commit 849f38d8c1be55da59fb6f025c2702c44d601a6f Author: Toshaan Bharvani Date: Fri Oct 18 12:43:58 2024 +0200 initial package creation Signed-off-by: Toshaan Bharvani diff --git a/SOURCES/cve-2007-4559-tarfile.patch b/SOURCES/cve-2007-4559-tarfile.patch new file mode 100644 index 0000000..0073fc1 --- /dev/null +++ b/SOURCES/cve-2007-4559-tarfile.patch @@ -0,0 +1,78 @@ +Minimal patch for pip + +diff -rU3 pip-22.3.1-orig/src/pip/_internal/utils/unpacking.py pip-22.3.1/src/pip/_internal/utils/unpacking.py +--- pip-22.3.1-orig/src/pip/_internal/utils/unpacking.py 2022-11-05 16:25:43.000000000 +0100 ++++ pip-22.3.1/src/pip/_internal/utils/unpacking.py 2023-08-08 13:17:47.705613554 +0200 +@@ -184,6 +184,13 @@ + "outside target directory ({})" + ) + raise InstallationError(message.format(filename, path, location)) ++ ++ # Call the `data` filter for its side effect (raising exception) ++ try: ++ tarfile.data_filter(member.replace(name=fn), location) ++ except tarfile.LinkOutsideDestinationError: ++ pass ++ + if member.isdir(): + ensure_dir(path) + elif member.issym(): + + +Test from https://github.com/pypa/pip/pull/12214 + +diff -rU3 pip-22.3.1-orig/tests/unit/test_utils_unpacking.py pip-22.3.1/tests/unit/test_utils_unpacking.py +--- pip-22.3.1-orig/tests/unit/test_utils_unpacking.py 2022-11-05 16:25:43.000000000 +0100 ++++ pip-22.3.1/tests/unit/test_utils_unpacking.py 2023-08-08 13:17:35.151540108 +0200 +@@ -171,6 +171,23 @@ + test_tar = self.make_tar_file("test_tar.tar", files) + untar_file(test_tar, self.tempdir) + ++ def test_unpack_tar_filter(self) -> None: ++ """ ++ Test that the tarfile.data_filter is used to disallow dangerous ++ behaviour (PEP-721) ++ """ ++ test_tar = os.path.join(self.tempdir, "test_tar_filter.tar") ++ with tarfile.open(test_tar, "w") as mytar: ++ file_tarinfo = tarfile.TarInfo("bad-link") ++ file_tarinfo.type = tarfile.SYMTYPE ++ file_tarinfo.linkname = "../../../../pwn" ++ mytar.addfile(file_tarinfo, io.BytesIO(b"")) ++ with pytest.raises(InstallationError) as e: ++ untar_file(test_tar, self.tempdir) ++ ++ assert "is outside the destination" in str(e.value) ++ ++ + + def test_unpack_tar_unicode(tmpdir: Path) -> None: + test_tar = tmpdir / "test.tar" + + +Patch for vendored distlib from https://github.com/pypa/distlib/pull/201 + +diff --git a/distlib/util.py b/distlib/util.py +index e0622e4..4349d0b 100644 +--- a/src/pip/_vendor/distlib/util.py ++++ b/src/pip/_vendor/distlib/util.py +@@ -1249,6 +1249,19 @@ def check_path(path): + for tarinfo in archive.getmembers(): + if not isinstance(tarinfo.name, text_type): + tarinfo.name = tarinfo.name.decode('utf-8') ++ ++ # Limit extraction of dangerous items, if this Python ++ # allows it easily. If not, just trust the input. ++ # See: https://docs.python.org/3/library/tarfile.html#extraction-filters ++ def extraction_filter(member, path): ++ """Run tarfile.tar_fillter, but raise the expected ValueError""" ++ # This is only called if the current Python has tarfile filters ++ try: ++ return tarfile.tar_filter(member, path) ++ except tarfile.FilterError as exc: ++ raise ValueError(str(exc)) ++ archive.extraction_filter = extraction_filter ++ + archive.extractall(dest_dir) + + finally: diff --git a/SOURCES/dummy-certifi.patch b/SOURCES/dummy-certifi.patch new file mode 100644 index 0000000..8896ce8 --- /dev/null +++ b/SOURCES/dummy-certifi.patch @@ -0,0 +1,128 @@ +From 09c983fdeabe3fa0b90b73f32ddf84a61e498e09 Mon Sep 17 00:00:00 2001 +From: Karolina Surma +Date: Tue, 15 Nov 2022 09:22:46 +0100 +Subject: [PATCH] Dummy certifi patch + +--- + src/pip/_vendor/certifi/core.py | 105 ++------------------------------ + 1 file changed, 6 insertions(+), 99 deletions(-) + +diff --git a/src/pip/_vendor/certifi/core.py b/src/pip/_vendor/certifi/core.py +index c3e5466..eb297f7 100644 +--- a/src/pip/_vendor/certifi/core.py ++++ b/src/pip/_vendor/certifi/core.py +@@ -4,105 +4,12 @@ certifi.py + + This module returns the installation location of cacert.pem or its contents. + """ +-import sys + ++# The RPM-packaged certifi