Toshaan Bharvani
2 weeks ago
commit
849f38d8c1
7 changed files with 828 additions and 0 deletions
@ -0,0 +1,78 @@
@@ -0,0 +1,78 @@
|
||||
Minimal patch for pip |
||||
|
||||
diff -rU3 pip-22.3.1-orig/src/pip/_internal/utils/unpacking.py pip-22.3.1/src/pip/_internal/utils/unpacking.py |
||||
--- pip-22.3.1-orig/src/pip/_internal/utils/unpacking.py 2022-11-05 16:25:43.000000000 +0100 |
||||
+++ pip-22.3.1/src/pip/_internal/utils/unpacking.py 2023-08-08 13:17:47.705613554 +0200 |
||||
@@ -184,6 +184,13 @@ |
||||
"outside target directory ({})" |
||||
) |
||||
raise InstallationError(message.format(filename, path, location)) |
||||
+ |
||||
+ # Call the `data` filter for its side effect (raising exception) |
||||
+ try: |
||||
+ tarfile.data_filter(member.replace(name=fn), location) |
||||
+ except tarfile.LinkOutsideDestinationError: |
||||
+ pass |
||||
+ |
||||
if member.isdir(): |
||||
ensure_dir(path) |
||||
elif member.issym(): |
||||
|
||||
|
||||
Test from https://github.com/pypa/pip/pull/12214 |
||||
|
||||
diff -rU3 pip-22.3.1-orig/tests/unit/test_utils_unpacking.py pip-22.3.1/tests/unit/test_utils_unpacking.py |
||||
--- pip-22.3.1-orig/tests/unit/test_utils_unpacking.py 2022-11-05 16:25:43.000000000 +0100 |
||||
+++ pip-22.3.1/tests/unit/test_utils_unpacking.py 2023-08-08 13:17:35.151540108 +0200 |
||||
@@ -171,6 +171,23 @@ |
||||
test_tar = self.make_tar_file("test_tar.tar", files) |
||||
untar_file(test_tar, self.tempdir) |
||||
|
||||
+ def test_unpack_tar_filter(self) -> None: |
||||
+ """ |
||||
+ Test that the tarfile.data_filter is used to disallow dangerous |
||||
+ behaviour (PEP-721) |
||||
+ """ |
||||
+ test_tar = os.path.join(self.tempdir, "test_tar_filter.tar") |
||||
+ with tarfile.open(test_tar, "w") as mytar: |
||||
+ file_tarinfo = tarfile.TarInfo("bad-link") |
||||
+ file_tarinfo.type = tarfile.SYMTYPE |
||||
+ file_tarinfo.linkname = "../../../../pwn" |
||||
+ mytar.addfile(file_tarinfo, io.BytesIO(b"")) |
||||
+ with pytest.raises(InstallationError) as e: |
||||
+ untar_file(test_tar, self.tempdir) |
||||
+ |
||||
+ assert "is outside the destination" in str(e.value) |
||||
+ |
||||
+ |
||||
|
||||
def test_unpack_tar_unicode(tmpdir: Path) -> None: |
||||
test_tar = tmpdir / "test.tar" |
||||
|
||||
|
||||
Patch for vendored distlib from https://github.com/pypa/distlib/pull/201 |
||||
|
||||
diff --git a/distlib/util.py b/distlib/util.py |
||||
index e0622e4..4349d0b 100644 |
||||
--- a/src/pip/_vendor/distlib/util.py |
||||
+++ b/src/pip/_vendor/distlib/util.py |
||||
@@ -1249,6 +1249,19 @@ def check_path(path): |
||||
for tarinfo in archive.getmembers(): |
||||
if not isinstance(tarinfo.name, text_type): |
||||
tarinfo.name = tarinfo.name.decode('utf-8') |
||||
+ |
||||
+ # Limit extraction of dangerous items, if this Python |
||||
+ # allows it easily. If not, just trust the input. |
||||
+ # See: https://docs.python.org/3/library/tarfile.html#extraction-filters |
||||
+ def extraction_filter(member, path): |
||||
+ """Run tarfile.tar_fillter, but raise the expected ValueError""" |
||||
+ # This is only called if the current Python has tarfile filters |
||||
+ try: |
||||
+ return tarfile.tar_filter(member, path) |
||||
+ except tarfile.FilterError as exc: |
||||
+ raise ValueError(str(exc)) |
||||
+ archive.extraction_filter = extraction_filter |
||||
+ |
||||
archive.extractall(dest_dir) |
||||
|
||||
finally: |
@ -0,0 +1,128 @@
@@ -0,0 +1,128 @@
|
||||
From 09c983fdeabe3fa0b90b73f32ddf84a61e498e09 Mon Sep 17 00:00:00 2001 |
||||
From: Karolina Surma <ksurma@redhat.com> |
||||
Date: Tue, 15 Nov 2022 09:22:46 +0100 |
||||
Subject: [PATCH] Dummy certifi patch |
||||
|
||||
--- |
||||
src/pip/_vendor/certifi/core.py | 105 ++------------------------------ |
||||
1 file changed, 6 insertions(+), 99 deletions(-) |
||||
|
||||
diff --git a/src/pip/_vendor/certifi/core.py b/src/pip/_vendor/certifi/core.py |
||||
index c3e5466..eb297f7 100644 |
||||
--- a/src/pip/_vendor/certifi/core.py |
||||
+++ b/src/pip/_vendor/certifi/core.py |
||||
@@ -4,105 +4,12 @@ certifi.py |
||||
|
||||
This module returns the installation location of cacert.pem or its contents. |
||||
""" |
||||
-import sys |
||||
|
||||
+# The RPM-packaged certifi always uses the system certificates |
||||
+def where() -> str: |
||||
+ return '/etc/pki/tls/certs/ca-bundle.crt' |
||||
|
||||
-if sys.version_info >= (3, 11): |
||||
+def contents() -> str: |
||||
+ with open(where(), encoding='utf=8') as data: |
||||
+ return data.read() |
||||
|
||||
- from importlib.resources import as_file, files |
||||
- |
||||
