.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -1 +1,3 @@
-SOURCES/Python-3.12.1.tar.xz
+/*.tar.*
+/*.src.rpm
+/results_python3*

.python3.12.metadata

@@ -1 +0,0 @@
-5b11c58ea58cd6b8e1943c7e9b5f6e0997ca3632 SOURCES/Python-3.12.1.tar.xz

00251-change-user-install-location.patch

@@ -30,10 +30,10 @@ Co-authored-by: Lumír Balhar <frenzy.madness@gmail.com>
  3 files changed, 71 insertions(+), 4 deletions(-)
 
 diff --git a/Lib/site.py b/Lib/site.py
-index 672fa7b000..0a9c5be53e 100644
+index aed254ad50..568dbdb945 100644
 --- a/Lib/site.py
 +++ b/Lib/site.py
-@@ -377,8 +377,15 @@ def getsitepackages(prefixes=None):
+@@ -398,8 +398,15 @@ def getsitepackages(prefixes=None):
      return sitepackages
  
  def addsitepackages(known_paths, prefixes=None):
@@ -51,7 +51,7 @@ index 672fa7b000..0a9c5be53e 100644
          if os.path.isdir(sitedir):
              addsitedir(sitedir, known_paths)
 diff --git a/Lib/sysconfig.py b/Lib/sysconfig.py
-index 122d441bd1..2d354a11da 100644
+index acc8d4d182..6355669f62 100644
 --- a/Lib/sysconfig.py
 +++ b/Lib/sysconfig.py
 @@ -104,6 +104,11 @@
@@ -86,7 +86,7 @@ index 122d441bd1..2d354a11da 100644
  _SCHEME_KEYS = ('stdlib', 'platstdlib', 'purelib', 'platlib', 'include',
                  'scripts', 'data')
  
-@@ -263,11 +281,40 @@ def _extend_dict(target_dict, other_dict):
+@@ -268,11 +286,40 @@ def _extend_dict(target_dict, other_dict):
          target_dict[key] = value
  
  
@@ -119,7 +119,7 @@ index 122d441bd1..2d354a11da 100644
 +    # we only change the defaults here, so explicit --prefix will take precedence
 +    # https://fedoraproject.org/wiki/Changes/Making_sudo_pip_safe
 +    if (scheme == 'posix_prefix' and
-+        _PREFIX == '/usr' and
++        sys.prefix == '/usr' and
 +        'RPM_BUILD_ROOT' not in os.environ):
 +            _extend_dict(vars, _config_vars_local())
 +    else:
@@ -129,10 +129,10 @@ index 122d441bd1..2d354a11da 100644
          # On Windows we want to substitute 'lib' for schemes rather
          # than the native value (without modifying vars, in case it
 diff --git a/Lib/test/test_sysconfig.py b/Lib/test/test_sysconfig.py
-index b6dbf3d52c..4f06a7673c 100644
+index 67647e1b78..7baddaa9d6 100644
 --- a/Lib/test/test_sysconfig.py
 +++ b/Lib/test/test_sysconfig.py
-@@ -110,8 +110,19 @@ def test_get_path(self):
+@@ -119,8 +119,19 @@ def test_get_path(self):
          for scheme in _INSTALL_SCHEMES:
              for name in _INSTALL_SCHEMES[scheme]:
                  expected = _INSTALL_SCHEMES[scheme][name].format(**config_vars)
@@ -153,7 +153,7 @@ index b6dbf3d52c..4f06a7673c 100644
                      os.path.normpath(expected),
                  )
  
-@@ -335,7 +346,7 @@ def test_get_config_h_filename(self):
+@@ -353,7 +364,7 @@ def test_get_config_h_filename(self):
          self.assertTrue(os.path.isfile(config_h), config_h)
  
      def test_get_scheme_names(self):
@@ -162,7 +162,7 @@ index b6dbf3d52c..4f06a7673c 100644
          if HAS_USER_BASE:
              wanted.extend(['nt_user', 'osx_framework_user', 'posix_user'])
          self.assertEqual(get_scheme_names(), tuple(sorted(wanted)))
-@@ -347,6 +358,8 @@ def test_symlink(self): # Issue 7880
+@@ -365,6 +376,8 @@ def test_symlink(self): # Issue 7880
              cmd = "-c", "import sysconfig; print(sysconfig.get_platform())"
              self.assertEqual(py.call_real(*cmd), py.call_link(*cmd))
  

00329-fips.patch

@@ -1,7 +1,7 @@
-From 5cedde59cde3f05af798a7cb5bc722cb0deb4835 Mon Sep 17 00:00:00 2001
+From 11deb3112bd90bc2dce2fcd4a1f5975c08b91360 Mon Sep 17 00:00:00 2001
 From: Charalampos Stratakis <cstratak@redhat.com>
 Date: Thu, 12 Dec 2019 16:58:31 +0100
-Subject: [PATCH 1/6] Expose blake2b and blake2s hashes from OpenSSL
+Subject: [PATCH 1/5] Expose blake2b and blake2s hashes from OpenSSL
 
 These aren't as powerful as Python's own implementation, but they can be
 used under FIPS.
@@ -29,10 +29,10 @@ index 73d758a..5921360 100644
              computed = m.hexdigest() if not shake else m.hexdigest(length)
              self.assertEqual(
 diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
-index af6d1b2..980712f 100644
+index 2998820..b96001e 100644
 --- a/Modules/_hashopenssl.c
 +++ b/Modules/_hashopenssl.c
-@@ -1079,6 +1079,41 @@ _hashlib_openssl_sha512_impl(PyObject *module, PyObject *data_obj,
+@@ -1128,6 +1128,41 @@ _hashlib_openssl_sha512_impl(PyObject *module, PyObject *data_obj,
  }
  
  
@@ -74,7 +74,7 @@ index af6d1b2..980712f 100644
  #ifdef PY_OPENSSL_HAS_SHA3
  
  /*[clinic input]
-@@ -2067,6 +2102,8 @@ static struct PyMethodDef EVP_functions[] = {
+@@ -2116,6 +2151,8 @@ static struct PyMethodDef EVP_functions[] = {
      _HASHLIB_OPENSSL_SHA256_METHODDEF
      _HASHLIB_OPENSSL_SHA384_METHODDEF
      _HASHLIB_OPENSSL_SHA512_METHODDEF
@@ -84,7 +84,7 @@ index af6d1b2..980712f 100644
      _HASHLIB_OPENSSL_SHA3_256_METHODDEF
      _HASHLIB_OPENSSL_SHA3_384_METHODDEF
 diff --git a/Modules/clinic/_hashopenssl.c.h b/Modules/clinic/_hashopenssl.c.h
-index fb61a44..1e42b87 100644
+index 84e2346..7fe03a3 100644
 --- a/Modules/clinic/_hashopenssl.c.h
 +++ b/Modules/clinic/_hashopenssl.c.h
 @@ -743,6 +743,156 @@ exit:
@@ -248,16 +248,16 @@ index fb61a44..1e42b87 100644
  #ifndef _HASHLIB_SCRYPT_METHODDEF
      #define _HASHLIB_SCRYPT_METHODDEF
  #endif /* !defined(_HASHLIB_SCRYPT_METHODDEF) */
--/*[clinic end generated code: output=b339e255db698147 input=a9049054013a1b77]*/
+-/*[clinic end generated code: output=4734184f6555dc95 input=a9049054013a1b77]*/
-+/*[clinic end generated code: output=1d988d457a8beebe input=a9049054013a1b77]*/
++/*[clinic end generated code: output=f0bfddb963a21208 input=a9049054013a1b77]*/
 -- 
-2.43.0
+2.47.1
 
 
-From 2a12baa9e201f54560ec99ad5ee1fa5b0006aa39 Mon Sep 17 00:00:00 2001
+From ea9d5c84e25b5c04c2823e1edee4354dd6b2b7a5 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <pviktori@redhat.com>
 Date: Thu, 25 Jul 2019 17:19:06 +0200
-Subject: [PATCH 2/6] Disable Python's hash implementations in FIPS mode,
+Subject: [PATCH 2/5] Disable Python's hash implementations in FIPS mode,
  forcing OpenSSL
 
 ---
@@ -445,10 +445,10 @@ index a8bad9d..1b1d937 100644
 +    if (_Py_hashlib_fips_error(exc, name)) return NULL; \
 +} while (0)
 diff --git a/configure.ac b/configure.ac
-index 1876f77..1875d1e 100644
+index 9270b5f..a9eb2c9 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -7439,7 +7439,8 @@ PY_STDLIB_MOD([_sha2],
+@@ -7482,7 +7482,8 @@ PY_STDLIB_MOD([_sha2],
  PY_STDLIB_MOD([_sha3], [test "$with_builtin_sha3" = yes])
  PY_STDLIB_MOD([_blake2],
    [test "$with_builtin_blake2" = yes], [],
@@ -459,13 +459,13 @@ index 1876f77..1875d1e 100644
  PY_STDLIB_MOD([_crypt],
    [], [test "$ac_cv_crypt_crypt" = yes],
 -- 
-2.43.0
+2.47.1
 
 
-From bca05b7fdb8dcab21ef80db1d59dd5daa835d84b Mon Sep 17 00:00:00 2001
+From 29a7b7ac9e18a501ed78bde7a449b90c57d44e24 Mon Sep 17 00:00:00 2001
 From: Charalampos Stratakis <cstratak@redhat.com>
 Date: Fri, 29 Jan 2021 14:16:21 +0100
-Subject: [PATCH 3/6] Use python's fall back crypto implementations only if we
+Subject: [PATCH 3/5] Use python's fall back crypto implementations only if we
  are not in FIPS mode
 
 ---
@@ -552,13 +552,13 @@ index dd61a9a..6031b02 100644
          get_builtin_constructor = getattr(hashlib,
                                            '__get_builtin_constructor')
 -- 
-2.43.0
+2.47.1
 
 
-From c9a79f0aafd28677e3e0b8a1f6410105a71ff071 Mon Sep 17 00:00:00 2001
+From 59accf544492400c9fd32a8e682fb6f2206e932e Mon Sep 17 00:00:00 2001
 From: Charalampos Stratakis <cstratak@redhat.com>
 Date: Wed, 31 Jul 2019 15:43:43 +0200
-Subject: [PATCH 4/6] Test equivalence of hashes for the various digests with
+Subject: [PATCH 4/5] Test equivalence of hashes for the various digests with
  usedforsecurity=True/False
 
 ---
@@ -712,21 +712,21 @@ index 6031b02..5bd5297 100644
  class KDFTests(unittest.TestCase):
  
 -- 
-2.43.0
+2.47.1
 
 
-From e972a838729ea84a0f2e0ca8e88ae1bfc129e7d8 Mon Sep 17 00:00:00 2001
+From 21efadd8b488956482bdc6ccd91c37dcef705129 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <pviktori@redhat.com>
 Date: Mon, 26 Aug 2019 19:39:48 +0200
-Subject: [PATCH 5/6] Guard against Python HMAC in FIPS mode
+Subject: [PATCH 5/5] Guard against Python HMAC in FIPS mode
 
 ---
- Lib/hmac.py           | 13 +++++++++----
+ Lib/hmac.py           | 12 +++++++++---
  Lib/test/test_hmac.py | 10 ++++++++++
- 2 files changed, 19 insertions(+), 4 deletions(-)
+ 2 files changed, 19 insertions(+), 3 deletions(-)
 
 diff --git a/Lib/hmac.py b/Lib/hmac.py
-index 8b4f920..20ef96c 100644
+index 8b4eb2f..8930bda 100644
 --- a/Lib/hmac.py
 +++ b/Lib/hmac.py
 @@ -16,8 +16,9 @@ else:
@@ -741,16 +741,9 @@ index 8b4f920..20ef96c 100644
  
  # The size of the digests returned by HMAC depends on the underlying
  # hashing module used.  Use digest_size from the instance of HMAC instead.
-@@ -48,17 +49,18 @@ class HMAC:
+@@ -55,10 +56,12 @@ class HMAC:
-                    msg argument.  Passing it as a keyword argument is
-                    recommended, though not required for legacy API reasons.
-         """
--
-         if not isinstance(key, (bytes, bytearray)):
-             raise TypeError("key: expected bytes or bytearray, but got %r" % type(key).__name__)
- 
          if not digestmod:
-             raise TypeError("Missing required parameter 'digestmod'.")
+             raise TypeError("Missing required argument 'digestmod'.")
  
 -        if _hashopenssl and isinstance(digestmod, (str, _functype)):
 +        if _hashopenssl.get_fips_mode() or (_hashopenssl and isinstance(digestmod, (str, _functype))):
@@ -762,7 +755,7 @@ index 8b4f920..20ef96c 100644
                  self._init_old(key, msg, digestmod)
          else:
              self._init_old(key, msg, digestmod)
-@@ -69,6 +71,9 @@ class HMAC:
+@@ -69,6 +72,9 @@ class HMAC:
          self.block_size = self._hmac.block_size
  
      def _init_old(self, key, msg, digestmod):
@@ -773,7 +766,7 @@ index 8b4f920..20ef96c 100644
              digest_cons = digestmod
          elif isinstance(digestmod, str):
 diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py
-index a39a2c4..b7b24ab 100644
+index 1502fba..7997073 100644
 --- a/Lib/test/test_hmac.py
 +++ b/Lib/test/test_hmac.py
 @@ -5,6 +5,7 @@ import hashlib
@@ -812,7 +805,7 @@ index a39a2c4..b7b24ab 100644
      @unittest.skipUnless(sha256_module is not None, 'need _sha256')
      def test_with_sha256_module(self):
          h = hmac.HMAC(b"key", b"hash this!", digestmod=sha256_module.sha256)
-@@ -481,6 +489,7 @@ class SanityTestCase(unittest.TestCase):
+@@ -489,6 +497,7 @@ class UpdateTestCase(unittest.TestCase):
  
  class CopyTestCase(unittest.TestCase):
  
@@ -820,7 +813,7 @@ index a39a2c4..b7b24ab 100644
      @hashlib_helper.requires_hashdigest('sha256')
      def test_attributes_old(self):
          # Testing if attributes are of same type.
-@@ -492,6 +501,7 @@ class CopyTestCase(unittest.TestCase):
+@@ -500,6 +509,7 @@ class CopyTestCase(unittest.TestCase):
          self.assertEqual(type(h1._outer), type(h2._outer),
              "Types of outer don't match.")
  
