.fmf/version

@@ -1 +0,0 @@
-1

.gitignore

@@ -1,3 +1 @@
-/*.tar.*
+SOURCES/Python-3.12.1.tar.xz
-/*.src.rpm
-/results_python3*

.python3.12.metadata

@@ -0,0 +1 @@
+5b11c58ea58cd6b8e1943c7e9b5f6e0997ca3632 SOURCES/Python-3.12.1.tar.xz

00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch

@@ -1,63 +0,0 @@
-From 60d40d7095983e0bc23a103b2050adc519dc7fe3 Mon Sep 17 00:00:00 2001
-From: Lumir Balhar <lbalhar@redhat.com>
-Date: Fri, 3 May 2024 14:17:48 +0200
-Subject: [PATCH] Expect failures in tests not working properly with expat with
- a fixed CVE in RHEL
-
----
- Lib/test/test_pyexpat.py   | 1 +
- Lib/test/test_sax.py       | 1 +
- Lib/test/test_xml_etree.py | 3 +++
- 3 files changed, 5 insertions(+)
-
-diff --git a/Lib/test/test_pyexpat.py b/Lib/test/test_pyexpat.py
-index 43cbd27..27b1502 100644
---- a/Lib/test/test_pyexpat.py
-+++ b/Lib/test/test_pyexpat.py
-@@ -793,6 +793,7 @@ class ReparseDeferralTest(unittest.TestCase):
- 
-         self.assertEqual(started, ['doc'])
- 
-+    @unittest.expectedFailure
-     def test_reparse_deferral_disabled(self):
-         started = []
- 
-diff --git a/Lib/test/test_sax.py b/Lib/test/test_sax.py
-index 9b3014a..646c92d 100644
---- a/Lib/test/test_sax.py
-+++ b/Lib/test/test_sax.py
-@@ -1240,6 +1240,7 @@ class ExpatReaderTest(XmlTestBase):
- 
-         self.assertEqual(result.getvalue(), start + b"<doc></doc>")
- 
-+    @unittest.expectedFailure
-     def test_flush_reparse_deferral_disabled(self):
-         result = BytesIO()
-         xmlgen = XMLGenerator(result)
-diff --git a/Lib/test/test_xml_etree.py b/Lib/test/test_xml_etree.py
-index 9c382d1..62f2871 100644
---- a/Lib/test/test_xml_etree.py
-+++ b/Lib/test/test_xml_etree.py
-@@ -1424,9 +1424,11 @@ class XMLPullParserTest(unittest.TestCase):
-         self.assert_event_tags(parser, [('end', 'root')])
-         self.assertIsNone(parser.close())
- 
-+    @unittest.expectedFailure
-     def test_simple_xml_chunk_1(self):
-         self.test_simple_xml(chunk_size=1, flush=True)
- 
-+    @unittest.expectedFailure
-     def test_simple_xml_chunk_5(self):
-         self.test_simple_xml(chunk_size=5, flush=True)
- 
-@@ -1651,6 +1653,7 @@ class XMLPullParserTest(unittest.TestCase):
- 
-         self.assert_event_tags(parser, [('end', 'doc')])
- 
-+    @unittest.expectedFailure
-     def test_flush_reparse_deferral_disabled(self):
-         parser = ET.XMLPullParser(events=('start', 'end'))
- 
--- 
-2.44.0
-

00474-cve-2025-15366.patch

@@ -1,61 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Seth Michael Larson <seth@python.org>
-Date: Tue, 20 Jan 2026 14:45:42 -0600
-Subject: 00474: CVE-2025-15366
-
-gh-143921: Reject control characters in IMAP commands
-
-(cherry-picked from commit 6262704b134db2a4ba12e85ecfbd968534f28b45)
----
- Lib/imaplib.py                                              | 4 +++-
- Lib/test/test_imaplib.py                                    | 6 ++++++
- .../Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst | 1 +
- 3 files changed, 10 insertions(+), 1 deletion(-)
- create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst
-
-diff --git a/Lib/imaplib.py b/Lib/imaplib.py
-index e337fe6471..c7f44f05b1 100644
---- a/Lib/imaplib.py
-+++ b/Lib/imaplib.py
-@@ -132,7 +132,7 @@
- # We compile these in _mode_xxx.
- _Literal = br'.*{(?P<size>\d+)}$'
- _Untagged_status = br'\* (?P<data>\d+) (?P<type>[A-Z-]+)( (?P<data2>.*))?'
--
-+_control_chars = re.compile(b'[\x00-\x1F\x7F]')
- 
- 
- class IMAP4:
-@@ -994,6 +994,8 @@ def _command(self, name, *args):
-             if arg is None: continue
-             if isinstance(arg, str):
-                 arg = bytes(arg, self._encoding)
-+            if _control_chars.search(arg):
-+                raise ValueError("Control characters not allowed in commands")
-             data = data + b' ' + arg
- 
-         literal = self.literal
-diff --git a/Lib/test/test_imaplib.py b/Lib/test/test_imaplib.py
-index 4429a90050..73c25bc733 100644
---- a/Lib/test/test_imaplib.py
-+++ b/Lib/test/test_imaplib.py
-@@ -504,6 +504,12 @@ def test_login(self):
-         self.assertEqual(data[0], b'LOGIN completed')
-         self.assertEqual(client.state, 'AUTH')
- 
-+    def test_control_characters(self):
-+        client, _ = self._setup(SimpleIMAPHandler)
-+        for c0 in support.control_characters_c0():
-+            with self.assertRaises(ValueError):
-+                client.login(f'user{c0}', 'pass')
-+
-     def test_logout(self):
-         client, _ = self._setup(SimpleIMAPHandler)
-         typ, data = client.login('user', 'pass')
-diff --git a/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst b/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst
-new file mode 100644
-index 0000000000..4e13fe92bc
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst
-@@ -0,0 +1 @@
-+Reject control characters in IMAP commands.

00475-cve-2025-15367.patch

@@ -1,61 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Seth Michael Larson <seth@python.org>
-Date: Tue, 20 Jan 2026 14:46:32 -0600
-Subject: 00475: CVE-2025-15367
-
-gh-143923: Reject control characters in POP3 commands
-
-(cherry-picked from commit b234a2b67539f787e191d2ef19a7cbdce32874e7)
----
- Lib/poplib.py                                             | 2 ++
- Lib/test/test_poplib.py                                   | 8 ++++++++
- .../2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst        | 1 +
- 3 files changed, 11 insertions(+)
- create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst
-
-diff --git a/Lib/poplib.py b/Lib/poplib.py
-index 9eb662d000..5c83522504 100644
---- a/Lib/poplib.py
-+++ b/Lib/poplib.py
-@@ -122,6 +122,8 @@ def _putline(self, line):
-     def _putcmd(self, line):
-         if self._debugging: print('*cmd*', repr(line))
-         line = bytes(line, self.encoding)
-+        if re.search(b'[\x00-\x1F\x7F]', line):
-+            raise ValueError('Control characters not allowed in commands')
-         self._putline(line)
- 
- 
-diff --git a/Lib/test/test_poplib.py b/Lib/test/test_poplib.py
-index f1ebbeafe0..50d8c255d6 100644
---- a/Lib/test/test_poplib.py
-+++ b/Lib/test/test_poplib.py
-@@ -12,6 +12,7 @@
- import unittest
- from unittest import TestCase, skipUnless
- from test import support as test_support
-+from test.support import control_characters_c0
- from test.support import hashlib_helper
- from test.support import socket_helper
- from test.support import threading_helper
-@@ -395,6 +396,13 @@ def test_quit(self):
-         self.assertIsNone(self.client.sock)
-         self.assertIsNone(self.client.file)
- 
-+    def test_control_characters(self):
-+        for c0 in control_characters_c0():
-+            with self.assertRaises(ValueError):
-+                self.client.user(f'user{c0}')
-+            with self.assertRaises(ValueError):
-+                self.client.pass_(f'{c0}pass')
-+
-     @requires_ssl
-     def test_stls_capa(self):
-         capa = self.client.capa()
-diff --git a/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst b/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst
-new file mode 100644
-index 0000000000..3cde4df3e0
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst
-@@ -0,0 +1 @@
-+Reject control characters in POP3 commands.

00478-cve-2026-4519.patch

@@ -1,105 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Pinky <pinky00ch@gmail.com>
-Date: Wed, 25 Mar 2026 01:02:37 +0530
-Subject: 00478: CVE-2026-4519
-
-Reject leading dashes in webbrowser URLs (GH-146360)
-
-(cherry picked from commit 82a24a4442312bdcfc4c799885e8b3e00990f02b)
-
-Co-authored-by: Seth Michael Larson <seth@python.org>
----
- Lib/test/test_webbrowser.py                          |  5 +++++
- Lib/webbrowser.py                                    | 12 ++++++++++++
- .../2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst   |  1 +
- 3 files changed, 18 insertions(+)
- create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
-
-diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
-index 2d695bc883..60f094fd6a 100644
---- a/Lib/test/test_webbrowser.py
-+++ b/Lib/test/test_webbrowser.py
-@@ -59,6 +59,11 @@ def test_open(self):
-                    options=[],
-                    arguments=[URL])
- 
-+    def test_reject_dash_prefixes(self):
-+        browser = self.browser_class(name=CMD_NAME)
-+        with self.assertRaises(ValueError):
-+            browser.open(f"--key=val {URL}")
-+
- 
- class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase):
- 
-diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
-index 13b9e85f9e..0bdb644d7d 100755
---- a/Lib/webbrowser.py
-+++ b/Lib/webbrowser.py
-@@ -158,6 +158,12 @@ def open_new(self, url):
-     def open_new_tab(self, url):
-         return self.open(url, 2)
- 
-+    @staticmethod
-+    def _check_url(url):
-+        """Ensures that the URL is safe to pass to subprocesses as a parameter"""
-+        if url and url.lstrip().startswith("-"):
-+            raise ValueError(f"Invalid URL: {url}")
-+
- 
- class GenericBrowser(BaseBrowser):
-     """Class for all browsers started with a command
-@@ -175,6 +181,7 @@ def __init__(self, name):
- 
-     def open(self, url, new=0, autoraise=True):
-         sys.audit("webbrowser.open", url)
-+        self._check_url(url)
-         cmdline = [self.name] + [arg.replace("%s", url)
-                                  for arg in self.args]
-         try:
-@@ -195,6 +202,7 @@ def open(self, url, new=0, autoraise=True):
-         cmdline = [self.name] + [arg.replace("%s", url)
-                                  for arg in self.args]
-         sys.audit("webbrowser.open", url)
-+        self._check_url(url)
-         try:
-             if sys.platform[:3] == 'win':
-                 p = subprocess.Popen(cmdline)
-@@ -260,6 +268,7 @@ def _invoke(self, args, remote, autoraise, url=None):
- 
-     def open(self, url, new=0, autoraise=True):
-         sys.audit("webbrowser.open", url)
-+        self._check_url(url)
-         if new == 0:
-             action = self.remote_action
-         elif new == 1:
-@@ -350,6 +359,7 @@ class Konqueror(BaseBrowser):
- 
-     def open(self, url, new=0, autoraise=True):
-         sys.audit("webbrowser.open", url)
-+        self._check_url(url)
-         # XXX Currently I know no way to prevent KFM from opening a new win.
-         if new == 2:
-             action = "newTab"
-@@ -554,6 +564,7 @@ def register_standard_browsers():
-     class WindowsDefault(BaseBrowser):
-         def open(self, url, new=0, autoraise=True):
-             sys.audit("webbrowser.open", url)
-+            self._check_url(url)
-             try:
-                 os.startfile(url)
-             except OSError:
-@@ -638,6 +649,7 @@ def _name(self, val):
- 
-         def open(self, url, new=0, autoraise=True):
-             sys.audit("webbrowser.open", url)
-+            self._check_url(url)
-             if self.name == 'default':
-                 script = 'open location "%s"' % url.replace('"', '%22') # opens in default browser
-             else:
-diff --git a/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
-new file mode 100644
-index 0000000000..0f27eae99a
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
-@@ -0,0 +1 @@
-+Reject leading dashes in URLs passed to :func:`webbrowser.open`