- _CACERT_CTX = None |
||||
- _CACERT_PATH = None |
||||
- |
||||
- def where() -> str: |
||||
- # This is slightly terrible, but we want to delay extracting the file |
||||
- # in cases where we're inside of a zipimport situation until someone |
||||
- # actually calls where(), but we don't want to re-extract the file |
||||
- # on every call of where(), so we'll do it once then store it in a |
||||
- # global variable. |
||||
- global _CACERT_CTX |
||||
- global _CACERT_PATH |
||||
- if _CACERT_PATH is None: |
||||
- # This is slightly janky, the importlib.resources API wants you to |
||||
- # manage the cleanup of this file, so it doesn't actually return a |
||||
- # path, it returns a context manager that will give you the path |
||||
- # when you enter it and will do any cleanup when you leave it. In |
||||
- # the common case of not needing a temporary file, it will just |
||||
- # return the file system location and the __exit__() is a no-op. |
||||
- # |
||||
- # We also have to hold onto the actual context manager, because |
||||
- # it will do the cleanup whenever it gets garbage collected, so |
||||
- # we will also store that at the global level as well. |
||||
- _CACERT_CTX = as_file(files("pip._vendor.certifi").joinpath("cacert.pem")) |
||||
- _CACERT_PATH = str(_CACERT_CTX.__enter__()) |
||||
- |
||||
- return _CACERT_PATH |
||||
- |
||||
- def contents() -> str: |
||||
- return files("pip._vendor.certifi").joinpath("cacert.pem").read_text(encoding="ascii") |
||||
- |
||||
-elif sys.version_info >= (3, 7): |
||||
- |
||||
- from importlib.resources import path as get_path, read_text |
||||
- |
||||
- _CACERT_CTX = None |
||||
- _CACERT_PATH = None |
||||
- |
||||
- def where() -> str: |
||||
- # This is slightly terrible, but we want to delay extracting the |
||||
- # file in cases where we're inside of a zipimport situation until |
||||
- # someone actually calls where(), but we don't want to re-extract |
||||
- # the file on every call of where(), so we'll do it once then store |
||||
- # it in a global variable. |
||||
- global _CACERT_CTX |
||||
- global _CACERT_PATH |
||||
- if _CACERT_PATH is None: |
||||
- # This is slightly janky, the importlib.resources API wants you |
||||
- # to manage the cleanup of this file, so it doesn't actually |
||||
- # return a path, it returns a context manager that will give |
||||
- # you the path when you enter it and will do any cleanup when |
||||
- # you leave it. In the common case of not needing a temporary |
||||
- # file, it will just return the file system location and the |
||||
- # __exit__() is a no-op. |
||||
- # |
||||
- # We also have to hold onto the actual context manager, because |
||||
- # it will do the cleanup whenever it gets garbage collected, so |
||||
- # we will also store that at the global level as well. |
||||
- _CACERT_CTX = get_path("pip._vendor.certifi", "cacert.pem") |
||||
- _CACERT_PATH = str(_CACERT_CTX.__enter__()) |
||||
- |
||||
- return _CACERT_PATH |
||||
- |
||||
- def contents() -> str: |
||||
- return read_text("pip._vendor.certifi", "cacert.pem", encoding="ascii") |
||||
- |
||||
-else: |
||||
- import os |
||||
- import types |
||||
- from typing import Union |
||||
- |
||||
- Package = Union[types.ModuleType, str] |
||||
- Resource = Union[str, "os.PathLike"] |
||||
- |
||||
- # This fallback will work for Python versions prior to 3.7 that lack the |
||||
- # importlib.resources module but relies on the existing `where` function |
||||
- # so won't address issues with environments like PyOxidizer that don't set |
||||
- # __file__ on modules. |
||||
- def read_text( |
||||
- package: Package, |
||||
- resource: Resource, |
||||
- encoding: str = 'utf-8', |
||||
- errors: str = 'strict' |
||||
- ) -> str: |
||||
- with open(where(), encoding=encoding) as data: |
||||
- return data.read() |
||||
- |
||||
- # If we don't have importlib.resources, then we will just do the old logic |
||||
- # of assuming we're on the filesystem and munge the path directly. |
||||
- def where() -> str: |
||||
- f = os.path.dirname(__file__) |
||||
- |
||||
- return os.path.join(f, "cacert.pem") |
||||
- |
||||
- def contents() -> str: |
||||
- return read_text("pip._vendor.certifi", "cacert.pem", encoding="ascii") |
||||
-- |
||||
2.37.3 |
||||
|
@ -0,0 +1,16 @@
@@ -0,0 +1,16 @@
|
||||
diff --git a/src/pip/_vendor/packaging/version.py b/src/pip/_vendor/packaging/version.py |
||||
index de9a09a..154e94d 100644 |
||||
--- a/src/pip/_vendor/packaging/version.py |
||||
+++ b/src/pip/_vendor/packaging/version.py |
||||
