Description of problem: Package python3 fails to build from source in Fedora rawhide. ====================================================================== FAIL: test_min_max_version (test.test_ssl.ContextTests) ---------------------------------------------------------------------- Traceback (most recent call last): File "/builddir/build/BUILD/Python-3.8.0/Lib/test/test_ssl.py", line 1207, in test_min_max_version self.assertEqual( AssertionError: <TLSVersion.TLSv1_3: 772> != <TLSVersion.MAXIMUM_SUPPORTED: -1> ---------------------------------------------------------------------- Version-Release number of selected component (if applicable): 3.8.0-2.fc32 Steps to Reproduce: koji build --scratch f32 python3-3.8.0-2.fc32.src.rpm Additional info: This package is tracked by Koschei. See: https://koschei.fedoraproject.org/build/7322718 Koschei says glibc was updated: https://src.fedoraproject.org/rpms/glibc/c/17391589c0dd9b92cf9c61efee9b0f12d7d3d030?branch=master Is that possibly related?
I get a consistent result with glibc 2.30.9000-20.fc32. That was a red herring. ------- However, I've bisected the problem to crypto-policies-20191002-1.gitc93dc99.fc32 https://src.fedoraproject.org/rpms/crypto-policies/c/b7ce8f783ce01feb997c7aee323b8276a52777c4?branch=master https://koschei.fedoraproject.org/affected-by/crypto-policies?epoch1=0&version1=20191002&release1=1.gitc93dc99.fc32&epoch2=0&version2=20191128&release2=1.gitcd267a5.fc32&collection=f32 $ rpm -q crypto-policies crypto-policies-20191002-1.gitc93dc99.fc32.noarch $ python3 -c 'import ssl; ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER); print(repr(ctx.maximum_version))' <TLSVersion.MAXIMUM_SUPPORTED: -1> $ dnf -qy update crypto-policies $ rpm -q crypto-policies crypto-policies-20191128-1.gitcd267a5.fc32.noarch $ python3 -c 'import ssl; ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER); print(repr(ctx.maximum_version))' <TLSVersion.TLSv1_3: 772> Tomáš, has there been a deliberate change or is it a regression? I don't see anything related in the changelog. Thanks.
Yes, this was a deliberate change. It is related to the addition of OSPP subpolicy which requires setting the MaxProtocol to TLSv1.2. Ideally this test in Python should be written in a way that it would not depend on system-wide settings.
This is coming to RHEL-8.2 as well.
Thanks. I think this can be workarounded by reintroducing https://src.fedoraproject.org/rpms/python3/c/b33b4a5162e2b5873c5846dcba882f3569ab76cd?branch=master
Indeed: $ python3 -c 'import ssl; ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER); print(repr(ctx.maximum_version))' <TLSVersion.TLSv1_3: 772> $ env OPENSSL_CONF=/non-existing-file python3 -c 'import ssl; ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER); print(repr(ctx.maximum_version))' <TLSVersion.MAXIMUM_SUPPORTED: -1>
First PR: https://src.fedoraproject.org/tests/python/pull-request/15
Second PR: https://src.fedoraproject.org/rpms/python3/pull-request/155
A workaround has been set. We keep this open until the fix is changed. It was done in upstream for the future versions of 3.9, 3.8 and 3.7.
s/the fix is changed/the test is changed/
This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle. Changing version to 32.
We can probably drop the workaround now, someone needs to check & drop.
PR to drop workaround, it works without it. https://src.fedoraproject.org/rpms/python3/pull-request/180 https://src.fedoraproject.org/tests/python/pull-request/22