On 2023-05-14, Judah Kocher <[email protected]> wrote: > Some web searching has not turned up any details around this. I also do > not see python 3.9 as an installable option via pkg_add, just 3.10 and > 3.11.
3.9 is still there. > Does this mean that installing python via pkg_add installs a > python version that is incompatible with LibreSSL? 3.10 from packages works well with LibreSSL. There are some small local patches to disable a couple of things which aren't supported and are not at all widely used. Python's policy for 3.10+ is essentially "don't go out of the way to prevent running it with LibreSSL, but don't jump through hoops to make it work". urllib3 is going beyond that and explicitly checking for OpenSSL 1.1.1+ and refusing to run otherwise (including on 3.7-3.9 for which urllib3 claims support). > When I look at the > info for the OpenSSL package it includes this warning: > > This package is not intended for general-purpose use in OpenBSD - it > is present for test/comparison purposes, and occasionally to provide > support for applications which cannot be made compatible with LibreSSL > (mostly due to use of removed APIs); in the latter case care must be > taken - it will conflict if library dependencies use LibreSSL libraries. Essentially: if we built Python using OpenSSL instead of LibreSSL, things would break for any compiled modules linked to libraries which themselves link to LibreSSL's libssl/libcrypto - e.g. including things like py-curl, py-ldap, py-psycopg2, ...) > What would be the best way to resolve this issue? I would guess that > plenty of others are using python with OpenBSD so there must be a > recommended resolution, but I have not found it documented anywhere yet. I'd suggest installing urllib3 from OpenBSD packages instead. If you have some particular requirement to install some version via pip instead, pin to an older (pre 2.x) urllib3 for now. urllib3 seem to be considering relaxing this again (possibly largely thanks to Apple widely distributing a libressl-linked version of Python), https://github.com/urllib3/urllib3/issues/3020#issuecomment-1541523700) - I think that would be the right thing for them to do.