@@ -108,11 +108,6 @@ class LegacyVersion(_BaseVersion): |
||||
self._version = str(version) |
||||
self._key = _legacy_cmpkey(self._version) |
||||
|
||||
- warnings.warn( |
||||
- "Creating a LegacyVersion has been deprecated and will be " |
||||
- "removed in the next major release", |
||||
- DeprecationWarning, |
||||
- ) |
||||
|
||||
def __str__(self) -> str: |
||||
return self._version |
@ -0,0 +1,76 @@
@@ -0,0 +1,76 @@
|
||||
From 8dd3793d1bab226cec9c5c49b01718a9634bc403 Mon Sep 17 00:00:00 2001 |
||||
From: Karolina Surma <ksurma@redhat.com> |
||||
Date: Mon, 10 May 2021 16:48:49 +0200 |
||||
Subject: [PATCH] Don't warn the user about pip._internal.main() entrypoint |
||||
|
||||
In Fedora, we use that in ensurepip and users cannot do anything about it, |
||||
this warning is juts moot. Also, the warning breaks CPython test suite. |
||||
|
||||
Co-Authored-By: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz> |
||||
--- |
||||
src/pip/_internal/__init__.py | 2 +- |
||||
src/pip/_internal/utils/entrypoints.py | 19 ++++++++++--------- |
||||
tests/functional/test_cli.py | 3 ++- |
||||
3 files changed, 13 insertions(+), 11 deletions(-) |
||||
|
||||
diff --git a/src/pip/_internal/__init__.py b/src/pip/_internal/__init__.py |
||||
index 6afb5c6..faf25af 100755 |
||||
--- a/src/pip/_internal/__init__.py |
||||
+++ b/src/pip/_internal/__init__.py |
||||
@@ -16,4 +16,4 @@ def main(args: (Optional[List[str]]) = None) -> int: |
||||
""" |
||||
from pip._internal.utils.entrypoints import _wrapper |
||||
|
||||
- return _wrapper(args) |
||||
+ return _wrapper(args, _nowarn=True) |
||||
diff --git a/src/pip/_internal/utils/entrypoints.py b/src/pip/_internal/utils/entrypoints.py |
||||
index f292c64..2e29a5e 100644 |
||||
--- a/src/pip/_internal/utils/entrypoints.py |
||||
+++ b/src/pip/_internal/utils/entrypoints.py |
||||
@@ -20,7 +20,7 @@ if WINDOWS: |
||||
] |
||||
|
||||
|
||||
-def _wrapper(args: Optional[List[str]] = None) -> int: |
||||
+def _wrapper(args: Optional[List[str]] = None, _nowarn: bool = False) -> int: |
||||
"""Central wrapper for all old entrypoints. |
||||
|
||||
Historically pip has had several entrypoints defined. Because of issues |
||||
@@ -32,14 +32,15 @@ def _wrapper(args: Optional[List[str]] = None) -> int: |
||||
directing them to an appropriate place for help, we now define all of |
||||
our old entrypoints as wrappers for the current one. |
||||
""" |
||||
- sys.stderr.write( |
||||
- "WARNING: pip is being invoked by an old script wrapper. This will " |
||||
- "fail in a future version of pip.\n" |
||||
- "Please see https://github.com/pypa/pip/issues/5599 for advice on " |
||||
- "fixing the underlying issue.\n" |
||||
- "To avoid this problem you can invoke Python with '-m pip' instead of " |
||||
- "running pip directly.\n" |
||||
- ) |
||||
+ if not _nowarn: |
||||
+ sys.stderr.write( |
||||
+ "WARNING: pip is being invoked by an old script wrapper. This will " |
||||
+ "fail in a future version of pip.\n" |
||||
+ "Please see https://github.com/pypa/pip/issues/5599 for advice on " |
||||
+ "fixing the underlying issue.\n" |
||||
+ "To avoid this problem you can invoke Python with '-m pip' instead of " |
||||
+ "running pip directly.\n" |
||||
+ ) |
||||
return main(args) |
||||
|
||||
|
||||
diff --git a/tests/functional/test_cli.py b/tests/functional/test_cli.py |
||||
index 3e85703..f86c392 100644 |
||||
--- a/tests/functional/test_cli.py |
||||
+++ b/tests/functional/test_cli.py |
||||
@@ -43,4 +43,5 @@ def test_entrypoints_work(entrypoint: str, script: PipTestEnvironment) -> None: |
||||
result = script.pip("-V") |
||||
result2 = script.run("fake_pip", "-V", allow_stderr_warning=True) |
||||
assert result.stdout == result2.stdout |
||||
- assert "old script wrapper" in result2.stderr |
||||
+ if entrypoint[0] != "fake_pip = pip._internal:main": |
||||
+ assert "old script wrapper" in result2.stderr |
||||
-- |
||||
2.35.3 |
||||
|
@ -0,0 +1,27 @@
@@ -0,0 +1,27 @@
|
||||
--- /usr/bin/pip3 2019-11-12 17:37:34.793131862 +0100 |
||||
+++ pip3 2019-11-12 17:40:42.014107134 +0100 |
||||
@@ -2,7 +2,23 @@ |
||||
# -*- coding: utf-8 -*- |
||||
import re |
||||
import sys |
||||
-from pip._internal.cli.main import main |
||||
+ |
||||
+try: |
||||
+ from pip._internal.cli.main import main |
||||
+except ImportError: |
||||
+ try: |
||||
+ from pip._internal.main import main |
||||
+ except ImportError: |
||||
+ try: |
||||
+ # If the user has downgraded pip, the above import will fail. |
||||
+ # Let's try older methods of invoking it: |
||||
+ |
||||
+ # pip 19 uses this |
||||
+ from pip._internal import main |
