Conditionalize python3-devel runtime dependencies on RPM packages

Installing python3-devel currently brings in many RPM-related packages.

For somebody who needs python3-devel to build extension modules,
those are all useless, so we conditionalize it on rpm-build.

(cherry picked from commit e9ba67b74b9849d00cfc8e332b711db142dfd3e3)

.fmf/version

@@ -0,0 +1 @@
+1

00001-rpath.patch

@@ -1,10 +1,10 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: David Malcolm <dmalcolm@redhat.com>
 Date: Wed, 13 Jan 2010 21:25:18 +0000
-Subject: =?UTF-8?q?00001:=20Fixup=20distutils/unixccompiler.py=20to=20remo?=
- =?UTF-8?q?ve=20standard=20library=20path=20from=20rpath=0AWas=20Patch0=20?=
- =?UTF-8?q?in=20ivazquez'=20python3000=20specfile?=
+Subject: 00001: Fixup distutils/unixccompiler.py to remove standard library
+ path from rpath
 
+Was Patch0 in ivazquez' python3000 specfile
 ---
  Lib/distutils/unixccompiler.py | 9 +++++++++
  1 file changed, 9 insertions(+)

00435-gh-121650-encode-newlines-in-headers-and-verify.patch

@@ -1,8 +1,8 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Hrn=C4=8Diar?= <thrnciar@redhat.com>
 Date: Fri, 16 Aug 2024 14:12:58 +0200
-Subject: =?UTF-8?q?00435:=20gh-121650:=20Encode=20newlines=20in=20headers,?=
- =?UTF-8?q?=20and=20verify=0A=20headers=20are=20sound=20(GH-122233)?=
+Subject: 00435: gh-121650: Encode newlines in headers, and verify headers are
+ sound (GH-122233)
 
 Per RFC 2047:
 