always uses the system certificates ++def where() -> str: ++ return '/etc/pki/tls/certs/ca-bundle.crt' + +-if sys.version_info >= (3, 11): ++def contents() -> str: ++ with open(where(), encoding='utf=8') as data: ++ return data.read() + +- from importlib.resources import as_file, files +- +- _CACERT_CTX = None +- _CACERT_PATH = None +- +- def where() -> str: +- # This is slightly terrible, but we want to delay extracting the file +- # in cases where we're inside of a zipimport situation until someone +- # actually calls where(), but we don't want to re-extract the file +- # on every call of where(), so we'll do it once then store it in a +- # global variable. +- global _CACERT_CTX +- global _CACERT_PATH +- if _CACERT_PATH is None: +- # This is slightly janky, the importlib.resources API wants you to +- # manage the cleanup of this file, so it doesn't actually return a +- # path, it returns a context manager that will give you the path +- # when you enter it and will do any cleanup when you leave it. In +- # the common case of not needing a temporary file, it will just +- # return the file system location and the __exit__() is a no-op. +- # +- # We also have to hold onto the actual context manager, because +- # it will do the cleanup whenever it gets garbage collected, so +- # we will also store that at the global level as well. +- _CACERT_CTX = as_file(files("pip._vendor.certifi").joinpath("cacert.pem")) +- _CACERT_PATH = str(_CACERT_CTX.__enter__()) +- +- return _CACERT_PATH +- +- def contents() -> str: +- return files("pip._vendor.certifi").joinpath("cacert.pem").read_text(encoding="ascii") +- +-elif sys.version_info >= (3, 7): +- +- from importlib.resources import path as get_path, read_text +- +- _CACERT_CTX = None +- _CACERT_PATH = None +- +- def where() -> str: +- # This is slightly terrible, but we want to delay extracting the +- # file in cases where we're inside of a zipimport situation until +- # someone actually calls where(), but we don't want to re-extract +- # the file on every call of where(), so we'll do it once then store +- # it in a global variable. +- global _CACERT_CTX +- global _CACERT_PATH +- if _CACERT_PATH is None: +- # This is slightly janky, the importlib.resources API wants you +- # to manage the cleanup of this file, so it doesn't actually +- # return a path, it returns a context manager that will give +- # you the path when you enter it and will do any cleanup when +- # you leave it. In the common case of not needing a temporary +- # file, it will just return the file system location and the +- # __exit__() is a no-op. +- # +- # We also have to hold onto the actual context manager, because +- # it will do the cleanup whenever it gets garbage collected, so +- # we will also store that at the global level as well. +- _CACERT_CTX = get_path("pip._vendor.certifi", "cacert.pem") +- _CACERT_PATH = str(_CACERT_CTX.__enter__()) +- +- return _CACERT_PATH +- +- def contents() -> str: +- return read_text("pip._vendor.certifi", "cacert.pem", encoding="ascii") +- +-else: +- import os +- import types +- from typing import Union +- +- Package = Union[types.ModuleType, str] +- Resource = Union[str, "os.PathLike"] +- +- # This fallback will work for Python versions prior to 3.7 that lack the +- # importlib.resources module but relies on the existing `where` function +- # so won't address issues with environments like PyOxidizer that don't set +- # __file__ on modules. +- def read_text( +- package: Package, +- resource: Resource, +- encoding: str = 'utf-8', +- errors: str = 'strict' +- ) -> str: +- with open(where(), encoding=encoding) as data: +- return data.read() +- +- # If we don't have importlib.resources, then we will just do the old logic +- # of assuming we're on the filesystem and munge the path directly. +- def where() -> str: +- f = os.path.dirname(__file__) +- +- return os.path.join(f, "cacert.pem") +- +- def contents() -> str: +- return read_text("pip._vendor.certifi", "cacert.pem", encoding="ascii") +-- +2.37.3 + diff --git