[pypy-dev] pypy 5.10 release

Nathaniel Smith njs at pobox.com
Wed Jan 3 20:15:54 EST 2018


On Wed, Jan 3, 2018 at 3:51 PM, Alex Gaynor <alex.gaynor at gmail.com> wrote:
> If PyPy releases include a copy of OpenSSL (or LibreSSL) then we need to be
> in the business of issuing new releases whenever upstream has a security
> release, we can't be shipping people OpenSSLs with known security issues.
>
> Of LibreSSL and OpenSSL, I'd choose to ship OpenSSL -- I've found LibreSSL
> fairly frustrating to work with and OpenSSL upstream is considerably cleaned
> up in past years.

None of Linux, Windows, or MacOS provide reasonable pre-existing
OpenSSL installs you can use. So it seems to me that if PyPy's going
to ship any binaries at all and take that seriously, then it's going
to have to ship OpenSSL (or LibreSSL), and do whatever security
updates you all decide make sense.

It's also probably not worth spending a lot of time trying to figure
out how to avoid doing security updates for pypy2 on MacOS, if you're
still going to have to do them for other binaries on other platforms.

-n

-- 
Nathaniel J. Smith -- https://vorpus.org

