import python2-pip-9.0.3-17.module+el8.3.0+6395+b838081d

.gitignore

@@ -0,0 +1 @@
+SOURCES/pip-9.0.3.tar.gz

.python2-pip.metadata

@@ -0,0 +1 @@
+1f5f44d433ca599d40f8e46f440479b2c73802d8 SOURCES/pip-9.0.3.tar.gz

SOURCES/CVE-2018-18074.patch

@@ -0,0 +1,90 @@
+From ffbfdb53681207b23bcf67dd76368ad6185ade24 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Thu, 16 Jan 2020 07:06:09 +0100
+Subject: [PATCH] Fix for CVE-2018-18074
+
+This patch contains the fix for CVE-2018-18074 and
+a subsequent regression fix combined in one.
+---
+ sessions.py | 36 +++++++++++++++++++++++++++++-------
+ utils.py    |  1 +
+ 2 files changed, 30 insertions(+), 7 deletions(-)
+
+diff --git a/sessions.py b/sessions.py
+index 6570e73..4038047 100644
+--- a/sessions.py
++++ b/sessions.py
+@@ -29,7 +29,7 @@ from .adapters import HTTPAdapter
+ 
+ from .utils import (
+     requote_uri, get_environ_proxies, get_netrc_auth, should_bypass_proxies,
+-    get_auth_from_url, rewind_body
++    get_auth_from_url, rewind_body, DEFAULT_PORTS
+ )
+ 
+ from .status_codes import codes
+@@ -116,6 +116,32 @@ class SessionRedirectMixin(object):
+             return to_native_string(location, 'utf8')
+         return None
+ 
++
++    def should_strip_auth(self, old_url, new_url):
++        """Decide whether Authorization header should be removed when redirecting"""
++        old_parsed = urlparse(old_url)
++        new_parsed = urlparse(new_url)
++        if old_parsed.hostname != new_parsed.hostname:
++            return True
++        # Special case: allow http -> https redirect when using the standard
++        # ports. This isn't specified by RFC 7235, but is kept to avoid
++        # breaking backwards compatibility with older versions of requests
++        # that allowed any redirects on the same host.
++        if (old_parsed.scheme == 'http' and old_parsed.port in (80, None)
++                and new_parsed.scheme == 'https' and new_parsed.port in (443, None)):
++            return False
++
++        # Handle default port usage corresponding to scheme.
++        changed_port = old_parsed.port != new_parsed.port
++        changed_scheme = old_parsed.scheme != new_parsed.scheme
++        default_port = (DEFAULT_PORTS.get(old_parsed.scheme, None), None)
++        if (not changed_scheme and old_parsed.port in default_port
++                and new_parsed.port in default_port):
++            return False
++
++        # Standard case: root URI must match
++        return changed_port or changed_scheme
++
+     def resolve_redirects(self, resp, req, stream=False, timeout=None,
+                           verify=True, cert=None, proxies=None, yield_requests=False, **adapter_kwargs):
+         """Receives a Response. Returns a generator of Responses or Requests."""
+@@ -232,14 +258,10 @@ class SessionRedirectMixin(object):
+         headers = prepared_request.headers
+         url = prepared_request.url
+ 
+-        if 'Authorization' in headers:
++        if 'Authorization' in headers and self.should_strip_auth(response.request.url, url):
+             # If we get redirected to a new host, we should strip out any
+             # authentication headers.
+-            original_parsed = urlparse(response.request.url)
+-            redirect_parsed = urlparse(url)
+-
+-            if (original_parsed.hostname != redirect_parsed.hostname):
+-                del headers['Authorization']
++            del headers['Authorization']
+ 
+         # .netrc might have more auth for us on our new host.
+         new_auth = get_netrc_auth(url) if self.trust_env else None
+diff --git a/utils.py b/utils.py
+index 5c47de9..5695ab0 100644
+--- a/utils.py
++++ b/utils.py
+@@ -38,6 +38,7 @@ NETRC_FILES = ('.netrc', '_netrc')
+ 
+ DEFAULT_CA_BUNDLE_PATH = certs.where()
+ 
++DEFAULT_PORTS = {'http': 80, 'https': 443}
+ 
+ if platform.system() == 'Windows':
+     # provide a proxy_bypass version on Windows without DNS lookups
+-- 
+2.24.1
+