00479-cve-2026-1502.patch

@@ -1,107 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Seth Larson <seth@python.org>
-Date: Fri, 10 Apr 2026 10:21:42 -0500
-Subject: 00479: CVE-2026-1502
-
-Reject CR/LF in HTTP tunnel request headers
-
-Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
----
- Lib/http/client.py                            | 11 ++++-
- Lib/test/test_httplib.py                      | 45 +++++++++++++++++++
- ...-03-20-09-29-42.gh-issue-146211.PQVbs7.rst |  2 +
- 3 files changed, 57 insertions(+), 1 deletion(-)
- create mode 100644 Misc/NEWS.d/next/Security/2026-03-20-09-29-42.gh-issue-146211.PQVbs7.rst
-
-diff --git a/Lib/http/client.py b/Lib/http/client.py
-index 70451d67d4..7db4807b30 100644
---- a/Lib/http/client.py
-+++ b/Lib/http/client.py
-@@ -972,13 +972,22 @@ def _wrap_ipv6(self, ip):
-         return ip
- 
-     def _tunnel(self):
-+        if _contains_disallowed_url_pchar_re.search(self._tunnel_host):
-+            raise ValueError('Tunnel host can\'t contain control characters %r'
-+                             % (self._tunnel_host,))
-         connect = b"CONNECT %s:%d %s\r\n" % (
-             self._wrap_ipv6(self._tunnel_host.encode("idna")),
-             self._tunnel_port,
-             self._http_vsn_str.encode("ascii"))
-         headers = [connect]
-         for header, value in self._tunnel_headers.items():
--            headers.append(f"{header}: {value}\r\n".encode("latin-1"))
-+            header_bytes = header.encode("latin-1")
-+            value_bytes = value.encode("latin-1")
-+            if not _is_legal_header_name(header_bytes):
-+                raise ValueError('Invalid header name %r' % (header_bytes,))
-+            if _is_illegal_header_value(value_bytes):
-+                raise ValueError('Invalid header value %r' % (value_bytes,))
-+            headers.append(b"%s: %s\r\n" % (header_bytes, value_bytes))
-         headers.append(b"\r\n")
-         # Making a single send() call instead of one per line encourages
-         # the host OS to use a more optimal packet size instead of
-diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
-index e46dac0077..e027d930d9 100644
---- a/Lib/test/test_httplib.py
-+++ b/Lib/test/test_httplib.py
-@@ -369,6 +369,51 @@ def test_invalid_headers(self):
-                 with self.assertRaisesRegex(ValueError, 'Invalid header'):
-                     conn.putheader(name, value)
- 
-+    def test_invalid_tunnel_headers(self):
-+        cases = (
-+            ('Invalid\r\nName', 'ValidValue'),
-+            ('Invalid\rName', 'ValidValue'),
-+            ('Invalid\nName', 'ValidValue'),
-+            ('\r\nInvalidName', 'ValidValue'),
-+            ('\rInvalidName', 'ValidValue'),
-+            ('\nInvalidName', 'ValidValue'),
-+            (' InvalidName', 'ValidValue'),
-+            ('\tInvalidName', 'ValidValue'),
-+            ('Invalid:Name', 'ValidValue'),
-+            (':InvalidName', 'ValidValue'),
-+            ('ValidName', 'Invalid\r\nValue'),
-+            ('ValidName', 'Invalid\rValue'),
-+            ('ValidName', 'Invalid\nValue'),
-+            ('ValidName', 'InvalidValue\r\n'),
-+            ('ValidName', 'InvalidValue\r'),
-+            ('ValidName', 'InvalidValue\n'),
-+        )
-+        for name, value in cases:
-+            with self.subTest((name, value)):
-+                conn = client.HTTPConnection('example.com')
-+                conn.set_tunnel('tunnel', headers={
-+                    name: value
-+                })
-+                conn.sock = FakeSocket('')
-+                with self.assertRaisesRegex(ValueError, 'Invalid header'):
-+                    conn._tunnel()  # Called in .connect()
-+
-+    def test_invalid_tunnel_host(self):
-+        cases = (
-+            'invalid\r.host',
-+            '\ninvalid.host',
-+            'invalid.host\r\n',
-+            'invalid.host\x00',
-+            'invalid host',
-+        )
-+        for tunnel_host in cases:
-+            with self.subTest(tunnel_host):
-+                conn = client.HTTPConnection('example.com')
-+                conn.set_tunnel(tunnel_host)
-+                conn.sock = FakeSocket('')
-+                with self.assertRaisesRegex(ValueError, 'Tunnel host can\'t contain control characters'):
-+                    conn._tunnel()  # Called in .connect()
-+
-     def test_headers_debuglevel(self):
-         body = (
-             b'HTTP/1.1 200 OK\r\n'
-diff --git a/Misc/NEWS.d/next/Security/2026-03-20-09-29-42.gh-issue-146211.PQVbs7.rst b/Misc/NEWS.d/next/Security/2026-03-20-09-29-42.gh-issue-146211.PQVbs7.rst
-new file mode 100644
-index 0000000000..4993633b8e
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2026-03-20-09-29-42.gh-issue-146211.PQVbs7.rst
-@@ -0,0 +1,2 @@
-+Reject CR/LF characters in tunnel request headers for the
-+HTTPConnection.set_tunnel() method.

00480-cve-2026-4786.patch

@@ -1,64 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Stan Ulbrych <stan@python.org>
-Date: Mon, 13 Apr 2026 20:02:52 +0100
-Subject: 00480: CVE-2026-4786
-
-Fix webbrowser `%action` substitution bypass of dash-prefix check
----
- Lib/test/test_webbrowser.py                              | 9 +++++++++
- Lib/webbrowser.py                                        | 5 +++--
- .../2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst       | 2 ++
- 3 files changed, 14 insertions(+), 2 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
-
-diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
-index 60f094fd6a..e900c0212b 100644
---- a/Lib/test/test_webbrowser.py
-+++ b/Lib/test/test_webbrowser.py
-@@ -99,6 +99,15 @@ def test_open_new_tab(self):
-                    options=[],
-                    arguments=[URL])
- 
-+    def test_reject_action_dash_prefixes(self):
-+        browser = self.browser_class(name=CMD_NAME)
-+        with self.assertRaises(ValueError):
-+            browser.open('%action--incognito')
-+        # new=1: action is "--new-window", so "%action" itself expands to
-+        # a dash-prefixed flag even with no dash in the original URL.
-+        with self.assertRaises(ValueError):
-+            browser.open('%action', new=1)
-+
- 
- class EdgeCommandTest(CommandTestMixin, unittest.TestCase):
- 
-diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
-index 0bdb644d7d..79d410bcae 100755
---- a/Lib/webbrowser.py
-+++ b/Lib/webbrowser.py
-@@ -268,7 +268,6 @@ def _invoke(self, args, remote, autoraise, url=None):
- 
-     def open(self, url, new=0, autoraise=True):
-         sys.audit("webbrowser.open", url)
--        self._check_url(url)
-         if new == 0:
-             action = self.remote_action
-         elif new == 1:
-@@ -282,7 +281,9 @@ def open(self, url, new=0, autoraise=True):
-             raise Error("Bad 'new' parameter to open(); " +
-                         "expected 0, 1, or 2, got %s" % new)
- 
--        args = [arg.replace("%s", url).replace("%action", action)
-+        self._check_url(url.replace("%action", action))
-+
-+        args = [arg.replace("%action", action).replace("%s", url)
-                 for arg in self.remote_args]
-         args = [arg for arg in args if arg]
-         success = self._invoke(args, True, autoraise, url)
-diff --git a/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst b/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
-new file mode 100644
-index 0000000000..45cdeebe1b
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
-@@ -0,0 +1,2 @@
-+A bypass in :mod:`webbrowser` allowed URLs prefixed with ``%action`` to pass
-+the dash-prefix safety check.

00482-cve-2026-6100.patch

@@ -1,61 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Stan Ulbrych <stan@python.org>
-Date: Mon, 13 Apr 2026 02:14:54 +0100
-Subject: 00482: CVE-2026-6100
-
-Fix a possible UAF in {LZMA,BZ2,_Zlib}Decompressor
----
- .../Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst  | 5 +++++
- Modules/_bz2module.c                                         | 1 +
- Modules/_lzmamodule.c                                        | 1 +
- Modules/zlibmodule.c                                         | 1 +
- 4 files changed, 8 insertions(+)
- create mode 100644 Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
-
-diff --git a/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
-new file mode 100644
-index 0000000000..9502189ab1
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
-@@ -0,0 +1,5 @@
-+Fix a dangling input pointer in :class:`lzma.LZMADecompressor`,
-+:class:`bz2.BZ2Decompressor`, and internal :class:`!zlib._ZlibDecompressor`
-+when memory allocation fails with :exc:`MemoryError`, which could let a
-+subsequent :meth:`!decompress` call read or write through a stale pointer to
-+the already-released caller buffer.
-diff --git a/Modules/_bz2module.c b/Modules/_bz2module.c
-index 97bd44b4ac..a732e89d55 100644
---- a/Modules/_bz2module.c
-+++ b/Modules/_bz2module.c
-@@ -587,6 +587,7 @@ decompress(BZ2Decompressor *d, char *data, size_t len, Py_ssize_t max_length)
-     return result;
- 
- error:
-+    bzs->next_in = NULL;
-     Py_XDECREF(result);
-     return NULL;
- }
-diff --git a/Modules/_lzmamodule.c b/Modules/_lzmamodule.c
-index 7bbd6569aa..103a6ef86c 100644
---- a/Modules/_lzmamodule.c
-+++ b/Modules/_lzmamodule.c
-@@ -1114,6 +1114,7 @@ decompress(Decompressor *d, uint8_t *data, size_t len, Py_ssize_t max_length)
-     return result;
- 
- error:
-+    lzs->next_in = NULL;
-     Py_XDECREF(result);
-     return NULL;
- }
-diff --git a/Modules/zlibmodule.c b/Modules/zlibmodule.c
-index f94c57e4c8..9759593b6a 100644
---- a/Modules/zlibmodule.c
-+++ b/Modules/zlibmodule.c
-@@ -1645,6 +1645,7 @@ decompress(ZlibDecompressor *self, uint8_t *data,
-     return result;
- 
- error:
-+    self->zst.next_in = NULL;
-     Py_XDECREF(result);
-     return NULL;
- }

00483-cve-2026-2297.patch

@@ -1,33 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Steve Dower <steve.dower@python.org>
-Date: Wed, 4 Mar 2026 19:55:52 +0000
-Subject: 00483: CVE-2026-2297
-
-Logging Bypass in Legacy .pyc File Handling
----
- Lib/importlib/_bootstrap_external.py                            | 2 +-
- .../Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst     | 2 ++
- 2 files changed, 3 insertions(+), 1 deletion(-)
- create mode 100644 Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst
-
-diff --git a/Lib/importlib/_bootstrap_external.py b/Lib/importlib/_bootstrap_external.py
-index 9b8a8dfc5a..6e4a087a10 100644
---- a/Lib/importlib/_bootstrap_external.py
-+++ b/Lib/importlib/_bootstrap_external.py
-@@ -1186,7 +1186,7 @@ def get_filename(self, fullname):
- 
-     def get_data(self, path):
-         """Return the data from path as raw bytes."""
--        if isinstance(self, (SourceLoader, ExtensionFileLoader)):
-+        if isinstance(self, (SourceLoader, SourcelessFileLoader, ExtensionFileLoader)):
-             with _io.open_code(str(path)) as file:
-                 return file.read()
-         else:
-diff --git a/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst b/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst
-new file mode 100644
-index 0000000000..dcdb44d4fa
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2026-03-04-18-59-17.gh-issue-145506.6hwvEh.rst
-@@ -0,0 +1,2 @@
-+Fixes :cve:`2026-2297` by ensuring that ``SourcelessFileLoader`` uses
-+:func:`io.open_code` when opening ``.pyc`` files.

