Update to 1.26.20

[skip changelog]

.fmf/version

@@ -1 +0,0 @@
-1

.gitignore

@@ -41,17 +41,4 @@
 /urllib3-1.26.17.tar.gz
 /urllib3-1.26.18.tar.gz
 /urllib3-1.26.19.tar.gz
-/urllib3-2.0.7.tar.gz
-/urllib3-2.1.0.tar.gz
-/urllib3-2.2.0.tar.gz
-/hypercorn-d1719f8c1570cbd8e6a3719ffdb14a4d72880abb.tar.gz
-/urllib3-2.2.1.tar.gz
-/urllib3-2.2.2.tar.gz
-/urllib3-2.2.3.tar.gz
-/urllib3-2.3.0.tar.gz
-/urllib3-2.4.0.tar.gz
-/urllib3-2.5.0.tar.gz
-/urllib3-2.6.0.tar.gz
-/urllib3-2.6.1.tar.gz
-/urllib3-2.6.2.tar.gz
-/urllib3-2.6.3.tar.gz
+/urllib3-1.26.20.tar.gz

changelog

@@ -1,16 +1,10 @@
-* Fri Jan 26 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.26.18-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.26.18-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+* Wed Jun 26 2024 Lumír Balhar <lbalhar@redhat.com> - 1.26.19-1
+- Update to 1.26.19 to fix CVE-2024-37891 (rhbz#2292790)
 
 * Tue Oct 17 2023 Maxwell G <maxwell@gtmx.me> - 1.26.18-1
 - Update to 1.26.18.
 - Mitigates CVE-2023-45803 / GHSA-g4mx-q9vg-27p4.
 
-* Mon Oct 09 2023 Miro Hrončok <mhroncok@redhat.com> - 1.26.17-2
-- Switch the hardcoded dependency on urllib3[socks] to a weak one
-
 * Mon Oct 02 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 1.26.17-1
 - Update to 1.26.17: fix CVE-2023-43804 (GHSA-v845-jxx5-vc9f)
 

plans.fmf

@@ -1,4 +0,0 @@
-discover:
-    how: fmf
-execute:
-    how: tmt

python-urllib3.rpmlintrc

@@ -1 +0,0 @@
-addFilter(r"spelling-error \('(gzip|brotli|zstd)',")

python-urllib3.spec

@@ -1,43 +1,50 @@
 # When bootstrapping Python, we cannot test this yet
-# RHEL does not include the test dependencies and the dependencies for extras
-%bcond tests %{undefined rhel}
-%bcond extras %[%{undefined rhel} || %{defined eln}]
-%bcond extradeps %{undefined rhel}
+# RHEL does not include the test dependencies
+%if 0%{?rhel}
+%bcond_with tests
+%else
+%bcond_without tests
+%endif
 
 Name:           python-urllib3
-Version:        2.6.3
+Version:        1.26.20
 Release:        %autorelease
 Summary:        HTTP library with thread-safe connection pooling, file post, and more
 
 # SPDX
 License:        MIT
 URL:            https://github.com/urllib3/urllib3
-Source0:        %{url}/archive/%{version}/urllib3-%{version}.tar.gz
-# A special forked copy of Hypercorn is required for testing. We asked about
-# the possiblility of using a released version in the future in:
-#   Path toward testing with a released version of hypercorn?
-#   https://github.com/urllib3/urllib3/3334
-# Upstream would like to get the necessary changes merged into Hypercorn, but
-# explained clearly why the forked copy is needed for now.
-#
-# Note that tool.uv.sources.hypercorn in pyproject.toml references the
-# urllib3-changes branch of https://github.com/urllib3/hypercorn/, and we
-# should use the latest commit from that branch, but we package using a commit
-# hash for reproducibility.
-#
-# We do not need to treat this as a bundled dependency because it is not
-# installed in the buildroot or otherwise included in any of the binary RPMs.
-%global hypercorn_url https://github.com/urllib3/hypercorn
-%global hypercorn_commit d1719f8c1570cbd8e6a3719ffdb14a4d72880abb
-Source1:        %{hypercorn_url}/archive/%{hypercorn_commit}/hypercorn-%{hypercorn_commit}.tar.gz
+Source:         %{url}/archive/%{version}/urllib3-%{version}.tar.gz
 
