Update to 2.6.3 (close RHBZ#2427603)

[skip changelog]

.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -41,4 +41,17 @@
 /urllib3-1.26.17.tar.gz
 /urllib3-1.26.18.tar.gz
 /urllib3-1.26.19.tar.gz
-/urllib3-1.26.20.tar.gz
+/urllib3-2.0.7.tar.gz
+/urllib3-2.1.0.tar.gz
+/urllib3-2.2.0.tar.gz
+/hypercorn-d1719f8c1570cbd8e6a3719ffdb14a4d72880abb.tar.gz
+/urllib3-2.2.1.tar.gz
+/urllib3-2.2.2.tar.gz
+/urllib3-2.2.3.tar.gz
+/urllib3-2.3.0.tar.gz
+/urllib3-2.4.0.tar.gz
+/urllib3-2.5.0.tar.gz
+/urllib3-2.6.0.tar.gz
+/urllib3-2.6.1.tar.gz
+/urllib3-2.6.2.tar.gz
+/urllib3-2.6.3.tar.gz

changelog

@@ -1,10 +1,16 @@
-* Wed Jun 26 2024 Lumír Balhar <lbalhar@redhat.com> - 1.26.19-1
-- Update to 1.26.19 to fix CVE-2024-37891 (rhbz#2292790)
+* Fri Jan 26 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.26.18-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.26.18-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 
 * Tue Oct 17 2023 Maxwell G <maxwell@gtmx.me> - 1.26.18-1
 - Update to 1.26.18.
 - Mitigates CVE-2023-45803 / GHSA-g4mx-q9vg-27p4.
 
+* Mon Oct 09 2023 Miro Hrončok <mhroncok@redhat.com> - 1.26.17-2
+- Switch the hardcoded dependency on urllib3[socks] to a weak one
+
 * Mon Oct 02 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 1.26.17-1
 - Update to 1.26.17: fix CVE-2023-43804 (GHSA-v845-jxx5-vc9f)
 

plans.fmf

@@ -0,0 +1,4 @@
+discover:
+    how: fmf
+execute:
+    how: tmt

python-urllib3.rpmlintrc

@@ -0,0 +1 @@
+addFilter(r"spelling-error \('(gzip|brotli|zstd)',")

python-urllib3.spec

@@ -1,50 +1,43 @@
 # When bootstrapping Python, we cannot test this yet
-# RHEL does not include the test dependencies
-%if 0%{?rhel}
-%bcond_with tests
-%else
-%bcond_without tests
-%endif
+# RHEL does not include the test dependencies and the dependencies for extras
+%bcond tests %{undefined rhel}
+%bcond extras %[%{undefined rhel} || %{defined eln}]
+%bcond extradeps %{undefined rhel}
 
 Name:           python-urllib3
-Version:        1.26.20
+Version:        2.6.3
 Release:        %autorelease
 Summary:        HTTP library with thread-safe connection pooling, file post, and more
 
 # SPDX
 License:        MIT
 URL:            https://github.com/urllib3/urllib3
-Source:         %{url}/archive/%{version}/urllib3-%{version}.tar.gz
+Source0:        %{url}/archive/%{version}/urllib3-%{version}.tar.gz
+# A special forked copy of Hypercorn is required for testing. We asked about
+# the possiblility of using a released version in the future in:
+#   Path toward testing with a released version of hypercorn?
+#   https://github.com/urllib3/urllib3/3334
+# Upstream would like to get the necessary changes merged into Hypercorn, but
+# explained clearly why the forked copy is needed for now.
+#
+# Note that tool.uv.sources.hypercorn in pyproject.toml references the
+# urllib3-changes branch of https://github.com/urllib3/hypercorn/, and we
+# should use the latest commit from that branch, but we package using a commit
+# hash for reproducibility.
+#
+# We do not need to treat this as a bundled dependency because it is not
+# installed in the buildroot or otherwise included in any of the binary RPMs.
+%global hypercorn_url https://github.com/urllib3/hypercorn
+%global hypercorn_commit d1719f8c1570cbd8e6a3719ffdb14a4d72880abb
+Source1:        %{hypercorn_url}/archive/%{hypercorn_commit}/hypercorn-%{hypercorn_commit}.tar.gz
 