00467-tarfile-cve-2025-8194.patch

@@ -0,0 +1,212 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alexander Urieles <aeurielesn@users.noreply.github.com>
+Date: Mon, 28 Jul 2025 17:37:26 +0200
+Subject: 00467: tarfile CVE-2025-8194
+
+tarfile now validates archives to ensure member offsets are non-negative (GH-137027)
+
+Co-authored-by: Gregory P. Smith <greg@krypto.org>
+---
+ Lib/tarfile.py                                |   3 +
+ Lib/test/test_tarfile.py                      | 156 ++++++++++++++++++
+ ...-07-23-00-35-29.gh-issue-130577.c7EITy.rst |   3 +
+ 3 files changed, 162 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
+
+diff --git a/Lib/tarfile.py b/Lib/tarfile.py
+index 1a7d5f772a..4f536cb002 100755
+--- a/Lib/tarfile.py
++++ b/Lib/tarfile.py
+@@ -1582,6 +1582,9 @@ class TarInfo(object):
+         """Round up a byte count by BLOCKSIZE and return it,
+            e.g. _block(834) => 1024.
+         """
++        # Only non-negative offsets are allowed
++        if count < 0:
++            raise InvalidHeaderError("invalid offset")
+         blocks, remainder = divmod(count, BLOCKSIZE)
+         if remainder:
+             blocks += 1
+diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
+index c5d837e716..484f114180 100644
+--- a/Lib/test/test_tarfile.py
++++ b/Lib/test/test_tarfile.py
+@@ -43,6 +43,7 @@ bz2name = os.path.join(TEMPDIR, "testtar.tar.bz2")
+ xzname = os.path.join(TEMPDIR, "testtar.tar.xz")
+ tmpname = os.path.join(TEMPDIR, "tmp.tar")
+ dotlessname = os.path.join(TEMPDIR, "testtar")
++SPACE = b" "
+ 
+ md5_regtype = "65f477c818ad9e15f7feab0c6d37742f"
+ md5_sparse = "a54fbc4ca4f4399a90e1b27164012fc6"
+@@ -4005,6 +4006,161 @@ class TestExtractionFilters(unittest.TestCase):
+             self.expect_exception(TypeError)  # errorlevel is not int
+ 
+ 
++class OffsetValidationTests(unittest.TestCase):
++    tarname = tmpname
++    invalid_posix_header = (
++        # name: 100 bytes
++        tarfile.NUL * tarfile.LENGTH_NAME
++        # mode, space, null terminator: 8 bytes
++        + b"000755" + SPACE + tarfile.NUL
++        # uid, space, null terminator: 8 bytes
++        + b"000001" + SPACE + tarfile.NUL
++        # gid, space, null terminator: 8 bytes
++        + b"000001" + SPACE + tarfile.NUL
++        # size, space: 12 bytes
++        + b"\xff" * 11 + SPACE
++        # mtime, space: 12 bytes
++        + tarfile.NUL * 11 + SPACE
++        # chksum: 8 bytes
++        + b"0011407" + tarfile.NUL
++        # type: 1 byte
++        + tarfile.REGTYPE
++        # linkname: 100 bytes
++        + tarfile.NUL * tarfile.LENGTH_LINK
++        # magic: 6 bytes, version: 2 bytes
++        + tarfile.POSIX_MAGIC
++        # uname: 32 bytes
++        + tarfile.NUL * 32
++        # gname: 32 bytes
++        + tarfile.NUL * 32
++        # devmajor, space, null terminator: 8 bytes
++        + tarfile.NUL * 6 + SPACE + tarfile.NUL
++        # devminor, space, null terminator: 8 bytes
++        + tarfile.NUL * 6 + SPACE + tarfile.NUL
++        # prefix: 155 bytes
++        + tarfile.NUL * tarfile.LENGTH_PREFIX
++        # padding: 12 bytes
++        + tarfile.NUL * 12
++    )
++    invalid_gnu_header = (
++        # name: 100 bytes
++        tarfile.NUL * tarfile.LENGTH_NAME
++        # mode, null terminator: 8 bytes
++        + b"0000755" + tarfile.NUL
++        # uid, null terminator: 8 bytes
++        + b"0000001" + tarfile.NUL
++        # gid, space, null terminator: 8 bytes
++        + b"0000001" + tarfile.NUL
++        # size, space: 12 bytes
++        + b"\xff" * 11 + SPACE
++        # mtime, space: 12 bytes
++        + tarfile.NUL * 11 + SPACE
++        # chksum: 8 bytes
++        + b"0011327" + tarfile.NUL
++        # type: 1 byte
++        + tarfile.REGTYPE
++        # linkname: 100 bytes
++        + tarfile.NUL * tarfile.LENGTH_LINK
++        # magic: 8 bytes
++        + tarfile.GNU_MAGIC
++        # uname: 32 bytes
++        + tarfile.NUL * 32
++        # gname: 32 bytes
++        + tarfile.NUL * 32
++        # devmajor, null terminator: 8 bytes
++        + tarfile.NUL * 8
++        # devminor, null terminator: 8 bytes
++        + tarfile.NUL * 8
++        # padding: 167 bytes
++        + tarfile.NUL * 167
++    )
++    invalid_v7_header = (
++        # name: 100 bytes
++        tarfile.NUL * tarfile.LENGTH_NAME
++        # mode, space, null terminator: 8 bytes
++        + b"000755" + SPACE + tarfile.NUL
++        # uid, space, null terminator: 8 bytes
++        + b"000001" + SPACE + tarfile.NUL
++        # gid, space, null terminator: 8 bytes
++        + b"000001" + SPACE + tarfile.NUL
++        # size, space: 12 bytes
++        + b"\xff" * 11 + SPACE
++        # mtime, space: 12 bytes
++        + tarfile.NUL * 11 + SPACE
++        # chksum: 8 bytes
++        + b"0010070" + tarfile.NUL
++        # type: 1 byte
++        + tarfile.REGTYPE
++        # linkname: 100 bytes
++        + tarfile.NUL * tarfile.LENGTH_LINK
++        # padding: 255 bytes
++        + tarfile.NUL * 255
++    )
++    valid_gnu_header = tarfile.TarInfo("filename").tobuf(tarfile.GNU_FORMAT)
++    data_block = b"\xff" * tarfile.BLOCKSIZE
++
++    def _write_buffer(self, buffer):
++        with open(self.tarname, "wb") as f:
++            f.write(buffer)
++
++    def _get_members(self, ignore_zeros=None):
++        with open(self.tarname, "rb") as f:
++            with tarfile.open(
++                mode="r", fileobj=f, ignore_zeros=ignore_zeros
++            ) as tar:
++                return tar.getmembers()
++
++    def _assert_raises_read_error_exception(self):
++        with self.assertRaisesRegex(
++            tarfile.ReadError, "file could not be opened successfully"
++        ):
++            self._get_members()
++
++    def test_invalid_offset_header_validations(self):
++        for tar_format, invalid_header in (
++            ("posix", self.invalid_posix_header),
++            ("gnu", self.invalid_gnu_header),
++            ("v7", self.invalid_v7_header),
++        ):
++            with self.subTest(format=tar_format):
++                self._write_buffer(invalid_header)
++                self._assert_raises_read_error_exception()
++
++    def test_early_stop_at_invalid_offset_header(self):
++        buffer = self.valid_gnu_header + self.invalid_gnu_header + self.valid_gnu_header
++        self._write_buffer(buffer)
++        members = self._get_members()
++        self.assertEqual(len(members), 1)
++        self.assertEqual(members[0].name, "filename")
++        self.assertEqual(members[0].offset, 0)
++
++    def test_ignore_invalid_archive(self):
++        # 3 invalid headers with their respective data
++        buffer = (self.invalid_gnu_header + self.data_block) * 3
++        self._write_buffer(buffer)
++        members = self._get_members(ignore_zeros=True)
++        self.assertEqual(len(members), 0)
++
++    def test_ignore_invalid_offset_headers(self):
++        for first_block, second_block, expected_offset in (
++            (
++                (self.valid_gnu_header),
++                (self.invalid_gnu_header + self.data_block),
++                0,
++            ),
++            (
++                (self.invalid_gnu_header + self.data_block),
++                (self.valid_gnu_header),
++                1024,
++            ),
++        ):
++            self._write_buffer(first_block + second_block)
++            members = self._get_members(ignore_zeros=True)
++            self.assertEqual(len(members), 1)
++            self.assertEqual(members[0].name, "filename")
++            self.assertEqual(members[0].offset, expected_offset)
++
++
+ def setUpModule():
+     support.unlink(TEMPDIR)
+     os.makedirs(TEMPDIR)
+diff --git a/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst b/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
+new file mode 100644
+index 0000000000..342cabbc86
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
+@@ -0,0 +1,3 @@
++:mod:`tarfile` now validates archives to ensure member offsets are
++non-negative.  (Contributed by Alexander Enrique Urieles Nieto in
++:gh:`130577`.)