||||
+ except ImportError: |
||||
+ # older pip versions use this |
||||
+ from pip import main |
||||
+ |
||||
if __name__ == '__main__': |
||||
sys.argv[0] = re.sub(r'(-script\.pyw|\.exe)?$', '', sys.argv[0]) |
||||
sys.exit(main()) |
@ -0,0 +1,115 @@
@@ -0,0 +1,115 @@
|
||||
From 2c3f3a590ddfc151a456b44a5f96f0f603d178e9 Mon Sep 17 00:00:00 2001 |
||||
From: Lumir Balhar <lbalhar@redhat.com> |
||||
Date: Wed, 16 Feb 2022 08:36:21 +0100 |
||||
Subject: [PATCH] Prevent removing of the system packages installed under |
||||
/usr/lib when pip install --upgrade is executed. |
||||
MIME-Version: 1.0 |
||||
Content-Type: text/plain; charset=UTF-8 |
||||
Content-Transfer-Encoding: 8bit |
||||
|
||||
Resolves: rhbz#1550368 |
||||
|
||||
Co-Authored-By: Michal Cyprian <m.cyprian@gmail.com> |
||||
Co-Authored-By: Victor Stinner <vstinner@redhat.com> |
||||
Co-Authored-By: Petr Viktorin <pviktori@redhat.com> |
||||
Co-Authored-By: Lumir Balhar <lbalhar@redhat.com> |
||||
Co-Authored-By: Miro Hrončok <miro@hroncok.cz> |
||||
Co-Authored-By: Karolina Surma <ksurma@redhat.com> |
||||
--- |
||||
src/pip/_internal/metadata/base.py | 12 +++++++++++- |
||||
src/pip/_internal/req/req_install.py | 2 +- |
||||
src/pip/_internal/resolution/legacy/resolver.py | 4 +++- |
||||
src/pip/_internal/resolution/resolvelib/factory.py | 12 ++++++++++++ |
||||
4 files changed, 27 insertions(+), 3 deletions(-) |
||||
|
||||
diff --git a/src/pip/_internal/metadata/base.py b/src/pip/_internal/metadata/base.py |
||||
index 151fd6d..f9109cd 100644 |
||||
--- a/src/pip/_internal/metadata/base.py |
||||
+++ b/src/pip/_internal/metadata/base.py |
||||
@@ -28,7 +28,7 @@ from pip._vendor.packaging.utils import NormalizedName |
||||
from pip._vendor.packaging.version import LegacyVersion, Version |
||||
|
||||
from pip._internal.exceptions import NoneMetadataError |
||||
-from pip._internal.locations import site_packages, user_site |
||||
+from pip._internal.locations import get_scheme, site_packages, user_site |
||||
from pip._internal.models.direct_url import ( |
||||
DIRECT_URL_METADATA_NAME, |
||||
DirectUrl, |
||||
@@ -560,6 +560,16 @@ class BaseDistribution(Protocol): |
||||
for extra in self._iter_egg_info_extras(): |
||||
metadata["Provides-Extra"] = extra |
||||
|
||||
+ @property |
||||
+ def in_install_path(self) -> bool: |
||||
+ """ |
||||
+ Return True if given Distribution is installed in |
||||
+ path matching distutils_scheme layout. |
||||
+ """ |
||||
+ norm_path = normalize_path(self.installed_location) |
||||
+ return norm_path.startswith(normalize_path( |
||||
+ get_scheme("").purelib.split('python')[0])) |
||||
+ |
||||
|
||||
class BaseEnvironment: |
||||
"""An environment containing distributions to introspect.""" |
||||
diff --git a/src/pip/_internal/req/req_install.py b/src/pip/_internal/req/req_install.py |
||||
index a1e376c..ed7facf 100644 |
||||
--- a/src/pip/_internal/req/req_install.py |
||||
+++ b/src/pip/_internal/req/req_install.py |
||||
@@ -416,7 +416,7 @@ class InstallRequirement: |
||||
f"lack sys.path precedence to {existing_dist.raw_name} " |
||||
f"in {existing_dist.location}" |
||||
) |
||||
- else: |
||||
+ elif existing_dist.in_install_path: |
||||
self.should_reinstall = True |
||||
else: |
||||
if self.editable: |
||||
diff --git a/src/pip/_internal/resolution/legacy/resolver.py b/src/pip/_internal/resolution/legacy/resolver.py |
||||
index fb49d41..040f2c1 100644 |
||||
--- a/src/pip/_internal/resolution/legacy/resolver.py |
||||
+++ b/src/pip/_internal/resolution/legacy/resolver.py |
||||
@@ -325,7 +325,9 @@ class Resolver(BaseResolver): |
||||
""" |
||||
# Don't uninstall the conflict if doing a user install and the |
||||
# conflict is not a user install. |
||||
- if not self.use_user_site or req.satisfied_by.in_usersite: |
||||
+ if ((not self.use_user_site |
||||
+ or req.satisfied_by.in_usersite) |
||||
+ and req.satisfied_by.in_install_path): |
||||
req.should_reinstall = True |
||||
req.satisfied_by = None |
||||
|
||||
diff --git a/src/pip/_internal/resolution/resolvelib/factory.py b/src/pip/_internal/resolution/resolvelib/factory.py |
||||
index a4c24b5..e7e2da9 100644 |
||||
--- a/src/pip/_internal/resolution/resolvelib/factory.py |
||||
+++ b/src/pip/_internal/resolution/resolvelib/factory.py |
||||
@@ -1,6 +1,8 @@ |
||||
import contextlib |
||||
import functools |
||||
import logging |
||||
+import sys |
||||
+import sysconfig |
||||
from typing import ( |
||||
TYPE_CHECKING, |
||||
Dict, |
||||
@@ -549,6 +551,16 @@ class Factory: |
||||
if dist is None: # Not installed, no uninstallation required. |
