From c5a5dd0a7f39c7faa0f98169ebcf98a7e42ea65e Mon Sep 17 00:00:00 2001 From: Edward Knight Date: Mon, 1 Sep 2025 14:16:46 +0100 Subject: [PATCH 1/6] Add OpenSSL 3.5, build with instead of 3.0 This means all supported Unix platforms (CPython 3.9+), and Windows from CPython 3.11+. This initial attempt copies what we did for OpenSSL 3.0. --- cpython-unix/Makefile | 4 +++ cpython-unix/build-openssl-3.5.sh | 50 +++++++++++++++++++++++++++++ cpython-unix/build.py | 3 +- cpython-unix/targets.yml | 52 +++++++++++++++---------------- cpython-windows/build.py | 4 +-- pythonbuild/downloads.py | 13 ++++++-- src/verify_distribution.py | 4 +-- 7 files changed, 96 insertions(+), 34 deletions(-) create mode 100755 cpython-unix/build-openssl-3.5.sh diff --git a/cpython-unix/Makefile b/cpython-unix/Makefile index 7e564145..8fdcc94a 100644 --- a/cpython-unix/Makefile +++ b/cpython-unix/Makefile @@ -177,6 +177,9 @@ $(OUTDIR)/openssl-1.1-$(OPENSSL_1.1_VERSION)-$(PACKAGE_SUFFIX).tar: $(PYTHON_DEP $(OUTDIR)/openssl-3.0-$(OPENSSL_3.0_VERSION)-$(PACKAGE_SUFFIX).tar: $(PYTHON_DEP_DEPENDS) $(HERE)/build-openssl-3.0.sh $(RUN_BUILD) --docker-image $(DOCKER_IMAGE_BUILD) openssl-3.0 +$(OUTDIR)/openssl-3.5-$(OPENSSL_3.5_VERSION)-$(PACKAGE_SUFFIX).tar: $(PYTHON_DEP_DEPENDS) $(HERE)/build-openssl-3.5.sh + $(RUN_BUILD) --docker-image $(DOCKER_IMAGE_BUILD) openssl-3.5 + LIBEDIT_DEPENDS = \ $(PYTHON_DEP_DEPENDS) \ $(OUTDIR)/ncurses-$(NCURSES_VERSION)-$(PACKAGE_SUFFIX).tar \ @@ -263,6 +266,7 @@ PYTHON_DEPENDS_$(1) := \ $$(if $$(NEED_NCURSES),$$(OUTDIR)/ncurses-$$(NCURSES_VERSION)-$$(PACKAGE_SUFFIX).tar) \ $$(if $$(NEED_OPENSSL_1_1),$$(OUTDIR)/openssl-1.1-$$(OPENSSL_1.1_VERSION)-$$(PACKAGE_SUFFIX).tar) \ $$(if $$(NEED_OPENSSL_3_0),$$(OUTDIR)/openssl-3.0-$$(OPENSSL_3.0_VERSION)-$$(PACKAGE_SUFFIX).tar) \ + $$(if $$(NEED_OPENSSL_3_5),$$(OUTDIR)/openssl-3.5-$$(OPENSSL_3.5_VERSION)-$$(PACKAGE_SUFFIX).tar) \ $$(if $$(NEED_PATCHELF),$$(OUTDIR)/patchelf-$$(PATCHELF_VERSION)-$$(PACKAGE_SUFFIX).tar) \ $$(if $$(NEED_SQLITE),$$(OUTDIR)/sqlite-$$(SQLITE_VERSION)-$$(PACKAGE_SUFFIX).tar) \ $$(if $$(NEED_TCL),$$(OUTDIR)/tcl-$$(TCL_VERSION)-$$(PACKAGE_SUFFIX).tar) \ diff --git a/cpython-unix/build-openssl-3.5.sh b/cpython-unix/build-openssl-3.5.sh new file mode 100755 index 00000000..952098c5 --- /dev/null +++ b/cpython-unix/build-openssl-3.5.sh @@ -0,0 +1,50 @@ +#!/usr/bin/env bash +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at https://mozilla.org/MPL/2.0/. + +set -ex + +ROOT=`pwd` + +export PATH=${TOOLS_PATH}/${TOOLCHAIN}/bin:${TOOLS_PATH}/host/bin:$PATH + +tar -xf openssl-${OPENSSL_3_5_VERSION}.tar.gz + +pushd openssl-${OPENSSL_3_5_VERSION} + +# Otherwise it gets set to /tools/deps/ssl by default. +case "${TARGET_TRIPLE}" in + *apple*) + EXTRA_FLAGS="--openssldir=/private/etc/ssl" + ;; + *) + EXTRA_FLAGS="--openssldir=/etc/ssl" + ;; +esac + +# musl is missing support for various