Bump python to 2.7.10

[wsnipex]

this bumps unified depends platforms python to the latest 2,7 release 2.7.10

I'd appreciate testing.

fixes (#15883)

[wsnipex]

jenkins build this please

[wsnipex]

jenkins build this please

[wsnipex]

jenkins build this please

[MartijnKaijser]

Let me know and I'll do some droid runtime

[wsnipex]

@MartijnKaijser: yes please.
@Memphiz I need help with IOS. can't for the life of me get PIL to build

[Paxxi]

We've been running 2.7 on windows for ages do hopefully it shouldn't be any issues. You want me to bump win32 as well so we're 2.7.10 across the board?

[wsnipex]

@Paxxi python is by far the worst nightmare depend we have to cross-compile, so proper testing is warranted. Bumping windows as well would probably make sense, if you have time for it.

[zag2me]

Sorry for the question, but does this mean Python will be the same version on all platforms?

I'm writing a tutorial on python scripting and a couple of users commented that you couldn't rely on some functions working on some platforms.

[wsnipex]

jenkins build this please

[wsnipex]

@zag2me part from platform specific differences, it should be the same, yes. But this is only valid for unified depends platforms. Standard linux uses system python and win32 has its own build as well.

jenkins build this please

[wsnipex]

got IOS to build. OSX32 build error unrelated
Can someone please runtime test?

[wsnipex]

test builds:
droid arm: http://mirrors.kodi.tv/test-builds/android/arm/kodi-20151015-f71dcbb--armeabi-v7a.apk
droid x86: http://mirrors.kodi.tv/test-builds/android/x86/kodi-20151015-f71dcbb--x86.apk
ios: http://mirrors.kodi.tv/test-builds/darwin/ios/kodi-20151015-f71dcbb--ios.deb
osx64: http://mirrors.kodi.tv/test-builds/osx/x86_64/kodi-20151015-f71dcbb--x86_64.dmg

[MartijnKaijser]

doing some initial testing on Android ARM doesn't show any problems

[MartijnKaijser]

@wsnipex not sure if related?
http://xbmclogs.com/pjxwb5khf#line-5958

edit:
nightly build on my phone works fine

edit2:
installed nightly on same box and it also worked so something missing in this build

[Rondom]

@wsnipex Tested this for an hour on Android-ARM. So far no problems for me. Needs more testing though.

@MartijnKaijser The SSL-Issue you are pointing to might indeed be related. Python's SSL-stack got an update some time in the 2.7-cycle which amongst others enables by-default certificate verification.
This is something addon authors have to consider. On Desktop Linux Kodi is running with the system python, i.e. any problems caused by stricter checks occur there even with old versions of Kodi without this pull request.
Disclaimer: I have not had a look at the specific request and the specific addon. This is just what I can see from the error message. So debugging this specific HTTPS-Request is something left to do to confirm what I said above.

@wsnipex Therefore it might be worthwhile to put some small note regarding this into the documentation for addon authors.

[MartijnKaijser]

@Rondom on win32 we already run 2.7.9 which doesn't have this problem.

[Rondom]

@MartijnKaijser You are right, this is some other problem.
@wsnipex As far as I can see any HTTPS-Request using urllib such as for example urllib.urlopen('https://kodi.tv') does not work

[Paxxi]

Could this be the reason for the ssl issue?
https://github.com/wsnipex/xbmc/blob/bump-python/tools/depends/target/python27/modules.setup#L214 Maybe somethings changed in the build system so we need to do what the comment says.

[wsnipex]

https should be fixed: http://mirrors.kodi.tv/test-builds/android/arm/kodi-20151020-12399e7-bump-python-armeabi-v7a.apk

[Rondom]

Not sure if this is the right place to bring this up: Do we really want to disable SSL-cert validation by default?
If an addon breaks because it connects to "broken" HTTPS-sites, addon authors can make an informed decision and manually switch off validation on a case-by-base basis.

[wsnipex]

jenkins build this please

[tamland]

Wondering about that as well. Just patching out the default doesn't seem like a fix. If SSL is broken then everything not relying on the default behavior would still be broken.

[wsnipex]

@tamland any idea how we'd best pass a cacert to python on droid?

[razzeee]

This might fix this trac ticket? http://trac.kodi.tv/ticket/15883
Can you put the ticket number into the title if I'm correct?

[wsnipex]

@Paxxi do you have time to bump windows as well?

[MartijnKaijser]

i could take a try this weekend. Shouldn't be too difficult. PIL still has to be changed to Pillow on win32?

[Paxxi]

Correct @martijn we build pillow as pil is mostly dead? It's not hard to build python but a bit annoying with the depends it has, afaik Berkley dB took me some time last try.
@wsnipex unfortunately I won't have any time this week or the next but lack of win32 build isn't an issue, we're already on 2.7.9 afaik, it's mostly because it's nice to keep them in sync.

[MartijnKaijser]

jenkins build this please

[MartijnKaijser]

@Paxxi python bump for windows is done (it is just downloading the .msi and repackaging) #8491. The pillow change still needs to be done.

[FernetMenta]

@wsnipex @Memphiz I get this error on OSX. related?

  URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>
                                           -->End of Python script error report<--

[popcornmix]

@FernetMenta to get SSL working with python on Pi I needed to:
cp tools/depends/target/openssl/cacert.pem /opt/xbmc-dbg2/arm-linux-gnueabihf/cert.pem
Something missing in install scripts?

[wsnipex]

I've simply assumed that every platform besides android already has a trust cert provided by the OS.
If not, you'll have to copy tools/depends/target/openssl/cacert.pem to the proper location for openssl to find it.

[FernetMenta]

Where is this location on systems that don't have OpenSSL?

[popcornmix]

I ran strace on the python in my kodi install directory and tried to open "https://amazon.co.uk" with urllib. Then grepped the strace output for cert.pem to find out where it expected it. Kodi seemed happy with the same path as python called directly.

[wsnipex]

after reading https://hynek.me/articles/apple-openssl-verification-surprises/ I think we might need the same hack for OSX as for android.

[wsnipex]

openssl version -d should print the default path. Take care to use our depends openssl binary

[FernetMenta]

depends does not build a openssl binary, just a lib

[wsnipex]

https://github.com/xbmc/xbmc/blob/master/xbmc/interfaces/python/XBPython.cpp#L599-L601 should work for OSX as well

[popcornmix]

@wsnipex I'm running on Pi using unified build, so python, openssl, curl etc are built from kodi tree which installs no cert.pem and doesn't look for it on system paths (it looks in kodi install tree but fails to find it).

Would it make sense to install the certificate in kodi's install tree (and set SSL_CERT_FILE if necessary) by default when building with unified build system?

[FernetMenta]

works on OSX after having copied the cert to system/cert

[wsnipex]

@popcornmix yeah, I guess we should do that, but also take care to not override it on platforms/installations where certs are available.

btw, another method to find default paths is:
strings /usr/lib/x86_64-linux-gnu/libcrypto.a | grep -E "/cert|SSL_CERT"
/usr/lib/ssl/certs
/usr/lib/ssl/cert.pem
SSL_CERT_DIR
SSL_CERT_FILE