openbsd vs pyca-cryptography build

[Brian Warner]

On 3/19/16 5:52 PM, Kyle Markley wrote:
> My system must be funny - I don't have "pip wheel".  But I was able to
> python setup.py build from the tarball without any complaint.  Then,
> trying to run the tests gives me undefined symbol errors referencing the
> same symbols. The final line of output says:  7 failed, 725 passed, 1
> skipped, 131 error in 60.57 seconds
> 
> So, this is definitely an issue with the cryptography package. How can I
> help, if I don't have much time to do so?

Ok, I talked to the pyca folks (#cryptography-dev on freenode, if you're
into IRC), and they said that the LibreSSL-2.0 that appears to be
present in OpenBSD-5.6 is the "bad old one", where they changed the ABI
but didn't add anything to the version string so you can tell it's
LibreSSL instead of OpenSSL. They use an OPENSSL_VERSION_NUMBER check to
tell if the ALPN symbols are supposed to be present, but that particular
version of LibreSSL doesn't let that work.

They have Jenkins tests, not for OpenBSD in particular, but they do have
coverage of LibreSSL 2.2.5.

It looks like OpenBSD-5.8 is the current version. It's possible that 5.7
or 5.8 will work with current "cryptography". I'm going to spin up an
EC2 instance with OpenBSD-5.8 to confirm. If that works, I'll add some
release notes (and something to our platform-specific docs) to point out
that 5.6 has an incompatible LibreSSL, but 5.8 should work.

For the long term.. any interest in upgrading that buildslave to
OpenBSD-5.8 (once we confirm that will actually fix Tahoe's needs)? The
cryptography folks could also use a Jenkins buildslave to check
compatibility going forwards: Paul Kehrer ("reaperhulk" on IRC) offered
to configure your box to be a Jenkins buildslave, but he'd need root.

thanks,
 -Brian