00484-cve-2026-3644.patch

@@ -1,146 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
-Date: Mon, 16 Mar 2026 13:43:43 +0000
-Subject: 00484: CVE-2026-3644
-
-Incomplete control character validation in http.cookies
-
-Co-authored-by: Victor Stinner <victor.stinner@gmail.com>
----
- Lib/http/cookies.py                           | 24 ++++++++++--
- Lib/test/test_http_cookies.py                 | 38 +++++++++++++++++++
- ...-03-06-17-03-38.gh-issue-145599.kchwZV.rst |  4 ++
- 3 files changed, 62 insertions(+), 4 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2026-03-06-17-03-38.gh-issue-145599.kchwZV.rst
-
-diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py
-index d0a69cbe19..63d119ad46 100644
---- a/Lib/http/cookies.py
-+++ b/Lib/http/cookies.py
-@@ -335,9 +335,16 @@ def update(self, values):
-             key = key.lower()
-             if key not in self._reserved:
-                 raise CookieError("Invalid attribute %r" % (key,))
-+            if _has_control_character(key, val):
-+                raise CookieError("Control characters are not allowed in "
-+                                  f"cookies {key!r} {val!r}")
-             data[key] = val
-         dict.update(self, data)
- 
-+    def __ior__(self, values):
-+        self.update(values)
-+        return self
-+
-     def isReservedKey(self, K):
-         return K.lower() in self._reserved
- 
-@@ -363,9 +370,15 @@ def __getstate__(self):
-         }
- 
-     def __setstate__(self, state):
--        self._key = state['key']
--        self._value = state['value']
--        self._coded_value = state['coded_value']
-+        key = state['key']
-+        value = state['value']
-+        coded_value = state['coded_value']
-+        if _has_control_character(key, value, coded_value):
-+            raise CookieError("Control characters are not allowed in cookies "
-+                              f"{key!r} {value!r} {coded_value!r}")
-+        self._key = key
-+        self._value = value
-+        self._coded_value = coded_value
- 
-     def output(self, attrs=None, header="Set-Cookie:"):
-         return "%s %s" % (header, self.OutputString(attrs))
-@@ -377,13 +390,16 @@ def __repr__(self):
- 
-     def js_output(self, attrs=None):
-         # Print javascript
-+        output_string = self.OutputString(attrs)
-+        if _has_control_character(output_string):
-+            raise CookieError("Control characters are not allowed in cookies")
-         return """
-         <script type="text/javascript">
-         <!-- begin hiding
-         document.cookie = \"%s\";
-         // end hiding -->
-         </script>
--        """ % (self.OutputString(attrs).replace('"', r'\"'))
-+        """ % (output_string.replace('"', r'\"'))
- 
-     def OutputString(self, attrs=None):
-         # Build up our result
-diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py
-index f196bcc48e..2478a6c630 100644
---- a/Lib/test/test_http_cookies.py
-+++ b/Lib/test/test_http_cookies.py
-@@ -573,6 +573,14 @@ def test_control_characters(self):
-             with self.assertRaises(cookies.CookieError):
-                 morsel["path"] = c0
- 
-+            # .__setstate__()
-+            with self.assertRaises(cookies.CookieError):
-+                morsel.__setstate__({'key': c0, 'value': 'val', 'coded_value': 'coded'})
-+            with self.assertRaises(cookies.CookieError):
-+                morsel.__setstate__({'key': 'key', 'value': c0, 'coded_value': 'coded'})
-+            with self.assertRaises(cookies.CookieError):
-+                morsel.__setstate__({'key': 'key', 'value': 'val', 'coded_value': c0})
-+
-             # .setdefault()
-             with self.assertRaises(cookies.CookieError):
-                 morsel.setdefault("path", c0)
-@@ -587,6 +595,18 @@ def test_control_characters(self):
-             with self.assertRaises(cookies.CookieError):
-                 morsel.set("path", "val", c0)
- 
-+            # .update()
-+            with self.assertRaises(cookies.CookieError):
-+                morsel.update({"path": c0})
-+            with self.assertRaises(cookies.CookieError):
-+                morsel.update({c0: "val"})
-+
-+            # .__ior__()
-+            with self.assertRaises(cookies.CookieError):
-+                morsel |= {"path": c0}
-+            with self.assertRaises(cookies.CookieError):
-+                morsel |= {c0: "val"}
-+
-     def test_control_characters_output(self):
-         # Tests that even if the internals of Morsel are modified
-         # that a call to .output() has control character safeguards.
-@@ -607,6 +627,24 @@ def test_control_characters_output(self):
-             with self.assertRaises(cookies.CookieError):
-                 cookie.output()
- 
-+        # Tests that .js_output() also has control character safeguards.
-+        for c0 in support.control_characters_c0():
-+            morsel = cookies.Morsel()
-+            morsel.set("key", "value", "coded-value")
-+            morsel._key = c0  # Override private variable.
-+            cookie = cookies.SimpleCookie()
-+            cookie["cookie"] = morsel
-+            with self.assertRaises(cookies.CookieError):
-+                cookie.js_output()
-+
-+            morsel = cookies.Morsel()
-+            morsel.set("key", "value", "coded-value")
-+            morsel._coded_value = c0  # Override private variable.
-+            cookie = cookies.SimpleCookie()
-+            cookie["cookie"] = morsel
-+            with self.assertRaises(cookies.CookieError):
-+                cookie.js_output()
-+
- 
- def load_tests(loader, tests, pattern):
-     tests.addTest(doctest.DocTestSuite(cookies))
-diff --git a/Misc/NEWS.d/next/Security/2026-03-06-17-03-38.gh-issue-145599.kchwZV.rst b/Misc/NEWS.d/next/Security/2026-03-06-17-03-38.gh-issue-145599.kchwZV.rst
-new file mode 100644
-index 0000000000..e53a932d12
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2026-03-06-17-03-38.gh-issue-145599.kchwZV.rst
-@@ -0,0 +1,4 @@
-+Reject control characters in :class:`http.cookies.Morsel`
-+:meth:`~http.cookies.Morsel.update` and
-+:meth:`~http.cookies.BaseCookie.js_output`.
-+This addresses :cve:`2026-3644`.

00485-cve-2026-4224.patch

@@ -1,98 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
-Date: Sun, 15 Mar 2026 21:46:06 +0000
-Subject: 00485: CVE-2026-4224
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Stack overflow parsing XML with deeply nested DTD content models
-
-Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
----
- Lib/test/test_pyexpat.py                       | 18 ++++++++++++++++++
- ...6-03-14-17-31-39.gh-issue-145986.ifSSr8.rst |  4 ++++
- Modules/pyexpat.c                              |  9 ++++++++-
- 3 files changed, 30 insertions(+), 1 deletion(-)
- create mode 100644 Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst
-
-diff --git a/Lib/test/test_pyexpat.py b/Lib/test/test_pyexpat.py
-index 38f951573f..37d9086f40 100644
---- a/Lib/test/test_pyexpat.py
-+++ b/Lib/test/test_pyexpat.py
-@@ -675,6 +675,24 @@ def test_change_size_2(self):
-         parser.Parse(xml2, True)
-         self.assertEqual(self.n, 4)
- 
-+class ElementDeclHandlerTest(unittest.TestCase):
-+    def test_deeply_nested_content_model(self):
-+        # This should raise a RecursionError and not crash.
-+        # See https://github.com/python/cpython/issues/145986.
-+        N = 500_000
-+        data = (
-+            b'<!DOCTYPE root [\n<!ELEMENT root '
-+            + b'(a, ' * N + b'a' + b')' * N
-+            + b'>\n]>\n<root/>\n'
-+        )
-+
-+        parser = expat.ParserCreate()
-+        parser.ElementDeclHandler = lambda _1, _2: None
-+        with support.infinite_recursion():
-+            with self.assertRaises(RecursionError):
-+                parser.Parse(data)
-+
-+
- class MalformedInputTest(unittest.TestCase):
-     def test1(self):
-         xml = b"\0\r\n"
-diff --git a/Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst b/Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst
-new file mode 100644
-index 0000000000..79536d1fef
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst
-@@ -0,0 +1,4 @@
-+:mod:`xml.parsers.expat`: Fixed a crash caused by unbounded C recursion when
-+converting deeply nested XML content models with
-+:meth:`~xml.parsers.expat.xmlparser.ElementDeclHandler`.
-+This addresses :cve:`2026-4224`.
-diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c
-index 79492ca5c4..8673540f35 100644
---- a/Modules/pyexpat.c
-+++ b/Modules/pyexpat.c
-@@ -3,6 +3,7 @@
- #endif
- 
- #include "Python.h"
-+#include "pycore_ceval.h"           // _Py_EnterRecursiveCall()
- #include "pycore_runtime.h"         // _Py_ID()
- #include <ctype.h>
- 
-@@ -578,6 +579,10 @@ static PyObject *
- conv_content_model(XML_Content * const model,
-                    PyObject *(*conv_string)(const XML_Char *))
- {
-+    if (_Py_EnterRecursiveCall(" in conv_content_model")) {
-+        return NULL;
-+    }
-+
-     PyObject *result = NULL;
-     PyObject *children = PyTuple_New(model->numchildren);
-     int i;
-@@ -589,7 +594,7 @@ conv_content_model(XML_Content * const model,
-                                                  conv_string);
-             if (child == NULL) {
-                 Py_XDECREF(children);
--                return NULL;
-+                goto done;
-             }
-             PyTuple_SET_ITEM(children, i, child);
-         }
-@@ -597,6 +602,8 @@ conv_content_model(XML_Content * const model,
-                                model->type, model->quant,
-                                conv_string,model->name, children);
-     }
-+done:
-+    _Py_LeaveRecursiveCall();
-     return result;
- }
- 

SOURCES/00251-change-user-install-location.patch

@@ -30,10 +30,10 @@ Co-authored-by: Lumír Balhar <frenzy.madness@gmail.com>
  3 files changed, 71 insertions(+), 4 deletions(-)
 
 diff --git a/Lib/site.py b/Lib/site.py
-index aed254ad50..568dbdb945 100644
+index 672fa7b000..0a9c5be53e 100644
 --- a/Lib/site.py
 +++ b/Lib/site.py
-@@ -398,8 +398,15 @@ def getsitepackages(prefixes=None):
+@@ -377,8 +377,15 @@ def getsitepackages(prefixes=None):
      return sitepackages
  
  def addsitepackages(known_paths, prefixes=None):
@@ -51,7 +51,7 @@ index aed254ad50..568dbdb945 100644
          if os.path.isdir(sitedir):
              addsitedir(sitedir, known_paths)
 diff --git a/Lib/sysconfig.py b/Lib/sysconfig.py
-index acc8d4d182..6355669f62 100644
+index 122d441bd1..2d354a11da 100644
 --- a/Lib/sysconfig.py
 +++ b/Lib/sysconfig.py
 @@ -104,6 +104,11 @@
@@ -86,7 +86,7 @@ index acc8d4d182..6355669f62 100644
  _SCHEME_KEYS = ('stdlib', 'platstdlib', 'purelib', 'platlib', 'include',
                  'scripts', 'data')
  
-@@ -268,11 +286,40 @@ def _extend_dict(target_dict, other_dict):
+@@ -263,11 +281,40 @@ def _extend_dict(target_dict, other_dict):
          target_dict[key] = value
  
  
@@ -119,7 +119,7 @@ index acc8d4d182..6355669f62 100644
 +    # we only change the defaults here, so explicit --prefix will take precedence
 +    # https://fedoraproject.org/wiki/Changes/Making_sudo_pip_safe
 +    if (scheme == 'posix_prefix' and
-+        sys.prefix == '/usr' and
++        _PREFIX == '/usr' and
 +        'RPM_BUILD_ROOT' not in os.environ):
 +            _extend_dict(vars, _config_vars_local())
 +    else:
@@ -129,10 +129,10 @@ index acc8d4d182..6355669f62 100644
          # On Windows we want to substitute 'lib' for schemes rather
          # than the native value (without modifying vars, in case it
 diff --git a/Lib/test/test_sysconfig.py b/Lib/test/test_sysconfig.py
-index 67647e1b78..7baddaa9d6 100644
+index b6dbf3d52c..4f06a7673c 100644
 --- a/Lib/test/test_sysconfig.py
 +++ b/Lib/test/test_sysconfig.py
-@@ -119,8 +119,19 @@ def test_get_path(self):
+@@ -110,8 +110,19 @@ def test_get_path(self):
          for scheme in _INSTALL_SCHEMES:
              for name in _INSTALL_SCHEMES[scheme]:
                  expected = _INSTALL_SCHEMES[scheme][name].format(**config_vars)
@@ -153,7 +153,7 @@ index 67647e1b78..7baddaa9d6 100644
                      os.path.normpath(expected),
                  )
  