SOURCES/CVE-2018-20060.patch

@@ -0,0 +1,94 @@
+From c734f873270cf9ca414832423f7aad98443c379f Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Thu, 9 Jan 2020 11:26:24 +0100
+Subject: [PATCH] CVE-2018-20060
+
+---
+ poolmanager.py | 11 ++++++++++-
+ util/retry.py  | 12 +++++++++++-
+ 2 files changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/poolmanager.py b/poolmanager.py
+index 4ae9174..bfa5115 100644
+--- a/poolmanager.py
++++ b/poolmanager.py
+@@ -312,8 +312,9 @@ class PoolManager(RequestMethods):
+ 
+         kw['assert_same_host'] = False
+         kw['redirect'] = False
++
+         if 'headers' not in kw:
+-            kw['headers'] = self.headers
++            kw['headers'] = self.headers.copy()
+ 
+         if self.proxy is not None and u.scheme == "http":
+             response = conn.urlopen(method, url, **kw)
+@@ -335,6 +336,14 @@ class PoolManager(RequestMethods):
+         if not isinstance(retries, Retry):
+             retries = Retry.from_int(retries, redirect=redirect)
+ 
++        # Strip headers marked as unsafe to forward to the redirected location.
++        # Check remove_headers_on_redirect to avoid a potential network call within
++        # conn.is_same_host() which may use socket.gethostbyname() in the future.
++        if (retries.remove_headers_on_redirect
++                and not conn.is_same_host(redirect_location)):
++            for header in retries.remove_headers_on_redirect:
++                kw['headers'].pop(header, None)
++
+         try:
+             retries = retries.increment(method, url, response=response, _pool=conn)
+         except MaxRetryError:
+diff --git a/util/retry.py b/util/retry.py
+index c603cb4..0b83963 100644
+--- a/util/retry.py
++++ b/util/retry.py
+@@ -126,6 +126,11 @@ class Retry(object):
+         exhausted, to raise a MaxRetryError, or to return a response with a
+         response code in the 3xx range.
+ 
++    :param iterable remove_headers_on_redirect:
++        Sequence of headers to remove from the request when a response
++        indicating a redirect is returned before firing off the redirected
++        request
++
+     :param bool raise_on_status: Similar meaning to ``raise_on_redirect``:
+         whether we should raise an exception, or return a response,
+         if status falls in ``status_forcelist`` range and retries have
+@@ -144,6 +149,8 @@ class Retry(object):
+     DEFAULT_METHOD_WHITELIST = frozenset([
+         'HEAD', 'GET', 'PUT', 'DELETE', 'OPTIONS', 'TRACE'])
+ 
++    DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(['Authorization'])
++
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Maximum backoff time.
+@@ -152,7 +159,8 @@ class Retry(object):
+     def __init__(self, total=10, connect=None, read=None, redirect=None, status=None,
+                  method_whitelist=DEFAULT_METHOD_WHITELIST, status_forcelist=None,
+                  backoff_factor=0, raise_on_redirect=True, raise_on_status=True,
+-                 history=None, respect_retry_after_header=True):
++                 history=None, respect_retry_after_header=True,
++                 remove_headers_on_redirect=DEFAULT_REDIRECT_HEADERS_BLACKLIST):
+ 
+         self.total = total
+         self.connect = connect
+@@ -171,6 +179,7 @@ class Retry(object):
+         self.raise_on_status = raise_on_status
+         self.history = history or tuple()
+         self.respect_retry_after_header = respect_retry_after_header
++        self.remove_headers_on_redirect = remove_headers_on_redirect
+ 
+     def new(self, **kw):
+         params = dict(
+@@ -182,6 +191,7 @@ class Retry(object):
+             raise_on_redirect=self.raise_on_redirect,
+             raise_on_status=self.raise_on_status,
+             history=self.history,
++            remove_headers_on_redirect=self.remove_headers_on_redirect,
+         )
+         params.update(kw)
+         return type(self)(**params)
+-- 
+2.24.1
+

SOURCES/CVE-2019-11236.patch

@@ -0,0 +1,43 @@
+From b40eb0f43daecc6e2e3ce47b0be49cf570d02adc Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Thu, 9 Jan 2020 11:14:58 +0100
+Subject: [PATCH] CVE-2019-9740
+
+---
+ util/url.py | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/util/url.py b/util/url.py
+index 6b6f996..2784c85 100644
+--- a/util/url.py
++++ b/util/url.py
+@@ -1,5 +1,6 @@
+ from __future__ import absolute_import
+ from collections import namedtuple
++import re
+ 
+ from ..exceptions import LocationParseError
+ 
+@@ -10,6 +11,8 @@ url_attrs = ['scheme', 'auth', 'host', 'port', 'path', 'query', 'fragment']
+ # urllib3 infers URLs without a scheme (None) to be http.
+ NORMALIZABLE_SCHEMES = ('http', 'https', None)
+ 
++_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]')
++from ..packages.six.moves.urllib.parse import quote
+ 
+ class Url(namedtuple('Url', url_attrs)):
+     """
+@@ -155,6 +158,10 @@ def parse_url(url):
+         # Empty
+         return Url()
+ 
++    # Prevent CVE-2019-9740.
++    # adapted from https://github.com/python/cpython/pull/12755
++    url = _contains_disallowed_url_pchar_re.sub(lambda match: quote(match.group()), url)
++
+     scheme = None
+     auth = None
+     host = None
+-- 
+2.24.1
+

SOURCES/CVE-2019-11324.patch

@@ -0,0 +1,26 @@
+From 54e768a6dbe3cadeb456dea37bbeaf6e1e17e87c Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Thu, 9 Jan 2020 10:47:27 +0100
+Subject: [PATCH] CVE-2019-11324 Certification mishandle when error should be
+ thrown
+
+---
+ util/ssl_.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/util/ssl_.py b/util/ssl_.py
+index 32fd9ed..f9f12ff 100644
+--- a/util/ssl_.py
++++ b/util/ssl_.py
+@@ -319,7 +319,7 @@ def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None,
+             if e.errno == errno.ENOENT:
+                 raise SSLError(e)
+             raise
+-    elif getattr(context, 'load_default_certs', None) is not None:
++    elif ssl_context is None and hasattr(context, 'load_default_certs'):
+         # try to load OS default certs; works well on Windows (require Python3.4+)
+         context.load_default_certs()
+ 
+-- 
+2.24.1
+

