import python-pip-9.0.3-22.el8

This commit is contained in:
CentOS Sources 2022-05-10 03:14:41 -04:00 committed by Stepan Oksanichenko
parent 534a9dde4e
commit 48d53d5165
2 changed files with 110 additions and 1 deletions

View File

@ -0,0 +1,91 @@
From b97ef609100fbdd5895dab48cdab578dfeba396c Mon Sep 17 00:00:00 2001
From: Lumir Balhar <lbalhar@redhat.com>
Date: Fri, 10 Sep 2021 13:38:40 +0200
Subject: [PATCH 1/2] Implement handling of yanked_reason from the HTML anchor
---
pip/index.py | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/pip/index.py b/pip/index.py
index f653f6e6a..ced52ce5a 100644
--- a/pip/index.py
+++ b/pip/index.py
@@ -865,7 +865,11 @@ class HTMLPage(object):
)
pyrequire = anchor.get('data-requires-python')
pyrequire = unescape(pyrequire) if pyrequire else None
- yield Link(url, self, requires_python=pyrequire)
+ yanked_reason = anchor.get('data-yanked', default=None)
+ # Empty or valueless attribute are both parsed as empty string
+ if yanked_reason is not None:
+ yanked_reason = unescape(yanked_reason)
+ yield Link(url, self, requires_python=pyrequire, yanked_reason=yanked_reason)
_clean_re = re.compile(r'[^a-z0-9$&+,/:;=?@.#%_\\|-]', re.I)
@@ -879,7 +883,7 @@ class HTMLPage(object):
class Link(object):
- def __init__(self, url, comes_from=None, requires_python=None):
+ def __init__(self, url, comes_from=None, requires_python=None, yanked_reason=None):
"""
Object representing a parsed link from https://pypi.python.org/simple/*
@@ -900,6 +904,8 @@ class Link(object):
self.url = url
self.comes_from = comes_from
self.requires_python = requires_python if requires_python else None
+ self.yanked_reason = yanked_reason
+ self.yanked = yanked_reason is not None
def __str__(self):
if self.requires_python:
--
2.31.1
From d8dc6ee5d6809736dce43dc1e57d497f9ff91f26 Mon Sep 17 00:00:00 2001
From: Lumir Balhar <lbalhar@redhat.com>
Date: Fri, 10 Sep 2021 13:43:22 +0200
Subject: [PATCH 2/2] Skip all yanked candidates if possible
---
pip/index.py | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/pip/index.py b/pip/index.py
index ced52ce5a..823bbaf7d 100644
--- a/pip/index.py
+++ b/pip/index.py
@@ -489,6 +489,27 @@ class PackageFinder(object):
if applicable_candidates:
best_candidate = max(applicable_candidates,
key=self._candidate_sort_key)
+ # If we cannot find a non-yanked candidate,
+ # use the best one and print a warning about it.
+ # Otherwise, try to find another best candidate, ignoring
+ # all the yanked releases.
+ if getattr(best_candidate.location, "yanked", False):
+ nonyanked_candidates = [
+ c for c in applicable_candidates
+ if not getattr(c.location, "yanked", False)
+ ]
+
+ if set(nonyanked_candidates):
+ best_candidate = max(nonyanked_candidates,
+ key=self._candidate_sort_key)
+ else:
+ warning_message = (
+ "WARNING: The candidate selected for download or install "
+ "is a yanked version: '{}' candidate (version {} at {})"
+ ).format(best_candidate.project, best_candidate.version, best_candidate.location)
+ if best_candidate.location.yanked_reason:
+ warning_message += "\nReason for being yanked: {}".format(best_candidate.location.yanked_reason)
+ logger.warning(warning_message)
else:
best_candidate = None
--
2.31.1

View File

@ -14,7 +14,7 @@
Name: python-%{srcname}
# When updating, update the bundled libraries versions bellow!
Version: 9.0.3
Release: 20%{?dist}
Release: 22%{?dist}
Summary: A tool for installing and managing Python packages
Group: Development/Libraries
@ -123,6 +123,12 @@ Patch10: pip-directory-traversal-security-issue-tests.patch
# Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1962856
Patch11: CVE-2021-3572.patch
# Downstream-only implementation of support of yanked releases
# PEP 592 - Adding "Yank" Support to the Simple API:
# https://www.python.org/dev/peps/pep-0592/
# Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2000135
Patch12: skip_yanked_releases.patch
%global _description \
pip is a package management system used to install and manage software packages \
written in Python. Many packages can be found in the Python Package Index \
@ -265,6 +271,7 @@ popd
%patch10 -p1
%endif
%patch11 -p1
%patch12 -p1
# this goes together with patch4
rm pip/_vendor/certifi/*.pem
@ -276,6 +283,9 @@ sed -i '1d' pip/__init__.py
# Remove ordereddict as it is only required for python <= 2.6
rm pip/_vendor/ordereddict.py
# Remove windows executable binaries
rm -v pip/_vendor/distlib/*.exe
sed -i '/\.exe/d' setup.py
%build
%if %{without bootstrap}
@ -372,6 +382,14 @@ py.test-%{python3_version} -m 'not network'
%endif
%changelog
* Wed Oct 06 2021 Charalampos Stratakis <cstratak@redhat.com> - 9.0.3-22
- Remove bundled windows executables
- Resolves: rhbz#2006788
* Tue Oct 05 2021 Lumír Balhar <lbalhar@redhat.com> - 9.0.3-21
- Support of yanked releases
Resolves: rhbz#2000135
* Mon Jun 07 2021 Lumír Balhar <lbalhar@redhat.com> - 9.0.3-20
- Fix for CVE-2021-3572 - pip incorrectly handled unicode separators in git references
Resolves: rhbz#1962856