From patrick at DREKER.DE  Mon Feb  6 03:08:08 2006
From: patrick at DREKER.DE (Patrick Dreker)
Date: Mon, 6 Feb 2006 03:08:08 +0100
Subject: [PYTHON-CRYPTO] m2crypto version confusion
Message-ID: <43E6AF88.5040500@dreker.de>

Hello...

I am looking into packaging m2crypto and I am slightly confused about
the current version. http://sandbox.rulemaker.net/ngps/m2/ which looks
like the official homepage has version 0.13 and a patch for 0.13.1 and
calls that the "latest release".

http://wiki.osafoundation.org/bin/view/Projects/MeTooCrypto on the other
hand has a 0.15 tarball, which is declared the current release...

So just to clarify the situation: Which version is the latest released
version? Is 0.15 a devel snapshot, or is it really a release?

Thanks in advance,
Patrick


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/python-crypto/attachments/20060206/8138d0a1/attachment.pgp>

From guido at PYTHON.ORG  Mon Feb  6 04:07:39 2006
From: guido at PYTHON.ORG (Guido van Rossum)
Date: Sun, 5 Feb 2006 19:07:39 -0800
Subject: [PYTHON-CRYPTO] m2crypto version confusion
In-Reply-To: <43E6AF88.5040500@dreker.de>
References: <43E6AF88.5040500@dreker.de>
Message-ID: <ca471dc20602051907w4e4fbfe1u23d0ff02c57888ea@mail.gmail.com>

Amen. I really wish somebody made the time to pack up a proper release
rather than pointing people to svn or snapshot tarballs. (FWIW, I've
used 0.15, and AFAICT it's of release quality, fixing many of the
issues with 0.13.)

Oh, BTW, 0.13.1 is a bogus patch. It introduces a bug that happens to
changes the behavior in such a way that a certain memory leak no
longer occurs -- but it breaks a feature that works in 0.13. 0.15
solves both IIRC.

ISTM that M2Crypto's original author has lost interest or at least has no time.

--Guido

On 2/5/06, Patrick Dreker <patrick at dreker.de> wrote:
> Hello...
>
> I am looking into packaging m2crypto and I am slightly confused about
> the current version. http://sandbox.rulemaker.net/ngps/m2/ which looks
> like the official homepage has version 0.13 and a patch for 0.13.1 and
> calls that the "latest release".
>
> http://wiki.osafoundation.org/bin/view/Projects/MeTooCrypto on the other
> hand has a 0.15 tarball, which is declared the current release...
>
> So just to clarify the situation: Which version is the latest released
> version? Is 0.15 a devel snapshot, or is it really a release?
>
> Thanks in advance,
> Patrick
>
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFD5qzQcERm2vzC96cRArYJAJ9ZeNHiKXieu115nXTfhXFWC0cYYACghRb0
> 7Whrbyn4O7YMU4gTYdI05k8=
> =x3NF
> -----END PGP SIGNATURE-----
>
>
>


--
--Guido van Rossum (home page: http://www.python.org/~guido/)


From heikki at OSAFOUNDATION.ORG  Mon Feb  6 19:54:42 2006
From: heikki at OSAFOUNDATION.ORG (Heikki Toivonen)
Date: Mon, 6 Feb 2006 10:54:42 -0800
Subject: [PYTHON-CRYPTO] m2crypto version confusion
In-Reply-To: <ca471dc20602051907w4e4fbfe1u23d0ff02c57888ea@mail.gmail.com>
References: <43E6AF88.5040500@dreker.de>
            <ca471dc20602051907w4e4fbfe1u23d0ff02c57888ea@mail.gmail.com>
Message-ID: <43E79B72.9040301@osafoundation.org>

Guido van Rossum wrote:
> Amen. I really wish somebody made the time to pack up a proper release
> rather than pointing people to svn or snapshot tarballs. (FWIW, I've
> used 0.15, and AFAICT it's of release quality, fixing many of the
> issues with 0.13.)

Originally I only had 0.15 svn information 'cos I assumed Ng would put
it up on the official M2Crypto homepage. He hasn't, and there were
requests for a 0.15 tarball which I did a few months ago. You can find
it from http://wiki.osafoundation.org/bin/view/Projects/MeTooCrypto

> ISTM that M2Crypto's original author has lost interest or at least has no time.

Yeah, Ng hasn't done any M2Crypto work since 0.13.1 so it seems I've
become the de facto maintainer. I don't have access to Ng's page, so
this sort of means that
http://wiki.osafoundation.org/bin/view/Projects/MeTooCrypto has also
become the de facto M2Crypto homepage.

