Enable vendor C libraries on non-Windows platforms #4835
Conversation
pradyunsg
added
type: enhancement
|
Some history:
@alex in #4142 (comment):
|
|
I'm not sure what has to be done for the point that @alex raised. My intuition is that all of pip's traffic goes through requests which would somehow use the correct user-agent. I've not verified this though. |
pradyunsg
changed the title
pradyunsg
force-pushed
the
vendoring/enable-c-libs
branch
from
c187f2f
to
0a2c524
Compare
pradyunsg
force-pushed
the
vendoring/enable-c-libs
branch
from
0a2c524
to
88924a4
Compare
There was a problem hiding this comment.
Regarding @alex 's ssl-point this would happen here:
pip/src/pip/_internal/download.py
Lines 121 to 122 in fb56eb9
But I'm not sure we want to change that, the openssl version of the ssl module gives an interesting statistic and the openssl version used to actually download packages would be an other one.
|
I think we'd want to expose the version of OpenSSL we're actually using to talk to the internet with, although I'm not sure offhand how to do that with cryptography or how to know if requests is going to use |
|
I came up with something. Relavent lines that make me think this is what we want to do: urllib3/util/ssl_.py:14 |
pradyunsg
force-pushed
the
vendoring/enable-c-libs
branch
from
f4f6fe7
to
0c684a3
Compare
pradyunsg
dismissed
xavfernandez’s stale review
There have since been changes made.
|
What do we want to do about these lines? PS: On MacOS with OpenSSL < 1.0.1, were we posting the wrong version of openssl due to the fact that urllib3 was injected but not actually used? (edit: rephrased as a question) |
🔥 them. (edit: no dum dum me, they stay) |
src/pip/_internal/__init__.py
Outdated
| if (sys.platform == "darwin" and | ||
| ssl.OPENSSL_VERSION_NUMBER < 0x1000100f): # OpenSSL 1.0.1 | ||
| try: | ||
| from pip._vendor.urllib3.contrib import securetransport |
There was a problem hiding this comment.
Why are we removing this? This is needed to support macOS < High Sierra once PyPI is TLSv1.2+.
|
Your most recent commit appears to totally disable SecureTransport -- I don't see any other code which enables it. Am I misreading? |
|
Whoops. I misread the import. :/ |
pradyunsg
force-pushed
the
vendoring/enable-c-libs
branch
from
c61e1b6
to
945196e
Compare
|
Reverted. |
|
Is there anything outstanding on this? |
src/pip/_internal/download.py
Outdated
| @@ -46,11 +48,22 @@ | |||
| from pip._internal.utils.ui import DownloadProgressProvider | |||
| from pip._internal.vcs import vcs | |||
|
|
|||
| # We don't try to import OpenSSL on Windows since that might result in it | |||
| # loading C libraries, which can then not be uninstalled. | |||
| if not WINDOWS: | |||
There was a problem hiding this comment.
It might be a good idea to not duplicate this logic, and instead use the variables that urllib3 sets, see:
https://github.com/shazow/urllib3/blob/master/urllib3/contrib/pyopenssl.py#L109-L118
There was a problem hiding this comment.
orig_util_SSLContext is never None -- https://github.com/shazow/urllib3/blob/master/urllib3/util/ssl_.py#L90
I do think calling _validate_dependencies_met is a good idea.
|
Looks OK to me, one comment about duplicating some logic. |
|
@pradyunsg Are you planning on merging this? There's a minor review commend from @dstufft to consider. |
|
I am. One minute. |
src/pip/_internal/download.py
Outdated
| @@ -119,7 +137,10 @@ def user_agent(): | |||
| data["cpu"] = platform.machine() | |||
|
|
|||
| if HAS_TLS: | |||
| data["openssl_version"] = ssl.OPENSSL_VERSION | |||
| if IS_PYOPENSSL: | |||
| data["openssl_version"] = OpenSSL.SSL.OPENSSL_VERSION_NUMBER | |||
There was a problem hiding this comment.
This is wrong:
>>> import OpenSSL
>>> OpenSSL.SSL.OPENSSL_VERSION_NUMBER
269484175
>>> import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 1.0.2o 27 Mar 2018'
There was a problem hiding this comment.
