From c8659d9fe06f44a7616a0a75269cfbb639a6989a Mon Sep 17 00:00:00 2001 From: Edward Knight Date: Mon, 1 Sep 2025 14:16:46 +0100 Subject: [PATCH 1/6] Add OpenSSL 3.5, build with instead of 3.0 This means all supported Unix platforms (CPython 3.9+), and Windows from CPython 3.11+. This initial attempt copies what we did for OpenSSL 3.0. --- cpython-unix/Makefile | 4 +++ cpython-unix/build-openssl-3.5.sh | 50 +++++++++++++++++++++++++++++++ cpython-unix/build.py | 3 +- cpython-unix/targets.yml | 50 +++++++++++++++---------------- cpython-windows/build.py | 4 +-- pythonbuild/downloads.py | 13 ++++++-- src/verify_distribution.py | 4 +-- 7 files changed, 95 insertions(+), 33 deletions(-) create mode 100755 cpython-unix/build-openssl-3.5.sh diff --git a/cpython-unix/Makefile b/cpython-unix/Makefile index 7e564145..8fdcc94a 100644 --- a/cpython-unix/Makefile +++ b/cpython-unix/Makefile @@ -177,6 +177,9 @@ $(OUTDIR)/openssl-1.1-$(OPENSSL_1.1_VERSION)-$(PACKAGE_SUFFIX).tar: $(PYTHON_DEP $(OUTDIR)/openssl-3.0-$(OPENSSL_3.0_VERSION)-$(PACKAGE_SUFFIX).tar: $(PYTHON_DEP_DEPENDS) $(HERE)/build-openssl-3.0.sh $(RUN_BUILD) --docker-image $(DOCKER_IMAGE_BUILD) openssl-3.0 +$(OUTDIR)/openssl-3.5-$(OPENSSL_3.5_VERSION)-$(PACKAGE_SUFFIX).tar: $(PYTHON_DEP_DEPENDS) $(HERE)/build-openssl-3.5.sh + $(RUN_BUILD) --docker-image $(DOCKER_IMAGE_BUILD) openssl-3.5 + LIBEDIT_DEPENDS = \ $(PYTHON_DEP_DEPENDS) \ $(OUTDIR)/ncurses-$(NCURSES_VERSION)-$(PACKAGE_SUFFIX).tar \ @@ -263,6 +266,7 @@ PYTHON_DEPENDS_$(1) := \ $$(if $$(NEED_NCURSES),$$(OUTDIR)/ncurses-$$(NCURSES_VERSION)-$$(PACKAGE_SUFFIX).tar) \ $$(if $$(NEED_OPENSSL_1_1),$$(OUTDIR)/openssl-1.1-$$(OPENSSL_1.1_VERSION)-$$(PACKAGE_SUFFIX).tar) \ $$(if $$(NEED_OPENSSL_3_0),$$(OUTDIR)/openssl-3.0-$$(OPENSSL_3.0_VERSION)-$$(PACKAGE_SUFFIX).tar) \ + $$(if $$(NEED_OPENSSL_3_5),$$(OUTDIR)/openssl-3.5-$$(OPENSSL_3.5_VERSION)-$$(PACKAGE_SUFFIX).tar) \ $$(if $$(NEED_PATCHELF),$$(OUTDIR)/patchelf-$$(PATCHELF_VERSION)-$$(PACKAGE_SUFFIX).tar) \ $$(if $$(NEED_SQLITE),$$(OUTDIR)/sqlite-$$(SQLITE_VERSION)-$$(PACKAGE_SUFFIX).tar) \ $$(if $$(NEED_TCL),$$(OUTDIR)/tcl-$$(TCL_VERSION)-$$(PACKAGE_SUFFIX).tar) \ diff --git a/cpython-unix/build-openssl-3.5.sh b/cpython-unix/build-openssl-3.5.sh new file mode 100755 index 00000000..952098c5 --- /dev/null +++ b/cpython-unix/build-openssl-3.5.sh @@ -0,0 +1,50 @@ +#!/usr/bin/env bash +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at https://mozilla.org/MPL/2.0/. + +set -ex + +ROOT=`pwd` + +export PATH=${TOOLS_PATH}/${TOOLCHAIN}/bin:${TOOLS_PATH}/host/bin:$PATH + +tar -xf openssl-${OPENSSL_3_5_VERSION}.tar.gz + +pushd openssl-${OPENSSL_3_5_VERSION} + +# Otherwise it gets set to /tools/deps/ssl by default. +case "${TARGET_TRIPLE}" in + *apple*) + EXTRA_FLAGS="--openssldir=/private/etc/ssl" + ;; + *) + EXTRA_FLAGS="--openssldir=/etc/ssl" + ;; +esac + +# musl is missing support for various primitives. +# TODO disable secure memory is a bit scary. We should look into a proper +# workaround. +if [ "${CC}" = "musl-clang" ]; then + EXTRA_FLAGS="${EXTRA_FLAGS} no-async -DOPENSSL_NO_ASYNC -D__STDC_NO_ATOMICS__=1 no-engine -DOPENSSL_NO_SECURE_MEMORY" +fi + +# The -arch cflags confuse Configure. And OpenSSL adds them anyway. +# Strip them. +EXTRA_TARGET_CFLAGS=${EXTRA_TARGET_CFLAGS/\-arch arm64/} +EXTRA_TARGET_CFLAGS=${EXTRA_TARGET_CFLAGS/\-arch x86_64/} + +EXTRA_FLAGS="${EXTRA_FLAGS} ${EXTRA_TARGET_CFLAGS}" + +/usr/bin/perl ./Configure \ + --prefix=/tools/deps \ + --libdir=lib \ + ${OPENSSL_TARGET} \ + no-legacy \ + no-shared \ + no-tests \ + ${EXTRA_FLAGS} + +make -j ${NUM_CPUS} +make -j ${NUM_CPUS} install_sw install_ssldirs DESTDIR=${ROOT}/out diff --git a/cpython-unix/build.py b/cpython-unix/build.py index c5d73a1c..8a5e35ab 100755 --- a/cpython-unix/build.py +++ b/cpython-unix/build.py @@ -274,7 +274,7 @@ def simple_build( add_target_env(env, host_platform, target_triple, build_env) - if entry in ("openssl-1.1", "openssl-3.0"): + if entry.startswith("openssl-"): settings = get_targets(TARGETS_CONFIG)[target_triple] env["OPENSSL_TARGET"] = settings["openssl_target"] @@ -1114,6 +1114,7 @@ def main(): "ncurses", "openssl-1.1", "openssl-3.0", + "openssl-3.5", "patchelf", "sqlite", "tcl", diff --git a/cpython-unix/targets.yml b/cpython-unix/targets.yml index 451b9840..c4196388 100644 --- a/cpython-unix/targets.yml +++ b/cpython-unix/targets.yml @@ -102,7 +102,7 @@ aarch64-apple-darwin: - libffi - m4 - mpdecimal - - openssl-3.0 + - openssl-3.5 - sqlite - tcl - tk @@ -149,7 +149,7 @@ aarch64-apple-ios: - libffi - m4 - mpdecimal - - openssl-3.0 + - openssl-3.5 - sqlite - xz - zstd @@ -190,7 +190,7 @@ aarch64-unknown-linux-gnu: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -244,7 +244,7 @@ arm64-apple-tvos: - expat - m4 - mpdecimal - - openssl-3.0 + - openssl-3.5 - sqlite - xz - zstd @@ -279,7 +279,7 @@ armv7-unknown-linux-gnueabi: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -320,7 +320,7 @@ armv7-unknown-linux-gnueabihf: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -361,7 +361,7 @@ mips-unknown-linux-gnu: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -402,7 +402,7 @@ mipsel-unknown-linux-gnu: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -443,7 +443,7 @@ ppc64le-unknown-linux-gnu: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -484,7 +484,7 @@ riscv64-unknown-linux-gnu: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -525,7 +525,7 @@ s390x-unknown-linux-gnu: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -574,7 +574,7 @@ thumb7k-apple-watchos: - expat - m4 - mpdecimal - - openssl-3.0 + - openssl-3.5 - sqlite - xz - zstd @@ -627,7 +627,7 @@ x86_64-apple-darwin: - libffi - m4 - mpdecimal - - openssl-3.0 + - openssl-3.5 - sqlite - tcl - tk @@ -674,7 +674,7 @@ x86_64-apple-ios: - libffi - m4 - mpdecimal - - openssl-3.0 + - openssl-3.5 - sqlite - xz - zstd @@ -717,7 +717,7 @@ x86_64-apple-tvos: - expat - m4 - mpdecimal - - openssl-3.0 + - openssl-3.5 - sqlite - xz - zstd @@ -760,7 +760,7 @@ x86_64-apple-watchos: - expat - m4 - mpdecimal - - openssl-3.0 + - openssl-3.5 - sqlite - xz - zstd @@ -799,7 +799,7 @@ x86_64-unknown-linux-gnu: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -846,7 +846,7 @@ x86_64_v2-unknown-linux-gnu: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -893,7 +893,7 @@ x86_64_v3-unknown-linux-gnu: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -940,7 +940,7 @@ x86_64_v4-unknown-linux-gnu: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -985,7 +985,7 @@ x86_64-unknown-linux-musl: - mpdecimal - musl - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -1030,7 +1030,7 @@ x86_64_v2-unknown-linux-musl: - mpdecimal - musl - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -1075,7 +1075,7 @@ x86_64_v3-unknown-linux-musl: - mpdecimal - musl - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -1120,7 +1120,7 @@ x86_64_v4-unknown-linux-musl: - mpdecimal - musl - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -1167,7 +1167,7 @@ aarch64-unknown-linux-musl: - mpdecimal - musl - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl diff --git a/cpython-windows/build.py b/cpython-windows/build.py index 5fce1abf..19e5b969 100644 --- a/cpython-windows/build.py +++ b/cpython-windows/build.py @@ -470,7 +470,7 @@ def hack_props( raise Exception("unhandled architecture: %s" % arch) try: - # CPython 3.11+ builds with OpenSSL 3.0 by default. + # CPython 3.11+ builds with OpenSSL 3.x by default. static_replace_in_file( openssl_props, b"<_DLLSuffix>-3", @@ -1874,7 +1874,7 @@ def main() -> None: if args.python in ("cpython-3.9", "cpython-3.10"): openssl_entry = "openssl-1.1" else: - openssl_entry = "openssl-3.0" + openssl_entry = "openssl-3.5" openssl_archive = BUILD / ( "%s-%s-%s.tar" % (openssl_entry, target_triple, build_options) diff --git a/pythonbuild/downloads.py b/pythonbuild/downloads.py index 4332d680..cde93057 100644 --- a/pythonbuild/downloads.py +++ b/pythonbuild/downloads.py @@ -247,9 +247,6 @@ "licenses": ["OpenSSL"], "license_file": "LICENSE.openssl-1.1.txt", }, - # We use OpenSSL 3.0 because it is an LTS release and has a longer support - # window. If CPython ends up gaining support for 3.1+ releases, we can consider - # using the latest available. # Remember to update OPENSSL_VERSION_INFO in verify_distribution.py whenever upgrading. "openssl-3.0": { "url": "https://www.openssl.org/source/openssl-3.0.16.tar.gz", @@ -260,6 +257,16 @@ "licenses": ["Apache-2.0"], "license_file": "LICENSE.openssl-3.txt", }, + # Remember to update OPENSSL_VERSION_INFO in verify_distribution.py whenever upgrading. + "openssl-3.5": { + "url": "https://github.com/openssl/openssl/releases/download/openssl-3.5.2/openssl-3.5.2.tar.gz", + "size": 53180161, + "sha256": "c53a47e5e441c930c3928cf7bf6fb00e5d129b630e0aa873b08258656e7345ec", + "version": "3.5.2", + "library_names": ["crypto", "ssl"], + "licenses": ["Apache-2.0"], + "license_file": "LICENSE.openssl-3.txt", + }, "nasm-windows-bin": { "url": "https://github.com/python/cpython-bin-deps/archive/nasm-2.11.06.tar.gz", "size": 384826, diff --git a/src/verify_distribution.py b/src/verify_distribution.py index 2a9abda1..2c44c256 100644 --- a/src/verify_distribution.py +++ b/src/verify_distribution.py @@ -147,12 +147,12 @@ def test_ssl(self): self.assertTrue(ssl.HAS_TLSv1_2) self.assertTrue(ssl.HAS_TLSv1_3) - # OpenSSL 1.1 on older CPython versions on Windows. 3.0 everywhere + # OpenSSL 1.1 on older CPython versions on Windows. 3.5 everywhere # else. if os.name == "nt" and sys.version_info[0:2] < (3, 11): wanted_version = (1, 1, 1, 23, 15) else: - wanted_version = (3, 0, 0, 16, 0) + wanted_version = (3, 5, 0, 2, 0) self.assertEqual(ssl.OPENSSL_VERSION_INFO, wanted_version) From 0aacfc09efe3c518b07dd3bd0bef6c620d2b9121 Mon Sep 17 00:00:00 2001 From: Edward Knight Date: Tue, 2 Sep 2025 10:18:27 +0100 Subject: [PATCH 2/6] Bump minimum supported s390x arch-level to z10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This has been done to support OpenSSL 3.5 that uses the `cijne` opcode. This is still a very conservative arch-level. Gentoo also made this change when updating to OpenSSL 3.5, and to quote the news item from Andreas K. Hüttel: > The z10 Enterprise Class (2097 series) was introduced in February 2008, > which essentially means everyone except hardware archaeologists should be fine. --- cpython-unix/targets.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cpython-unix/targets.yml b/cpython-unix/targets.yml index c4196388..b1efbae9 100644 --- a/cpython-unix/targets.yml +++ b/cpython-unix/targets.yml @@ -511,6 +511,9 @@ s390x-unknown-linux-gnu: host_cxx: /usr/bin/x86_64-linux-gnu-g++ target_cc: /usr/bin/s390x-linux-gnu-gcc target_cxx: /usr/bin/s390x-linux-gnu-g++ + target_cflags: + # set the minimum compatibility level to z10 (released 2008) + - '-march=z10' needs: - autoconf - bdb From cc6f9713e1c63bc7cab3b950807e615b868dc360 Mon Sep 17 00:00:00 2001 From: Edward Knight Date: Tue, 2 Sep 2025 10:31:02 +0100 Subject: [PATCH 3/6] Bump NASM version to 2.16.03 This is to support building OpenSSL 3.5. Version 2.16.03 is the latest stable version at the time of writing. --- cpython-windows/build.py | 4 ++-- pythonbuild/downloads.py | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/cpython-windows/build.py