please provide binaries

Ooh, actually there are a couple of reasons why it wouldn't be this easy.

First of all, "bdist_egg" isn't a command of distutils, so we would have to patch pyOpenSSL to use setuptools for that purpose. Secondly, it looks like such bdists are dynamically linked against libcrypto and/or libssl, at least on Mac OS X -- I haven't looked at other platforms yet. Therefore, while doing this *would* relieve users of having to have openssl development headers installed, it would not relieve them of the need to have the right version of libssl and libcrypto .so's installed.

So, further study is warranted...

eGenix provides binary packages: http://www.egenix.com/products/python/pyOpenSSL/

For the time being, I think that's sufficient.

I agree with zooko. It would be best if there were eggs for pyOpenSSL so that people could depend on/install it easily. I work for a company that distributes eggs for pyOpenSSL across many different platforms and so I would be willing to help submit my existing patch for pyOpenSSL's setup.py that allows this to work. We currently distribute eggs for win32, universal os x 10.3-10.5 and red hat 3. The red hat binary would not work with setuptools as-is, since it needs to run a post-install script at the end to fix some rpaths, but on the other platforms I mentioned it works just fine. Who would I talk to about fixing this?

Would the binary eggs be statically linked or dynamically linked? Or would they include both? Does this cause problems if users install a binary egg without a compatible version of OpenSSL installed?

On Windows, the binaries are statically linked, which is why we ship the necessary openssl runtime .dll's inside the egg, which allows the extension to find it without the binaries having to be on the system PATH. On OS X, they are also dynamically linked against the system ssl libraries, which I know for a fact are binary compatible between OS X 10.4 and 10.5(intel and ppc), because I had to test my pyOpenSSL egg on all of these platform combinations.

On Windows there would not be any problems since the openSSL binaries would be inside the egg itself, and on OS X there would only potentially be problems if they overwrite the standard openSSL libraries that come with the system. If someone had a different version of openSSL that they got through fink or macports it wouldn't interfere with the pyOpenSSL egg.

I'd be happy to look at your setup.py patch. I'd rather not make setuptools *required* by pyOpenSSL, but optionally using it for things like building binary eggs is fine. You can attach the patch here or push a branch of trunk which includes it.

Here is my patch to take advantage of setuptools in order to create Windows binaries. Sorry about the late response, I have been rather swamped lately :) Let me know what you think.

I glanced at the patch. It is nice and simple.

One problem this introduces for me is that it breaks `setup.py install --prefix ...´. This makes it harder to test pyOpenSSL (and it's already too hard, I need to start making it easier).

Is there some way to prevent this from happening?

exarkun@boson:~/Projects/pyOpenSSL/trunk$ python setup.py install --prefix /tmp/testing
running install
Checking .pth file support in /tmp/testing/lib/python2.5/site-packages/
error: can't create or remove files in install directory

The following error occurred while trying to add or remove files in the
installation directory:

    [Errno 2] No such file or directory: '/tmp/testing/lib/python2.5/site-packages/test-easy-install-3426.pth'

The installation directory you specified (via --install-dir, --prefix, or
the distutils default setting) was:

    /tmp/testing/lib/python2.5/site-packages/

This directory does not currently exist. Please create it and try again, or
choose a different installation directory (using the -d or --install-dir
option).

You can add "--single-version-externally-managed" and "--record=anyfilename.txt" to the command-line.

The setup.py could be hacked to added those options automatically.

{{{
import sys
sys.argv.append("--single-version-externally-managed")
sys.argv.append("--record=anyfilename.txt")
}}}

Hello, I would like to let people who want to use allmydata-tahoe on Windows do so without having to manually install OpenSSL and pyOpenSSL themselves. It appears that Chris Galvan's patch would make this work for me. What can I do to accelerate the acceptance of this patch?

If you like, I will write a patch to pyOpenSSL's setup.py so that if someone passes "--prefix=$FOO" as an argument to "install" or "develop", it automatically does the "mkdir -p $FOO/lib/python$VER/site-packages" and the insertion of $FOO/lib/python$VER/site-packages into the sys.path. Or if you like I will make it so that when someone does "--prefix=$FOO" then it automatically does "--single-version-externally-managed" and "--record=log-of-installed-files.txt".

