diff --git a/.fmf/version b/.fmf/version new file mode 100644 index 0000000..d00491f --- /dev/null +++ b/.fmf/version @@ -0,0 +1 @@ +1 diff --git a/.gitignore b/.gitignore index 5738ed4..e3fee0e 100644 --- a/.gitignore +++ b/.gitignore @@ -41,4 +41,17 @@ /urllib3-1.26.17.tar.gz /urllib3-1.26.18.tar.gz /urllib3-1.26.19.tar.gz -/urllib3-1.26.20.tar.gz +/urllib3-2.0.7.tar.gz +/urllib3-2.1.0.tar.gz +/urllib3-2.2.0.tar.gz +/hypercorn-d1719f8c1570cbd8e6a3719ffdb14a4d72880abb.tar.gz +/urllib3-2.2.1.tar.gz +/urllib3-2.2.2.tar.gz +/urllib3-2.2.3.tar.gz +/urllib3-2.3.0.tar.gz +/urllib3-2.4.0.tar.gz +/urllib3-2.5.0.tar.gz +/urllib3-2.6.0.tar.gz +/urllib3-2.6.1.tar.gz +/urllib3-2.6.2.tar.gz +/urllib3-2.6.3.tar.gz diff --git a/changelog b/changelog index f68b54b..cb8c68f 100644 --- a/changelog +++ b/changelog @@ -1,10 +1,16 @@ -* Wed Jun 26 2024 Lumír Balhar - 1.26.19-1 -- Update to 1.26.19 to fix CVE-2024-37891 (rhbz#2292790) +* Fri Jan 26 2024 Fedora Release Engineering - 1.26.18-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Mon Jan 22 2024 Fedora Release Engineering - 1.26.18-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild * Tue Oct 17 2023 Maxwell G - 1.26.18-1 - Update to 1.26.18. - Mitigates CVE-2023-45803 / GHSA-g4mx-q9vg-27p4. +* Mon Oct 09 2023 Miro Hrončok - 1.26.17-2 +- Switch the hardcoded dependency on urllib3[socks] to a weak one + * Mon Oct 02 2023 Benjamin A. Beasley - 1.26.17-1 - Update to 1.26.17: fix CVE-2023-43804 (GHSA-v845-jxx5-vc9f) diff --git a/plans.fmf b/plans.fmf new file mode 100644 index 0000000..2bb6f53 --- /dev/null +++ b/plans.fmf @@ -0,0 +1,4 @@ +discover: + how: fmf +execute: + how: tmt \ No newline at end of file diff --git a/python-urllib3.rpmlintrc b/python-urllib3.rpmlintrc new file mode 100644 index 0000000..e9bd352 --- /dev/null +++ b/python-urllib3.rpmlintrc @@ -0,0 +1 @@ +addFilter(r"spelling-error \('(gzip|brotli|zstd)',") 
diff --git a/python-urllib3.spec b/python-urllib3.spec
index a2e9555..5b863bf 100644
--- a/python-urllib3.spec
+++ b/python-urllib3.spec
@@ -1,50 +1,43 @@ # When bootstrapping Python, we cannot test this yet -# RHEL does not include the test dependencies -%if 0%{?rhel} -%bcond_with tests -%else -%bcond_without tests -%endif +# RHEL does not include the test dependencies and the dependencies for extras +%bcond tests %{undefined rhel} +%bcond extras %[%{undefined rhel} || %{defined eln}] +%bcond extradeps %{undefined rhel} Name: python-urllib3 -Version: 1.26.20 +Version: 2.6.3 Release: %autorelease Summary: HTTP library with thread-safe connection pooling, file post, and more # SPDX License: MIT URL: https://github.com/urllib3/urllib3 -Source: %{url}/archive/%{version}/urllib3-%{version}.tar.gz +Source0: %{url}/archive/%{version}/urllib3-%{version}.tar.gz +# A special forked copy of Hypercorn is required for testing. We asked about +# the possiblility of using a released version in the future in: +# Path toward testing with a released version of hypercorn? +# https://github.com/urllib3/urllib3/3334 +# Upstream would like to get the necessary changes merged into Hypercorn, but +# explained clearly why the forked copy is needed for now. +# +# Note that tool.uv.sources.hypercorn in pyproject.toml references the +# urllib3-changes branch of https://github.com/urllib3/hypercorn/, and we +# should use the latest commit from that branch, but we package using a commit +# hash for reproducibility. +# +# We do not need to treat this as a bundled dependency because it is not +# installed in the buildroot or otherwise included in any of the binary RPMs. +%global hypercorn_url https://github.com/urllib3/hypercorn +%global hypercorn_commit d1719f8c1570cbd8e6a3719ffdb14a4d72880abb +Source1: %{hypercorn_url}/archive/%{hypercorn_commit}/hypercorn-%{hypercorn_commit}.tar.gz BuildArch: noarch BuildRequires: python3-devel - +# The conditional is important: we benefit from tomcli for editing dependency +# groups, but we do not want it when bootstrapping or in RHEL. 
%if %{with tests} -# Test dependencies are listed only in dev-requirements.txt. Because there are -# linters and coverage tools mixed in, and exact versions are pinned, we resort -# to manual listing. -# mock==3.0.5: patched out in %%prep -# coverage~=6.0;python_version>="3.6": omitted linter/coverage tool -# tornado==6.1.0;python_version>="3.6" -BuildRequires: %{py3_dist tornado} >= 6.1 -# PySocks==1.7.1 -BuildRequires: %{py3_dist PySocks} >= 1.7.1 -# win-inet-pton==1.1.0: Windows-only workaround -# pytest==6.2.4; python_version>="3.10" -BuildRequires: %{py3_dist pytest} >= 6.2.4 -# pytest-timeout==1.4.2 -BuildRequires: %{py3_dist pytest-timeout} >= 1.4.2 -# pytest-freezegun==0.4.2 -BuildRequires: %{py3_dist pytest-freezegun} >= 0.4.2 -# flaky==3.7.0: not really required -# trustme==0.7.0 -BuildRequires: %{py3_dist trustme} >= 0.7 -# cryptography==38.0.3;python_version>="3.6": associated with the deprecated -# “secure” extra -# python-dateutil==2.8.1 -BuildRequires: %{py3_dist python-dateutil} >= 2.8.1 -# gcp-devrel-py-tools==0.0.16: not used in offline testing +BuildRequires: tomcli %endif %global _description %{expand: 
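Review bot: The upstream reference in the new `Source1` comment, `https://github.com/urllib3/urllib3/3334`, has no `issues/` or `pull/` path segment, so it presumably does not resolve as written. Since that link is the only recorded justification for shipping a forked test dependency from a bare commit archive, it should be corrected to the full issue URL. The same comment misspells "possiblility". It would also help the next person who bumps `hypercorn_commit` if the comment said that the matching SHA512 line in `sources` must be regenerated from the archive of that exact commit, for example `# When bumping hypercorn_commit, re-upload the archive so the SHA512 entry in sources matches that commit.`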
@@ -73,25 +66,25 @@ Requires: ca-certificates BuildRequires: %{py3_dist idna} Requires: %{py3_dist idna} -# grep __version__ src/urllib3/packages/six.py -Provides: bundled(python3dist(six)) = 1.16.0 - +%if %{with extradeps} # There has historically been a manual hard dependency on python3-pysocks; -# since bringing it in is the sole function of python3-urllib3+socks, we just -# depend on that instead. -Requires: python3-urllib3+socks = %{version}-%{release} +# since bringing it in is the sole function of python3-urllib3+socks, +# we recommend it, so it is installed by default. +Recommends: python3-urllib3+socks +%endif %description -n python3-urllib3 %{_description} -# We do NOT package the “secure” extra because it is deprecated; see: -# “Deprecate the pyOpenSSL TLS implementation and [secure] extra” -# https://github.com/urllib3/urllib3/issues/2680 -%pyproject_extras_subpkg -n python3-urllib3 brotli socks +%if %{with extras} +%pyproject_extras_subpkg -n python3-urllib3 brotli zstd socks h2 +%endif %prep %autosetup -n urllib3-%{version} +%setup -q -n urllib3-%{version} -T -D -b 1 + # Make sure that the RECENT_DATE value doesn't get too far behind what the current date is. # RECENT_DATE must not be older that 2 years from the build time, or else test_recent_date # (from test/test_connection.py) would fail. However, it shouldn't be to close to the build time either, 
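Review bot: The rewritten comment says the socks extra "is installed by default", but an unversioned `Recommends: python3-urllib3+socks` is only honoured when weak dependencies are enabled. On installs that disable them, PySocks will be absent and `urllib3.contrib.socks` will not import (the `%check` comment later in this diff notes that it requires `urllib3[socks]`). I would add that caveat to the comment, e.g. `# we recommend it, so it is installed by default unless weak dependencies are disabled;` followed by `# consumers that need SOCKS proxies must require python3-urllib3+socks explicitly.` Separately, the added `%setup -q -n urllib3-%{version} -T -D -b 1` unpacks the Hypercorn fork even when the `tests` bcond is off; wrapping it in `%if %{with tests}` would keep the unused source out of such builds. The hunk ends inside the `%prep` comment block, so the rest of that section is not visible here.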
@@ -110,47 +103,85 @@ Requires: python3-urllib3+socks = %{version}-%{release} recent_date=$(date --date "7 month ago" +"%Y, %_m, %_d") sed -i "s/^RECENT_DATE = datetime.date(.*)/RECENT_DATE = datetime.date($recent_date)/" src/urllib3/connection.py -# Use the standard library instead of a backport -sed -i -e 's/^import mock/from unittest import mock/' \ - -e 's/^from mock import /from unittest.mock import /' \ - test/*.py docs/conf.py +%if %{with tests} +# Possible improvements to dependency groups +# https://github.com/urllib3/urllib3/issues/3594 +# Adjust the contents of the "dev" dependency group by removing: +remove_from_dev() { + tomcli set pyproject.toml lists delitem 'dependency-groups.dev' "($1)\b.*" +} +# - Linters, coverage tools, profilers, etc.: +# https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/#_linters +remove_from_dev 'coverage|pytest-memray' +# - Dependencies for maintainer tasks +remove_from_dev 'build|towncrier' +# - Dependencies that are not packaged and not strictly required +remove_from_dev 'pytest-socket' +# - Hypercorn, because we have a special forked version we must use for +# testing instead, so we do not want to generate a dependency on the system +# copy. Note that the system copy is still an indirect dependency via quart +# and quart-trio. +remove_from_dev 'hypercorn' + +# Remove all version bounds for test dependencies. We must attempt to make do +# with what we have. (This also removes any python version or platform +# constraints, which is currently fine, but could theoretically cause trouble +# in the future. We’ll cross that bridge if we ever arrive at it.) +tomcli set pyproject.toml lists replace --type regex_search \ + 'dependency-groups.dev' '[>=]=.*' '' +%endif %generate_buildrequires +export SETUPTOOLS_SCM_PRETEND_VERSION='%{version}' # Generate BR’s from packaged extras even when tests are disabled, to ensure # the extras metapackages are installable if the build succeeds. 
-%pyproject_buildrequires -x brotli,socks +%pyproject_buildrequires %{?with_extradeps:-x brotli,zstd,socks,h2} %{?with_tests:-g dev} %build +export SETUPTOOLS_SCM_PRETEND_VERSION='%{version}' %pyproject_wheel %install %pyproject_install -%pyproject_save_files urllib3 +%pyproject_save_files -l urllib3 +%check +# urllib3.contrib.socks requires urllib3[socks] +# +# urllib3.contrib.emscripten is “special” (import js will fail) +# urllib3.contrib.ntlmpool is deprecated and requires ntlm +# urllib3.contrib.securetransport is macOS only +# urllib3.contrib.pyopenssl requires pyOpenSSL +%{pyproject_check_import %{!?with_extradeps:-e urllib3.contrib.socks -e urllib3.http2*} + -e urllib3.contrib.emscripten* + -e urllib3.contrib.ntlmpool + -e urllib3.contrib.securetransport + -e urllib3.contrib.pyopenssl} + +# Increase the “long timeout” for slower environments; as of this writing, it +# is increased from 0.1 to 0.5 second. +export CI=1 +# Interpose the special forked copy of Hypercorn. +hypercorndir="${PWD}/../hypercorn-%{hypercorn_commit}/src" +export PYTHONPATH="${hypercorndir}:%{buildroot}%{python3_sitelib}" + %if %{with tests} -%check -# Drop the dummyserver tests in koji. They fail there in real builds, but not -# in scratch builds (weird). -ignore="${ignore-} --ignore=test/with_dummyserver/" -# Don't run the Google App Engine tests -ignore="${ignore-} --ignore=test/appengine/" -# Lots of these tests started failing, even for old versions, so it has something -# to do with Fedora in particular. They don't fail in upstream build infrastructure -ignore="${ignore-} --ignore=test/contrib/" -# Tests for Python built without SSL, but Fedora builds with SSL. These tests -# fail when combined with the unbundling of backports-ssl_match_hostname -ignore="${ignore-} --ignore=test/test_no_ssl.py" -%pytest -v ${ignore-} +# This test still times out sometimes, especially on certain architectures, +# even when we export the CI environment variable to increase timeouts. 
+k="${k-}${k+ and }not (TestHTTPProxyManager and test_tunneling_proxy_request_timeout[https-https])" + +%pytest -v -rs ${ignore-} -k "${k-}" +%pytest -v -rs ${ignore-} -k "${k-}" --integration %endif %files -n python3-urllib3 -f %{pyproject_files} -%doc CHANGES.rst README.rst +%doc CHANGES.rst README.md %changelog diff --git a/sources b/sources index 76d15c4..d7b27ef 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ -SHA512 (urllib3-1.26.20.tar.gz) = 63c4263c5e61adf28344e79b6c864c70e555b715a93e735aca5b6e169f041f3e4518961993c86c83dd13bcb149f7dd77b6e90140cf4aa2310c14fcaa0a52179b +SHA512 (urllib3-2.6.3.tar.gz) = 554cedfd97d411fffa9a8ba46f592eab9e58c5fa8822ecd5a73ab45d6adfc188a6b9c4e238d02a4fbd3a1067a25a1de841a33d398d0641e22a32ea414876b615 +SHA512 (hypercorn-d1719f8c1570cbd8e6a3719ffdb14a4d72880abb.tar.gz) = 62d6787d88a2e716f0ac04fc49f6cdc586e473a660ee754ff66961922ae78bcc75d1f78b091e78557dd60f006e8e480114738c7b4ff71beac804e4fc9603240b diff --git a/tests/smoke/smoke.fmf b/tests/smoke/smoke.fmf new file mode 100644 index 0000000..69c01da --- /dev/null +++ b/tests/smoke/smoke.fmf @@ -0,0 +1,5 @@ +test: python3 test.py +framework: shell +require: +- python3 +- python3-urllib3 diff --git a/tests/smoke/test.py b/tests/smoke/test.py new file mode 100644 index 0000000..9ac5805 --- /dev/null +++ b/tests/smoke/test.py @@ -0,0 +1,8 @@ +import urllib3 + +http = urllib3.PoolManager() +r = http.request('GET', 'http://example.com/') +print('status = {0}'.format(r.status)) +print(r.data) +if r.status != 200 or not r.data: + raise SystemExit(1)
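Review bot: The unchanged comment above `%pyproject_buildrequires` still says BuildRequires are generated from the packaged extras so that the metapackages are known to be installable, but the new line only passes `-x brotli,zstd,socks,h2` under `%{?with_extradeps:...}`, while the subpackages are emitted under `%{with extras}`. Where `extras` is on and `extradeps` is off (the `eln` case in the bcond defaults), that guarantee no longer holds, and `%check` also excludes `urllib3.contrib.socks` and `urllib3.http2*` from the import check in that configuration. I would reword the comment along the lines of `# Generate BRs from the extras only when extradeps is enabled; otherwise the extras metapackages are built without an installability check.` Separately, both `%pytest` lines still expand `${ignore-}` although every `ignore=` assignment was removed in this hunk, so that expansion can be dropped.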
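Review bot: The request in this smoke test has no timeout and goes over plain `http://`, so a stalled connection can block the run until the harness kills it. It also never exercises the TLS path, i.e. certificate verification against the `ca-certificates` bundle the package requires. Consider `r = http.request('GET', 'https://example.com/', timeout=10.0)`, so that the check also fails if default certificate verification breaks in a future update. The test depends on outbound network access to a third-party host, which is worth stating in a comment at the top of the file, e.g. `# Requires outbound network access; fails if example.com is unreachable.`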