-@@ -353,7 +364,7 @@ def test_get_config_h_filename(self):
+@@ -335,7 +346,7 @@ def test_get_config_h_filename(self):
          self.assertTrue(os.path.isfile(config_h), config_h)
  
      def test_get_scheme_names(self):
@@ -162,7 +162,7 @@ index 67647e1b78..7baddaa9d6 100644
          if HAS_USER_BASE:
              wanted.extend(['nt_user', 'osx_framework_user', 'posix_user'])
          self.assertEqual(get_scheme_names(), tuple(sorted(wanted)))
-@@ -365,6 +376,8 @@ def test_symlink(self): # Issue 7880
+@@ -347,6 +358,8 @@ def test_symlink(self): # Issue 7880
              cmd = "-c", "import sysconfig; print(sysconfig.get_platform())"
              self.assertEqual(py.call_real(*cmd), py.call_link(*cmd))
  

SOURCES/00329-fips.patch

@@ -1,7 +1,7 @@
-From 11deb3112bd90bc2dce2fcd4a1f5975c08b91360 Mon Sep 17 00:00:00 2001
+From 5cedde59cde3f05af798a7cb5bc722cb0deb4835 Mon Sep 17 00:00:00 2001
 From: Charalampos Stratakis <cstratak@redhat.com>
 Date: Thu, 12 Dec 2019 16:58:31 +0100
-Subject: [PATCH 1/5] Expose blake2b and blake2s hashes from OpenSSL
+Subject: [PATCH 1/6] Expose blake2b and blake2s hashes from OpenSSL
 
 These aren't as powerful as Python's own implementation, but they can be
 used under FIPS.
@@ -29,10 +29,10 @@ index 73d758a..5921360 100644
              computed = m.hexdigest() if not shake else m.hexdigest(length)
              self.assertEqual(
 diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
-index 2998820..b96001e 100644
+index af6d1b2..980712f 100644
 --- a/Modules/_hashopenssl.c
 +++ b/Modules/_hashopenssl.c
-@@ -1128,6 +1128,41 @@ _hashlib_openssl_sha512_impl(PyObject *module, PyObject *data_obj,
+@@ -1079,6 +1079,41 @@ _hashlib_openssl_sha512_impl(PyObject *module, PyObject *data_obj,
  }
  
  
@@ -74,7 +74,7 @@ index 2998820..b96001e 100644
  #ifdef PY_OPENSSL_HAS_SHA3
  
  /*[clinic input]
-@@ -2116,6 +2151,8 @@ static struct PyMethodDef EVP_functions[] = {
+@@ -2067,6 +2102,8 @@ static struct PyMethodDef EVP_functions[] = {
      _HASHLIB_OPENSSL_SHA256_METHODDEF
      _HASHLIB_OPENSSL_SHA384_METHODDEF
      _HASHLIB_OPENSSL_SHA512_METHODDEF
@@ -84,7 +84,7 @@ index 2998820..b96001e 100644
      _HASHLIB_OPENSSL_SHA3_256_METHODDEF
      _HASHLIB_OPENSSL_SHA3_384_METHODDEF
 diff --git a/Modules/clinic/_hashopenssl.c.h b/Modules/clinic/_hashopenssl.c.h
-index 84e2346..7fe03a3 100644
+index fb61a44..1e42b87 100644
 --- a/Modules/clinic/_hashopenssl.c.h
 +++ b/Modules/clinic/_hashopenssl.c.h
 @@ -743,6 +743,156 @@ exit:
@@ -248,16 +248,16 @@ index 84e2346..7fe03a3 100644
  #ifndef _HASHLIB_SCRYPT_METHODDEF
      #define _HASHLIB_SCRYPT_METHODDEF
  #endif /* !defined(_HASHLIB_SCRYPT_METHODDEF) */
--/*[clinic end generated code: output=4734184f6555dc95 input=a9049054013a1b77]*/
+-/*[clinic end generated code: output=b339e255db698147 input=a9049054013a1b77]*/
-+/*[clinic end generated code: output=f0bfddb963a21208 input=a9049054013a1b77]*/
++/*[clinic end generated code: output=1d988d457a8beebe input=a9049054013a1b77]*/
 -- 
-2.47.1
+2.43.0
 
 
-From ea9d5c84e25b5c04c2823e1edee4354dd6b2b7a5 Mon Sep 17 00:00:00 2001
+From 2a12baa9e201f54560ec99ad5ee1fa5b0006aa39 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <pviktori@redhat.com>
 Date: Thu, 25 Jul 2019 17:19:06 +0200
-Subject: [PATCH 2/5] Disable Python's hash implementations in FIPS mode,
+Subject: [PATCH 2/6] Disable Python's hash implementations in FIPS mode,
  forcing OpenSSL
 
 ---
@@ -445,10 +445,10 @@ index a8bad9d..1b1d937 100644
 +    if (_Py_hashlib_fips_error(exc, name)) return NULL; \
 +} while (0)
 diff --git a/configure.ac b/configure.ac
-index 9270b5f..a9eb2c9 100644
+index 1876f77..1875d1e 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -7482,7 +7482,8 @@ PY_STDLIB_MOD([_sha2],
+@@ -7439,7 +7439,8 @@ PY_STDLIB_MOD([_sha2],
  PY_STDLIB_MOD([_sha3], [test "$with_builtin_sha3" = yes])
  PY_STDLIB_MOD([_blake2],
    [test "$with_builtin_blake2" = yes], [],
@@ -459,13 +459,13 @@ index 9270b5f..a9eb2c9 100644
  PY_STDLIB_MOD([_crypt],
    [], [test "$ac_cv_crypt_crypt" = yes],
 -- 
-2.47.1
+2.43.0
 
 
-From 29a7b7ac9e18a501ed78bde7a449b90c57d44e24 Mon Sep 17 00:00:00 2001
+From bca05b7fdb8dcab21ef80db1d59dd5daa835d84b Mon Sep 17 00:00:00 2001
 From: Charalampos Stratakis <cstratak@redhat.com>
 Date: Fri, 29 Jan 2021 14:16:21 +0100
-Subject: [PATCH 3/5] Use python's fall back crypto implementations only if we
+Subject: [PATCH 3/6] Use python's fall back crypto implementations only if we
  are not in FIPS mode
 
 ---
@@ -552,13 +552,13 @@ index dd61a9a..6031b02 100644
          get_builtin_constructor = getattr(hashlib,
                                            '__get_builtin_constructor')
 -- 
-2.47.1
+2.43.0
 
 
-From 59accf544492400c9fd32a8e682fb6f2206e932e Mon Sep 17 00:00:00 2001
+From c9a79f0aafd28677e3e0b8a1f6410105a71ff071 Mon Sep 17 00:00:00 2001
 From: Charalampos Stratakis <cstratak@redhat.com>
 Date: Wed, 31 Jul 2019 15:43:43 +0200
-Subject: [PATCH 4/5] Test equivalence of hashes for the various digests with
+Subject: [PATCH 4/6] Test equivalence of hashes for the various digests with
  usedforsecurity=True/False
 
 ---
@@ -712,21 +712,21 @@ index 6031b02..5bd5297 100644
  class KDFTests(unittest.TestCase):
  
 -- 
-2.47.1
+2.43.0
 
 
-From 21efadd8b488956482bdc6ccd91c37dcef705129 Mon Sep 17 00:00:00 2001
+From e972a838729ea84a0f2e0ca8e88ae1bfc129e7d8 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <pviktori@redhat.com>
 Date: Mon, 26 Aug 2019 19:39:48 +0200
-Subject: [PATCH 5/5] Guard against Python HMAC in FIPS mode
+Subject: [PATCH 5/6] Guard against Python HMAC in FIPS mode
 
 ---
- Lib/hmac.py           | 12 +++++++++---
+ Lib/hmac.py           | 13 +++++++++----
  Lib/test/test_hmac.py | 10 ++++++++++
- 2 files changed, 19 insertions(+), 3 deletions(-)
+ 2 files changed, 19 insertions(+), 4 deletions(-)
 
 diff --git a/Lib/hmac.py b/Lib/hmac.py
-index 8b4eb2f..8930bda 100644
+index 8b4f920..20ef96c 100644
 --- a/Lib/hmac.py
 +++ b/Lib/hmac.py
 @@ -16,8 +16,9 @@ else:
@@ -741,9 +741,16 @@ index 8b4eb2f..8930bda 100644
  
  # The size of the digests returned by HMAC depends on the underlying
  # hashing module used.  Use digest_size from the instance of HMAC instead.
-@@ -55,10 +56,12 @@ class HMAC:
+@@ -48,17 +49,18 @@ class HMAC:
+                    msg argument.  Passing it as a keyword argument is
+                    recommended, though not required for legacy API reasons.
+         """
+-
+         if not isinstance(key, (bytes, bytearray)):
+             raise TypeError("key: expected bytes or bytearray, but got %r" % type(key).__name__)
+ 
          if not digestmod:
-             raise TypeError("Missing required argument 'digestmod'.")
+             raise TypeError("Missing required parameter 'digestmod'.")
  
 -        if _hashopenssl and isinstance(digestmod, (str, _functype)):
 +        if _hashopenssl.get_fips_mode() or (_hashopenssl and isinstance(digestmod, (str, _functype))):
@@ -755,7 +762,7 @@ index 8b4eb2f..8930bda 100644
                  self._init_old(key, msg, digestmod)
          else:
              self._init_old(key, msg, digestmod)
-@@ -69,6 +72,9 @@ class HMAC:
+@@ -69,6 +71,9 @@ class HMAC:
          self.block_size = self._hmac.block_size
  
      def _init_old(self, key, msg, digestmod):
@@ -766,7 +773,7 @@ index 8b4eb2f..8930bda 100644
              digest_cons = digestmod
          elif isinstance(digestmod, str):
 diff --git a/Lib/test/test_hmac.py b/Lib/test/test_hmac.py
-index 1502fba..7997073 100644
+index a39a2c4..b7b24ab 100644
 --- a/Lib/test/test_hmac.py
 +++ b/Lib/test/test_hmac.py
 @@ -5,6 +5,7 @@ import hashlib
@@ -805,7 +812,7 @@ index 1502fba..7997073 100644
      @unittest.skipUnless(sha256_module is not None, 'need _sha256')
      def test_with_sha256_module(self):
          h = hmac.HMAC(b"key", b"hash this!", digestmod=sha256_module.sha256)
-@@ -489,6 +497,7 @@ class UpdateTestCase(unittest.TestCase):
+@@ -481,6 +489,7 @@ class SanityTestCase(unittest.TestCase):
  
  class CopyTestCase(unittest.TestCase):
  
@@ -813,7 +820,7 @@ index 1502fba..7997073 100644
      @hashlib_helper.requires_hashdigest('sha256')
      def test_attributes_old(self):
          # Testing if attributes are of same type.
-@@ -500,6 +509,7 @@ class CopyTestCase(unittest.TestCase):
+@@ -492,6 +501,7 @@ class CopyTestCase(unittest.TestCase):
          self.assertEqual(type(h1._outer), type(h2._outer),
              "Types of outer don't match.")
  