Or, I would be willing to help in some other way.

Here's my proposed code: https://code.launchpad.net/~zooko/pyopenssl/buildbinaries/+merge/1640

Note that I have submitted a patch for setuptools -- http://mail.python.org/pipermail/distutils-sig/2008-November/010488.html -- that would render this "tweak the sys.path" behavior unnecessary. However, could we please go ahead and build pyOpenSSL binaries for Windows so that the next release of Tahoe (which will be called tahoe-lafs-1.3.0), will be installable on Windows?

I would be willing to do some more work to make this happen, such as perhaps writing a buildbot config script to build binaries and upload them to pypi whenever a bzr commit happens.

I would even (ick) be willing to *manually* build a binary and upload it to pypi, at least this one last time (because hopefully in the future such icky manual labor will be automated).

The slave which builds two thirds of the Windows pyOpenSSL packages is currently offline. I hope that it will return very soon, but I can't build all of the pyOpenSSL Windows packages until it comes back.

However, this isn't the main obstacle here. Two issues have prevented me from doing anything on this ticket so far:

  - I haven't had a lot of time to work on pyOpenSSL lately
  - Windows isn't my primary platform and I don't have a good understanding of the implications of this change.

You've done a lot to help out with the first issue (by providing patches and a bzr branch) but relatively little has changed since this ticket was filed regarding the second point. Can you do anything about it? I am concerned about several things, although since my understanding of the issue isn't great, I'm also concerned that I'm missing being concerned about something important. In any case:

  - How does this change the experience for a Windows user who was previously satisfied with the current style of pyOpenSSL Windows installers?
  - What are the implications for the importance of the version of OpenSSL (not pyOpenSSL) installed on the host which builds the Windows installer for pyOpenSSL? I have very little control over these machines and I have the (unsubstantiated) feeling that this change makes the version of OpenSSL installed on them more important.
  - This isn't strictly Windows related, and I'd be happy to be told it is a complete red herring: What are the export implications of this change?

With the right answers to these questions, I think I'll feel comfortable about merging your branch.

> "The slave which builds two thirds of the Windows pyOpenSSL packages is currently offline. I hope that it will return very soon, but I can't build all of the pyOpenSSL Windows packages until it comes back."

I am willing to offer a Windows buildslave for pyOpenSSL. It will be the same machine that currently runs Twisted and Nevow Windows buildslaves.

Also I'm willing to manually (ick) use that machine to build packages.

I will now try to answer your questions. Unfortunately I do not know much about the current Windows Installer way to do things, so I will indicate where my answers are guesses.

> "- How does this change the experience for a Windows user who was previously satisfied with the current style of pyOpenSSL Windows installers"

I don't think that this ticket is about removing pyOpenSSL Windows installers, I think it is about adding a bdist_egg. This will have no effect on users who download and run a pyOpenSSL Windows installer. Even if someone for example *both* installs a pyOpenSSL Windows installer and installs a binary egg, I don't think it there will be a problem. I'm not entirely sure about that. Chris Galvan, could you comment?

> "- What are the implications for the importance of the version of OpenSSL (not pyOpenSSL) installed on the host which builds the Windows installer for pyOpenSSL? I have very little control over these machines and I have the (unsubstantiated) feeling that this change makes the version of OpenSSL installed on them more important."

Hm. What will happen is that the "setup.py bdist_egg" process will copy the OpenSSL DLL into the resulting .egg file. Therefore, whatever version of OpenSSL is installed on the build machine is the version that will be included in the binary egg. How is this different from what the current Windows Installers do?

> "- This isn't strictly Windows related, and I'd be happy to be told it is a complete red herring: What are the export implications of this change?"

This change doesn't have any effect on export issues.

> Hm. What will happen is that the "setup.py bdist_egg" process will copy the OpenSSL DLL into the resulting .egg file. Therefore, whatever version of OpenSSL is installed on the build machine is the version that will be included in the binary egg. How is this different from what the current Windows Installers do?

