Python 2.5 support

Issue #91 on hold
Chris Adams created an issue

tox currently lists Python 2.5 as the earliest supported version. Unfortunately, it no longer works because PyPI changed to require SSL, which breaks on Python 2.5 unless you have installed the ssl backport (see

At first, I thought I could do this within my commands stanza but ran into two problems:

  • Due to #2, you cannot simply use curl to fetch the package ("test command found but not installed in testenv")
  • Even if that worked, #38 would mean that you'd be forced to copy and paste around the inability to do something like this:
deps =
    # Do nothing because pip is broken on Python 2.5
commands =
    curl -s -o {envtmpdir}/ssl-1.15.tar.gz
    pip install {envtmpdir}/ssl-1.15.tar.gz
    pip install -r {toxinidir}/tests/requirements_25.txt
    pip install django==1.3

I think it'd either make sense to have an automatic hook to install ssl on Python 2.5 or simply drop support for it as it's rather old and backport RPMs are available for legacy Red Hat users.

Comments (20)

  1. Holger Krekel repo owner

    I think there was talk to include ssl with pip for python2.5. If that doesn't happen we could install it ourselves.

  2. Holger Krekel repo owner

    Now i see why pip won't try to install ssl - it cannot use ssl for it. One solution would have been to include the particular ssl-1.15 MD5 in pip's source code. This is harder to do from the tox side.

  3. Chris Adams reporter

    I think the curl hackaround might be our best option: it's available just about everywhere and it seems reasonable to say that if you wish to run tests on Python 2.5, you should have curl somewhere in the path.

  4. Alfredo Deza

    I spoke briefly with @carljm and @jezdez about this problem and they seemed that a decision needs to be made as to where exactly the SSL library would need to end up.

    This is obviously a problem for me as well and would prefer an option where I am not required to curl something. That implementation would be painful in a production-like environment where I need to test 2.5

  5. Holger Krekel repo owner

    I don't see the point of using or requiring curl. On py25 We can just use urllib.urlopen() and download the file, hardcode the MD5 sum in the tox release, verify it and then call pip to install the tar file, and then proceed?

  6. Stephan Sokolow

    @acdha I wouldn't consider dropping Python 2.5 support on account of this until Jython 2.7 is complete and stable since Jython 2.5 seems to suffer from the same problem.

    Also, there are some things (eg. mIRC plugins) which still embed 2.5 and I currently support them in one of my projects but, if tox dropped support, my only remaining option of acceptable convenience would be pushing to Travis CI and praying.

    As for getting it to work right now, tox won't complain if you toss --insecure into the deps for py25 and, if I understand the situation correctly, that just gets you back the behaviour that was default when py25 was working.

    (Let's just hope that --insecure will become a no-op if SSL is available. I don't have time to code-dive right now.)

  7. Chris Adams reporter

    @ssokolow I would prefer to fix Python 2.5 support but I don't like the idea of running Python 2.5 in a known-insecure mode, particularly as PyPI continues to be a high-interest target. I think @hpk42 has a reasonably strategy of hard-coding the MD5 hash for the ssl package so tox can download, verify and install it when creating a Python 2.5 environment. This will be annoying if the SSL module is updated so it'd probably be a good idea to immediately follow it with pip install --upgrade ssl just in case.

  8. Holger Krekel repo owner

    Am open to patches - might be a while before i get to it myself, otherwise, because i have no need for python2.5 support myself.

  9. Marcus Smith

    not ideal, but know that you can do this now, and not get the "NoSSLError" exception

    setenv =
        PIP_INSECURE = 1

    this follow's pip's convention that any cli option can also be set as an environment variable.

    having py25 support at all, was a bonus in pip-1.3.1. there was a discussion to drop py25, but adding support for it in some form won out.

    pip-1.4 is dropping py25 btw.

  10. Stephan Sokolow

    @acdha No argument. I was just saying that, for the impatient, tox won't refuse --insecure for not being a package name or URL.

    @hpk42 I wish I could provide a patch but I've already patched my way into being about a week and a half behind on my French coursework.

    I'd rather not engage in any more "productive procrastination" in the near future but I'll keep it in mind in case I do get far enough ahead. Just setting up tox on one of my projects and fixing test failures ate up four hours yesterday and I'd only budgeted three for leisure.

  11. Stephan Sokolow

    We seem to have a problem with BitBucket's bugs system. Someone named Marcus Smith (two users have that name) has sent two messages and I received them but they haven't shown up on this page. I've reported a bug in BitBucket.

    I'd try replying to test if it's the "reply to this e-mail to respond" that's doing it, but BitBucket seems to use a generic reply-to address rather than the hash-style ones GitHub uses so I'm almost certain my use of multiple From addresses (none of which are my BitBucket one) would break things. (I've also reported that as well as the lack of hyperlinks in the notification e-mails)

  12. Stephan Sokolow

    Ok, so BitBucket's spam filter is overzealous and too stupid to also withhold the e-mail notifications for spam.

    @qwcode In reply to your comments that have been un-spammed so far, I tried the tox.ini snippet you gave but it seems to have no effect so I went back to listing --insecure as a dependency for [testenv:py25] and [testenv:jython].

  13. Marcus Smith

    @ssokolow , I used that config to test py25 locally in the 1.3 release branch for pip last week. I went back and forth now 3 times to confirm it. so, I'm not sure why you wouldn't see it work. the error you are getting is the "You don't have an importable ssl module..."?

  14. Marcus Smith

    @ssokolow and I talked offline. he did end up getting "PIP_INSECURE = 1" to work, and it works for me too, so that's a real option for people.

  15. Holger Krekel repo owner

    tox-1.6 has support for python2.5. See the announcements. It basically ships with a copy of virtualenv-1.9.1 and downgrades pip to <1.4, and adds default "--insecure" to the (new in tox-1.6) installer_command defaults.

    I went a bit too far, i guess, in that you can even run tox itself on python2.5. That is strictly speaking not neccessary. I am probably going to drop support for python2.5 for tox itself but try to keep it able to run the project-under-test against python2.5

  16. Log in to comment