%bcond_with bootstrap
%bcond_with tests

%bcond_with doc

%global srcname pip
%global python_wheelname %{srcname}-%{version}-py2.py3-none-any.whl
%global python2_wheeldir %{_datadir}/python2-wheels
%if %{without bootstrap}
%global python2_wheelname %python_wheelname
%endif

# Note that with disabled python3, bashcomp2 will be disabled as well because
# bashcompdir will point to a different path than with python3 enabled.
%global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d})
%if "%{bashcompdir}" != "%{_sysconfdir}/bash_completion.d"
%global bashcomp2 1
%endif

Name:           python2-%{srcname}
# When updating, update the bundled libraries versions below!
Version:        9.0.3
Release:        18%{?dist}
Summary:        A tool for installing and managing Python 2 packages

Group:          Development/Libraries

# We bundle a lot of libraries with pip, which itself is under MIT license.
# Here is the list of the libraries with corresponding licenses:

# appdirs: MIT
# CacheControl: ASL 2.0
# certifi: MPLv2.0
# chardet: LGPLv2
# colorama: BSD
# distlib: Python
# distro: ASL 2.0
# html5lib: MIT
# idna: BSD
# ipaddress: Python
# lockfile: MIT
# packaging: ASL 2.0 or BSD
# progress: ISC
# pyparsing: MIT
# requests: ASL 2.0
# retrying: ASL 2.0
# urllib3: MIT
# six: MIT
# webencodings: BSD

License:        MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD)
URL:            http://www.pip-installer.org
Source0:        https://files.pythonhosted.org/packages/source/p/%{srcname}/%{srcname}-%{version}.tar.gz

# to get tests:
# git clone https://github.com/pypa/pip && cd pip
# git checkout 9.0.1 && tar -czvf ../pip-9.0.1-tests.tar.gz tests/
%if %{with tests}
Source1:        pip-%{version}-tests.tar.gz
%endif

# Manpage generated by sphinx from source tarball
# cd pip-9.0.3/docs && make man && cp _build/man/pip.1 ../../pip2.1
Source2:        pip2.1

BuildArch:      noarch

%if %{with tests}
BuildRequires:  git
BuildRequires:  bzr
%endif

# Patch until the following issue gets implemented upstream:
# https://github.com/pypa/pip/issues/1351
Patch0:         allow-stripping-given-prefix-from-wheel-RECORD-files.patch

# Downstream only patch
# Emit a warning to the user if pip install is run with root privileges
# Issue upstream: https://github.com/pypa/pip/issues/4288
Patch1:         emit-a-warning-when-running-with-root-privileges.patch

# Do not show the "new version of pip" warning outside of venv
# Upstream issue: https://github.com/pypa/pip/issues/5346
# Fedora bug: https://bugzilla.redhat.com/show_bug.cgi?id=1573755
Patch3:         pip-nowarn-upgrade.patch

# Use the system level root certificate instead of the one bundled in certifi
# https://bugzilla.redhat.com/show_bug.cgi?id=1655253
Patch4:         dummy-certifi.patch

# Patch for CVE in the bundled urllib3
# CVE-2018-20060 Cross-host redirect does not remove Authorization header allow for credential exposure
# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-20060
Patch5:         CVE-2018-20060.patch

# Patch for CVE in the bundled urllib3
# CVE-2019-11236 CRLF injection due to not encoding the '\r\n' sequence leading to possible attack on internal service
# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-11236
Patch6:         CVE-2019-11236.patch

# Patch for CVE in the bundled urllib3
# CVE-2019-11324 Certification mishandle when error should be thrown
# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-11324
Patch7:         CVE-2019-11324.patch

# Patch for CVE in the bundled requests
# CVE-2018-18074 Redirect from HTTPS to HTTP does not remove Authorization header
# This patch fixes both the CVE
# https://bugzilla.redhat.com/show_bug.cgi?id=1643829
# and the subsequent regression
# https://github.com/psf/requests/pull/4851
Patch8:         CVE-2018-18074.patch