 BuildArch:      noarch
 
 BuildRequires:  python3-devel
-# The conditional is important: we benefit from tomcli for editing dependency
-# groups, but we do not want it when bootstrapping or in RHEL.
+
 %if %{with tests}
-BuildRequires:  tomcli
+# Test dependencies are listed only in dev-requirements.txt. Because there are
+# linters and coverage tools mixed in, and exact versions are pinned, we resort
+# to manual listing.
+# mock==3.0.5: patched out in %%prep
+# coverage~=6.0;python_version>="3.6": omitted linter/coverage tool
+# tornado==6.1.0;python_version>="3.6"
+BuildRequires:  %{py3_dist tornado} >= 6.1
+# PySocks==1.7.1
+BuildRequires:  %{py3_dist PySocks} >= 1.7.1
+# win-inet-pton==1.1.0: Windows-only workaround
+# pytest==6.2.4; python_version>="3.10"
+BuildRequires:  %{py3_dist pytest} >= 6.2.4
+# pytest-timeout==1.4.2
+BuildRequires:  %{py3_dist pytest-timeout} >= 1.4.2
+# pytest-freezegun==0.4.2
+BuildRequires:  %{py3_dist pytest-freezegun} >= 0.4.2
+# flaky==3.7.0: not really required
+# trustme==0.7.0
+BuildRequires:  %{py3_dist trustme} >= 0.7
+# cryptography==38.0.3;python_version>="3.6": associated with the deprecated
+#                                             “secure” extra
+# python-dateutil==2.8.1
+BuildRequires:  %{py3_dist python-dateutil} >= 2.8.1
+# gcp-devrel-py-tools==0.0.16: not used in offline testing
 %endif
 
 %global _description %{expand:
@@ -66,25 +73,25 @@ Requires:       ca-certificates
 BuildRequires:  %{py3_dist idna}
 Requires:       %{py3_dist idna}
 
-%if %{with extradeps}
+# grep __version__ src/urllib3/packages/six.py
+Provides:       bundled(python3dist(six)) = 1.16.0
+
 # There has historically been a manual hard dependency on python3-pysocks;
-# since bringing it in is the sole function of python3-urllib3+socks,
-# we recommend it, so it is installed by default.
-Recommends:     python3-urllib3+socks
-%endif
+# since bringing it in is the sole function of python3-urllib3+socks, we just
+# depend on that instead.
+Requires:       python3-urllib3+socks = %{version}-%{release}
 
 %description -n python3-urllib3 %{_description}
 
 
-%if %{with extras}
-%pyproject_extras_subpkg -n python3-urllib3 brotli zstd socks h2
-%endif
+# We do NOT package the “secure” extra because it is deprecated; see:
+# “Deprecate the pyOpenSSL TLS implementation and [secure] extra”
+# https://github.com/urllib3/urllib3/issues/2680
+%pyproject_extras_subpkg -n python3-urllib3 brotli socks
 
 
 %prep
 %autosetup -n urllib3-%{version}
-%setup -q -n urllib3-%{version} -T -D -b 1
-
 # Make sure that the RECENT_DATE value doesn't get too far behind what the current date is.
 # RECENT_DATE must not be older that 2 years from the build time, or else test_recent_date
 # (from test/test_connection.py) would fail. However, it shouldn't be to close to the build time either,
@@ -103,85 +110,47 @@ Recommends:     python3-urllib3+socks
 recent_date=$(date --date "7 month ago" +"%Y, %_m, %_d")
 sed -i "s/^RECENT_DATE = datetime.date(.*)/RECENT_DATE = datetime.date($recent_date)/" src/urllib3/connection.py
 
-%if %{with tests}
-# Possible improvements to dependency groups
-# https://github.com/urllib3/urllib3/issues/3594
-# Adjust the contents of the "dev" dependency group by removing:
-remove_from_dev() {
-  tomcli set pyproject.toml lists delitem 'dependency-groups.dev' "($1)\b.*"
-}
-#   - Linters, coverage tools, profilers, etc.:
-#     https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/#_linters
-remove_from_dev 'coverage|pytest-memray'
-#   - Dependencies for maintainer tasks
-remove_from_dev 'build|towncrier'
-#   - Dependencies that are not packaged and not strictly required
-remove_from_dev 'pytest-socket'
-#   - Hypercorn, because we have a special forked version we must use for
-#     testing instead, so we do not want to generate a dependency on the system
-#     copy. Note that the system copy is still an indirect dependency via quart
-#     and quart-trio.
-remove_from_dev 'hypercorn'
-
-# Remove all version bounds for test dependencies. We must attempt to make do
-# with what we have. (This also removes any python version or platform
-# constraints, which is currently fine, but could theoretically cause trouble
-# in the future. We’ll cross that bridge if we ever arrive at it.)
-tomcli set pyproject.toml lists replace --type regex_search \
-    'dependency-groups.dev' '[>=]=.*' ''
-%endif
+# Use the standard library instead of a backport
+sed -i -e 's/^import mock/from unittest import mock/' \
+       -e 's/^from mock import /from unittest.mock import /' \
+    test/*.py docs/conf.py
 