 BuildArch:      noarch
 
 BuildRequires:  python3-devel
-
+# The conditional is important: we benefit from tomcli for editing dependency
+# groups, but we do not want it when bootstrapping or in RHEL.
 %if %{with tests}
-# Test dependencies are listed only in dev-requirements.txt. Because there are
-# linters and coverage tools mixed in, and exact versions are pinned, we resort
-# to manual listing.
-# mock==3.0.5: patched out in %%prep
-# coverage~=6.0;python_version>="3.6": omitted linter/coverage tool
-# tornado==6.1.0;python_version>="3.6"
-BuildRequires:  %{py3_dist tornado} >= 6.1
-# PySocks==1.7.1
-BuildRequires:  %{py3_dist PySocks} >= 1.7.1
-# win-inet-pton==1.1.0: Windows-only workaround
-# pytest==6.2.4; python_version>="3.10"
-BuildRequires:  %{py3_dist pytest} >= 6.2.4
-# pytest-timeout==1.4.2
-BuildRequires:  %{py3_dist pytest-timeout} >= 1.4.2
-# pytest-freezegun==0.4.2
-BuildRequires:  %{py3_dist pytest-freezegun} >= 0.4.2
-# flaky==3.7.0: not really required
-# trustme==0.7.0
-BuildRequires:  %{py3_dist trustme} >= 0.7
-# cryptography==38.0.3;python_version>="3.6": associated with the deprecated
-#                                             “secure” extra
-# python-dateutil==2.8.1
-BuildRequires:  %{py3_dist python-dateutil} >= 2.8.1
-# gcp-devrel-py-tools==0.0.16: not used in offline testing
+BuildRequires:  tomcli
 %endif
 
 %global _description %{expand:
@@ -73,25 +66,25 @@ Requires:       ca-certificates
 BuildRequires:  %{py3_dist idna}
 Requires:       %{py3_dist idna}
 
-# grep __version__ src/urllib3/packages/six.py
-Provides:       bundled(python3dist(six)) = 1.16.0
-
+%if %{with extradeps}
 # There has historically been a manual hard dependency on python3-pysocks;
-# since bringing it in is the sole function of python3-urllib3+socks, we just
-# depend on that instead.
-Requires:       python3-urllib3+socks = %{version}-%{release}
+# since bringing it in is the sole function of python3-urllib3+socks,
+# we recommend it, so it is installed by default.
+Recommends:     python3-urllib3+socks
+%endif
 
 %description -n python3-urllib3 %{_description}
 
 
-# We do NOT package the “secure” extra because it is deprecated; see:
-# “Deprecate the pyOpenSSL TLS implementation and [secure] extra”
-# https://github.com/urllib3/urllib3/issues/2680
-%pyproject_extras_subpkg -n python3-urllib3 brotli socks
+%if %{with extras}
+%pyproject_extras_subpkg -n python3-urllib3 brotli zstd socks h2
+%endif
 
 
 %prep
 %autosetup -n urllib3-%{version}
+%setup -q -n urllib3-%{version} -T -D -b 1
+
 # Make sure that the RECENT_DATE value doesn't get too far behind what the current date is.
 # RECENT_DATE must not be older that 2 years from the build time, or else test_recent_date
 # (from test/test_connection.py) would fail. However, it shouldn't be to close to the build time either,
@@ -110,47 +103,85 @@ Requires:       python3-urllib3+socks = %{version}-%{release}
 recent_date=$(date --date "7 month ago" +"%Y, %_m, %_d")
 sed -i "s/^RECENT_DATE = datetime.date(.*)/RECENT_DATE = datetime.date($recent_date)/" src/urllib3/connection.py
 
-# Use the standard library instead of a backport
-sed -i -e 's/^import mock/from unittest import mock/' \
-       -e 's/^from mock import /from unittest.mock import /' \
-    test/*.py docs/conf.py
+%if %{with tests}
+# Possible improvements to dependency groups
+# https://github.com/urllib3/urllib3/issues/3594
+# Adjust the contents of the "dev" dependency group by removing:
+remove_from_dev() {
+  tomcli set pyproject.toml lists delitem 'dependency-groups.dev' "($1)\b.*"
+}
+#   - Linters, coverage tools, profilers, etc.:
+#     https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/#_linters
+remove_from_dev 'coverage|pytest-memray'
+#   - Dependencies for maintainer tasks
+remove_from_dev 'build|towncrier'
+#   - Dependencies that are not packaged and not strictly required
+remove_from_dev 'pytest-socket'
+#   - Hypercorn, because we have a special forked version we must use for
+#     testing instead, so we do not want to generate a dependency on the system
+#     copy. Note that the system copy is still an indirect dependency via quart
+#     and quart-trio.
+remove_from_dev 'hypercorn'
+
+# Remove all version bounds for test dependencies. We must attempt to make do
+# with what we have. (This also removes any python version or platform
+# constraints, which is currently fine, but could theoretically cause trouble
+# in the future. We’ll cross that bridge if we ever arrive at it.)
+tomcli set pyproject.toml lists replace --type regex_search \
+    'dependency-groups.dev' '[>=]=.*' ''
+%endif
 