# Patch for pip install allow directory traversal, leading to arbitrary file write
# - Upstream PR: https://github.com/pypa/pip/pull/6418/files
# - Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1870184
# Patch9 fixes the issue
# Patch10 adds unit tests for the issue
Patch9:         pip-directory-traversal-security-issue.patch
Patch10:        pip-directory-traversal-security-issue-tests.patch

BuildRequires:  python2-devel
BuildRequires:  python2-setuptools
%if %{with tests}
BuildRequires:  python2-mock
BuildRequires:  python2-pytest
BuildRequires:  python2-pretend
BuildRequires:  python2-freezegun
BuildRequires:  python2-pytest-capturelog
BuildRequires:  python2-scripttest
BuildRequires:  python2-virtualenv
%endif
%if %{without bootstrap}
BuildRequires:  python2-pip
BuildRequires:  python2-wheel
%endif
Requires:       python2-setuptools

# Virtual provides for the packages bundled by pip.
# You can find the versions in pip/_vendor/vendor.txt file.
# Don't forget to update this below for python3 as well.
Provides: bundled(python2dist(appdirs)) = 1.4.0
Provides: bundled(python2dist(cachecontrol)) = 0.11.7
Provides: bundled(python2dist(colorama)) = 0.3.7
Provides: bundled(python2dist(distlib)) = 0.2.4
Provides: bundled(python2dist(distro)) = 1.0.1
Provides: bundled(python2dist(html5lib)) = 1.0b10
Provides: bundled(python2dist(ipaddress)) = 1.0.17
Provides: bundled(python2dist(lockfile)) = 0.12.2
Provides: bundled(python2dist(packaging)) = 16.8
Provides: bundled(python2dist(setuptools)) = 28.8.0
Provides: bundled(python2dist(progress)) = 1.2
Provides: bundled(python2dist(pyparsing)) = 2.1.10
Provides: bundled(python2dist(requests)) = 2.11.1
Provides: bundled(python2dist(retrying)) = 1.3.3
Provides: bundled(python2dist(six)) = 1.10.0
Provides: bundled(python2dist(webencodings)) = 0.5

# Bundled within the requests bundle
Provides: bundled(python2dist(chardet)) = 2.3.0
Provides: bundled(python2dist(urllib3)) = 1.16

%{?python_provide:%python_provide python2-%{srcname}}

%description
pip is a package management system used to install and manage software packages
written in Python. Many packages can be found in the Python Package Index
(PyPI).
pip is a recursive acronym that can stand for either "Pip Installs Packages" or
"Pip Installs Python".

%if %{with doc}
%package doc
Summary:        A documentation for a tool for installing and managing Python packages

BuildRequires:  python%{python3_pkgversion}-sphinx

%description doc
A documentation for a tool for installing and managing Python packages

%endif

%if %{without bootstrap}
%package -n python2-pip-wheel
Summary:        The pip wheel

# Virtual provides for the packages bundled by pip.
# You can find the versions in pip/_vendor/vendor.txt file.
Provides: bundled(python2dist(appdirs)) = 1.4.0
Provides: bundled(python2dist(cachecontrol)) = 0.11.7
Provides: bundled(python2dist(colorama)) = 0.3.7
Provides: bundled(python2dist(distlib)) = 0.2.4
Provides: bundled(python2dist(distro)) = 1.0.1
Provides: bundled(python2dist(html5lib)) = 1.0b10
Provides: bundled(python2dist(ipaddress)) = 1.0.17
Provides: bundled(python2dist(lockfile)) = 0.12.2
Provides: bundled(python2dist(packaging)) = 16.8
Provides: bundled(python2dist(setuptools)) = 28.8.0
Provides: bundled(python2dist(progress)) = 1.2
Provides: bundled(python2dist(pyparsing)) = 2.1.10
Provides: bundled(python2dist(requests)) = 2.11.1
Provides: bundled(python2dist(retrying)) = 1.3.3
Provides: bundled(python2dist(six)) = 1.10.0
Provides: bundled(python2dist(webencodings)) = 0.5