SOURCES/allow-stripping-given-prefix-from-wheel-RECORD-files.patch

@@ -0,0 +1,95 @@
+diff -up pip-9.0.1/pip/commands/install.py.orig pip-9.0.1/pip/commands/install.py
+--- pip-9.0.1/pip/commands/install.py.orig	2016-11-06 11:49:45.000000000 -0700
++++ pip-9.0.1/pip/commands/install.py	2016-11-16 16:20:48.638906543 -0700
+@@ -151,6 +151,14 @@ class InstallCommand(RequirementCommand)
+                  "directory.")
+ 
+         cmd_opts.add_option(
++            '--strip-file-prefix',
++            dest='strip_file_prefix',
++            metavar='prefix',
++            default=None,
++            help="Strip given prefix from script paths in wheel RECORD."
++        )
++
++        cmd_opts.add_option(
+             '--prefix',
+             dest='prefix_path',
+             metavar='dir',
+@@ -340,6 +348,7 @@ class InstallCommand(RequirementCommand)
+                             global_options,
+                             root=options.root_path,
+                             prefix=options.prefix_path,
++                            strip_file_prefix=options.strip_file_prefix,
+                         )
+ 
+                         possible_lib_locations = get_lib_location_guesses(
+diff -up pip-9.0.1/pip/req/req_install.py.orig pip-9.0.1/pip/req/req_install.py
+--- pip-9.0.1/pip/req/req_install.py.orig	2016-11-06 11:49:45.000000000 -0700
++++ pip-9.0.1/pip/req/req_install.py	2016-11-16 16:19:24.848336960 -0700
+@@ -838,8 +838,7 @@ class InstallRequirement(object):
+         else:
+             return True
+ 
+-    def install(self, install_options, global_options=[], root=None,
+-                prefix=None):
++    def install(self, install_options, global_options=[], root=None, prefix=None, strip_file_prefix=None):
+         if self.editable:
+             self.install_editable(
+                 install_options, global_options, prefix=prefix)
+@@ -848,7 +847,12 @@ class InstallRequirement(object):
+             version = pip.wheel.wheel_version(self.source_dir)
+             pip.wheel.check_compatibility(version, self.name)
+ 
+-            self.move_wheel_files(self.source_dir, root=root, prefix=prefix)
++            self.move_wheel_files(
++                self.source_dir,
++                root=root,
++                prefix=prefix,
++                strip_file_prefix=strip_file_prefix
++            )
+             self.install_succeeded = True
+             return
+ 
+@@ -1053,7 +1057,7 @@ class InstallRequirement(object):
+     def is_wheel(self):
+         return self.link and self.link.is_wheel
+ 
+-    def move_wheel_files(self, wheeldir, root=None, prefix=None):
++    def move_wheel_files(self, wheeldir, root=None, prefix=None, strip_file_prefix=None):
+         move_wheel_files(
+             self.name, self.req, wheeldir,
+             user=self.use_user_site,
+@@ -1062,6 +1066,7 @@ class InstallRequirement(object):
+             prefix=prefix,
+             pycompile=self.pycompile,
+             isolated=self.isolated,
++            strip_file_prefix=strip_file_prefix,
+         )
+ 
+     def get_dist(self):
+diff -up pip-9.0.1/pip/wheel.py.orig pip-9.0.1/pip/wheel.py
+--- pip-9.0.1/pip/wheel.py.orig	2016-11-06 11:49:45.000000000 -0700
++++ pip-9.0.1/pip/wheel.py	2016-11-16 16:19:24.848336960 -0700
+@@ -238,7 +238,7 @@ def get_entrypoints(filename):
+ 
+ 
+ def move_wheel_files(name, req, wheeldir, user=False, home=None, root=None,
+-                     pycompile=True, scheme=None, isolated=False, prefix=None):
++                     pycompile=True, scheme=None, isolated=False, prefix=None, strip_file_prefix=None):
+     """Install a wheel"""
+ 
+     if not scheme:
+@@ -521,7 +521,11 @@ if __name__ == '__main__':
+                 writer.writerow(row)
+             for f in generated:
+                 h, l = rehash(f)
+-                writer.writerow((normpath(f, lib_dir), h, l))
++                final_path = normpath(f, lib_dir)
++                if strip_file_prefix and final_path.startswith(strip_file_prefix):
++                    final_path = os.path.join(os.sep,
++                            os.path.relpath(final_path, strip_file_prefix))
++                writer.writerow((final_path, h, l))
+             for f in installed:
+                 writer.writerow((installed[f], '', ''))
+     shutil.move(temp_record, record)

SOURCES/dummy-certifi.patch

@@ -0,0 +1,15 @@
+diff --git a/pip/_vendor/certifi/core.py b/pip/_vendor/certifi/core.py
+index eab9d1d..9614a88 100644
+--- a/pip/_vendor/certifi/core.py
++++ b/pip/_vendor/certifi/core.py
+@@ -19,9 +19,7 @@ class DeprecatedBundleWarning(DeprecationWarning):
+ 
+ 
+ def where():
+-    f = os.path.dirname(__file__)
+-
+-    return os.path.join(f, 'cacert.pem')
++    return '/etc/pki/tls/certs/ca-bundle.crt'
+ 
+ 
+ def old_where():