The Windows installers don't include the OpenSSL DLL. They link against it, or whatever it is that you do to DLLs on Windows. The user is required to install OpenSSL separately from pyOpenSSL such that the DLLs which are linked against can be found.

I see. Well, as I understand it (Chris Galvan -- please help!), the bdist_egg approach in this ticket will include a DLL inside the pyOpenSSL directory, so it will not interfere with (nor benefit from) an OpenSSL DLL which is installed into a system directory.

Sorry for the late reply, I was at school all day today :)

As Zooko already pointed out, the patch would include the OpenSSL DLLs inside the .egg file. On Windows, the Python extensions which are linked against these DLL's dynamically find the necessary DLLs by looking for them either:

1. In the same directory as the extension.
2. In one of the folders on the user's system PATH.
3. I believe that also Python extensions can find DLL's under <python root>/DLLs.

In any case, our proposed patch takes advantage of the (1) method of finding these DLLs. This would allow Windows users to not have to install OpenSSL on their system, since the DLL's would be dynamically found from inside the egg itself. Also, this would not interfere with any existing OpenSSL installation on the users' system because the directory inside the egg which these DLL's would be is not added to your system PATH, so the only thing that will know about these DLLs is the pyOpenSSL extensions.

Hopefully this cleared up some of your questions, is there anything else I can help to clear up?

Okay, what's the next step? I would be happy to set up a Windows buildslave.

Argh. I wasted my morning trying to build openssl and pyOpenSSL myself. It is apparent that both of their build scripts have many hardcoded assumptions which make it difficult for me to build native Windows binaries with cygwin gcc. I'm very frustrated. Feel free to enjoy my angry blog --

http://testgrid.allmydata.org:8123/uri/URI:DIR2-RO:hgvn7nhforxhfxbx3nbej53qoi:yhbnnuxl4o2hr4sxuocoi735t6lcosdin72axkrcboulfslwbfwq/wiki.html#2008-12-01

Anyway, it is increasingly urgent for me to be able to provide my users with a binary of pyOpenSSL. I would very much rather stop using pyOpenSSL and ~OpenSSL entirely in Tahoe, but unfortunately we still sort of rely on it for a couple of things. Please, please build binary eggs for Windows for me. Thank you.

Something which hasn't quite been implicit up to this point but which hasn't really been directly stated and which is really critical: there are two things actually being requested here. The first is that pyOpenSSL's distutils junk be changed so that it can build eggs. The second is that such an egg be uploaded to PyPI. One of these will be resolved by a commit to the repository and a subsequent release, the other will only be resolved when someone runs an `upload´ command of some sort.

I think that you (zooko) are more interested in the latter than in the former, except inasmuch as the former facilitates the latter. It occurs to me that your immediate difficulties can be resolved without committing anything to the repository though. If someone locally patches pyOpenSSL 0.8's setup.py so that it can build binary eggs and then runs the upload command, your issue will be resolved (one thing I'm not sure about is whether a subsequent 0.9 release without a binary egg being uploaded would ruin your day or not). Is this accurate? If so, I'm happy for that to happen ASAP so that your life gets easier before I have time to resolve this in a way that I'm confident in committing to trunk.

Dear JP:

Thank you for the prompt offer of help. You are right that all I currently need is for someone to build an egg and make it available to me.

(I remain interested in helping with other related things: making the pyOpenSSL setup.py script capable of building eggs, automating the building of such with buildbot, patching the OpenSSL config scripts so that you can build native OpenSSL libs with cygwin, etc.)

In fact, I don't even require that the egg is hosted on PyPI -- I could host that particular binary egg on allmydata.org. It would seem better for it to be hosted on PyPI, for various reasons.

Thanks!

Regards,

Zooko

Hi Zooko,

So can you generate the egg and host it yourself until I "officially" resolve this somehow? I can't generate the egg very easily, as I have no direct access to a Windows machine.

