GitLab

at 2025-12-10T21:38:25+01:00

Bug 41627: Build OpenSSL in the Python package.

Build OpenSSL with Python, so that the ssl module can be imported.
We do not use the openssl project to avoid re-building a consistent
part of the Linux toolchain every time we bump it.

Also, bump the Python version since we are at it (we downgraded to be
able to build it with OpenSSL 1.1.x, now we don't have that requirement
anymore), and bump ninja, as the old version didn't build with our new
version of Python.

@@ -159,7 +159,7 @@ if (m/^\\s*MINIMUM_MINOR_VERSION = ([0-9]+)/) {
+ }
  EOF
  needed=3.$(cat python/mozboot/bin/bootstrap.py | perl -ne "$p")
 -current="3.9" # 3.11.x on Debian bookworm, 3.9.20 on our python project
 +current="3.9" # 3.11.x on Debian bookworm, 3.13.11 on our python project
  check_update_needed python "$needed" "$current"

@@ -34,6 +34,8 @@ export PATH="/var/tmp/dist/rust/bin:/var/tmp/dist/cbindgen:/var/tmp/dist/node/bi
    tar -C /var/tmp/dist -xf [% c('input_files_by_name/clang') %]
    tar -C /var/tmp/dist -xf [% c('input_files_by_name/python') %]
    export PATH="/var/tmp/dist/python/bin:$PATH"
 +  # For OpenSSL, see Python's README.md.
 +  export LD_LIBRARY_PATH=/var/tmp/dist/python/lib:$LD_LIBRARY_PATH
    [% IF ! c("var/linux-cross") -%]
      tar -C /var/tmp/dist -xf $rootdir/[% c('input_files_by_name/binutils') %]
      export PATH="/var/tmp/dist/binutils/bin:$PATH"
@@ -48,6 +50,9 @@ export PATH="/var/tmp/dist/rust/bin:/var/tmp/dist/cbindgen:/var/tmp/dist/node/bi
      # down properly in that case. Thus, we set it here in the build script.
      export PKG_CONFIG_PATH="${PKG_CONFIG_PATH}:/usr/lib/[% c("var/crosstarget") %]/pkgconfig"
    [% END -%]
 +  [% IF c("var/dev_artifacts") -%]
 +    python3 -m pip install $rootdir/[% c('input_files_by_name/python-zstandard') %]/*.whl
 +  [% END -%]
  [% END -%]
  [% IF c("var/macos") && c("var/dev_artifacts") %]

@@ -154,6 +154,7 @@ targets:
        arch_deps:
          - python3
          - python3-distutils
 +        - python3-zstandard
          - rsync
    windows:
@@ -161,6 +162,7 @@ targets:
        arch_deps:
          - python3
          - python3-distutils
 +        - python3-zstandard
          - wine
  input_files:
@@ -228,6 +230,9 @@ input_files:
      enable: '[% c("var/mullvad-browser") && c("var/has_l10n") %]'
    - filename: marsigner.der
      enable: '[% c("var/override_updater_url") %]'
 +  - project: python-zstandard
 +    enable: '[% c("var/linux") && c("var/dev_artifacts") %]'
 +    name: python-zstandard
    - filename: dmg-root
      enable: '[% c("var/macos") && c("var/dev_artifacts") %]'
    - project: hfsplus-tools

@@ -12,8 +12,6 @@ mkdir -p /var/tmp/build
  tar -C /var/tmp/build -xf [% project %]-[% c('version') %].tar.[% c('compress_tar') %]
  cd /var/tmp/build/[% project %]-[% c('version') %]
 -patch -p1 < "$rootdir/python3.patch"
+-
  ./configure.py --bootstrap
  mkdir -p $distdir

  # vim: filetype=yaml sw=2
 -version: '[% c("abbrev") %]'
 +version: '1.13.2'
  git_url: https://github.com/ninja-build/ninja.git
 -git_hash: a524bf3f6bacd1b4ad85d719eed2737d8562f27a #v1.11.1
 +git_hash: 3441b633c2fe2c494e958780ba0f4227b1327634  # v1.13.2
  filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.[% c("compress_tar") %]'
  container:
    use_container: 1
@@ -16,4 +16,3 @@ input_files:
    - name: python
      project: python
      enable: '[% c("var/linux") %]'
 -  - filename: python3.patch

Pier Angelo Vendrame pushed to branch main at The Tor Project / Applications / tor-browser-build

Commits:

12 changed files:

Changes:

 -From 6a17e84370064eec6f22cfb1717ab80cf898d82b Mon Sep 17 00:00:00 2001
 -From: Nico Weber <thakis@chromium.org>
 -Date: Tue, 10 Jan 2023 10:46:45 -0500
 -Subject: [PATCH] Use python3 in all run lines
+-
 -We already did this in some, this converts the rest.
 -Also chmod +x on write_fake_manifests.py while here.
 ----
 - configure.py                 | 4 +---
 - misc/measure.py              | 4 +---
 - misc/ninja_syntax_test.py    | 2 +-
 - misc/write_fake_manifests.py | 2 +-
 - src/browse.py                | 4 +---
 - 5 files changed, 5 insertions(+), 11 deletions(-)
 - mode change 100644 => 100755 misc/write_fake_manifests.py
+-
 -diff --git a/configure.py b/configure.py
 -index 09c5b283e0..588250aa8a 100755
 ---- a/configure.py
 -+++ b/configure.py
 -@@ -1,4 +1,4 @@
 --#!/usr/bin/env python
 -+#!/usr/bin/env python3
 - #
 - # Copyright 2001 Google Inc. All Rights Reserved.
 - #
 -@@ -19,8 +19,6 @@
 - Projects that use ninja themselves should either write a similar script
 - or use a meta-build system that supports Ninja output."""
+-
 --from __future__ import print_function
 --
 - from optparse import OptionParser
 - import os
 - import pipes
 -diff --git a/misc/measure.py b/misc/measure.py
 -index 8ce95e696b..f3825efbb0 100755
 ---- a/misc/measure.py
 -+++ b/misc/measure.py
 -@@ -1,4 +1,4 @@
 --#!/usr/bin/env python
 -+#!/usr/bin/env python3
+-
 - # Copyright 2011 Google Inc. All Rights Reserved.
 - #
 -@@ -17,8 +17,6 @@
 - """measure the runtime of a command by repeatedly running it.
 - """
+-
 --from __future__ import print_function
 --
 - import time
 - import subprocess
 - import sys
 -diff --git a/misc/ninja_syntax_test.py b/misc/ninja_syntax_test.py
 -index 90ff9c6bdb..61fb177d43 100755
 ---- a/misc/ninja_syntax_test.py
 -+++ b/misc/ninja_syntax_test.py
 -@@ -1,4 +1,4 @@
 --#!/usr/bin/env python
 -+#!/usr/bin/env python3
+-
 - # Copyright 2011 Google Inc. All Rights Reserved.
 - #
 -diff --git a/misc/write_fake_manifests.py b/misc/write_fake_manifests.py
 -old mode 100644
 -new mode 100755
 -index abcb677e18..bf9cf7de92
 ---- a/misc/write_fake_manifests.py
 -+++ b/misc/write_fake_manifests.py
 -@@ -1,4 +1,4 @@
 --#!/usr/bin/env python
 -+#!/usr/bin/env python3
+-
 - """Writes large manifest files, for manifest parser performance testing.
+-
 -diff --git a/src/browse.py b/src/browse.py
 -index 653cbe91f6..b125e805a9 100755
 ---- a/src/browse.py
 -+++ b/src/browse.py
 -@@ -1,4 +1,4 @@
 --#!/usr/bin/env python
 -+#!/usr/bin/env python3
 - #
 - # Copyright 2001 Google Inc. All Rights Reserved.
 - #
 -@@ -20,8 +20,6 @@
 - it when needed.
 - """
+-
 --from __future__ import print_function
 --
 - try:
 -     import http.server as httpserver
 -     import socketserver

 +Mozilla uses the python-zstandard module for various tasks in their CI, but
 +they do not vendor it in Firefox's source tree.
++
 +Since we build our own Python on Linux, we also need to build this module.

 +#!/bin/bash
 +[% c("var/set_default_env") -%]
 +outdir=[%  dest_dir _ '/' _ c('filename') %]
 +mkdir -p /var/tmp/dist $outdir
++
 +tar -C /var/tmp/dist -xf $rootdir/[% c('input_files_by_name/python') %]
 +export PATH=/var/tmp/dist/python/bin:$PATH
++
 +python3 -m pip install *.whl
++
 +tar -xf [% project %]-[% c('version') %].tar.[% c('compress_tar') %]
 +cd [% project %]-[% c('version') %]
 +python3 setup.py bdist_wheel
 +mv dist/*.whl $outdir/