SOURCES/emit-a-warning-when-running-with-root-privileges.patch

@@ -0,0 +1,44 @@
+From 18a617e9e0f64b727938422d4f941dfddfbf5d00 Mon Sep 17 00:00:00 2001
+From: Tomas Orsava <torsava@redhat.com>
+Date: Tue, 14 Feb 2017 17:10:09 +0100
+Subject: [PATCH] Emit a warning when running with root privileges.
+
+---
+ pip/commands/install.py | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/pip/commands/install.py b/pip/commands/install.py
+index 227c526..277a3d1 100644
+--- a/pip/commands/install.py
++++ b/pip/commands/install.py
+@@ -6,6 +6,8 @@ import os
+ import tempfile
+ import shutil
+ import warnings
++import sys
++from os import path
+ try:
+     import wheel
+ except ImportError:
+@@ -193,6 +195,18 @@ class InstallCommand(RequirementCommand):
+         cmdoptions.resolve_wheel_no_use_binary(options)
+         cmdoptions.check_install_build_global(options)
+ 
++        def is_venv():
++            return hasattr(sys, 'real_prefix') or \
++                    (hasattr(sys, 'base_prefix') and sys.base_prefix != sys.prefix)
++
++        # Check whether we have root privileges and aren't in venv/virtualenv
++        if os.getuid() == 0 and not is_venv():
++            logger.warning(
++                "WARNING: Running pip install with root privileges is "
++                "generally not a good idea. Try `%s install --user` instead."
++                        % path.basename(sys.argv[0])
++            )
++
+         if options.as_egg:
+             warnings.warn(
+                 "--egg has been deprecated and will be removed in the future. "
+-- 
+2.11.0
+

SOURCES/pip-nowarn-upgrade.patch

@@ -0,0 +1,36 @@
+diff --git a/pip/utils/outdated.py b/pip/utils/outdated.py
+index 2164cc3..c71539f 100644
+--- a/pip/utils/outdated.py
++++ b/pip/utils/outdated.py
+@@ -92,6 +92,21 @@ def load_selfcheck_statefile():
+         return GlobalSelfCheckState()
+ 
+ 
++def pip_installed_by_pip():
++    """Checks whether pip was installed by pip
++
++    This is used not to display the upgrade message when pip is in fact
++    installed by system package manager, such as dnf on Fedora.
++    """
++    import pkg_resources
++    try:
++        dist = pkg_resources.get_distribution('pip')
++        return (dist.has_metadata('INSTALLER') and
++                'pip' in dist.get_metadata_lines('INSTALLER'))
++    except pkg_resources.DistributionNotFound:
++        return False
++
++
+ def pip_version_check(session):
+     """Check for an update for pip.
+ 
+@@ -141,7 +156,8 @@ def pip_version_check(session):
+ 
+         # Determine if our pypi_version is older
+         if (pip_version < remote_version and
+-                pip_version.base_version != remote_version.base_version):
++                pip_version.base_version != remote_version.base_version and
++                pip_installed_by_pip()):
+             # Advise "python -m pip" on Windows to avoid issues
+             # with overwriting pip.exe.
+             if WINDOWS:

SPECS/python2-pip.spec

@@ -0,0 +1,610 @@
+%bcond_with bootstrap
+%bcond_with tests
+%bcond_with doc
+
+%global srcname pip
+%global python_wheelname %{srcname}-%{version}-py2.py3-none-any.whl
+%global python2_wheeldir %{_datadir}/python2-wheels
+%if %{without bootstrap}
+%global python2_wheelname %python_wheelname
+%endif
+
+# Note that with disabled python3, bashcomp2 will be disabled as well because
+# bashcompdir will point to a different path than with python3 enabled.
+%global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d})
+%if "%{bashcompdir}" != "%{_sysconfdir}/bash_completion.d"
+%global bashcomp2 1
+%endif
+
+Name:           python2-%{srcname}
+# When updating, update the bundled libraries versions bellow!
+Version:        9.0.3
+Release:        17%{?dist}
+Summary:        A tool for installing and managing Python 2 packages
+
+Group:          Development/Libraries
+
+# We bundle a lot of libraries with pip, which itself is under MIT license.
+# Here is the list of the libraries with corresponding licenses:
+
+# appdirs: MIT
+# CacheControl: ASL 2.0
+# certifi: MPLv2.0
+# chardet: LGPLv2
+# colorama: BSD
+# distlib: Python
+# distro: ASL 2.0
+# html5lib: MIT
+# idna: BSD
+# ipaddress: Python
+# lockfile: MIT
+# packaging: ASL 2.0 or BSD
+# progress: ISC
+# pyparsing: MIT
+# requests: ASL 2.0
+# retrying: ASL 2.0
+# urllib3: MIT
+# six: MIT
+# urllib3: MIT
+# webencodings: BSD
+
+License:        MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD)
+URL:            http://www.pip-installer.org
+Source0:        https://files.pythonhosted.org/packages/source/p/%{srcname}/%{srcname}-%{version}.tar.gz
+# to get tests:
+# git clone https://github.com/pypa/pip && cd pip
+# git checkout 9.0.1 && tar -czvf ../pip-9.0.1-tests.tar.gz tests/
+%if %{with tests}
+Source1:        pip-9.0.1-tests.tar.gz
+%endif
+# Manpage generated by sphinx from source tarball
+# cd pip-9.0.3/docs && make man && cp _build/man/pip.1 ../../pip2.1
+Source2:        pip2.1
+
+BuildArch:      noarch
+
+%if %{with tests}
+BuildRequires:  git
+BuildRequires:  bzr
+%endif
+
+# Patch until the following issue gets implemented upstream:
+# https://github.com/pypa/pip/issues/1351
+Patch0:         allow-stripping-given-prefix-from-wheel-RECORD-files.patch
+
+# Downstream only patch
+# Emit a warning to the user if pip install is run with root privileges
+# Issue upstream: https://github.com/pypa/pip/issues/4288
+Patch1:         emit-a-warning-when-running-with-root-privileges.patch
+
+# Do not show the "new version of pip" warning outside of venv
+# Upstream issue: https://github.com/pypa/pip/issues/5346
+# Fedora bug: https://bugzilla.redhat.com/show_bug.cgi?id=1573755
+Patch3:         pip-nowarn-upgrade.patch
+
+# Use the system level root certificate instead of the one bundled in certifi
+# https://bugzilla.redhat.com/show_bug.cgi?id=1655253
+Patch4:         dummy-certifi.patch
+
+# Patch for CVE in the bundled urllib3
+# CVE-2018-20060 Cross-host redirect does not remove Authorization header allow for credential exposure
+# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-20060
+Patch5:         CVE-2018-20060.patch
+
+# Patch for CVE in the bundled urllib3
+# CVE-2019-11236 CRLF injection due to not encoding the '\r\n' sequence leading to possible attack on internal service
+# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-11236
+Patch6:         CVE-2019-11236.patch
+
+# Patch for CVE in the bundled urllib3
+# CVE-2019-11324 Certification mishandle when error should be thrown
+# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-11324
+Patch7:         CVE-2019-11324.patch
+
+# Patch for CVE in the bundled requests
+# CVE-2018-18074 Redirect from HTTPS to HTTP does not remove Authorization header
+# This patch fixes both the CVE
+# https://bugzilla.redhat.com/show_bug.cgi?id=1643829
+# and the subsequent regression
+# https://github.com/psf/requests/pull/4851
+Patch8:         CVE-2018-18074.patch
+
+BuildRequires:  python2-devel
+BuildRequires:  python2-setuptools
+%if %{with tests}
+BuildRequires:  python2-mock
+BuildRequires:  python2-pytest
+BuildRequires:  python2-pretend
+BuildRequires:  python2-freezegun
+BuildRequires:  python2-pytest-capturelog
+BuildRequires:  python2-scripttest
+BuildRequires:  python2-virtualenv
+%endif
+%if %{without bootstrap}
+BuildRequires:  python2-pip
+BuildRequires:  python2-wheel
+%endif
+Requires:       python2-setuptools
+
+# Virtual provides for the packages bundled by pip.
+# You can find the versions in pip/_vendor/vendor.txt file.
+# Don't forget to update this bellow for python3 as well.
+Provides: bundled(python2dist(appdirs)) = 1.4.0
+Provides: bundled(python2dist(cachecontrol)) = 0.11.7
+Provides: bundled(python2dist(colorama)) = 0.3.7
+Provides: bundled(python2dist(distlib)) = 0.2.4
+Provides: bundled(python2dist(distro)) = 1.0.1
+Provides: bundled(python2dist(html5lib)) = 1.0b10
+Provides: bundled(python2dist(ipaddress) = 1.0.17
+Provides: bundled(python2dist(lockfile)) = 0.12.2
+Provides: bundled(python2dist(packaging)) = 16.8
+Provides: bundled(python2dist(setuptools)) = 28.8.0