b/cpython-windows/build.py index 19e5b969..26023247 100644 --- a/cpython-windows/build.py +++ b/cpython-windows/build.py @@ -720,11 +720,11 @@ def build_openssl_for_arch( log("extracting %s to %s" % (openssl_archive, build_root)) extract_tar_to_directory(openssl_archive, build_root) log("extracting %s to %s" % (nasm_archive, build_root)) - extract_tar_to_directory(nasm_archive, build_root) + extract_zip_to_directory(nasm_archive, build_root) log("extracting %s to %s" % (jom_archive, build_root)) extract_zip_to_directory(jom_archive, build_root / "jom") - nasm_path = build_root / ("cpython-bin-deps-nasm-%s" % nasm_version) + nasm_path = build_root / ("nasm-%s" % nasm_version) jom_path = build_root / "jom" env = dict(os.environ) diff --git a/pythonbuild/downloads.py b/pythonbuild/downloads.py index cde93057..411cb6c5 100644 --- a/pythonbuild/downloads.py +++ b/pythonbuild/downloads.py @@ -268,10 +268,10 @@ "license_file": "LICENSE.openssl-3.txt", }, "nasm-windows-bin": { - "url": "https://github.com/python/cpython-bin-deps/archive/nasm-2.11.06.tar.gz", - "size": 384826, - "sha256": "8af0ae5ceed63fa8a2ded611d44cc341027a91df22aaaa071efedc81437412a5", - "version": "2.11.06", + "url": "https://www.nasm.us/pub/nasm/releasebuilds/2.16.03/win64/nasm-2.16.03-win64.zip", + "size": 513543, + "sha256": "3ee4782247bcb874378d02f7eab4e294a84d3d15f3f6ee2de2f47a46aa7226e6", + "version": "2.16.03", }, "patchelf": { "url": "https://github.com/NixOS/patchelf/releases/download/0.13.1/patchelf-0.13.1.tar.bz2", From 9bd86fac7dce1a11831bc3ce9ee33f50aa5f573f Mon Sep 17 00:00:00 2001 From: Edward Knight Date: Tue, 2 Sep 2025 10:50:39 +0100 Subject: [PATCH 4/6] Patch OpenSSL 3.5 to hardcode the vlenb CSR address on RISC-V Our GCC version doesn't know it, so replace the `vlenb` variable with `0xc22`. See openssl/openssl#23011. --- cpython-unix/build-openssl-3.5.sh | 6 ++++++ cpython-unix/build.py | 4 ++++ .../patch-openssl-3.5-riscv-vlenb-register.patch | 15 +++++++++++++++ 3 files changed, 25 insertions(+) create mode 100644 cpython-unix/patch-openssl-3.5-riscv-vlenb-register.patch diff --git a/cpython-unix/build-openssl-3.5.sh b/cpython-unix/build-openssl-3.5.sh index 952098c5..ea7d5c60 100755 --- a/cpython-unix/build-openssl-3.5.sh +++ b/cpython-unix/build-openssl-3.5.sh @@ -13,6 +13,12 @@ tar -xf openssl-${OPENSSL_3_5_VERSION}.tar.gz pushd openssl-${OPENSSL_3_5_VERSION} +# hardcode the vlenb CSR address (0xc22) as our GCC version doesn't know it +# https://github.com/riscv/riscv-isa-manual/blob/c001fa237cdd8b6079384044462a89eb0e3fd9cf/src/v-st-ext.adoc?plain=1#L74 +if [[ "${TARGET_TRIPLE}" = "riscv64-unknown-linux-gnu" ]]; then + patch -p1 -i "${ROOT}/patch-openssl-3.5-riscv-vlenb-register.patch" +fi + # Otherwise it gets set to /tools/deps/ssl by default. case "${TARGET_TRIPLE}" in *apple*) diff --git a/cpython-unix/build.py b/cpython-unix/build.py index 8a5e35ab..cef7be61 100755 --- a/cpython-unix/build.py +++ b/cpython-unix/build.py @@ -274,9 +274,13 @@ def simple_build( add_target_env(env, host_platform, target_triple, build_env) + # for OpenSSL, set the OPENSSL_TARGET environment variable and copy in patches if entry.startswith("openssl-"): settings = get_targets(TARGETS_CONFIG)[target_triple] env["OPENSSL_TARGET"] = settings["openssl_target"] + build_env.copy_file( + SUPPORT / "patch-openssl-3.5-riscv-vlenb-register.patch" + ) build_env.run("build-%s.sh" % entry, environment=env) diff --git a/cpython-unix/patch-openssl-3.5-riscv-vlenb-register.patch b/cpython-unix/patch-openssl-3.5-riscv-vlenb-register.patch new file mode 100644 index 00000000..dacedeef --- /dev/null +++ b/cpython-unix/patch-openssl-3.5-riscv-vlenb-register.patch @@ -0,0 +1,15 @@ +diff --git a/crypto/riscv64cpuid.pl b/crypto/riscv64cpuid.pl +index 5dcdc5c584..7751ad50d9 100644 +--- a/crypto/riscv64cpuid.pl ++++ b/crypto/riscv64cpuid.pl +@@ -94,8 +94,8 @@ $code .= <<___; + .globl riscv_vlen_asm + .type riscv_vlen_asm,\@function + riscv_vlen_asm: +- csrr $ret, vlenb +- slli $ret, $ret, 3 ++ csrr a0, 0xc22 ++ slli a0, a0, 3 + ret + .size riscv_vlen_asm,.-riscv_vlen_asm + ___ From 6284af13f47a02fcbb61fc73cbb07779dfe1122b Mon Sep 17 00:00:00 2001 From: Edward Knight Date: Tue, 2 Sep 2025 15:40:32 +0100 Subject: [PATCH 5/6] Add C++ to cross-compiling Docker images This is a follow-on from #512 / d0ed97f where we started always setting the CXX environment variable to ensure we don't accidentally try and use the host (non-cross-compiling) C++ compiler. In attempting to upgrade to a more modern s509x minimum arch-level (z10), we found that the configure script for bdb fails. It tries to check the C++ compiler is working (respecting the CXX environment variable that is set), but fails to run the pre-processor with `$CXX -E` (as the C++ compiler isn't actually installed). It then falls back to `/lib/cpp`, which up until now has been working fine. Now that we're specifying `-march=z10` this fails as `/lib/cpp` doesn't know about `z10`. I don't know if we actually need to use the C++ compiler, but I'm adding it in to at least satisfy the configure script, and do the correct thing should we need it (rather than the incorrect thing of falling back to the host compiler). --- cpython-unix/build.cross-riscv64.Dockerfile | 9 +++++++++ cpython-unix/build.cross.Dockerfile | 8 ++++++++ 2 files changed, 17 insertions(+) diff --git a/cpython-unix/build.cross-riscv64.Dockerfile b/cpython-unix/build.cross-riscv64.Dockerfile index 740a098b..27106896 100644 --- a/cpython-unix/build.cross-riscv64.Dockerfile +++ b/cpython-unix/build.cross-riscv64.Dockerfile @@ -48,6 +48,15 @@ RUN apt-get install \ # Cross-building. RUN apt-get install \ + g++-aarch64-linux-gnu \ + g++-arm-linux-gnueabi \ + g++-arm-linux-gnueabihf \ + g++-mips-linux-gnu \ + g++-mips64el-linux-gnuabi64 \ + g++-mipsel-linux-gnu \ + g++-powerpc64le-linux-gnu \ + g++-riscv64-linux-gnu \ + g++-s390x-linux-gnu \ gcc-aarch64-linux-gnu \ gcc-arm-linux-gnueabi \ gcc-arm-linux-gnueabihf \ diff --git a/cpython-unix/build.cross.Dockerfile b/cpython-unix/build.cross.Dockerfile index aa17d6c1..efef3b90 100644 --- a/cpython-unix/build.cross.Dockerfile +++ b/cpython-unix/build.cross.Dockerfile @@ -51,6 +51,14 @@ RUN apt-get install \ # Cross-building. RUN apt-get install \ + g++-aarch64-linux-gnu \ + g++-arm-linux-gnueabi \ + g++-arm-linux-gnueabihf \ + g++-mips-linux-gnu \ + g++-mips64el-linux-gnuabi64 \ + g++-mipsel-linux-gnu \ + g++-powerpc64le-linux-gnu \ + g++-s390x-linux-gnu \ gcc-aarch64-linux-gnu \ gcc-arm-linux-gnueabi \ gcc-arm-linux-gnueabihf \ From 1db0b75207a790c484d6400a8a467aa324fa883b Mon Sep 17 00:00:00 2001 From: Edward Knight Date: Wed, 3 Sep 2025 11:11:29 +0100 Subject: [PATCH 6/6] Remove OpenSSL 3.0 Now we're building with OpenSSL 3.5 instead of 3.0, we no longer need the build configuration around. --- cpython-unix/Makefile | 4 --- cpython-unix/build-openssl-3.0.sh | 50 ------------------------------- cpython-unix/build.py | 1 - pythonbuild/downloads.py | 10 ------- 4 files changed, 65 deletions(-) delete mode 100755 cpython-unix/build-openssl-3.0.sh diff --git a/cpython-unix/Makefile b/cpython-unix/Makefile index 8fdcc94a..577f44fd 100644 --- a/cpython-unix/Makefile +++ b/cpython-unix/Makefile @@ -174,9 +174,6 @@ $(OUTDIR)/ncurses-$(NCURSES_VERSION)-$(PACKAGE_SUFFIX).tar: $(PYTHON_DEP_DEPENDS $(OUTDIR)/openssl-1.1-$(OPENSSL_1.1_VERSION)-$(PACKAGE_SUFFIX).tar: $(PYTHON_DEP_DEPENDS) $(HERE)/build-openssl-1.1.sh $(RUN_BUILD) --docker-image $(DOCKER_IMAGE_BUILD) openssl-1.1 -$(OUTDIR)/openssl-3.0-$(OPENSSL_3.0_VERSION)-$(PACKAGE_SUFFIX).tar: $(PYTHON_DEP_DEPENDS) $(HERE)/build-openssl-3.0.sh - $(RUN_BUILD) --docker-image $(DOCKER_IMAGE_BUILD) openssl-3.0 - $(OUTDIR)/openssl-3.5-$(OPENSSL_3.5_VERSION)-$(PACKAGE_SUFFIX).tar: $(PYTHON_DEP_DEPENDS) $(HERE)/build-openssl-3.5.sh $(RUN_BUILD) --docker-image $(DOCKER_IMAGE_BUILD) openssl-3.5 @@ -265,7 +262,6 @@ PYTHON_DEPENDS_$(1) := \ $$(if $$(NEED_MPDECIMAL),$$(OUTDIR)/mpdecimal-$$(MPDECIMAL_VERSION)-$$(PACKAGE_SUFFIX).tar) \ $$(if $$(NEED_NCURSES),$$(OUTDIR)/ncurses-$$(NCURSES_VERSION)-$$(PACKAGE_SUFFIX).tar) \ $$(if $$(NEED_OPENSSL_1_1),$$(OUTDIR)/openssl-1.1-$$(OPENSSL_1.1_VERSION)-$$(PACKAGE_SUFFIX).tar) \ - $$(if $$(NEED_OPENSSL_3_0),$$(OUTDIR)/openssl-3.0-$$(OPENSSL_3.0_VERSION)-$$(PACKAGE_SUFFIX).tar) \ $$(if $$(NEED_OPENSSL_3_5),$$(OUTDIR)/openssl-3.5-$$(OPENSSL_3.5_VERSION)-$$(PACKAGE_SUFFIX).tar) \ $$(if $$(NEED_PATCHELF),$$(OUTDIR)/patchelf-$$(PATCHELF_VERSION)-$$(PACKAGE_SUFFIX).tar) \ $$(if $$(NEED_SQLITE),$$(OUTDIR)/sqlite-$$(SQLITE_VERSION)-$$(PACKAGE_SUFFIX).tar) \ diff --git a/cpython-unix/build-openssl-3.0.sh b/cpython-unix/build-openssl-3.0.sh deleted file mode 100755 index 1d1f9134..00000000 --- a/cpython-unix/build-openssl-3.0.sh +++ /dev/null @@ -1,50 +0,0 @@ -#!