 
 %generate_buildrequires
-export SETUPTOOLS_SCM_PRETEND_VERSION='%{version}'
 # Generate BR’s from packaged extras even when tests are disabled, to ensure
 # the extras metapackages are installable if the build succeeds.
-%pyproject_buildrequires %{?with_extradeps:-x brotli,zstd,socks,h2} %{?with_tests:-g dev}
+%pyproject_buildrequires -x brotli,socks
 
 
 %build
-export SETUPTOOLS_SCM_PRETEND_VERSION='%{version}'
 %pyproject_wheel
 
 
 %install
 %pyproject_install
 
-%pyproject_save_files -l urllib3
+%pyproject_save_files urllib3
 
 
-%check
-# urllib3.contrib.socks requires urllib3[socks]
-#
-# urllib3.contrib.emscripten is “special” (import js will fail)
-# urllib3.contrib.ntlmpool is deprecated and requires ntlm
-# urllib3.contrib.securetransport is macOS only
-# urllib3.contrib.pyopenssl requires pyOpenSSL
-%{pyproject_check_import %{!?with_extradeps:-e urllib3.contrib.socks -e urllib3.http2*}
-                         -e urllib3.contrib.emscripten*
-                         -e urllib3.contrib.ntlmpool
-                         -e urllib3.contrib.securetransport
-                         -e urllib3.contrib.pyopenssl}
-
-# Increase the “long timeout” for slower environments; as of this writing, it
-# is increased from 0.1 to 0.5 second.
-export CI=1
-# Interpose the special forked copy of Hypercorn.
-hypercorndir="${PWD}/../hypercorn-%{hypercorn_commit}/src"
-export PYTHONPATH="${hypercorndir}:%{buildroot}%{python3_sitelib}"
-
 %if %{with tests}
-# This test still times out sometimes, especially on certain architectures,
-# even when we export the CI environment variable to increase timeouts.
-k="${k-}${k+ and }not (TestHTTPProxyManager and test_tunneling_proxy_request_timeout[https-https])"
-
-%pytest -v -rs ${ignore-} -k "${k-}"
-%pytest -v -rs ${ignore-} -k "${k-}" --integration
+%check
+# Drop the dummyserver tests in koji.  They fail there in real builds, but not
+# in scratch builds (weird).
+ignore="${ignore-} --ignore=test/with_dummyserver/"
+# Don't run the Google App Engine tests
+ignore="${ignore-} --ignore=test/appengine/"
+# Lots of these tests started failing, even for old versions, so it has something
+# to do with Fedora in particular. They don't fail in upstream build infrastructure
+ignore="${ignore-} --ignore=test/contrib/"
+# Tests for Python built without SSL, but Fedora builds with SSL. These tests
+# fail when combined with the unbundling of backports-ssl_match_hostname
+ignore="${ignore-} --ignore=test/test_no_ssl.py"
+%pytest -v ${ignore-}
 %endif
 
 
 %files -n python3-urllib3 -f %{pyproject_files}
-%doc CHANGES.rst README.md
+%doc CHANGES.rst README.rst
 
 
 %changelog

sources

@@ -1,2 +1 @@
-SHA512 (urllib3-2.6.3.tar.gz) = 554cedfd97d411fffa9a8ba46f592eab9e58c5fa8822ecd5a73ab45d6adfc188a6b9c4e238d02a4fbd3a1067a25a1de841a33d398d0641e22a32ea414876b615
-SHA512 (hypercorn-d1719f8c1570cbd8e6a3719ffdb14a4d72880abb.tar.gz) = 62d6787d88a2e716f0ac04fc49f6cdc586e473a660ee754ff66961922ae78bcc75d1f78b091e78557dd60f006e8e480114738c7b4ff71beac804e4fc9603240b
+SHA512 (urllib3-1.26.20.tar.gz) = 63c4263c5e61adf28344e79b6c864c70e555b715a93e735aca5b6e169f041f3e4518961993c86c83dd13bcb149f7dd77b6e90140cf4aa2310c14fcaa0a52179b

tests/smoke/smoke.fmf

@@ -1,5 +0,0 @@
-test: python3 test.py
-framework: shell
-require:
-- python3
-- python3-urllib3

tests/smoke/test.py

@@ -1,8 +0,0 @@
-import urllib3
-
-http = urllib3.PoolManager()
-r = http.request('GET', 'http://example.com/')
-print('status = {0}'.format(r.status))
-print(r.data)
-if r.status != 200 or not r.data:
-    raise SystemExit(1)