Add SSL to our custom Python for MozBug 1924022

Bug 1924022 added a dependency on Python's built-in ssl module for compatibility with Python 3.13.

For some reason, the Python 3.11 we build by ourselves doesn't contain the binary part (_ssl) required by the Python bindings.

We need to fix it before 14.0.1.

added Build System Doing Linux labels

assigned to @pierov

marked this issue as related to #41192 (closed)

marked this issue as related to #41277 (closed)

This should also fix the nightly builds.

marked this issue as related to #41193 (closed)

This problem doesn't have a clean solution.

The main problem is that Python 3.11 requires OpenSSL 1.1.1, whereas our very old Debian ships OpenSSL 1.1.0.

We have several solutions here:

• use the OpenSSL we build for tor
  • Not good, we update it quite often. In case of an OpenSSL emergency patch we'd have to rebuild Python, which is used also by other build systems, such as Clang, Rust, ninja and node (only on Linux)
• we try to install OpenSSL 1.1.1 on the containers for Python and Firefox (I believe the actual OpenSSL is required only if you need the module)
• we create a new project for OpenSSL 1.1.1, or we build OpenSSL 1.1.1 with Python
• we patch Firefox not to depend on ssl, since the module should be used only for bootstrapping
  • on tor-browser-build, or for everybody in tor-browser.git? Maybe if it's in tor-browser.git we can use a try: rather than commenting
• we downgrade Python to 3.9 (or 3.8), which are compatible with mach and with OpenSSL 1.1.0 (1.1.1 is required since 3.10)
  • 3.9 goes EOL on 2025-10-31, so it's a good bet, 3.8 went EOL a couple of weeks ago
  • each Python series has a different singing key, maybe we could switch to hashes...

At the moment I think the last one would be the less intrusive for our build system, but Mozilla might bump the requirement for Python before bumping the minimum glibc.

@boklm do you have any preferences?

• we patch Firefox not to depend on ssl, since the module should be used only for bootstrapping

This one looks quite simple, since it's just reverting a small patch.

• we downgrade Python to 3.9 (or 3.8), which are compatible with mach and with OpenSSL 1.1.0 (1.1.1 is required since 3.10)

Do you know if Clang, Rust, ninja and node work with this version?

This one looks quite simple, since it's just reverting a small patch.

Yep, but I'd prefer avoiding it in tor-browser.git, as some people might actually want to bootstrap.

Also, my fear is that we apply that patch and then nobody remembers why we added it. So, maybe adding it to tor-browser-build could work, like the no NSIS patch.

Do you know if Clang, Rust, ninja and node work with this version?

Yes. I started a build around one hour ago, and I'm building the final dependencies for the browser project (e.g., fonts and the manual), so the build of Firefox worked.

Yes. I started a build around one hour ago, and I'm building the final dependencies for the browser project (e.g., fonts and the manual), so the build of Firefox worked.

Ok, so downgrading to Python 3.9 seems fine.

marked this issue as related to #41263 (closed)

mentioned in issue #41263 (closed)

mentioned in merge request !1074 (merged)

mentioned in merge request !1078 (merged)

removed the relation with #41193 (closed)

closed

removed Doing label