||||
return None |
||||
|
||||
+ # Prevent uninstalling packages from /usr |
||||
+ try: |
||||
+ if dist.installed_location in ( |
||||
+ sysconfig.get_path('purelib', scheme='posix_prefix', vars={'base': sys.base_prefix}), |
||||
+ sysconfig.get_path('platlib', scheme='posix_prefix', vars={'platbase': sys.base_prefix}), |
||||
+ ): |
||||
+ return None |
||||
+ except KeyError: # this Python doesn't have 'rpm_prefix' scheme yet |
||||
+ pass |
||||
+ |
||||
# We're installing into global site. The current installation must |
||||
# be uninstalled, no matter it's in global or user site, because the |
||||
# user site installation has precedence over global. |
||||
-- |
||||
2.35.3 |
||||
|
@ -0,0 +1,388 @@
@@ -0,0 +1,388 @@
|
||||
%global __python3 /usr/bin/python3.11 |
||||
%global python3_pkgversion 3.11 |
||||
|
||||
%bcond_with tests |
||||
|
||||
%global srcname pip |
||||
%global base_version 22.3.1 |
||||
%global upstream_version %{base_version}%{?prerel} |
||||
%global python_wheel_name %{srcname}-%{upstream_version}-py3-none-any.whl |
||||
|
||||
%global bashcompdir %(pkg-config --variable=completionsdir bash-completion 2>/dev/null) |
||||
|
||||
Name: python%{python3_pkgversion}-%{srcname} |
||||
Version: %{base_version}%{?prerel:~%{prerel}} |
||||
Release: 5%{?dist} |
||||
Summary: A tool for installing and managing Python packages |
||||
|
||||
# We bundle a lot of libraries with pip, which itself is under MIT license. |
||||
# Here is the list of the libraries with corresponding licenses: |
||||
|
||||
# appdirs: MIT |
||||
# certifi: MPLv2.0 |
||||
# chardet: LGPLv2 |
||||
# colorama: BSD |
||||
# CacheControl: ASL 2.0 |
||||
# distlib: Python |
||||
# distro: ASL 2.0 |
||||
# html5lib: MIT |
||||
# idna: BSD |
||||
# ipaddress: Python |
||||
# msgpack: ASL 2.0 |
||||
# packaging: ASL 2.0 or BSD |
||||
# pep517: MIT |
||||
# progress: ISC |
||||
# pygments: BSD |
||||
# pyparsing: MIT |
||||
# requests: ASL 2.0 |
||||
# resolvelib: ISC |
||||
# rich: MIT |
||||
# setuptools: MIT |
||||
# six: MIT |
||||
# tenacity: ASL 2.0 |
||||
# tomli: MIT |
||||
# typing-extensions: Python |
||||
# urllib3: MIT |
||||
# webencodings: BSD |
||||
|
||||
License: MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD) |
||||
URL: https://pip.pypa.io/ |
||||
Source0: https://github.com/pypa/pip/archive/%{upstream_version}/%{srcname}-%{upstream_version}.tar.gz |
||||
BuildArch: noarch |
||||
|
||||
# Prevent removing of the system packages installed under /usr/lib |
||||
# when pip install -U is executed. |
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1550368#c24 |
||||
# Could be replaced with https://www.python.org/dev/peps/pep-0668/ |
||||
Patch0: remove-existing-dist-only-if-path-conflicts.patch |
||||
|
||||
# Use the system level root certificate instead of the one bundled in certifi |
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1655253 |
||||
# The same patch is a part of the RPM-packaged python-certifi |
||||
Patch1: dummy-certifi.patch |
||||
|
||||
# Don't warn the user about pip._internal.main() entrypoint |
||||
# In Fedora, we use that in ensurepip and users cannot do anything about it, |
||||
# this warning is juts moot. Also, the warning breaks CPython test suite. |
||||
Patch2: nowarn-pip._internal.main.patch |
||||
|
||||
# Don't warn the user about packaging's LegacyVersion being deprecated. |
||||
# (This also breaks Python's test suite when warnings are treated as errors.) |
||||
# Upstream issue: https://github.com/pypa/packaging/issues/368 |
||||
Patch3: no-version-warning.patch |
||||
|
||||
# CVE-2007-4559, PEP-721, PEP-706: Use tarfile.data_filter for extracting |
||||
# - Minimal downstream-only patch, to be replaced by upstream solution |
||||
# proposed in https://github.com/pypa/pip/pull/12214 |
||||
# - Test patch submitted upstream in the above pull request |
||||
# - Patch for vendored distlib, accepted upstream: |
||||
# https://github.com/pypa/distlib/pull/201 |
||||
Patch4: cve-2007-4559-tarfile.patch |
||||
|
||||
# Downstream only patch |
||||
# Users might have local installations of pip from using |
||||
# `pip install --user --upgrade pip` on older/newer versions. |
||||
# If they do that and they run `pip` or `pip3`, the one from /usr/bin is used. |
||||
# However that's the one from this RPM package and the import in there might |
||||
# fail (it tries to import from ~/.local, but older or newer pip is there with |
||||
# a bit different API). |
||||
# We add this patch as a dirty workaround to make /usr/bin/pip* work with |
||||