%description -n python2-pip-wheel
A Python wheel of pip to use with venv.
%endif

%prep
%setup -q -n %{srcname}-%{version}
%if %{with tests}
tar -xf %{SOURCE1}
%endif

%patch0 -p1
%patch1 -p1
%patch3 -p1
%patch4 -p1

# Patching of bundled libraries
pushd pip/_vendor/urllib3
%patch5 -p1
%patch6 -p1
%patch7 -p1
popd
pushd pip/_vendor/requests
%patch8 -p1
popd
%patch9 -p1
%if %{with tests}
%patch10 -p1
%endif

# this goes together with patch4
rm pip/_vendor/certifi/*.pem
rm pip/_vendor/requests/*.pem
sed -i '/\.pem$/d' pip.egg-info/SOURCES.txt

sed -i '1d' pip/__init__.py

# Remove ordereddict as it is only required for python <= 2.6
rm pip/_vendor/ordereddict.py

%build
export RHEL_ALLOW_PYTHON2_FOR_BUILD=1

%if %{without bootstrap}
%py2_build_wheel
%else
%py2_build
%endif

%if %{with doc}
pushd docs
make html
make man
rm _build/html/.buildinfo
popd
%endif

%install
%if %{with doc}
install -d %{buildroot}%{_mandir}/man1
install -pm0644 docs/_build/man/*.1 %{buildroot}%{_mandir}/man1/pip2.1
%else
# When building without doc, use pregenerated version of pip2 manual page
mkdir -p %{buildroot}%{_mandir}/man1/
cp %{SOURCE2} %{buildroot}%{_mandir}/man1/
%endif # with doc

export RHEL_ALLOW_PYTHON2_FOR_BUILD=1

%if %{without bootstrap}
%py2_install_wheel %{python2_wheelname}
%else
%py2_install
%endif

rm %{buildroot}%{_bindir}/pip{,%{python2_version}}

# Provide symlinks to executables to comply with Fedora guidelines for Python
ln -s ./pip2 %{buildroot}%{_bindir}/pip-%{python2_version}
ln -s ./pip2 %{buildroot}%{_bindir}/pip%{python2_version}
ln -s ./pip2 %{buildroot}%{_bindir}/pip-2

# Manpage symlink
ln -s ./pip2.1.gz %{buildroot}%{_mandir}/man1/pip%{python2_version}.1.gz

mkdir -p %{buildroot}%{bashcompdir}
PYTHONPATH=%{buildroot}%{python2_sitelib} \
    %{buildroot}%{_bindir}/pip2 completion --bash \
    > %{buildroot}%{bashcompdir}/pip2
pips2="pip2"
pips3=pip%{python3_version}
for pip in %{buildroot}%{_bindir}/pip*; do
    pip=$(basename $pip)
    case $pip in
        pip2.*|pip-2*)
            pips2="$pips2 $pip"
%if 0%{?bashcomp2}
            ln -s pip2 %{buildroot}%{bashcompdir}/$pip
%endif
            ;;
    esac
done
sed -i -e "s/^\\(complete.*\\) pip\$/\\1 $pips2/" \
    %{buildroot}%{bashcompdir}/pip2

# Make sure the INSTALLER is not pip, otherwise pip-nowarn-upgrade.patch
# (Patch3) won't work
mkdir -p %{buildroot}%{python2_sitelib}/pip-%{version}.dist-info
echo rpm > %{buildroot}%{python2_sitelib}/pip-%{version}.dist-info/INSTALLER

%if %{without bootstrap}
mkdir -p %{buildroot}%{python2_wheeldir}
install -p dist/%{python2_wheelname} -t %{buildroot}%{python2_wheeldir}
%endif

