gh-123418: Update Android build to use OpenSSL 3.0.15 #123685
Conversation
zware
added
type-security
|
@zware Seen; I'll poke the computermachine to get a new OpenSSL build. As a bigger picture issue, I think it would be desirable to decouple the specific binary versions from the Android sources. This means there's a marginally more complex startup process for new developers as the full set of dependencies won't be auto-downloaded - but "download requirements before building" isn't an especially unusual or onerous requirement for building from source. |
|
Android build of OpenSSL 3.0.15 has been published. |
|
Thanks @zware for the PR 🌮🎉.. I'm working now to backport this PR to: 3.13. |
…-123685) (cherry picked from commit 1fdfce9) Co-authored-by: Zachary Ware <[email protected]>
|
GH-123715 is a backport of this pull request to the 3.13 branch. |
I think it's worth keeping a set of known-good versions in the build script, but it's actually pretty easy to use different ones if you want. All you have to do is create the |
The downside is that every time there's a security update to OpenSSL, there's a need for a patch to the CPython source tree. That's not a huge overhead, but it's busy work that doesn't really need to be done. I've we're going to keep the "auto download" behavior for developer convenience, I'd argue it would be better to replace a static list of "known-good" versions with a mechanism that retrieves the list of available artefacts and looks for the latest one (either by manually probing for predictable URLs, or by hitting the GitHub API and sorting the results). |
Note: this will require an update to https://github.com/beeware/cpython-android-source-deps to add an openssl 3.0.15-0 release before this will actually build. (cc @freakboy3742, @mhsmith)