public inbox for openembedded-core@lists.openembedded.org
From: Colin Pinnell McAllister <colinmca242@gmail.com>
To: openembedded-core@lists.openembedded.org
Cc: Colin Pinnell McAllister <colinmca242@gmail.com>
Subject: [PATCH v2] python3-cryptography: Add legacy-openssl packageconfig
Date: Sat,  7 Feb 2026 05:51:32 -0600
Message-ID: <20260207115132.36854-1-colinmca242@gmail.com>
In-Reply-To: <20260122025736.187410-1-colinmca242@gmail.com>

Fixes [YOCTO #15416]

The OpenSSL legacy provider supplies algorithms that are either used
infrequently or have been deemed insecure by modern standards. The
Python3 cryptography module can optionally support this provider via the
openssl-ossl-module-legacy package.

Currently, the cryptography module builds with legacy provider support
enabled by default, regardless of whether the legacy modules are
actually included in the system. This patch makes that dependency
explicit by introducing a legacy-openssl packageconfig option that:

* Ensures runtime dependency on openssl-ossl-module-legacy when enabled
* Allows users to disable legacy algorithm support via build configuration
* Aligns python3-cryptography's defaults with OpenSSL's current defaults

The packageconfig option defaults to enabled for consistency with
OpenSSL's current configuration and to avoid breaking existing
deployments. A future security improvement will disable legacy modules
by default in OpenSSL, at which point this packageconfig can also
default to disabled.

Signed-off-by: Colin Pinnell McAllister <colinmca242@gmail.com>
---
v2 changes:
* Updated commit message to clarify intent and rationale for the change

This patch stands on its own and can be merged without the related
OpenSSL patch. I will work on the OpenSSL patch separately, since
there's some work required to ensure ptests can run without the legacy
provider. Additionally, the libcrypto dependency needs to be
investigated. I do not want this change to be blocked by the OpenSSL
patch, since this is a bugfix that can be merged independently.

 meta/recipes-devtools/python/python3-cryptography.bb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/meta/recipes-devtools/python/python3-cryptography.bb b/meta/recipes-devtools/python/python3-cryptography.bb
index b3b45cd172..366fda5e87 100644
--- a/meta/recipes-devtools/python/python3-cryptography.bb
+++ b/meta/recipes-devtools/python/python3-cryptography.bb
@@ -22,6 +22,11 @@ require ${BPN}-crates.inc
 
 inherit pypi python_maturin cargo-update-recipe-crates pkgconfig
 
+PACKAGECONFIG ??= "legacy-openssl"
+PACKAGECONFIG[legacy-openssl] = ",,,openssl-ossl-module-legacy"
+
+export CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY = "${@bb.utils.contains('PACKAGECONFIG', 'legacy-openssl', '0', '1', d)}"
+
 DEPENDS += " \
     python3-cffi-native \
     openssl \
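
Review bot: On the `export CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY` line, the variable is exported as "0" in the default (legacy enabled) configuration, so the outcome depends on the cryptography build reading the value rather than only testing whether the variable is set. Please confirm that against the build script of the version this recipe packages; if it only checks for presence, the default build would silently drop legacy support while still pulling in openssl-ossl-module-legacy, and the export should then be made conditional on the option being disabled. Separately, a short comment above `PACKAGECONFIG[legacy-openssl]` would help: the three leading commas make openssl-ossl-module-legacy a runtime dependency only, and nothing in the recipe says what disabling the option removes or that the default stays on for compatibility.
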
-- 
2.52.0



Thread overview: 5+ messages
2026-01-22  2:57 [PATCH] python3-cryptography: Add legacy-openssl packageconfig Colin Pinnell McAllister
2026-01-26 10:05 ` [OE-core] " Alexander Kanavin
2026-01-26 13:55   ` Colin
2026-01-26 20:03     ` Alexander Kanavin
2026-02-07 11:51 ` Colin Pinnell McAllister [this message]
