Use OS-provided OpenSSL?

0 views
Skip to first unread message

Will Furnass

unread,
Nov 7, 2017, 4:58:26 PM11/7/17
to co...@continuum.io
Some of you may have heard of the Spack package manager, which has
similar objectives to conda but is source-based and allows for very
granular build and load-time config. One interesting design choice is
the ability to use OS-provided packages in specific cases e.g. use the
system OpenSSL rather than a Spack-built one:

http://spack.readthedocs.io/en/latest/getting_started.html#openssl

Has there been talk of allowing conda to pick up whitelisted OS
packages in cases like this, where the package perhaps has a
security-related component and its API is fairly stable?

More generally, do others have concerns re stagnant user-instantiated
conda envs containing old openssl packages?

Cheers,

Will

Ray Donnelly

unread,
Nov 7, 2017, 5:25:27 PM11/7/17
to Will Furnass, conda - Public
No there hasn't been such talk. My opinion is that we can only look after our own garden here.

The API does not matter (two versions of the same package could contain C macros that reorder the arguments to some functions for example while still presenting the same API), I guess you meant the ABI. The other thing that matters is all direct and transitive shared library dependencies. An example of where this *will* go wrong is some if Linux distro's OpenSSL pulls in an earlier version of libgcc from /usr/lib than is needed by a conda python module. Due to how the linux loader will load 1 and only 1 library per process matching an SONAME the following will work:

import other_module
import _ssl

.. while the following will fail:

import _ssl
import other_module

We must make our software as fast, secure, well behaved and compatible with itself as we can.


--
You received this message because you are subscribed to the Google Groups "conda - Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to conda+un...@continuum.io.
To post to this group, send email to co...@continuum.io.
Visit this group at https://groups.google.com/a/continuum.io/group/conda/.
To view this discussion on the web visit https://groups.google.com/a/continuum.io/d/msgid/conda/CAHpBHzAyOyH5Z6hjkNJFyjzsHSL6VV95W7j2ph_oXDc9bnDmsQ%40mail.gmail.com.
For more options, visit https://groups.google.com/a/continuum.io/d/optout.

Reply all
Reply to author
Forward
0 new messages