@@ -829,270 +822,5 @@ index a39a2c4..b7b24ab 100644
      def test_realcopy_old(self):
          # Testing if the copy method created a real copy.
 -- 
-2.43.0
+2.47.1
-
-
-From b12202196a78b877dcd32cfea273051b60038a41 Mon Sep 17 00:00:00 2001
-From: Petr Viktorin <encukou@gmail.com>
-Date: Wed, 25 Aug 2021 16:44:43 +0200
-Subject: [PATCH 6/6] Disable hash-based PYCs in FIPS mode
-
-If FIPS mode is on, we can't use siphash-based HMAC
-(_Py_KeyedHash), so:
-
-- Unchecked hash PYCs can be imported, but not created
-- Checked hash PYCs can not be imported nor created
-- The default mode is timestamp-based PYCs, even if
-  SOURCE_DATE_EPOCH is set.
-
-If FIPS mode is off, there are no changes in behavior.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1835169
----
- Lib/py_compile.py                             |  4 +++-
- Lib/test/support/__init__.py                  | 14 +++++++++++++
- Lib/test/test_cmd_line_script.py              |  2 ++
- Lib/test/test_compileall.py                   | 11 +++++++++-
- .../test_importlib/source/test_file_loader.py |  6 ++++++
- Lib/test/test_py_compile.py                   | 11 ++++++++--
- Lib/test/test_zipimport.py                    |  2 ++
- Python/import.c                               | 20 +++++++++++++++++++
- 8 files changed, 66 insertions(+), 4 deletions(-)
-
-diff --git a/Lib/py_compile.py b/Lib/py_compile.py
-index 388614e..fd9a139 100644
---- a/Lib/py_compile.py
-+++ b/Lib/py_compile.py
-@@ -70,7 +70,9 @@ class PycInvalidationMode(enum.Enum):
- 
- 
- def _get_default_invalidation_mode():
--    if os.environ.get('SOURCE_DATE_EPOCH'):
-+    import _hashlib
-+    if (os.environ.get('SOURCE_DATE_EPOCH') and not
-+          _hashlib.get_fips_mode()):
-         return PycInvalidationMode.CHECKED_HASH
-     else:
-         return PycInvalidationMode.TIMESTAMP
-diff --git a/Lib/test/support/__init__.py b/Lib/test/support/__init__.py
-index fd9265c..fcd1ea7 100644
---- a/Lib/test/support/__init__.py
-+++ b/Lib/test/support/__init__.py
-@@ -2346,6 +2346,20 @@ def sleeping_retry(timeout, err_msg=None, /,
-         delay = min(delay * 2, max_delay)
- 
- 
-+def fails_in_fips_mode(expected_error):
-+    import _hashlib
-+    if _hashlib.get_fips_mode():
-+        def _decorator(func):
-+            def _wrapper(self, *args, **kwargs):
-+                with self.assertRaises(expected_error):
-+                    func(self, *args, **kwargs)
-+            return _wrapper
-+    else:
-+        def _decorator(func):
-+            return func
-+    return _decorator
-+
-+
- @contextlib.contextmanager
- def adjust_int_max_str_digits(max_digits):
-     """Temporarily change the integer string conversion length limit."""
-diff --git a/Lib/test/test_cmd_line_script.py b/Lib/test/test_cmd_line_script.py
-index 1b58882..d6caff1 100644
---- a/Lib/test/test_cmd_line_script.py
-+++ b/Lib/test/test_cmd_line_script.py
-@@ -286,6 +286,7 @@ class CmdLineTest(unittest.TestCase):
-             self._check_script(zip_name, run_name, zip_name, zip_name, '',
-                                zipimport.zipimporter)
- 
-+    @support.fails_in_fips_mode(ImportError)
-     def test_zipfile_compiled_checked_hash(self):
-         with os_helper.temp_dir() as script_dir:
-             script_name = _make_test_script(script_dir, '__main__')
-@@ -296,6 +297,7 @@ class CmdLineTest(unittest.TestCase):
-             self._check_script(zip_name, run_name, zip_name, zip_name, '',
-                                zipimport.zipimporter)
- 
-+    @support.fails_in_fips_mode(ImportError)
-     def test_zipfile_compiled_unchecked_hash(self):
-         with os_helper.temp_dir() as script_dir:
-             script_name = _make_test_script(script_dir, '__main__')
-diff --git a/Lib/test/test_compileall.py b/Lib/test/test_compileall.py
-index 9cd92ad..4ec29a1 100644
---- a/Lib/test/test_compileall.py
-+++ b/Lib/test/test_compileall.py
-@@ -806,14 +806,23 @@ class CommandLineTestsBase:
-         out = self.assertRunOK('badfilename')
-         self.assertRegex(out, b"Can't list 'badfilename'")
- 
--    def test_pyc_invalidation_mode(self):
-+    @support.fails_in_fips_mode(AssertionError)
-+    def test_pyc_invalidation_mode_checked(self):
-         script_helper.make_script(self.pkgdir, 'f1', '')
-         pyc = importlib.util.cache_from_source(
-             os.path.join(self.pkgdir, 'f1.py'))
-+
-         self.assertRunOK('--invalidation-mode=checked-hash', self.pkgdir)
-         with open(pyc, 'rb') as fp:
-             data = fp.read()
-         self.assertEqual(int.from_bytes(data[4:8], 'little'), 0b11)
-+
-+    @support.fails_in_fips_mode(AssertionError)
-+    def test_pyc_invalidation_mode_unchecked(self):
-+        script_helper.make_script(self.pkgdir, 'f1', '')
-+        pyc = importlib.util.cache_from_source(
-+            os.path.join(self.pkgdir, 'f1.py'))
-+
-         self.assertRunOK('--invalidation-mode=unchecked-hash', self.pkgdir)
-         with open(pyc, 'rb') as fp:
-             data = fp.read()
-diff --git a/Lib/test/test_importlib/source/test_file_loader.py b/Lib/test/test_importlib/source/test_file_loader.py
-index f35adec..62087c6 100644
---- a/Lib/test/test_importlib/source/test_file_loader.py
-+++ b/Lib/test/test_importlib/source/test_file_loader.py
-@@ -16,6 +16,7 @@ import types
- import unittest
- import warnings
- 
-+from test import support
- from test.support.import_helper import make_legacy_pyc, unload
- 
- from test.test_py_compile import without_source_date_epoch
-@@ -237,6 +238,7 @@ class SimpleTest(abc.LoaderTests):
-                 loader.load_module('bad name')
- 
-     @util.writes_bytecode_files
-+    @support.fails_in_fips_mode(ImportError)
-     def test_checked_hash_based_pyc(self):
-         with util.create_modules('_temp') as mapping:
-             source = mapping['_temp']
-@@ -268,6 +270,7 @@ class SimpleTest(abc.LoaderTests):
-             )
- 
-     @util.writes_bytecode_files
-+    @support.fails_in_fips_mode(ImportError)
-     def test_overridden_checked_hash_based_pyc(self):
-         with util.create_modules('_temp') as mapping, \
-              unittest.mock.patch('_imp.check_hash_based_pycs', 'never'):
-@@ -293,6 +296,7 @@ class SimpleTest(abc.LoaderTests):
-             self.assertEqual(mod.state, 'old')
- 
-     @util.writes_bytecode_files
-+    @support.fails_in_fips_mode(ImportError)
-     def test_unchecked_hash_based_pyc(self):
-         with util.create_modules('_temp') as mapping:
-             source = mapping['_temp']
-@@ -323,6 +327,7 @@ class SimpleTest(abc.LoaderTests):
-             )
- 
-     @util.writes_bytecode_files
-+    @support.fails_in_fips_mode(ImportError)
-     def test_overridden_unchecked_hash_based_pyc(self):
-         with util.create_modules('_temp') as mapping, \
-              unittest.mock.patch('_imp.check_hash_based_pycs', 'always'):
-@@ -432,6 +437,7 @@ class BadBytecodeTest:
-                                                del_source=del_source)
-             test('_temp', mapping, bc_path)
- 
-+    @support.fails_in_fips_mode(ImportError)
-     def _test_partial_hash(self, test, *, del_source=False):
-         with util.create_modules('_temp') as mapping:
-             bc_path = self.manipulate_bytecode(
-diff --git a/Lib/test/test_py_compile.py b/Lib/test/test_py_compile.py
-index c4e6551..81fd962 100644
---- a/Lib/test/test_py_compile.py
-+++ b/Lib/test/test_py_compile.py
-@@ -141,13 +141,16 @@ class PyCompileTestsBase:
-             importlib.util.cache_from_source(bad_coding)))
- 
-     def test_source_date_epoch(self):
-+        import _hashlib
-         py_compile.compile(self.source_path, self.pyc_path)
-         self.assertTrue(os.path.exists(self.pyc_path))
-         self.assertFalse(os.path.exists(self.cache_path))
-         with open(self.pyc_path, 'rb') as fp:
-             flags = importlib._bootstrap_external._classify_pyc(
-                 fp.read(), 'test', {})
--        if os.environ.get('SOURCE_DATE_EPOCH'):
-+        if _hashlib.get_fips_mode():
-+            expected_flags = 0b00
-+        elif os.environ.get('SOURCE_DATE_EPOCH'):
-             expected_flags = 0b11
-         else:
-             expected_flags = 0b00
-@@ -178,7 +181,8 @@ class PyCompileTestsBase:
-         # Specifying optimized bytecode should lead to a path reflecting that.
-         self.assertIn('opt-2', py_compile.compile(self.source_path, optimize=2))
- 
--    def test_invalidation_mode(self):
-+    @support.fails_in_fips_mode(ImportError)
-+    def test_invalidation_mode_checked(self):
-         py_compile.compile(
-             self.source_path,
-             invalidation_mode=py_compile.PycInvalidationMode.CHECKED_HASH,
-@@ -187,6 +191,9 @@ class PyCompileTestsBase:
-             flags = importlib._bootstrap_external._classify_pyc(
-                 fp.read(), 'test', {})
-         self.assertEqual(flags, 0b11)
-+
-+    @support.fails_in_fips_mode(ImportError)
-+    def test_invalidation_mode_unchecked(self):
-         py_compile.compile(
-             self.source_path,
-             invalidation_mode=py_compile.PycInvalidationMode.UNCHECKED_HASH,
-diff --git a/Lib/test/test_zipimport.py b/Lib/test/test_zipimport.py
-index 14c1971..bcd1466 100644
---- a/Lib/test/test_zipimport.py
-+++ b/Lib/test/test_zipimport.py
-@@ -190,6 +190,7 @@ class UncompressedZipImportTestCase(ImportHooksBaseTestCase):
-                  TESTMOD + pyc_ext: (NOW, test_pyc)}
-         self.doTest(pyc_ext, files, TESTMOD)
- 
-+    @support.fails_in_fips_mode(ImportError)
-     def testUncheckedHashBasedPyc(self):
-         source = b"state = 'old'"
-         source_hash = importlib.util.source_hash(source)
-@@ -204,6 +205,7 @@ class UncompressedZipImportTestCase(ImportHooksBaseTestCase):
-             self.assertEqual(mod.state, 'old')
-         self.doTest(None, files, TESTMOD, call=check)
- 
-+    @support.fails_in_fips_mode(ImportError)
-     @unittest.mock.patch('_imp.check_hash_based_pycs', 'always')
-     def test_checked_hash_based_change_pyc(self):
-         source = b"state = 'old'"
-diff --git a/Python/import.c b/Python/import.c
-index 54232a1..236786b 100644
---- a/Python/import.c
-+++ b/Python/import.c
-@@ -3829,6 +3829,26 @@ static PyObject *
- _imp_source_hash_impl(PyObject *module, long key, Py_buffer *source)
- /*[clinic end generated code: output=edb292448cf399ea input=9aaad1e590089789]*/
- {
-+    PyObject *_hashlib = PyImport_ImportModule("_hashlib");
-+    if (_hashlib == NULL) {
-+        return NULL;
-+    }
-+    PyObject *fips_mode_obj = PyObject_CallMethod(_hashlib, "get_fips_mode", NULL);
-+    Py_DECREF(_hashlib);
-+    if (fips_mode_obj == NULL) {
-+        return NULL;
-+    }
-+    int fips_mode = PyObject_IsTrue(fips_mode_obj);
-+    Py_DECREF(fips_mode_obj);
-+    if (fips_mode < 0) {
-+        return NULL;
-+    }
-+    if (fips_mode) {
-+        PyErr_SetString(
-+            PyExc_ImportError,
-+            "hash-based PYC validation (siphash24) not available in FIPS mode");
-+        return NULL;
-+    };
-     union {
-         uint64_t x;
-         char data[sizeof(uint64_t)];
--- 
-2.43.0
 

00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch

@@ -16,10 +16,10 @@ https://github.com/GrahamDumpleton/mod_wsgi/issues/730
  2 files changed, 8 insertions(+), 50 deletions(-)
 
 diff --git a/Lib/test/test_threading.py b/Lib/test/test_threading.py
-index 756d5e329f..5d09775efc 100644
+index 75a56f7830..c2509fced1 100644
 --- a/Lib/test/test_threading.py
 +++ b/Lib/test/test_threading.py
-@@ -1007,39 +1007,6 @@ def noop(): pass
+@@ -1100,39 +1100,6 @@ def noop(): pass
              threading.Thread(target=noop).start()
              # Thread.join() is not called
  
@@ -56,14 +56,14 @@ index 756d5e329f..5d09775efc 100644
 -        self.assertEqual(out, b'')
 -        self.assertEqual(err, b'')
 -
-     def test_start_new_thread_at_exit(self):
+     def test_start_new_thread_at_finalization(self):
          code = """if 1:
-             import atexit
+             import _thread
 diff --git a/Lib/threading.py b/Lib/threading.py
-index 8dcaf8ca6a..ed0b0f4632 100644
+index 064c74d40f..9e3abacd42 100644
 --- a/Lib/threading.py
 +++ b/Lib/threading.py
-@@ -1586,29 +1586,20 @@ def _shutdown():
+@@ -1587,29 +1587,20 @@ def _shutdown():
  
      global _SHUTTING_DOWN
      _SHUTTING_DOWN = True

00397-tarfile-filter.patch

@@ -1,19 +1,24 @@
-From 73d2995223c725638d53b9cb8e1d26b82daf0874 Mon Sep 17 00:00:00 2001
+From ddd8064257a1916726b784d43f18e889ea1634f7 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <encukou@gmail.com>
-Date: Mon, 6 Mar 2023 17:24:24 +0100
+Date: Tue, 2 Jul 2024 11:40:37 +0200
 Subject: [PATCH] CVE-2007-4559, PEP-706: Add filters for tarfile extraction
  (downstream)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
 
 Add and test RHEL-specific ways of configuring the default behavior: environment
 variable and config file.
+
+Co-Authored-By: Tomáš Hrnčiar <thrnciar@redhat.com>
 ---
- Lib/tarfile.py           |  47 +++++++++++++--
+ Lib/tarfile.py           |  47 +++++++++++--
  Lib/test/test_shutil.py  |   2 +-
- Lib/test/test_tarfile.py | 123 ++++++++++++++++++++++++++++++++++++++-
+ Lib/test/test_tarfile.py | 147 +++++++++++++++++++++++++++++++++++++--
- 3 files changed, 163 insertions(+), 9 deletions(-)
+ 3 files changed, 185 insertions(+), 11 deletions(-)
 
 diff --git a/Lib/tarfile.py b/Lib/tarfile.py
-index 02f5e3b..f7109f3 100755
+index e1487e3..89b6843 100755
 --- a/Lib/tarfile.py
 +++ b/Lib/tarfile.py
 @@ -71,6 +71,13 @@ __all__ = ["TarFile", "TarInfo", "is_tarfile", "TarError", "ReadError",
@@ -30,7 +35,7 @@ index 02f5e3b..f7109f3 100755
  
  #---------------------------------------------------------
  # tar constants
-@@ -2217,11 +2224,41 @@ class TarFile(object):
+@@ -2218,11 +2225,41 @@ class TarFile(object):
          if filter is None:
              filter = self.extraction_filter
              if filter is None:
@@ -38,7 +43,7 @@ index 02f5e3b..f7109f3 100755
 -                    'Python 3.14 will, by default, filter extracted tar '
 -                    + 'archives and reject files or modify their metadata. '
 -                    + 'Use the filter argument to control this behavior.',
--                    DeprecationWarning)
+-                    DeprecationWarning, stacklevel=3)
 +                name = os.environ.get('PYTHON_TARFILE_EXTRACTION_FILTER')
 +                if name is None:
 +                    try:
@@ -72,16 +77,16 @@ index 02f5e3b..f7109f3 100755
 +                        + 'and some mode bits are cleared. '
 +                        + 'See https://access.redhat.com/articles/7004769 '
 +                        + 'for more details.',
-+                        RuntimeWarning)
++                        RuntimeWarning, stacklevel=3)
 +                    return tar_filter
                  return fully_trusted_filter
              if isinstance(filter, str):
                  raise TypeError(
 diff --git a/Lib/test/test_shutil.py b/Lib/test/test_shutil.py
-index 5fd8fb4..501da8f 100644
+index 7bc5d12..88b4bdb 100644
 --- a/Lib/test/test_shutil.py
 +++ b/Lib/test/test_shutil.py
-@@ -1950,7 +1950,7 @@ class TestArchives(BaseTest, unittest.TestCase):
+@@ -2096,7 +2096,7 @@ class TestArchives(BaseTest, unittest.TestCase):
          self.check_unpack_archive(format, filter='fully_trusted')
          self.check_unpack_archive(format, filter='data')
          with warnings_helper.check_warnings(
@@ -91,10 +96,48 @@ index 5fd8fb4..501da8f 100644
  
      def test_unpack_archive_tar(self):
 diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
-index c5fc76d..397e334 100644
+index 3fbd25e..9aa727e 100644
 --- a/Lib/test/test_tarfile.py
 +++ b/Lib/test/test_tarfile.py
-@@ -3097,8 +3097,8 @@ class NoneInfoExtractTests(ReadTest):
+@@ -727,7 +727,17 @@ class MiscReadTestBase(CommonReadTest):
+             tarfile.open(tarname, encoding="iso8859-1") as tar
+         ):
+             directories = [t for t in tar if t.isdir()]
+-            with self.assertWarnsRegex(DeprecationWarning, "Use the filter argument") as cm:
++            with self.assertWarnsRegex(
++                RuntimeWarning,
++                re.escape(
++                    'The default behavior of tarfile extraction has been '
++                    'changed to disallow common exploits '
++                    '(including CVE-2007-4559). '
++                    'By default, absolute/parent paths are disallowed '
++                    'and some mode bits are cleared. '
++                    'See https://access.redhat.com/articles/7004769 '
++                    'for more details.'
++                )) as cm:
+                 tar.extractall(DIR, directories)
+             # check that the stacklevel of the deprecation warning is correct:
+             self.assertEqual(cm.filename, __file__)
+@@ -740,7 +750,17 @@ class MiscReadTestBase(CommonReadTest):
+             tarfile.open(tarname, encoding="iso8859-1") as tar
+         ):
+             tarinfo = tar.getmember(dirtype)
+-            with self.assertWarnsRegex(DeprecationWarning, "Use the filter argument") as cm:
++            with self.assertWarnsRegex(
++                RuntimeWarning,
++                re.escape(
++                    'The default behavior of tarfile extraction has been '
++                    'changed to disallow common exploits '
++                    '(including CVE-2007-4559). '
++                    'By default, absolute/parent paths are disallowed '
++                    'and some mode bits are cleared. '
++                    'See https://access.redhat.com/articles/7004769 '
++                    'for more details.'
++                )) as cm:
+                 tar.extract(tarinfo, path=DIR)
+             # check that the stacklevel of the deprecation warning is correct:
+             self.assertEqual(cm.filename, __file__)
+@@ -3144,8 +3164,8 @@ class NoneInfoExtractTests(ReadTest):
          tar.errorlevel = 0
          with ExitStack() as cm:
              if cls.extraction_filter is None:
@@ -105,7 +148,7 @@ index c5fc76d..397e334 100644
              tar.extractall(cls.control_dir, filter=cls.extraction_filter)
          tar.close()
          cls.control_paths = set(
-@@ -3919,7 +3919,7 @@ class TestExtractionFilters(unittest.TestCase):
+@@ -3966,7 +3986,7 @@ class TestExtractionFilters(unittest.TestCase):
          with ArchiveMaker() as arc:
              arc.add('foo')
          with warnings_helper.check_warnings(
@@ -114,7 +157,7 @@ index c5fc76d..397e334 100644
              with self.check_context(arc.open(), None):
                  self.expect_file('foo')
  
