Opened 9 years ago

Closed 9 years ago

Last modified 7 years ago

#66 closed defect (fixed)

install requires pyOpenSSL (for secure mode)

Reported by: zooko Owned by: warner
Priority: major Milestone: 0.2.8
Component: packaging Version: 0.2.5
Keywords: Cc:


Using easy_install to install foolscap with its ability to have secure connections fails because foolscap doesn't declare its dependency on pyOpenSSL, although it does declare its dependency on twisted:

We could define, in setuptools terms an "extra" feature of foolscap, which is secure connections.

This could be expressed in the as something like this:

extras_require = {
        'secure_connections':  ["pyOpenSSL>=0.6"],

However it might be better to simply make foolscap always require pyOpenSSL (and for that matter it might be better to make it always create and use secure connections). This idea in the general case has been persuasively advocated by Ian Grigg: There Is Only One Mode And It Is Secure..

In order to do that, of course, we simply need add "pyOpenSSL >= 0.6" to the list of install_requires in the

Change History (8)

comment:1 Changed 9 years ago by warner

It will take me some time to decide whether Foolscap will require pyOpenSSL unconditionally. While I agree with your and Ian's philosophy, there are users of foolscap who have preferred to not use crypto for various reasons, and I need to make sure I respect their interests (or convince them otherwise).

Adding it as an 'extras' seems feasible in the shorter term. If you want this for Tahoe #438, it sounds like we need a new Foolscap release at least a couple of days before the Tahoe release, which means this change needs to be in, like, yesterday.

comment:2 Changed 9 years ago by warner

  • Milestone changed from undecided to 0.2.8

comment:3 Changed 9 years ago by zooko

Note that because of -- , you might want to require a version of pyOpenSSL not == 0.7, which would be expressed.

extras_require = {
        'secure_connections':  ["pyOpenSSL>=0.6,!=0.6"],

comment:4 Changed 9 years ago by zooko

Whoops, that should have said:

extras_require = {
        'secure_connections':  ["pyOpenSSL>=0.6,!=0.7"],

comment:5 Changed 9 years ago by zooko

Now that (funny permission bits in pyOpenSSL-0.6.tar.gz confuse is resolved, people who use easy_install or setuptools (including the default process to install Tahoe from source) will be able to resolve the dependency on pyOpenSSL.

Currently, they will do this by getting pyOpenSSL v0.6, and in the future when a new pyOpenSSL is released, they will get that.

Hm. This means that if the pyOpenSSL maintainers release a new version of pyOpenSSL with a version number higher than 0.6 and not equal to 0.7, and if that new version still has this bug in it, then this bug will start hitting us again. Hm. Weird packaging issue.

I guess for the moment we are going to bet that the pyOpenSSL maintainers won't do that. I suppose the alternative is to require pyOpenSSL == 0.6, so that people can't conveniently use foolscap with a newer pyOpenSSL until Brian releases a new foolscap that loosens that requirement.

comment:6 Changed 9 years ago by zooko

Hm. Actually writing "pyOpenSSL>=0.6,!=0.7" is incorrect.

Newer version of pyOpenSSL can come out which are unchanged with respect to this issue. Newer versions of Twisted, on the other hand, will hopefully fix this issue.

Since setuptools doesn't allow the expression of disjunctions of requirements, the only correct answer for now is "pyOpenSSL==0.6".

Here is a wishlist ticket for setuptools to support more expressive requirements: (wish: more expressive requirements)

comment:7 Changed 9 years ago by warner

  • Owner set to warner
  • Status changed from new to assigned

I'm going to declare an "extras" dependency on pyOpenSSL (unversioned), because:

  • pyOpenSSL 0.6 basically works, it just causes unit test failures (the #62 bug only affects waiting for connection shutdown, which is pretty rare in actual application code)
  • debian/sid has pyOpenSSL 0.7 now, and is likely to until upstream makes a new release with a fix, and if foolscap refuses to run with 0.7 then those debian systems (on which the admins haven't pinned 0.6 in place) will unnecessarily fail

When pyOpenSSL 0.8 is in debian, I'll revisit the dependency declaration to make it avoid 0.7 .

comment:8 Changed 9 years ago by warner

  • Resolution set to fixed
  • Status changed from assigned to closed

done, in [62845f6621c42e1dd666023b17d82a3756a17278].

I've opened a new ticket to consider whether foolscap should unconditionally require pyOpenSSL: #67.

Note: See TracTickets for help on using tickets.