From b8b7567aeecca104ae526e92800fa1de0fee1758 Mon Sep 17 00:00:00 2001
From: "Benjamin A. Beasley"
Date: Tue, 15 Apr 2025 07:50:41 -0400
Subject: [PATCH 01/14] =?UTF-8?q?In=20the=20CI=20smoke=20test,=20do=20not?= =?UTF-8?q?=20check=20for=20a=20=E2=80=98server=E2=80=99=20header?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
It no longer seems to be present, and this particular header was not the point of the test.
---
 tests/smoke/test.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tests/smoke/test.py b/tests/smoke/test.py
index d622ddd..9ac5805 100644
--- a/tests/smoke/test.py
+++ b/tests/smoke/test.py
@@ -3,7 +3,6 @@ import urllib3
 http = urllib3.PoolManager()
 r = http.request('GET', 'http://example.com/')
 print('status = {0}'.format(r.status))
-print("headers['server'] = {0}".format(r.headers['server']))
 print(r.data)
 if r.status != 200 or not r.data: raise SystemExit(1)
From 85033d9c3d0b4fdaedf1b6351868fe5f92416fc4 Mon Sep 17 00:00:00 2001
From: "Benjamin A. Beasley"
Date: Sat, 12 Apr 2025 07:35:04 -0400
Subject: [PATCH 02/14] Update to 2.4.0 (close RHBZ#2358892)
---
 .gitignore | 1 +
 python-urllib3.spec | 81 +++++++++++++++++++++------------------------
 sources | 2 +-
 3 files changed, 39 insertions(+), 45 deletions(-)
diff --git a/.gitignore b/.gitignore
index 08d4b37..f08b3a1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -49,3 +49,4 @@
 /urllib3-2.2.2.tar.gz
 /urllib3-2.2.3.tar.gz
 /urllib3-2.3.0.tar.gz
+/urllib3-2.4.0.tar.gz
diff --git a/python-urllib3.spec b/python-urllib3.spec
index 999385c..d0dba77 100644
--- a/python-urllib3.spec
+++ b/python-urllib3.spec
@@ -5,7 +5,7 @@
 %bcond extradeps %{undefined rhel}
 Name: python-urllib3
-Version: 2.3.0
+Version: 2.4.0
 Release: %autorelease
 Summary: HTTP library with thread-safe connection pooling, file post, and more
@@ -20,9 +20,10 @@ Source0: %{url}/archive/%{version}/urllib3-%{version}.tar.gz
 # Upstream would like to get the necessary changes merged into Hypercorn, but
 # explained clearly why the forked copy is needed for now.
 #
-# Note that dev-requirements.txt references the urllib3-changes branch of
-# https://github.com/urllib3/hypercorn/, and we should use the latest commit
-# from that branch, but we package using a commit hash for reproducibility.
+# Note that tool.uv.sources.hypercorn in pyproject.toml references the
+# urllib3-changes branch of https://github.com/urllib3/hypercorn/, and we
+# should use the latest commit from that branch, but we package using a commit
+# hash for reproducibility.
 #
 # We do not need to treat this as a bundled dependency because it is not
 # installed in the buildroot or otherwise included in any of the binary RPMs.
@@ -33,46 +34,10 @@ Source1: %{hypercorn_url}/archive/%{hypercorn_commit}/hypercorn-%{hypercorn_commit}.tar.gz
 BuildArch: noarch
 BuildRequires: python3-devel
-
+# The conditional is important: we benefit from tomcli for editing dependency
+# groups, but we do not want it when bootstrapping or in RHEL.
 %if %{with tests}
-# Test dependencies are listed only in dev-requirements.txt. Because there are
-# linters and coverage tools mixed in, and exact versions are pinned, we resort
-# to manual listing.
-# h2==4.1.0: also in the h2 extra
-BuildRequires: %{py3_dist h2}
-# coverage==7.6.4: omitted linter/coverage tool
-# PySocks==1.7.1
-BuildRequires: %{py3_dist PySocks}
-# pytest==8.0.2
-BuildRequires: %{py3_dist pytest}
-# pytest-timeout==2.1.0
-BuildRequires: %{py3_dist pytest-timeout}
-# pyOpenSSL==24.2.1
-BuildRequires: %{py3_dist pyOpenSSL}
-# idna==3.7
-BuildRequires: %{py3_dist idna}
-# trustme==1.2.0
-BuildRequires: %{py3_dist trustme}
-# cryptography==43.0.1
-BuildRequires: %{py3_dist cryptography}
-# towncrier==23.6.0: used for generating a changelog
-# pytest-memray==1.5.0;python_version<"3.14" and sys_platform!="win32" and
-# implementation_name=="cpython": not packaged, unwanted profiler
-# trio==0.26.2
-BuildRequires: %{py3_dist trio}
-# # https://github.com/pallets/quart/pull/369
-# Quart @ git+https://github.com/pallets/quart@67110bf383d8973bce1619e957b4b6ea088ad9f2
-BuildRequires: %{py3_dist Quart}
-# quart-trio==0.11.1
-BuildRequires: %{py3_dist quart-trio}
-# # https://github.com/pgjones/hypercorn/issues/62
-# # https://github.com/pgjones/hypercorn/issues/168
-# # https://github.com/pgjones/hypercorn/issues/169
-# hypercorn @ git+https://github.com/urllib3/hypercorn@urllib3-changes
-# hypercorn is packaged, but we need the forked/bundled version
-# httpx==0.25.2
-BuildRequires: %{py3_dist httpx}
-# pytest-socket==0.7.0: not packaged, not strictly required
+BuildRequires: tomcli
 %endif
 %global _description %{expand:
@@ -138,12 +103,40 @@ Recommends: python3-urllib3+socks
 recent_date=$(date --date "7 month ago" +"%Y, %_m, %_d")
 sed -i "s/^RECENT_DATE = datetime.date(.*)/RECENT_DATE = datetime.date($recent_date)/" src/urllib3/connection.py
+%if %{with tests}
+# Possible improvements to dependency groups
+# https://github.com/urllib3/urllib3/issues/3594
+# Adjust the contents of the "dev" dependency group by removing:
+remove_from_dev() {
+ tomcli set pyproject.toml lists delitem 'dependency-groups.dev' "($1)\b.*"
+}
+# - Linters, coverage tools, profilers, etc.:
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/#_linters
+remove_from_dev 'coverage|pytest-memray'
+# - Dependencies for maintainer tasks
+remove_from_dev 'build|towncrier'
+# - Dependencies that are not packaged and not strictly required
+remove_from_dev 'pytest-socket'
+# - Hypercorn, because we have a special forked version we must use for
+# testing instead, so we do not want to generate a dependency on the system
+# copy. Note that the system copy is still an indirect dependency via quart
+# and quart-trio.
+remove_from_dev 'hypercorn'
+
+# Remove all version bounds for test dependencies. We must attempt to make do
+# with what we have. (This also removes any python version or platform
+# constraints, which is currently fine, but could theoretically cause trouble
+# in the future. We’ll cross that bridge if we ever arrive at it.)
+tomcli set pyproject.toml lists replace --type regex_search \
+ 'dependency-groups.dev' '[>=]=.*' ''
+%endif
+
 %generate_buildrequires
 export SETUPTOOLS_SCM_PRETEND_VERSION='%{version}'
 # Generate BR’s from packaged extras even when tests are disabled, to ensure
 # the extras metapackages are installable if the build succeeds.
-%pyproject_buildrequires %{?with_extradeps:-x brotli,zstd,socks,h2}
+%pyproject_buildrequires %{?with_extradeps:-x brotli,zstd,socks,h2} %{?with_tests:-g dev}
 %build
diff --git a/sources b/sources
index 6c51285..2812134 100644
--- a/sources
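Review bot: The `'[>=]=.*'` pattern in the `tomcli set pyproject.toml lists replace` call, inside the `%if %{with tests}` block that the `@@ -138,12 +103,40 @@` hunk adds to `%prep` in python-urllib3.spec, only recognises `>=` and `==`, although the comment above it says all version bounds are removed. An entry in `dependency-groups.dev` that upstream later bounds with `~=`, `<=`, `!=` or a bare `<`/`>` would not match and would keep its bound, so `%pyproject_buildrequires -g dev` would presumably emit a versioned BuildRequires. Either widen the class, for example `'[~<>=!]=.*'` (bare `<`/`>` would still need their own alternative), or narrow the comment to `# Remove == and >= bounds for test dependencies.` so the limitation is visible.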
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (urllib3-2.3.0.tar.gz) = 7b4b8732f4a4cddb8a6f6854d21febcbecba0762bff65d2291d95d1f54a972c3168f8d7ca1786edfb5c0a0c955cf3812ff6fe1b7925973d3fe31077fbfbdc39c
+SHA512 (urllib3-2.4.0.tar.gz) = 78afd6daea5594381783cae2cc3efbfcc89455da7f86994a17bd86c3c840d2e304fd3b744e8c0789cbbe6704502ef03a1bbaaadd2b1713b084adb250cfdffb9f
 SHA512 (hypercorn-d1719f8c1570cbd8e6a3719ffdb14a4d72880abb.tar.gz) = 62d6787d88a2e716f0ac04fc49f6cdc586e473a660ee754ff66961922ae78bcc75d1f78b091e78557dd60f006e8e480114738c7b4ff71beac804e4fc9603240b
From e2a4d0479834d85eaeceb7ecc263f3369b9ed2d9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?=
Date: Thu, 29 May 2025 11:46:29 +0200
Subject: [PATCH 03/14] Unpin hatch-vcs version
---
 python-urllib3.spec | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/python-urllib3.spec b/python-urllib3.spec
index d0dba77..1f8532b 100644
--- a/python-urllib3.spec
+++ b/python-urllib3.spec
@@ -85,6 +85,10 @@ Recommends: python3-urllib3+socks
 %autosetup -n urllib3-%{version}
 %setup -q -n urllib3-%{version} -T -D -b 1
+# Unpin hatch-vcs version
+# See https://github.com/urllib3/urllib3/issues/3612
+sed -i 's/hatch-vcs==/hatch-vcs>=/' pyproject.toml
+
 # Make sure that the RECENT_DATE value doesn't get too far behind what the current date is.
 # RECENT_DATE must not be older that 2 years from the build time, or else test_recent_date
 # (from test/test_connection.py) would fail. However, it shouldn't be to close to the build time either,
From da087985d09435caf96c61f2f9a26a7845159e9e Mon Sep 17 00:00:00 2001
From: Python Maint
Date: Tue, 3 Jun 2025 09:58:05 +0200
Subject: [PATCH 04/14] Bootstrap for Python 3.14
---
 python-urllib3.spec | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/python-urllib3.spec b/python-urllib3.spec
index 1f8532b..a65a8af 100644
--- a/python-urllib3.spec
+++ b/python-urllib3.spec
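Review bot: The `sed -i 's/hatch-vcs==/hatch-vcs>=/' pyproject.toml` line that the PATCH 03/14 hunk (`@@ -85,6 +85,10 @@`) adds to `%prep` exits successfully even when nothing matches, so the workaround can silently stop applying once upstream rewrites that requirement. A guard placed before it, `grep -q 'hatch-vcs==' pyproject.toml`, would make `%prep` fail at that point (assuming the usual `sh -e` scriptlet execution) and signal that the edit is stale. The `sed -i 's/setuptools-scm>=8,<9/setuptools-scm>=8,<10/' pyproject.toml` line added in PATCH 10/14 has the same property. Both edits loosen a build-backend requirement, so it is worth keeping them traceable and easy to retire.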
@@ -1,3 +1,5 @@
+%global _without_extradeps 1
+%global _without_tests 1
 # When bootstrapping Python, we cannot test this yet
 # RHEL does not include the test dependencies and the dependencies for extras
 %bcond tests %{undefined rhel}
From 50a131c01cecedd5ad415b51ad64183293236c7f Mon Sep 17 00:00:00 2001
From: "Benjamin A. Beasley"
Date: Fri, 13 Jun 2025 08:13:47 -0400
Subject: [PATCH 05/14] Non-bootstrap build for Python 3.14
---
 python-urllib3.spec | 2 --
 1 file changed, 2 deletions(-)
diff --git a/python-urllib3.spec b/python-urllib3.spec
index a65a8af..1f8532b 100644
--- a/python-urllib3.spec
+++ b/python-urllib3.spec
@@ -1,5 +1,3 @@
-%global _without_extradeps 1
-%global _without_tests 1
 # When bootstrapping Python, we cannot test this yet
 # RHEL does not include the test dependencies and the dependencies for extras
 %bcond tests %{undefined rhel}
From 30af009037c3510c9f30a7b0c78061aba3e6480b Mon Sep 17 00:00:00 2001
From: Fedora Release Engineering
Date: Fri, 25 Jul 2025 10:59:26 +0000
Subject: [PATCH 06/14] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
From e5f7f4eaa8f27aecfebf26af53bb5500cb7755bf Mon Sep 17 00:00:00 2001
From: Karolina Surma
Date: Thu, 7 Aug 2025 16:09:56 +0200
Subject: [PATCH 07/14] Update to 2.5.0 (rhbz#2375401)
---
 .gitignore | 1 +
 python-urllib3.spec | 2 +-
 sources | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/.gitignore b/.gitignore
index f08b3a1..cbe6feb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -50,3 +50,4 @@
 /urllib3-2.2.3.tar.gz
 /urllib3-2.3.0.tar.gz
 /urllib3-2.4.0.tar.gz
+/urllib3-2.5.0.tar.gz
diff --git a/python-urllib3.spec b/python-urllib3.spec
index 1f8532b..d56aabc 100644
--- a/python-urllib3.spec
+++ b/python-urllib3.spec
@@ -5,7 +5,7 @@
 %bcond extradeps %{undefined rhel}
 Name: python-urllib3
-Version: 2.4.0
+Version: 2.5.0
 Release: %autorelease
 Summary: HTTP library with thread-safe connection pooling, file post, and more
diff --git a/sources b/sources
index 2812134..c289b5f 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (urllib3-2.4.0.tar.gz) = 78afd6daea5594381783cae2cc3efbfcc89455da7f86994a17bd86c3c840d2e304fd3b744e8c0789cbbe6704502ef03a1bbaaadd2b1713b084adb250cfdffb9f
+SHA512 (urllib3-2.5.0.tar.gz) = 492ebb3e0481ee5433f45bef184ddb01714dedcbe2eb61665c781f3dcd0d9a226204052d64215c02e8972155560bc146395022723f79c076cb59abe1c0ef51ff
 SHA512 (hypercorn-d1719f8c1570cbd8e6a3719ffdb14a4d72880abb.tar.gz) = 62d6787d88a2e716f0ac04fc49f6cdc586e473a660ee754ff66961922ae78bcc75d1f78b091e78557dd60f006e8e480114738c7b4ff71beac804e4fc9603240b
From 53699eb0701d033a32eddf1643c63303c13942b1 Mon Sep 17 00:00:00 2001
From: Python Maint
Date: Fri, 15 Aug 2025 15:06:11 +0200
Subject: [PATCH 08/14] Rebuilt for Python 3.14.0rc2 bytecode
From b97cc1ac48029944152d8227cd8a0476a5014fc0 Mon Sep 17 00:00:00 2001
From: Python Maint
Date: Fri, 19 Sep 2025 14:42:14 +0200
Subject: [PATCH 09/14] Rebuilt for Python 3.14.0rc3 bytecode
From 9b878192d61ca16c137dc73e869f255df013da44 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?=
Date: Mon, 8 Dec 2025 12:37:59 +0100
Subject: [PATCH 10/14] Allow building with setuptools_scm 9
---
 python-urllib3.spec | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/python-urllib3.spec b/python-urllib3.spec
index d56aabc..7d4d9ba 100644
--- a/python-urllib3.spec
+++ b/python-urllib3.spec
@@ -88,6 +88,8 @@ Recommends: python3-urllib3+socks
 # Unpin hatch-vcs version
 # See https://github.com/urllib3/urllib3/issues/3612
 sed -i 's/hatch-vcs==/hatch-vcs>=/' pyproject.toml
+# Allow setuptools_scm 9, https://github.com/urllib3/urllib3/commit/1ce1b59ec6
+sed -i 's/setuptools-scm>=8,<9/setuptools-scm>=8,<10/' pyproject.toml
 # Make sure that the RECENT_DATE value doesn't get too far behind what the current date is.
 # RECENT_DATE must not be older that 2 years from the build time, or else test_recent_date
From 5baec5bbecb9d967237ff5c28d36298997feeb8a Mon Sep 17 00:00:00 2001
From: "Benjamin A. Beasley"
Date: Mon, 8 Dec 2025 11:12:58 +0000
Subject: [PATCH 11/14] Update to 2.6.1 (close RHBZ#2419408)
- Fixes CVE-2025-66471 / GHSA-2xpw-w6gg-jr37
- Fixes CVE-2025-66418 / GHSA-gm62-xv2j-4w53
---
 .gitignore | 2 ++
 python-urllib3.spec | 8 +-------
 sources | 2 +-
 3 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/.gitignore b/.gitignore
index cbe6feb..12cf6b3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -51,3 +51,5 @@
 /urllib3-2.3.0.tar.gz
 /urllib3-2.4.0.tar.gz
 /urllib3-2.5.0.tar.gz
+/urllib3-2.6.0.tar.gz
+/urllib3-2.6.1.tar.gz
diff --git a/python-urllib3.spec b/python-urllib3.spec
index 7d4d9ba..17659fd 100644
--- a/python-urllib3.spec
+++ b/python-urllib3.spec
@@ -5,7 +5,7 @@
 %bcond extradeps %{undefined rhel}
 Name: python-urllib3
-Version: 2.5.0
+Version: 2.6.1
 Release: %autorelease
 Summary: HTTP library with thread-safe connection pooling, file post, and more
@@ -85,12 +85,6 @@ Recommends: python3-urllib3+socks
 %autosetup -n urllib3-%{version}
 %setup -q -n urllib3-%{version} -T -D -b 1
-# Unpin hatch-vcs version
-# See https://github.com/urllib3/urllib3/issues/3612
-sed -i 's/hatch-vcs==/hatch-vcs>=/' pyproject.toml
-# Allow setuptools_scm 9, https://github.com/urllib3/urllib3/commit/1ce1b59ec6
-sed -i 's/setuptools-scm>=8,<9/setuptools-scm>=8,<10/' pyproject.toml
-
 # Make sure that the RECENT_DATE value doesn't get too far behind what the current date is.
 # RECENT_DATE must not be older that 2 years from the build time, or else test_recent_date
 # (from test/test_connection.py) would fail. However, it shouldn't be to close to the build time either,
diff --git a/sources b/sources
index c289b5f..ecf4691 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (urllib3-2.5.0.tar.gz) = 492ebb3e0481ee5433f45bef184ddb01714dedcbe2eb61665c781f3dcd0d9a226204052d64215c02e8972155560bc146395022723f79c076cb59abe1c0ef51ff
+SHA512 (urllib3-2.6.1.tar.gz) = a5935e42cfa843688f68e2c71de3eff4c505907bd155f41a6f3406000cfaa060db0184a18448e269192c3f69861f5630a112fe207874da45bf475bebbdeb2b83
 SHA512 (hypercorn-d1719f8c1570cbd8e6a3719ffdb14a4d72880abb.tar.gz) = 62d6787d88a2e716f0ac04fc49f6cdc586e473a660ee754ff66961922ae78bcc75d1f78b091e78557dd60f006e8e480114738c7b4ff71beac804e4fc9603240b
From 994f0a13b1a5689dd47975ada30224d3cecdea3d Mon Sep 17 00:00:00 2001
From: "Benjamin A. Beasley"
Date: Fri, 12 Dec 2025 06:59:19 +0000
Subject: [PATCH 12/14] Update to 2.6.2 (close RHBZ#2421420)
---
 .gitignore | 1 +
 python-urllib3.spec | 2 +-
 sources | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/.gitignore b/.gitignore
index 12cf6b3..bd674b9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -53,3 +53,4 @@
 /urllib3-2.5.0.tar.gz
 /urllib3-2.6.0.tar.gz
 /urllib3-2.6.1.tar.gz
+/urllib3-2.6.2.tar.gz
diff --git a/python-urllib3.spec b/python-urllib3.spec
index 17659fd..7b2af84 100644
--- a/python-urllib3.spec
+++ b/python-urllib3.spec
@@ -5,7 +5,7 @@
 %bcond extradeps %{undefined rhel}
 Name: python-urllib3
-Version: 2.6.1
+Version: 2.6.2
 Release: %autorelease
 Summary: HTTP library with thread-safe connection pooling, file post, and more
diff --git a/sources b/sources
index ecf4691..a84bd3c 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (urllib3-2.6.1.tar.gz) = a5935e42cfa843688f68e2c71de3eff4c505907bd155f41a6f3406000cfaa060db0184a18448e269192c3f69861f5630a112fe207874da45bf475bebbdeb2b83
+SHA512 (urllib3-2.6.2.tar.gz) = 7d2167924922f27cd618bb3f8b56a3c4c6a49254ec5ee7ee48aba6d39cd924e40c58db9b759b0a41ac676f7273b56fe8978d6e20b798ff9b8c8c745c74cf9a15
 SHA512 (hypercorn-d1719f8c1570cbd8e6a3719ffdb14a4d72880abb.tar.gz) = 62d6787d88a2e716f0ac04fc49f6cdc586e473a660ee754ff66961922ae78bcc75d1f78b091e78557dd60f006e8e480114738c7b4ff71beac804e4fc9603240b
From 78aa0cc35e74f25a92ba0538c60af2eef0c771db Mon Sep 17 00:00:00 2001
From: "Benjamin A. Beasley"
Date: Wed, 7 Jan 2026 23:24:55 +0000
Subject: [PATCH 13/14] Update .rpmlintrc file [skip changelog]
---
 python-urllib3.rpmlintrc | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/python-urllib3.rpmlintrc b/python-urllib3.rpmlintrc
index 0b83833..e9bd352 100644
--- a/python-urllib3.rpmlintrc
+++ b/python-urllib3.rpmlintrc
@@ -1,6 +1 @@
-# It is normal that extras metapackages should not have documentation, or any
-# files at all.
-addFilter(r"\+\w+\.\w+: W: no-documentation")
-# Not real spelling errors
-addFilter(r"spelling-error \('([Mm]etapackage)s?',")
 addFilter(r"spelling-error \('(gzip|brotli|zstd)',")
From cd3e490d533b1b4c3aaea5cddbc7aec5e0e82fb0 Mon Sep 17 00:00:00 2001
From: "Benjamin A. Beasley"
Date: Wed, 7 Jan 2026 23:19:39 +0000
Subject: [PATCH 14/14] Update to 2.6.3 (close RHBZ#2427603)
---
 .gitignore | 1 +
 python-urllib3.spec | 2 +-
 sources | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/.gitignore b/.gitignore
index bd674b9..e3fee0e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -54,3 +54,4 @@
 /urllib3-2.6.0.tar.gz
 /urllib3-2.6.1.tar.gz
 /urllib3-2.6.2.tar.gz
+/urllib3-2.6.3.tar.gz
diff --git a/python-urllib3.spec b/python-urllib3.spec
index 7b2af84..5b863bf 100644
--- a/python-urllib3.spec
+++ b/python-urllib3.spec
@@ -5,7 +5,7 @@
 %bcond extradeps %{undefined rhel}
 Name: python-urllib3
-Version: 2.6.2
+Version: 2.6.3
 Release: %autorelease
 Summary: HTTP library with thread-safe connection pooling, file post, and more
diff --git a/sources b/sources
index a84bd3c..d7b27ef 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (urllib3-2.6.2.tar.gz) = 7d2167924922f27cd618bb3f8b56a3c4c6a49254ec5ee7ee48aba6d39cd924e40c58db9b759b0a41ac676f7273b56fe8978d6e20b798ff9b8c8c745c74cf9a15
+SHA512 (urllib3-2.6.3.tar.gz) = 554cedfd97d411fffa9a8ba46f592eab9e58c5fa8822ecd5a73ab45d6adfc188a6b9c4e238d02a4fbd3a1067a25a1de841a33d398d0641e22a32ea414876b615
 SHA512 (hypercorn-d1719f8c1570cbd8e6a3719ffdb14a4d72880abb.tar.gz) = 62d6787d88a2e716f0ac04fc49f6cdc586e473a660ee754ff66961922ae78bcc75d1f78b091e78557dd60f006e8e480114738c7b4ff71beac804e4fc9603240b