primitives. +# TODO disable secure memory is a bit scary. We should look into a proper +# workaround. +if [ "${CC}" = "musl-clang" ]; then + EXTRA_FLAGS="${EXTRA_FLAGS} no-async -DOPENSSL_NO_ASYNC -D__STDC_NO_ATOMICS__=1 no-engine -DOPENSSL_NO_SECURE_MEMORY" +fi + +# The -arch cflags confuse Configure. And OpenSSL adds them anyway. +# Strip them. +EXTRA_TARGET_CFLAGS=${EXTRA_TARGET_CFLAGS/\-arch arm64/} +EXTRA_TARGET_CFLAGS=${EXTRA_TARGET_CFLAGS/\-arch x86_64/} + +EXTRA_FLAGS="${EXTRA_FLAGS} ${EXTRA_TARGET_CFLAGS}" + +/usr/bin/perl ./Configure \ + --prefix=/tools/deps \ + --libdir=lib \ + ${OPENSSL_TARGET} \ + no-legacy \ + no-shared \ + no-tests \ + ${EXTRA_FLAGS} + +make -j ${NUM_CPUS} +make -j ${NUM_CPUS} install_sw install_ssldirs DESTDIR=${ROOT}/out diff --git a/cpython-unix/build.py b/cpython-unix/build.py index c5d73a1c..8a5e35ab 100755 --- a/cpython-unix/build.py +++ b/cpython-unix/build.py @@ -274,7 +274,7 @@ def simple_build( add_target_env(env, host_platform, target_triple, build_env) - if entry in ("openssl-1.1", "openssl-3.0"): + if entry.startswith("openssl-"): settings = get_targets(TARGETS_CONFIG)[target_triple] env["OPENSSL_TARGET"] = settings["openssl_target"] @@ -1114,6 +1114,7 @@ def main(): "ncurses", "openssl-1.1", "openssl-3.0", + "openssl-3.5", "patchelf", "sqlite", "tcl", diff --git a/cpython-unix/targets.yml b/cpython-unix/targets.yml index 221a0e46..cb1e77f3 100644 --- a/cpython-unix/targets.yml +++ b/cpython-unix/targets.yml @@ -102,7 +102,7 @@ aarch64-apple-darwin: - libffi - m4 - mpdecimal - - openssl-3.0 + - openssl-3.5 - sqlite - tcl - tk @@ -149,7 +149,7 @@ aarch64-apple-ios: - libffi - m4 - mpdecimal - - openssl-3.0 + - openssl-3.5 - sqlite - xz - zstd @@ -190,7 +190,7 @@ aarch64-unknown-linux-gnu: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -244,7 +244,7 @@ arm64-apple-tvos: - expat - m4 - mpdecimal - - openssl-3.0 + - openssl-3.5 - sqlite - xz - zstd @@ -279,7 +279,7 @@ armv7-unknown-linux-gnueabi: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -320,7 +320,7 @@ armv7-unknown-linux-gnueabihf: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -361,7 +361,7 @@ loongarch64-unknown-linux-gnu: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -402,7 +402,7 @@ mips-unknown-linux-gnu: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -443,7 +443,7 @@ mipsel-unknown-linux-gnu: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -484,7 +484,7 @@ ppc64le-unknown-linux-gnu: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -525,7 +525,7 @@ riscv64-unknown-linux-gnu: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -566,7 +566,7 @@ s390x-unknown-linux-gnu: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -615,7 +615,7 @@ thumb7k-apple-watchos: - expat - m4 - mpdecimal - - openssl-3.0 + - openssl-3.5 - sqlite - xz - zstd @@ -668,7 +668,7 @@ x86_64-apple-darwin: - libffi - m4 - mpdecimal - - openssl-3.0 + - openssl-3.5 - sqlite - tcl - tk @@ -715,7 +715,7 @@ x86_64-apple-ios: - libffi - m4 - mpdecimal - - openssl-3.0 + - openssl-3.5 - sqlite - xz - zstd @@ -758,7 +758,7 @@ x86_64-apple-tvos: - expat - m4 - mpdecimal - - openssl-3.0 + - openssl-3.5 - sqlite - xz - zstd @@ -801,7 +801,7 @@ x86_64-apple-watchos: - expat - m4 - mpdecimal - - openssl-3.0 + - openssl-3.5 - sqlite - xz - zstd @@ -840,7 +840,7 @@ x86_64-unknown-linux-gnu: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -887,7 +887,7 @@ x86_64_v2-unknown-linux-gnu: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -934,7 +934,7 @@ x86_64_v3-unknown-linux-gnu: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -981,7 +981,7 @@ x86_64_v4-unknown-linux-gnu: - m4 - mpdecimal - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -1026,7 +1026,7 @@ x86_64-unknown-linux-musl: - mpdecimal - musl - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -1071,7 +1071,7 @@ x86_64_v2-unknown-linux-musl: - mpdecimal - musl - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -1116,7 +1116,7 @@ x86_64_v3-unknown-linux-musl: - mpdecimal - musl - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -1161,7 +1161,7 @@ x86_64_v4-unknown-linux-musl: - mpdecimal - musl - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl @@ -1208,7 +1208,7 @@ aarch64-unknown-linux-musl: - mpdecimal - musl - ncurses - - openssl-3.0 + - openssl-3.5 - patchelf - sqlite - tcl diff --git a/cpython-windows/build.py b/cpython-windows/build.py index 5fce1abf..19e5b969 100644 --- a/cpython-windows/build.py +++ b/cpython-windows/build.py @@ -470,7 +470,7 @@ def hack_props( raise Exception("unhandled architecture: %s" % arch) try: - # CPython 3.11+ builds with OpenSSL 3.0 by default. + # CPython 3.11+ builds with OpenSSL 3.x by default. static_replace_in_file( openssl_props, b"<_DLLSuffix>-3", @@ -1874,7 +1874,7 @@ def main() -> None: if args.python in ("cpython-3.9", "cpython-3.10"): openssl_entry = "openssl-1.1" else: - openssl_entry = "openssl-3.0" + openssl_entry = "openssl-3.5" openssl_archive = BUILD / ( "%s-%s-%s.tar" % (openssl_entry, target_triple, build_options) diff --git a/pythonbuild/downloads.py b/pythonbuild/downloads.py index e1562c04..2f2469c1 100644 --- a/pythonbuild/downloads.py +++ b/pythonbuild/downloads.py @@ -247,9 +247,6 @@ "licenses": ["OpenSSL"], "license_file": "LICENSE.openssl-1.1.txt", }, - # We use OpenSSL 3.0 because it is an LTS release and has a longer support - # window. If CPython ends up gaining support for 3.1+ releases, we can consider - # using the latest available. # Remember to update OPENSSL_VERSION_INFO in verify_distribution.py whenever upgrading. "openssl-3.0": { "url": "https://www.openssl.org/source/openssl-3.0.16.tar.gz", @@ -260,6 +257,16 @@ "licenses": ["Apache-2.0"], "license_file": "LICENSE.openssl-3.txt", }, + # Remember to update OPENSSL_VERSION_INFO