
From: "Alex Holst" <a@mongers.org>
Subject: LibreSSL API/ABI stability?
To: tech@openbsd.org
Date: Mon, 15 Apr 2024 21:47:02 +0200

In troubleshooting a recurring problem of 'pip install cryptography' failing to build on OpenBSD, I took the long and winded road to end up at this GitHub issue:

https://github.com/pyca/cryptography/issues/10817

It can be summarized as "rust-openssl pins the known versions of LibreSSL that are verified to work as LibreSSL does not offer API or ABI stability between major versions".

So 3.9.0 fails to build because it's not 3.8.1, and so on.

The LibreSSL release page has made no claims about stability since 2016: "subsequent 2.4.x releases have a stable API and ABI".

Should consumers assume minor versions (e.g. 3.9.x) to be a stable API/ABI? Is there a better solution I can point the pyca folks at? If they continue to pin exact versions, that is just a chore I would like to avoid, if possible.


-- 
Alex Holst