-@@ -4089,6 +4089,123 @@ class TestExtractionFilters(unittest.TestCase):
+@@ -4136,6 +4156,123 @@ class TestExtractionFilters(unittest.TestCase):
              self.expect_exception(TypeError)  # errorlevel is not int
  
  
@@ -235,9 +278,9 @@ index c5fc76d..397e334 100644
 +                self.check_trusted_default(tar, tempdir)
 +
 +
- def setUpModule():
+ class OverwriteTests(archiver_tests.OverwriteTests, unittest.TestCase):
-     os_helper.unlink(TEMPDIR)
+     testdir = os.path.join(TEMPDIR, "testoverwrite")
-     os.makedirs(TEMPDIR)
+ 
 -- 
-2.43.0
+2.44.0
 

00462-fix-pyssl_seterror-handling-ssl_error_syscall.patch

@@ -0,0 +1,196 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: yevgeny hong <hongyevgeny@gmail.com>
+Date: Tue, 26 Mar 2024 16:45:43 +0900
+Subject: 00462: Fix PySSL_SetError handling SSL_ERROR_SYSCALL
+
+Python 3.10 changed from using SSL_write() and SSL_read() to SSL_write_ex() and
+SSL_read_ex(), but did not update handling of the return value.
+
+Change error handling so that the return value is not examined.
+OSError (not EOF) is now returned when retval is 0.
+
+This resolves the issue of failing tests when a system is
+stressed on OpenSSL 3.5.
+
+Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
+Co-authored-by: Petr Viktorin <encukou@gmail.com>
+---
+ Lib/test/test_ssl.py                          | 28 ++++++-----
+ ...-02-18-09-50-31.gh-issue-115627.HGchj0.rst |  2 +
+ Modules/_ssl.c                                | 48 +++++++------------
+ 3 files changed, 35 insertions(+), 43 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2024-02-18-09-50-31.gh-issue-115627.HGchj0.rst
+
+diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
+index b13e37d0cd..daeb8cba74 100644
+--- a/Lib/test/test_ssl.py
++++ b/Lib/test/test_ssl.py
+@@ -2427,16 +2427,18 @@ def run(self):
+                         self.write(msg.lower())
+                 except OSError as e:
+                     # handles SSLError and socket errors
++                    if isinstance(e, ConnectionError):
++                        # OpenSSL 1.1.1 sometimes raises
++                        # ConnectionResetError when connection is not
++                        # shut down gracefully.
++                        if self.server.chatty and support.verbose:
++                            print(f" Connection reset by peer: {self.addr}")
++
++                        self.close()
++                        self.running = False
++                        return
+                     if self.server.chatty and support.verbose:
+-                        if isinstance(e, ConnectionError):
+-                            # OpenSSL 1.1.1 sometimes raises
+-                            # ConnectionResetError when connection is not
+-                            # shut down gracefully.
+-                            print(
+-                                f" Connection reset by peer: {self.addr}"
+-                            )
+-                        else:
+-                            handle_error("Test server failure:\n")
++                        handle_error("Test server failure:\n")
+                     try:
+                         self.write(b"ERROR\n")
+                     except OSError:
+@@ -3148,8 +3150,8 @@ def test_wrong_cert_tls13(self):
+                                         suppress_ragged_eofs=False) as s:
+             s.connect((HOST, server.port))
+             with self.assertRaisesRegex(
+-                ssl.SSLError,
+-                'alert unknown ca|EOF occurred|TLSV1_ALERT_UNKNOWN_CA'
++                OSError,
++                'alert unknown ca|EOF occurred|TLSV1_ALERT_UNKNOWN_CA|closed by the remote host|Connection reset by peer'
+             ):
+                 # TLS 1.3 perform client cert exchange after handshake
+                 s.write(b'data')
+@@ -4422,8 +4424,8 @@ def msg_cb(conn, direction, version, content_type, msg_type, data):
+                 # test sometimes fails with EOF error. Test passes as long as
+                 # server aborts connection with an error.
+                 with self.assertRaisesRegex(
+-                    ssl.SSLError,
+-                    '(certificate required|EOF occurred)'
++                    OSError,
++                    'certificate required|EOF occurred|closed by the remote host|Connection reset by peer'
+                 ):
+                     # receive CertificateRequest
+                     data = s.recv(1024)
+diff --git a/Misc/NEWS.d/next/Library/2024-02-18-09-50-31.gh-issue-115627.HGchj0.rst b/Misc/NEWS.d/next/Library/2024-02-18-09-50-31.gh-issue-115627.HGchj0.rst
+new file mode 100644
+index 0000000000..75d926ab59
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2024-02-18-09-50-31.gh-issue-115627.HGchj0.rst
+@@ -0,0 +1,2 @@
++Fix the :mod:`ssl` module error handling of connection terminate by peer.
++It now throws an OSError with the appropriate error code instead of an EOFError.
+diff --git a/Modules/_ssl.c b/Modules/_ssl.c
+index aae4dc323d..27dd7bbe11 100644
+--- a/Modules/_ssl.c
++++ b/Modules/_ssl.c
+@@ -573,7 +573,7 @@ PySSL_ChainExceptions(PySSLSocket *sslsock) {
+ }
+ 
+ static PyObject *
+-PySSL_SetError(PySSLSocket *sslsock, int ret, const char *filename, int lineno)
++PySSL_SetError(PySSLSocket *sslsock, const char *filename, int lineno)
+ {
+     PyObject *type;
+     char *errstr = NULL;
+@@ -586,7 +586,6 @@ PySSL_SetError(PySSLSocket *sslsock, int ret, const char *filename, int lineno)
+     _sslmodulestate *state = get_state_sock(sslsock);
+     type = state->PySSLErrorObject;
+ 
+-    assert(ret <= 0);
+     e = ERR_peek_last_error();
+ 
+     if (sslsock->ssl != NULL) {
+@@ -619,32 +618,21 @@ PySSL_SetError(PySSLSocket *sslsock, int ret, const char *filename, int lineno)
+         case SSL_ERROR_SYSCALL:
+         {
+             if (e == 0) {
+-                PySocketSockObject *s = GET_SOCKET(sslsock);
+-                if (ret == 0 || (((PyObject *)s) == Py_None)) {
++                /* underlying BIO reported an I/O error */
++                ERR_clear_error();
++#ifdef MS_WINDOWS
++                if (err.ws) {
++                    return PyErr_SetFromWindowsErr(err.ws);
++                }
++#endif
++                if (err.c) {
++                    errno = err.c;
++                    return PyErr_SetFromErrno(PyExc_OSError);
++                }
++                else {
+                     p = PY_SSL_ERROR_EOF;
+                     type = state->PySSLEOFErrorObject;
+                     errstr = "EOF occurred in violation of protocol";
+-                } else if (s && ret == -1) {
+-                    /* underlying BIO reported an I/O error */
+-                    ERR_clear_error();
+-#ifdef MS_WINDOWS
+-                    if (err.ws) {
+-                        return PyErr_SetFromWindowsErr(err.ws);
+-                    }
+-#endif
+-                    if (err.c) {
+-                        errno = err.c;
+-                        return PyErr_SetFromErrno(PyExc_OSError);
+-                    }
+-                    else {
+-                        p = PY_SSL_ERROR_EOF;
+-                        type = state->PySSLEOFErrorObject;
+-                        errstr = "EOF occurred in violation of protocol";
+-                    }
+-                } else { /* possible? */
+-                    p = PY_SSL_ERROR_SYSCALL;
+-                    type = state->PySSLSyscallErrorObject;
+-                    errstr = "Some I/O error occurred";
+                 }
+             } else {
+                 if (ERR_GET_LIB(e) == ERR_LIB_SSL &&
+@@ -1007,7 +995,7 @@ _ssl__SSLSocket_do_handshake_impl(PySSLSocket *self)
+              err.ssl == SSL_ERROR_WANT_WRITE);
+     Py_XDECREF(sock);
+     if (ret < 1)
+-        return PySSL_SetError(self, ret, __FILE__, __LINE__);
++        return PySSL_SetError(self, __FILE__, __LINE__);
+     if (PySSL_ChainExceptions(self) < 0)
+         return NULL;
+     Py_RETURN_NONE;
+@@ -2424,7 +2412,7 @@ _ssl__SSLSocket_write_impl(PySSLSocket *self, Py_buffer *b)
+ 
+     Py_XDECREF(sock);
+     if (retval == 0)
+-        return PySSL_SetError(self, retval, __FILE__, __LINE__);
++        return PySSL_SetError(self, __FILE__, __LINE__);
+     if (PySSL_ChainExceptions(self) < 0)
+         return NULL;
+     return PyLong_FromSize_t(count);
+@@ -2454,7 +2442,7 @@ _ssl__SSLSocket_pending_impl(PySSLSocket *self)
+     self->err = err;
+ 
+     if (count < 0)
+-        return PySSL_SetError(self, count, __FILE__, __LINE__);
++        return PySSL_SetError(self, __FILE__, __LINE__);
+     else
+         return PyLong_FromLong(count);
+ }
+@@ -2577,7 +2565,7 @@ _ssl__SSLSocket_read_impl(PySSLSocket *self, Py_ssize_t len,
+              err.ssl == SSL_ERROR_WANT_WRITE);
+ 
+     if (retval == 0) {
+-        PySSL_SetError(self, retval, __FILE__, __LINE__);
++        PySSL_SetError(self, __FILE__, __LINE__);
+         goto error;
+     }
+     if (self->exc != NULL)
+@@ -2703,7 +2691,7 @@ _ssl__SSLSocket_shutdown_impl(PySSLSocket *self)
+     }
+     if (ret < 0) {
+         Py_XDECREF(sock);
+-        PySSL_SetError(self, ret, __FILE__, __LINE__);
++        PySSL_SetError(self, __FILE__, __LINE__);
+         return NULL;
+     }
+     if (self->exc != NULL)

00464-enable-pac-and-bti-protections-for-aarch64.patch

@@ -0,0 +1,102 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Charalampos Stratakis <cstratak@redhat.com>
+Date: Tue, 3 Jun 2025 03:02:15 +0200
+Subject: 00464: Enable PAC and BTI protections for aarch64
+
+Apply protection against ROP/JOP attacks for aarch64 on asm_trampoline.S
+
+The BTI flag must be applied in the assembler sources for this class
+of attacks to be mitigated on newer aarch64 processors.
+
+Upstream PR: https://github.com/python/cpython/pull/130864/files
+
+The upstream patch is incomplete but only for the case where
+frame pointers are not used on 3.13+.
+
+Since on Fedora we always compile with frame pointers the BTI/PAC
+hardware protections can be enabled without losing Perf unwinding.
+---
+ Python/asm_trampoline.S         |  4 +++
+ Python/asm_trampoline_aarch64.h | 50 +++++++++++++++++++++++++++++++++
+ 2 files changed, 54 insertions(+)
+ create mode 100644 Python/asm_trampoline_aarch64.h
+
+diff --git a/Python/asm_trampoline.S b/Python/asm_trampoline.S
+index 341d0bbe51..ae882660b5 100644
+--- a/Python/asm_trampoline.S
++++ b/Python/asm_trampoline.S
+@@ -1,3 +1,5 @@
++#include "asm_trampoline_aarch64.h"
++
+     .text
+     .globl	_Py_trampoline_func_start
+ # The following assembly is equivalent to:
+@@ -20,10 +22,12 @@ _Py_trampoline_func_start:
+ #if defined(__aarch64__) && defined(__AARCH64EL__) && !defined(__ILP32__)
+     // ARM64 little endian, 64bit ABI
+     // generate with aarch64-linux-gnu-gcc 12.1
++    SIGN_LR
+     stp     x29, x30, [sp, -16]!
+     mov     x29, sp
+     blr     x3
+     ldp     x29, x30, [sp], 16
++    VERIFY_LR
+     ret
+ #endif
+     .globl	_Py_trampoline_func_end
+diff --git a/Python/asm_trampoline_aarch64.h b/Python/asm_trampoline_aarch64.h
+new file mode 100644
+index 0000000000..4b0ec4a7dc
+--- /dev/null
++++ b/Python/asm_trampoline_aarch64.h
+@@ -0,0 +1,50 @@
++#ifndef ASM_TRAMPOLINE_AARCH_64_H_
++#define ASM_TRAMPOLINE_AARCH_64_H_
++
++/*
++ * References:
++ *  - https://developer.arm.com/documentation/101028/0012/5--Feature-test-macros
++ *  - https://github.com/ARM-software/abi-aa/blob/main/aaelf64/aaelf64.rst
++ */
++
++#if defined(__ARM_FEATURE_BTI_DEFAULT) && __ARM_FEATURE_BTI_DEFAULT == 1
++  #define BTI_J hint 36 /* bti j: for jumps, IE br instructions */
++  #define BTI_C hint 34  /* bti c: for calls, IE bl instructions */
++  #define GNU_PROPERTY_AARCH64_BTI 1 /* bit 0 GNU Notes is for BTI support */
++#else
++  #define BTI_J
++  #define BTI_C
++  #define GNU_PROPERTY_AARCH64_BTI 0
++#endif
++
++#if defined(__ARM_FEATURE_PAC_DEFAULT)
++  #if __ARM_FEATURE_PAC_DEFAULT & 1
++    #define SIGN_LR hint 25 /* paciasp: sign with the A key */
++    #define VERIFY_LR hint 29 /* autiasp: verify with the A key */
++  #elif __ARM_FEATURE_PAC_DEFAULT & 2
++    #define SIGN_LR hint 27 /* pacibsp: sign with the b key */
++    #define VERIFY_LR hint 31 /* autibsp: verify with the b key */
++  #endif
++  #define GNU_PROPERTY_AARCH64_POINTER_AUTH 2 /* bit 1 GNU Notes is for PAC support */
++#else
++  #define SIGN_LR BTI_C
++  #define VERIFY_LR
++  #define GNU_PROPERTY_AARCH64_POINTER_AUTH 0
++#endif
++
++/* Add the BTI and PAC support to GNU Notes section */
++#if GNU_PROPERTY_AARCH64_BTI != 0 || GNU_PROPERTY_AARCH64_POINTER_AUTH != 0
++    .pushsection .note.gnu.property, "a"; /* Start a new allocatable section */
++    .balign 8; /* align it on a byte boundry */
++    .long 4; /* size of "GNU\0" */
++    .long 0x10; /* size of descriptor */
++    .long 0x5; /* NT_GNU_PROPERTY_TYPE_0 */
++    .asciz "GNU";
++    .long 0xc0000000; /* GNU_PROPERTY_AARCH64_FEATURE_1_AND */
++    .long 4; /* Four bytes of data */
++    .long (GNU_PROPERTY_AARCH64_BTI|GNU_PROPERTY_AARCH64_POINTER_AUTH); /* BTI or PAC is enabled */
++    .long 0; /* padding for 8 byte alignment */
++    .popsection; /* end the section */
++#endif
++
++#endif