%if %{with tests}
%check
export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
py.test-%{python2_version} -m 'not network'
%endif

%files
%license LICENSE.txt
%doc README.rst
%{_mandir}/man1/pip2.*
%{_bindir}/pip2
%{_bindir}/pip-2
%{_bindir}/pip%{python2_version}
%{_bindir}/pip-%{python2_version}
%{python2_sitelib}/pip*
%dir %{bashcompdir}
%{bashcompdir}/pip2
%if 0%{?bashcomp2}
%{bashcompdir}/pip2*
%{bashcompdir}/pip-2*
%dir %(dirname %{bashcompdir})
%endif

%if %{with doc}
%files doc
%license LICENSE.txt
%doc README.rst
%doc docs/_build/html
%endif # with doc

%if %{without bootstrap}
%files -n python2-pip-wheel
%license LICENSE.txt
# we own the dir for simplicity
%dir %{python2_wheeldir}/
%{python2_wheeldir}/%{python2_wheelname}
%endif

%changelog
* Wed Aug 19 2020 Tomas Orsava - 9.0.3-18
- Patch for pip install allow directory traversal, leading to arbitrary file write
Resolves: rhbz#1870184

* Mon Mar 16 2020 Charalampos Stratakis - 9.0.3-17
- Remove unused CA bundle from the bundled requests library
Resolves: rhbz#1775194

* Tue Jan 14 2020 Lumír Balhar - 9.0.3-16
- Add four new patches for CVEs in bundled urllib3 and requests
  CVE-2018-20060, CVE-2019-11236, CVE-2019-11324, CVE-2018-18074
Resolves: rhbz#1649153
Resolves: rhbz#1700824
Resolves: rhbz#1702473
Resolves: rhbz#1643829

* Thu Oct 24 2019 Charalampos Stratakis - 9.0.3-15
- Use the system level root certificate instead of the one bundled in certifi
Resolves: rhbz#1659551

* Tue Jun 18 2019 Charalampos Stratakis - 9.0.3-14
- Create the python-pip-wheel subpackage
Resolves: rhbz#1659551

* Thu Apr 25 2019 Tomas Orsava - 9.0.3-13
- Bumping due to problems with modular RPM upgrade path
- Resolves: rhbz#1695587

* Mon Dec 10 2018 Tomas Orsava - 9.0.3-12
- Do not show the "new version of pip" warning outside of venv
- Resolves: rhbz#1656171

* Tue Dec 04 2018 Lumír Balhar - 9.0.3-11
- Use pregenerated manpage for pip2 when building without doc
- Resolves: rhbz#1655587

* Wed Aug 29 2018 Tomas Orsava - 9.0.3-10
- Separate the python2-pip subpackage into its own component
- Related: rhbz#1628242

* Wed Aug 29 2018 Lumír Balhar - 9.0.3-9
- Fix bash completion bug when python3 is disabled
- Resolves: rhbz#1615727

* Wed Aug 15 2018 Lumír Balhar - 9.0.3-8
- Remove files without full version suffix
- Resolves: rhbz#1615727

* Wed Aug 08 2018 Lumír Balhar - 9.0.3-7
- Remove unversioned binaries from python2 subpackage
- Resolves: rhbz#1613343

* Tue Aug 07 2018 Lumír Balhar - 9.0.3-6
- Fix python3/doc condition
- Do not build doc in python27 module

* Mon Aug 06 2018 Lumír Balhar - 9.0.3-5
- Build python3-pip in python27 module

* Mon Aug 06 2018 Charalampos Stratakis - 9.0.3-4
- Correct license information

* Tue Jul 03 2018 Tomas Orsava - 9.0.3-3
- This package might be built with the non-modular python2 package from RHEL8
  buildroot and thus we need to enable it

* Mon Jun 25 2018 Tomas Orsava - 9.0.3-2
- Rebuild for the python27 module

* Thu Mar 29 2018 Charalampos Stratakis - 9.0.3-1
- Update to 9.0.3

* Wed Feb 21 2018 Lumír Balhar - 9.0.1-16
- Include built HTML documentation (in the new -doc subpackage) and man page

* Fri Feb 09 2018 Fedora Release Engineering - 9.0.1-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

* Mon Dec 04 2017 Charalampos Stratakis - 9.0.1-14
- Reintroduce the ipaddress module in the python3 subpackage.