plan.fmf

@@ -0,0 +1,38 @@
+execute:
+  how: tmt
+
+environment:
+  pybasever: '3.6'
+
+discover:
+  - name: tests_python
+    how: shell
+    url: https://src.fedoraproject.org/tests/python.git
+    tests:
+    - name: smoke
+      path: /smoke
+      test: "VERSION=${pybasever} TOX_REQUIRES='virtualenv<20.22.0' ./venv.sh"
+    - name: debugsmoke
+      path: /smoke
+      test: "PYTHON=python${pybasever}dm TOX=false VERSION=${pybasever} INSTALL_OR_SKIP=true ./venv.sh"
+    - name: marshalparser
+      path: /marshalparser
+      test: "VERSION=${pybasever} SAMPLE=10 ./test_marshalparser_compatibility.sh"
+
+prepare:
+  - name: Install dependencies
+    how: install
+    package:
+    - gcc
+    - python3-tox
+    - python${pybasever}
+    - glibc-all-langpacks # for locale tests
+    - marshalparser  # for testing compatibility (magic numbers) with marshalparser
+    - dnf  # for upgrade
+  - name: Update packages
+    how: shell
+    script: dnf upgrade -y
+  - name: rpm_qa
+    order: 100
+    how: shell
+    script: rpm -qa | sort | tee $TMT_PLAN_DATA/rpmqa.txt