00474-cve-2025-15366.patch

@@ -0,0 +1,61 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <seth@python.org>
+Date: Tue, 20 Jan 2026 14:45:42 -0600
+Subject: 00474: CVE-2025-15366
+
+gh-143921: Reject control characters in IMAP commands
+
+(cherry-picked from commit 6262704b134db2a4ba12e85ecfbd968534f28b45)
+---
+ Lib/imaplib.py                                              | 4 +++-
+ Lib/test/test_imaplib.py                                    | 6 ++++++
+ .../Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst | 1 +
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst
+
+diff --git a/Lib/imaplib.py b/Lib/imaplib.py
+index e337fe6471..c7f44f05b1 100644
+--- a/Lib/imaplib.py
++++ b/Lib/imaplib.py
+@@ -132,7 +132,7 @@
+ # We compile these in _mode_xxx.
+ _Literal = br'.*{(?P<size>\d+)}$'
+ _Untagged_status = br'\* (?P<data>\d+) (?P<type>[A-Z-]+)( (?P<data2>.*))?'
+-
++_control_chars = re.compile(b'[\x00-\x1F\x7F]')
+ 
+ 
+ class IMAP4:
+@@ -994,6 +994,8 @@ def _command(self, name, *args):
+             if arg is None: continue
+             if isinstance(arg, str):
+                 arg = bytes(arg, self._encoding)
++            if _control_chars.search(arg):
++                raise ValueError("Control characters not allowed in commands")
+             data = data + b' ' + arg
+ 
+         literal = self.literal
+diff --git a/Lib/test/test_imaplib.py b/Lib/test/test_imaplib.py
+index 4429a90050..73c25bc733 100644
+--- a/Lib/test/test_imaplib.py
++++ b/Lib/test/test_imaplib.py
+@@ -504,6 +504,12 @@ def test_login(self):
+         self.assertEqual(data[0], b'LOGIN completed')
+         self.assertEqual(client.state, 'AUTH')
+ 
++    def test_control_characters(self):
++        client, _ = self._setup(SimpleIMAPHandler)
++        for c0 in support.control_characters_c0():
++            with self.assertRaises(ValueError):
++                client.login(f'user{c0}', 'pass')
++
+     def test_logout(self):
+         client, _ = self._setup(SimpleIMAPHandler)
+         typ, data = client.login('user', 'pass')
+diff --git a/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst b/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst
+new file mode 100644
+index 0000000000..4e13fe92bc
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst
+@@ -0,0 +1 @@
++Reject control characters in IMAP commands.

00475-cve-2025-15367.patch

@@ -0,0 +1,61 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <seth@python.org>
+Date: Tue, 20 Jan 2026 14:46:32 -0600
+Subject: 00475: CVE-2025-15367
+
+gh-143923: Reject control characters in POP3 commands
+
+(cherry-picked from commit b234a2b67539f787e191d2ef19a7cbdce32874e7)
+---
+ Lib/poplib.py                                             | 2 ++
+ Lib/test/test_poplib.py                                   | 8 ++++++++
+ .../2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst        | 1 +
+ 3 files changed, 11 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst
+
+diff --git a/Lib/poplib.py b/Lib/poplib.py
+index 9eb662d000..5c83522504 100644
+--- a/Lib/poplib.py
++++ b/Lib/poplib.py
+@@ -122,6 +122,8 @@ def _putline(self, line):
+     def _putcmd(self, line):
+         if self._debugging: print('*cmd*', repr(line))
+         line = bytes(line, self.encoding)
++        if re.search(b'[\x00-\x1F\x7F]', line):
++            raise ValueError('Control characters not allowed in commands')
+         self._putline(line)
+ 
+ 
+diff --git a/Lib/test/test_poplib.py b/Lib/test/test_poplib.py
+index f1ebbeafe0..50d8c255d6 100644
+--- a/Lib/test/test_poplib.py
++++ b/Lib/test/test_poplib.py
+@@ -12,6 +12,7 @@
+ import unittest
+ from unittest import TestCase, skipUnless
+ from test import support as test_support
++from test.support import control_characters_c0
+ from test.support import hashlib_helper
+ from test.support import socket_helper
+ from test.support import threading_helper
+@@ -395,6 +396,13 @@ def test_quit(self):
+         self.assertIsNone(self.client.sock)
+         self.assertIsNone(self.client.file)
+ 
++    def test_control_characters(self):
++        for c0 in control_characters_c0():
++            with self.assertRaises(ValueError):
++                self.client.user(f'user{c0}')
++            with self.assertRaises(ValueError):
++                self.client.pass_(f'{c0}pass')
++
+     @requires_ssl
+     def test_stls_capa(self):
+         capa = self.client.capa()
+diff --git a/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst b/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst
+new file mode 100644
+index 0000000000..3cde4df3e0
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst
+@@ -0,0 +1 @@
++Reject control characters in POP3 commands.

00478-cve-2026-4519.patch

@@ -0,0 +1,105 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Pinky <pinky00ch@gmail.com>
+Date: Wed, 25 Mar 2026 01:02:37 +0530
+Subject: 00478: CVE-2026-4519
+
+Reject leading dashes in webbrowser URLs (GH-146360)
+
+(cherry picked from commit 82a24a4442312bdcfc4c799885e8b3e00990f02b)
+
+Co-authored-by: Seth Michael Larson <seth@python.org>
+---
+ Lib/test/test_webbrowser.py                          |  5 +++++
+ Lib/webbrowser.py                                    | 12 ++++++++++++
+ .../2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst   |  1 +
+ 3 files changed, 18 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
+
+diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
+index 2d695bc883..60f094fd6a 100644
+--- a/Lib/test/test_webbrowser.py
++++ b/Lib/test/test_webbrowser.py
+@@ -59,6 +59,11 @@ def test_open(self):
+                    options=[],
+                    arguments=[URL])
+ 
++    def test_reject_dash_prefixes(self):
++        browser = self.browser_class(name=CMD_NAME)
++        with self.assertRaises(ValueError):
++            browser.open(f"--key=val {URL}")
++
+ 
+ class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase):
+ 
+diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
+index 13b9e85f9e..0bdb644d7d 100755
+--- a/Lib/webbrowser.py
++++ b/Lib/webbrowser.py
+@@ -158,6 +158,12 @@ def open_new(self, url):
+     def open_new_tab(self, url):
+         return self.open(url, 2)
+ 
++    @staticmethod
++    def _check_url(url):
++        """Ensures that the URL is safe to pass to subprocesses as a parameter"""
++        if url and url.lstrip().startswith("-"):
++            raise ValueError(f"Invalid URL: {url}")
++
+ 
+ class GenericBrowser(BaseBrowser):
+     """Class for all browsers started with a command
+@@ -175,6 +181,7 @@ def __init__(self, name):
+ 
+     def open(self, url, new=0, autoraise=True):
+         sys.audit("webbrowser.open", url)
++        self._check_url(url)
+         cmdline = [self.name] + [arg.replace("%s", url)
+                                  for arg in self.args]
+         try:
+@@ -195,6 +202,7 @@ def open(self, url, new=0, autoraise=True):
+         cmdline = [self.name] + [arg.replace("%s", url)
+                                  for arg in self.args]
+         sys.audit("webbrowser.open", url)
++        self._check_url(url)
+         try:
+             if sys.platform[:3] == 'win':
+                 p = subprocess.Popen(cmdline)
+@@ -260,6 +268,7 @@ def _invoke(self, args, remote, autoraise, url=None):
+ 
+     def open(self, url, new=0, autoraise=True):
+         sys.audit("webbrowser.open", url)
++        self._check_url(url)
+         if new == 0:
+             action = self.remote_action
+         elif new == 1:
+@@ -350,6 +359,7 @@ class Konqueror(BaseBrowser):
+ 
+     def open(self, url, new=0, autoraise=True):
+         sys.audit("webbrowser.open", url)
++        self._check_url(url)
+         # XXX Currently I know no way to prevent KFM from opening a new win.
+         if new == 2:
+             action = "newTab"
+@@ -554,6 +564,7 @@ def register_standard_browsers():
+     class WindowsDefault(BaseBrowser):
+         def open(self, url, new=0, autoraise=True):
+             sys.audit("webbrowser.open", url)
++            self._check_url(url)
+             try:
+                 os.startfile(url)
+             except OSError:
+@@ -638,6 +649,7 @@ def _name(self, val):
+ 
+         def open(self, url, new=0, autoraise=True):
+             sys.audit("webbrowser.open", url)
++            self._check_url(url)
+             if self.name == 'default':
+                 script = 'open location "%s"' % url.replace('"', '%22') # opens in default browser
+             else:
+diff --git a/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
+new file mode 100644
+index 0000000000..0f27eae99a
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
+@@ -0,0 +1 @@
++Reject leading dashes in URLs passed to :func:`webbrowser.open`

00479-cve-2026-1502.patch

@@ -0,0 +1,107 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Seth Larson <seth@python.org>
+Date: Fri, 10 Apr 2026 10:21:42 -0500
+Subject: 00479: CVE-2026-1502
+
+Reject CR/LF in HTTP tunnel request headers
+
+Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
+---
+ Lib/http/client.py                            | 11 ++++-
+ Lib/test/test_httplib.py                      | 45 +++++++++++++++++++
+ ...-03-20-09-29-42.gh-issue-146211.PQVbs7.rst |  2 +
+ 3 files changed, 57 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-03-20-09-29-42.gh-issue-146211.PQVbs7.rst
+
+diff --git a/Lib/http/client.py b/Lib/http/client.py
+index 70451d67d4..7db4807b30 100644
+--- a/Lib/http/client.py
++++ b/Lib/http/client.py
+@@ -972,13 +972,22 @@ def _wrap_ipv6(self, ip):
+         return ip
+ 
+     def _tunnel(self):
++        if _contains_disallowed_url_pchar_re.search(self._tunnel_host):
++            raise ValueError('Tunnel host can\'t contain control characters %r'
++                             % (self._tunnel_host,))
+         connect = b"CONNECT %s:%d %s\r\n" % (
+             self._wrap_ipv6(self._tunnel_host.encode("idna")),
+             self._tunnel_port,
+             self._http_vsn_str.encode("ascii"))
+         headers = [connect]
+         for header, value in self._tunnel_headers.items():
+-            headers.append(f"{header}: {value}\r\n".encode("latin-1"))
++            header_bytes = header.encode("latin-1")
++            value_bytes = value.encode("latin-1")
++            if not _is_legal_header_name(header_bytes):
++                raise ValueError('Invalid header name %r' % (header_bytes,))
++            if _is_illegal_header_value(value_bytes):
++                raise ValueError('Invalid header value %r' % (value_bytes,))
++            headers.append(b"%s: %s\r\n" % (header_bytes, value_bytes))
+         headers.append(b"\r\n")
+         # Making a single send() call instead of one per line encourages
+         # the host OS to use a more optimal packet size instead of
+diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
+index e46dac0077..e027d930d9 100644
+--- a/Lib/test/test_httplib.py
++++ b/Lib/test/test_httplib.py
+@@ -369,6 +369,51 @@ def test_invalid_headers(self):
+                 with self.assertRaisesRegex(ValueError, 'Invalid header'):
+                     conn.putheader(name, value)
+ 
++    def test_invalid_tunnel_headers(self):
++        cases = (
++            ('Invalid\r\nName', 'ValidValue'),
++            ('Invalid\rName', 'ValidValue'),
++            ('Invalid\nName', 'ValidValue'),
++            ('\r\nInvalidName', 'ValidValue'),
++            ('\rInvalidName', 'ValidValue'),
++            ('\nInvalidName', 'ValidValue'),
++            (' InvalidName', 'ValidValue'),
++            ('\tInvalidName', 'ValidValue'),
++            ('Invalid:Name', 'ValidValue'),
++            (':InvalidName', 'ValidValue'),
++            ('ValidName', 'Invalid\r\nValue'),
++            ('ValidName', 'Invalid\rValue'),
++            ('ValidName', 'Invalid\nValue'),
++            ('ValidName', 'InvalidValue\r\n'),
++            ('ValidName', 'InvalidValue\r'),
++            ('ValidName', 'InvalidValue\n'),
++        )
++        for name, value in cases:
++            with self.subTest((name, value)):
++                conn = client.HTTPConnection('example.com')
++                conn.set_tunnel('tunnel', headers={
++                    name: value
++                })
++                conn.sock = FakeSocket('')
++                with self.assertRaisesRegex(ValueError, 'Invalid header'):
++                    conn._tunnel()  # Called in .connect()
++
++    def test_invalid_tunnel_host(self):
++        cases = (
++            'invalid\r.host',
++            '\ninvalid.host',
++            'invalid.host\r\n',
++            'invalid.host\x00',
++            'invalid host',
++        )
++        for tunnel_host in cases:
++            with self.subTest(tunnel_host):
++                conn = client.HTTPConnection('example.com')
++                conn.set_tunnel(tunnel_host)
++                conn.sock = FakeSocket('')
++                with self.assertRaisesRegex(ValueError, 'Tunnel host can\'t contain control characters'):
++                    conn._tunnel()  # Called in .connect()
++
+     def test_headers_debuglevel(self):
+         body = (
+             b'HTTP/1.1 200 OK\r\n'
+diff --git a/Misc/NEWS.d/next/Security/2026-03-20-09-29-42.gh-issue-146211.PQVbs7.rst b/Misc/NEWS.d/next/Security/2026-03-20-09-29-42.gh-issue-146211.PQVbs7.rst
+new file mode 100644
+index 0000000000..4993633b8e
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2026-03-20-09-29-42.gh-issue-146211.PQVbs7.rst
+@@ -0,0 +1,2 @@
++Reject CR/LF characters in tunnel request headers for the
++HTTPConnection.set_tunnel() method.

00480-cve-2026-4786.patch

@@ -0,0 +1,64 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Stan Ulbrych <stan@python.org>
+Date: Mon, 13 Apr 2026 20:02:52 +0100
+Subject: 00480: CVE-2026-4786
+
+Fix webbrowser `%action` substitution bypass of dash-prefix check
+---
+ Lib/test/test_webbrowser.py                              | 9 +++++++++
+ Lib/webbrowser.py                                        | 5 +++--
+ .../2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst       | 2 ++
+ 3 files changed, 14 insertions(+), 2 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
+
+diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
+index 60f094fd6a..e900c0212b 100644
+--- a/Lib/test/test_webbrowser.py
++++ b/Lib/test/test_webbrowser.py
+@@ -99,6 +99,15 @@ def test_open_new_tab(self):
+                    options=[],
+                    arguments=[URL])
+ 
++    def test_reject_action_dash_prefixes(self):
++        browser = self.browser_class(name=CMD_NAME)
++        with self.assertRaises(ValueError):
++            browser.open('%action--incognito')
++        # new=1: action is "--new-window", so "%action" itself expands to
++        # a dash-prefixed flag even with no dash in the original URL.
++        with self.assertRaises(ValueError):
++            browser.open('%action', new=1)
++
+ 
+ class EdgeCommandTest(CommandTestMixin, unittest.TestCase):
+ 
+diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
+index 0bdb644d7d..79d410bcae 100755
+--- a/Lib/webbrowser.py
++++ b/Lib/webbrowser.py
+@@ -268,7 +268,6 @@ def _invoke(self, args, remote, autoraise, url=None):
+ 
+     def open(self, url, new=0, autoraise=True):
+         sys.audit("webbrowser.open", url)
+-        self._check_url(url)
+         if new == 0:
+             action = self.remote_action
+         elif new == 1:
+@@ -282,7 +281,9 @@ def open(self, url, new=0, autoraise=True):
+             raise Error("Bad 'new' parameter to open(); " +
+                         "expected 0, 1, or 2, got %s" % new)
+ 
+-        args = [arg.replace("%s", url).replace("%action", action)
++        self._check_url(url.replace("%action", action))
++
++        args = [arg.replace("%action", action).replace("%s", url)
+                 for arg in self.remote_args]
+         args = [arg for arg in args if arg]
+         success = self._invoke(args, True, autoraise, url)
+diff --git a/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst b/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
+new file mode 100644
+index 0000000000..45cdeebe1b
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
+@@ -0,0 +1,2 @@
++A bypass in :mod:`webbrowser` allowed URLs prefixed with ``%action`` to pass
++the dash-prefix safety check.