a/SOURCES/no-version-warning.patch b/SOURCES/no-version-warning.patch new file mode 100644 index 0000000..6c34bec --- /dev/null +++ b/SOURCES/no-version-warning.patch @@ -0,0 +1,16 @@ +diff --git a/src/pip/_vendor/packaging/version.py b/src/pip/_vendor/packaging/version.py +index de9a09a..154e94d 100644 +--- a/src/pip/_vendor/packaging/version.py ++++ b/src/pip/_vendor/packaging/version.py +@@ -108,11 +108,6 @@ class LegacyVersion(_BaseVersion): + self._version = str(version) + self._key = _legacy_cmpkey(self._version) + +- warnings.warn( +- "Creating a LegacyVersion has been deprecated and will be " +- "removed in the next major release", +- DeprecationWarning, +- ) + + def __str__(self) -> str: + return self._version diff --git a/SOURCES/nowarn-pip._internal.main.patch b/SOURCES/nowarn-pip._internal.main.patch new file mode 100644 index 0000000..68f5971 --- /dev/null +++ b/SOURCES/nowarn-pip._internal.main.patch @@ -0,0 +1,76 @@ +From 8dd3793d1bab226cec9c5c49b01718a9634bc403 Mon Sep 17 00:00:00 2001 +From: Karolina Surma +Date: Mon, 10 May 2021 16:48:49 +0200 +Subject: [PATCH] Don't warn the user about pip._internal.main() entrypoint + +In Fedora, we use that in ensurepip and users cannot do anything about it, +this warning is juts moot. Also, the warning breaks CPython test suite. + +Co-Authored-By: =?UTF-8?q?Miro=20Hron=C4=8Dok?= +--- + src/pip/_internal/__init__.py | 2 +- + src/pip/_internal/utils/entrypoints.py | 19 ++++++++++--------- + tests/functional/test_cli.py | 3 ++- + 3 files changed, 13 insertions(+), 11 deletions(-) + +diff --git a/src/pip/_internal/__init__.py b/src/pip/_internal/__init__.py +index 6afb5c6..faf25af 100755 +--- a/src/pip/_internal/__init__.py ++++ b/src/pip/_internal/__init__.py +@@ -16,4 +16,4 @@ def main(args: (Optional[List[str]]) = None) -> int: + """ + from pip._internal.utils.entrypoints import _wrapper + +- return _wrapper(args) ++ return _wrapper(args, _nowarn=True) +diff --git a/src/pip/_internal/utils/entrypoints.py b/src/pip/_internal/utils/entrypoints.py +index f292c64..2e29a5e 100644 +--- a/src/pip/_internal/utils/entrypoints.py ++++ b/src/pip/_internal/utils/entrypoints.py +@@ -20,7 +20,7 @@ if WINDOWS: + ] + + +-def _wrapper(args: Optional[List[str]] = None) -> int: ++def _wrapper(args: Optional[List[str]] = None, _nowarn: bool = False) -> int: + """Central wrapper for all old entrypoints. + + Historically pip has had several entrypoints defined. Because of issues +@@ -32,14 +32,15 @@ def _wrapper(args: Optional[List[str]] = None) -> int: + directing them to an appropriate place for help, we now define all of + our old entrypoints as wrappers for the current one. + """ +- sys.stderr.write( +- "WARNING: pip is being invoked by an old script wrapper. This will " +- "fail in a future version of pip.\n" +- "Please see https://github.com/pypa/pip/issues/5599 for advice on " +- "fixing the underlying issue.\n" +- "To avoid this problem you can invoke Python with '-m pip' instead of " +- "running pip directly.\n" +- ) ++ if not _nowarn: ++ sys.stderr.write( ++ "WARNING: pip is being invoked by an old script wrapper. This will " ++ "fail in a future version of pip.\n" ++ "Please see https://github.com/pypa/pip/issues/5599 for advice on " ++ "fixing the underlying issue.\n" ++ "To avoid this problem you can invoke Python with '-m pip' instead of " ++ "running pip directly.\n" ++ ) + return main(args) + + +diff --git a/tests/functional/test_cli.py b/tests/functional/test_cli.py +index 3e85703..f86c392 100644 +--- a/tests/functional/test_cli.py ++++ b/tests/functional/test_cli.py +@@ -43,4 +43,5 @@ def test_entrypoints_work(entrypoint: str, script: PipTestEnvironment) -> None: + result = script.pip("-V") + result2 = script.run("fake_pip", "-V", allow_stderr_warning=True) + assert result.stdout == result2.stdout +- assert "old script wrapper" in result2.stderr ++ if entrypoint[0] != "fake_pip = pip._internal:main": ++ assert "old script wrapper" in result2.stderr +-- +2.35.3 + diff --git a/SOURCES/pip-allow-different-versions.patch