 
 %generate_buildrequires
+export SETUPTOOLS_SCM_PRETEND_VERSION='%{version}'
 # Generate BR’s from packaged extras even when tests are disabled, to ensure
 # the extras metapackages are installable if the build succeeds.
-%pyproject_buildrequires -x brotli,socks
+%pyproject_buildrequires %{?with_extradeps:-x brotli,zstd,socks,h2} %{?with_tests:-g dev}
 
 
 %build
+export SETUPTOOLS_SCM_PRETEND_VERSION='%{version}'
 %pyproject_wheel
 
 
 %install
 %pyproject_install
 
-%pyproject_save_files urllib3
+%pyproject_save_files -l urllib3
 
 
+%check
+# urllib3.contrib.socks requires urllib3[socks]
+#
+# urllib3.contrib.emscripten is “special” (import js will fail)
+# urllib3.contrib.ntlmpool is deprecated and requires ntlm
+# urllib3.contrib.securetransport is macOS only
+# urllib3.contrib.pyopenssl requires pyOpenSSL
+%{pyproject_check_import %{!?with_extradeps:-e urllib3.contrib.socks -e urllib3.http2*}
+                         -e urllib3.contrib.emscripten*
+                         -e urllib3.contrib.ntlmpool
+                         -e urllib3.contrib.securetransport
+                         -e urllib3.contrib.pyopenssl}
+
+# Increase the “long timeout” for slower environments; as of this writing, it
+# is increased from 0.1 to 0.5 second.
+export CI=1
+# Interpose the special forked copy of Hypercorn.
+hypercorndir="${PWD}/../hypercorn-%{hypercorn_commit}/src"
+export PYTHONPATH="${hypercorndir}:%{buildroot}%{python3_sitelib}"
+
 %if %{with tests}
-%check
-# Drop the dummyserver tests in koji.  They fail there in real builds, but not
-# in scratch builds (weird).
-ignore="${ignore-} --ignore=test/with_dummyserver/"
-# Don't run the Google App Engine tests
-ignore="${ignore-} --ignore=test/appengine/"
-# Lots of these tests started failing, even for old versions, so it has something
-# to do with Fedora in particular. They don't fail in upstream build infrastructure
-ignore="${ignore-} --ignore=test/contrib/"
-# Tests for Python built without SSL, but Fedora builds with SSL. These tests
-# fail when combined with the unbundling of backports-ssl_match_hostname
-ignore="${ignore-} --ignore=test/test_no_ssl.py"
-%pytest -v ${ignore-}
+# This test still times out sometimes, especially on certain architectures,
+# even when we export the CI environment variable to increase timeouts.
+k="${k-}${k+ and }not (TestHTTPProxyManager and test_tunneling_proxy_request_timeout[https-https])"
+
+%pytest -v -rs ${ignore-} -k "${k-}"
+%pytest -v -rs ${ignore-} -k "${k-}" --integration
 %endif
 
 
 %files -n python3-urllib3 -f %{pyproject_files}
-%doc CHANGES.rst README.rst
+%doc CHANGES.rst README.md
 
 
 %changelog

sources

@@ -1 +1,2 @@
-SHA512 (urllib3-1.26.20.tar.gz) = 63c4263c5e61adf28344e79b6c864c70e555b715a93e735aca5b6e169f041f3e4518961993c86c83dd13bcb149f7dd77b6e90140cf4aa2310c14fcaa0a52179b
+SHA512 (urllib3-2.6.3.tar.gz) = 554cedfd97d411fffa9a8ba46f592eab9e58c5fa8822ecd5a73ab45d6adfc188a6b9c4e238d02a4fbd3a1067a25a1de841a33d398d0641e22a32ea414876b615
+SHA512 (hypercorn-d1719f8c1570cbd8e6a3719ffdb14a4d72880abb.tar.gz) = 62d6787d88a2e716f0ac04fc49f6cdc586e473a660ee754ff66961922ae78bcc75d1f78b091e78557dd60f006e8e480114738c7b4ff71beac804e4fc9603240b

tests/smoke/smoke.fmf

@@ -0,0 +1,5 @@
+test: python3 test.py
+framework: shell
+require:
+- python3
+- python3-urllib3

tests/smoke/test.py

@@ -0,0 +1,8 @@
+import urllib3
+
+http = urllib3.PoolManager()
+r = http.request('GET', 'http://example.com/')
+print('status = {0}'.format(r.status))
+print(r.data)
+if r.status != 200 or not r.data:
+    raise SystemExit(1)