00482-cve-2026-6100.patch

@@ -0,0 +1,61 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Stan Ulbrych <stan@python.org>
+Date: Mon, 13 Apr 2026 02:14:54 +0100
+Subject: 00482: CVE-2026-6100
+
+Fix a possible UAF in {LZMA,BZ2,_Zlib}Decompressor
+---
+ .../Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst  | 5 +++++
+ Modules/_bz2module.c                                         | 1 +
+ Modules/_lzmamodule.c                                        | 1 +
+ Modules/zlibmodule.c                                         | 1 +
+ 4 files changed, 8 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
+
+diff --git a/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
+new file mode 100644
+index 0000000000..9502189ab1
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
+@@ -0,0 +1,5 @@
++Fix a dangling input pointer in :class:`lzma.LZMADecompressor`,
++:class:`bz2.BZ2Decompressor`, and internal :class:`!zlib._ZlibDecompressor`
++when memory allocation fails with :exc:`MemoryError`, which could let a
++subsequent :meth:`!decompress` call read or write through a stale pointer to
++the already-released caller buffer.
+diff --git a/Modules/_bz2module.c b/Modules/_bz2module.c
+index 97bd44b4ac..a732e89d55 100644
+--- a/Modules/_bz2module.c
++++ b/Modules/_bz2module.c
+@@ -587,6 +587,7 @@ decompress(BZ2Decompressor *d, char *data, size_t len, Py_ssize_t max_length)
+     return result;
+ 
+ error:
++    bzs->next_in = NULL;
+     Py_XDECREF(result);
+     return NULL;
+ }
+diff --git a/Modules/_lzmamodule.c b/Modules/_lzmamodule.c
+index 7bbd6569aa..103a6ef86c 100644
+--- a/Modules/_lzmamodule.c
++++ b/Modules/_lzmamodule.c
+@@ -1114,6 +1114,7 @@ decompress(Decompressor *d, uint8_t *data, size_t len, Py_ssize_t max_length)
+     return result;
+ 
+ error:
++    lzs->next_in = NULL;
+     Py_XDECREF(result);
+     return NULL;
+ }
+diff --git a/Modules/zlibmodule.c b/Modules/zlibmodule.c
+index f94c57e4c8..9759593b6a 100644
+--- a/Modules/zlibmodule.c
++++ b/Modules/zlibmodule.c
+@@ -1645,6 +1645,7 @@ decompress(ZlibDecompressor *self, uint8_t *data,
+     return result;
+ 
+ error:
++    self->zst.next_in = NULL;
+     Py_XDECREF(result);
+     return NULL;
+ }

00483-cve-2026-2297.patch

@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Steve Dower <steve.dower@python.org>
+Date: Wed, 4 Mar 2026 19:55:52 +0000
+Subject: 00483: CVE-2026-2297
+
+Logging Bypass in Legacy .pyc File Handling
+---
+ Lib/importlib/_bootstrap_external.py                            | 2 +-
+ .../Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst     | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst
+
+diff --git a/Lib/importlib/_bootstrap_external.py b/Lib/importlib/_bootstrap_external.py
+index 9b8a8dfc5a..6e4a087a10 100644
+--- a/Lib/importlib/_bootstrap_external.py
++++ b/Lib/importlib/_bootstrap_external.py
+@@ -1186,7 +1186,7 @@ def get_filename(self, fullname):
+ 
+     def get_data(self, path):
+         """Return the data from path as raw bytes."""
+-        if isinstance(self, (SourceLoader, ExtensionFileLoader)):
++        if isinstance(self, (SourceLoader, SourcelessFileLoader, ExtensionFileLoader)):
+             with _io.open_code(str(path)) as file:
+                 return file.read()
+         else:
+diff --git a/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst b/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst
+new file mode 100644
+index 0000000000..dcdb44d4fa
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst
+@@ -0,0 +1,2 @@
++Fixes :cve:`2026-2297` by ensuring that ``SourcelessFileLoader`` uses
++:func:`io.open_code` when opening ``.pyc`` files.

00484-cve-2026-3644.patch

@@ -0,0 +1,146 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
+Date: Mon, 16 Mar 2026 13:43:43 +0000
+Subject: 00484: CVE-2026-3644
+
+Incomplete control character validation in http.cookies
+
+Co-authored-by: Victor Stinner <victor.stinner@gmail.com>
+---
+ Lib/http/cookies.py                           | 24 ++++++++++--
+ Lib/test/test_http_cookies.py                 | 38 +++++++++++++++++++
+ ...-03-06-17-03-38.gh-issue-145599.kchwZV.rst |  4 ++
+ 3 files changed, 62 insertions(+), 4 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-03-06-17-03-38.gh-issue-145599.kchwZV.rst
+
+diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
+index d0a69cbe19..63d119ad46 100644
+--- a/Lib/http/cookies.py
++++ b/Lib/http/cookies.py
+@@ -335,9 +335,16 @@ def update(self, values):
+             key = key.lower()
+             if key not in self._reserved:
+                 raise CookieError("Invalid attribute %r" % (key,))
++            if _has_control_character(key, val):
++                raise CookieError("Control characters are not allowed in "
++                                  f"cookies {key!r} {val!r}")
+             data[key] = val
+         dict.update(self, data)
+ 
++    def __ior__(self, values):
++        self.update(values)
++        return self
++
+     def isReservedKey(self, K):
+         return K.lower() in self._reserved
+ 
+@@ -363,9 +370,15 @@ def __getstate__(self):
+         }
+ 
+     def __setstate__(self, state):
+-        self._key = state['key']
+-        self._value = state['value']
+-        self._coded_value = state['coded_value']
++        key = state['key']
++        value = state['value']
++        coded_value = state['coded_value']
++        if _has_control_character(key, value, coded_value):
++            raise CookieError("Control characters are not allowed in cookies "
++                              f"{key!r} {value!r} {coded_value!r}")
++        self._key = key
++        self._value = value
++        self._coded_value = coded_value
+ 
+     def output(self, attrs=None, header="Set-Cookie:"):
+         return "%s %s" % (header, self.OutputString(attrs))
+@@ -377,13 +390,16 @@ def __repr__(self):
+ 
+     def js_output(self, attrs=None):
+         # Print javascript
++        output_string = self.OutputString(attrs)
++        if _has_control_character(output_string):
++            raise CookieError("Control characters are not allowed in cookies")
+         return """
+         <script type="text/javascript">
+         <!-- begin hiding
+         document.cookie = \"%s\";
+         // end hiding -->
+         </script>
+-        """ % (self.OutputString(attrs).replace('"', r'\"'))
++        """ % (output_string.replace('"', r'\"'))
+ 
+     def OutputString(self, attrs=None):
+         # Build up our result
+diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
+index f196bcc48e..2478a6c630 100644
+--- a/Lib/test/test_http_cookies.py
++++ b/Lib/test/test_http_cookies.py
+@@ -573,6 +573,14 @@ def test_control_characters(self):
+             with self.assertRaises(cookies.CookieError):
+                 morsel["path"] = c0
+ 
++            # .__setstate__()
++            with self.assertRaises(cookies.CookieError):
++                morsel.__setstate__({'key': c0, 'value': 'val', 'coded_value': 'coded'})
++            with self.assertRaises(cookies.CookieError):
++                morsel.__setstate__({'key': 'key', 'value': c0, 'coded_value': 'coded'})
++            with self.assertRaises(cookies.CookieError):
++                morsel.__setstate__({'key': 'key', 'value': 'val', 'coded_value': c0})
++
+             # .setdefault()
+             with self.assertRaises(cookies.CookieError):
+                 morsel.setdefault("path", c0)
+@@ -587,6 +595,18 @@ def test_control_characters(self):
+             with self.assertRaises(cookies.CookieError):
+                 morsel.set("path", "val", c0)
+ 
++            # .update()
++            with self.assertRaises(cookies.CookieError):
++                morsel.update({"path": c0})
++            with self.assertRaises(cookies.CookieError):
++                morsel.update({c0: "val"})
++
++            # .__ior__()
++            with self.assertRaises(cookies.CookieError):
++                morsel |= {"path": c0}
++            with self.assertRaises(cookies.CookieError):
++                morsel |= {c0: "val"}
++
+     def test_control_characters_output(self):
+         # Tests that even if the internals of Morsel are modified
+         # that a call to .output() has control character safeguards.
+@@ -607,6 +627,24 @@ def test_control_characters_output(self):
+             with self.assertRaises(cookies.CookieError):
+                 cookie.output()
+ 
++        # Tests that .js_output() also has control character safeguards.
++        for c0 in support.control_characters_c0():
++            morsel = cookies.Morsel()
++            morsel.set("key", "value", "coded-value")
++            morsel._key = c0  # Override private variable.
++            cookie = cookies.SimpleCookie()
++            cookie["cookie"] = morsel
++            with self.assertRaises(cookies.CookieError):
++                cookie.js_output()
++
++            morsel = cookies.Morsel()
++            morsel.set("key", "value", "coded-value")
++            morsel._coded_value = c0  # Override private variable.
++            cookie = cookies.SimpleCookie()
++            cookie["cookie"] = morsel
++            with self.assertRaises(cookies.CookieError):
++                cookie.js_output()
++
+ 
+ def load_tests(loader, tests, pattern):
+     tests.addTest(doctest.DocTestSuite(cookies))
+diff --git a/Misc/NEWS.d/next/Security/2026-03-06-17-03-38.gh-issue-145599.kchwZV.rst b/Misc/NEWS.d/next/Security/2026-03-06-17-03-38.gh-issue-145599.kchwZV.rst
+new file mode 100644
+index 0000000000..e53a932d12
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2026-03-06-17-03-38.gh-issue-145599.kchwZV.rst
+@@ -0,0 +1,4 @@
++Reject control characters in :class:`http.cookies.Morsel`
++:meth:`~http.cookies.Morsel.update` and
++:meth:`~http.cookies.BaseCookie.js_output`.
++This addresses :cve:`2026-3644`.

00485-cve-2026-4224.patch

@@ -0,0 +1,98 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
+Date: Sun, 15 Mar 2026 21:46:06 +0000
+Subject: 00485: CVE-2026-4224
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Stack overflow parsing XML with deeply nested DTD content models
+
+Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
+---
+ Lib/test/test_pyexpat.py                       | 18 ++++++++++++++++++
+ ...6-03-14-17-31-39.gh-issue-145986.ifSSr8.rst |  4 ++++
+ Modules/pyexpat.c                              |  9 ++++++++-
+ 3 files changed, 30 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst
+
+diff --git a/Lib/test/test_pyexpat.py b/Lib/test/test_pyexpat.py
+index 38f951573f..37d9086f40 100644
+--- a/Lib/test/test_pyexpat.py
++++ b/Lib/test/test_pyexpat.py
+@@ -675,6 +675,24 @@ def test_change_size_2(self):
+         parser.Parse(xml2, True)
+         self.assertEqual(self.n, 4)
+ 
++class ElementDeclHandlerTest(unittest.TestCase):
++    def test_deeply_nested_content_model(self):
++        # This should raise a RecursionError and not crash.
++        # See https://github.com/python/cpython/issues/145986.
++        N = 500_000
++        data = (
++            b'<!DOCTYPE root [\n<!ELEMENT root '
++            + b'(a, ' * N + b'a' + b')' * N
++            + b'>\n]>\n<root/>\n'
++        )
++
++        parser = expat.ParserCreate()
++        parser.ElementDeclHandler = lambda _1, _2: None
++        with support.infinite_recursion():
++            with self.assertRaises(RecursionError):
++                parser.Parse(data)
++
++
+ class MalformedInputTest(unittest.TestCase):
+     def test1(self):
+         xml = b"\0\r\n"
+diff --git a/Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst b/Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst
+new file mode 100644
+index 0000000000..79536d1fef
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst
+@@ -0,0 +1,4 @@
++:mod:`xml.parsers.expat`: Fixed a crash caused by unbounded C recursion when
++converting deeply nested XML content models with
++:meth:`~xml.parsers.expat.xmlparser.ElementDeclHandler`.
++This addresses :cve:`2026-4224`.
+diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c
+index 79492ca5c4..8673540f35 100644
+--- a/Modules/pyexpat.c
++++ b/Modules/pyexpat.c
+@@ -3,6 +3,7 @@
+ #endif
+ 
+ #include "Python.h"
++#include "pycore_ceval.h"           // _Py_EnterRecursiveCall()
+ #include "pycore_runtime.h"         // _Py_ID()
+ #include <ctype.h>
+ 
+@@ -578,6 +579,10 @@ static PyObject *
+ conv_content_model(XML_Content * const model,
+                    PyObject *(*conv_string)(const XML_Char *))
+ {
++    if (_Py_EnterRecursiveCall(" in conv_content_model")) {
++        return NULL;
++    }
++
+     PyObject *result = NULL;
+     PyObject *children = PyTuple_New(model->numchildren);
+     int i;
+@@ -589,7 +594,7 @@ conv_content_model(XML_Content * const model,
+                                                  conv_string);
+             if (child == NULL) {
+                 Py_XDECREF(children);
+-                return NULL;
++                goto done;
+             }
+             PyTuple_SET_ITEM(children, i, child);
+         }
+@@ -597,6 +602,8 @@ conv_content_model(XML_Content * const model,
+                                model->type, model->quant,
+                                conv_string,model->name, children);
+     }
++done:
++    _Py_LeaveRecursiveCall();
+     return result;
+ }
+ 