Well, that's what I tried to do this morning. But it appears I can't compile OpenSSL or pyOpenSSL without acquiring a Microsoft compiler.

Maybe Chris Galvan could build one for me.

Okay, I found these instructions:

http://bugpy.blogspot.com/2007/07/pyopenssl-installation.html

Which look like they might work, starting from the openssl official (???) binaries for Windows:

http://www.slproweb.com/products/Win32OpenSSL.html

I really hate redistributing binaries of unknown provenance, that I'm unable to build myself from source, and I really hate manually re-arranging the filesystem and/or patching setup scripts in order to build, but I'm willing to do it this time, in the hopes that it won't be necessary next time.

Okay, I'm sorry that I was so grumpy earlier. OpenSSL *does* come with instructions for how to build it in exactly the way that I want: using cygwin tools to produce native-win32 executables (which is a kind of cross-compiling).

I'm now trying that to generate OpenSSL binaries, then I'll try to patch the pyOpenSSL setup.py to use those binaries.

Ah, those instructions for building native libs using cygwin fail to produce shared libraries -- they can apparently only produce static libraries that way. Of course, static libraries are not sufficient to build pyOpenSSL. Having now spent more or less all day on this project, I give up for now. :-(

Ah, thanks to russians for posting howtos:

http://vitus.wagner.pp.ru/articles/openssl-mingw.html

Okay, I un-give-up. Maybe I should stop updating this ticket quite so often, but I didn't want Chris Galvan to start doing it and then find out that I was doing it.

Here is a letter that I wrote to openssl-dev:

Folks:

I'm trying to build a native win32 openssl-0.9.8i using cygwin gcc (this is a kind of cross-compilation). The goal is to build a binary distribution of the pyOpenSSL package for Python.

The INSTALL.W32 contains instructions, but they don't link shared libs correctly -- exhibit A "openssl-098i-pristine.make.log.txt.bz2". This problem is described on this web page -- http://vitus.wagner.pp.ru/articles/openssl-mingw.html .

I tried the patch to Configure from that page (attached as "Configure.patch.txt") and it did indeed cause the shared libs to be linked correctly and then "make test" passes. However, then when I try to build pyOpenSSL using the openssl-0.9.8i header files I get an error -- "ossl_typ.h:178: error: parse error before numeric constant". Please see attached "gcc.cmdline.txt" and "gcc.log.txt". The relevant part of the pyOpenSSL "connection.c" is visible here:

http://bazaar.launchpad.net/%7Eexarkun/pyopenssl/trunk/annotate/78?start_revid=78&file_id=connection.c-20080219014912-qyb7kjf196jhzlyv-149

It says "#include <openssl/err.h>".

I investigated a bit but I couldn't figure out what is wrong. OCSP_RESPONSE is being defined with a typedef in ossl_typ.h line 178, and that gives this parse error, which presumably has something to do with "DECLARE_ASN1_FUNCTIONS(OCSP_RESPONSE)" over in asn1.h.

Hopefully someone on this list can easily spot the problem.

Thanks!

Regards,

Zooko

Here's just the patch part from the "details.tar.bz2" tarball:

Applying this patch -- http://rt.openssl.org/Ticket/Display.html?id=1749&user=guest&pass=guest -- to openssl-0.9.8i makes it possible to build pyOpenSSL against openssl-0.9.8i with mingw. However, once I've done that, and I produce a binary egg with "python ./setup.py bdist_egg", I get the same failure as I already had with Chris's egg (described on http://allmydata.org/trac/tahoe/ticket/456#comment:21 ):

$ PYTHONPATH=./pyOpenSSL-0.8-py2.5-win32.egg python -c "import OpenSSL"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "c:\Python25\lib\site-packages\pyopenssl-0.8-py2.5-win32.egg\OpenSSL\__init__.py", line 11, in <module>
  File "c:\Python25\lib\site-packages\pyopenssl-0.8-py2.5-win32.egg\OpenSSL\rand.py", line 7, in <module>
  File "c:\Python25\lib\site-packages\pyopenssl-0.8-py2.5-win32.egg\OpenSSL\rand.py", line 6, in __bootstrap__
ImportError: DLL load failed: The specified module could not be found.