-- 
  Heikki Toivonen


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 249 bytes
Desc: OpenPGP digital signature
URL: <http://mail.python.org/pipermail/python-crypto/attachments/20060206/894a204a/attachment.pgp>

From heikki at OSAFOUNDATION.ORG  Tue Feb 14 00:41:18 2006
From: heikki at OSAFOUNDATION.ORG (Heikki Toivonen)
Date: Mon, 13 Feb 2006 15:41:18 -0800
Subject: [PYTHON-CRYPTO] M2Crypto 0.16 mini-roadmap proposal
Message-ID: <43F1191E.9030603@osafoundation.org>

I think it would be time to start thinking about what the next M2Crypto
release should look like. There are a few patches with some new features
that are also waiting for checkins already, and there are some ideas for
more stuff as well.

Some of the new features that are waiting checkin depend on OpenSSL 0.9.8.

There are also a bunch of cleanup work that could be done if support for
older Python and SWIG versions were dropped.

Therefore I think M2Crypto 0.16 should require:
  * OpenSSL 0.9.8 or newer
  * Python 2.3 or newer
  * SWIG (not sure what yet)

The 0.15 branch would naturally remain available for older versions of
those, and if there is demand/need maintenance releases could be made to
fix security issues and the like.

As for timeline, a release sometime next summer (ideally sooner if
possible) would be my goal.

-- 
  Heikki Toivonen


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 249 bytes
Desc: OpenPGP digital signature
URL: <http://mail.python.org/pipermail/python-crypto/attachments/20060213/8857f6ea/attachment.pgp>

From guido at PYTHON.ORG  Tue Feb 14 00:45:40 2006
From: guido at PYTHON.ORG (Guido van Rossum)
Date: Mon, 13 Feb 2006 15:45:40 -0800
Subject: [PYTHON-CRYPTO] M2Crypto 0.16 mini-roadmap proposal
In-Reply-To: <43F1191E.9030603@osafoundation.org>
References: <43F1191E.9030603@osafoundation.org>
Message-ID: <ca471dc20602131545v6f989a5mfdd3aaf91ce63b52@mail.gmail.com>

Is it really necessary to require such a recent OpenSSL version?

How about conditionally compiling the parts that don't work with older
OpenSSL versions?

If you already have an OpenSSL version installed it's rather a pain to
upgrade it -- somehow OpenSSL is a beast.

--Guido

On 2/13/06, Heikki Toivonen <heikki at osafoundation.org> wrote:
> I think it would be time to start thinking about what the next M2Crypto
> release should look like. There are a few patches with some new features
> that are also waiting for checkins already, and there are some ideas for
> more stuff as well.
>
> Some of the new features that are waiting checkin depend on OpenSSL 0.9.8.
>
> There are also a bunch of cleanup work that could be done if support for
> older Python and SWIG versions were dropped.
>
> Therefore I think M2Crypto 0.16 should require:
>   * OpenSSL 0.9.8 or newer
>   * Python 2.3 or newer
>   * SWIG (not sure what yet)
>
> The 0.15 branch would naturally remain available for older versions of
> those, and if there is demand/need maintenance releases could be made to
> fix security issues and the like.
>
> As for timeline, a release sometime next summer (ideally sooner if
> possible) would be my goal.
>
> --
>   Heikki Toivonen
>
>
>
>
>


--
--Guido van Rossum (home page: http://www.python.org/~guido/)


From MKRodriguez at LBL.GOV  Tue Feb 14 19:43:14 2006
From: MKRodriguez at LBL.GOV (Matt Rodriguez)
Date: Tue, 14 Feb 2006 10:43:14 -0800
Subject: [PYTHON-CRYPTO] M2Crypto 0.16 mini-roadmap proposal
In-Reply-To: <43F1191E.9030603@osafoundation.org>
References: <43F1191E.9030603@osafoundation.org>
Message-ID: <43F224C2.6020100@lbl.gov>

Heikki Toivonen wrote:

I think we should require SWIG version  1.3.24 or newer(The latest 
version 1.3.28). They were a lot of changes
between version 1.3.23 an d 1.3.24, which could make supporting older 
versions difficult.
I've made this a requirement for one of my projects.

I think we should have M2Crypto work with OpenSSL 0.9.7 and newer. We've 
already done
a lot of the work to make M2Crypto to work with 0.9.7 and 0.9.8 
versions. So I think it is worth the
effort and I believe that the cvs code compiles with 0.9.7 and 0.9.8 
versions.

Python 2.3 or newer seems like a reasonable requirement.

Matt Rodriguez

> I think it would be time to start thinking about what the next M2Crypto
> release should look like. There are a few patches with some new features
> that are also waiting for checkins already, and there are some ideas for
> more stuff as well.
>
> Some of the new features that are waiting checkin depend on OpenSSL 0.9.8.
>
> There are also a bunch of cleanup work that could be done if support for
> older Python and SWIG versions were dropped.
>
> Therefore I think M2Crypto 0.16 should require:
>   * OpenSSL 0.9.8 or newer
>   * Python 2.3 or newer
>   * SWIG (not sure what yet)
>
> The 0.15 branch would naturally remain available for older versions of
> those, and if there is demand/need maintenance releases could be made to
> fix security issues and the like.
>
> As for timeline, a release sometime next summer (ideally sooner if
> possible) would be my goal.
>
>   