SOURCES/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch

@@ -1,483 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Victor Stinner <vstinner@python.org>
-Date: Fri, 15 Dec 2023 16:10:40 +0100
-Subject: [PATCH] 00415: [CVE-2023-27043] gh-102988: Reject malformed addresses
- in email.parseaddr() (#111116)
-
-Detect email address parsing errors and return empty tuple to
-indicate the parsing error (old API). Add an optional 'strict'
-parameter to getaddresses() and parseaddr() functions. Patch by
-Thomas Dwyer.
-
-Co-Authored-By: Thomas Dwyer <github@tomd.tel>
----
- Doc/library/email.utils.rst                   |  19 +-
- Lib/email/utils.py                            | 151 +++++++++++++-
- Lib/test/test_email/test_email.py             | 187 +++++++++++++++++-
- ...-10-20-15-28-08.gh-issue-102988.dStNO7.rst |   8 +
- 4 files changed, 344 insertions(+), 21 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst
-
-diff --git a/Doc/library/email.utils.rst b/Doc/library/email.utils.rst
-index 345b64001c..d693a9bc39 100644
---- a/Doc/library/email.utils.rst
-+++ b/Doc/library/email.utils.rst
-@@ -58,13 +58,18 @@ of the new API.
-    begins with angle brackets, they are stripped off.
- 
- 
--.. function:: parseaddr(address)
-+.. function:: parseaddr(address, *, strict=True)
- 
-    Parse address -- which should be the value of some address-containing field such
-    as :mailheader:`To` or :mailheader:`Cc` -- into its constituent *realname* and
-    *email address* parts.  Returns a tuple of that information, unless the parse
-    fails, in which case a 2-tuple of ``('', '')`` is returned.
- 
-+   If *strict* is true, use a strict parser which rejects malformed inputs.
-+
-+   .. versionchanged:: 3.13
-+      Add *strict* optional parameter and reject malformed inputs by default.
-+
- 
- .. function:: formataddr(pair, charset='utf-8')
- 
-@@ -82,12 +87,15 @@ of the new API.
-       Added the *charset* option.
- 
- 
--.. function:: getaddresses(fieldvalues)
-+.. function:: getaddresses(fieldvalues, *, strict=True)
- 
-    This method returns a list of 2-tuples of the form returned by ``parseaddr()``.
-    *fieldvalues* is a sequence of header field values as might be returned by
--   :meth:`Message.get_all <email.message.Message.get_all>`.  Here's a simple
--   example that gets all the recipients of a message::
-+   :meth:`Message.get_all <email.message.Message.get_all>`.
-+
-+   If *strict* is true, use a strict parser which rejects malformed inputs.
-+
-+   Here's a simple example that gets all the recipients of a message::
- 
-       from email.utils import getaddresses
- 
-@@ -97,6 +105,9 @@ of the new API.
-       resent_ccs = msg.get_all('resent-cc', [])
-       all_recipients = getaddresses(tos + ccs + resent_tos + resent_ccs)
- 
-+   .. versionchanged:: 3.13
-+      Add *strict* optional parameter and reject malformed inputs by default.
-+
- 
- .. function:: parsedate(date)
- 
-diff --git a/Lib/email/utils.py b/Lib/email/utils.py
-index 81da5394ea..43c3627fca 100644
---- a/Lib/email/utils.py
-+++ b/Lib/email/utils.py
-@@ -48,6 +48,7 @@
- specialsre = re.compile(r'[][\\()<>@,:;".]')
- escapesre = re.compile(r'[\\"]')
- 
-+
- def _has_surrogates(s):
-     """Return True if s contains surrogate-escaped binary data."""
-     # This check is based on the fact that unless there are surrogates, utf8
-@@ -106,12 +107,127 @@ def formataddr(pair, charset='utf-8'):
-     return address
- 
- 
-+def _iter_escaped_chars(addr):
-+    pos = 0
-+    escape = False
-+    for pos, ch in enumerate(addr):
-+        if escape:
-+            yield (pos, '\\' + ch)
-+            escape = False
-+        elif ch == '\\':
-+            escape = True
-+        else:
-+            yield (pos, ch)
-+    if escape:
-+        yield (pos, '\\')
- 
--def getaddresses(fieldvalues):
--    """Return a list of (REALNAME, EMAIL) for each fieldvalue."""
--    all = COMMASPACE.join(str(v) for v in fieldvalues)
--    a = _AddressList(all)
--    return a.addresslist
-+
-+def _strip_quoted_realnames(addr):
-+    """Strip real names between quotes."""
-+    if '"' not in addr:
-+        # Fast path
-+        return addr
-+
-+    start = 0
-+    open_pos = None
-+    result = []
-+    for pos, ch in _iter_escaped_chars(addr):
-+        if ch == '"':
-+            if open_pos is None:
-+                open_pos = pos
-+            else:
-+                if start != open_pos:
-+                    result.append(addr[start:open_pos])
-+                start = pos + 1
-+                open_pos = None
-+
-+    if start < len(addr):
-+        result.append(addr[start:])
-+
-+    return ''.join(result)
-+
-+
-+supports_strict_parsing = True
-+
-+def getaddresses(fieldvalues, *, strict=True):
-+    """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue.
-+
-+    When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in
-+    its place.
-+
-+    If strict is true, use a strict parser which rejects malformed inputs.
-+    """
-+
-+    # If strict is true, if the resulting list of parsed addresses is greater
-+    # than the number of fieldvalues in the input list, a parsing error has
-+    # occurred and consequently a list containing a single empty 2-tuple [('',
-+    # '')] is returned in its place. This is done to avoid invalid output.
-+    #
-+    # Malformed input: getaddresses(['alice@example.com <bob@example.com>'])
-+    # Invalid output: [('', 'alice@example.com'), ('', 'bob@example.com')]
-+    # Safe output: [('', '')]
-+
-+    if not strict:
-+        all = COMMASPACE.join(str(v) for v in fieldvalues)
-+        a = _AddressList(all)
-+        return a.addresslist
-+
-+    fieldvalues = [str(v) for v in fieldvalues]
-+    fieldvalues = _pre_parse_validation(fieldvalues)
-+    addr = COMMASPACE.join(fieldvalues)
-+    a = _AddressList(addr)
-+    result = _post_parse_validation(a.addresslist)
-+
-+    # Treat output as invalid if the number of addresses is not equal to the
-+    # expected number of addresses.
-+    n = 0
-+    for v in fieldvalues:
-+        # When a comma is used in the Real Name part it is not a deliminator.
-+        # So strip those out before counting the commas.
-+        v = _strip_quoted_realnames(v)
-+        # Expected number of addresses: 1 + number of commas
-+        n += 1 + v.count(',')
-+    if len(result) != n:
-+        return [('', '')]
-+
-+    return result
-+
-+
-+def _check_parenthesis(addr):
-+    # Ignore parenthesis in quoted real names.
-+    addr = _strip_quoted_realnames(addr)
-+
-+    opens = 0
-+    for pos, ch in _iter_escaped_chars(addr):
-+        if ch == '(':
-+            opens += 1
-+        elif ch == ')':
-+            opens -= 1
-+            if opens < 0:
-+                return False
-+    return (opens == 0)
-+
-+
-+def _pre_parse_validation(email_header_fields):
-+    accepted_values = []
-+    for v in email_header_fields:
-+        if not _check_parenthesis(v):
-+            v = "('', '')"
-+        accepted_values.append(v)
-+
-+    return accepted_values
-+
-+
-+def _post_parse_validation(parsed_email_header_tuples):
-+    accepted_values = []
-+    # The parser would have parsed a correctly formatted domain-literal
-+    # The existence of an [ after parsing indicates a parsing failure
-+    for v in parsed_email_header_tuples:
-+        if '[' in v[1]:
-+            v = ('', '')
-+        accepted_values.append(v)
-+
-+    return accepted_values
- 
- 
- def _format_timetuple_and_zone(timetuple, zone):
-@@ -205,16 +321,33 @@ def parsedate_to_datetime(data):
-             tzinfo=datetime.timezone(datetime.timedelta(seconds=tz)))
- 
- 
--def parseaddr(addr):
-+def parseaddr(addr, *, strict=True):
-     """
-     Parse addr into its constituent realname and email address parts.
- 
-     Return a tuple of realname and email address, unless the parse fails, in
-     which case return a 2-tuple of ('', '').
-+
-+    If strict is True, use a strict parser which rejects malformed inputs.
-     """
--    addrs = _AddressList(addr).addresslist
--    if not addrs:
--        return '', ''
-+    if not strict:
-+        addrs = _AddressList(addr).addresslist
-+        if not addrs:
-+            return ('', '')
-+        return addrs[0]
-+
-+    if isinstance(addr, list):
-+        addr = addr[0]
-+
-+    if not isinstance(addr, str):
-+        return ('', '')
-+
-+    addr = _pre_parse_validation([addr])[0]
-+    addrs = _post_parse_validation(_AddressList(addr).addresslist)
-+
-+    if not addrs or len(addrs) > 1:
-+        return ('', '')
-+
-     return addrs[0]
- 
- 
-diff --git a/Lib/test/test_email/test_email.py b/Lib/test/test_email/test_email.py
-index 2a237095b9..4672b790d8 100644
---- a/Lib/test/test_email/test_email.py
-+++ b/Lib/test/test_email/test_email.py
-@@ -16,6 +16,7 @@
- 
- import email
- import email.policy
-+import email.utils
- 
- from email.charset import Charset
- from email.generator import Generator, DecodedGenerator, BytesGenerator
-@@ -3337,15 +3338,137 @@ def test_getaddresses_comma_in_name(self):
-             ],
-         )
- 
-+    def test_parsing_errors(self):
-+        """Test for parsing errors from CVE-2023-27043 and CVE-2019-16056"""
-+        alice = 'alice@example.org'
-+        bob = 'bob@example.com'
-+        empty = ('', '')
-+
-+        # Test utils.getaddresses() and utils.parseaddr() on malformed email
-+        # addresses: default behavior (strict=True) rejects malformed address,
-+        # and strict=False which tolerates malformed address.
-+        for invalid_separator, expected_non_strict in (
-+            ('(', [(f'<{bob}>', alice)]),
-+            (')', [('', alice), empty, ('', bob)]),
-+            ('<', [('', alice), empty, ('', bob), empty]),
-+            ('>', [('', alice), empty, ('', bob)]),
-+            ('[', [('', f'{alice}[<{bob}>]')]),
-+            (']', [('', alice), empty, ('', bob)]),
-+            ('@', [empty, empty, ('', bob)]),
-+            (';', [('', alice), empty, ('', bob)]),
-+            (':', [('', alice), ('', bob)]),
-+            ('.', [('', alice + '.'), ('', bob)]),
-+            ('"', [('', alice), ('', f'<{bob}>')]),
-+        ):
-+            address = f'{alice}{invalid_separator}<{bob}>'
-+            with self.subTest(address=address):
-+                self.assertEqual(utils.getaddresses([address]),
-+                                 [empty])
-+                self.assertEqual(utils.getaddresses([address], strict=False),
-+                                 expected_non_strict)
-+
-+                self.assertEqual(utils.parseaddr([address]),
-+                                 empty)
-+                self.assertEqual(utils.parseaddr([address], strict=False),
-+                                 ('', address))
-+
-+        # Comma (',') is treated differently depending on strict parameter.
-+        # Comma without quotes.
-+        address = f'{alice},<{bob}>'
-+        self.assertEqual(utils.getaddresses([address]),
-+                         [('', alice), ('', bob)])
-+        self.assertEqual(utils.getaddresses([address], strict=False),
-+                         [('', alice), ('', bob)])
-+        self.assertEqual(utils.parseaddr([address]),
-+                         empty)
-+        self.assertEqual(utils.parseaddr([address], strict=False),
-+                         ('', address))
-+
-+        # Real name between quotes containing comma.
-+        address = '"Alice, alice@example.org" <bob@example.com>'
-+        expected_strict = ('Alice, alice@example.org', 'bob@example.com')
-+        self.assertEqual(utils.getaddresses([address]), [expected_strict])
-+        self.assertEqual(utils.getaddresses([address], strict=False), [expected_strict])
-+        self.assertEqual(utils.parseaddr([address]), expected_strict)
-+        self.assertEqual(utils.parseaddr([address], strict=False),
-+                         ('', address))
-+
-+        # Valid parenthesis in comments.
-+        address = 'alice@example.org (Alice)'
-+        expected_strict = ('Alice', 'alice@example.org')
-+        self.assertEqual(utils.getaddresses([address]), [expected_strict])
-+        self.assertEqual(utils.getaddresses([address], strict=False), [expected_strict])
-+        self.assertEqual(utils.parseaddr([address]), expected_strict)
-+        self.assertEqual(utils.parseaddr([address], strict=False),
-+                         ('', address))
-+
-+        # Invalid parenthesis in comments.
-+        address = 'alice@example.org )Alice('
-+        self.assertEqual(utils.getaddresses([address]), [empty])
-+        self.assertEqual(utils.getaddresses([address], strict=False),
-+                         [('', 'alice@example.org'), ('', ''), ('', 'Alice')])
-+        self.assertEqual(utils.parseaddr([address]), empty)
-+        self.assertEqual(utils.parseaddr([address], strict=False),
-+                         ('', address))
-+
-+        # Two addresses with quotes separated by comma.
-+        address = '"Jane Doe" <jane@example.net>, "John Doe" <john@example.net>'
-+        self.assertEqual(utils.getaddresses([address]),
-+                         [('Jane Doe', 'jane@example.net'),
-+                          ('John Doe', 'john@example.net')])
-+        self.assertEqual(utils.getaddresses([address], strict=False),
-+                         [('Jane Doe', 'jane@example.net'),
-+                          ('John Doe', 'john@example.net')])
-+        self.assertEqual(utils.parseaddr([address]), empty)
-+        self.assertEqual(utils.parseaddr([address], strict=False),
-+                         ('', address))
-+
-+        # Test email.utils.supports_strict_parsing attribute
-+        self.assertEqual(email.utils.supports_strict_parsing, True)
-+
-     def test_getaddresses_nasty(self):
--        eq = self.assertEqual
--        eq(utils.getaddresses(['foo: ;']), [('', '')])
--        eq(utils.getaddresses(
--           ['[]*-- =~$']),
--           [('', ''), ('', ''), ('', '*--')])
--        eq(utils.getaddresses(
--           ['foo: ;', '"Jason R. Mastaler" <jason@dom.ain>']),
--           [('', ''), ('Jason R. Mastaler', 'jason@dom.ain')])
-+        for addresses, expected in (
-+            (['"Sürname, Firstname" <to@example.com>'],
-+             [('Sürname, Firstname', 'to@example.com')]),
-+
-+            (['foo: ;'],
-+             [('', '')]),
-+
-+            (['foo: ;', '"Jason R. Mastaler" <jason@dom.ain>'],
-+             [('', ''), ('Jason R. Mastaler', 'jason@dom.ain')]),
-+
-+            ([r'Pete(A nice \) chap) <pete(his account)@silly.test(his host)>'],
-+             [('Pete (A nice ) chap his account his host)', 'pete@silly.test')]),
-+
-+            (['(Empty list)(start)Undisclosed recipients  :(nobody(I know))'],
-+             [('', '')]),
-+
-+            (['Mary <@machine.tld:mary@example.net>, , jdoe@test   . example'],
-+             [('Mary', 'mary@example.net'), ('', ''), ('', 'jdoe@test.example')]),
-+
-+            (['John Doe <jdoe@machine(comment).  example>'],
-+             [('John Doe (comment)', 'jdoe@machine.example')]),
-+
-+            (['"Mary Smith: Personal Account" <smith@home.example>'],
-+             [('Mary Smith: Personal Account', 'smith@home.example')]),
-+
-+            (['Undisclosed recipients:;'],
-+             [('', '')]),
-+
-+            ([r'<boss@nil.test>, "Giant; \"Big\" Box" <bob@example.net>'],
-+             [('', 'boss@nil.test'), ('Giant; "Big" Box', 'bob@example.net')]),
-+        ):
-+            with self.subTest(addresses=addresses):
-+                self.assertEqual(utils.getaddresses(addresses),
-+                                 expected)
-+                self.assertEqual(utils.getaddresses(addresses, strict=False),
-+                                 expected)
-+
-+        addresses = ['[]*-- =~$']
-+        self.assertEqual(utils.getaddresses(addresses),
-+                         [('', '')])
-+        self.assertEqual(utils.getaddresses(addresses, strict=False),
-+                         [('', ''), ('', ''), ('', '*--')])
- 
-     def test_getaddresses_embedded_comment(self):
-         """Test proper handling of a nested comment"""
-@@ -3536,6 +3659,54 @@ def test_mime_classes_policy_argument(self):
-                 m = cls(*constructor, policy=email.policy.default)
-                 self.assertIs(m.policy, email.policy.default)
- 
-+    def test_iter_escaped_chars(self):
-+        self.assertEqual(list(utils._iter_escaped_chars(r'a\\b\"c\\"d')),
-+                         [(0, 'a'),
-+                          (2, '\\\\'),
-+                          (3, 'b'),
-+                          (5, '\\"'),
-+                          (6, 'c'),
-+                          (8, '\\\\'),
-+                          (9, '"'),
-+                          (10, 'd')])
-+        self.assertEqual(list(utils._iter_escaped_chars('a\\')),
-+                         [(0, 'a'), (1, '\\')])
-+
-+    def test_strip_quoted_realnames(self):
-+        def check(addr, expected):
-+            self.assertEqual(utils._strip_quoted_realnames(addr), expected)
-+
-+        check('"Jane Doe" <jane@example.net>, "John Doe" <john@example.net>',
-+              ' <jane@example.net>,  <john@example.net>')
-+        check(r'"Jane \"Doe\"." <jane@example.net>',
-+              ' <jane@example.net>')
-+
-+        # special cases
-+        check(r'before"name"after', 'beforeafter')
-+        check(r'before"name"', 'before')
-+        check(r'b"name"', 'b')  # single char
-+        check(r'"name"after', 'after')
-+        check(r'"name"a', 'a')  # single char
-+        check(r'"name"', '')
-+
-+        # no change
-+        for addr in (
-+            'Jane Doe <jane@example.net>, John Doe <john@example.net>',
-+            'lone " quote',
-+        ):
-+            self.assertEqual(utils._strip_quoted_realnames(addr), addr)
-+
-+
-+    def test_check_parenthesis(self):
-+        addr = 'alice@example.net'
-+        self.assertTrue(utils._check_parenthesis(f'{addr} (Alice)'))
-+        self.assertFalse(utils._check_parenthesis(f'{addr} )Alice('))
-+        self.assertFalse(utils._check_parenthesis(f'{addr} (Alice))'))
-+        self.assertFalse(utils._check_parenthesis(f'{addr} ((Alice)'))
-+
-+        # Ignore real name between quotes
-+        self.assertTrue(utils._check_parenthesis(f'")Alice((" {addr}'))
-+
- 
- # Test the iterator/generators
- class TestIterators(TestEmailBase):
-diff --git a/Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst b/Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst
-new file mode 100644
-index 0000000000..3d0e9e4078
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst
-@@ -0,0 +1,8 @@
-+:func:`email.utils.getaddresses` and :func:`email.utils.parseaddr` now
-+return ``('', '')`` 2-tuples in more situations where invalid email
-+addresses are encountered instead of potentially inaccurate values. Add
-+optional *strict* parameter to these two functions: use ``strict=False`` to
-+get the old behavior, accept malformed inputs.
-+``getattr(email.utils, 'supports_strict_parsing', False)`` can be use to check
-+if the *strict* paramater is available. Patch by Thomas Dwyer and Victor
-+Stinner to improve the CVE-2023-27043 fix.