* Mon Nov 20 2017 Charalampos Stratakis - 9.0.1-13
- Add virtual provides for the bundled libraries.
  (rhbz#1096912)

* Tue Aug 29 2017 Tomas Orsava - 9.0.1-12
- Switch macros to bcond's and make Python 2 optional to facilitate building
  the Python 2 and Python 3 modules

* Thu Jul 27 2017 Fedora Release Engineering - 9.0.1-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

* Tue May 23 2017 Tomas Orsava - 9.0.1-10
- Modernized package descriptions
Resolves: rhbz#1452568

* Tue Mar 21 2017 Tomas Orsava - 9.0.1-9
- Fix typo in the sudo pip warning

* Fri Mar 03 2017 Tomas Orsava - 9.0.1-8
- Patch 1 update: No sudo pip warning in venv or virtualenv

* Thu Feb 23 2017 Tomas Orsava - 9.0.1-7
- Patch 1 update: Customize the warning with the proper version of the pip
  command

* Tue Feb 14 2017 Tomas Orsava - 9.0.1-6
- Added patch 1: Emit a warning when running with root privileges

* Sat Feb 11 2017 Fedora Release Engineering - 9.0.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild

* Mon Jan 02 2017 Tomas Orsava - 9.0.1-4
- Provide symlinks to executables to comply with Fedora guidelines for Python
Resolves: rhbz#1406922

* Fri Dec 09 2016 Charalampos Stratakis - 9.0.1-3
- Rebuild for Python 3.6 with wheel

* Fri Dec 09 2016 Charalampos Stratakis - 9.0.1-2
- Rebuild for Python 3.6 without wheel

* Fri Nov 18 2016 Orion Poplawski - 9.0.1-1
- Update to 9.0.1

* Fri Nov 18 2016 Orion Poplawski - 8.1.2-5
- Enable EPEL Python 3 builds
- Use new python macros
- Cleanup spec

* Fri Aug 05 2016 Tomas Orsava - 8.1.2-4
- Updated the test sources

* Fri Aug 05 2016 Tomas Orsava - 8.1.2-3
- Moved python-pip into the python2-pip subpackage
- Added the python_provide macro

* Tue Jul 19 2016 Fedora Release Engineering - 8.1.2-2
- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages

* Tue May 17 2016 Tomas Orsava - 8.1.2-1
- Update to 8.1.2
- Moved to a new PyPI URL format
- Updated the prefix-stripping patch because of upstream changes in pip/wheel.py

* Mon Feb 22 2016 Slavek Kabrda - 8.0.2-1
- Update to 8.0.2

* Thu Feb 04 2016 Fedora Release Engineering - 7.1.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

* Wed Oct 14 2015 Robert Kuska - 7.1.0-3
- Rebuilt for Python3.5 rebuild
- With wheel set to 1

* Tue Oct 13 2015 Robert Kuska - 7.1.0-2
- Rebuilt for Python3.5 rebuild

* Wed Jul 01 2015 Slavek Kabrda - 7.1.0-1
- Update to 7.1.0

* Tue Jun 30 2015 Ville Skyttä - 7.0.3-3
- Install bash completion
- Ship LICENSE.txt as %%license where available

* Thu Jun 18 2015 Fedora Release Engineering - 7.0.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild

* Thu Jun 04 2015 Matej Stuchlik - 7.0.3-1
- Update to 7.0.3

* Fri Mar 06 2015 Matej Stuchlik - 6.0.8-1
- Update to 6.0.8

* Thu Dec 18 2014 Slavek Kabrda - 1.5.6-5
- Only enable tests on Fedora.

