diff --git a/.fmf/version b/.fmf/version
deleted file mode 100644
index d00491f..0000000
--- a/.fmf/version
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/.gitignore b/.gitignore
index e3fee0e..5738ed4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -41,17 +41,4 @@
 /urllib3-1.26.17.tar.gz
 /urllib3-1.26.18.tar.gz
 /urllib3-1.26.19.tar.gz
-/urllib3-2.0.7.tar.gz
-/urllib3-2.1.0.tar.gz
-/urllib3-2.2.0.tar.gz
-/hypercorn-d1719f8c1570cbd8e6a3719ffdb14a4d72880abb.tar.gz
-/urllib3-2.2.1.tar.gz
-/urllib3-2.2.2.tar.gz
-/urllib3-2.2.3.tar.gz
-/urllib3-2.3.0.tar.gz
-/urllib3-2.4.0.tar.gz
-/urllib3-2.5.0.tar.gz
-/urllib3-2.6.0.tar.gz
-/urllib3-2.6.1.tar.gz
-/urllib3-2.6.2.tar.gz
-/urllib3-2.6.3.tar.gz
+/urllib3-1.26.20.tar.gz
diff --git a/changelog b/changelog
index cb8c68f..f68b54b 100644
--- a/changelog
+++ b/changelog
@@ -1,16 +1,10 @@
-* Fri Jan 26 2024 Fedora Release Engineering - 1.26.18-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Mon Jan 22 2024 Fedora Release Engineering - 1.26.18-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+* Wed Jun 26 2024 Lumír Balhar - 1.26.19-1
+- Update to 1.26.19 to fix CVE-2024-37891 (rhbz#2292790)
 * Tue Oct 17 2023 Maxwell G - 1.26.18-1
 - Update to 1.26.18.
 - Mitigates CVE-2023-45803 / GHSA-g4mx-q9vg-27p4.
-* Mon Oct 09 2023 Miro Hrončok - 1.26.17-2
-- Switch the hardcoded dependency on urllib3[socks] to a weak one
-
 * Mon Oct 02 2023 Benjamin A. Beasley - 1.26.17-1
 - Update to 1.26.17: fix CVE-2023-43804 (GHSA-v845-jxx5-vc9f)
diff --git a/plans.fmf b/plans.fmf
deleted file mode 100644
index 2bb6f53..0000000
--- a/plans.fmf
+++ /dev/null
@@ -1,4 +0,0 @@
-discover:
- how: fmf
-execute:
- how: tmt
\ No newline at end of file
diff --git a/python-urllib3.rpmlintrc b/python-urllib3.rpmlintrc
deleted file mode 100644
index e9bd352..0000000
--- a/python-urllib3.rpmlintrc
+++ /dev/null
@@ -1 +0,0 @@
-addFilter(r"spelling-error \('(gzip|brotli|zstd)',")
diff --git a/python-urllib3.spec b/python-urllib3.spec
index 5b863bf..a2e9555 100644
--- a/python-urllib3.spec
+++ b/python-urllib3.spec
@@ -1,43 +1,50 @@ # When bootstrapping Python, we cannot test this yet -# RHEL does not include the test dependencies and the dependencies for extras -%bcond tests %{undefined rhel} -%bcond extras %[%{undefined rhel} || %{defined eln}] -%bcond extradeps %{undefined rhel} +# RHEL does not include the test dependencies +%if 0%{?rhel} +%bcond_with tests +%else +%bcond_without tests +%endif Name: python-urllib3 -Version: 2.6.3 +Version: 1.26.20 Release: %autorelease Summary: HTTP library with thread-safe connection pooling, file post, and more # SPDX License: MIT URL: https://github.com/urllib3/urllib3 -Source0: %{url}/archive/%{version}/urllib3-%{version}.tar.gz -# A special forked copy of Hypercorn is required for testing. We asked about -# the possiblility of using a released version in the future in: -# Path toward testing with a released version of hypercorn? -# https://github.com/urllib3/urllib3/3334 -# Upstream would like to get the necessary changes merged into Hypercorn, but -# explained clearly why the forked copy is needed for now. -# -# Note that tool.uv.sources.hypercorn in pyproject.toml references the -# urllib3-changes branch of https://github.com/urllib3/hypercorn/, and we -# should use the latest commit from that branch, but we package using a commit -# hash for reproducibility. -# -# We do not need to treat this as a bundled dependency because it is not -# installed in the buildroot or otherwise included in any of the binary RPMs. -%global hypercorn_url https://github.com/urllib3/hypercorn -%global hypercorn_commit d1719f8c1570cbd8e6a3719ffdb14a4d72880abb -Source1: %{hypercorn_url}/archive/%{hypercorn_commit}/hypercorn-%{hypercorn_commit}.tar.gz +Source: %{url}/archive/%{version}/urllib3-%{version}.tar.gz BuildArch: noarch BuildRequires: python3-devel -# The conditional is important: we benefit from tomcli for editing dependency -# groups, but we do not want it when bootstrapping or in RHEL. 
+ %if %{with tests} -BuildRequires: tomcli +# Test dependencies are listed only in dev-requirements.txt. Because there are +# linters and coverage tools mixed in, and exact versions are pinned, we resort +# to manual listing. +# mock==3.0.5: patched out in %%prep +# coverage~=6.0;python_version>="3.6": omitted linter/coverage tool +# tornado==6.1.0;python_version>="3.6" +BuildRequires: %{py3_dist tornado} >= 6.1 +# PySocks==1.7.1 +BuildRequires: %{py3_dist PySocks} >= 1.7.1 +# win-inet-pton==1.1.0: Windows-only workaround +# pytest==6.2.4; python_version>="3.10" +BuildRequires: %{py3_dist pytest} >= 6.2.4 +# pytest-timeout==1.4.2 +BuildRequires: %{py3_dist pytest-timeout} >= 1.4.2 +# pytest-freezegun==0.4.2 +BuildRequires: %{py3_dist pytest-freezegun} >= 0.4.2 +# flaky==3.7.0: not really required +# trustme==0.7.0 +BuildRequires: %{py3_dist trustme} >= 0.7 +# cryptography==38.0.3;python_version>="3.6": associated with the deprecated +# “secure” extra +# python-dateutil==2.8.1 +BuildRequires: %{py3_dist python-dateutil} >= 2.8.1 +# gcp-devrel-py-tools==0.0.16: not used in offline testing %endif %global _description %{expand: 
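Review bot: `Version:` moves from 2.6.3 back to 1.26.20 in this hunk, and nothing in the spec records why the package is held on the 1.26.x line or how security fixes released only in 2.x are tracked for it. The changelog touched in this diff lists CVE fixes only up to the 1.26.19 update, and no `Patch` lines are visible in the hunk, so a reader cannot tell whether later upstream advisories were reviewed for this version. I would add a comment above `Version:` such as `# Held on 1.26.x because <reason>; review each upstream security advisory against this branch and carry needed fixes as patches`. If this change replaces 2.6.3 in the same repository rather than describing a separate branch, installed systems will not move to the lower version without an `Epoch:`, which the hunk does not add.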
@@ -66,25 +73,25 @@ Requires: ca-certificates BuildRequires: %{py3_dist idna} Requires: %{py3_dist idna} -%if %{with extradeps} +# grep __version__ src/urllib3/packages/six.py +Provides: bundled(python3dist(six)) = 1.16.0 + # There has historically been a manual hard dependency on python3-pysocks; -# since bringing it in is the sole function of python3-urllib3+socks, -# we recommend it, so it is installed by default. -Recommends: python3-urllib3+socks -%endif +# since bringing it in is the sole function of python3-urllib3+socks, we just +# depend on that instead. +Requires: python3-urllib3+socks = %{version}-%{release} %description -n python3-urllib3 %{_description} -%if %{with extras} -%pyproject_extras_subpkg -n python3-urllib3 brotli zstd socks h2 -%endif +# We do NOT package the “secure” extra because it is deprecated; see: +# “Deprecate the pyOpenSSL TLS implementation and [secure] extra” +# https://github.com/urllib3/urllib3/issues/2680 +%pyproject_extras_subpkg -n python3-urllib3 brotli socks %prep %autosetup -n urllib3-%{version} -%setup -q -n urllib3-%{version} -T -D -b 1 - # Make sure that the RECENT_DATE value doesn't get too far behind what the current date is. # RECENT_DATE must not be older that 2 years from the build time, or else test_recent_date # (from test/test_connection.py) would fail. However, it shouldn't be to close to the build time either, 
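Review bot: `Provides: bundled(python3dist(six)) = 1.16.0` is a hard-coded value backed only by the comment `# grep __version__ src/urllib3/packages/six.py`, so the declared version can drift from the bundled file on the next update without the build noticing. This Provides is what lets vulnerability tracking find the bundled copy, so I would have `%prep` verify it right after `%autosetup`, for example `grep -F '__version__ = "1.16.0"' src/urllib3/packages/six.py` (adjust the pattern to how the file spells it), ideally with the version held in one `%global` used by both lines. Separately, the hard `Requires: python3-urllib3+socks = %{version}-%{release}` pulls the SOCKS dependency in for every user of the library, and the comment should say why the weak dependency removed here is not acceptable for this branch. The `%prep` section continues past the end of the hunk.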
@@ -103,85 +110,47 @@ Recommends: python3-urllib3+socks recent_date=$(date --date "7 month ago" +"%Y, %_m, %_d") sed -i "s/^RECENT_DATE = datetime.date(.*)/RECENT_DATE = datetime.date($recent_date)/" src/urllib3/connection.py -%if %{with tests} -# Possible improvements to dependency groups -# https://github.com/urllib3/urllib3/issues/3594 -# Adjust the contents of the "dev" dependency group by removing: -remove_from_dev() { - tomcli set pyproject.toml lists delitem 'dependency-groups.dev' "($1)\b.*" -} -# - Linters, coverage tools, profilers, etc.: -# https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/#_linters -remove_from_dev 'coverage|pytest-memray' -# - Dependencies for maintainer tasks -remove_from_dev 'build|towncrier' -# - Dependencies that are not packaged and not strictly required -remove_from_dev 'pytest-socket' -# - Hypercorn, because we have a special forked version we must use for -# testing instead, so we do not want to generate a dependency on the system -# copy. Note that the system copy is still an indirect dependency via quart -# and quart-trio. -remove_from_dev 'hypercorn' - -# Remove all version bounds for test dependencies. We must attempt to make do -# with what we have. (This also removes any python version or platform -# constraints, which is currently fine, but could theoretically cause trouble -# in the future. We’ll cross that bridge if we ever arrive at it.) -tomcli set pyproject.toml lists replace --type regex_search \ - 'dependency-groups.dev' '[>=]=.*' '' -%endif +# Use the standard library instead of a backport +sed -i -e 's/^import mock/from unittest import mock/' \ + -e 's/^from mock import /from unittest.mock import /' \ + test/*.py docs/conf.py %generate_buildrequires -export SETUPTOOLS_SCM_PRETEND_VERSION='%{version}' # Generate BR’s from packaged extras even when tests are disabled, to ensure # the extras metapackages are installable if the build succeeds. 
-%pyproject_buildrequires %{?with_extradeps:-x brotli,zstd,socks,h2} %{?with_tests:-g dev} +%pyproject_buildrequires -x brotli,socks %build -export SETUPTOOLS_SCM_PRETEND_VERSION='%{version}' %pyproject_wheel %install %pyproject_install -%pyproject_save_files -l urllib3 +%pyproject_save_files urllib3 -%check -# urllib3.contrib.socks requires urllib3[socks] -# -# urllib3.contrib.emscripten is “special” (import js will fail) -# urllib3.contrib.ntlmpool is deprecated and requires ntlm -# urllib3.contrib.securetransport is macOS only -# urllib3.contrib.pyopenssl requires pyOpenSSL -%{pyproject_check_import %{!?with_extradeps:-e urllib3.contrib.socks -e urllib3.http2*} - -e urllib3.contrib.emscripten* - -e urllib3.contrib.ntlmpool - -e urllib3.contrib.securetransport - -e urllib3.contrib.pyopenssl} - -# Increase the “long timeout” for slower environments; as of this writing, it -# is increased from 0.1 to 0.5 second. -export CI=1 -# Interpose the special forked copy of Hypercorn. -hypercorndir="${PWD}/../hypercorn-%{hypercorn_commit}/src" -export PYTHONPATH="${hypercorndir}:%{buildroot}%{python3_sitelib}" - %if %{with tests} -# This test still times out sometimes, especially on certain architectures, -# even when we export the CI environment variable to increase timeouts. -k="${k-}${k+ and }not (TestHTTPProxyManager and test_tunneling_proxy_request_timeout[https-https])" - -%pytest -v -rs ${ignore-} -k "${k-}" -%pytest -v -rs ${ignore-} -k "${k-}" --integration +%check +# Drop the dummyserver tests in koji. They fail there in real builds, but not +# in scratch builds (weird). +ignore="${ignore-} --ignore=test/with_dummyserver/" +# Don't run the Google App Engine tests +ignore="${ignore-} --ignore=test/appengine/" +# Lots of these tests started failing, even for old versions, so it has something +# to do with Fedora in particular. 
They don't fail in upstream build infrastructure +ignore="${ignore-} --ignore=test/contrib/" +# Tests for Python built without SSL, but Fedora builds with SSL. These tests +# fail when combined with the unbundling of backports-ssl_match_hostname +ignore="${ignore-} --ignore=test/test_no_ssl.py" +%pytest -v ${ignore-} %endif %files -n python3-urllib3 -f %{pyproject_files} -%doc CHANGES.rst README.md +%doc CHANGES.rst README.rst %changelog diff --git a/sources b/sources index d7b27ef..76d15c4 100644 --- a/sources +++ b/sources @@ -1,2 +1 @@ -SHA512 (urllib3-2.6.3.tar.gz) = 554cedfd97d411fffa9a8ba46f592eab9e58c5fa8822ecd5a73ab45d6adfc188a6b9c4e238d02a4fbd3a1067a25a1de841a33d398d0641e22a32ea414876b615 -SHA512 (hypercorn-d1719f8c1570cbd8e6a3719ffdb14a4d72880abb.tar.gz) = 62d6787d88a2e716f0ac04fc49f6cdc586e473a660ee754ff66961922ae78bcc75d1f78b091e78557dd60f006e8e480114738c7b4ff71beac804e4fc9603240b +SHA512 (urllib3-1.26.20.tar.gz) = 63c4263c5e61adf28344e79b6c864c70e555b715a93e735aca5b6e169f041f3e4518961993c86c83dd13bcb149f7dd77b6e90140cf4aa2310c14fcaa0a52179b diff --git a/tests/smoke/smoke.fmf b/tests/smoke/smoke.fmf deleted file mode 100644 index 69c01da..0000000 --- a/tests/smoke/smoke.fmf +++ /dev/null @@ -1,5 +0,0 @@ -test: python3 test.py -framework: shell -require: -- python3 -- python3-urllib3 diff --git a/tests/smoke/test.py b/tests/smoke/test.py deleted file mode 100644 index 9ac5805..0000000 --- a/tests/smoke/test.py +++ /dev/null @@ -1,8 +0,0 @@ -import urllib3 - -http = urllib3.PoolManager() -r = http.request('GET', 'http://example.com/') -print('status = {0}'.format(r.status)) -print(r.data) -if r.status != 200 or not r.data: - raise SystemExit(1)
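Review bot: `%check` now sits inside `%if %{with tests}` and `%pyproject_check_import` is removed, so a build with tests disabled (the RHEL case in the bcond at the top of the spec) runs no verification of the installed package at all. I would keep `%check` unconditional with an import check ahead of the conditional, that is `%check` followed by `%pyproject_check_import` with `-e` exclusions for the contrib modules this version cannot import, and leave only the `%pytest` line under `%if %{with tests}`. When tests do run, `--ignore=test/with_dummyserver/` and `--ignore=test/contrib/` skip whole directories; these appear to be the tests that exercise the library against a local server, so the comments should name the failing tests or link a bug rather than say `(weird)`, and narrower `-k` deselection would keep the rest running. The smoke test under `tests/smoke/` is deleted in the same diff, which removes the remaining post-install check.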