@@ -822,5 +829,270 @@ index 1502fba..7997073 100644
      def test_realcopy_old(self):
          # Testing if the copy method created a real copy.
 -- 
-2.47.1
+2.43.0
+
+
+From b12202196a78b877dcd32cfea273051b60038a41 Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <encukou@gmail.com>
+Date: Wed, 25 Aug 2021 16:44:43 +0200
+Subject: [PATCH 6/6] Disable hash-based PYCs in FIPS mode
+
+If FIPS mode is on, we can't use siphash-based HMAC
+(_Py_KeyedHash), so:
+
+- Unchecked hash PYCs can be imported, but not created
+- Checked hash PYCs can not be imported nor created
+- The default mode is timestamp-based PYCs, even if
+  SOURCE_DATE_EPOCH is set.
+
+If FIPS mode is off, there are no changes in behavior.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1835169
+---
+ Lib/py_compile.py                             |  4 +++-
+ Lib/test/support/__init__.py                  | 14 +++++++++++++
+ Lib/test/test_cmd_line_script.py              |  2 ++
+ Lib/test/test_compileall.py                   | 11 +++++++++-
+ .../test_importlib/source/test_file_loader.py |  6 ++++++
+ Lib/test/test_py_compile.py                   | 11 ++++++++--
+ Lib/test/test_zipimport.py                    |  2 ++
+ Python/import.c                               | 20 +++++++++++++++++++
+ 8 files changed, 66 insertions(+), 4 deletions(-)
+
+diff --git a/Lib/py_compile.py b/Lib/py_compile.py
+index 388614e..fd9a139 100644
+--- a/Lib/py_compile.py
++++ b/Lib/py_compile.py
+@@ -70,7 +70,9 @@ class PycInvalidationMode(enum.Enum):
+ 
+ 
+ def _get_default_invalidation_mode():
+-    if os.environ.get('SOURCE_DATE_EPOCH'):
++    import _hashlib
++    if (os.environ.get('SOURCE_DATE_EPOCH') and not
++          _hashlib.get_fips_mode()):
+         return PycInvalidationMode.CHECKED_HASH
+     else:
+         return PycInvalidationMode.TIMESTAMP
+diff --git a/Lib/test/support/__init__.py b/Lib/test/support/__init__.py
+index fd9265c..fcd1ea7 100644
+--- a/Lib/test/support/__init__.py
++++ b/Lib/test/support/__init__.py
+@@ -2346,6 +2346,20 @@ def sleeping_retry(timeout, err_msg=None, /,
+         delay = min(delay * 2, max_delay)
+ 
+ 
++def fails_in_fips_mode(expected_error):
++    import _hashlib
++    if _hashlib.get_fips_mode():
++        def _decorator(func):
++            def _wrapper(self, *args, **kwargs):
++                with self.assertRaises(expected_error):
++                    func(self, *args, **kwargs)
++            return _wrapper
++    else:
++        def _decorator(func):
++            return func
++    return _decorator
++
++
+ @contextlib.contextmanager
+ def adjust_int_max_str_digits(max_digits):
+     """Temporarily change the integer string conversion length limit."""
+diff --git a/Lib/test/test_cmd_line_script.py b/Lib/test/test_cmd_line_script.py
+index 1b58882..d6caff1 100644
+--- a/Lib/test/test_cmd_line_script.py
++++ b/Lib/test/test_cmd_line_script.py
+@@ -286,6 +286,7 @@ class CmdLineTest(unittest.TestCase):
+             self._check_script(zip_name, run_name, zip_name, zip_name, '',
+                                zipimport.zipimporter)
+ 
++    @support.fails_in_fips_mode(ImportError)
+     def test_zipfile_compiled_checked_hash(self):
+         with os_helper.temp_dir() as script_dir:
+             script_name = _make_test_script(script_dir, '__main__')
+@@ -296,6 +297,7 @@ class CmdLineTest(unittest.TestCase):
+             self._check_script(zip_name, run_name, zip_name, zip_name, '',
+                                zipimport.zipimporter)
+ 
++    @support.fails_in_fips_mode(ImportError)
+     def test_zipfile_compiled_unchecked_hash(self):
+         with os_helper.temp_dir() as script_dir:
+             script_name = _make_test_script(script_dir, '__main__')
+diff --git a/Lib/test/test_compileall.py b/Lib/test/test_compileall.py
+index 9cd92ad..4ec29a1 100644
+--- a/Lib/test/test_compileall.py
++++ b/Lib/test/test_compileall.py
+@@ -806,14 +806,23 @@ class CommandLineTestsBase:
+         out = self.assertRunOK('badfilename')
+         self.assertRegex(out, b"Can't list 'badfilename'")
+ 
+-    def test_pyc_invalidation_mode(self):
++    @support.fails_in_fips_mode(AssertionError)
++    def test_pyc_invalidation_mode_checked(self):
+         script_helper.make_script(self.pkgdir, 'f1', '')
+         pyc = importlib.util.cache_from_source(
+             os.path.join(self.pkgdir, 'f1.py'))
++
+         self.assertRunOK('--invalidation-mode=checked-hash', self.pkgdir)
+         with open(pyc, 'rb') as fp:
+             data = fp.read()
+         self.assertEqual(int.from_bytes(data[4:8], 'little'), 0b11)
++
++    @support.fails_in_fips_mode(AssertionError)
++    def test_pyc_invalidation_mode_unchecked(self):
++        script_helper.make_script(self.pkgdir, 'f1', '')
++        pyc = importlib.util.cache_from_source(
++            os.path.join(self.pkgdir, 'f1.py'))
++
+         self.assertRunOK('--invalidation-mode=unchecked-hash', self.pkgdir)
+         with open(pyc, 'rb') as fp:
+             data = fp.read()
+diff --git a/Lib/test/test_importlib/source/test_file_loader.py b/Lib/test/test_importlib/source/test_file_loader.py
+index f35adec..62087c6 100644
+--- a/Lib/test/test_importlib/source/test_file_loader.py
++++ b/Lib/test/test_importlib/source/test_file_loader.py
+@@ -16,6 +16,7 @@ import types
+ import unittest
+ import warnings
+ 
++from test import support
+ from test.support.import_helper import make_legacy_pyc, unload
+ 
+ from test.test_py_compile import without_source_date_epoch
+@@ -237,6 +238,7 @@ class SimpleTest(abc.LoaderTests):
+                 loader.load_module('bad name')
+ 
+     @util.writes_bytecode_files
++    @support.fails_in_fips_mode(ImportError)
+     def test_checked_hash_based_pyc(self):
+         with util.create_modules('_temp') as mapping:
+             source = mapping['_temp']
+@@ -268,6 +270,7 @@ class SimpleTest(abc.LoaderTests):
+             )
+ 
+     @util.writes_bytecode_files
++    @support.fails_in_fips_mode(ImportError)
+     def test_overridden_checked_hash_based_pyc(self):
+         with util.create_modules('_temp') as mapping, \
+              unittest.mock.patch('_imp.check_hash_based_pycs', 'never'):
+@@ -293,6 +296,7 @@ class SimpleTest(abc.LoaderTests):
+             self.assertEqual(mod.state, 'old')
+ 
+     @util.writes_bytecode_files
++    @support.fails_in_fips_mode(ImportError)
+     def test_unchecked_hash_based_pyc(self):
+         with util.create_modules('_temp') as mapping:
+             source = mapping['_temp']
+@@ -323,6 +327,7 @@ class SimpleTest(abc.LoaderTests):
+             )
+ 
+     @util.writes_bytecode_files
++    @support.fails_in_fips_mode(ImportError)
+     def test_overridden_unchecked_hash_based_pyc(self):
+         with util.create_modules('_temp') as mapping, \
+              unittest.mock.patch('_imp.check_hash_based_pycs', 'always'):
+@@ -432,6 +437,7 @@ class BadBytecodeTest:
+                                                del_source=del_source)
+             test('_temp', mapping, bc_path)
+ 
++    @support.fails_in_fips_mode(ImportError)
+     def _test_partial_hash(self, test, *, del_source=False):
+         with util.create_modules('_temp') as mapping:
+             bc_path = self.manipulate_bytecode(
+diff --git a/Lib/test/test_py_compile.py b/Lib/test/test_py_compile.py
+index c4e6551..81fd962 100644
+--- a/Lib/test/test_py_compile.py
++++ b/Lib/test/test_py_compile.py
+@@ -141,13 +141,16 @@ class PyCompileTestsBase:
+             importlib.util.cache_from_source(bad_coding)))
+ 
+     def test_source_date_epoch(self):
++        import _hashlib
+         py_compile.compile(self.source_path, self.pyc_path)
+         self.assertTrue(os.path.exists(self.pyc_path))
+         self.assertFalse(os.path.exists(self.cache_path))
+         with open(self.pyc_path, 'rb') as fp:
+             flags = importlib._bootstrap_external._classify_pyc(
+                 fp.read(), 'test', {})
+-        if os.environ.get('SOURCE_DATE_EPOCH'):
++        if _hashlib.get_fips_mode():
++            expected_flags = 0b00
++        elif os.environ.get('SOURCE_DATE_EPOCH'):
+             expected_flags = 0b11
+         else:
+             expected_flags = 0b00
+@@ -178,7 +181,8 @@ class PyCompileTestsBase:
+         # Specifying optimized bytecode should lead to a path reflecting that.
+         self.assertIn('opt-2', py_compile.compile(self.source_path, optimize=2))
+ 
+-    def test_invalidation_mode(self):
++    @support.fails_in_fips_mode(ImportError)
++    def test_invalidation_mode_checked(self):
+         py_compile.compile(
+             self.source_path,
+             invalidation_mode=py_compile.PycInvalidationMode.CHECKED_HASH,
+@@ -187,6 +191,9 @@ class PyCompileTestsBase:
+             flags = importlib._bootstrap_external._classify_pyc(
+                 fp.read(), 'test', {})
+         self.assertEqual(flags, 0b11)
++
++    @support.fails_in_fips_mode(ImportError)
++    def test_invalidation_mode_unchecked(self):
+         py_compile.compile(
+             self.source_path,
+             invalidation_mode=py_compile.PycInvalidationMode.UNCHECKED_HASH,
+diff --git a/Lib/test/test_zipimport.py b/Lib/test/test_zipimport.py
+index 14c1971..bcd1466 100644
+--- a/Lib/test/test_zipimport.py
++++ b/Lib/test/test_zipimport.py
+@@ -190,6 +190,7 @@ class UncompressedZipImportTestCase(ImportHooksBaseTestCase):
+                  TESTMOD + pyc_ext: (NOW, test_pyc)}
+         self.doTest(pyc_ext, files, TESTMOD)
+ 
++    @support.fails_in_fips_mode(ImportError)
+     def testUncheckedHashBasedPyc(self):
+         source = b"state = 'old'"
+         source_hash = importlib.util.source_hash(source)
+@@ -204,6 +205,7 @@ class UncompressedZipImportTestCase(ImportHooksBaseTestCase):
+             self.assertEqual(mod.state, 'old')
+         self.doTest(None, files, TESTMOD, call=check)
+ 
++    @support.fails_in_fips_mode(ImportError)
+     @unittest.mock.patch('_imp.check_hash_based_pycs', 'always')
+     def test_checked_hash_based_change_pyc(self):
+         source = b"state = 'old'"
+diff --git a/Python/import.c b/Python/import.c
+index 54232a1..236786b 100644
+--- a/Python/import.c
++++ b/Python/import.c
+@@ -3829,6 +3829,26 @@ static PyObject *
+ _imp_source_hash_impl(PyObject *module, long key, Py_buffer *source)
+ /*[clinic end generated code: output=edb292448cf399ea input=9aaad1e590089789]*/
+ {
++    PyObject *_hashlib = PyImport_ImportModule("_hashlib");
++    if (_hashlib == NULL) {
++        return NULL;
++    }
++    PyObject *fips_mode_obj = PyObject_CallMethod(_hashlib, "get_fips_mode", NULL);
++    Py_DECREF(_hashlib);
++    if (fips_mode_obj == NULL) {
++        return NULL;
++    }
++    int fips_mode = PyObject_IsTrue(fips_mode_obj);
++    Py_DECREF(fips_mode_obj);
++    if (fips_mode < 0) {
++        return NULL;
++    }
++    if (fips_mode) {
++        PyErr_SetString(
++            PyExc_ImportError,
++            "hash-based PYC validation (siphash24) not available in FIPS mode");
++        return NULL;
++    };
+     union {
+         uint64_t x;
+         char data[sizeof(uint64_t)];
+-- 
+2.43.0
 