python3.6.spec

@@ -17,7 +17,7 @@ URL: https://www.python.org/
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 45%{?dist}
+Release: 50%{?dist}
 # Python is Python
 # pip MIT is and bundles:
 #   appdirs: MIT
@@ -59,12 +59,22 @@ License: LicenseRef-Callaway-Python AND LicenseRef-Callaway-MIT AND Apache-2.0 A
 # Note that the bcond macros are named for the CLI option they create.
 # "%%bcond_without" means "ENABLE by default and create a --without option"
 
+# Main Python, i.e. whether this is the main Python version in the distribution
+# that owns /usr/bin/python3 and other unique paths
+# This also means the built subpackages are called python3 rather than python3X
+# WARNING: This also influences the flatpackage bcond below.
+# By default, this is disabled.
+%bcond_with main_python
+
 # Flat package, i.e. python36, python37, python38 for tox etc.
-# warning: changes some other defaults
-# in Fedora, never turn this on for the python3 package
-# and always keep it on for python36 etc.
-# WARNING: This does not change the package name and summary above
+# Default (in Fedora >= 44): disabled
+# Default (in Fedora < 44): enabled when this is not the main Python
+# Not supported: Combination of flatpackage enabled and main_python enabled
+%if %{with main_python} || 0%{?fedora} >= 44
+%bcond_with flatpackage
+%else
 %bcond_without flatpackage
+%endif
 
 # Whether to use RPM build wheels from the python-{pip,setuptools}-wheel package
 # Uses upstream bundled prebuilt wheels otherwise
@@ -161,6 +171,8 @@ License: LicenseRef-Callaway-Python AND LicenseRef-Callaway-MIT AND Apache-2.0 A
 # General global macros
 # =====================
 
+%global pkgname python%{pybasever}
+
 %global pylibdir %{_libdir}/python%{pybasever}
 %global dynload_dir %{pylibdir}/lib-dynload
 
@@ -300,6 +312,9 @@ BuildRequires: /usr/sbin/ifconfig
 %if %{with rpmwheels}
 BuildRequires: python-setuptools-wheel
 BuildRequires: python-pip-wheel
+%else
+# For %%python_wheel_inject_sbom
+BuildRequires: python-rpm-macros
 %endif
 
 
@@ -338,6 +353,7 @@ Source102: setuptools-CVE-2024-6345.patch
 
 # 00001 # d06a8853cf4bae9e115f45e1d531d2dc152c5cc8
 # Fixup distutils/unixccompiler.py to remove standard library path from rpath
+#
 # Was Patch0 in ivazquez' python3000 specfile
 Patch1: 00001-rpath.patch
 
@@ -737,8 +753,7 @@ Patch427: 00427-zipextfile-tell-and-seek-cve-2024-0450.patch
 Patch431: 00431-cve-2024-4032.patch
 
 # 00435 # f80b87e6a67eebe0693b895261bad2e9a58a4825
-# gh-121650: Encode newlines in headers, and verify
-#  headers are sound (GH-122233)
+# gh-121650: Encode newlines in headers, and verify headers are sound (GH-122233)
 #
 # Per RFC 2047:
 #
@@ -825,6 +840,33 @@ Patch452: 00452-properly-apply-exported-cflags-for-dtrace-systemtap-builds.patch
 # https://github.com/python/cpython/pull/127361
 Patch457: 00457-ssl-raise-oserror-for-err_lib_sys.patch
 