b/SOURCES/pip-allow-different-versions.patch new file mode 100644 index 0000000..4a11517 --- /dev/null +++ b/SOURCES/pip-allow-different-versions.patch @@ -0,0 +1,27 @@ +--- /usr/bin/pip3 2019-11-12 17:37:34.793131862 +0100 ++++ pip3 2019-11-12 17:40:42.014107134 +0100 +@@ -2,7 +2,23 @@ + # -*- coding: utf-8 -*- + import re + import sys +-from pip._internal.cli.main import main ++ ++try: ++ from pip._internal.cli.main import main ++except ImportError: ++ try: ++ from pip._internal.main import main ++ except ImportError: ++ try: ++ # If the user has downgraded pip, the above import will fail. ++ # Let's try older methods of invoking it: ++ ++ # pip 19 uses this ++ from pip._internal import main ++ except ImportError: ++ # older pip versions use this ++ from pip import main ++ + if __name__ == '__main__': + sys.argv[0] = re.sub(r'(-script\.pyw|\.exe)?$', '', sys.argv[0]) + sys.exit(main()) diff --git a/SOURCES/remove-existing-dist-only-if-path-conflicts.patch b/SOURCES/remove-existing-dist-only-if-path-conflicts.patch new file mode 100644 index 0000000..3a9ea25 --- /dev/null +++ b/SOURCES/remove-existing-dist-only-if-path-conflicts.patch @@ -0,0 +1,115 @@ +From 2c3f3a590ddfc151a456b44a5f96f0f603d178e9 Mon Sep 17 00:00:00 2001 +From: Lumir Balhar +Date: Wed, 16 Feb 2022 08:36:21 +0100 +Subject: [PATCH] Prevent removing of the system packages installed under + /usr/lib when pip install --upgrade is executed. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Resolves: rhbz#1550368 + +Co-Authored-By: Michal Cyprian +Co-Authored-By: Victor Stinner +Co-Authored-By: Petr Viktorin +Co-Authored-By: Lumir Balhar +Co-Authored-By: Miro Hrončok +Co-Authored-By: Karolina Surma +--- + src/pip/_internal/metadata/base.py | 12 +++++++++++- + src/pip/_internal/req/req_install.py | 2 +- + src/pip/_internal/resolution/legacy/resolver.py | 4 +++- + src/pip/_internal/resolution/resolvelib/factory.py | 12 ++++++++++++ + 4 files changed, 27 insertions(+), 3 deletions(-) + +diff --git a/src/pip/_internal/metadata/base.py b/src/pip/_internal/metadata/base.py +index 151fd6d..f9109cd 100644 +--- a/src/pip/_internal/metadata/base.py ++++ b/src/pip/_internal/metadata/base.py +@@ -28,7 +28,7 @@ from pip._vendor.packaging.utils import NormalizedName + from pip._vendor.packaging.version import LegacyVersion, Version + + from pip._internal.exceptions import NoneMetadataError +-from pip._internal.locations import site_packages, user_site ++from pip._internal.locations import get_scheme, site_packages, user_site + from pip._internal.models.direct_url import ( + DIRECT_URL_METADATA_NAME, + DirectUrl, +@@ -560,6 +560,16 @@ class BaseDistribution(Protocol): + for extra in self._iter_egg_info_extras(): + metadata["Provides-Extra"] = extra + ++ @property ++ def in_install_path(self) -> bool: ++ """ ++ Return True if given Distribution is installed in ++ path matching distutils_scheme layout. ++ """ ++ norm_path = normalize_path(self.installed_location) ++ return norm_path.startswith(normalize_path( ++ get_scheme("").purelib.split('python')[0])) ++ + + class BaseEnvironment: + """An environment containing distributions to introspect.""" +diff --git a/src/pip/_internal/req/req_install.py b/src/pip/_internal/req/req_install.py +index a1e376c..ed7facf 100644 +--- a/src/pip/_internal/req/req_install.py ++++ b/src/pip/_internal/req/req_install.py +@@ -416,7 +416,7 @@ class InstallRequirement: + f"lack sys.path precedence to {existing_dist.raw_name} " + f"in {existing_dist.location}" + ) +- else: ++ elif existing_dist.in_install_path: + self.should_reinstall = True + else: + if self.editable: +diff --git a/src/pip/_internal/resolution/legacy/resolver.py b/src/pip/_internal/resolution/legacy/resolver.py +index fb49d41..040f2c1 100644 +--- a/src/pip/_internal/resolution/legacy/resolver.py ++++ b/src/pip/_internal/resolution/legacy/resolver.py +@@ -325,7 +325,9 @@ class Resolver(BaseResolver): + """ + # Don't uninstall the conflict if doing a user install and the + # conflict is not a user install. +- if not self.use_user_site or