SOURCES/00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch

@@ -16,10 +16,10 @@ https://github.com/GrahamDumpleton/mod_wsgi/issues/730
  2 files changed, 8 insertions(+), 50 deletions(-)
 
 diff --git a/Lib/test/test_threading.py b/Lib/test/test_threading.py
-index 75a56f7830..c2509fced1 100644
+index 756d5e329f..5d09775efc 100644
 --- a/Lib/test/test_threading.py
 +++ b/Lib/test/test_threading.py
-@@ -1100,39 +1100,6 @@ def noop(): pass
+@@ -1007,39 +1007,6 @@ def noop(): pass
              threading.Thread(target=noop).start()
              # Thread.join() is not called
  
@@ -56,14 +56,14 @@ index 75a56f7830..c2509fced1 100644
 -        self.assertEqual(out, b'')
 -        self.assertEqual(err, b'')
 -
-     def test_start_new_thread_at_finalization(self):
+     def test_start_new_thread_at_exit(self):
          code = """if 1:
-             import _thread
+             import atexit
 diff --git a/Lib/threading.py b/Lib/threading.py
-index 0bba85d08a..b256e3273f 100644
+index 8dcaf8ca6a..ed0b0f4632 100644
 --- a/Lib/threading.py
 +++ b/Lib/threading.py
-@@ -1587,29 +1587,20 @@ def _shutdown():
+@@ -1586,29 +1586,20 @@ def _shutdown():
  
      global _SHUTTING_DOWN
      _SHUTTING_DOWN = True

SOURCES/00397-tarfile-filter.patch

@@ -1,24 +1,19 @@
-From ddd8064257a1916726b784d43f18e889ea1634f7 Mon Sep 17 00:00:00 2001
+From 73d2995223c725638d53b9cb8e1d26b82daf0874 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <encukou@gmail.com>
-Date: Tue, 2 Jul 2024 11:40:37 +0200
+Date: Mon, 6 Mar 2023 17:24:24 +0100
 Subject: [PATCH] CVE-2007-4559, PEP-706: Add filters for tarfile extraction
  (downstream)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
 
 Add and test RHEL-specific ways of configuring the default behavior: environment
 variable and config file.
-
-Co-Authored-By: Tomáš Hrnčiar <thrnciar@redhat.com>
 ---
- Lib/tarfile.py           |  47 +++++++++++--
+ Lib/tarfile.py           |  47 +++++++++++++--
  Lib/test/test_shutil.py  |   2 +-
- Lib/test/test_tarfile.py | 147 +++++++++++++++++++++++++++++++++++++--
+ Lib/test/test_tarfile.py | 123 ++++++++++++++++++++++++++++++++++++++-
- 3 files changed, 185 insertions(+), 11 deletions(-)
+ 3 files changed, 163 insertions(+), 9 deletions(-)
 
 diff --git a/Lib/tarfile.py b/Lib/tarfile.py
-index e1487e3..89b6843 100755
+index 02f5e3b..f7109f3 100755
 --- a/Lib/tarfile.py
 +++ b/Lib/tarfile.py
 @@ -71,6 +71,13 @@ __all__ = ["TarFile", "TarInfo", "is_tarfile", "TarError", "ReadError",
@@ -35,7 +30,7 @@ index e1487e3..89b6843 100755
  
  #---------------------------------------------------------
  # tar constants
-@@ -2218,11 +2225,41 @@ class TarFile(object):
+@@ -2217,11 +2224,41 @@ class TarFile(object):
          if filter is None:
              filter = self.extraction_filter
              if filter is None:
@@ -43,7 +38,7 @@ index e1487e3..89b6843 100755
 -                    'Python 3.14 will, by default, filter extracted tar '
 -                    + 'archives and reject files or modify their metadata. '
 -                    + 'Use the filter argument to control this behavior.',
--                    DeprecationWarning, stacklevel=3)
+-                    DeprecationWarning)
 +                name = os.environ.get('PYTHON_TARFILE_EXTRACTION_FILTER')
 +                if name is None:
 +                    try:
@@ -77,16 +72,16 @@ index e1487e3..89b6843 100755
 +                        + 'and some mode bits are cleared. '
 +                        + 'See https://access.redhat.com/articles/7004769 '
 +                        + 'for more details.',
-+                        RuntimeWarning, stacklevel=3)
++                        RuntimeWarning)
 +                    return tar_filter
                  return fully_trusted_filter
              if isinstance(filter, str):
                  raise TypeError(
 diff --git a/Lib/test/test_shutil.py b/Lib/test/test_shutil.py
-index 7bc5d12..88b4bdb 100644
+index 5fd8fb4..501da8f 100644
 --- a/Lib/test/test_shutil.py
 +++ b/Lib/test/test_shutil.py
-@@ -2096,7 +2096,7 @@ class TestArchives(BaseTest, unittest.TestCase):
+@@ -1950,7 +1950,7 @@ class TestArchives(BaseTest, unittest.TestCase):
          self.check_unpack_archive(format, filter='fully_trusted')
          self.check_unpack_archive(format, filter='data')
          with warnings_helper.check_warnings(
@@ -96,48 +91,10 @@ index 7bc5d12..88b4bdb 100644
  
      def test_unpack_archive_tar(self):
 diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
-index 3fbd25e..9aa727e 100644
+index c5fc76d..397e334 100644
 --- a/Lib/test/test_tarfile.py
 +++ b/Lib/test/test_tarfile.py
-@@ -727,7 +727,17 @@ class MiscReadTestBase(CommonReadTest):
+@@ -3097,8 +3097,8 @@ class NoneInfoExtractTests(ReadTest):
-             tarfile.open(tarname, encoding="iso8859-1") as tar
-         ):
-             directories = [t for t in tar if t.isdir()]
--            with self.assertWarnsRegex(DeprecationWarning, "Use the filter argument") as cm:
-+            with self.assertWarnsRegex(
-+                RuntimeWarning,
-+                re.escape(
-+                    'The default behavior of tarfile extraction has been '
-+                    'changed to disallow common exploits '
-+                    '(including CVE-2007-4559). '
-+                    'By default, absolute/parent paths are disallowed '
-+                    'and some mode bits are cleared. '
-+                    'See https://access.redhat.com/articles/7004769 '
-+                    'for more details.'
-+                )) as cm:
-                 tar.extractall(DIR, directories)
-             # check that the stacklevel of the deprecation warning is correct:
-             self.assertEqual(cm.filename, __file__)
-@@ -740,7 +750,17 @@ class MiscReadTestBase(CommonReadTest):
-             tarfile.open(tarname, encoding="iso8859-1") as tar
-         ):
-             tarinfo = tar.getmember(dirtype)
--            with self.assertWarnsRegex(DeprecationWarning, "Use the filter argument") as cm:
-+            with self.assertWarnsRegex(
-+                RuntimeWarning,
-+                re.escape(
-+                    'The default behavior of tarfile extraction has been '
-+                    'changed to disallow common exploits '
-+                    '(including CVE-2007-4559). '
-+                    'By default, absolute/parent paths are disallowed '
-+                    'and some mode bits are cleared. '
-+                    'See https://access.redhat.com/articles/7004769 '
-+                    'for more details.'
-+                )) as cm:
-                 tar.extract(tarinfo, path=DIR)
-             # check that the stacklevel of the deprecation warning is correct:
-             self.assertEqual(cm.filename, __file__)
-@@ -3144,8 +3164,8 @@ class NoneInfoExtractTests(ReadTest):
          tar.errorlevel = 0
          with ExitStack() as cm:
              if cls.extraction_filter is None:
@@ -148,7 +105,7 @@ index 3fbd25e..9aa727e 100644
              tar.extractall(cls.control_dir, filter=cls.extraction_filter)
          tar.close()
          cls.control_paths = set(
-@@ -3966,7 +3986,7 @@ class TestExtractionFilters(unittest.TestCase):
+@@ -3919,7 +3919,7 @@ class TestExtractionFilters(unittest.TestCase):
          with ArchiveMaker() as arc:
              arc.add('foo')
          with warnings_helper.check_warnings(
@@ -157,7 +114,7 @@ index 3fbd25e..9aa727e 100644
              with self.check_context(arc.open(), None):
                  self.expect_file('foo')
  
-@@ -4136,6 +4156,123 @@ class TestExtractionFilters(unittest.TestCase):
+@@ -4089,6 +4089,123 @@ class TestExtractionFilters(unittest.TestCase):
              self.expect_exception(TypeError)  # errorlevel is not int
  
  
@@ -278,9 +235,9 @@ index 3fbd25e..9aa727e 100644
 +                self.check_trusted_default(tar, tempdir)
 +
 +
- class OverwriteTests(archiver_tests.OverwriteTests, unittest.TestCase):
+ def setUpModule():
-     testdir = os.path.join(TEMPDIR, "testoverwrite")
+     os_helper.unlink(TEMPDIR)
- 
+     os.makedirs(TEMPDIR)
 -- 
-2.44.0
+2.43.0
 