+# 00465 # 2224c823bcc1b62b85f516883151459ae51cdb7d
+# tarfile cves
+#
+# Security fixes for CVE-2025-4517, CVE-2025-4330, CVE-2025-4138, CVE-2024-12718, CVE-2025-4435 on tarfile
+#
+# The backported fixes do not contain changes for ntpath.py and related tests,
+# because the support for symlinks and junctions were added later in Python 3.9,
+# and it does not make sense to backport them to 3.6 here.
+#
+# The patch is contains the following changes:
+# - https://github.com/python/cpython/commit/42deeab5b2efc2930d4eb73416e1dde9cf790dd2
+#   fixes symlink handling for tarfile.data_filter
+# - https://github.com/python/cpython/commit/9d2c2a8e3b8fe18ee1568bfa4a419847b3e78575
+#   fixes handling of existing files/symlinks in tarfile
+# - https://github.com/python/cpython/commit/00af9794dd118f7b835dd844b2b609a503ad951e
+#   adds a new "strict" argument to realpath()
+# - https://github.com/python/cpython/commit/dd8f187d0746da151e0025c51680979ac5b4cfb1
+#   fixes mulriple CVE fixes in the tarfile module
+# - downstream only fixes that makes the changes work and compatible with Python 3.6
+Patch465: 00465-tarfile-cves.patch
+
+# 00467 # f0b2819ec35fe1f732f661aea68863a5e4dd829f
+# tarfile CVE-2025-8194
+#
+# tarfile now validates archives to ensure member offsets are non-negative (GH-137027)
+Patch467: 00467-tarfile-cve-2025-8194.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -843,12 +885,16 @@ Patch457: 00457-ssl-raise-oserror-for-err_lib_sys.patch
 Provides:  python%{pyshortver} = %{version}-%{release}
 Obsoletes: python%{pyshortver} < %{version}-%{release}
 
-%if %{without flatpackage}
-
 # Packages with Python modules in standard locations automatically
-# depend on python(abi). Provide that here.
+# depend on python(abi). Provide that here only for the main Python.
+%if %{with main_python}
 Provides: python(abi) = %{pybasever}
+%else
+%global __requires_exclude ^python\\(abi\\) = 3\\..+
+%global __provides_exclude ^python\\(abi\\) = 3\\..+
+%endif
 
+%if %{without flatpackage}
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 
 # In order to support multiple Python interpreters for development purposes,
@@ -863,18 +909,16 @@ Provides: python%{pyshortver} = %{version}-%{release}
 # replace python36-3.6.2.
 Obsoletes: python%{pyshortver}
 
-# Shall be removed in Fedora 31
-# The release is bumped to 20, so we can do f27 platform-python updates
-# If the release in f27 ever goes >= 20, raise it here
-# If platform-python is ever reintroduced, make it higher version than this:
-%global platpyver 3.6.2-20
-Obsoletes: platform-python < %{platpyver}
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/#_one_to_many_replacement
+Obsoletes: %{name} < 3.6.15-50
 
+%if %{with main_python}
 # Previously, this was required for our rewheel patch to work.
 # This is technically no longer needed, but we keep it recommended
 # for the developer experience.
 Recommends: python3-setuptools
 Recommends: python3-pip
+%endif
 
 # This prevents ALL subpackages built from this spec to require
 # /usr/bin/python3*. Granularity per subpackage is impossible.
@@ -957,9 +1001,8 @@ Provides: bundled(libmpdec) = %{libmpdec_version}
 # See https://bugzilla.redhat.com/show_bug.cgi?id=1547131
 Recommends: %{name}%{?_isa} = %{version}-%{release}
 
-# Shall be removed in Fedora 31
-Obsoletes: platform-python-libs < %{platpyver}
-Obsoletes: platform-python-libs-devel < %{platpyver}
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/#_one_to_many_replacement
+Obsoletes: %{name} < 3.6.15-50
 
