Update to 3.4.7 and simplify builds

Remove dependency on python-cryptography-vectors package and use vectors directly from Github source tar ball. Always include RHEL sources in SRPM to work around https://git.centos.org/centos/centpkg/issue/33 Resolves: rhbz#1952343
2021-04-22 09:46:45 +02:00 · 2021-04-22 09:46:45 +02:00 · 41b3a83259
commit 41b3a83259
parent ad1252373e
5 changed files with 43 additions and 76 deletions
--- a/.gitignore
+++ b/.gitignore
@ -38,3 +38,5 @@
 /cryptography-3.4.6.tar.gz
 /cryptography-3.4.6.tar.gz.asc
 /cryptography-3.4.6-vendor.tar.bz2
+/cryptography-3.4.7.tar.gz
+/cryptography-3.4.7-vendor.tar.bz2
--- a/README.md
+++ b/README.md
@ -8,57 +8,7 @@ The example assumes

 * Fedora Rawhide (f34)
 * PyCA cryptography release ``3.4``
-* Update Bugzilla issues are ``RHBZ#00000001`` and ``RHBZ#00000002``
-* Build side tag is ``f34-build-side-12345``
-
-### Request a side tag for building
-
-python-cryptography builds depend on python-cryptography-vectors
-package. Both packages must be build in a side tag.
-
-```shell
-fedpkg request-side-tag --base-tag f34-build
-```
-
-### Build new python-cryptography-vectors first
-
-```shell
-pushd ../python-cryptography-vectors
-```
-
-Switch and update branch
-
-```shell
-fedpkg switch-branch rawhide
-fedpkg pull
-```
-
-Bump version and get sources
-
-```shell
-rpmdev-bumpspec -c "Update to 3.4 (#00000001)" -n 3.4 python-cryptography-vectors.spec
-spectool -gf python-cryptography-vectors.spec
-```
-
-Upload sources
-
-```shell
-fedpkg new-sources cryptography_vectors-3.4.tar.gz
-```
-
-Commit changes
-
-```shell
-fedpkg commit --clog
-fedpkg push
-```
-
-Build and wait for repo to regenerate
-
-```shell
-fedpkg build --target=f34-build-side-12345
-koji wait-repo --build python-cryptography-vectors-3.4-1 f34-build-side-12345
-```
+* Update Bugzilla issue is ``RHBZ#00000001``

 ### Build new python-cryptography

@ -72,14 +22,14 @@ fedpkg pull
 Bump version and get sources

 ```shell
-rpmdev-bumpspec -c "Update to 3.4 (#00000002)" -n 3.4 python-cryptography.spec
+rpmdev-bumpspec -c "Update to 3.4 (#00000001)" -n 3.4 python-cryptography.spec
 spectool -gf python-cryptography.spec
 ```

-Upload new sources (**two files!**)
+Upload new source

 ```shell
-fedpkg new-sources cryptography-3.4.tar.gz cryptography-3.4.tar.gz.asc
+fedpkg new-sources cryptography-3.4.tar.gz
 ```

 Commit changes
@ -92,5 +42,18 @@ fedpkg push
 Build

 ```shell
-fedpkg build --target=f34-build-side-12345
+fedpkg build
+```
+
+## RHEL/CentOS builds
+
+RHEL and CentOS use a different approach for Rust crates packaging than
+Fedora. On Fedora Rust dependencies are packaged as RPMs, e.g.
+``rust-pyo3+default-devel`` RPM. These packages don't exist on RHEL and
+CentOS. Instead python-cryptography uses a tar ball with vendored crates.
+The tar ball is created by a script:
+
+```shell
+./vendor_rust.py
+rhpkg upload cryptography-3.4-vendor.tar.bz2
 ```
--- a/gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg
+++ b/gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@ -6,24 +6,18 @@
 %global pyo3_version 0.13.1

 Name:           python-%{srcname}
-Version:        3.4.6
-Release:        2%{?dist}
+Version:        3.4.7
+Release:        1%{?dist}
 Summary:        PyCA's cryptography library