req.satisfied_by.in_usersite: ++ if ((not self.use_user_site ++ or req.satisfied_by.in_usersite) ++ and req.satisfied_by.in_install_path): + req.should_reinstall = True + req.satisfied_by = None + +diff --git a/src/pip/_internal/resolution/resolvelib/factory.py b/src/pip/_internal/resolution/resolvelib/factory.py +index a4c24b5..e7e2da9 100644 +--- a/src/pip/_internal/resolution/resolvelib/factory.py ++++ b/src/pip/_internal/resolution/resolvelib/factory.py +@@ -1,6 +1,8 @@ + import contextlib + import functools + import logging ++import sys ++import sysconfig + from typing import ( + TYPE_CHECKING, + Dict, +@@ -549,6 +551,16 @@ class Factory: + if dist is None: # Not installed, no uninstallation required. + return None + ++ # Prevent uninstalling packages from /usr ++ try: ++ if dist.installed_location in ( ++ sysconfig.get_path('purelib', scheme='posix_prefix', vars={'base': sys.base_prefix}), ++ sysconfig.get_path('platlib', scheme='posix_prefix', vars={'platbase': sys.base_prefix}), ++ ): ++ return None ++ except KeyError: # this Python doesn't have 'rpm_prefix' scheme yet ++ pass ++ + # We're installing into global site. The current installation must + # be uninstalled, no matter it's in global or user site, because the + # user site installation has precedence over global. +-- +2.35.3 + diff --git a/SPECS/python3.11-pip.spec b/SPECS/python3.11-pip.spec new file mode 100644 index 0000000..7e4e9d4 --- /dev/null +++ b/SPECS/python3.11-pip.spec @@ -0,0 +1,388 @@ +%global __python3 /usr/bin/python3.11 +%global python3_pkgversion 3.11 + +%bcond_with tests + +%global srcname pip +%global base_version 22.3.1 +%global upstream_version %{base_version}%{?prerel} +%global python_wheel_name %{srcname}-%{upstream_version}-py3-none-any.whl + +%global bashcompdir %(pkg-config --variable=completionsdir bash-completion 2>/dev/null) + +Name: python%{python3_pkgversion}-%{srcname} +Version: %{base_version}%{?prerel:~%{prerel}} +Release: 5%{?dist} +Summary: A tool for installing and managing Python packages + +# We bundle a lot of libraries with pip, which itself is under MIT license. +# Here is the list of the libraries with corresponding licenses: + +# appdirs: MIT +# certifi: MPLv2.0 +# chardet: LGPLv2 +# colorama: BSD +# CacheControl: ASL 2.0 +# distlib: Python +# distro: ASL 2.0 +# html5lib: MIT +# idna: BSD +# ipaddress: Python +# msgpack: ASL 2.0 +# packaging: ASL 2.0 or BSD +# pep517: MIT +# progress: ISC +# pygments: BSD +# pyparsing: MIT +# requests: ASL 2.0 +# resolvelib: ISC +# rich: MIT +# setuptools: MIT +# six: MIT +# tenacity: ASL 2.0 +# tomli: MIT +# typing-extensions: Python +# urllib3: MIT +# webencodings: BSD + +License: MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD) +URL: https://pip.pypa.io/ +Source0: https://github.com/pypa/pip/archive/%{upstream_version}/%{srcname}-%{upstream_version}.tar.gz +BuildArch: noarch + +# Prevent removing of the system packages installed under /usr/lib +# when pip install -U is executed. +# https://bugzilla.redhat.com/show_bug.cgi?id=1550368#c24 +# Could be replaced with https://www.python.org/dev/peps/pep-0668/ +Patch0: remove-existing-dist-only-if-path-conflicts.patch + +# Use the system level root certificate instead of the one bundled in certifi +# https://bugzilla.redhat.com/show_bug.cgi?id=1655253 +# The same patch is a part of the RPM-packaged python-certifi +Patch1: dummy-certifi.patch + +# Don't warn the user about pip._internal.main() entrypoint +# In Fedora, we use that in ensurepip and users cannot do anything about it, +# this warning is juts moot. Also, the warning breaks CPython test suite. +Patch2: nowarn-pip._internal.main.patch + +# Don't warn the user about packaging's LegacyVersion being deprecated. +# (This also breaks Python's test suite when warnings are treated as errors.) +# Upstream issue: https://github.com/pypa/packaging/issues/368 +Patch3: no-version-warning.patch + +# CVE-2007-4559, PEP-721, PEP-706: Use tarfile.data_filter for extracting +# - Minimal downstream-only patch, to be replaced by