# both pip10+ (from this RPM) and older or newer (19.3+) pip (from whatever). |
||||
# A proper fix is to put ~/.local/bin in front of /usr/bin in the PATH, |
||||
# however others are against that and we cannot change it for existing |
||||
# installs/user homes anyway. |
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1569488 |
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1571650 |
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1767212 |
||||
# WARNING: /usr/bin/pip* are entrypoints, this cannot be applied in %%prep! |
||||
# %%patch10 doesn't work outside of %%prep, so we add it as a source |
||||
# Note that since pip 20, old main() import paths are preserved for backwards |
||||
# compatibility: https://github.com/pypa/pip/issues/7498 |
||||
# Meaning we don't need to update any of the older pips to support 20+ |
||||
# We also don't need to update Pythons to use new import path in ensurepip |
||||
Source10: pip-allow-different-versions.patch |
||||
|
||||
|
||||
# Virtual provides for the packages bundled by pip. |
||||
# You can generate it with: |
||||
# %%{_rpmconfigdir}/pythonbundles.py --namespace 'python%%{1}dist' src/pip/_vendor/vendor.txt |
||||
%global bundled() %{expand: |
||||
Provides: bundled(python%{1}dist(cachecontrol)) = 0.12.11 |
||||
Provides: bundled(python%{1}dist(certifi)) = 2022.9.24 |
||||
Provides: bundled(python%{1}dist(chardet)) = 5 |
||||
Provides: bundled(python%{1}dist(colorama)) = 0.4.5 |
||||
Provides: bundled(python%{1}dist(distlib)) = 0.3.6 |
||||
Provides: bundled(python%{1}dist(distro)) = 1.7 |
||||
Provides: bundled(python%{1}dist(idna)) = 3.4 |
||||
Provides: bundled(python%{1}dist(msgpack)) = 1.0.4 |
||||
Provides: bundled(python%{1}dist(packaging)) = 21.3 |
||||
Provides: bundled(python%{1}dist(pep517)) = 0.13 |
||||
Provides: bundled(python%{1}dist(platformdirs)) = 2.5.2 |
||||
Provides: bundled(python%{1}dist(pygments)) = 2.13 |
||||
Provides: bundled(python%{1}dist(pyparsing)) = 3.0.9 |
||||
Provides: bundled(python%{1}dist(requests)) = 2.28.1 |
||||
Provides: bundled(python%{1}dist(resolvelib)) = 0.8.1 |
||||
Provides: bundled(python%{1}dist(rich)) = 12.5.1 |
||||
Provides: bundled(python%{1}dist(setuptools)) = 44 |
||||
Provides: bundled(python%{1}dist(six)) = 1.16 |
||||
Provides: bundled(python%{1}dist(tenacity)) = 8.1 |
||||
Provides: bundled(python%{1}dist(tomli)) = 2.0.1 |
||||
Provides: bundled(python%{1}dist(typing-extensions)) = 4.4 |
||||
Provides: bundled(python%{1}dist(urllib3)) = 1.26.12 |
||||
Provides: bundled(python%{1}dist(webencodings)) = 0.5.1 |
||||
} |
||||
|
||||
# Some manylinux1 wheels need libcrypt.so.1. |
||||
# Manylinux1, a common (as of 2019) platform tag for binary wheels, relies |
||||
# on a glibc version that included ancient crypto functions, which were |
||||
# moved to libxcrypt and then removed in: |
||||
# https://fedoraproject.org/wiki/Changes/FullyRemoveDeprecatedAndUnsafeFunctionsFromLibcrypt |
||||
# The manylinux1 standard assumed glibc would keep ABI compatibility, |
||||
# but that's only the case if libcrypt.so.1 (libxcrypt-compat) is around. |
||||
# This should be solved in the next manylinux standard (but it may be |
||||
# a long time until manylinux1 is phased out). |
||||
# See: https://github.com/pypa/manylinux/issues/305 |
||||
# Note that manylinux is only applicable to x86 (both 32 and 64 bits) |
||||
%global crypt_compat_recommends() %{expand: |
||||
Recommends: (libcrypt.so.1()(64bit) if python%{1}(x86-64)) |
||||
Recommends: (libcrypt.so.1 if python%{1}(x86-32)) |
||||
} |
||||
|
||||
BuildRequires: python%{python3_pkgversion}-devel |
||||
BuildRequires: python%{python3_pkgversion}-rpm-macros |
||||
# python3 bootstrap: this is rebuilt before the final build of python3, which |
||||
# adds the dependency on python3-rpm-generators, so we require it manually |
||||
# Note that the package prefix is always python3-, even if we build for 3.X |
||||
BuildRequires: python3-rpm-generators |
||||
# We utilize the main Python's stack sphinx to build the manual pages |
||||
BuildRequires: python3-sphinx |
||||
BuildRequires: python%{python3_pkgversion}-setuptools |
||||
BuildRequires: bash-completion |
||||
BuildRequires: python%{python3_pkgversion}-wheel |
||||
BuildRequires: ca-certificates |
||||
Requires: ca-certificates |
||||
|
||||
%if %{with tests} |
||||
BuildRequires: /usr/bin/git |
||||
BuildRequires: /usr/bin/hg |
||||
BuildRequires: /usr/bin/bzr |
||||
BuildRequires: /usr/bin/svn |
||||
BuildRequires: python%{python3_pkgversion}-setuptools-wheel |
||||
