Use latest version of OpenSSL by redorlik · Pull Request #1349 · python/devguide

All commit authors signed the Contributor License Agreement.

OpenSSL was updated from 1.1 to 3.0 in:

• #1111
• #1112

The changes LGTM unless there is some reason to prefer pinning 3.0.

The changes LGTM unless there is some reason to prefer pinning 3.0.

IIRC, when we finally switched from recommending OpenSSL 1.x to OpenSSL 3.0.x, the thinking was that 3.0.x was the OpenSSL stable Long Term Support (LTS) branch with the longest support life and that is still the case. Whether that should be the deciding factor today isn't clear to me. Other opinions? @gpshead ? @tiran ?

Yep, so long as OpenSSL project is providing the concept of "long term support" releases as you linked to above, we should stick with those in our binary release builds shipped by CPython. We want to ship builds made with the OpenSSL version having the latest EOL date to minimize potentially disruptive changes in Python patch releases.

Regardless, this PR is about the "getting-started" guide. I doubt it hurts most of the time for people getting their own local dev environments setup to use a more recent version rather than pinning to the LTS 3.0.

Just be aware that when a new OpenSSL release comes out, not all branches of CPython may be ready to build and link against it yet (including main). If we accept this PR and that hurts us in the future we could revisit this change.

Just be aware that when a new OpenSSL release comes out, not all branches of CPython may be ready to build and link against it yet (including main). If we accept this PR and that hurts us in the future we could revisit this change.

I agree with the above though the net effect of the change in the PR is that upgrades from one branch of OpenSSL to another will happen somewhat unpredictably as it will depend on when Homebrew updates their openssl3 recipe to a different OpenSSL 3.x branch and then when the user of the devguide suggestion updates their installation of Homebrew.