From heikki at OSAFOUNDATION.ORG  Tue Feb 14 19:23:12 2006
From: heikki at OSAFOUNDATION.ORG (Heikki Toivonen)
Date: Tue, 14 Feb 2006 10:23:12 -0800
Subject: [PYTHON-CRYPTO] M2Crypto 0.16 mini-roadmap proposal
In-Reply-To: <ca471dc20602131545v6f989a5mfdd3aaf91ce63b52@mail.gmail.com>
References: <43F1191E.9030603@osafoundation.org>
            <ca471dc20602131545v6f989a5mfdd3aaf91ce63b52@mail.gmail.com>
Message-ID: <43F22010.9030608@osafoundation.org>

Guido van Rossum wrote:
> Is it really necessary to require such a recent OpenSSL version?
> 
> How about conditionally compiling the parts that don't work with older
> OpenSSL versions?

That's certainly possible, but I was hoping I could avoid that.
Currently all of M2Crypto functionality is available regardless of
OpenSSL version. If we go this route, we will have to document things
that only work with OpenSSL 0.9.8 and newer.

Also, I am not sure which is the best way to implement things on Python
side that depends on stuff that is only compiled with OpenSSL 0.9.8.
Implement the method, and rely on Python automatically raising an
exception if the OpenSSL function doesn't exist? Protect OpenSSL 0.9.8
only constructs with if statements in Python code so that they won't
even be visible if an older version of OpenSSL was used? Something else?
i.e.:

foo():
  m2.some_openssl_098_function()

or

if m2.opensslversion >= 098:
  foo():
    m2.some_openssl_098_function()

or

???

-- 
  Heikki Toivonen


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 249 bytes
Desc: OpenPGP digital signature
URL: <http://mail.python.org/pipermail/python-crypto/attachments/20060214/5db1a58d/attachment.pgp>

From guido at PYTHON.ORG  Tue Feb 14 20:24:19 2006
From: guido at PYTHON.ORG (Guido van Rossum)
Date: Tue, 14 Feb 2006 11:24:19 -0800
Subject: [PYTHON-CRYPTO] M2Crypto 0.16 mini-roadmap proposal
In-Reply-To: <43F22010.9030608@osafoundation.org>
References: <43F1191E.9030603@osafoundation.org>
            <ca471dc20602131545v6f989a5mfdd3aaf91ce63b52@mail.gmail.com>
            <43F22010.9030608@osafoundation.org>
Message-ID: <ca471dc20602141124r57d7dc4bme2a8f2d91405a24b@mail.gmail.com>

On 2/14/06, Heikki Toivonen <heikki at osafoundation.org> wrote:
> Guido van Rossum wrote:
> > How about conditionally compiling the parts that don't work with older
> > OpenSSL versions?
>
> That's certainly possible, but I was hoping I could avoid that.
> Currently all of M2Crypto functionality is available regardless of
> OpenSSL version. If we go this route, we will have to document things
> that only work with OpenSSL 0.9.8 and newer.

I think that's reasonable. Python does the same thing with its os
module and other os-specific code. Users who are currently using
OpenSSL 0.9.7 may want to upgrade to a newer M3Crypto just to get
bugfixes; but they don't need the new 0.9.8 functionality and forcing
them to upgrade is a pain (and will reduce acceptance of the new
M2Crypto). Also it will make it harder to distribute code that depends
on M2Crypto -- the users installing it won't want to upgrade OpenSSL
(which can be a lot of work, and could break dependencies of other
apps that requires 0.9.7).

> Also, I am not sure which is the best way to implement things on Python
> side that depends on stuff that is only compiled with OpenSSL 0.9.8.
> Implement the method, and rely on Python automatically raising an
> exception if the OpenSSL function doesn't exist?

As long that's safe (won't dump core), I'm fine with that. The C
extension presumably could have a stub that raises an exception with
an explanatory error message, e.g. "You need OpenSSL 0.9.8 or newer to
use function XYZZY". (Being specific about the function/method that's
missing is helpful.)

> Protect OpenSSL 0.9.8
> only constructs with if statements in Python code so that they won't
> even be visible if an older version of OpenSSL was used?

That's another reasonable alternative; then an app can query the
presence of certain attributes to determine whether it can provide
optional functionality that only works with OpenSSL 0.9.8. (I would
also add a way to query the full version of the underlying OpenSSL
library, if it's not already there.)

>  Something else?
> i.e.:
>
> foo():
>   m2.some_openssl_098_function()

Fine.

> or
>
> if m2.opensslversion >= 098:

Apart from the problem with octal numbers containing 8 and 9 :-), I'd
rather code this as

  if hasattr(m2, "some_openssl_098_function"):

>   foo():
>     m2.some_openssl_098_function()
>
> or
>
> ???

I guess I suggested the something else: check hasattr instead of
version number. :-)

--
--Guido van Rossum (home page: http://www.python.org/~guido/)