A-ha! I cleverly notice that the stack trace that I pasted clearly shows that it is trying to import pyopenssl from C:\Python25, not the one from ./pyOpenSSL-0.8-py25-win32.egg

Ooh, I figured something out. If I add zip_safe=False to setup(), then I get an .egg which still doesn't work when I do "PYTHONPATH=that.egg python -c 'import OpenSSL'", but *does* work if I do "easy_install that.egg".
Something about the zipping of the egg is breaking the import of the rand.pyd and the other .pyd files.

Now proceeding to deploy my home-grown pyopenssl binary egg with zip_safe=False...

Further improvements to this process and a way for it to be zip_safe would be most welcome...

Note that I still need a python 2.4 egg. I can produce one myself, of course, now, but help would be appreciated.

http://testgrid.allmydata.org:3567/uri/URI:DIR2-RO:snrfwfxatrci35zdgjnzxxx2ke:unarxv347edtku3xzmefy4mcdmfngxzeb72iyqcadbjzjpczjx5a

^-- build dependencies for tahoe, stored on tahoe!

I got this far:

Traceback (most recent call last):
  File "setup.py", line 102, in ?
    data_files = [("OpenSSL", glob(os.path.join(ssl_lib, '*.dll')))]
  File "c:\python23\lib\ntpath.py", line 89, in join
    assert len(path) > 0
AssertionError

I don't have SSL_LIB or SSL_INC set, so that'd be why. I need some more help from Windows people to get any further. The data files we want seem to be cryptoeay32-0.9.8.dll and ssleay32-0.9.8.dll. Zooko got this by building OpenSSL himself following some procedure which I haven't read through in detail. I can't build OpenSSL for Windows without a lot of work (Zooko figured out most of the hard stuff, probably, but I don't even have direct access to a Windows machine) and I'd rather *not* build it myself, anyway. So I need to see if there are other possibilities for getting these dlls. I already have *some* OpenSSL libraries (I can use pyOpenSSL, after all). If there's some way to leverage those, that would be great.

There are a couple Windows people in particular I am going to track down to try to find the answers to these questions, but any input from anyone else is more than welcome.

allmydata.com is working on making a Windows machine accessible to JP over RDP.

Chris Galvan has been building bdist_egg's of pyOpenSSL for Windows for various Python's. See notes here:

http://allmydata.org/trac/tahoe/ticket/456

A new user of Tahoe tried to use it on Windows and got a failure to use the OpenSSL DLL from the binary egg:

http://allmydata.org/trac/tahoe/ticket/664 # Unable to start.

I've just released 0.9. I uploaded a Python 2.3 binary egg and a Python 2.5 binary egg to PyPI. It would be nice to hear whether these are working for people or not.

I'm currently unable to build Python 2.4 or Python 2.6 versions, as I lack properly configured Windows machines with those versions of Python installed (I have improperly configured Windows machines with those versions installed, though). If anyone can give me some assistance in getting these machines configured properly, then I should be able to build binary eggs for those versions of Python as well.

Hooray! Good news! I have a Windows machine here that has Python 2.6. I guess I have to take it away from my son who is playing Battle For Wesnoth and reboot it to Windows first, though. Shall I just run "python2.6 ./setup.py bdist_egg" and send you the resulting .egg file?

Sounds great

Sigh. No can do. This issue makes it impossible to build pyopenssl using only free software tools on Windows:

http://bugs.python.org/issue3308

Please find someone who is willing to use the Microsoft compiler for this purpose and ask them to build a py2.6 binary. :-(

Oh, there may be another option. http://bugs.python.org/issue3308 suggests that the problem manifests itself only when the extension module needs to link to localtime(). How much work would it be to change pyOpenSSL so it doesn't need that symbol? Ideally by removing code that uses localtime() -- I love removing code -- but possibly also by substituting some other function?