+Provides: bundled(python2dist(progress)) = 1.2
+Provides: bundled(python2dist(pyparsing)) = 2.1.10
+Provides: bundled(python2dist(requests)) = 2.11.1
+Provides: bundled(python2dist(retrying)) = 1.3.3
+Provides: bundled(python2dist(six)) = 1.10.0
+Provides: bundled(python2dist(webencodings)) = 0.5
+
+# Bundled within the requests bundle
+Provides: bundled(python2dist(chardet)) = 2.3.0
+Provides: bundled(python2dist(urllib3)) = 1.16
+
+%{?python_provide:%python_provide python2-%{srcname}}
+
+%description
+pip is a package management system used to install and manage software packages
+written in Python. Many packages can be found in the Python Package Index
+(PyPI). pip is a recursive acronym that can stand for either "Pip Installs
+Packages" or "Pip Installs Python".
+
+
+%if %{with doc}
+%package doc
+Summary:        A documentation for a tool for installing and managing Python packages
+
+BuildRequires:  python%{python3_pkgversion}-sphinx
+
+%description doc
+A documentation for a tool for installing and managing Python packages
+
+%endif
+
+%if %{without bootstrap}
+%package -n python2-pip-wheel
+Summary:        The pip wheel
+
+# Virtual provides for the packages bundled by pip.
+# You can find the versions in pip/_vendor/vendor.txt file.
+Provides: bundled(python2dist(appdirs)) = 1.4.0
+Provides: bundled(python2dist(cachecontrol)) = 0.11.7
+Provides: bundled(python2dist(colorama)) = 0.3.7
+Provides: bundled(python2dist(distlib)) = 0.2.4
+Provides: bundled(python2dist(distro)) = 1.0.1
+Provides: bundled(python2dist(html5lib)) = 1.0b10
+Provides: bundled(python2dist(ipaddress) = 1.0.17
+Provides: bundled(python2dist(lockfile)) = 0.12.2
+Provides: bundled(python2dist(packaging)) = 16.8
+Provides: bundled(python2dist(setuptools)) = 28.8.0
+Provides: bundled(python2dist(progress)) = 1.2
+Provides: bundled(python2dist(pyparsing)) = 2.1.10
+Provides: bundled(python2dist(requests)) = 2.11.1
+Provides: bundled(python2dist(retrying)) = 1.3.3
+Provides: bundled(python2dist(six)) = 1.10.0
+Provides: bundled(python2dist(webencodings)) = 0.5
+
+%description -n python2-pip-wheel
+A Python wheel of pip to use with venv.
+%endif
+
+
+%prep
+%setup -q -n %{srcname}-%{version}
+%if %{with tests}
+tar -xf %{SOURCE1}
+%endif
+
+%patch0 -p1
+%patch1 -p1
+%patch3 -p1
+%patch4 -p1
+
+# Patching of bundled libraries
+pushd pip/_vendor/urllib3
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+popd
+pushd pip/_vendor/requests
+%patch8 -p1
+popd
+
+# this goes together with patch4
+rm pip/_vendor/certifi/*.pem
+rm pip/_vendor/requests/*.pem
+sed -i '/\.pem$/d' pip.egg-info/SOURCES.txt
+
+sed -i '1d' pip/__init__.py
+
+# Remove ordereddict as it is only required for python <= 2.6
+rm pip/_vendor/ordereddict.py
+
+
+%build
+export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
+%if %{without bootstrap}
+%py2_build_wheel
+%else
+%py2_build
+%endif
+
+%if %{with doc}
+pushd docs
+make html
+make man
+rm _build/html/.buildinfo
+popd
+%endif
+
+
+%install
+%if %{with doc}
+install -d %{buildroot}%{_mandir}/man1
+install -pm0644 docs/_build/man/*.1 %{buildroot}%{_mandir}/man1/pip2.1
+%else
+# When building without doc, use pregenerated version of pip2 manual page
+mkdir -p %{buildroot}%{_mandir}/man1/
+cp %{SOURCE2} %{buildroot}%{_mandir}/man1/
+%endif # with doc
+
+export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
+%if %{without bootstrap}
+%py2_install_wheel %{python2_wheelname}
+%else
+%py2_install
+%endif
+
+rm %{buildroot}%{_bindir}/pip{,%{python2_version}}
+
+# Provide symlinks to executables to comply with Fedora guidelines for Python
+ln -s ./pip2 %{buildroot}%{_bindir}/pip-%{python2_version}
+ln -s ./pip2 %{buildroot}%{_bindir}/pip%{python2_version}
+ln -s ./pip2 %{buildroot}%{_bindir}/pip-2
+# Manpage symlink
+ln -s ./pip2.1.gz %{buildroot}%{_mandir}/man1/pip%{python2_version}.1.gz
+
+mkdir -p %{buildroot}%{bashcompdir}
+PYTHONPATH=%{buildroot}%{python2_sitelib} \
+    %{buildroot}%{_bindir}/pip2 completion --bash \
+    > %{buildroot}%{bashcompdir}/pip2
+pips2="pip2"
+pips3=pip%{python3_version}
+for pip in %{buildroot}%{_bindir}/pip*; do
+    pip=$(basename $pip)
+    case $pip in
+        pip2.*|pip-2*)
+            pips2="$pips2 $pip"
+%if 0%{?bashcomp2}
+            ln -s pip2 %{buildroot}%{bashcompdir}/$pip
+%endif
+            ;;
+    esac
+done
+sed -i -e "s/^\\(complete.*\\) pip\$/\\1 $pips2/" \
+    %{buildroot}%{bashcompdir}/pip2
+
+# Make sure the INSTALLER is not pip, otherwise pip-nowarn-upgrade.patch
+# (Patch3) won't work
+mkdir -p %{buildroot}%{python2_sitelib}/pip-%{version}.dist-info
+echo rpm > %{buildroot}%{python2_sitelib}/pip-%{version}.dist-info/INSTALLER
+
+
+%if %{without bootstrap}
+mkdir -p %{buildroot}%{python2_wheeldir}
+install -p dist/%{python2_wheelname} -t %{buildroot}%{python2_wheeldir}
+%endif
+
+%if %{with tests}
+%check
+export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
+py.test-%{python2_version} -m 'not network'
+%endif
+
+
+%files
+%license LICENSE.txt
+%doc README.rst
+%{_mandir}/man1/pip2.*
+%{_bindir}/pip2
+%{_bindir}/pip-2
+%{_bindir}/pip%{python2_version}