upstream solution +# proposed in https://github.com/pypa/pip/pull/12214 +# - Test patch submitted upstream in the above pull request +# - Patch for vendored distlib, accepted upstream: +# https://github.com/pypa/distlib/pull/201 +Patch4: cve-2007-4559-tarfile.patch + +# Downstream only patch +# Users might have local installations of pip from using +# `pip install --user --upgrade pip` on older/newer versions. +# If they do that and they run `pip` or `pip3`, the one from /usr/bin is used. +# However that's the one from this RPM package and the import in there might +# fail (it tries to import from ~/.local, but older or newer pip is there with +# a bit different API). +# We add this patch as a dirty workaround to make /usr/bin/pip* work with +# both pip10+ (from this RPM) and older or newer (19.3+) pip (from whatever). +# A proper fix is to put ~/.local/bin in front of /usr/bin in the PATH, +# however others are against that and we cannot change it for existing +# installs/user homes anyway. +# https://bugzilla.redhat.com/show_bug.cgi?id=1569488 +# https://bugzilla.redhat.com/show_bug.cgi?id=1571650 +# https://bugzilla.redhat.com/show_bug.cgi?id=1767212 +# WARNING: /usr/bin/pip* are entrypoints, this cannot be applied in %%prep! +# %%patch10 doesn't work outside of %%prep, so we add it as a source +# Note that since pip 20, old main() import paths are preserved for backwards +# compatibility: https://github.com/pypa/pip/issues/7498 +# Meaning we don't need to update any of the older pips to support 20+ +# We also don't need to update Pythons to use new import path in ensurepip +Source10: pip-allow-different-versions.patch + + +# Virtual provides for the packages bundled by pip. +# You can generate it with: +# %%{_rpmconfigdir}/pythonbundles.py --namespace 'python%%{1}dist' src/pip/_vendor/vendor.txt +%global bundled() %{expand: +Provides: bundled(python%{1}dist(cachecontrol)) = 0.12.11 +Provides: bundled(python%{1}dist(certifi)) = 2022.9.24 +Provides: bundled(python%{1}dist(chardet)) = 5 +Provides: bundled(python%{1}dist(colorama)) = 0.4.5 +Provides: bundled(python%{1}dist(distlib)) = 0.3.6 +Provides: bundled(python%{1}dist(distro)) = 1.7 +Provides: bundled(python%{1}dist(idna)) = 3.4 +Provides: bundled(python%{1}dist(msgpack)) = 1.0.4 +Provides: bundled(python%{1}dist(packaging)) = 21.3 +Provides: bundled(python%{1}dist(pep517)) = 0.13 +Provides: bundled(python%{1}dist(platformdirs)) = 2.5.2 +Provides: bundled(python%{1}dist(pygments)) = 2.13 +Provides: bundled(python%{1}dist(pyparsing)) = 3.0.9 +Provides: bundled(python%{1}dist(requests)) = 2.28.1 +Provides: bundled(python%{1}dist(resolvelib)) = 0.8.1 +Provides: bundled(python%{1}dist(rich)) = 12.5.1 +Provides: bundled(python%{1}dist(setuptools)) = 44 +Provides: bundled(python%{1}dist(six)) = 1.16 +Provides: bundled(python%{1}dist(tenacity)) = 8.1 +Provides: bundled(python%{1}dist(tomli)) = 2.0.1 +Provides: bundled(python%{1}dist(typing-extensions)) = 4.4 +Provides: bundled(python%{1}dist(urllib3)) = 1.26.12 +Provides: bundled(python%{1}dist(webencodings)) = 0.5.1 +} + +# Some manylinux1 wheels need libcrypt.so.1. +# Manylinux1, a common (as of 2019) platform tag for binary wheels, relies +# on a glibc version that included ancient crypto functions, which were +# moved to libxcrypt and then removed in: +# https://fedoraproject.org/wiki/Changes/FullyRemoveDeprecatedAndUnsafeFunctionsFromLibcrypt +# The manylinux1 standard assumed glibc would keep ABI compatibility, +# but that's only the case if libcrypt.so.1 (libxcrypt-compat) is around. +# This should be solved in the next manylinux standard (but it may be +# a long time until manylinux1 is phased out). +# See: https://github.com/pypa/manylinux/issues/305 +# Note that manylinux is only applicable to x86 (both 32 and 64 bits) +%global crypt_compat_recommends() %{expand: +Recommends: (libcrypt.so.1()(64bit) if python%{1}(x86-64)) +Recommends: (libcrypt.so.1 if python%{1}(x86-32)) +} + +BuildRequires: python%{python3_pkgversion}-devel +BuildRequires: python%{python3_pkgversion}-rpm-macros +# python3 bootstrap: this is rebuilt before the final build of python3, which +# adds the dependency on python3-rpm-generators, so we require it manually +# Note that the package prefix is always python3-, even if we build for 3.X +BuildRequires: python3-rpm-generators +# We utilize the main Python's stack sphinx to build the manual pages +BuildRequires: python3-sphinx +BuildRequires: python%{python3_pkgversion}-setuptools +BuildRequires: bash-completion +BuildRequires: python%{python3_pkgversion}-wheel +BuildRequires: ca-certificates +Requires: ca-certificates + +%if %{with tests} +BuildRequires: /usr/bin/git +BuildRequires: /usr/bin/hg +BuildRequires: /usr/bin/bzr +BuildRequires: /usr/bin/svn +BuildRequires: python%{python3_pkgversion}-setuptools-wheel +BuildRequires: python%{python3_pkgversion}-wheel-wheel +BuildRequires: python%{python3_pkgversion}-cryptography +BuildRequires: python%{python3_pkgversion}-mock +BuildRequires: python%{python3_pkgversion}-pytest +BuildRequires: python%{python3_pkgversion}-pretend +BuildRequires: python%{python3_pkgversion}-freezegun +BuildRequires: python%{python3_pkgversion}-scripttest +BuildRequires: python%{python3_pkgversion}-virtualenv +BuildRequires: python%{python3_pkgversion}-werkzeug +BuildRequires: python%{python3_pkgversion}-pyyaml +BuildRequires: python%{python3_pkgversion}-tomli-w +BuildRequires: python%{python3_pkgversion}-installer +%endif + + +# pip has to require explicit version of python that provides +# filters in tarfile module (fix for CVE-2007-4559). +Requires: python%{python3_pkgversion} >= 3.11.4-3 + + +# This was previously required and we keep it recommended because a lot of +# sdists installed via pip will try to import setuptools. +# But pip doesn't actually require setuptools. +# It can install wheels without them and it can build wheels in isolation mode +# (using setuptools/flit/poetry/... installed from PyPI). +# Side note: pip bundles pkg_resources from setuptools for internal usage. +Recommends: python%{python3_pkgversion}-setuptools + +# Virtual provides for the packages bundled by pip: +%{bundled %{python3_pkgversion}} + +%{crypt_compat_recommends %{python3_pkgversion}} + +%description -n python%{python3_pkgversion}-%{srcname} +pip is a package management system used to install and manage software packages +written in Python. Many packages can be found in the Python Package Index +(PyPI). pip is a recursive acronym that can stand for either "Pip Installs +Packages" or "Pip Installs Python". + +%package -n %{python_wheel_pkg_prefix}-%{srcname}-wheel +Summary: The pip wheel +Requires: ca-certificates +# Older Python does not provide tarfile filters (fix for CVE-2007-4559). +Conflicts: python%{python3_pkgversion} < 3.11.4-3 + +# Virtual provides for the packages bundled by pip: +%{bundled %{python3_pkgversion}} + +%{crypt_compat_recommends %{python3_pkgversion}} + +%description -n %{python_wheel_pkg_prefix}-%{srcname}-wheel +A Python wheel of pip to use with venv. + +%prep +%autosetup -p1 -n %{srcname}-%{upstream_version} + +# this goes together with patch4 +rm src/pip/_vendor/certifi/*.pem + +# Remove unneeded doc dependencies +sed -i '/myst_parser/d;/sphinx_copybutton/d;/sphinx_inline_tabs/d;/sphinxcontrib.towncrier/d' docs/html/conf.py + +# tests expect wheels in here +ln -s %{python_wheel_dir} tests/data/common_wheels + +# Remove windows executable binaries +rm -v src/pip/_vendor/distlib/*.exe +sed -i '/\.exe/d' setup.py + +%build +%py3_build_wheel + +# Build the man pages +export PYTHONPATH=./src/ +sphinx-build-3 -b man docs/man docs/build/man -c docs/html + +%install +# The following is similar to %%pyproject_install, but we don't have +# /usr/bin/pip yet, so we install using the wheel directly. +# (This is not standard wheel usage, but the pip wheel supports it -- see +# pip/__main__.py) +%{python3} dist/%{python_wheel_name}/pip install \ + --root %{buildroot} \ + --no-deps \ + --disable-pip-version-check \ + --progress-bar off \ + --verbose \ + --ignore-installed \ + --no-warn-script-location \ + --no-index \ + --no-cache-dir \ + --find-links dist \ + 'pip==%{upstream_version}' + +# Install the man pages +pushd docs/build/man +install -d %{buildroot}%{_mandir}/man1 +for MAN in *1; do +install -pm0644 $MAN %{buildroot}%{_mandir}/man1/${MAN/pip/pip%{python3_pkgversion}} +install -pm0644 $MAN %{buildroot}%{_mandir}/man1/${MAN/pip/pip-%{python3_pkgversion}} +done +popd + +# before we ln -s anything, we apply Source10 patch to all pips: +for PIP in %{buildroot}%{_bindir}/pip*; do + patch -p1 --no-backup-if-mismatch $PIP < %{SOURCE10} +done + +mkdir -p %{buildroot}%{bashcompdir} +PYTHONPATH=%{buildroot}%{python3_sitelib} \ + %{buildroot}%{_bindir}/pip completion --bash \ + > %{buildroot}%{bashcompdir}/pip%{python3_pkgversion} + +# Make bash completion apply to all the 5 symlinks we install +sed -i -e "s/^\\(complete.*\\) pip\$/\\1 pip{,-}%{python3_pkgversion}/" \ + -e s/_pip_completion/_pip%{python3_pkgversion}_completion/ \ + %{buildroot}%{bashcompdir}/pip%{python3_pkgversion} + + +# Provide symlinks to executables to comply with Fedora guidelines for Python +ln -s ./pip%{python3_pkgversion} %{buildroot}%{_bindir}/pip-%{python3_pkgversion} + + +# Make sure the INSTALLER is not pip and remove RECORD +# %%pyproject macros do this for all packages +echo rpm > %{buildroot}%{python3_sitelib}/pip-%{upstream_version}.dist-info/INSTALLER +rm %{buildroot}%{python3_sitelib}/pip-%{upstream_version}.dist-info/RECORD + +mkdir -p %{buildroot}%{python_wheel_dir} +install -p dist/%{python_wheel_name} -t %{buildroot}%{python_wheel_dir} + +# RHEL: Remove binaries conflicting with RHEL's main pip +rm %{buildroot}%{_bindir}/pip +rm %{buildroot}%{_bindir}/pip3 + + +%check +# Verify bundled provides are up to date +%{_rpmconfigdir}/pythonbundles.py src/pip/_vendor/vendor.txt --namespace 'python%{python3_pkgversion}dist' \ + --compare-with '%{bundled %{python3_pkgversion}}' + +%if %{with tests} +# Upstream tests +# bash completion tests only work from installed package +pytest_k='not completion' + +# --deselect'ed tests are not compatible with the latest virtualenv +# These files contain almost 500 tests so we should enable them back +# as soon as pip will be compatible upstream +# https://github.com/pypa/pip/pull/8441 +%pytest -m 'not network' -k "$(echo $pytest_k)" \ + --deselect tests/functional --deselect tests/lib/test_lib.py +%endif + + +%files -n python%{python3_pkgversion}-%{srcname} +%doc README.rst +%license %{python3_sitelib}/pip-%{upstream_version}.dist-info/LICENSE.txt +%{_mandir}/man1/pip%{python3_pkgversion}.* +%{_mandir}/man1/pip%{python3_pkgversion}-*.* +%{_mandir}/man1/pip-%{python3_pkgversion}.* +%{_mandir}/man1/pip-%{python3_pkgversion}-*.* +%{_bindir}/pip%{python3_pkgversion} +%{_bindir}/pip-%{python3_pkgversion} +%{python3_sitelib}/pip* +%dir %{bashcompdir} +%{bashcompdir}/pip%{python3_pkgversion} + +%files -n %{python_wheel_pkg_prefix}-%{srcname}-wheel +%license LICENSE.txt +# we own the dir for simplicity +%dir %{python_wheel_dir}/ +%{python_wheel_dir}/%{python_wheel_name} + +%changelog +* Wed Feb 14 2024 Tomáš Hrnčiar - 22.3.1-5 +- Require Python with tarfile filters +Resolves: RHEL-25455 + +* Tue Aug 08 2023 Petr Viktorin - 22.3.1-4 +- Use tarfile.data_filter for extracting (CVE-2007-4559, PEP-721, PEP-706) +Resolves: RHBZ#2218247 + +* Mon Mar 06 2023 Lumír Balhar - 22.3.1-3 +- Fix changelog to contain Fedora contributors +Resolves: RHEL-232 + +* Mon Jan 30 2023 Charalampos Stratakis - 22.3.1-2 +- Add BuildRequires on python3.11-rpm-macros + +* Wed Aug 03 2022 Charalampos Stratakis - 22.3.1-1 +- Initial package +- Fedora contributions by: + Bill Nottingham + Charalampos Stratakis + David Malcolm + Dennis Gilmore + Jon Ciesla + Karolina Surma + Kevin Fenzi + Kevin Kofler + Luke Macken + Lumir Balhar + Marcel Plch + Matej Stuchlik + Michal Cyprian + Miro Hrončok + Orion Poplawski + Pádraig Brady + Peter Halliday + Petr Viktorin + Robert Kuska + Slavek Kabrda + Tim Flink + Tomáš Hrnčiar + Tomas Orsava + Toshio Kuratomi + Ville Skyttä