/usr/bin/env bash -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at https://mozilla.org/MPL/2.0/. - -set -ex - -ROOT=`pwd` - -export PATH=${TOOLS_PATH}/${TOOLCHAIN}/bin:${TOOLS_PATH}/host/bin:$PATH - -tar -xf openssl-${OPENSSL_3_0_VERSION}.tar.gz - -pushd openssl-${OPENSSL_3_0_VERSION} - -# Otherwise it gets set to /tools/deps/ssl by default. -case "${TARGET_TRIPLE}" in - *apple*) - EXTRA_FLAGS="--openssldir=/private/etc/ssl" - ;; - *) - EXTRA_FLAGS="--openssldir=/etc/ssl" - ;; -esac - -# musl is missing support for various primitives. -# TODO disable secure memory is a bit scary. We should look into a proper -# workaround. -if [ "${CC}" = "musl-clang" ]; then - EXTRA_FLAGS="${EXTRA_FLAGS} no-async -DOPENSSL_NO_ASYNC -D__STDC_NO_ATOMICS__=1 no-engine -DOPENSSL_NO_SECURE_MEMORY" -fi - -# The -arch cflags confuse Configure. And OpenSSL adds them anyway. -# Strip them. -EXTRA_TARGET_CFLAGS=${EXTRA_TARGET_CFLAGS/\-arch arm64/} -EXTRA_TARGET_CFLAGS=${EXTRA_TARGET_CFLAGS/\-arch x86_64/} - -EXTRA_FLAGS="${EXTRA_FLAGS} ${EXTRA_TARGET_CFLAGS}" - -/usr/bin/perl ./Configure \ - --prefix=/tools/deps \ - --libdir=lib \ - ${OPENSSL_TARGET} \ - no-legacy \ - no-shared \ - no-tests \ - ${EXTRA_FLAGS} - -make -j ${NUM_CPUS} -make -j ${NUM_CPUS} install_sw install_ssldirs DESTDIR=${ROOT}/out diff --git a/cpython-unix/build.py b/cpython-unix/build.py index cef7be61..1fbb019b 100755 --- a/cpython-unix/build.py +++ b/cpython-unix/build.py @@ -1117,7 +1117,6 @@ def main(): "mpdecimal", "ncurses", "openssl-1.1", - "openssl-3.0", "openssl-3.5", "patchelf", "sqlite", diff --git a/pythonbuild/downloads.py b/pythonbuild/downloads.py index 411cb6c5..1df70a45 100644 --- a/pythonbuild/downloads.py +++ b/pythonbuild/downloads.py @@ -248,16 +248,6 @@ "license_file": "LICENSE.openssl-1.1.txt", }, # Remember to update OPENSSL_VERSION_INFO in verify_distribution.py whenever upgrading. - "openssl-3.0": { - "url": "https://www.openssl.org/source/openssl-3.0.16.tar.gz", - "size": 15334967, - "sha256": "57e03c50feab5d31b152af2b764f10379aecd8ee92f16c985983ce4a99f7ef86", - "version": "3.0.16", - "library_names": ["crypto", "ssl"], - "licenses": ["Apache-2.0"], - "license_file": "LICENSE.openssl-3.txt", - }, - # Remember to update OPENSSL_VERSION_INFO in verify_distribution.py whenever upgrading. "openssl-3.5": { "url": "https://github.com/openssl/openssl/releases/download/openssl-3.5.2/openssl-3.5.2.tar.gz", "size": 53180161,