in verify_distribution.py whenever upgrading. + "openssl-3.5": { + "url": "https://github.com/openssl/openssl/releases/download/openssl-3.5.2/openssl-3.5.2.tar.gz", + "size": 53180161, + "sha256": "c53a47e5e441c930c3928cf7bf6fb00e5d129b630e0aa873b08258656e7345ec", + "version": "3.5.2", + "library_names": ["crypto", "ssl"], + "licenses": ["Apache-2.0"], + "license_file": "LICENSE.openssl-3.txt", + }, "nasm-windows-bin": { "url": "https://github.com/python/cpython-bin-deps/archive/nasm-2.11.06.tar.gz", "size": 384826, diff --git a/src/verify_distribution.py b/src/verify_distribution.py index 62d58f97..a4704f3f 100644 --- a/src/verify_distribution.py +++ b/src/verify_distribution.py @@ -147,12 +147,12 @@ def test_ssl(self): self.assertTrue(ssl.HAS_TLSv1_2) self.assertTrue(ssl.HAS_TLSv1_3) - # OpenSSL 1.1 on older CPython versions on Windows. 3.0 everywhere + # OpenSSL 1.1 on older CPython versions on Windows. 3.5 everywhere # else. if os.name == "nt" and sys.version_info[0:2] < (3, 11): wanted_version = (1, 1, 1, 23, 15) else: - wanted_version = (3, 0, 0, 16, 0) + wanted_version = (3, 5, 0, 2, 0) self.assertEqual(ssl.OPENSSL_VERSION_INFO, wanted_version) From 17ad0ac545e3487ce38cc279213a7d267aa66a76 Mon Sep 17 00:00:00 2001 From: Edward Knight Date: Tue, 2 Sep 2025 10:18:27 +0100 Subject: [PATCH 2/6] Bump minimum supported s390x arch-level to z10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This has been done to support OpenSSL 3.5 that uses the `cijne` opcode. This is still a very conservative arch-level. Gentoo also made this change when updating to OpenSSL 3.5, and to quote the news item from Andreas K. Hüttel: > The z10 Enterprise Class (2097 series) was introduced in February 2008, > which essentially means everyone except hardware archaeologists should be fine. --- cpython-unix/targets.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cpython-unix/targets.yml b/cpython-unix/targets.yml index cb1e77f3..73fe43cc 100644 --- a/cpython-unix/targets.yml +++ b/cpython-unix/targets.yml @@ -552,6 +552,9 @@ s390x-unknown-linux-gnu: host_cxx: /usr/bin/x86_64-linux-gnu-g++ target_cc: /usr/bin/s390x-linux-gnu-gcc target_cxx: /usr/bin/s390x-linux-gnu-g++ + target_cflags: + # set the minimum compatibility level to z10 (released 2008) + - '-march=z10' needs: - autoconf - bdb From 12d9b63bd13459cd0bd26d0841523cef809129fb Mon Sep 17 00:00:00 2001 From: Edward Knight Date: Tue, 2 Sep 2025 10:31:02 +0100 Subject: [PATCH 3/6] Bump NASM version to 2.16.03 This is to support building OpenSSL 3.5. Version 2.16.03 is the latest stable version at the time of writing. --- cpython-windows/build.py | 4 ++-- pythonbuild/downloads.py | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/cpython-windows/build.py b/cpython-windows/build.py index 19e5b969..26023247 100644 --- a/cpython-windows/build.py +++ b/cpython-windows/build.py @@ -720,11 +720,11 @@ def build_openssl_for_arch( log("extracting %s to %s" % (openssl_archive, build_root)) extract_tar_to_directory(openssl_archive, build_root) log("extracting %s to %s" % (nasm_archive, build_root)) - extract_tar_to_directory(nasm_archive, build_root) + extract_zip_to_directory(nasm_archive, build_root) log("extracting %s to %s" % (jom_archive, build_root)) extract_zip_to_directory(jom_archive, build_root / "jom") - nasm_path = build_root / ("cpython-bin-deps-nasm-%s" % nasm_version) + nasm_path = build_root / ("nasm-%s" % nasm_version) jom_path = build_root / "jom" env = dict(os.environ) diff --git a/pythonbuild/downloads.py b/pythonbuild/downloads.py index 2f2469c1..c63fba2b 100644 --- a/pythonbuild/downloads.py +++ b/pythonbuild/downloads.py @@ -268,10 +268,10 @@ "license_file": "LICENSE.openssl-3.txt", }, "nasm-windows-bin": { - "url": "https://github.com/python/cpython-bin-deps/archive/nasm-2.11.06.tar.gz", - "size": 384826, - "sha256": "8af0ae5ceed63fa8a2ded611d44cc341027a91df22aaaa071efedc81437412a5", - "version": "2.11.06", + "url": "https://www.nasm.us/pub/nasm/releasebuilds/2.16.03/win64/nasm-2.16.03-win64.zip", + "size": 513543, + "sha256": "3ee4782247bcb874378d02f7eab4e294a84d3d15f3f6ee2de2f47a46aa7226e6", + "version": "2.16.03", }, "patchelf": { "url": "https://github.com/NixOS/patchelf/releases/download/0.13.1/patchelf-0.13.1.tar.bz2", From 457cc860454b087f0025d33937c561c72203a58e Mon Sep 17 00:00:00 2001 From: Edward Knight Date: Tue, 2 Sep 2025 10:50:39 +0100 Subject: [PATCH 4/6] Patch OpenSSL 3.5 to hardcode the vlenb CSR address on RISC-V Our GCC version doesn't know it, so replace the `vlenb` variable with `0xc22`. See openssl/openssl#23011. --- cpython-unix/build-openssl-3.5.sh | 6 ++++++ cpython-unix/build.py | 4 ++++ .../patch-openssl-3.5-riscv-vlenb-register.patch | 15 +++++++++++++++ 3 files changed, 25 insertions(+) create mode 100644 cpython-unix/patch-openssl-3.5-riscv-vlenb-register.patch diff --git a/cpython-unix/build-openssl-3.5.sh b/cpython-unix/build-openssl-3.5.sh index 952098c5..ea7d5c60 100755 --- a/cpython-unix/build-openssl-3.5.sh +++ b/cpython-unix/build-openssl-3.5.sh @@ -13,6 +13,12 @@ tar -xf openssl-${OPENSSL_3_5_VERSION}.tar.gz pushd openssl-${OPENSSL_3_5_VERSION} +# hardcode the vlenb CSR address (0xc22) as our GCC version doesn't know it +# https://github.com/riscv/riscv-isa-manual/blob/c001fa237cdd8b6079384044462a89eb0e3fd9cf/src/v-st-ext.adoc?plain=1#L74 +if [[ "${TARGET_TRIPLE}" = "riscv64-unknown-linux-gnu" ]]; then + patch -p1 -i "${ROOT}/patch-openssl-3.5-riscv-vlenb-register.patch" +fi + # Otherwise it gets set to /tools/deps/ssl by default. case "${TARGET_TRIPLE}" in *apple*) diff --git a/cpython-unix/build.py b/cpython-unix/build.py index 8a5e35ab..cef7be61 100755 --- a/cpython-unix/build.py +++ b/cpython-unix/build.py @@ -274,9 +274,13 @@ def