#38 Update to 7.3.12
Merged 2 months ago by churchyard. Opened 2 months ago by churchyard.
rpms/ churchyard/pypy3.9 7.3.12  into  rawhide

file modified
+1
@@ -22,3 +22,4 @@ 

  /pypy3.9-v7.3.8-src.tar.bz2

  /pypy3.9-v7.3.9-src.tar.bz2

  /pypy3.9-v7.3.11-src.tar.bz2

+ /pypy3.9-v7.3.12-src.tar.bz2

file modified
+1 -1
@@ -37,7 +37,7 @@ 

   

  -__all__ = ["version", "bootstrap"]

  -_SETUPTOOLS_VERSION = "58.1.0"

- -_PIP_VERSION = "22.0.4"

+ -_PIP_VERSION = "23.0.1"

   _PROJECTS = [

       ("setuptools", _SETUPTOOLS_VERSION, "py3"),

       ("pip", _PIP_VERSION, "py3"),

file removed
-140
@@ -1,140 +0,0 @@ 

- From c18699b668c9f1e1a239f94748c9ac059ab9baff Mon Sep 17 00:00:00 2001

- From: "Miss Islington (bot)"

-  <31488909+miss-islington@users.noreply.github.com>

- Date: Mon, 22 May 2023 03:42:37 -0700

- Subject: [PATCH] 00399: CVE-2023-24329

- 

- gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508)

- 

- `urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595.

- 

- This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329).

- 

- (cherry picked from commit f48a96a28012d28ae37a2f4587a780a5eb779946)

- 

- Co-authored-by: Illia Volochii <illia.volochii@gmail.com>

- Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>

- ---

-  lib-python/3/test/test_urlparse.py | 61 +++++++++++++++++++++++++++++-

-  lib-python/3/urllib/parse.py       | 12 ++++++

-  2 files changed, 72 insertions(+), 1 deletion(-)

- 

- diff --git a/lib-python/3/test/test_urlparse.py b/lib-python/3/test/test_urlparse.py

- index 31943f3..574da5b 100644

- --- a/lib-python/3/test/test_urlparse.py

- +++ b/lib-python/3/test/test_urlparse.py

- @@ -649,6 +649,65 @@ class UrlParseTestCase(unittest.TestCase):

-              self.assertEqual(p.scheme, "http")

-              self.assertEqual(p.geturl(), "http://www.python.org/javascript:alert('msg')/?query=something#fragment")

-  

- +    def test_urlsplit_strip_url(self):

- +        noise = bytes(range(0, 0x20 + 1))

- +        base_url = "http://User:Pass@www.python.org:080/doc/?query=yes#frag"

- +

- +        url = noise.decode("utf-8") + base_url

- +        p = urllib.parse.urlsplit(url)

- +        self.assertEqual(p.scheme, "http")

- +        self.assertEqual(p.netloc, "User:Pass@www.python.org:080")

- +        self.assertEqual(p.path, "/doc/")

- +        self.assertEqual(p.query, "query=yes")

- +        self.assertEqual(p.fragment, "frag")

- +        self.assertEqual(p.username, "User")

- +        self.assertEqual(p.password, "Pass")

- +        self.assertEqual(p.hostname, "www.python.org")

- +        self.assertEqual(p.port, 80)

- +        self.assertEqual(p.geturl(), base_url)

- +

- +        url = noise + base_url.encode("utf-8")

- +        p = urllib.parse.urlsplit(url)

- +        self.assertEqual(p.scheme, b"http")

- +        self.assertEqual(p.netloc, b"User:Pass@www.python.org:080")

- +        self.assertEqual(p.path, b"/doc/")

- +        self.assertEqual(p.query, b"query=yes")

- +        self.assertEqual(p.fragment, b"frag")

- +        self.assertEqual(p.username, b"User")

- +        self.assertEqual(p.password, b"Pass")

- +        self.assertEqual(p.hostname, b"www.python.org")

- +        self.assertEqual(p.port, 80)

- +        self.assertEqual(p.geturl(), base_url.encode("utf-8"))

- +

- +        # Test that trailing space is preserved as some applications rely on

- +        # this within query strings.

- +        query_spaces_url = "https://www.python.org:88/doc/?query=    "

- +        p = urllib.parse.urlsplit(noise.decode("utf-8") + query_spaces_url)

- +        self.assertEqual(p.scheme, "https")

- +        self.assertEqual(p.netloc, "www.python.org:88")

- +        self.assertEqual(p.path, "/doc/")

- +        self.assertEqual(p.query, "query=    ")

- +        self.assertEqual(p.port, 88)

- +        self.assertEqual(p.geturl(), query_spaces_url)

- +

- +        p = urllib.parse.urlsplit("www.pypi.org ")

- +        # That "hostname" gets considered a "path" due to the

- +        # trailing space and our existing logic...  YUCK...

- +        # and re-assembles via geturl aka unurlsplit into the original.

- +        # django.core.validators.URLValidator (at least through v3.2) relies on

- +        # this, for better or worse, to catch it in a ValidationError via its

- +        # regular expressions.

- +        # Here we test the basic round trip concept of such a trailing space.

- +        self.assertEqual(urllib.parse.urlunsplit(p), "www.pypi.org ")

- +

- +        # with scheme as cache-key

- +        url = "//www.python.org/"

- +        scheme = noise.decode("utf-8") + "https" + noise.decode("utf-8")

- +        for _ in range(2):

- +            p = urllib.parse.urlsplit(url, scheme=scheme)

- +            self.assertEqual(p.scheme, "https")

- +            self.assertEqual(p.geturl(), "https://www.python.org/")

- +

-      def test_attributes_bad_port(self):

-          """Check handling of invalid ports."""

-          for bytes in (False, True):

- @@ -656,7 +715,7 @@ class UrlParseTestCase(unittest.TestCase):

-                  for port in ("foo", "1.5", "-1", "0x10"):

-                      with self.subTest(bytes=bytes, parse=parse, port=port):

-                          netloc = "www.example.net:" + port

- -                        url = "http://" + netloc

- +                        url = "http://" + netloc + "/"

-                          if bytes:

-                              netloc = netloc.encode("ascii")

-                              url = url.encode("ascii")

- diff --git a/lib-python/3/urllib/parse.py b/lib-python/3/urllib/parse.py

- index bd26813..f5d3662 100644

- --- a/lib-python/3/urllib/parse.py

- +++ b/lib-python/3/urllib/parse.py

- @@ -25,6 +25,10 @@ currently not entirely compliant with this RFC due to defacto

-  scenarios for parsing, and for backward compatibility purposes, some

-  parsing quirks from older RFCs are retained. The testcases in

-  test_urlparse.py provides a good indicator of parsing behavior.

- +

- +The WHATWG URL Parser spec should also be considered.  We are not compliant with

- +it either due to existing user code API behavior expectations (Hyrum's Law).

- +It serves as a useful guide when making changes.

-  """

-  

-  import re

- @@ -78,6 +82,10 @@ scheme_chars = ('abcdefghijklmnopqrstuvwxyz'

-                  '0123456789'

-                  '+-.')

-  

- +# Leading and trailing C0 control and space to be stripped per WHATWG spec.

- +# == "".join([chr(i) for i in range(0, 0x20 + 1)])

- +_WHATWG_C0_CONTROL_OR_SPACE = '\x00\x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f '

- +

-  # Unsafe bytes to be removed per WHATWG spec

-  _UNSAFE_URL_BYTES_TO_REMOVE = ['\t', '\r', '\n']

-  

- @@ -456,6 +464,10 @@ def urlsplit(url, scheme='', allow_fragments=True):

-      """

-  

-      url, scheme, _coerce_result = _coerce_args(url, scheme)

- +    # Only lstrip url as some applications rely on preserving trailing space.

- +    # (https://url.spec.whatwg.org/#concept-basic-url-parser would strip both)

- +    url = url.lstrip(_WHATWG_C0_CONTROL_OR_SPACE)

- +    scheme = scheme.strip(_WHATWG_C0_CONTROL_OR_SPACE)

-  

-      for b in _UNSAFE_URL_BYTES_TO_REMOVE:

-          url = url.replace(b, "")

- -- 

- 2.40.1

- 

file modified
+14 -34
@@ -1,5 +1,5 @@ 

  %global basever 7.3

- %global micro 11

+ %global micro 12

  #global pre ...

  %global pyversion 3.9

  Name:           pypy%{pyversion}
@@ -10,7 +10,7 @@ 

  # by Python version as well.

  # This potentially allows tags like Obsoletes: pypy3 < %%{version}-%%{release}.

  # https://bugzilla.redhat.com/2053880

- %global baserelease 5

+ %global baserelease 1

  Release:        %{baserelease}.%{pyversion}%{?dist}

  Summary:        Python %{pyversion} implementation with a Just-In-Time compiler

  
@@ -27,12 +27,10 @@ 

  # before building).  If we restore those we'll have to work out the new

  # licensing terms

  License:        MIT and Python and UCD and BSD and (ASL 2.0 or BSD)

- URL:            http://pypy.org/

+ URL:            https://www.pypy.org/

  

  # https://fedoraproject.org/wiki/Changes/EncourageI686LeafRemoval

- %if 0%{?fedora} >= 37 || 0%{?rhel} >= 10

  ExcludeArch:    %{ix86}

- %endif

  

  # High-level configuration of the build:

  
@@ -70,7 +68,6 @@ 

  # We refer to this subdir of the source tree in a few places during the build:

  %global goal_dir pypy/goal

  

- %if 0%{?fedora} >= 36

  # REMINDER: When updating the main pypy3 version for a certain Fedora release

  # make sure to update the python-classroom group in https://pagure.io/fedora-comps/

  #   1. locate comps-fXX.xml.in for each affected Fedora release
@@ -78,9 +75,6 @@ 

  #   3. change the package name to match the new version

  #   4. submit changes as a pull request and make sure somebody merges it

  %bcond_without main_pypy3

- %else

- %bcond_with main_pypy3

- %endif

  

  %ifarch %{ix86} x86_64 %{arm}

  %global _package_note_linker gold
@@ -120,16 +114,6 @@ 

  # We conditionally apply this, but we use autosetup, so we use Source here

  Source189: 189-use-rpm-wheels.patch

  

- # 00399 #

- # CVE-2023-24329

- #

- # gh-102153: Start stripping C0 control and space chars in `urlsplit` (GH-102508)

- #

- # `urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit GH-25595.

- #

- # This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%%20any%%20leading%%20and%%20trailing%%20C0%%20control%%20or%%20space%%20from%%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329).

- Patch399: 399-cve-2023-24329.patch

- 

  # Build-time requirements:

  

  # pypy's can be rebuilt using pypy2, rather than with CPython 2; doing so
@@ -209,9 +193,7 @@ 

  Obsoletes: pypy3 < 7.3.4-4

  # This is when pypy3 was provided by pypy3.8:

  Conflicts: pypy3 < %{version}-%{release}

- %if 0%{?fedora} >= 37

  Obsoletes: pypy3.7 < 7.3.9-20

- %endif

  %if 0%{?fedora} >= 38

  Obsoletes: pypy3.8 < 7.3.11-20

  %endif
@@ -251,9 +233,7 @@ 

  Provides: pypy3-libs = %{version}-%{release}

  Provides: pypy3-libs%{?_isa} = %{version}-%{release}

  Obsoletes: pypy3-libs < 7.3.4-4

- %if 0%{?fedora} >= 37

  Obsoletes: pypy3.7-libs < 7.3.9-20

- %endif

  %if 0%{?fedora} >= 38

  Obsoletes: pypy3.8-libs < 7.3.11-20

  %endif
@@ -263,7 +243,7 @@ 

  Requires: python-setuptools-wheel

  Requires: python-pip-wheel

  %else

- Provides: bundled(python3dist(pip)) = 22.0.4

+ Provides: bundled(python3dist(pip)) = 23.0.1

  Provides: bundled(python3dist(setuptools)) = 58.1.0

  %endif

  
@@ -274,7 +254,7 @@ 

  }

  

  # Find the version in lib_pypy/cffi.dist-info/METADATA

- Provides: bundled(python3dist(cffi)) = 1.15.0

+ Provides: bundled(python3dist(cffi)) = 1.15.1

  

  # Find the version in lib_pypy/cffi/_pycparser/__init__.py

  Provides: bundled(python3dist(pycparser)) = 2.21
@@ -285,8 +265,8 @@ 

  # Find the version in lib_pypy/_cffi_ssl/cryptography/__about__.py

  Provides: bundled(python3dist(cryptography)) = 2.7

  

- # Find the version in lib_pypy/hpy.dist-info/METADATA

- Provides: bundled(python3dist(hpy)) = 0.0.3

+ # Find the version in lib_pypy/hpy-XXX.dist-info/METADATA

+ Provides: bundled(python3dist(hpy)) = 0.0.4~~dev179+g9b5d200

  

  %description libs

  Libraries required by the various PyPy implementations of Python %{pyversion}.
@@ -300,9 +280,7 @@ 

  %if %{with main_pypy3}

  Provides: pypy3-test = %{version}-%{release}

  Provides: pypy3-test%{?_isa} = %{version}-%{release}

- %if 0%{?fedora} >= 37

  Obsoletes: pypy3.7-test < 7.3.9-20

- %endif

  %if 0%{?fedora} >= 38

  Obsoletes: pypy3.8-test < 7.3.11-20

  %endif
@@ -322,9 +300,7 @@ 

  Provides: pypy3-devel = %{version}-%{release}

  Provides: pypy3-devel%{?_isa} = %{version}-%{release}

  Obsoletes: pypy3-devel < 7.3.4-4

- %if 0%{?fedora} >= 37

  Obsoletes: pypy3.7-devel < 7.3.9-20

- %endif

  %if 0%{?fedora} >= 38

  Obsoletes: pypy3.8-devel < 7.3.11-20

  %endif
@@ -796,7 +772,7 @@ 

  %license %{pypylibdir}/_cffi_ssl/LICENSE

  %license %{pypylibdir}/cffi.dist-info/LICENSE

  %license %{pypylibdir}/cffi/_pycparser/ply/LICENSE

- %license %{pypylibdir}/hpy.dist-info/LICENSE

+ %license %{pypylibdir}/hpy-*.dist-info/LICENSE

  %{pypylibdir}/

  %if %{with rpmwheels}

  %exclude %{pypylibdir}/ensurepip/_bundled
@@ -815,7 +791,7 @@ 

  %exclude %{pypylibdir}/_ctypes_test.*

  %exclude %{pypylibdir}/_pypy_testcapi.*

  %exclude %{pypylibdir}/_test*

- %exclude %{pypylibdir}/__pycache__/_ctypes_test.*

+ %exclude %{pypylibdir}/__pycache__/_ctypes_test*

  %exclude %{pypylibdir}/__pycache__/_pypy_testcapi.*

  %exclude %{pypylibdir}/__pycache__/_test*

  %exclude %{pypylibdir}/test/
@@ -835,7 +811,7 @@ 

  %{pypylibdir}/_ctypes_test.*

  %{pypylibdir}/_pypy_testcapi.*

  %{pypylibdir}/_test*

- %{pypylibdir}/__pycache__/_ctypes_test.*

+ %{pypylibdir}/__pycache__/_ctypes_test*

  %{pypylibdir}/__pycache__/_pypy_testcapi.*

  %{pypylibdir}/__pycache__/_test*

  %{pypylibdir}/test/
@@ -860,6 +836,10 @@ 

  

  

  %changelog

+ * Wed Jul 26 2023 Miro Hrončok <mhroncok@redhat.com> - 7.3.12-1.3.9

+ - Update to 7.3.12

+ - Fixes: rhbz#2203423

+ 

  * Fri Jul 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 7.3.11-5.3.9

  - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
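Review bot: The new changelog entry in the last hunk lists only `- Update to 7.3.12` and `- Fixes: rhbz#2203423`, although the hunk at -120 drops `Patch399: 399-cve-2023-24329.patch` together with its comment block, and the patch file itself is deleted earlier in this pull request. Presumably the 7.3.12 tarball already includes the fix, but nothing visible on this page confirms it. Before relying on that, check that `lib-python/3/urllib/parse.py` in the new source still does `url = url.lstrip(_WHATWG_C0_CONTROL_OR_SPACE)` and `scheme = scheme.strip(_WHATWG_C0_CONTROL_OR_SPACE)` in `urlsplit`. Once verified, I would record it in the changelog, for example `- Drop the downstream patch for CVE-2023-24329, now part of the upstream sources`, so the fix stays traceable from the package history.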

  

file modified
+1 -1
@@ -1,1 +1,1 @@ 

- SHA512 (pypy3.9-v7.3.11-src.tar.bz2) = 33c978ffbeeb39453028d1d1646ccfdace062ce48a5d939245bea41643038dd3687e80e34f88fa0622bcb175d7dd78f75cbe36b24229c8052f09d2d17dcdfd8c

+ SHA512 (pypy3.9-v7.3.12-src.tar.bz2) = 8e819a1ec3f3ce7fc5f901fb554660288a57e2a4834a3da35c1a57faf88ef4129240628a58334d2e0c2b1dda412da5d85ec943abe8046c0ce5d0cd0a0f7fc42a

no initial comment

rebased onto be598df

2 months ago

rebased onto ac0a72d

2 months ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci
https://fedora.softwarefactory-project.io/zuul/buildset/73688b8983a740e2be5eb78044f348d9

    File not found: /builddir/build/BUILDROOT/pypy3.9-7.3.12-1.3.9.fc39.x86_64/usr/lib64/pypy3.9/__pycache__/_ctypes_test.*
    File not found: /builddir/build/BUILDROOT/pypy3.9-7.3.12-1.3.9.fc39.x86_64/usr/lib64/pypy3.9/hpy.dist-info/LICENSE

rebased onto 7aa1286

2 months ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci
https://fedora.softwarefactory-project.io/zuul/buildset/5add3c2a06d4492aa87771ae3a692c85

3 new commits added

  • Remove outdated spec conditionals
  • Update the URL
  • Update the License tag to SPDX
2 months ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci
https://fedora.softwarefactory-project.io/zuul/buildset/fc2cfb4e5bc04960a0e69aac0df45846

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci
https://fedora.softwarefactory-project.io/zuul/buildset/7379d76dd1fe431cb882f1a89621a2d5

Could you point me on the license information for unicodedata?

Could you point me on the license information for unicodedata?

https://foss.heptapod.net/pypy/pypy/-/blob/branch/py3.9/rpython/rlib/copyright

I see there is a slight difference between the SPDX license text and the license of the unicode data within pypy. The SPDX one is up to 2015 and the one in pypy is up to 2014. The license was updated and to be fully compliant a Unicode-DFS-2014 should be added, although I don't think it's a blocker in this case.

What's your take on that?

Could you point me on the license information for unicodedata?

https://foss.heptapod.net/pypy/pypy/-/blob/branch/py3.9/rpython/rlib/copyright

I see there is a slight difference between the SPDX license text and the license of the unicode data within pypy. The SPDX one is up to 2015 and the one in pypy is up to 2014. The license was updated and to be fully compliant a Unicode-DFS-2014 should be added, although I don't think it's a blocker in this case.

What's your take on that?

Indeed I don't think that license is correct and another one should be added to the SPDX list.

More specifically checking https://github.com/spdx/license-list-XML/issues/1269 and https://github.com/spdx/license-list-XML/issues/1169 it seems that the 2016 license has the copyright years as optional, whereas that is not the case for the 2015 one.

Could you postpone the SPDX change for a later date? I see this being resolved two different ways. Either adding the license to SPDX or asking pypy to verify that this is the correct license (which I presume can be updated).

I can postpone the SPDX license change, yes. Will not be able to juggle with commit here at this moment, but perhaps later today.

rebased onto aa479ce

2 months ago

I removed the SPDX commit. Preserved in my 7.3.12-spdx branch.

rebased onto 507d66c

2 months ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci
https://fedora.softwarefactory-project.io/zuul/buildset/71e74b236a70431591b73dd63a79c496

Everything looks good. Feel free to ship it.

Pull-Request has been merged by churchyard

2 months ago