Created attachment 685134
sys-apps:pkgcore-0.10.14-r1.build.log

I've recently dropped USE=sslv3 from dev-libs/openssl again, and some revdeps of python (which had been built against dev-libs/openssl[ssl,sslv3]) now show breakage, such as:

    Generating plugin cache
    Traceback (most recent call last):
      File "/usr/lib/python3.9/site-packages/snakeoil/modules.py", line 78, in load_any
        return import_module(name)
      File "/usr/lib/python3.9/importlib/__init__.py", line 127, in import_module
        return _bootstrap._gcd_import(name[level:], package, level)
      File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
      File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
      File "<frozen importlib._bootstrap>", line 972, in _find_and_load_unlocked
      File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
      File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
      File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
      File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
      File "<frozen importlib._bootstrap>", line 680, in _load_unlocked
      File "<frozen importlib._bootstrap_external>", line 790, in exec_module
      File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
      File "/var/tmp/portage/sys-apps/pkgcore-0.10.14-r1/work/pkgcore-0.10.14-python3_9/src/pkgcore/sync/sqfs.py", line 4, in <module>
        from pkgcore.sync.http import http_syncer
      File "/var/tmp/portage/sys-apps/pkgcore-0.10.14-r1/work/pkgcore-0.10.14-python3_9/src/pkgcore/sync/http.py", line 5, in <module>
        import ssl
      File "/usr/lib/python3.9/ssl.py", line 98, in <module>
        import _ssl # if we can't import it, let the error propagate
    ImportError: /usr/lib/python3.9/lib-dynload/_ssl.cpython-39-x86_64-linux-gnu.so: undefined symbol: SSLv3_method, version OPENSSL_1_1_0
I guess we should just force not using SSLv3 unconditionally here, correct?
If there is a way in the build system, yes; any revdep depending on such would probably have been found out about by now.
Of course there isn't. Apparently upstream is checking for some defines directly in the module code, e.g.:

    #if defined(SSL3_VERSION) && !defined(OPENSSL_NO_SSL3)
        case PY_SSL_VERSION_SSL3:
            ctx = SSL_CTX_new(SSLv3_method());
            break;
    #endif

I guess the simplest method would be to inject OPENSSL_NO_SSL3 somehow.
Actually, it would probably be easier to just patch the code out than to manage to inject the #define without actually hardcoding it in sysconfig.
A fix is included in the 3.10.0a5 patchset. Will backport to older versions when they have a release or we have a security fix to backport.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ae90c3fb460cd008653638b0221292d932bc6052

commit ae90c3fb460cd008653638b0221292d932bc6052
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-02-03 09:15:59 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-02-03 11:56:31 +0000

    dev-lang/python: Bump to 3.10.0a5

    The patchset now force-disables SSLv3.

    Bug: https://bugs.gentoo.org/767886
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                    |   3 +
 dev-lang/python/python-3.10.0_alpha5.ebuild | 353 ++++++++++++++++++++++++++++
 2 files changed, 356 insertions(+)
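The failure in the original report can be found before anything tries to import the module: this added example (not code from this bug, Gentoo or CPython) lists the dynamic symbols an extension module still imports and compares them with what the rebuilt library exports. It assumes little-endian ELF64 objects; the function names are hypothetical and the sample objects are constructed stand-ins, not real binaries.

```python
import struct

SHT_DYNSYM = 11                       # ELF section type of the dynamic symbol table
SHDR, SYM = "<IIQQQQIIQQ", "<IBBHQQ"  # ELF64 little-endian section header / symbol

def dynsyms(blob):
    """Return (imported, exported) dynamic symbol names of an ELF64 LE object."""
    if blob[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 object")
    (shoff,) = struct.unpack_from("<Q", blob, 0x28)           # e_shoff
    shentsize, shnum = struct.unpack_from("<HH", blob, 0x3A)  # e_shentsize, e_shnum
    secs = [struct.unpack_from(SHDR, blob, shoff + i * shentsize) for i in range(shnum)]
    imported, exported = set(), set()
    for sec in secs:
        if sec[1] != SHT_DYNSYM:
            continue
        str_off = secs[sec[6]][4]          # sh_link points at the string table
        for off in range(sec[4], sec[4] + sec[5], struct.calcsize(SYM)):
            st_name, _, _, shndx, _, _ = struct.unpack_from(SYM, blob, off)
            if st_name:
                start = str_off + st_name
                name = blob[start:blob.index(b"\0", start)].decode()
                (imported if shndx == 0 else exported).add(name)  # SHN_UNDEF == 0
    return imported, exported

def stale_imports(module, provider, watched=("SSLv3_method",)):
    """Watched symbols the module still imports but the provider no longer exports."""
    return sorted((dynsyms(module)[0] & set(watched)) - dynsyms(provider)[1])

def sample_elf(imports=(), exports=()):
    """Constructed test object: ELF header, .dynstr, .dynsym and three section headers."""
    names = [(n, 0) for n in imports] + [(n, 1) for n in exports]
    dynstr, dynsym = b"\0", struct.pack(SYM, 0, 0, 0, 0, 0, 0)
    for name, shndx in names:
        dynsym += struct.pack(SYM, len(dynstr), 0x12, 0, shndx, 0, 0)
        dynstr += name.encode() + b"\0"
    str_off, sym_off = 64, 64 + len(dynstr)
    shoff = sym_off + len(dynsym)
    hdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", 3, 62, 1,
                      0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)
    shdrs = (struct.pack(SHDR, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
             + struct.pack(SHDR, 0, 3, 0, 0, str_off, len(dynstr), 0, 0, 1, 0)
             + struct.pack(SHDR, 0, SHT_DYNSYM, 0, 0, sym_off, len(dynsym), 1, 1, 8, 24))
    return hdr + dynstr + dynsym + shdrs

# Constructed stand-ins for _ssl.cpython-39-*.so and a libssl built without SSLv3.
OLD_SSL_MODULE = sample_elf(imports=["SSL_CTX_new", "SSLv3_method", "TLS_method"])
LIBSSL_NO_SSLV3 = sample_elf(exports=["SSL_CTX_new", "TLS_method"])
LIBSSL_WITH_SSLV3 = sample_elf(exports=["SSL_CTX_new", "TLS_method", "SSLv3_method"])
```

On a real system the two byte strings would be the contents of the `_ssl` extension module and of the installed libssl; a non-empty result means Python has to be rebuilt (or patched as discussed above) before `import ssl` works again.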