 %description libs
 This package contains runtime libraries for use by Python:
@@ -973,17 +1016,21 @@ Summary: Libraries and header files needed for Python development
 Requires: %{name} = %{version}-%{release}
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 BuildRequires: python-rpm-macros
-Requires: python-rpm-macros
-Requires: python3-rpm-macros
-Requires: python3-rpm-generators
+# The RPM related dependencies bring nothing to a non-RPM Python developer
+# But we want them when packages BuildRequire python3-devel
+Requires: (python-rpm-macros if rpm-build)
+Requires: (python3-rpm-macros if rpm-build)
+Requires: (python3-rpm-generators if rpm-build)
 
 Provides: %{name}-2to3 = %{version}-%{release}
+%if %{with main_python}
 Provides: 2to3 = %{version}-%{release}
+%endif
 
 Conflicts: %{name} < %{version}-%{release}
 
-# Shall be removed in Fedora 31
-Obsoletes: platform-python-devel < %{platpyver}
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/#_one_to_many_replacement
+Obsoletes: %{name} < 3.6.15-50
 
 %description devel
 This package contains the header files and configuration needed to compile
@@ -999,14 +1046,16 @@ Summary: A basic graphical development environment for Python
 Requires: %{name} = %{version}-%{release}
 Requires: %{name}-tkinter = %{version}-%{release}
 
+%if %{with main_python}
 Provides: idle3 = %{version}-%{release}
+%endif
 
 Provides: %{name}-tools = %{version}-%{release}
 Provides: %{name}-tools%{?_isa} = %{version}-%{release}
 Obsoletes: %{name}-tools < %{version}-%{release}
 
-# Shall be removed in Fedora 31
-Obsoletes: platform-python-tools < %{platpyver}
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/#_one_to_many_replacement
+Obsoletes: %{name} < 3.6.15-50
 
 %description idle
 IDLE is Python’s Integrated Development and Learning Environment.
@@ -1025,8 +1074,8 @@ configuration, browsers, and other dialogs.
 Summary: A GUI toolkit for Python
 Requires: %{name} = %{version}-%{release}
 
-# Shall be removed in Fedora 31
-Obsoletes: platform-python-tkinter < %{platpyver}
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/#_one_to_many_replacement
+Obsoletes: %{name} < 3.6.15-50
 
 %description tkinter
 The Tkinter (Tk interface) library is a graphical user interface toolkit for
@@ -1037,8 +1086,8 @@ the Python programming language.
 Summary: The self-test suite for the main python3 package
 Requires: %{name} = %{version}-%{release}
 
-# Shall be removed in Fedora 31
-Obsoletes: platform-python-test < %{platpyver}
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/#_one_to_many_replacement
+Obsoletes: %{name} < 3.6.15-50
 
 %description test
 The self-test suite for the Python interpreter.
@@ -1083,11 +1132,6 @@ so extensions for both versions can co-exist in the same directory.
 
 %else  # with flatpackage
 
-# We'll not provide this, on purpose
-# No package in Fedora shall ever depend on flatpackage via this
-%global __requires_exclude ^python\\(abi\\) = 3\\..$
-%global __provides_exclude ^python\\(abi\\) = 3\\..$
-
 %if %{with rpmwheels}
 Requires: python-setuptools-wheel
 Requires: python-pip-wheel
@@ -1131,6 +1175,16 @@ Provides: bundled(python3dist(appdirs)) = 1.4.3
 Provides: bundled(mpdecimal) = %{libmpdec_version}
 Provides: bundled(libmpdec) = %{libmpdec_version}
 
+# Provides of the subpackages contained in flatpackage
+Provides: %{pkgname}-libs = %{version}-%{release}
+Provides: %{pkgname}-devel = %{version}-%{release}
+Provides: %{pkgname}-idle = %{version}-%{release}
+Provides: %{pkgname}-tkinter = %{version}-%{release}
+Provides: %{pkgname}-test = %{version}-%{release}
+%if %{with debug_build}
+Provides: %{pkgname}-debug = %{version}-%{release}
+%endif
+
 # The description for the flat package
 %description
 Python %{pybasever} package for developers.
@@ -1428,7 +1482,7 @@ install -d -m 0755 %{buildroot}%{pylibdir}/site-packages/__pycache__
 install -d -m 0755 %{buildroot}%{_prefix}/lib/python%{pybasever}/site-packages/__pycache__
 %endif
 
