[Cryptography-dev] Ancient OpenSSL Support

alexs alexs at prol.etari.at
Mon Mar 10 09:13:55 CET 2014


I think we should ship it but document that we *require* OpenSSL 0.9.8e 
and deny all knowledge of any earlier versions. It really has to be made 
very explicit that we do not support and can not test versions earlier 
than RedHat EL 5 if we do accept this.

If we end up breaking it in future and someone feels like sending us an 
equally small PR I think we should also accept that. I am entirely OK 
with us providing zero guarantees about this functionality but still 
accepting fixes for it.

The whole 0.9.8 ABI is pretty stable. It's mostly because we compile 
from source that we have problems on Linux, so I expect most of the 
changes required to keep 0.9.8b working will be similarly simple but 
tedious conditional binding things.

If we in future decide to drop support for an older OpenSSL I think we 
should just drop all of 0.9.8 at once, but I guess that's a discussion 
for a different thread.

On 09.03.2014 21:51, Paul Kehrer wrote:

> A user filed an issue today asking us to support 0.9.8b
> (https://github.com/pyca/cryptography/issues/727#issuecomment-37133554),
> which shipped in Fedora 8 (apparently used by http://www.planet-lab.org).
> The patch is actually very small, but we don't have CI coverage for any
> distribution using OpenSSL that ancient (Fedora 8 was released 7 years
> ago and has been out of support for over 5). I'm also concerned that this
> sets a precedent where we'll have difficulty *ever* removing support for
> an OpenSSL version (and the 0.9.8e patches would be very nice to remove
> in a few years).
>
> So, what do we want to do here? I'm -1 on landing it and claiming it as
> an officially supported version, but -0.5 on landing it with no
> guarantees of future functionality since we're not testing against it.
>
> On a related note, we should probably document our official minimum
> OpenSSL version somewhere in the docs (currently 0.9.8e).
>
> -Paul