simple_build( add_target_env(env, host_platform, target_triple, build_env) + # for OpenSSL, set the OPENSSL_TARGET environment variable and copy in patches if entry.startswith("openssl-"): settings = get_targets(TARGETS_CONFIG)[target_triple] env["OPENSSL_TARGET"] = settings["openssl_target"] + build_env.copy_file( + SUPPORT / "patch-openssl-3.5-riscv-vlenb-register.patch" + ) build_env.run("build-%s.sh" % entry, environment=env) diff --git a/cpython-unix/patch-openssl-3.5-riscv-vlenb-register.patch b/cpython-unix/patch-openssl-3.5-riscv-vlenb-register.patch new file mode 100644 index 00000000..dacedeef --- /dev/null +++ b/cpython-unix/patch-openssl-3.5-riscv-vlenb-register.patch @@ -0,0 +1,15 @@ +diff --git a/crypto/riscv64cpuid.pl b/crypto/riscv64cpuid.pl +index 5dcdc5c584..7751ad50d9 100644 +--- a/crypto/riscv64cpuid.pl ++++ b/crypto/riscv64cpuid.pl +@@ -94,8 +94,8 @@ $code .= <<___; + .globl riscv_vlen_asm + .type riscv_vlen_asm,\@function + riscv_vlen_asm: +- csrr $ret, vlenb +- slli $ret, $ret, 3 ++ csrr a0, 0xc22 ++ slli a0, a0, 3 + ret + .size riscv_vlen_asm,.-riscv_vlen_asm + ___ From 68b2bfe40c1f0c38cddec69e45c31169c00e0ca2 Mon Sep 17 00:00:00 2001 From: Edward Knight Date: Tue, 2 Sep 2025 15:40:32 +0100 Subject: [PATCH 5/6] Add C++ to cross-compiling Docker images This is a follow-on from #512 / d0ed97f where we started always setting the CXX environment variable to ensure we don't accidentally try and use the host (non-cross-compiling) C++ compiler. In attempting to upgrade to a more modern s509x minimum arch-level (z10), we found that the configure script for bdb fails. It tries to check the C++ compiler is working (respecting the CXX environment variable that is set), but fails to run the pre-processor with `$CXX -E` (as the C++ compiler isn't actually installed). It then falls back to `/lib/cpp`, which up until now has been working fine. Now that we're specifying `-march=z10` this fails as `/lib/cpp` doesn't know about `z10`. I don't know if we actually need to use the C++ compiler, but I'm adding it in to at least satisfy the configure script, and do the correct thing should we need it (rather than the incorrect thing of falling back to the host compiler). --- cpython-unix/build.cross-loongarch64.Dockerfile | 1 + cpython-unix/build.cross-riscv64.Dockerfile | 9 +++++++++ cpython-unix/build.cross.Dockerfile | 8 ++++++++ 3 files changed, 18 insertions(+) diff --git a/cpython-unix/build.cross-loongarch64.Dockerfile b/cpython-unix/build.cross-loongarch64.Dockerfile index fc1f27bc..2e78250e 100644 --- a/cpython-unix/build.cross-loongarch64.Dockerfile +++ b/cpython-unix/build.cross-loongarch64.Dockerfile @@ -53,6 +53,7 @@ RUN apt-get install \ zlib1g-dev RUN apt-get install \ + g++-loongarch64-linux-gnu \ gcc-loongarch64-linux-gnu \ libc6-dev-loong64-cross diff --git a/cpython-unix/build.cross-riscv64.Dockerfile b/cpython-unix/build.cross-riscv64.Dockerfile