Bug 260552

Summary: lang/python36: Fails to build & package with security/openssl SSL3=OFF: _ssl.so: Undefined symbol "SSLv3_method"
Product: Ports & Packages
Reporter: John W. O'Brien <john>
Component: Individual Port(s)
Assignee: freebsd-python (Nobody) <python>
Status: Closed Overcome By Events
Severity: Affects Some People
CC: rene, yasu
Priority: ---
Keywords: needs-qa
Version: Latest
Flags: bugzilla: maintainer-feedback? (python), koobs: maintainer-feedback+
Hardware: Any
OS: Any

Description John W. O'Brien 2021-12-19 21:33:06 UTC
When DEFAULT_VERSIONS includes ssl=openssl, and security/openssl has SSL3 UNSET (the default), lang/python36 fails in the package phase with

pkg-static: Unable to access file /wrkdirs/usr/ports/lang/python36/work/stage/usr/local/lib/python3.6/lib-dynload/_ssl.so:No such file or directory

Earlier, in the build phase, the proximate cause is evidenced by:

*** WARNING: renaming "_ssl" since importing it failed: build/lib.freebsd-12.3-RELEASE-amd64-3.6/_ssl.so: Undefined symbol "SSLv3_method"
Comment 1 John W. O'Brien 2021-12-19 21:50:58 UTC
CPython has a preprocessor guard against trying to use SSLv3 when it is not available [0], and security/openssl appears to be correctly advertising the lack of SSLv3 on my system:

% grep "ifndef OPENSSL_NO_SSL3" -A2 /usr/local/include/openssl/opensslconf.h
#ifndef OPENSSL_NO_SSL3
# define OPENSSL_NO_SSL3
#endif
#ifndef OPENSSL_NO_SSL3_METHOD
# define OPENSSL_NO_SSL3_METHOD
#endif

So, not clear why the preprocessor guard is failing.

[0] https://github.com/python/cpython/blob/v3.6.15/Modules/_ssl.c#L2781-L2784
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2021-12-19 23:09:23 UTC
This appears to have been reported here: https://www.mail-archive.com/freebsd-ports@freebsd.org/msg86654.html

Do we know when this regressed in ports? (commit, issue?)

@Yasuhiro Can you advise?
Comment 3 John W. O'Brien 2021-12-20 00:02:13 UTC
For me, this is as of ports/main@7a3cf55 (2021-12-19T18:56:18Z) and lang/python37 through lang/python311 all build successfully against security/openssl with SSL3=OFF. poudriere logs available upon request.
Comment 4 Yasuhiro Kimura freebsd_committer freebsd_triage 2021-12-20 01:11:03 UTC
I tried building lang/python36 on 13.0-RELEASE amd64 with 'DEFAULT_VERSIONS+=ssl=openssl' and the SSL3 option of security/openssl off, and it succeeds, as follows.

https://people.freebsd.org/~yasu/poudriere/data/logs/bulk/130amd64-default-python/2021-12-20_09h55m30s/logs/python36-3.6.15_1.log

What is your OS version and architecture?
Comment 5 John W. O'Brien 2021-12-20 04:13:40 UTC
(In reply to Yasuhiro Kimura from comment #4)

12.3-RELEASE amd64
Comment 6 Yasuhiro Kimura freebsd_committer freebsd_triage 2021-12-20 04:53:58 UTC
(In reply to John W. O'Brien from comment #5)

I tried the build on 12.3-RELEASE amd64 under the same conditions and it succeeds without any error.

https://people.freebsd.org/~yasu/poudriere/data/logs/bulk/123amd64-default-python/2021-12-20_13h45m19s/logs/python36-3.6.15_1.log

Do you have any non-default option settings and/or customization in make.conf other than 'DEFAULT_VERSIONS+=ssl=openssl'?
Comment 7 Bernard Spil freebsd_committer freebsd_triage 2021-12-20 13:17:55 UTC
Doesn't make sense for me to spend time on a port that's about to be removed from the tree.

> DEPRECATED=     Upgrade to a newer Python version. 3.6 is in maintenance status and gets security fixes only. End-of-Life: 2021-12-23. See https://devguide.python.org/#status-of-python-branches
> EXPIRATION_DATE=        2021-12-31
Comment 8 Kubilay Kocak freebsd_committer freebsd_triage 2021-12-20 22:24:19 UTC
(In reply to Bernard Spil from comment #7)

It would be great to leave the port in a non-broken state.

@John Are you able to assist bisecting/investigating commits to >3.6 ports that didn't or weren't applied to 3.6?
Comment 9 John W. O'Brien 2021-12-24 16:29:30 UTC
(In reply to Kubilay Kocak from comment #8)

After removing all but a few non-default settings in make.conf, and updating my ports tree to e903284, I confirmed that lang/python36 builds successfully against security/openssl in a 12.2-RELEASE-p11 jail [0], and fails in a 12.3-RELEASE jail [1].

I will be glad to take a look through the post-3.6 commits to see if anything jumps out, but, like @brnrd, I can't really justify spending much time on this since 3.6 is due for removal. This came up because I was trying to test updates to two ports I maintain against as many of the python versions in the tree as possible.

[0] https://pkg.saltant.net/poudriere/data/122amd64-default-sslport/2021-12-23_21h02m20s/logs/python36-3.6.15_1.log
[1] https://pkg.saltant.net/poudriere/data/123amd64-default-sslport/2021-12-24_10h30m44s/logs/errors/python36-3.6.15_1.log
Comment 10 John W. O'Brien 2021-12-24 18:44:29 UTC
(In reply to John W. O'Brien from comment #9)

The build success on 12.2 is not repeatable. There must have been some kind of caching effect in play (ccache or other).
Comment 11 John W. O'Brien 2021-12-24 19:32:53 UTC
(In reply to John W. O'Brien from comment #10)

After disabling ccache, lang/python36 builds successfully in the 12.2 and 12.3 jails.

See also: bug 234568

# make.conf
# ...
.if ${.CURDIR:M*/lang/python36*}
NOCCACHE=yes
.endif
# ...

Unless there is a way for an individual port to be tagged as intolerant of ccache, I don't think this ticket warrants any more of our attention. I'm not sure whether OBE, duplicate, or some other status would be the most appropriate.
Comment 12 Rene Ladan freebsd_committer freebsd_triage 2021-12-31 13:01:51 UTC
Looks like this has been overcome by events. The port expired today.
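
The cross-check worked out by hand in comments 1, 10 and 11, as an added example that is not part of the original ticket: compare what opensslconf.h advertises with the undefined-symbol warning in the build log. A "mismatch" result means the object was not compiled against the installed headers, which on this ticket was traced to ccache. The function names are hypothetical, and the sample files are constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example (not from the ticket): all function names are hypothetical.

# Succeeds if the header defines OPENSSL_NO_SSL3 or OPENSSL_NO_SSL3_METHOD.
header_disables_sslv3() {
    grep -Eq '^#[[:space:]]*define[[:space:]]+OPENSSL_NO_SSL3(_METHOD)?([[:space:]]|$)' "$1"
}

# Prints "module symbol" for each extension the CPython build renamed
# because importing it failed on an undefined symbol.
failed_imports() {
    sed -n 's/.*WARNING: renaming "\([^"]*\)" since importing it failed:.*Undefined symbol "\([^"]*\)".*/\1 \2/p' "$1"
}

# ok: no SSLv3 import failure in the log.
# mismatch: headers say SSLv3 is absent, yet an object still references it,
#           so the object was not compiled against these headers.
# header-enables-sslv3: headers and library disagree about SSLv3.
diagnose() {
    syms=$(failed_imports "$2" | awk '$2 ~ /^SSLv3_/ { print $1 ":" $2 }')
    if [ -z "$syms" ]; then
        echo "ok"
    elif header_disables_sslv3 "$1"; then
        echo "mismatch $syms"
    else
        echo "header-enables-sslv3 $syms"
    fi
}

# Writes constructed sample files into directory $1.
make_samples() {
    cat > "$1/opensslconf.h" <<'EOF'
#ifndef OPENSSL_NO_SSL3
# define OPENSSL_NO_SSL3
#endif
#ifndef OPENSSL_NO_SSL3_METHOD
# define OPENSSL_NO_SSL3_METHOD
#endif
EOF
    cat > "$1/failed.log" <<'EOF'
building '_ssl' extension
*** WARNING: renaming "_ssl" since importing it failed: build/lib.freebsd-12.3-RELEASE-amd64-3.6/_ssl.so: Undefined symbol "SSLv3_method"
EOF
    printf '%s\n' "building '_ssl' extension" > "$1/clean.log"
}

tmp=$(mktemp -d)
make_samples "$tmp"
diagnose "$tmp/opensslconf.h" "$tmp/failed.log"   # mismatch _ssl:SSLv3_method
rm -rf "$tmp"
```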