q2/lang/python27/Makefile branches/2018Q2/lang/python27/Makefile.version branches/2018Q2/lang/python27/distinfo branches/2018Q2/lang/python27/files/patch-issue30622 branches/2018Q2/lang/python27/pkg-plist