 License:        ASL 2.0 or BSD
 URL:            https://cryptography.io/en/latest/
-Source0:        %{pypi_source}
-Source1:        %{pypi_source}.asc
-# key ids of upstream authors are published in the AUTHORS file:
-#    https://github.com/pyca/cryptography/blob/master/AUTHORS.rst
-# gpg2 --recv-keys "05FD 9FA1 6CF7 5735 0D91 A560 235A E5F1 29F9 ED98"
-# gpg2 --export --export-options export-minimal "05FD 9FA1 6CF7 5735 0D91 A560 235A E5F1 29F9 ED98" > gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg
-Source2:        gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg
-%if 0%{?rhel}
+Source0:        https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz
                # created by ./vendor_rust.py helper script
-Source3:        cryptography-%{version}-vendor.tar.bz2
-Source4:        conftest-skipper.py
-%endif
+Source1:        cryptography-%{version}-vendor.tar.bz2
+Source2:        conftest-skipper.py
+
+ExclusiveArch:  %{rust_arches}

 BuildRequires:  openssl-devel
 BuildRequires:  gcc
@ -41,7 +35,6 @@ BuildRequires:  python%{python3_pkgversion}-setuptools-rust >= 0.11.3
 BuildRequires:  python%{python3_pkgversion}-six >= 1.4.1

 %if %{with tests}
-BuildRequires:  python%{python3_pkgversion}-cryptography-vectors = %{version}
 %if 0%{?fedora}
 BuildRequires:  python%{python3_pkgversion}-hypothesis >= 1.11.4
 BuildRequires:  python%{python3_pkgversion}-iso8601
@ -64,13 +57,16 @@ Summary:        PyCA's cryptography library
 Requires:       openssl-libs
 Requires:       python%{python3_pkgversion}-six >= 1.4.1
 Requires:       python%{python3_pkgversion}-cffi >= 1.7
+%if 0%{?fedora} >= 35 || 0%{?rhel} >= 9
+# Can be safely removed in Fedora 37
+Obsoletes: python%{python3_pkgversion}-cryptography-vectors < 3.4.7
+%endif

 %description -n python%{python3_pkgversion}-%{srcname}
 cryptography is a package designed to expose cryptographic primitives and
 recipes to Python developers.

 %prep
-%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %autosetup -p1 -n %{srcname}-%{version}

 %generate_buildrequires
@ -84,7 +80,7 @@ rm -f Cargo.lock
 cd ../..
 %else
 # RHEL: use vendored Rust crates
-%cargo_prep -V 3
+%cargo_prep -V 1
 %endif

 %build
@ -102,12 +98,14 @@ find . -name .keep -print -delete
 # skip hypothesis tests on RHEL
 rm -rf tests/hypothesis
 # append skipper to skip iso8601 and pretend tests
-cat < %{SOURCE4} >> tests/conftest.py
+cat < %{SOURCE2} >> tests/conftest.py
 %endif

 # see https://github.com/pyca/cryptography/issues/4885 and
 # see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests
-PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve)"
+PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \
+    %{__python3} -m pytest \
+    -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve)"
 %endif

 %files -n python%{python3_pkgversion}-%{srcname}
@ -117,6 +115,11 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_
 %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info

 %changelog
+* Wed Apr 21 2021 Christian Heimes <cheimes@redhat.com> - 3.4.7-1
+- Update to 3.4.7
+- Remove dependency on python-cryptography-vectors package and use vectors
+  directly from Github source tar ball. Related: rhbz#1952343
+
 * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.4.6-2
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937

--- a/5
+++ b/5
@ -1,3 +1,2 @@
-SHA512 (cryptography-3.4.6.tar.gz) = 30b712adc5cc114faeb7bfef0b9de88c6daefa5a8b99e53bd6d37b8ed560bd1d396cbb202902c307b90f40d695bde151164436bf233fb726dc836c8b70126653
-SHA512 (cryptography-3.4.6.tar.gz.asc) = 91e8c5f5e9e0d440d0882f0bf2f5f039b299c88f03f52d4060f0ee2a18d46ca6503d77444196db91b8d29c7b302b238461795d252777f9bc2953c52789df9fad
-SHA512 (cryptography-3.4.6-vendor.tar.bz2) = a3e8b6218c6714730bd235e21e5a1d3389e6c1a15542fa22898fd242dcd7a45f6032054ee42799ba87b8d304717318838a944255823d8a47180810796fd41a82
+SHA512 (cryptography-3.4.7.tar.gz) = e76d0949fbaca06d2f72805bdce8ea85056ae45b978f51d70d1367bbfb1067e9db76a9f080f890e95ec52c788a3d2fd3ba0a286901f97ee2911ebd7a7a8f71a9
+SHA512 (cryptography-3.4.7-vendor.tar.bz2) = 67060536b5d48e0497290fb3307329d57e9ac56cb9ee13c2fb1b2f93d059872d411d9dbff3f00bece23a8593d667799de86630b3748337b204f8776ef3f0a387