Open CtrlZmaster opened 1 day ago
That PR was closed without merging because we had follow-up questions before it could be merged and never got a response.
Those questions remain, namely: Why Red Hat's behavior here is different from upstream's no-engine, which we support and test against.
If we can get a clear answer to that question, we can proceed, but from my perspective this is blocked on Red Hat, not us.
Ah, my bad, I read the discussion wrong in #11328.
I do not feel fully qualified to answer, I am just a cryptography user, so by no means an expert on OpenSSL. But I read the change proposal for Fedora and the discussion for a rejected proposal to remove OpenSSL engines. I think that I see what is going on here and I understand this step from a maintenance/packaging perspective.
First, there were concerns that providers still have issues and prevent full switchover from engines. That prompted another approach (the second accepted proposal), deprecating engines but still keeping them for packages that cannot switch over to providers. So OpenSSL is not built with --no-engine. Instead, the engine headers are simply moved from package openssl-devel to openssl-devel-engines which is marked as deprecated. And then OPENSSL_NO_ENGINE is defined mimicking the build without engine support. Fedora Packaging Guidelines prevent additions of new packages with deprecated dependencies. Packages that are ready to switch can do it now. Then there are existing packages that might not know about the deprecation of engines or cannot switch to providers yet. This approach will give them time to coordinate the switch after their builds will start to fail (this has already happened). So, they can easily fix for now by depending on openssl-devel-engines and start replacing them.
I would also like to point out that this is not a "Red Hat behavior" or a Red Hat decision. This approach was chosen by the Fedora community, during a Fedora Change process and approved by FESCo (Fedora Engineering Steering Committee). CentOS Stream 10 is simply following the Fedora approach as its downstream.
Basically the same issue as #11331, result of OpenSSL engine deprecation. Fedora 41 is in beta now and CentOS Stream 10 is starting to be added to various CI tools, so I think this issue is getting more impactful.
Pip will build from source after specifying --no-binary or if wheel for an architecture is not available. Upstream cryptography is not installable by pip for s390x and ppc64le architectures on these distributions at all. There was #11328 which was closed without merging even though it looked like it worked and there were no objections. Could it be merged, please?
Fedora 41
cryptography, cffi, pip, and setuptools you're using
cryptography
pip install --verbose --no-binary :all: cryptography
dnf install gcc libffi-devel openssl-devel rust cargo python3-devel python3-pip pkg-config
pip install --verbose --no-binary :all: cryptography
CentOS Stream 10
cryptography, cffi, pip, and setuptools you're using
cryptography
pip install --verbose --no-binary :all: cryptography
Clear steps for reproducing your bug
dnf install gcc libffi-devel openssl-devel rust-devel cargo python3-devel python3-pip pkg-config
pip install --verbose --no-binary :all: cryptography
warning: cryptography-cffi@0.1.0: /tmp/pip-install-yu819v4f/cryptography_3f49648c66844330a99094e9c78232ad/src/rust/target/release/build/cryptography-cffi-3885bb56678b35ca/out/_openssl.c:638:10: fatal error: openssl/engine.h: No such file or directory
warning: cryptography-cffi@0.1.0: 638 | #include <openssl/engine.h>
warning: cryptography-cffi@0.1.0: | ^~~~~
warning: cryptography-cffi@0.1.0: compilation terminated.
error: failed to run custom build command for cryptography-cffi v0.1.0 (/tmp/pip-install-yu819v4f/cryptography_3f49648c66844330a99094e9c78232ad/src/rust/cryptography-cffi)
Caused by: process didn't exit successfully:
/tmp/pip-install-yu819v4f/cryptography_3f49648c66844330a99094e9c78232ad/src/rust/target/release/build/cryptography-cffi-05f3521f571e1fe0/build-script-build
(exit status: 1)
--- stdout
cargo:warning=/tmp/pip-install-yu819v4f/cryptography_3f49648c66844330a99094e9c78232ad/src/rust/target/release/build/cryptography-cffi-3885bb56678b35ca/out/_openssl.c:638:10: fatal error: openssl/engine.h: No such file or directory
cargo:warning= 638 | #include <openssl/engine.h>
cargo:warning= | ^~~~~~
cargo:warning=compilation terminated.
--- stderr
error occurred: Command "cc" "-O3" "-ffunction-sections" "-fdata-sections" "-fPIC" "-m64" "-I" "/usr/include" "-I" "/usr/include/python3.12" "-Wall" "-Wextra" "-Wconversion" "-Wno-error=sign-conversion" "-Wno-unused-parameter" "-fmacro-prefix-map=/tmp/pip-install-yu819v4f/cryptography_3f49648c66844330a99094e9c78232ad/src/rust/target/release/build/cryptography-cffi-3885bb56678b35ca/out=." "-DPy_LIMITED_API=0x030700f0" "-o" "/tmp/pip-install-yu819v4f/cryptography_3f49648c66844330a99094e9c78232ad/src/rust/target/release/build/cryptography-cffi-3885bb56678b35ca/out/f85f21c44af9c842-_openssl.o" "-c" "/tmp/pip-install-yu819v4f/cryptography_3f49648c66844330a99094e9c78232ad/src/rust/target/release/build/cryptography-cffi-3885bb56678b35ca/out/_openssl.c" with args cc did not execute successfully (status code exit status: 1).
warning: build failed, waiting for other jobs to finish...
💥 maturin failed
Caused by: Failed to build a native library through cargo
Caused by: Cargo build finished with "exit status: 101":
env -u CARGO PYO3_ENVIRONMENT_SIGNATURE="cpython-3.12-64bit" PYO3_PYTHON="/usr/bin/python3" PYTHON_SYS_EXECUTABLE="/usr/bin/python3" "cargo" "rustc" "--features" "pyo3/abi3-py37" "--message-format" "json-render-diagnostics" "--locked" "--manifest-path" "/tmp/pip-install-yu819v4f/cryptography_3f49648c66844330a99094e9c78232ad/src/rust/Cargo.toml" "--release" "--lib"
Error: command ['maturin', 'pep517', 'build-wheel', '-i', '/usr/bin/python3', '--compatibility', 'off'] returned non-zero exit status 1
error: subprocess-exited-with-error
× Building wheel for cryptography (pyproject.toml) did not run successfully.
│ exit code: 1
╰─> See above for output.
note: This error originates from a subprocess, and is likely not a problem with pip.
full command: /usr/bin/python3 /usr/lib/python3.12/site-packages/pip/_vendor/pyproject_hooks/_in_process/_in_process.py build_wheel /tmp/tmpibb3_33o
cwd: /tmp/pip-install-yu819v4f/cryptography_3f49648c66844330a99094e9c78232ad
Building wheel for cryptography (pyproject.toml) ... error
ERROR: Failed building wheel for cryptography
Failed to build cryptography
ERROR: Could not build wheels for cryptography, which is required to install pyproject.toml-based projects
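
An added example, not part of the thread or of cryptography's own code: a pre-build probe that classifies an OpenSSL include directory by the two signals discussed in this issue, whether openssl/engine.h is installed and whether OPENSSL_NO_ENGINE is defined. It assumes the macro, when set, appears as a #define in openssl/configuration.h or openssl/opensslconf.h; the function names, state labels and sample trees are hypothetical and constructed for the example.

```shell
#!/bin/sh
# engine_state <include-dir>: print one label describing ENGINE support.
engine_state() {
    inc="$1"
    if [ ! -d "$inc/openssl" ]; then echo "no-openssl-headers"; return 0; fi
    macro=no
    for h in configuration.h opensslconf.h; do   # assumed locations of the macro
        if [ -f "$inc/openssl/$h" ] && grep -Eq \
            '^[[:space:]]*#[[:space:]]*define[[:space:]]+OPENSSL_NO_ENGINE([[:space:]]|$)' \
            "$inc/openssl/$h"; then
            macro=yes
        fi
    done
    header=no
    if [ -f "$inc/openssl/engine.h" ]; then header=yes; fi
    case "$header/$macro" in
        yes/no)  echo "engine-api-available" ;;     # include and ENGINE_* calls both fine
        yes/yes) echo "no-engine-with-header" ;;    # include compiles, API must not be used
        no/yes)  echo "no-engine-without-header" ;; # include must sit behind the macro guard
        no/no)   echo "header-missing" ;;           # any #include <openssl/engine.h> fails
    esac
}

# make_tree <dir> <header yes|no> <macro yes|no>: constructed sample include tree.
make_tree() {
    mkdir -p "$1/openssl"
    conf="$1/openssl/configuration.h"
    printf '%s\n' '#ifndef OPENSSL_CONFIGURATION_H' > "$conf"
    if [ "$3" = yes ]; then
        printf '%s\n' '# ifndef OPENSSL_NO_ENGINE' '#  define OPENSSL_NO_ENGINE' '# endif' >> "$conf"
    fi
    printf '%s\n' '#endif' >> "$conf"
    if [ "$2" = yes ]; then : > "$1/openssl/engine.h"; fi
}

# Stand-alone demo over the four header/macro combinations.
demo_root=$(mktemp -d)
for combo in yes/no yes/yes no/yes no/no; do
    d="$demo_root/${combo%/*}-${combo#*/}"
    make_tree "$d" "${combo%/*}" "${combo#*/}"
    printf 'header/macro=%s -> %s\n' "$combo" "$(engine_state "$d")"
done
rm -rf "$demo_root"
```

On a real system the argument would be the directory passed to the compiler with -I, which in the failing build log above is /usr/include.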