* Mon Dec 01 2014 Matej Stuchlik - 1.5.6-4
- Add tests
- Add patch skipping tests requiring Internet access

* Tue Nov 18 2014 Matej Stuchlik - 1.5.6-3
- Added patch for local dos with predictable temp dictionary names
  (http://seclists.org/oss-sec/2014/q4/655)

* Sat Jun 07 2014 Fedora Release Engineering - 1.5.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

* Sun May 25 2014 Matej Stuchlik - 1.5.6-1
- Update to 1.5.6

* Fri Apr 25 2014 Matej Stuchlik - 1.5.4-4
- Rebuild as wheel for Python 3.4

* Thu Apr 24 2014 Matej Stuchlik - 1.5.4-3
- Disable build_wheel

* Thu Apr 24 2014 Matej Stuchlik - 1.5.4-2
- Rebuild as wheel for Python 3.4

* Mon Apr 07 2014 Matej Stuchlik - 1.5.4-1
- Updated to 1.5.4

* Mon Oct 14 2013 Tim Flink - 1.4.1-1
- Removed patch for CVE 2013-2099 as it has been included in the upstream 1.4.1 release
- Updated version to 1.4.1

* Sun Aug 04 2013 Fedora Release Engineering - 1.3.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild

* Tue Jul 16 2013 Toshio Kuratomi - 1.3.1-4
- Fix for CVE 2013-2099

* Thu May 23 2013 Tim Flink - 1.3.1-3
- undo python2 executable rename to python-pip. fixes #958377
- fix summary to match upstream

* Mon May 06 2013 Kevin Kofler - 1.3.1-2
- Fix main package Summary, it's for Python 2, not 3 (#877401)

* Fri Apr 26 2013 Jon Ciesla - 1.3.1-1
- Update to 1.3.1, fix for CVE-2013-1888.

* Thu Feb 14 2013 Fedora Release Engineering - 1.2.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild

* Tue Oct 09 2012 Tim Flink - 1.2.1-2
- Fixing files for python3-pip

* Thu Oct 04 2012 Tim Flink - 1.2.1-1
- Update to upstream 1.2.1
- Change binary from pip-python to python-pip (RHBZ#855495)
- Add alias from python-pip to pip-python, to be removed at a later date

* Tue May 15 2012 Tim Flink - 1.1.0-1
- Update to upstream 1.1.0

* Sat Jan 14 2012 Fedora Release Engineering - 1.0.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild

* Sat Oct 22 2011 Tim Flink - 1.0.2-1
- update to 1.0.2 and added python3 subpackage

* Wed Jun 22 2011 Tim Flink - 0.8.3-1
- update to 0.8.3 and project home page

* Tue Feb 08 2011 Fedora Release Engineering - 0.8.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild

* Mon Dec 20 2010 Luke Macken - 0.8.2-1
- update to 0.8.2 of pip

* Mon Aug 30 2010 Peter Halliday - 0.8-1
- update to 0.8 of pip

* Thu Jul 22 2010 David Malcolm - 0.7.2-5
- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild

* Wed Jul 7 2010 Peter Halliday - 0.7.2-1
- update to 0.7.2 of pip

* Sun May 23 2010 Peter Halliday - 0.7.1-1
- update to 0.7.1 of pip

* Fri Jan 1 2010 Peter Halliday - 0.6.1.4
- fix dependency issue

* Fri Dec 18 2009 Peter Halliday - 0.6.1-2
- fix spec file

* Thu Dec 17 2009 Peter Halliday - 0.6.1-1
- upgrade to 0.6.1 of pip

* Mon Aug 31 2009 Peter Halliday - 0.4-1
- Initial package