I actually believe we should roll this back entirely and always send ssl.OPENSSL_VERSION, so the data is consistent. Sending different data in ways that can't be detected in teh database is a bad idea.
There was a problem hiding this comment.
Yea, after talking to Alex I think I agree.
There was a problem hiding this comment.
If there's some way to make a string representation of the version number, would that be fine?
|
No, I think we should always do the ssl module version
…On Fri, Mar 30, 2018, 9:18 AM Pradyun Gedam ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In src/pip/_internal/download.py
<#4835 (comment)>:
> @@ -119,7 +137,10 @@ def user_agent():
data["cpu"] = platform.machine()
if HAS_TLS:
- data["openssl_version"] = ssl.OPENSSL_VERSION
+ if IS_PYOPENSSL:
+ data["openssl_version"] = OpenSSL.SSL.OPENSSL_VERSION_NUMBER
If there's some way to make a string representation of the version number,
would that be fine?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#4835 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAADBBVwUZ_EZoTa-xR2M_s1RLP3O252ks5tjjC4gaJpZM4QR7GI>
.
|
|
Awesome. That'll make this PR much lighter. |
|
@pradyunsg I assume you'll be merging this soon? I'll be cutting the 10.0 beta in about 12 hours (Saturday morning UK time). This and the author cleanup (#5118) are basically the last remaining PRs that I'm expecting to go in to 10.0. |
|
And, yeah, I expect this to be the last thing in pip 10.0 beta (and 10.0 if
there's no issues reported).
I guess I'll have 2 weeks for triaging all the issues once we hit the
freeze. :)
I'm cool if someone else clicks merge on this.
…On Sat, 31 Mar 2018, 02:55 Pradyun Gedam, ***@***.***> wrote:
Just merged the author cleanup after verifying locally.
I'll wait on Alex and Donald for this. I do think this is good to go.
On Sat, 31 Mar 2018, 02:53 Paul Moore, ***@***.***> wrote:
> @pradyunsg <https://github.com/pradyunsg> I assume you'll be merging
> this soon? I'll be cutting the 10.0 beta in about 12 hours (Saturday
> morning UK time).
>
> This and the author cleanup (#5118
> <#5118>) are basically the last
> remaining PRs that I'm expecting to go in to 10.0.
>
> —
> You are receiving this because you were mentioned.
> Reply to this email directly, view it on GitHub
> <#4835 (comment)>, or mute
> the thread
> <https://github.com/notifications/unsubscribe-auth/ADH7SRQm_14uXP7HVdunOHVIuYjKNmb2ks5tjqJLgaJpZM4QR7GI>
> .
>
|
|
Just merged the author cleanup after verifying locally.
I'll wait on Alex and Donald for this. I do think this is good to go.
…On Sat, 31 Mar 2018, 02:53 Paul Moore, ***@***.***> wrote:
@pradyunsg <https://github.com/pradyunsg> I assume you'll be merging this
soon? I'll be cutting the 10.0 beta in about 12 hours (Saturday morning UK
time).
This and the author cleanup (#5118 <#5118>)
are basically the last remaining PRs that I'm expecting to go in to 10.0.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#4835 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/ADH7SRQm_14uXP7HVdunOHVIuYjKNmb2ks5tjqJLgaJpZM4QR7GI>
.
|
|
I'm gonna go offline too. It's 3am. :P
…On Sat, 31 Mar 2018, 03:03 Paul Moore, ***@***.***> wrote:
OK. I'll be offline now until tomorrow morning, so I'll check back on this
PR then. We've had an approval; from @alex <https://github.com/alex> so
once @dstufft <https://github.com/dstufft> approves it, it can go. I can
do the merge if you're not around.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#4835 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/ADH7SbLL3F4ElXGXPQX8RAoL3PCyDbZNks5tjqSfgaJpZM4QR7GI>
.
|
|
👍 @pradyunsg thanks for working this through |
|
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
lock
bot
added
the
auto-locked
Closes #4612 (this is that PR updated)
Closes #4098 (original issue)
Closes #4142 (competing PR)
This essentially allows users with Py <2.7.9 to fix security warnings by upgrading the relevant packages, using pip on non-Windows platforms.