+%{_bindir}/pip-%{python2_version}
+%{python2_sitelib}/pip*
+%dir %{bashcompdir}
+%{bashcompdir}/pip2
+%if 0%{?bashcomp2}
+%{bashcompdir}/pip2*
+%{bashcompdir}/pip-2*
+%dir %(dirname %{bashcompdir})
+%endif
+
+%if %{with doc}
+%files doc
+%license LICENSE.txt
+%doc README.rst
+%doc docs/_build/html
+%endif # with doc
+
+%if %{without bootstrap}
+%files -n python2-pip-wheel
+%license LICENSE.txt
+# we own the dir for simplicity
+%dir %{python2_wheeldir}/
+%{python2_wheeldir}/%{python2_wheelname}
+%endif
+
+%changelog
+* Mon Mar 16 2020 Charalampos Stratakis <cstratak@redhat.com> - 9.0.3-17
+- Remove unused CA bundle from the bundled requests library
+Resolves: rhbz#1775194
+
+* Tue Jan 14 2020 Lumír Balhar <lbalhar@redhat.com> - 9.0.3-16
+- Add four new patches for CVEs in bundled urllib3 and requests
+CVE-2018-20060, CVE-2019-11236, CVE-2019-11324, CVE-2018-18074
+Resolves: rhbz#1649153
+Resolves: rhbz#1700824
+Resolves: rhbz#1702473
+Resolves: rhbz#1643829
+
+* Thu Oct 24 2019 Charalampos Stratakis <cstratak@redhat.com> - 9.0.3-15
+- Use the system level root certificate instead of the one bundled in certifi
+Resolves: rhbz#1659551
+
+* Tue Jun 18 2019 Charalampos Stratakis <cstratak@redhat.com> - 9.0.3-14
+- Create the python-pip-wheel subpackage
+Resolves: rhbz#1659551
+
+* Thu Apr 25 2019 Tomas Orsava <torsava@redhat.com> - 9.0.3-13
+- Bumping due to problems with modular RPM upgrade path
+- Resolves: rhbz#1695587
+
+* Mon Dec 10 2018 Tomas Orsava <torsava@redhat.com> - 9.0.3-12
+- Do not show the "new version of pip" warning outside of venv
+- Resolves: rhbz#1656171
+
+* Tue Dec 04 2018 Lumír Balhar <lbalhar@redhat.com> - 9.0.3-11
+- Use pregenerated manpage for pip2 when building without doc
+- Resolves: rhbz#1655587
+
+* Wed Aug 29 2018 Tomas Orsava <torsava@redhat.com> - 9.0.3-10
+- Separate the python2-pip subpackage into its own component
+- Related: rhbz#1628242
+
+* Wed Aug 29 2018 Lumír Balhar <lbalhar@redhat.com> - 9.0.3-9
+- Fix bash completion bug when python3 is disabled
+- Resolves: rhbz#1615727
+
+* Wed Aug 15 2018 Lumír Balhar <lbalhar@redhat.com> - 9.0.3-8
+- Remove files without full version suffix
+- Resolves: rhbz#1615727
+
+* Wed Aug 08 2018 Lumír Balhar <lbalhar@redhat.com> - 9.0.3-7
+- Remove unversioned binaries from python2 subpackage
+- Resolves: rhbz#1613343
+
+* Tue Aug 07 2018 Lumír Balhar <lbalhar@redhat.com> - 9.0.3-6
+- Fix python3/doc condition
+- Do not build doc in python27 module
+
+* Mon Aug 06 2018 Lumír Balhar <lbalhar@redhat.com> - 9.0.3-5
+- Build python3-pip in python27 module
+
+* Mon Aug 06 2018 Charalampos Stratakis <cstratak@redhat.com> - 9.0.3-4
+- Correct license information
+
+* Tue Jul 03 2018 Tomas Orsava <torsava@redhat.com> - 9.0.3-3
+- This package might be built with the non-modular python2 package from RHEL8
+  buildroot and thus we need to enable it
+
+* Mon Jun 25 2018 Tomas Orsava <torsava@redhat.com> - 9.0.3-2
+- Rebuild for the python27 module
+
+* Thu Mar 29 2018 Charalampos Stratakis <cstratak@redhat.com> - 9.0.3-1
+- Update to 9.0.3
+
+* Wed Feb 21 2018 Lumír Balhar <lbalhar@redhat.com> - 9.0.1-16
+- Include built HTML documentation (in the new -doc subpackage) and man page
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 9.0.1-15
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Mon Dec 04 2017 Charalampos Stratakis <cstratak@redhat.com> - 9.0.1-14
+- Reintroduce the ipaddress module in the python3 subpackage.
+
+* Mon Nov 20 2017 Charalampos Stratakis <cstratak@redhat.com> - 9.0.1-13
+- Add virtual provides for the bundled libraries. (rhbz#1096912)
+
+* Tue Aug 29 2017 Tomas Orsava <torsava@redhat.com> - 9.0.1-12
+- Switch macros to bcond's and make Python 2 optional to facilitate building
+  the Python 2 and Python 3 modules
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 9.0.1-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Tue May 23 2017 Tomas Orsava <torsava@redhat.com> - 9.0.1-10
+- Modernized package descriptions
+Resolves: rhbz#1452568
+
+* Tue Mar 21 2017 Tomas Orsava <torsava@redhat.com> - 9.0.1-9
+- Fix typo in the sudo pip warning
+
+* Fri Mar 03 2017 Tomas Orsava <torsava@redhat.com> - 9.0.1-8
+- Patch 1 update: No sudo pip warning in venv or virtualenv
+
+* Thu Feb 23 2017 Tomas Orsava <torsava@redhat.com> - 9.0.1-7
+- Patch 1 update: Customize the warning with the proper version of the pip
+  command
+
+* Tue Feb 14 2017 Tomas Orsava <torsava@redhat.com> - 9.0.1-6
+- Added patch 1: Emit a warning when running with root privileges
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 9.0.1-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Mon Jan 02 2017 Tomas Orsava <torsava@redhat.com> - 9.0.1-4
+- Provide symlinks to executables to comply with Fedora guidelines for Python
+Resolves: rhbz#1406922
+
+* Fri Dec 09 2016 Charalampos Stratakis <cstratak@redhat.com> - 9.0.1-3
+- Rebuild for Python 3.6 with wheel
+
+* Fri Dec 09 2016 Charalampos Stratakis <cstratak@redhat.com> - 9.0.1-2
+- Rebuild for Python 3.6 without wheel
+
+* Fri Nov 18 2016 Orion Poplawski <orion@cora.nwra.com> - 9.0.1-1
+- Update to 9.0.1
+