SOURCES/Python-3.12.1.tar.xz.asc

@@ -1,18 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQKTBAABCgB9FiEEcWlgX2LHUTVtBUomqCHmgOX6YwUFAmVyMspfFIAAAAAALgAo
-aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDcx
-Njk2MDVGNjJDNzUxMzU2RDA1NEEyNkE4MjFFNjgwRTVGQTYzMDUACgkQqCHmgOX6
-YwWv5w/+JlGtfy+x+6mtauH1uOkt7n9PMQou1LcthDs5s41wuwjO7RbwnmJD6aDk
-DqwLHheoq6Kjbl6PF1kG2T8ZbHkMudhnc5yH4eQG52IGNQ6evilxoC6AyhVg8ANi
-+u6Juh9r2Hjz/LDWFB4hzwcOBKy0jYw98+A0uMvpPd2bmdFMBLQE0GTZCdrRsGYs
-q0oysUX7uCJBfINp7XwiVGAK/6ma0nrr0A1ho6LCau+VGkDnJZdKZgIMyyxp6qL1
-7tMjb3LUpV3FWp57L2za59TaayApNf5BlanC+de6oKEhEJ8oEFyWxOx2GmXHZwch
-ucj7Z1dxuI7fjNVkEvZ+JuheLGtB9mAmUZslXgUJf5wo49bCo9E4/ZlIFQk7VJR3
-Bm9VlQb5mMydB8QJbMy/BpgNjgKmEvBTnir37prJpUV/TL1YZT0eZ5JxCnlUIL/F
-6cOzAE3zHPnvHcyHhKV3q5CoONdBtB3RWgS66m4eMneuWoNKaoEbO5IDxtKvCd1J
-AKLmzCB0/KCWVUIYBTfJ8ytBVQA0Z2w8CZ7SC8asX4DocDCvxim1sQg5s8c4mzh+
-1JVbyqqEmf9m74Mqby0vICC6UVvgaPyiOxTphtRXLIYHUscLVn5+586RMYnM9nP4
-nEK+H/fq6Rcp1XEtIPzCG4IPUAYnuDLjbGQegltpKV/SAYn+DGg=
-=dCpy
------END PGP SIGNATURE-----

SOURCES/import_all_modules_py3_12.py

@@ -1,171 +0,0 @@
-'''Script to perform import of each module given to %%py_check_import
-'''
-import argparse
-import importlib
-import fnmatch
-import os
-import re
-import site
-import sys
-
-from contextlib import contextmanager
-from pathlib import Path
-
-
-def read_modules_files(file_paths):
-    '''Read module names from the files (modules must be newline separated).
-
-    Return the module names list or, if no files were provided, an empty list.
-    '''
-
-    if not file_paths:
-        return []
-
-    modules = []
-    for file in file_paths:
-        file_contents = file.read_text()
-        modules.extend(file_contents.split())
-    return modules
-
-
-def read_modules_from_cli(argv):
-    '''Read module names from command-line arguments (space or comma separated).
-
-    Return the module names list.
-    '''
-
-    if not argv:
-        return []
-
-    # %%py3_check_import allows to separate module list with comma or whitespace,
-    # we need to unify the output to a list of particular elements
-    modules_as_str = ' '.join(argv)
-    modules = re.split(r'[\s,]+', modules_as_str)
-    # Because of shell expansion in some less typical cases it may happen
-    # that a trailing space will occur at the end of the list.
-    # Remove the empty items from the list before passing it further
-    modules = [m for m in modules if m]
-    return modules
-
-
-def filter_top_level_modules_only(modules):
-    '''Filter out entries with nested modules (containing dot) ie. 'foo.bar'.
-
-    Return the list of top-level modules.
-    '''
-
-    return [module for module in modules if '.' not in module]
-
-
-def any_match(text, globs):
-    '''Return True if any of given globs fnmatchcase's the given text.'''
-
-    return any(fnmatch.fnmatchcase(text, g) for g in globs)
-
-
-def exclude_unwanted_module_globs(globs, modules):
-    '''Filter out entries which match the either of the globs given as argv.
-
-    Return the list of filtered modules.
-    '''
-
-    return [m for m in modules if not any_match(m, globs)]
-
-
-def read_modules_from_all_args(args):
-    '''Return a joined list of modules from all given command-line arguments.
-    '''
-
-    modules = read_modules_files(args.filename)
-    modules.extend(read_modules_from_cli(args.modules))
-    if args.exclude:
-        modules = exclude_unwanted_module_globs(args.exclude, modules)
-
-    if args.top_level:
-        modules = filter_top_level_modules_only(modules)
-
-    # Error when someone accidentally managed to filter out everything
-    if len(modules) == 0:
-        raise ValueError('No modules to check were left')
-
-    return modules
-
-
-def import_modules(modules):
-    '''Procedure to perform import check for each module name from the given list of modules.
-    '''
-
-    for module in modules:
-        print('Check import:', module, file=sys.stderr)
-        importlib.import_module(module)
-
-
-def argparser():
-    parser = argparse.ArgumentParser(
-        description='Generate list of all importable modules for import check.'
-    )
-    parser.add_argument(
-        'modules', nargs='*',
-        help=('Add modules to check the import (space or comma separated).'),
-    )
-    parser.add_argument(
-        '-f', '--filename', action='append', type=Path,
-        help='Add importable module names list from file.',
-    )
-    parser.add_argument(
-        '-t', '--top-level', action='store_true',
-        help='Check only top-level modules.',
-    )
-    parser.add_argument(
-        '-e', '--exclude', action='append',
-        help='Provide modules globs to be excluded from the check.',
-    )
-    return parser
-
-
-@contextmanager
-def remove_unwanteds_from_sys_path():
-    '''Remove cwd and this script's parent from sys.path for the import test.
-    Bring the original contents back after import is done (or failed)
-    '''
-
-    cwd_absolute = Path.cwd().absolute()
-    this_file_parent = Path(__file__).parent.absolute()
-    old_sys_path = list(sys.path)
-    for path in old_sys_path:
-        if Path(path).absolute() in (cwd_absolute, this_file_parent):
-            sys.path.remove(path)
-    try:
-        yield
-    finally:
-        sys.path = old_sys_path
-
-
-def addsitedirs_from_environ():
-    '''Load directories from the _PYTHONSITE environment variable (separated by :)
-    and load the ones already present in sys.path via site.addsitedir()
-    to handle .pth files in them.
-
-    This is needed to properly import old-style namespace packages with nspkg.pth files.
-    See https://bugzilla.redhat.com/2018551 for a more detailed rationale.'''
-    for path in os.getenv('_PYTHONSITE', '').split(':'):
-        if path in sys.path:
-            site.addsitedir(path)
-
-
-def main(argv=None):
-
-    cli_args = argparser().parse_args(argv)
-
-    if not cli_args.modules and not cli_args.filename:
-        raise ValueError('No modules to check were provided')
-
-    modules = read_modules_from_all_args(cli_args)
-
-    with remove_unwanteds_from_sys_path():
-        addsitedirs_from_environ()
-        import_modules(modules)
-
-
-if __name__ == '__main__':
-    main()

SOURCES/macros.python3.12

@@ -1,91 +0,0 @@
-%__python3 /usr/bin/python3.12
-%python3_pkgversion 3.12
-
-# The following are macros from macros.python3 in Fedora that are newer/different than those in the python3-rpm-macros package in RHEL 8.
-# These macros overwrite/supercede some of the macros in the python3-rpm-macros package in RHEL.
-
-# nb: $RPM_BUILD_ROOT is not set when the macros are expanded (at spec parse time)
-#     so we set it manually (to empty string), making our Python prefer the correct install scheme location
-# platbase/base is explicitly set to %%{_prefix} to support custom values, such as /app for flatpaks
-%python3_sitelib %(RPM_BUILD_ROOT= %{__python3} -Ic "import sysconfig; print(sysconfig.get_path('purelib', vars={'platbase': '%{_prefix}', 'base': '%{_prefix}'}))")
-%python3_sitearch %(RPM_BUILD_ROOT= %{__python3} -Ic "import sysconfig; print(sysconfig.get_path('platlib', vars={'platbase': '%{_prefix}', 'base': '%{_prefix}'}))")
-%python3_version %(RPM_BUILD_ROOT= %{__python3} -Ic "import sys; sys.stdout.write('{0.major}.{0.minor}'.format(sys.version_info))")
-%python3_version_nodots %(RPM_BUILD_ROOT= %{__python3} -Ic "import sys; sys.stdout.write('{0.major}{0.minor}'.format(sys.version_info))")
-%python3_platform %(RPM_BUILD_ROOT= %{__python3} -Ic "import sysconfig; print(sysconfig.get_platform())")
-%python3_platform_triplet %(RPM_BUILD_ROOT= %{__python3} -Ic "import sysconfig; print(sysconfig.get_config_var('MULTIARCH'))")
-%python3_ext_suffix %(RPM_BUILD_ROOT= %{__python3} -Ic "import sysconfig; print(sysconfig.get_config_var('EXT_SUFFIX'))")
-%python3_cache_tag %(RPM_BUILD_ROOT= %{__python3} -Ic "import sys; print(sys.implementation.cache_tag)")
-
-%_py3_shebang_s s
-%_py3_shebang_P %(RPM_BUILD_ROOT= %{__python3} -Ic "import sys; print('P' if hasattr(sys.flags, 'safe_path') else '')")
-%py3_shbang_opts -%{?_py3_shebang_s}%{?_py3_shebang_P}
-
-%py3_shebang_fix %{expand:\\\
-  if [ -z "%{?py3_shebang_flags}" ]; then
-    shebang_flags="-k"
-  else
-    shebang_flags="-ka%{py3_shebang_flags}"
-  fi
-  %{__python3} -B %{_rpmconfigdir}/redhat/pathfix_py3_12.py -pni %{__python3} $shebang_flags}
-
-%py3_install() %{expand:\\\
-  CFLAGS="${CFLAGS:-${RPM_OPT_FLAGS}}" LDFLAGS="${LDFLAGS:-${RPM_LD_FLAGS}}"\\\
-  %{__python3} %{py_setup} %{?py_setup_args} install -O1 --skip-build --root %{buildroot} --prefix %{_prefix} %{?*}
-  rm -rfv %{buildroot}%{_bindir}/__pycache__
-}
-
-%py3_install_egg() %{expand:\\\
-  mkdir -p %{buildroot}%{python3_sitelib}
-  %{__python3} -m easy_install -m --prefix %{buildroot}%{_prefix} -Z dist/*-py%{python3_version}.egg %{?*}
-  rm -rfv %{buildroot}%{_bindir}/__pycache__
-}
-
-%py3_install_wheel() %{expand:\\\
-  %{__python3} -m pip install -I dist/%{1} --root %{buildroot} --prefix %{_prefix} --no-deps --no-index --no-warn-script-location
-  rm -rfv %{buildroot}%{_bindir}/__pycache__
-  for distinfo in %{buildroot}%{python3_sitelib}/*.dist-info %{buildroot}%{python3_sitearch}/*.dist-info; do
-    if [ -f ${distinfo}/direct_url.json ]; then
-      rm -fv ${distinfo}/direct_url.json
-      sed -i '/direct_url.json/d' ${distinfo}/RECORD
-    fi
-  done
-}
-
-# With $PATH and $PYTHONPATH set to the %%buildroot,
-# try to import the Python 3 module(s) given as command-line args or read from file (-f).
-# Respect the custom values of %%py3_shebang_flags or set nothing if it's undefined.
-# Filter and check import on only top-level modules using -t flag.
-# Exclude unwanted modules by passing their globs to -e option.
-# Useful as a smoke test in %%check when running tests is not feasible.
-# Use spaces or commas as separators if providing list directly.
-# Use newlines as separators if providing list in a file.
-%py3_check_import(e:tf:) %{expand:\\\
-  PATH="%{buildroot}%{_bindir}:$PATH"\\\
-  PYTHONPATH="${PYTHONPATH:-%{buildroot}%{python3_sitearch}:%{buildroot}%{python3_sitelib}}"\\\
-  _PYTHONSITE="%{buildroot}%{python3_sitearch}:%{buildroot}%{python3_sitelib}"\\\
-  PYTHONDONTWRITEBYTECODE=1\\\
-  %{lua:
-  local command = "%{__python3} "
-  if rpm.expand("%{?py3_shebang_flags}") ~= "" then
-    command = command .. "-%{py3_shebang_flags}"
-  end
-  command = command .. " %{_rpmconfigdir}/redhat/import_all_modules_py3_12.py "
-  -- handle multiline arguments correctly, see https://bugzilla.redhat.com/2018809
-  local args=rpm.expand('%{?**}'):gsub("[%s\\\\]*%s+", " ")
-  print(command .. args)
-  }
-}
-
-# Environment variables used by %%pytest, %%tox or standalone, e.g.:
-#  %%{py3_test_envvars} %%{python3} -m unittest
-%py3_test_envvars %{expand:\\\
-  CFLAGS="${CFLAGS:-${RPM_OPT_FLAGS}}" LDFLAGS="${LDFLAGS:-${RPM_LD_FLAGS}}"\\\
-  PATH="%{buildroot}%{_bindir}:$PATH"\\\
-  PYTHONPATH="${PYTHONPATH:-%{buildroot}%{python3_sitearch}:%{buildroot}%{python3_sitelib}}"\\\
-  PYTHONDONTWRITEBYTECODE=1\\\
-  %{?__pytest_addopts:PYTEST_ADDOPTS="${PYTEST_ADDOPTS:-} %{__pytest_addopts}"}\\\
-  PYTEST_XDIST_AUTO_NUM_WORKERS=%{_smp_build_ncpus}}
-
-# This is intended for Python 3 only, hence also no Python version in the name.
-%__pytest /usr/bin/pytest-%{python3_version}
-%pytest %py3_test_envvars %__pytest