BuildRequires: python%{python3_pkgversion}-wheel-wheel |
||||
BuildRequires: python%{python3_pkgversion}-cryptography |
||||
BuildRequires: python%{python3_pkgversion}-mock |
||||
BuildRequires: python%{python3_pkgversion}-pytest |
||||
BuildRequires: python%{python3_pkgversion}-pretend |
||||
BuildRequires: python%{python3_pkgversion}-freezegun |
||||
BuildRequires: python%{python3_pkgversion}-scripttest |
||||
BuildRequires: python%{python3_pkgversion}-virtualenv |
||||
BuildRequires: python%{python3_pkgversion}-werkzeug |
||||
BuildRequires: python%{python3_pkgversion}-pyyaml |
||||
BuildRequires: python%{python3_pkgversion}-tomli-w |
||||
BuildRequires: python%{python3_pkgversion}-installer |
||||
%endif |
||||
|
||||
|
||||
# pip has to require explicit version of python that provides |
||||
# filters in tarfile module (fix for CVE-2007-4559). |
||||
Requires: python%{python3_pkgversion} >= 3.11.4-3 |
||||
|
||||
|
||||
# This was previously required and we keep it recommended because a lot of |
||||
# sdists installed via pip will try to import setuptools. |
||||
# But pip doesn't actually require setuptools. |
||||
# It can install wheels without them and it can build wheels in isolation mode |
||||
# (using setuptools/flit/poetry/... installed from PyPI). |
||||
# Side note: pip bundles pkg_resources from setuptools for internal usage. |
||||
Recommends: python%{python3_pkgversion}-setuptools |
||||
|
||||
# Virtual provides for the packages bundled by pip: |
||||
%{bundled %{python3_pkgversion}} |
||||
|
||||
%{crypt_compat_recommends %{python3_pkgversion}} |
||||
|
||||
%description -n python%{python3_pkgversion}-%{srcname} |
||||
pip is a package management system used to install and manage software packages |
||||
written in Python. Many packages can be found in the Python Package Index |
||||
(PyPI). pip is a recursive acronym that can stand for either "Pip Installs |
||||
Packages" or "Pip Installs Python". |
||||
|
||||
%package -n %{python_wheel_pkg_prefix}-%{srcname}-wheel |
||||
Summary: The pip wheel |
||||
Requires: ca-certificates |
||||
# Older Python does not provide tarfile filters (fix for CVE-2007-4559). |
||||
Conflicts: python%{python3_pkgversion} < 3.11.4-3 |
||||
|
||||
# Virtual provides for the packages bundled by pip: |
||||
%{bundled %{python3_pkgversion}} |
||||
|
||||
%{crypt_compat_recommends %{python3_pkgversion}} |
||||
|
||||
%description -n %{python_wheel_pkg_prefix}-%{srcname}-wheel |
||||
A Python wheel of pip to use with venv. |
||||
|
||||
%prep |
||||
%autosetup -p1 -n %{srcname}-%{upstream_version} |
||||
|
||||
# this goes together with patch4 |
||||
rm src/pip/_vendor/certifi/*.pem |
||||
|
||||
# Remove unneeded doc dependencies |
||||
sed -i '/myst_parser/d;/sphinx_copybutton/d;/sphinx_inline_tabs/d;/sphinxcontrib.towncrier/d' docs/html/conf.py |
||||
|
||||
# tests expect wheels in here |
||||
ln -s %{python_wheel_dir} tests/data/common_wheels |
||||
|
||||
# Remove windows executable binaries |
||||
rm -v src/pip/_vendor/distlib/*.exe |
||||
sed -i '/\.exe/d' setup.py |
||||
|
||||
%build |
||||
%py3_build_wheel |
||||
|
||||
# Build the man pages |
||||
export PYTHONPATH=./src/ |
||||
sphinx-build-3 -b man docs/man docs/build/man -c docs/html |
||||
|
||||
%install |
||||
# The following is similar to %%pyproject_install, but we don't have |
||||
# /usr/bin/pip yet, so we install using the wheel directly. |
||||
# (This is not standard wheel usage, but the pip wheel supports it -- see |
||||
# pip/__main__.py) |
||||
%{python3} dist/%{python_wheel_name}/pip install \ |
||||
--root %{buildroot} \ |
||||
--no-deps \ |
||||
--disable-pip-version-check \ |
||||
--progress-bar off \ |
||||
--verbose \ |
||||
--ignore-installed \ |
||||
--no-warn-script-location \ |
||||
--no-index \ |
||||
--no-cache-dir \ |
||||
--find-links dist \ |
||||
'pip==%{upstream_version}' |
||||
|
||||
# Install the man pages |
||||
pushd docs/build/man |
||||
install -d %{buildroot}%{_mandir}/man1 |
||||
for MAN in *1; do |
||||
install -pm0644 $MAN %{buildroot}%{_mandir}/man1/${MAN/pip/pip%{python3_pkgversion}} |
||||
install -pm0644 $MAN %{buildroot}%{_mandir}/man1/${MAN/pip/pip-%{python3_pkgversion}} |
||||
done |
||||
popd |
||||
|
||||
# before we ln -s anything, we apply Source10 patch to all pips: |
||||
for PIP in %{buildroot}%{_bindir}/pip*; do |
||||
patch -p1 --no-backup-if-mismatch $PIP < %{SOURCE10} |
||||
done |
||||
|
||||
mkdir -p %{buildroot}%{bashcompdir} |
||||
PYTHONPATH=%{buildroot}%{python3_sitelib} \ |
||||
%{buildroot}%{_bindir}/pip completion --bash \ |
||||