+* Fri Nov 18 2016 Orion Poplawski <orion@cora.nwra.com> - 8.1.2-5
+- Enable EPEL Python 3 builds
+- Use new python macros
+- Cleanup spec
+
+* Fri Aug 05 2016 Tomas Orsava <torsava@redhat.com> - 8.1.2-4
+- Updated the test sources
+
+* Fri Aug 05 2016 Tomas Orsava <torsava@redhat.com> - 8.1.2-3
+- Moved python-pip into the python2-pip subpackage
+- Added the python_provide macro
+
+* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 8.1.2-2
+- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
+
+* Tue May 17 2016 Tomas Orsava <torsava@redhat.com> - 8.1.2-1
+- Update to 8.1.2
+- Moved to a new PyPI URL format
+- Updated the prefix-stripping patch because of upstream changes in pip/wheel.py
+
+* Mon Feb 22 2016 Slavek Kabrda <bkabrda@redhat.com> - 8.0.2-1
+- Update to 8.0.2
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 7.1.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Oct 14 2015 Robert Kuska <rkuska@redhat.com> - 7.1.0-3
+- Rebuilt for Python3.5 rebuild
+- With wheel set to 1
+
+* Tue Oct 13 2015 Robert Kuska <rkuska@redhat.com> - 7.1.0-2
+- Rebuilt for Python3.5 rebuild
+
+* Wed Jul 01 2015 Slavek Kabrda <bkabrda@redhat.com> - 7.1.0-1
+- Update to 7.1.0
+
+* Tue Jun 30 2015 Ville Skyttä <ville.skytta@iki.fi> - 7.0.3-3
+- Install bash completion
+- Ship LICENSE.txt as %%license where available
+
+* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 7.0.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Thu Jun 04 2015 Matej Stuchlik <mstuchli@redhat.com> - 7.0.3-1
+- Update to 7.0.3
+
+* Fri Mar 06 2015 Matej Stuchlik <mstuchli@redhat.com> - 6.0.8-1
+- Update to 6.0.8
+
+* Thu Dec 18 2014 Slavek Kabrda <bkabrda@redhat.com> - 1.5.6-5
+- Only enable tests on Fedora.
+
+* Mon Dec 01 2014 Matej Stuchlik <mstuchli@redhat.com> - 1.5.6-4
+- Add tests
+- Add patch skipping tests requiring Internet access
+
+* Tue Nov 18 2014 Matej Stuchlik <mstuchli@redhat.com> - 1.5.6-3
+- Added patch for local dos with predictable temp dictionary names
+  (http://seclists.org/oss-sec/2014/q4/655)
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.5.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Sun May 25 2014 Matej Stuchlik <mstuchli@redhat.com> - 1.5.6-1
+- Update to 1.5.6
+
+* Fri Apr 25 2014 Matej Stuchlik <mstuchli@redhat.com> - 1.5.4-4
+- Rebuild as wheel for Python 3.4
+
+* Thu Apr 24 2014 Matej Stuchlik <mstuchli@redhat.com> - 1.5.4-3
+- Disable build_wheel
+
+* Thu Apr 24 2014 Matej Stuchlik <mstuchli@redhat.com> - 1.5.4-2
+- Rebuild as wheel for Python 3.4
+
+* Mon Apr 07 2014 Matej Stuchlik <mstuchli@redhat.com> - 1.5.4-1
+- Updated to 1.5.4
+
+* Mon Oct 14 2013 Tim Flink <tflink@fedoraproject.org> - 1.4.1-1
+- Removed patch for CVE 2013-2099 as it has been included in the upstream 1.4.1 release
+- Updated version to 1.4.1
+
+* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.1-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Tue Jul 16 2013 Toshio Kuratomi <toshio@fedoraproject.org> - 1.3.1-4
+- Fix for CVE 2013-2099
+
+* Thu May 23 2013 Tim Flink <tflink@fedoraproject.org> - 1.3.1-3
+- undo python2 executable rename to python-pip. fixes #958377
+- fix summary to match upstream
+
+* Mon May 06 2013 Kevin Kofler <Kevin@tigcc.ticalc.org> - 1.3.1-2
+- Fix main package Summary, it's for Python 2, not 3 (#877401)
+
+* Fri Apr 26 2013 Jon Ciesla <limburgher@gmail.com> - 1.3.1-1
+- Update to 1.3.1, fix for CVE-2013-1888.
+
+* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Tue Oct 09 2012 Tim Flink <tflink@fedoraproject.org> - 1.2.1-2
+- Fixing files for python3-pip
+
+* Thu Oct 04 2012 Tim Flink <tflink@fedoraproject.org> - 1.2.1-1
+- Update to upstream 1.2.1
+- Change binary from pip-python to python-pip (RHBZ#855495)
+- Add alias from python-pip to pip-python, to be removed at a later date
+
+* Tue May 15 2012 Tim Flink <tflink@fedoraproject.org> - 1.1.0-1
+- Update to upstream 1.1.0
+
+* Sat Jan 14 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Sat Oct 22 2011 Tim Flink <tflink@fedoraproject.org> - 1.0.2-1
+- update to 1.0.2 and added python3 subpackage
+
+* Wed Jun 22 2011 Tim Flink <tflink@fedoraproject.org> - 0.8.3-1
+- update to 0.8.3 and project home page
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Mon Dec 20 2010 Luke Macken <lmacken@redhat.com> - 0.8.2-1
+- update to 0.8.2 of pip
+* Mon Aug 30 2010 Peter Halliday <phalliday@excelsiorsystems.net> - 0.8-1
+- update to 0.8 of pip
+* Thu Jul 22 2010 David Malcolm <dmalcolm@redhat.com> - 0.7.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild
+
+* Wed Jul 7 2010 Peter Halliday <phalliday@excelsiorsystems.net> - 0.7.2-1
+- update to 0.7.2 of pip
+* Sun May 23 2010 Peter Halliday <phalliday@excelsiorsystems.net> - 0.7.1-1
+- update to 0.7.1 of pip
+* Fri Jan 1 2010 Peter Halliday <phalliday@excelsiorsystems.net> - 0.6.1.4
+- fix dependency issue
+* Fri Dec 18 2009 Peter Halliday <phalliday@excelsiorsystems.net> - 0.6.1-2
+- fix spec file 
+* Thu Dec 17 2009 Peter Halliday <phalliday@excelsiorsystems.net> - 0.6.1-1
+- upgrade to 0.6.1 of pip
+* Mon Aug 31 2009 Peter Halliday <phalliday@excelsiorsystems.net> - 0.4-1
+- Initial package
+