SOURCES/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch

@@ -0,0 +1,483 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Victor Stinner <vstinner@python.org>
+Date: Fri, 15 Dec 2023 16:10:40 +0100
+Subject: [PATCH] 00415: [CVE-2023-27043] gh-102988: Reject malformed addresses
+ in email.parseaddr() (#111116)
+
+Detect email address parsing errors and return empty tuple to
+indicate the parsing error (old API). Add an optional 'strict'
+parameter to getaddresses() and parseaddr() functions. Patch by
+Thomas Dwyer.
+
+Co-Authored-By: Thomas Dwyer <github@tomd.tel>
+---
+ Doc/library/email.utils.rst                   |  19 +-
+ Lib/email/utils.py                            | 151 +++++++++++++-
+ Lib/test/test_email/test_email.py             | 187 +++++++++++++++++-
+ ...-10-20-15-28-08.gh-issue-102988.dStNO7.rst |   8 +
+ 4 files changed, 344 insertions(+), 21 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst
+
+diff --git a/Doc/library/email.utils.rst b/Doc/library/email.utils.rst
+index 345b64001c..d693a9bc39 100644
+--- a/Doc/library/email.utils.rst
++++ b/Doc/library/email.utils.rst
+@@ -58,13 +58,18 @@ of the new API.
+    begins with angle brackets, they are stripped off.
+ 
+ 
+-.. function:: parseaddr(address)
++.. function:: parseaddr(address, *, strict=True)
+ 
+    Parse address -- which should be the value of some address-containing field such
+    as :mailheader:`To` or :mailheader:`Cc` -- into its constituent *realname* and
+    *email address* parts.  Returns a tuple of that information, unless the parse
+    fails, in which case a 2-tuple of ``('', '')`` is returned.
+ 
++   If *strict* is true, use a strict parser which rejects malformed inputs.
++
++   .. versionchanged:: 3.13
++      Add *strict* optional parameter and reject malformed inputs by default.
++
+ 
+ .. function:: formataddr(pair, charset='utf-8')
+ 
+@@ -82,12 +87,15 @@ of the new API.
+       Added the *charset* option.
+ 
+ 
+-.. function:: getaddresses(fieldvalues)
++.. function:: getaddresses(fieldvalues, *, strict=True)
+ 
+    This method returns a list of 2-tuples of the form returned by ``parseaddr()``.
+    *fieldvalues* is a sequence of header field values as might be returned by
+-   :meth:`Message.get_all <email.message.Message.get_all>`.  Here's a simple
+-   example that gets all the recipients of a message::
++   :meth:`Message.get_all <email.message.Message.get_all>`.
++
++   If *strict* is true, use a strict parser which rejects malformed inputs.
++
++   Here's a simple example that gets all the recipients of a message::
+ 
+       from email.utils import getaddresses
+ 
+@@ -97,6 +105,9 @@ of the new API.
+       resent_ccs = msg.get_all('resent-cc', [])
+       all_recipients = getaddresses(tos + ccs + resent_tos + resent_ccs)
+ 
++   .. versionchanged:: 3.13
++      Add *strict* optional parameter and reject malformed inputs by default.
++
+ 
+ .. function:: parsedate(date)
+ 
+diff --git a/Lib/email/utils.py b/Lib/email/utils.py
+index 81da5394ea..43c3627fca 100644
+--- a/Lib/email/utils.py
++++ b/Lib/email/utils.py
+@@ -48,6 +48,7 @@
+ specialsre = re.compile(r'[][\\()<>@,:;".]')
+ escapesre = re.compile(r'[\\"]')
+ 
++
+ def _has_surrogates(s):
+     """Return True if s contains surrogate-escaped binary data."""
+     # This check is based on the fact that unless there are surrogates, utf8
+@@ -106,12 +107,127 @@ def formataddr(pair, charset='utf-8'):
+     return address
+ 
+ 
++def _iter_escaped_chars(addr):
++    pos = 0
++    escape = False
++    for pos, ch in enumerate(addr):
++        if escape:
++            yield (pos, '\\' + ch)
++            escape = False
++        elif ch == '\\':
++            escape = True
++        else:
++            yield (pos, ch)
++    if escape:
++        yield (pos, '\\')
+ 
+-def getaddresses(fieldvalues):
+-    """Return a list of (REALNAME, EMAIL) for each fieldvalue."""
+-    all = COMMASPACE.join(str(v) for v in fieldvalues)
+-    a = _AddressList(all)
+-    return a.addresslist
++
++def _strip_quoted_realnames(addr):
++    """Strip real names between quotes."""
++    if '"' not in addr:
++        # Fast path
++        return addr
++
++    start = 0
++    open_pos = None
++    result = []
++    for pos, ch in _iter_escaped_chars(addr):
++        if ch == '"':
++            if open_pos is None:
++                open_pos = pos
++            else:
++                if start != open_pos:
++                    result.append(addr[start:open_pos])
++                start = pos + 1
++                open_pos = None
++
++    if start < len(addr):
++        result.append(addr[start:])
++
++    return ''.join(result)
++
++
++supports_strict_parsing = True
++
++def getaddresses(fieldvalues, *, strict=True):
++    """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue.
++
++    When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in
++    its place.
++
++    If strict is true, use a strict parser which rejects malformed inputs.
++    """
++
++    # If strict is true, if the resulting list of parsed addresses is greater
++    # than the number of fieldvalues in the input list, a parsing error has
++    # occurred and consequently a list containing a single empty 2-tuple [('',
++    # '')] is returned in its place. This is done to avoid invalid output.
++    #
++    # Malformed input: getaddresses(['alice@example.com <bob@example.com>'])
++    # Invalid output: [('', 'alice@example.com'), ('', 'bob@example.com')]
++    # Safe output: [('', '')]
++
++    if not strict:
++        all = COMMASPACE.join(str(v) for v in fieldvalues)
++        a = _AddressList(all)
++        return a.addresslist
++
++    fieldvalues = [str(v) for v in fieldvalues]
++    fieldvalues = _pre_parse_validation(fieldvalues)
++    addr = COMMASPACE.join(fieldvalues)
++    a = _AddressList(addr)
++    result = _post_parse_validation(a.addresslist)
++
++    # Treat output as invalid if the number of addresses is not equal to the
++    # expected number of addresses.
++    n = 0
++    for v in fieldvalues:
++        # When a comma is used in the Real Name part it is not a deliminator.
++        # So strip those out before counting the commas.
++        v = _strip_quoted_realnames(v)
++        # Expected number of addresses: 1 + number of commas
++        n += 1 + v.count(',')
++    if len(result) != n:
++        return [('', '')]
++
++    return result
++
++
++def _check_parenthesis(addr):
++    # Ignore parenthesis in quoted real names.
++    addr = _strip_quoted_realnames(addr)
++
++    opens = 0
++    for pos, ch in _iter_escaped_chars(addr):
++        if ch == '(':
++            opens += 1
++        elif ch == ')':
++            opens -= 1
++            if opens < 0:
++                return False
++    return (opens == 0)
++
++
++def _pre_parse_validation(email_header_fields):
++    accepted_values = []
++    for v in email_header_fields:
++        if not _check_parenthesis(v):
++            v = "('', '')"
++        accepted_values.append(v)
++
++    return accepted_values
++
++
++def _post_parse_validation(parsed_email_header_tuples):
++    accepted_values = []
++    # The parser would have parsed a correctly formatted domain-literal
++    # The existence of an [ after parsing indicates a parsing failure
++    for v in parsed_email_header_tuples:
++        if '[' in v[1]:
++            v = ('', '')
++        accepted_values.append(v)
++
++    return accepted_values
+ 
+ 
+ def _format_timetuple_and_zone(timetuple, zone):
+@@ -205,16 +321,33 @@ def parsedate_to_datetime(data):
+             tzinfo=datetime.timezone(datetime.timedelta(seconds=tz)))
+ 
+ 
+-def parseaddr(addr):
++def parseaddr(addr, *, strict=True):
+     """
+     Parse addr into its constituent realname and email address parts.
+ 
+     Return a tuple of realname and email address, unless the parse fails, in
+     which case return a 2-tuple of ('', '').
++
++    If strict is True, use a strict parser which rejects malformed inputs.
+     """
+-    addrs = _AddressList(addr).addresslist
+-    if not addrs:
+-        return '', ''
++    if not strict:
++        addrs = _AddressList(addr).addresslist
++        if not addrs:
++            return ('', '')
++        return addrs[0]
++
++    if isinstance(addr, list):
++        addr = addr[0]
++
++    if not isinstance(addr, str):
++        return ('', '')
++
++    addr = _pre_parse_validation([addr])[0]
++    addrs = _post_parse_validation(_AddressList(addr).addresslist)
++
++    if not addrs or len(addrs) > 1:
++        return ('', '')
++
+     return addrs[0]
+ 
+ 
+diff --git a/Lib/test/test_email/test_email.py b/Lib/test/test_email/test_email.py
+index 2a237095b9..4672b790d8 100644
+--- a/Lib/test/test_email/test_email.py
++++ b/Lib/test/test_email/test_email.py
+@@ -16,6 +16,7 @@
+ 
+ import email
+ import email.policy
++import email.utils
+ 
+ from email.charset import Charset
+ from email.generator import Generator, DecodedGenerator, BytesGenerator
+@@ -3337,15 +3338,137 @@ def test_getaddresses_comma_in_name(self):
+             ],
+         )
+ 
++    def test_parsing_errors(self):
++        """Test for parsing errors from CVE-2023-27043 and CVE-2019-16056"""
++        alice = 'alice@example.org'
++        bob = 'bob@example.com'
++        empty = ('', '')
++
++        # Test utils.getaddresses() and utils.parseaddr() on malformed email
++        # addresses: default behavior (strict=True) rejects malformed address,
++        # and strict=False which tolerates malformed address.
++        for invalid_separator, expected_non_strict in (
++            ('(', [(f'<{bob}>', alice)]),
++            (')', [('', alice), empty, ('', bob)]),
++            ('<', [('', alice), empty, ('', bob), empty]),
++            ('>', [('', alice), empty, ('', bob)]),
++            ('[', [('', f'{alice}[<{bob}>]')]),
++            (']', [('', alice), empty, ('', bob)]),
++            ('@', [empty, empty, ('', bob)]),
++            (';', [('', alice), empty, ('', bob)]),
++            (':', [('', alice), ('', bob)]),
++            ('.', [('', alice + '.'), ('', bob)]),
++            ('"', [('', alice), ('', f'<{bob}>')]),
++        ):
++            address = f'{alice}{invalid_separator}<{bob}>'
++            with self.subTest(address=address):
++                self.assertEqual(utils.getaddresses([address]),
++                                 [empty])
++                self.assertEqual(utils.getaddresses([address], strict=False),
++                                 expected_non_strict)
++
++                self.assertEqual(utils.parseaddr([address]),
++                                 empty)
++                self.assertEqual(utils.parseaddr([address], strict=False),
++                                 ('', address))
++
++        # Comma (',') is treated differently depending on strict parameter.
++        # Comma without quotes.
++        address = f'{alice},<{bob}>'
++        self.assertEqual(utils.getaddresses([address]),
++                         [('', alice), ('', bob)])
++        self.assertEqual(utils.getaddresses([address], strict=False),
++                         [('', alice), ('', bob)])
++        self.assertEqual(utils.parseaddr([address]),
++                         empty)
++        self.assertEqual(utils.parseaddr([address], strict=False),
++                         ('', address))
++
++        # Real name between quotes containing comma.
++        address = '"Alice, alice@example.org" <bob@example.com>'
++        expected_strict = ('Alice, alice@example.org', 'bob@example.com')
++        self.assertEqual(utils.getaddresses([address]), [expected_strict])
++        self.assertEqual(utils.getaddresses([address], strict=False), [expected_strict])
++        self.assertEqual(utils.parseaddr([address]), expected_strict)
++        self.assertEqual(utils.parseaddr([address], strict=False),
++                         ('', address))
++
++        # Valid parenthesis in comments.
++        address = 'alice@example.org (Alice)'
++        expected_strict = ('Alice', 'alice@example.org')
++        self.assertEqual(utils.getaddresses([address]), [expected_strict])
++        self.assertEqual(utils.getaddresses([address], strict=False), [expected_strict])
++        self.assertEqual(utils.parseaddr([address]), expected_strict)
++        self.assertEqual(utils.parseaddr([address], strict=False),
++                         ('', address))
++
++        # Invalid parenthesis in comments.
++        address = 'alice@example.org )Alice('
++        self.assertEqual(utils.getaddresses([address]), [empty])
++        self.assertEqual(utils.getaddresses([address], strict=False),
++                         [('', 'alice@example.org'), ('', ''), ('', 'Alice')])
++        self.assertEqual(utils.parseaddr([address]), empty)
++        self.assertEqual(utils.parseaddr([address], strict=False),
++                         ('', address))
++
++        # Two addresses with quotes separated by comma.
++        address = '"Jane Doe" <jane@example.net>, "John Doe" <john@example.net>'
++        self.assertEqual(utils.getaddresses([address]),
++                         [('Jane Doe', 'jane@example.net'),
++                          ('John Doe', 'john@example.net')])
++        self.assertEqual(utils.getaddresses([address], strict=False),
++                         [('Jane Doe', 'jane@example.net'),
++                          ('John Doe', 'john@example.net')])
++        self.assertEqual(utils.parseaddr([address]), empty)
++        self.assertEqual(utils.parseaddr([address], strict=False),
++                         ('', address))
++
++        # Test email.utils.supports_strict_parsing attribute
++        self.assertEqual(email.utils.supports_strict_parsing, True)
++
+     def test_getaddresses_nasty(self):
+-        eq = self.assertEqual
+-        eq(utils.getaddresses(['foo: ;']), [('', '')])
+-        eq(utils.getaddresses(
+-           ['[]*-- =~$']),
+-           [('', ''), ('', ''), ('', '*--')])
+-        eq(utils.getaddresses(
+-           ['foo: ;', '"Jason R. Mastaler" <jason@dom.ain>']),
+-           [('', ''), ('Jason R. Mastaler', 'jason@dom.ain')])
++        for addresses, expected in (
++            (['"Sürname, Firstname" <to@example.com>'],
++             [('Sürname, Firstname', 'to@example.com')]),
++
++            (['foo: ;'],
++             [('', '')]),
++
++            (['foo: ;', '"Jason R. Mastaler" <jason@dom.ain>'],
++             [('', ''), ('Jason R. Mastaler', 'jason@dom.ain')]),
++
++            ([r'Pete(A nice \) chap) <pete(his account)@silly.test(his host)>'],
++             [('Pete (A nice ) chap his account his host)', 'pete@silly.test')]),
++
++            (['(Empty list)(start)Undisclosed recipients  :(nobody(I know))'],
++             [('', '')]),
++
++            (['Mary <@machine.tld:mary@example.net>, , jdoe@test   . example'],
++             [('Mary', 'mary@example.net'), ('', ''), ('', 'jdoe@test.example')]),
++
++            (['John Doe <jdoe@machine(comment).  example>'],
++             [('John Doe (comment)', 'jdoe@machine.example')]),
++
++            (['"Mary Smith: Personal Account" <smith@home.example>'],
++             [('Mary Smith: Personal Account', 'smith@home.example')]),
++
++            (['Undisclosed recipients:;'],
++             [('', '')]),
++
++            ([r'<boss@nil.test>, "Giant; \"Big\" Box" <bob@example.net>'],
++             [('', 'boss@nil.test'), ('Giant; "Big" Box', 'bob@example.net')]),
++        ):
++            with self.subTest(addresses=addresses):
++                self.assertEqual(utils.getaddresses(addresses),
++                                 expected)
++                self.assertEqual(utils.getaddresses(addresses, strict=False),
++                                 expected)
++
++        addresses = ['[]*-- =~$']
++        self.assertEqual(utils.getaddresses(addresses),
++                         [('', '')])
++        self.assertEqual(utils.getaddresses(addresses, strict=False),
++                         [('', ''), ('', ''), ('', '*--')])
+ 
+     def test_getaddresses_embedded_comment(self):
+         """Test proper handling of a nested comment"""
+@@ -3536,6 +3659,54 @@ def test_mime_classes_policy_argument(self):
+                 m = cls(*constructor, policy=email.policy.default)
+                 self.assertIs(m.policy, email.policy.default)
+ 
++    def test_iter_escaped_chars(self):
++        self.assertEqual(list(utils._iter_escaped_chars(r'a\\b\"c\\"d')),
++                         [(0, 'a'),
++                          (2, '\\\\'),
++                          (3, 'b'),
++                          (5, '\\"'),
++                          (6, 'c'),
++                          (8, '\\\\'),
++                          (9, '"'),
++                          (10, 'd')])
++        self.assertEqual(list(utils._iter_escaped_chars('a\\')),
++                         [(0, 'a'), (1, '\\')])
++
++    def test_strip_quoted_realnames(self):
++        def check(addr, expected):
++            self.assertEqual(utils._strip_quoted_realnames(addr), expected)
++
++        check('"Jane Doe" <jane@example.net>, "John Doe" <john@example.net>',
++              ' <jane@example.net>,  <john@example.net>')
++        check(r'"Jane \"Doe\"." <jane@example.net>',
++              ' <jane@example.net>')
++
++        # special cases
++        check(r'before"name"after', 'beforeafter')
++        check(r'before"name"', 'before')
++        check(r'b"name"', 'b')  # single char
++        check(r'"name"after', 'after')
++        check(r'"name"a', 'a')  # single char
++        check(r'"name"', '')
++
++        # no change
++        for addr in (
++            'Jane Doe <jane@example.net>, John Doe <john@example.net>',
++            'lone " quote',
++        ):
++            self.assertEqual(utils._strip_quoted_realnames(addr), addr)
++
++
++    def test_check_parenthesis(self):
++        addr = 'alice@example.net'
++        self.assertTrue(utils._check_parenthesis(f'{addr} (Alice)'))
++        self.assertFalse(utils._check_parenthesis(f'{addr} )Alice('))
++        self.assertFalse(utils._check_parenthesis(f'{addr} (Alice))'))
++        self.assertFalse(utils._check_parenthesis(f'{addr} ((Alice)'))
++
++        # Ignore real name between quotes
++        self.assertTrue(utils._check_parenthesis(f'")Alice((" {addr}'))
++
+ 
+ # Test the iterator/generators
+ class TestIterators(TestEmailBase):
+diff --git a/Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst b/Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst
+new file mode 100644
+index 0000000000..3d0e9e4078
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2023-10-20-15-28-08.gh-issue-102988.dStNO7.rst
+@@ -0,0 +1,8 @@
++:func:`email.utils.getaddresses` and :func:`email.utils.parseaddr` now
++return ``('', '')`` 2-tuples in more situations where invalid email
++addresses are encountered instead of potentially inaccurate values. Add
++optional *strict* parameter to these two functions: use ``strict=False`` to
++get the old behavior, accept malformed inputs.
++``getattr(email.utils, 'supports_strict_parsing', False)`` can be use to check
++if the *strict* paramater is available. Patch by Thomas Dwyer and Victor
++Stinner to improve the CVE-2023-27043 fix.