SOURCES/pathfix_py3_12.py

@@ -1,199 +0,0 @@
-#!/usr/bin/env python3
-
-import sys
-import os
-from stat import *
-import getopt
-
-err = sys.stderr.write
-dbg = err
-rep = sys.stdout.write
-
-new_interpreter = None
-preserve_timestamps = False
-create_backup = True
-keep_flags = False
-add_flags = b''
-
-
-def main():
-    global new_interpreter
-    global preserve_timestamps
-    global create_backup
-    global keep_flags
-    global add_flags
-
-    usage = ('usage: %s -i /interpreter -p -n -k -a file-or-directory ...\n' %
-             sys.argv[0])
-    try:
-        opts, args = getopt.getopt(sys.argv[1:], 'i:a:kpn')
-    except getopt.error as msg:
-        err(str(msg) + '\n')
-        err(usage)
-        sys.exit(2)
-    for o, a in opts:
-        if o == '-i':
-            new_interpreter = a.encode()
-        if o == '-p':
-            preserve_timestamps = True
-        if o == '-n':
-            create_backup = False
-        if o == '-k':
-            keep_flags = True
-        if o == '-a':
-            add_flags = a.encode()
-            if b' ' in add_flags:
-                err("-a option doesn't support whitespaces")
-                sys.exit(2)
-    if not new_interpreter or not new_interpreter.startswith(b'/') or \
-           not args:
-        err('-i option or file-or-directory missing\n')
-        err(usage)
-        sys.exit(2)
-    bad = 0
-    for arg in args:
-        if os.path.isdir(arg):
-            if recursedown(arg): bad = 1
-        elif os.path.islink(arg):
-            err(arg + ': will not process symbolic links\n')
-            bad = 1
-        else:
-            if fix(arg): bad = 1
-    sys.exit(bad)
-
-
-def ispython(name):
-    return name.endswith('.py')
-
-
-def recursedown(dirname):
-    dbg('recursedown(%r)\n' % (dirname,))
-    bad = 0
-    try:
-        names = os.listdir(dirname)
-    except OSError as msg:
-        err('%s: cannot list directory: %r\n' % (dirname, msg))
-        return 1
-    names.sort()
-    subdirs = []
-    for name in names:
-        if name in (os.curdir, os.pardir): continue
-        fullname = os.path.join(dirname, name)
-        if os.path.islink(fullname): pass
-        elif os.path.isdir(fullname):
-            subdirs.append(fullname)
-        elif ispython(name):
-            if fix(fullname): bad = 1
-    for fullname in subdirs:
-        if recursedown(fullname): bad = 1
-    return bad
-
-
-def fix(filename):
-##  dbg('fix(%r)\n' % (filename,))
-    try:
-        f = open(filename, 'rb')
-    except IOError as msg:
-        err('%s: cannot open: %r\n' % (filename, msg))
-        return 1
-    with f:
-        line = f.readline()
-        fixed = fixline(line)
-        if line == fixed:
-            rep(filename+': no change\n')
-            return
-        head, tail = os.path.split(filename)
-        tempname = os.path.join(head, '@' + tail)
-        try:
-            g = open(tempname, 'wb')
-        except IOError as msg:
-            err('%s: cannot create: %r\n' % (tempname, msg))
-            return 1
-        with g:
-            rep(filename + ': updating\n')
-            g.write(fixed)
-            BUFSIZE = 8*1024
-            while 1:
-                buf = f.read(BUFSIZE)
-                if not buf: break
-                g.write(buf)
-
-    # Finishing touch -- move files
-
-    mtime = None
-    atime = None
-    # First copy the file's mode to the temp file
-    try:
-        statbuf = os.stat(filename)
-        mtime = statbuf.st_mtime
-        atime = statbuf.st_atime
-        os.chmod(tempname, statbuf[ST_MODE] & 0o7777)
-    except OSError as msg:
-        err('%s: warning: chmod failed (%r)\n' % (tempname, msg))
-    # Then make a backup of the original file as filename~
-    if create_backup:
-        try:
-            os.rename(filename, filename + '~')
-        except OSError as msg:
-            err('%s: warning: backup failed (%r)\n' % (filename, msg))
-    else:
-        try:
-            os.remove(filename)
-        except OSError as msg:
-            err('%s: warning: removing failed (%r)\n' % (filename, msg))
-    # Now move the temp file to the original file
-    try:
-        os.rename(tempname, filename)
-    except OSError as msg:
-        err('%s: rename failed (%r)\n' % (filename, msg))
-        return 1
-    if preserve_timestamps:
-        if atime and mtime:
-            try:
-                os.utime(filename, (atime, mtime))
-            except OSError as msg:
-                err('%s: reset of timestamp failed (%r)\n' % (filename, msg))
-                return 1
-    # Return success
-    return 0
-
-
-def parse_shebang(shebangline):
-    shebangline = shebangline.rstrip(b'\n')
-    start = shebangline.find(b' -')
-    if start == -1:
-        return b''
-    return shebangline[start:]
-
-
-def populate_flags(shebangline):
-    old_flags = b''
-    if keep_flags:
-        old_flags = parse_shebang(shebangline)
-        if old_flags:
-            old_flags = old_flags[2:]
-    if not (old_flags or add_flags):
-        return b''
-    # On Linux, the entire string following the interpreter name
-    # is passed as a single argument to the interpreter.
-    # e.g. "#! /usr/bin/python3 -W Error -s" runs "/usr/bin/python3 "-W Error -s"
-    # so shebang should have single '-' where flags are given and
-    # flag might need argument for that reasons adding new flags is
-    # between '-' and original flags
-    # e.g. #! /usr/bin/python3 -sW Error
-    return b' -' + add_flags + old_flags
-
-
-def fixline(line):
-    if not line.startswith(b'#!'):
-        return line
-
-    if b"python" not in line:
-        return line
-
-    flags = populate_flags(line)
-    return b'#! ' + new_interpreter + flags + b'\n'
-
-
-if __name__ == '__main__':
-    main()

check-pyc-timestamps.py

@@ -16,7 +16,6 @@ LEVELS = (None, 1, 2)
 # list of globs of test and other files that we expect not to have bytecode
 not_compiled = [
     '/usr/bin/*',
-    '/usr/lib/rpm/redhat/*',
     '*/test/badsyntax_*.py',
     '*/tokenizedata/bad_coding.py',
     '*/tokenizedata/bad_coding2.py',

expat-requires.py

@@ -0,0 +1,50 @@
+import pathlib
+import pyexpat
+import sys
+
+
+# This will determine the version of currently installed expat
+EXPAT_VERSION = pyexpat.EXPAT_VERSION.removeprefix('expat_')
+MAJOR, MINOR, PATCH = (int(i) for i in EXPAT_VERSION.split('.'))
+EXPAT_COMBINED_VERSION = 10000*MAJOR + 100*MINOR + PATCH
+
+# For the listed files, we find all XML_COMBINED_VERSION-based #ifs
+SRC = pathlib.Path.cwd()
+SOURCES = [
+    SRC / 'Modules/pyexpat.c',
+    SRC / 'Modules/clinic/pyexpat.c.h',
+]
+versions = set()
+for source in SOURCES:
+    for line in source.read_text().splitlines():
+        if 'XML_COMBINED_VERSION' not in line:
+            continue
+        words = line.split()
+        if words[0] == '#define':
+            continue
+        if len(words) != 4:
+            continue
+        if words[0] not in ('#if', '#elif'):
+            continue
+        if words[1].startswith('(') and words[-1].endswith(')'):
+            words[1] = words[1][1:]
+            words[-1] = words[-1][:-1]
+        if words[1] == 'XML_COMBINED_VERSION':
+            version = int(words[3])
+            if words[2] == '>':
+                versions.add(version+1)
+                continue
+            if words[2] == '>=':
+                versions.add(version)
+                continue
+        raise ValueError(
+            'Unknown line with XML_COMBINED_VERSION, adjust this script:\n\n'
+            f'{line}'
+        )
+
+# We need the highest satisfiable version used in the #ifs, in x.y.z notation
+v = max({v for v in versions if v <= EXPAT_COMBINED_VERSION})
+major, minor_patch = divmod(v, 10000)
+minor, patch = divmod(minor_patch, 100)
+print(f"{major}.{minor}.{patch}")
+

gating.yaml

@@ -0,0 +1,5 @@
+--- !Policy
+
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

plan.fmf

@@ -0,0 +1,61 @@
+execute:
+  how: tmt
+
+provision:
+  hardware:
+    memory: '>= 3 GB'
+
+environment:
+  pybasever: '3.12'
+
+discover:
+  - name: tests_python
+    how: shell
+    url: https://gitlab.com/redhat/centos-stream/tests/python.git
+    tests:
+    - name: smoke
+      path: /smoke
+      test: "VERSION=${pybasever} TOX=false ./venv.sh"
+    - name: debugsmoke
+      path: /smoke
+      test: "PYTHON=python${pybasever}d TOX=false VERSION=${pybasever} ./venv.sh"
+    - name: selftest
+      path: /selftest
+      test: "VERSION=${pybasever} X='-i test_check_probes' ./parallel.sh"
+    - name: debugtest
+      path: /selftest
+      test: "VERSION=${pybasever} PYTHON=python${pybasever}d X='-i test_check_probes' ./parallel.sh"
+    - name: optimizedflags
+      path: /flags
+      test: "python${pybasever} ./assertflags.py -O3"
+    - name: debugflags
+      path: /flags
+      test: "python${pybasever}d ./assertflags.py -O0"
+    - name: marshalparser
+      path: /marshalparser
+      test: "VERSION=${pybasever} SAMPLE=10 ./test_marshalparser_compatibility.sh"
+
+prepare:
+  - name: Install dependencies
+    how: install
+    package:
+    - gcc  # for extension building in venv and selftest
+    - gcc-c++ # for test_cppext
+    - gdb  # for test_gdb
+    - "python${pybasever}"  # the test subject
+    - "python${pybasever}-debug"  # for leak testing
+    - "python${pybasever}-devel"  # for extension building in venv and selftest
+    - "python${pybasever}-tkinter"  # for selftest
+    - "python${pybasever}-test"  # for selftest
+    - glibc-all-langpacks # for locale tests
+    - marshalparser  # for testing compatibility (magic numbers) with marshalparser
+    - rpm  # for debugging
+    - dnf  # for upgrade
+    - perf # for test_perf_profiler
+  - name: Update packages
+    how: shell
+    script: dnf upgrade -y
+  - name: rpm_qa
+    order: 100
+    how: shell
+    script: rpm -qa | sort | tee $TMT_PLAN_DATA/rpmqa.txt

rpminspect.yaml

@@ -0,0 +1,37 @@
+# exclude test XML data (not always valid) from XML validity check:
+xml:
+    ignore:
+        - '/usr/lib*/python*/test/xmltestdata/*'
+        - '/usr/lib*/python*/test/xmltestdata/*/*'
+
+# exclude _socket from ipv4 only functions check, it has both ipv4 and ipv6 only
+badfuncs:
+    allowed:
+        '/usr/lib*/python*/lib-dynload/_socket.*':
+            - inet_aton
+            - inet_ntoa
+
+# exclude the debug build from annocheck entirely
+annocheck:
+    ignore:
+        - '/usr/bin/python*d'
+        - '/usr/lib*/libpython*d.so.1.0'
+        - '/usr/lib*/python*/lib-dynload/*.cpython-*d-*-*-*.so'
+
+# don't report changed content of compiled files
+# that is expected with every toolchain update and not reproducible yet
+changedfiles:
+    # note that this is a posix regex, so no \d
+    exclude_path: (\.so(\.[0-9]+(\.[0-9]+)?)?$|^/usr/bin/python[0-9]+\.[0-9]+d?m?$)
+
+# files change size all the time, we don't need to VERIFY it
+# however, the INFO is useful, so we don't disable the check entirely
+filesize:
+    # artificially large number, TODO a better way
+    size_threshold: 100000
+
+
+# completely disabled inspections:
+inspections:
+    # we know about our patches, no need to report anything
+    patches: off

rpmlint.toml

@@ -0,0 +1,106 @@
+Filters = [
+
+    # KNOWN BUGS:
+    # https://bugzilla.redhat.com/show_bug.cgi?id=1489816
+    'crypto-policy-non-compliance-openssl',
+
+
+    # TESTS:
+    '(zero-length|pem-certificate|uncompressed-zip) /usr/lib(64)?/python3\.\d+/test',
+
+
+    # OTHER DELIBERATES:
+    # chroot function
+    'missing-call-to-chdir-with-chroot',
+
+    # gethostbyname function calls gethostbyname
+    '(E|W): binary-or-shlib-calls-gethostbyname /usr/lib(64)?/python3\.\d+/lib-dynload/_socket\.',
+
+    # intentionally unversioned and selfobsoleted
+    'unversioned-explicit-obsoletes python',
+    'unversioned Obsoletes: Obsoletes: python3\.\d+$',
+    'self-obsoletion python3\.\d+(-\S+)? obsoletes python3\.\d+(-\S+)?',
+
+    # intentionally hardcoded
+    'hardcoded-library-path in %{_prefix}/lib/(debug/%{_libdir}|python%{pybasever})',
+
+    # we have non binary stuff, python files
+    'only-non-binary-in-usr-lib',
+
+    # some devel files that are deliberately needed
+    'devel-file-in-non-devel-package /usr/include/python3\.\d+m?/pyconfig-(32|64)\.h',
+    'devel-file-in-non-devel-package /usr/lib(64)?/python3\.\d+/distutils/tests/xxmodule\.c',
+    # ...or are used as test data
+    'devel-file-in-non-devel-package /usr/lib(64)?/python3\.\d+/test',
+
+    # some bytecode is shipped without sources on purpose, as a space optimization
+    # if this regex needs to be relaxed in the future, make sure it **does not** match pyc files in __pycache__
+    'python-bytecode-without-source /usr/lib(64)?/python3\.\d+/(encodings|pydoc_data)/[^/]+.pyc',
+
+    # DUPLICATE FILES
+    # test data are often duplicated
+    '(E|W): files-duplicate /usr/lib(64)?/python3\.\d+/(test|__phello__)/',
+    # duplicated inits or mains are also common
+    '(E|W): files-duplicate .+__init__\.py.+__init__\.py',
+    '(E|W): files-duplicate .+__main__\.py.+__main__\.py',
+    # files in the debugsource package
+    '(E|W): files-duplicate /usr/src/debug',
+    # general waste report
+    '(E|W): files-duplicated-waste',
+
+    # SORRY, NOT SORRY:
+    # manual pages
+    'no-manual-page-for-binary (idle|pydoc|pyvenv|2to3|python3?-debug|pathfix|msgfmt|pygettext)',
+    'no-manual-page-for-binary python3?.*-config$',
+    'no-manual-page-for-binary python3\.\d+dm?$',
+
+    # missing documentation from subpackages
+    '^python3(\.\d+)?-(debug|tkinter|test|idle)\.[^:]+: (E|W): no-documentation',
+
+    # platform python is obsoleted, but not provided
+    'obsolete-not-provided platform-python',
+
+    # we have extra tokens at the end of %endif/%else directives, we consider them useful
+    'extra tokens at the end of %(endif|else) directive',
+
+
+    # RPMLINT IMPERFECTIONS
+    # https://github.com/rpm-software-management/rpmlint/issues/780
+    '/usr/lib/debug',
+
+    # we provide python(abi) manually to be sure. createrepo will merge this with the automatic
+    'python3(\.\d+)?\.[^:-]+: (E|W): useless-provides python\(abi\)',
+
+    # debugsource and debuginfo have no docs
+    '^python3(\.\d+)?-debug(source|info)\.[^:]+: (E|W): no-documentation',
+
+    # this is OK for F28+
+    'library-without-ldconfig-post',
+
+    # debug package contains devel and non-devel files
+    'python3(\.\d+)?-debug\.[^:]+: (E|W): (non-)?devel-file-in-(non-)?devel-package',
+
+    # this goes to other subpackage, hence not actually dangling
+    'dangling-relative-symlink /usr/bin/python python3',
+    'dangling-relative-symlink /usr/share/man/man1/python\.1\.gz python3\.1\.gz',
+    'dangling-relative-symlink /usr/lib(64)?/pkgconfig/python-3\.\d+dm?(-embed)?\.pc python-3\.\d+(-embed)?\.pc',
+
+    # the python-unversioned-command package contains dangling symlinks by design
+    '^python-unversioned-command\.[^:]+: (E|W): dangling-relative-symlink (/usr/bin/python \./python3|/usr/share/man/man1/python\.1\S* ./python3\.1\S*)$',
+
+    # we need this macro to evaluate, even if the line starts with #
+    'macro-in-comment %\{_pyconfig(32|64)_h\}',
+
+    # Python modules don't need to be linked against libc
+    # Since 3.8 they are no longer linked against libpython3.8.so.1.0
+    '(E|W): library-not-linked-against-libc /usr/lib(64)?/python3\.\d+/lib-dynload/',
+    '(E|W): shared-lib(rary)?-without-dependency-information /usr/lib(64)?/python3\.\d+/lib-dynload/',
+
+    # specfile-errors are listed twice, once with reason and once without
+    # we filter out the empty ones
+    '\bpython3(\.\d+)?\.(src|spec): (E|W): specfile-error\s+$',
+
+    # SPELLING ERRORS
+    'spelling-error .* en_US (bytecode|pyc|filename|tkinter|namespaces|pytest) ',
+
+]

sources

@@ -0,0 +1,2 @@
+SHA512 (Python-3.12.13.tar.xz) = e1eb66f0b34581f0155e3ce25ba72cf0b4b1107672ed0ad3e86bcfe616945c9204c41ffc492f32b1066b9154913ff88343038967ad8711dd05e6f2332fdb735b
+SHA512 (Python-3.12.13.tar.xz.asc) = 903fd3baa7e29891bb00fb159ec9c43804a71002c4cd38902d25bf4e5167f856b37d211a5b1098ee60e1ea41f8a10a1596dd2382edc6d7367d55dd4154807fc7

tests/.fmf/version

@@ -0,0 +1 @@
+1