> %{buildroot}%{bashcompdir}/pip%{python3_pkgversion} |
||||
|
||||
# Make bash completion apply to all the 5 symlinks we install |
||||
sed -i -e "s/^\\(complete.*\\) pip\$/\\1 pip{,-}%{python3_pkgversion}/" \ |
||||
-e s/_pip_completion/_pip%{python3_pkgversion}_completion/ \ |
||||
%{buildroot}%{bashcompdir}/pip%{python3_pkgversion} |
||||
|
||||
|
||||
# Provide symlinks to executables to comply with Fedora guidelines for Python |
||||
ln -s ./pip%{python3_pkgversion} %{buildroot}%{_bindir}/pip-%{python3_pkgversion} |
||||
|
||||
|
||||
# Make sure the INSTALLER is not pip and remove RECORD |
||||
# %%pyproject macros do this for all packages |
||||
echo rpm > %{buildroot}%{python3_sitelib}/pip-%{upstream_version}.dist-info/INSTALLER |
||||
rm %{buildroot}%{python3_sitelib}/pip-%{upstream_version}.dist-info/RECORD |
||||
|
||||
mkdir -p %{buildroot}%{python_wheel_dir} |
||||
install -p dist/%{python_wheel_name} -t %{buildroot}%{python_wheel_dir} |
||||
|
||||
# RHEL: Remove binaries conflicting with RHEL's main pip |
||||
rm %{buildroot}%{_bindir}/pip |
||||
rm %{buildroot}%{_bindir}/pip3 |
||||
|
||||
|
||||
%check |
||||
# Verify bundled provides are up to date |
||||
%{_rpmconfigdir}/pythonbundles.py src/pip/_vendor/vendor.txt --namespace 'python%{python3_pkgversion}dist' \ |
||||
--compare-with '%{bundled %{python3_pkgversion}}' |
||||
|
||||
%if %{with tests} |
||||
# Upstream tests |
||||
# bash completion tests only work from installed package |
||||
pytest_k='not completion' |
||||
|
||||
# --deselect'ed tests are not compatible with the latest virtualenv |
||||
# These files contain almost 500 tests so we should enable them back |
||||
# as soon as pip will be compatible upstream |
||||
# https://github.com/pypa/pip/pull/8441 |
||||
%pytest -m 'not network' -k "$(echo $pytest_k)" \ |
||||
--deselect tests/functional --deselect tests/lib/test_lib.py |
||||
%endif |
||||
|
||||
|
||||
%files -n python%{python3_pkgversion}-%{srcname} |
||||
%doc README.rst |
||||
%license %{python3_sitelib}/pip-%{upstream_version}.dist-info/LICENSE.txt |
||||
%{_mandir}/man1/pip%{python3_pkgversion}.* |
||||
%{_mandir}/man1/pip%{python3_pkgversion}-*.* |
||||
%{_mandir}/man1/pip-%{python3_pkgversion}.* |
||||
%{_mandir}/man1/pip-%{python3_pkgversion}-*.* |
||||
%{_bindir}/pip%{python3_pkgversion} |
||||
%{_bindir}/pip-%{python3_pkgversion} |
||||
%{python3_sitelib}/pip* |
||||
%dir %{bashcompdir} |
||||
%{bashcompdir}/pip%{python3_pkgversion} |
||||
|
||||
%files -n %{python_wheel_pkg_prefix}-%{srcname}-wheel |
||||
%license LICENSE.txt |
||||
# we own the dir for simplicity |
||||
%dir %{python_wheel_dir}/ |
||||
%{python_wheel_dir}/%{python_wheel_name} |
||||
|
||||
%changelog |
||||
* Wed Feb 14 2024 Tomáš Hrnčiar <thrnciar@redhat.com> - 22.3.1-5 |
||||
- Require Python with tarfile filters |
||||
Resolves: RHEL-25455 |
||||
|
||||
* Tue Aug 08 2023 Petr Viktorin <pviktori@redhat.com> - 22.3.1-4 |
||||
- Use tarfile.data_filter for extracting (CVE-2007-4559, PEP-721, PEP-706) |
||||
Resolves: RHBZ#2218247 |
||||
|
||||
* Mon Mar 06 2023 Lumír Balhar <lbalhar@redhat.com> - 22.3.1-3 |
||||
- Fix changelog to contain Fedora contributors |
||||
Resolves: RHEL-232 |
||||
|
||||
* Mon Jan 30 2023 Charalampos Stratakis <cstratak@redhat.com> - 22.3.1-2 |
||||
- Add BuildRequires on python3.11-rpm-macros |
||||
|
||||
* Wed Aug 03 2022 Charalampos Stratakis <cstratak@redhat.com> - 22.3.1-1 |
||||
- Initial package |
||||
- Fedora contributions by: |
||||
Bill Nottingham <notting@fedoraproject.org> |
||||
Charalampos Stratakis <cstratak@redhat.com> |
||||
David Malcolm <dmalcolm@redhat.com> |
||||
Dennis Gilmore <dennis@ausil.us> |
||||
Jon Ciesla <limburgher@gmail.com> |
||||
Karolina Surma <ksurma@redhat.com> |
||||
Kevin Fenzi <kevin@fedoraproject.org> |
||||
Kevin Kofler <Kevin@tigcc.ticalc.org> |
||||
Luke Macken <lmacken@redhat.com> |
||||
Lumir Balhar <lbalhar@redhat.com> |
||||
Marcel Plch <mplch@redhat.com> |
||||
Matej Stuchlik <mstuchli@redhat.com> |
||||
Michal Cyprian <m.cyprian@gmail.com> |
||||
Miro Hrončok <miro@hroncok.cz> |
||||
Orion Poplawski <orion@cora.nwra.com> |
||||
Pádraig Brady <P@draigBrady.com> |
||||
Peter Halliday <hoangelos@fedoraproject.org> |
||||
Petr Viktorin <pviktori@redhat.com> |
||||
Robert Kuska <rkuska@redhat.com> |
||||
Slavek Kabrda <bkabrda@redhat.com> |
||||
Tim Flink <tflink@fedoraproject.org> |
||||
Tomáš Hrnčiar <thrnciar@redhat.com> |
||||
Tomas Orsava <torsava@redhat.com> |
||||
Toshio Kuratomi <toshio@fedoraproject.org> |
||||
Ville Skyttä <ville.skytta@iki.fi> |
Loading…
Reference in new issue