-%if %{without flatpackage}
+%if %{with main_python}
 # add idle3 to menu
 install -D -m 0644 Lib/idlelib/Icons/idle_16.png %{buildroot}%{_datadir}/icons/hicolor/16x16/apps/idle3.png
 install -D -m 0644 Lib/idlelib/Icons/idle_32.png %{buildroot}%{_datadir}/icons/hicolor/32x32/apps/idle3.png
@@ -1518,13 +1572,18 @@ find %{buildroot} -perm 555 -exec chmod 755 {} \;
 # Create "/usr/bin/python3-debug", a symlink to the python3 debug binary, to
 # avoid the user having to know the precise version and ABI flags.
 # See e.g. https://bugzilla.redhat.com/show_bug.cgi?id=676748
-%if %{with debug_build} && %{without flatpackage}
+%if %{with debug_build} && %{with main_python}
 ln -s \
   %{_bindir}/python%{LDVERSION_debug} \
   %{buildroot}%{_bindir}/python3-debug
 %endif
 
-%if %{with flatpackage}
+%if %{without rpmwheels}
+# Inject SBOM into the installed wheels (if the macro is available)
+%{?python_wheel_inject_sbom:%python_wheel_inject_sbom %{buildroot}%{pylibdir}/ensurepip/_bundled/*.whl}
+%endif
+
+%if %{without main_python}
 # Remove stuff that would conflict with python3 package
 rm %{buildroot}%{_bindir}/python3
 rm %{buildroot}%{_bindir}/pydoc3
@@ -1641,11 +1700,15 @@ CheckPython optimized
 %doc README.rst
 
 %if %{without flatpackage}
+%if %{with main_python}
 %{_bindir}/pydoc*
 %{_bindir}/python3
 %{_bindir}/pyvenv
 %{_mandir}/*/*
-%{_bindir}/pyvenv
+%else
+%{_bindir}/pydoc%{pybasever}
+%{_mandir}/*/python%{pybasever}*
+%endif
 %else
 %{_bindir}/pydoc%{pybasever}
 %{_mandir}/*/python%{pybasever}*
@@ -1790,6 +1853,10 @@ CheckPython optimized
 %dir %{pylibdir}/site-packages/
 %dir %{pylibdir}/site-packages/__pycache__/
 %{pylibdir}/site-packages/README.txt
+
+%exclude %{pylibdir}/_sysconfigdata_%{ABIFLAGS_debug}_linux_%{platform_triplet}.py
+%exclude %{pylibdir}/__pycache__/_sysconfigdata_%{ABIFLAGS_debug}_linux_%{platform_triplet}%{bytecode_suffixes}
+
 %{pylibdir}/*.py
 %dir %{pylibdir}/__pycache__/
 %{pylibdir}/__pycache__/*%{bytecode_suffixes}
@@ -1873,27 +1940,29 @@ CheckPython optimized
 %{_includedir}/python%{LDVERSION_optimized}/%{_pyconfig_h}
 
 %{_libdir}/%{py_INSTSONAME_optimized}
-%if %{without flatpackage}
+%if %{with main_python}
 %{_libdir}/libpython3.so
 %endif
 
 %if %{without flatpackage}
 %files devel
+%if %{with main_python}
 %{_bindir}/2to3
 # TODO: Remove 2to3-3.7 once rebased to 3.7
 %{_bindir}/2to3-%{pybasever}
 %endif
+%endif
 
 %{pylibdir}/config-%{LDVERSION_optimized}-%{platform_triplet}/*
 %if %{without flatpackage}
 %exclude %{pylibdir}/config-%{LDVERSION_optimized}-%{platform_triplet}/Makefile
 %exclude %{_includedir}/python%{LDVERSION_optimized}/%{_pyconfig_h}
 %endif
-%{pylibdir}/distutils/command/wininst-*.exe
+%exclude %{pylibdir}/distutils/command/wininst-*.exe
 %{_includedir}/python%{LDVERSION_optimized}/*.h
 %doc Misc/README.valgrind Misc/valgrind-python.supp Misc/gdbinit
 
