From 50e8b0d60fc77cd42a9eb2b8e1a5612c0b43559c Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Oct 16 2021 04:22:45 +0000
Subject: import python-pip-9.0.3-22.el8
---
diff --git a/SOURCES/skip_yanked_releases.patch b/SOURCES/skip_yanked_releases.patch
new file mode 100644
index 0000000..ef3f8e5
--- /dev/null
+++ b/SOURCES/skip_yanked_releases.patch
@@ -0,0 +1,91 @@
+From b97ef609100fbdd5895dab48cdab578dfeba396c Mon Sep 17 00:00:00 2001
+From: Lumir Balhar
+Date: Fri, 10 Sep 2021 13:38:40 +0200
+Subject: [PATCH 1/2] Implement handling of yanked_reason from the HTML anchor
+
+---
+ pip/index.py | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/pip/index.py b/pip/index.py
+index f653f6e6a..ced52ce5a 100644
+--- a/pip/index.py
++++ b/pip/index.py
+@@ -865,7 +865,11 @@ class HTMLPage(object):
+ )
+ pyrequire = anchor.get('data-requires-python')
+ pyrequire = unescape(pyrequire) if pyrequire else None
+- yield Link(url, self, requires_python=pyrequire)
++ yanked_reason = anchor.get('data-yanked', default=None)
++ # Empty or valueless attribute are both parsed as empty string
++ if yanked_reason is not None:
++ yanked_reason = unescape(yanked_reason)
++ yield Link(url, self, requires_python=pyrequire, yanked_reason=yanked_reason)
+
+ _clean_re = re.compile(r'[^a-z0-9$&+,/:;=?@.#%_\\|-]', re.I)
+
+@@ -879,7 +883,7 @@ class HTMLPage(object):
+
+ class Link(object):
+
+- def __init__(self, url, comes_from=None, requires_python=None):
++ def __init__(self, url, comes_from=None, requires_python=None, yanked_reason=None):
+ """
+ Object representing a parsed link from https://pypi.python.org/simple/*
+
+@@ -900,6 +904,8 @@ class Link(object):
+ self.url = url
+ self.comes_from = comes_from
+ self.requires_python = requires_python if requires_python else None
++ self.yanked_reason = yanked_reason
++ self.yanked = yanked_reason is not None
+
+ def __str__(self):
+ if self.requires_python:
+--
+2.31.1
+
+From d8dc6ee5d6809736dce43dc1e57d497f9ff91f26 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar
+Date: Fri, 10 Sep 2021 13:43:22 +0200
+Subject: [PATCH 2/2] Skip all yanked candidates if possible
+
+---
+ pip/index.py | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/pip/index.py b/pip/index.py
+index ced52ce5a..823bbaf7d 100644
+--- a/pip/index.py
++++ b/pip/index.py
+@@ -489,6 +489,27 @@ class PackageFinder(object):
+ if applicable_candidates:
+ best_candidate = max(applicable_candidates,
+ key=self._candidate_sort_key)
++ # If we cannot find a non-yanked candidate,
++ # use the best one and print a warning about it.
++ # Otherwise, try to find another best candidate, ignoring
++ # all the yanked releases.
++ if getattr(best_candidate.location, "yanked", False):
++ nonyanked_candidates = [
++ c for c in applicable_candidates
++ if not getattr(c.location, "yanked", False)
++ ]
++
++ if set(nonyanked_candidates):
++ best_candidate = max(nonyanked_candidates,
++ key=self._candidate_sort_key)
++ else:
++ warning_message = (
++ "WARNING: The candidate selected for download or install "
++ "is a yanked version: '{}' candidate (version {} at {})"
++ ).format(best_candidate.project, best_candidate.version, best_candidate.location)
++ if best_candidate.location.yanked_reason:
++ warning_message += "\nReason for being yanked: {}".format(best_candidate.location.yanked_reason)
++ logger.warning(warning_message)
+ else:
+ best_candidate = None
+
+--
+2.31.1
+
diff --git a/SPECS/python-pip.spec b/SPECS/python-pip.spec
index 36f242f..9ad42c0 100644
--- a/SPECS/python-pip.spec
+++ b/SPECS/python-pip.spec
@@ -14,7 +14,7 @@ Name: python-%{srcname}
 # When updating, update the bundled libraries versions bellow!
 Version: 9.0.3
-Release: 20%{?dist}
+Release: 22%{?dist}
 Summary: A tool for installing and managing Python packages
 Group: Development/Libraries
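Review bot: `if set(nonyanked_candidates):` in the PackageFinder hunk of the second nested patch builds a throwaway set only to test for emptiness, which additionally requires the candidate objects to be hashable; the list comprehension's own truthiness is sufficient, so `if nonyanked_candidates:` does the same work with less to go wrong. The warning branch then reads `best_candidate.location.yanked_reason` directly while the guards around it use `getattr(..., "yanked", False)`; this only holds because both attributes are assigned together in Link.__init__ in the first nested patch, which is worth a one-line comment at the `getattr` check. Link's docstring (the `Object representing a parsed link` block) is not extended for the new `yanked_reason` parameter; it should state that `None` means not yanked and that an empty string means yanked without a stated reason, since `self.yanked = yanked_reason is not None` depends on exactly that distinction. `yanked_reason` is read from the index page's `data-yanked` attribute and is appended verbatim to the warning, so collapsing it to a single line before logging would keep an index-supplied string from reshaping the log output. The enclosing PackageFinder method begins and ends outside the hunk.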
@@ -123,6 +123,12 @@ Patch10: pip-directory-traversal-security-issue-tests.patch
 # Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1962856
 Patch11: CVE-2021-3572.patch
+# Downstream-only implementation of support of yanked releases
+# PEP 592 - Adding "Yank" Support to the Simple API:
+# https://www.python.org/dev/peps/pep-0592/
+# Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2000135
+Patch12: skip_yanked_releases.patch
+
 %global _description \
 pip is a package management system used to install and manage software packages \
 written in Python. Many packages can be found in the Python Package Index \
@@ -265,6 +271,7 @@ popd
 %patch10 -p1
 %endif
 %patch11 -p1
+%patch12 -p1
 # this goes together with patch4
 rm pip/_vendor/certifi/*.pem
@@ -276,6 +283,9 @@ sed -i '1d' pip/__init__.py
 # Remove ordereddict as it is only required for python <= 2.6
 rm pip/_vendor/ordereddict.py
+# Remove windows executable binaries
+rm -v pip/_vendor/distlib/*.exe
+sed -i '/\.exe/d' setup.py
 %build
 %if %{without bootstrap}
@@ -372,6 +382,14 @@ py.test-%{python3_version} -m 'not network'
 %endif
 %changelog
+* Wed Oct 06 2021 Charalampos Stratakis - 9.0.3-22
+- Remove bundled windows executables
+- Resolves: rhbz#2006788
+
+* Tue Oct 05 2021 Lumír Balhar - 9.0.3-21
+- Support of yanked releases
+Resolves: rhbz#2000135
+
 * Mon Jun 07 2021 Lumír Balhar - 9.0.3-20
 - Fix for CVE-2021-3572 - pip incorrectly handled unicode separators in git references
 Resolves: rhbz#1962856
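Review bot: `sed -i '/\.exe/d' setup.py` in the `%prep` hunk deletes every line of setup.py that contains `.exe`, not only the distlib `package_data` entries that correspond to the binaries removed on the line above, and the build would not notice if the pattern matched an unrelated line or nothing at all. Narrowing the pattern to the entries actually being dropped and checking the outcome, e.g. `test -z "$(find pip -name '*.exe')"` right after the `rm -v`, would make the intent verifiable; setup.py is not visible here, so the exact pattern is for the author to confirm. The changelog hunk also writes `Resolves: rhbz#2000135` without the leading `- ` that the 9.0.3-22 entry uses for the same field, which is a consistency nit. The `%prep` section continues outside the hunk.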