Hm. I'm not sure I fully understand, but:

exarkun@charm:~/Projects/pyOpenSSL/trunk$ grep localtime ./ -r --include '*.c'
exarkun@charm:~/Projects/pyOpenSSL/trunk$ grep localtime /home/exarkun/Scratch/Source/openssl-0.9.8g/ -r --include '*.c'
/home/exarkun/Scratch/Source/openssl-0.9.8g/crypto/mem_dbg.c: lcl = localtime(&m->time);
/home/exarkun/Scratch/Source/openssl-0.9.8g/ssl/kssl.c: tm_l = localtime(&now); tl = mktime(tm_l);

Well, I still don't really understand, but I built a Python 2.6 binary egg using VSE.

Alas, this doesn't work for me. The following starts with the cmd.exe command shell and uses the standard python 2.6.2 for Windows from python.org:

C:\Documents and Settings\Zooko Brillnonywonx\Desktop>python -i
Python 2.6.2 (r262:71605, Apr 14 2009, 22:40:02) [MSC v.1500 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import sys
>>> sys.path.append("pyOpenSSL-0.9-py2.6-win32.egg")
>>> import OpenSSL
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "pyOpenSSL-0.9-py2.6-win32.egg\OpenSSL\__init__.py", line 11, in <module>
  File "pyOpenSSL-0.9-py2.6-win32.egg\OpenSSL\SSL.py", line 7, in <module>
    Object types:
  File "pyOpenSSL-0.9-py2.6-win32.egg\OpenSSL\SSL.py", line 6, in __bootstrap__

ImportError: DLL load failed: The specified module could not be found.
>>>

And here I first unzipped it using winrar:

C:\Documents and Settings\Zooko Brillnonywonx\Desktop\tmp\unzipped>dir
 Volume in drive C is S3A3305D001
 Volume Serial Number is 14EE-EB5A

 Directory of C:\Documents and Settings\Zooko Brillnonywonx\Desktop\tmp\unzipped

02/06/2009 02:42 PM <DIR> .
02/06/2009 02:42 PM <DIR> ..
02/06/2009 02:42 PM <DIR> EGG-INFO
02/06/2009 02:42 PM <DIR> OpenSSL
               0 File(s) 0 bytes
               4 Dir(s) 22,211,915,776 bytes free

C:\Documents and Settings\Zooko Brillnonywonx\Desktop\tmp\unzipped>python -i
Python 2.6.2 (r262:71605, Apr 14 2009, 22:40:02) [MSC v.1500 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import OpenSSL
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "OpenSSL\__init__.py", line 11, in <module>
    import rand, crypto, SSL, tsafe
ImportError: DLL load failed: The specified module could not be found.
>>>

Chris Galvan built a pyOpenSSL win32 py2.6 binary egg, attached. He wrote:

"""
I have attached the pyOpenSSL egg I built. The main differences I saw between mine and the one exarkun built is that his was zip-safe and was missing ssleay32.dll. Let me know if mine works for you!
"""

I haven't tried it yet.

I wonder how Chris built this. I'm very keen to have build automation which does this stuff right. I don't want to bother anyone when I release 0.10 to build another egg, I just want it to happen. :)

Chris, can you provide details on what you did?

By the way, before Zooko reminded me of the last comment on this ticket, I spent a long time reworking setup.py. I've gotten it to the point where it can build the other kinds of bdists for Windows, but it's presently placing the dlls in the wrong place when bdist_egg is used. I wonder if there is some trick to being able to put the dlls in the right place in all cases.

That work is in <lp:~exarkun/pyopenssl/working-windows-build>, for what it's worth.

I think working-windows-build is now in somewhat decent shape. The build it is capable of doing still has certain requirements on the environment in which it is run which I would prefer to avoid, but I think this is still a significant improvement from current trunk. And specifically, I think that at least *I* can use it to build working binary Windows distributions of pyOpenSSL, which I will undertake to do for each release.

I would like someone else to test the binaries created by this branch before I merge it, though. I'll attach several here shortly.

Alright, perhaps now this is resolved. The working-windows-build branch should make things better. When I release 0.10, there'll be binaries on PyPI.