index 6114fe75..2e43a152 100644 --- a/cpython-unix/build.cross-riscv64.Dockerfile +++ b/cpython-unix/build.cross-riscv64.Dockerfile @@ -48,6 +48,15 @@ RUN apt-get install \ # Cross-building. RUN apt-get install \ + g++-aarch64-linux-gnu \ + g++-arm-linux-gnueabi \ + g++-arm-linux-gnueabihf \ + g++-mips-linux-gnu \ + g++-mips64el-linux-gnuabi64 \ + g++-mipsel-linux-gnu \ + g++-powerpc64le-linux-gnu \ + g++-riscv64-linux-gnu \ + g++-s390x-linux-gnu \ gcc-aarch64-linux-gnu \ gcc-arm-linux-gnueabi \ gcc-arm-linux-gnueabihf \ diff --git a/cpython-unix/build.cross.Dockerfile b/cpython-unix/build.cross.Dockerfile index d8e557fe..3665f9ac 100644 --- a/cpython-unix/build.cross.Dockerfile +++ b/cpython-unix/build.cross.Dockerfile @@ -51,6 +51,14 @@ RUN apt-get install \ # Cross-building. RUN apt-get install \ + g++-aarch64-linux-gnu \ + g++-arm-linux-gnueabi \ + g++-arm-linux-gnueabihf \ + g++-mips-linux-gnu \ + g++-mips64el-linux-gnuabi64 \ + g++-mipsel-linux-gnu \ + g++-powerpc64le-linux-gnu \ + g++-s390x-linux-gnu \ gcc-aarch64-linux-gnu \ gcc-arm-linux-gnueabi \ gcc-arm-linux-gnueabihf \ From b78194ae0e78abe292cd28532e30038b0bb88c13 Mon Sep 17 00:00:00 2001 From: Edward Knight Date: Wed, 3 Sep 2025 11:11:29 +0100 Subject: [PATCH 6/6] Remove OpenSSL 3.0 Now we're building with OpenSSL 3.5 instead of 3.0, we no longer need the build configuration around. --- cpython-unix/Makefile | 4 --- cpython-unix/build-openssl-3.0.sh | 50 ------------------------------- cpython-unix/build.py | 1 - pythonbuild/downloads.py | 10 ------- 4 files changed, 65 deletions(-) delete mode 100755 cpython-unix/build-openssl-3.0.sh diff --git a/cpython-unix/Makefile b/cpython-unix/Makefile index 8fdcc94a..577f44fd 100644 --- a/cpython-unix/Makefile +++ b/cpython-unix/Makefile @@ -174,9 +174,6 @@ $(OUTDIR)/ncurses-$(NCURSES_VERSION)-$(PACKAGE_SUFFIX).tar: $(PYTHON_DEP_DEPENDS $(OUTDIR)/openssl-1.1-$(OPENSSL_1.1_VERSION)-$(PACKAGE_SUFFIX).tar: $(PYTHON_DEP_DEPENDS) $(HERE)/build-openssl-1.1.sh $(RUN_BUILD) --docker-image $(DOCKER_IMAGE_BUILD) openssl-1.1 -$(OUTDIR)/openssl-3.0-$(OPENSSL_3.0_VERSION)-$(PACKAGE_SUFFIX).tar: $(PYTHON_DEP_DEPENDS) $(HERE)/build-openssl-3.0.sh - $(RUN_BUILD) --docker-image $(DOCKER_IMAGE_BUILD) openssl-3.0 - $(OUTDIR)/openssl-3.5-$(OPENSSL_3.5_VERSION)-$(PACKAGE_SUFFIX).tar: $(PYTHON_DEP_DEPENDS) $(HERE)/build-openssl-3.5.sh $(RUN_BUILD) --docker-image $(DOCKER_IMAGE_BUILD) openssl-3.5 @@ -265,7 +262,6 @@ PYTHON_DEPENDS_$(1) := \ $$(if $$(NEED_MPDECIMAL),$$(OUTDIR)/mpdecimal-$$(MPDECIMAL_VERSION)-$$(PACKAGE_SUFFIX).tar) \ $$(if $$(NEED_NCURSES),$$(OUTDIR)/ncurses-$$(NCURSES_VERSION)-$$(PACKAGE_SUFFIX).tar) \ $$(if $$(NEED_OPENSSL_1_1),$$(OUTDIR)/openssl-1.1-$$(OPENSSL_1.1_VERSION)-$$(PACKAGE_SUFFIX).tar) \ - $$(if $$(NEED_OPENSSL_3_0),$$(OUTDIR)/openssl-3.0-$$(OPENSSL_3.0_VERSION)-$$(PACKAGE_SUFFIX).tar) \ $$(if $$(NEED_OPENSSL_3_5),$$(OUTDIR)/openssl-3.5-$$(OPENSSL_3.5_VERSION)-$$(PACKAGE_SUFFIX).tar) \ $$(if $$(NEED_PATCHELF),$$(OUTDIR)/patchelf-$$(PATCHELF_VERSION)-$$(PACKAGE_SUFFIX).tar) \ $$(if $$(NEED_SQLITE),$$(OUTDIR)/sqlite-$$(SQLITE_VERSION)-$$(PACKAGE_SUFFIX).tar) \ diff --git a/cpython-unix/build-openssl-3.0.sh b/cpython-unix/build-openssl-3.0.sh deleted file mode 100755 index 1d1f9134..00000000 --- a/cpython-unix/build-openssl-3.0.sh +++ /dev/null @@ -1,50 +0,0 @@ -#!/usr/bin/env bash -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at https://mozilla.org/MPL/2.0/. - -set -ex - -ROOT=`pwd` - -export PATH=${TOOLS_PATH}/${TOOLCHAIN}/bin:${TOOLS_PATH}/host/bin:$PATH - -tar -xf openssl-${OPENSSL_3_0_VERSION}.tar.gz - -pushd openssl-${OPENSSL_3_0_VERSION} - -# Otherwise it gets set to /tools/deps/ssl by default. -case "${TARGET_TRIPLE}" in - *apple*) - EXTRA_FLAGS="--openssldir=/private/etc/ssl" - ;; - *) - EXTRA_FLAGS="--openssldir=/etc/ssl" - ;; -esac - -# musl is missing support for various primitives. -# TODO disable secure memory is a bit scary. We should look into a proper -# workaround. -if [ "${CC}" = "musl-clang" ]; then - EXTRA_FLAGS="${EXTRA_FLAGS} no-async -DOPENSSL_NO_ASYNC -D__STDC_NO_ATOMICS__=1 no-engine -DOPENSSL_NO_SECURE_MEMORY" -fi - -# The -arch cflags confuse Configure. And OpenSSL adds them anyway. -# Strip them. -EXTRA_TARGET_CFLAGS=${EXTRA_TARGET_CFLAGS/\-arch arm64/} -EXTRA_TARGET_CFLAGS=${EXTRA_TARGET_CFLAGS/\-arch x86_64/} - -EXTRA_FLAGS="${EXTRA_FLAGS} ${EXTRA_TARGET_CFLAGS}" - -/usr/bin/perl ./Configure \ - --prefix=/tools/deps \ - --libdir=lib \ - ${OPENSSL_TARGET} \ - no-legacy \ - no-shared \ - no-tests \ - ${EXTRA_FLAGS} - -make -j ${NUM_CPUS} -make -j ${NUM_CPUS} install_sw install_ssldirs DESTDIR=${ROOT}/out diff --git a/cpython-unix/build.py b/cpython-unix/build.py index cef7be61..1fbb019b 100755 --- a/cpython-unix/build.py +++ b/cpython-unix/build.py @@ -1117,7 +1117,6 @@ def main(): "mpdecimal", "ncurses", "openssl-1.1", - "openssl-3.0", "openssl-3.5", "patchelf", "sqlite", diff --git a/pythonbuild/downloads.py b/pythonbuild/downloads.py index c63fba2b..e5f3c0ae 100644 --- a/pythonbuild/downloads.py +++ b/pythonbuild/downloads.py @@ -248,16 +248,6 @@ "license_file": "LICENSE.openssl-1.1.txt", }, # Remember to update OPENSSL_VERSION_INFO in verify_distribution.py whenever upgrading. - "openssl-3.0": { - "url": "https://www.openssl.org/source/openssl-3.0.16.tar.gz", - "size": 15334967, - "sha256": "57e03c50feab5d31b152af2b764f10379aecd8ee92f16c985983ce4a99f7ef86", - "version": "3.0.16", - "library_names": ["crypto", "ssl"], - "licenses": ["Apache-2.0"], - "license_file": "LICENSE.openssl-3.txt", - }, - # Remember to update OPENSSL_VERSION_INFO in verify_distribution.py whenever upgrading. "openssl-3.5": { "url": "https://github.com/openssl/openssl/releases/download/openssl-3.5.2/openssl-3.5.2.tar.gz", "size": 53180161,