install requires pyOpenSSL (for secure mode)

It will take me some time to decide whether Foolscap will require pyOpenSSL unconditionally. While I agree with your and Ian's philosophy, there are users of foolscap who have preferred to not use crypto for various reasons, and I need to make sure I respect their interests (or convince them otherwise).

Adding it as an 'extras' seems feasible in the shorter term. If you want this for Tahoe #438, it sounds like we need a new Foolscap release at least a couple of days before the Tahoe release, which means this change needs to be in, like, yesterday.

Note that because of http://twistedmatrix.com/trac/ticket/3218 -- http://allmydata.org/trac/tahoe/ticket/402 , you might want to require a version of pyOpenSSL not == 0.7, which would be expressed.

extras_require = {
        'secure_connections':  ["pyOpenSSL>=0.6,!=0.6"],
}

Whoops, that should have said:

extras_require = {
        'secure_connections':  ["pyOpenSSL>=0.6,!=0.7"],
}

Now that https://bugs.launchpad.net/pyopenssl/+bug/236190 (funny permission bits in pyOpenSSL-0.6.tar.gz confuse tarfile.py) is resolved, people who use easy_install or setuptools (including the default process to install Tahoe from source) will be able to resolve the dependency on pyOpenSSL.

Currently, they will do this by getting pyOpenSSL v0.6, and in the future when a new pyOpenSSL is released, they will get that.

Hm. This means that if the pyOpenSSL maintainers release a new version of pyOpenSSL with a version number higher than 0.6 and not equal to 0.7, and if that new version still has this bug in it, then this bug will start hitting us again. Hm. Weird packaging issue.

I guess for the moment we are going to bet that the pyOpenSSL maintainers won't do that. I suppose the alternative is to require pyOpenSSL == 0.6, so that people can't conveniently use foolscap with a newer pyOpenSSL until Brian releases a new foolscap that loosens that requirement.

Hm. Actually writing "pyOpenSSL>=0.6,!=0.7" is incorrect.

Newer version of pyOpenSSL can come out which are unchanged with respect to this issue. Newer versions of Twisted, on the other hand, will hopefully fix this issue.

Since setuptools doesn't allow the expression of disjunctions of requirements, the only correct answer for now is "pyOpenSSL==0.6".

Here is a wishlist ticket for setuptools to support more expressive requirements:

http://bugs.python.org/setuptools/issue22 (wish: more expressive requirements)

I'm going to declare an "extras" dependency on pyOpenSSL (unversioned), because:

• pyOpenSSL 0.6 basically works, it just causes unit test failures (the #62 bug only affects waiting for connection shutdown, which is pretty rare in actual application code)
• debian/sid has pyOpenSSL 0.7 now, and is likely to until upstream makes a new release with a fix, and if foolscap refuses to run with 0.7 then those debian systems (on which the admins haven't pinned 0.6 in place) will unnecessarily fail

When pyOpenSSL 0.8 is in debian, I'll revisit the dependency declaration to make it avoid 0.7 .

done, in [9e8a43ae8550221b0c561bee04a67056e62a8c21].

I've opened a new ticket to consider whether foolscap should unconditionally require pyOpenSSL: #67.