-%if %{without flatpackage}
+%if %{with main_python}
 %{_bindir}/python3-config
 %{_libdir}/pkgconfig/python3.pc
 %{_bindir}/pathfix.py
@@ -1921,7 +1990,7 @@ CheckPython optimized
 
 %{pylibdir}/idlelib
 
-%if %{without flatpackage}
+%if %{with main_python}
 %{_metainfodir}/idle3.appdata.xml
 %{_datadir}/applications/idle3.desktop
 %{_datadir}/icons/hicolor/*/apps/idle3.*
@@ -1969,8 +2038,10 @@ CheckPython optimized
 %if %{with debug_build}
 %if %{without flatpackage}
 %files debug
+%if %{with main_python}
 %{_bindir}/python3-debug
 %endif
+%endif
 
 # Analog of the core subpackage's files:
 %{_bindir}/python%{LDVERSION_debug}
@@ -2043,6 +2114,9 @@ CheckPython optimized
 %{dynload_dir}/unicodedata.%{SOABI_debug}.so
 %{dynload_dir}/zlib.%{SOABI_debug}.so
 
+%{pylibdir}/_sysconfigdata_%{ABIFLAGS_debug}_linux_%{platform_triplet}.py
+%{pylibdir}/__pycache__/_sysconfigdata_%{ABIFLAGS_debug}_linux_%{platform_triplet}%{bytecode_suffixes}
+
 # No need to split things out the "Makefile" and the config-32/64.h file as we
 # do for the regular build above (bug 531901), since they're all in one package
 # now; they're listed below, under "-devel":
@@ -2094,6 +2168,22 @@ CheckPython optimized
 # ======================================================
 
 %changelog
+* Thu Nov 06 2025 Miro Hrončok <mhroncok@redhat.com> - 3.6.15-50
+- On Fedora 44+, split this package into multiple subpackages
+- This mimics newer Python versions
+
+* Mon Aug 11 2025 Lumír Balhar <lbalhar@redhat.com> - 3.6.15-49
+- Security fix for CVE-2025-8194
+
+* Fri Jul 25 2025 Fedora Release Engineering <releng@fedoraproject.org> - 3.6.15-48
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
+
+* Thu Jun 26 2025 Lumír Balhar <lbalhar@redhat.com> - 3.6.15-47
+- Security fixes for CVE-2025-4517, CVE-2025-4330, CVE-2025-4138, CVE-2024-12718, CVE-2025-4435
+
+* Wed Apr 23 2025 Miro Hrončok <mhroncok@redhat.com> - 3.6.15-46
+- Add RPM Provides for python3.6-libs, python3.6-devel, python3.6-idle, python3.6-tkinter, python3.6-test
+
 * Wed Apr 16 2025 Charalampos Stratakis <cstratak@redhat.com> - 3.6.15-45
 - Fix the flakiness of test_ftplib
 

tests/tests.yml

@@ -1,22 +0,0 @@
----
-- hosts: localhost
-  roles:
-  - role: standard-test-basic
-    tags:
-    - classic
-    repositories:
-    - repo: "https://src.fedoraproject.org/tests/python.git"
-      dest: "python"
-    tests:
-    - smoke:
-        dir: python/smoke
-        run: VERSION=3.6 TOX_REQUIRES="virtualenv<20.22.0" ./venv.sh
-    - marshalparser:
-        dir: python/marshalparser
-        run: VERSION=3.6 SAMPLE=10 test_marshalparser_compatibility.sh
-    required_packages:
-    - gcc
-    - python3-tox
-    - python3.6
-    - glibc-all-langpacks # for locale tests
-    - marshalparser  # for testing compatibility (magic numbers) with marshalparser