 +version: 0.24.0
 +filename: 'python-zstandard-[% c("version") %]-[% c("var/build_id") %]'
 +git_url: https://github.com/indygreg/python-zstandard.git
 +git_hash: 9223924b1db8f36cf1c7c2dcd55232093890d145  # 0.24.0
 +container:
 +  use_container: 1
++
 +input_files:
 +  - project: container-image
 +  - project: python
 +    name: python
 +  # This contains only binaries for Windows.
 +  - name: setuptools
 +    URL: https://files.pythonhosted.org/packages/a3/dc/17031897dae0efacfea57dfd3a82fdd2a2aeb58e0ff71b77b87e44edc772/setuptools-80.9.0-py3-none-any.whl
 +    sha256sum: 062d34222ad13e0cc312a4c02d73f059e86a4acbfbdea8f8f76b28c99f306922
 +  # This contains only Python.
 +  - name: packaging
 +    URL: https://files.pythonhosted.org/packages/20/12/38679034af332785aac8774540895e234f4d07f7545804097de4b666afd8/packaging-25.0-py3-none-any.whl
 +    sha256sum: 29572ef2b1f17581046b3a2227d5c611fb25ec70ca1ba8554b24b0e69331a484

@@ -17,3 +17,17 @@ image.
  `browser` is a notable exception: we redefine `var/deps` for all platforms and
  already add `python3` there.
++
 +## OpenSSL
++
 +Some Python module complain about the OpenSSL version of the container being
 +too old. Therefore, we also build OpenSSL in this project, and other projects
 +needing it must add `/var/tmp/dist/python/lib` to `LD_LIBRARY_PATH`.
++
 +We do it here instead of using the `openssl` project because we do not want to
 +rebuild a big part of the toolchain for each OpenSSL update (the module would
 +be used mostly for HTTP requests, which will not go through in our builds,
 +since they happen offline).
++
 +When updating to a newever version of Debian for Linux containers, we might
 +stop building OpenSSL and go back to using the system library.

@@ -6,14 +6,28 @@
  [% END -%]
  distdir=/var/tmp/dist/[% project %]
 -mkdir -p $distdir
 +openssldir=/var/tmp/dist/openssl
 +mkdir -p $distdir $openssldir
++
 +tar -xf $rootdir/[% c('input_files_by_name/openssl') %]
 +pushd openssl-3.5.4
 +./Configure --prefix=$openssldir --libdir=lib
 +make -j[% c("num_procs") %]
 +make -j[% c("num_procs") %] install
 +# Python will try to load OpenSSL during its build process.
 +export LD_LIBRARY_PATH=$openssldir/lib:$LD_LIBRARY_PATH
 +popd
++
  tar xf [% c('input_files_by_name/python') %]
  cd Python-[% c('version') %]
 -./configure --prefix=$distdir --enable-optimizations
 +./configure --prefix=$distdir --enable-optimizations --with-openssl=$openssldir
  make -j[% c("num_procs") %]
  make prefix=$distdir install
++
 +cp -a $openssldir/lib/lib*.so* $distdir/lib/
++
  cd /var/tmp/dist
  [% c('tar', {
 -	tar_src => 'python',
 -	tar_args => '-caf ' _ dest_dir _ '/' _ c('filename'),
 -    }) %]
 +    tar_src => 'python',
 +    tar_args => '-caf ' _ dest_dir _ '/' _ c('filename'),
 +  }) %]

  # vim: filetype=yaml sw=2
 -version: 3.9.20
 -filename: 'python-[% c("var/build_id") %].tar.[% c("compress_tar") %]'
 +version: 3.13.11
 +filename: 'python-[% c("version") %]-[% c("var/build_id") %].tar.[% c("compress_tar") %]'
  container:
    use_container: 1
  var:
@@ -12,7 +12,6 @@ var:
      - libffi-dev
      - libncurses-dev
      - libsqlite3-dev
 -    - libssl-dev
      - zlib1g-dev
    setup: |
@@ -24,7 +23,14 @@ input_files:
    - project: container-image
    - name: python
      URL: 'https://www.python.org/ftp/python/[% c("version") %]/Python-[% c("version") %].tar.xz'
 -    sha256sum: 6b281279efd85294d2d6993e173983a57464c0133956fbbb5536ec9646beaf0c
 +    sha256sum: 16ede7bb7cdbfa895d11b0642fa0e523f291e6487194d53cf6d3b338c3a17ea2
    - name: '[% c("var/compiler") %]'
      project: '[% c("var/compiler") %]'
      enable: '[% c("var/linux") %]'
 +  # We do not use the same we use as tor dependency because we do not want to
 +  # rebuild Clang, Rust and other projects at each OpenSSL update.
 +  # FWIW, these OpenSSL would be used for requests that will not go through,
 +  # as our builds run offline.
 +  - name: openssl
 +    URL: 'https://github.com/openssl/openssl/releases/download/openssl-3.5.4/openssl-3.5.4.tar.gz'
 +    sha256sum: 967311f84955316969bdb1d8d4b983718ef42338639c621ec4c34fddef355e99