SOURCES/Python-3.12.1.tar.xz.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEEcWlgX2LHUTVtBUomqCHmgOX6YwUFAmVyMspfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDcx
+Njk2MDVGNjJDNzUxMzU2RDA1NEEyNkE4MjFFNjgwRTVGQTYzMDUACgkQqCHmgOX6
+YwWv5w/+JlGtfy+x+6mtauH1uOkt7n9PMQou1LcthDs5s41wuwjO7RbwnmJD6aDk
+DqwLHheoq6Kjbl6PF1kG2T8ZbHkMudhnc5yH4eQG52IGNQ6evilxoC6AyhVg8ANi
++u6Juh9r2Hjz/LDWFB4hzwcOBKy0jYw98+A0uMvpPd2bmdFMBLQE0GTZCdrRsGYs
+q0oysUX7uCJBfINp7XwiVGAK/6ma0nrr0A1ho6LCau+VGkDnJZdKZgIMyyxp6qL1
+7tMjb3LUpV3FWp57L2za59TaayApNf5BlanC+de6oKEhEJ8oEFyWxOx2GmXHZwch
+ucj7Z1dxuI7fjNVkEvZ+JuheLGtB9mAmUZslXgUJf5wo49bCo9E4/ZlIFQk7VJR3
+Bm9VlQb5mMydB8QJbMy/BpgNjgKmEvBTnir37prJpUV/TL1YZT0eZ5JxCnlUIL/F
+6cOzAE3zHPnvHcyHhKV3q5CoONdBtB3RWgS66m4eMneuWoNKaoEbO5IDxtKvCd1J
+AKLmzCB0/KCWVUIYBTfJ8ytBVQA0Z2w8CZ7SC8asX4DocDCvxim1sQg5s8c4mzh+
+1JVbyqqEmf9m74Mqby0vICC6UVvgaPyiOxTphtRXLIYHUscLVn5+586RMYnM9nP4
+nEK+H/fq6Rcp1XEtIPzCG4IPUAYnuDLjbGQegltpKV/SAYn+DGg=
+=dCpy
+-----END PGP SIGNATURE-----

SPECS/python3.12.spec

@@ -16,12 +16,12 @@ URL: https://www.python.org/
 
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
-%global general_version %{pybasever}.13
+%global general_version %{pybasever}.1
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 2%{?dist}
+Release: 4%{?dist}
-License: Python-2.0.1
+License: Python
 
 
 # ==================================
@@ -65,55 +65,57 @@ License: Python-2.0.1
 # If the rpmwheels condition is disabled, we use the bundled wheel packages
 # from Python with the versions below.
 # This needs to be manually updated when we update Python.
-%global pip_version 25.0.1
+%global pip_version 23.2.1
-%global setuptools_version 79.0.1
+%global setuptools_version 67.6.1
 %global wheel_version 0.40.0
 # All of those also include a list of indirect bundled libs:
 # pip
 #  $ %%{_rpmconfigdir}/pythonbundles.py <(unzip -p Lib/ensurepip/_bundled/pip-*.whl pip/_vendor/vendor.txt)
 %global pip_bundled_provides %{expand:
-Provides: bundled(python3dist(cachecontrol)) = 0.14.1
+Provides: bundled(python3dist(cachecontrol)) = 0.12.11
-Provides: bundled(python3dist(certifi)) = 2024.8.30
+Provides: bundled(python3dist(certifi)) = 2023.5.7
-Provides: bundled(python3dist(distlib)) = 0.3.9
+Provides: bundled(python3dist(chardet)) = 5.1
-Provides: bundled(python3dist(distro)) = 1.9
+Provides: bundled(python3dist(colorama)) = 0.4.6
-Provides: bundled(python3dist(idna)) = 3.10
+Provides: bundled(python3dist(distlib)) = 0.3.6
-Provides: bundled(python3dist(msgpack)) = 1.1
+Provides: bundled(python3dist(distro)) = 1.8
-Provides: bundled(python3dist(packaging)) = 24.2
+Provides: bundled(python3dist(idna)) = 3.4
-Provides: bundled(python3dist(platformdirs)) = 4.3.6
+Provides: bundled(python3dist(msgpack)) = 1.0.5
-Provides: bundled(python3dist(pygments)) = 2.18
+Provides: bundled(python3dist(packaging)) = 21.3
-Provides: bundled(python3dist(pyproject-hooks)) = 1.2
+Provides: bundled(python3dist(platformdirs)) = 3.8.1
-Provides: bundled(python3dist(requests)) = 2.32.3
+Provides: bundled(python3dist(pygments)) = 2.15.1
+Provides: bundled(python3dist(pyparsing)) = 3.1
+Provides: bundled(python3dist(pyproject-hooks)) = 1
+Provides: bundled(python3dist(requests)) = 2.31
 Provides: bundled(python3dist(resolvelib)) = 1.0.1
-Provides: bundled(python3dist(rich)) = 13.9.4
+Provides: bundled(python3dist(rich)) = 13.4.2
-Provides: bundled(python3dist(setuptools)) = 70.3
+Provides: bundled(python3dist(setuptools)) = 68
-Provides: bundled(python3dist(tomli)) = 2.2.1
+Provides: bundled(python3dist(six)) = 1.16
-Provides: bundled(python3dist(truststore)) = 0.10
+Provides: bundled(python3dist(tenacity)) = 8.2.2
-Provides: bundled(python3dist(typing-extensions)) = 4.12.2
+Provides: bundled(python3dist(tomli)) = 2.0.1
-Provides: bundled(python3dist(urllib3)) = 1.26.20
+Provides: bundled(python3dist(typing-extensions)) = 4.7.1
+Provides: bundled(python3dist(urllib3)) = 1.26.16
+Provides: bundled(python3dist(webencodings)) = 0.5.1
 }
 # setuptools
-# vendor.txt not in .whl
+# vendor.txt files not in .whl
-# %%{_rpmconfigdir}/pythonbundles.py <(unzip -l Lib/test/wheeldata/setuptools-*.whl | grep -E '_vendor/.+dist-info/RECORD' | sed -E 's@^.*/([^-]+)-([^-]+)\.dist-info/.*$@\1==\2@')
+#  $ %%{_rpmconfigdir}/pythonbundles.py \
+#    <(curl -L https://github.com/pypa/setuptools/raw/v%%{setuptools_version}/setuptools/_vendor/vendored.txt) \
+#    <(curl -L https://github.com/pypa/setuptools/raw/v%%{setuptools_version}/pkg_resources/_vendor/vendored.txt)
 %global setuptools_bundled_provides %{expand:
-Provides: bundled(python3dist(autocommand)) = 2.2.2
+Provides: bundled(python3dist(importlib-metadata)) = 6
-Provides: bundled(python3dist(backports-tarfile)) = 1.2
+Provides: bundled(python3dist(importlib-resources)) = 5.10.2
-Provides: bundled(python3dist(importlib-metadata)) = 8
+Provides: bundled(python3dist(jaraco-text)) = 3.7
-Provides: bundled(python3dist(inflect)) = 7.3.1
+Provides: bundled(python3dist(more-itertools)) = 8.8
-Provides: bundled(python3dist(jaraco-collections)) = 5.1
+Provides: bundled(python3dist(ordered-set)) = 3.1.1
-Provides: bundled(python3dist(jaraco-context)) = 5.3
+Provides: bundled(python3dist(packaging)) = 23
-Provides: bundled(python3dist(jaraco-functools)) = 4.0.1
+Provides: bundled(python3dist(platformdirs)) = 2.6.2
-Provides: bundled(python3dist(jaraco-text)) = 3.12.1
-Provides: bundled(python3dist(more-itertools)) = 10.3
-Provides: bundled(python3dist(packaging)) = 24.2
-Provides: bundled(python3dist(platformdirs)) = 4.2.2
 Provides: bundled(python3dist(tomli)) = 2.0.1
-Provides: bundled(python3dist(typeguard)) = 4.3
+Provides: bundled(python3dist(typing-extensions)) = 4.0.1
-Provides: bundled(python3dist(typing-extensions)) = 4.12.2
+Provides: bundled(python3dist(typing-extensions)) = 4.4
-Provides: bundled(python3dist(wheel)) = 0.45.1
+Provides: bundled(python3dist(zipp)) = 3.7
-Provides: bundled(python3dist(zipp)) = 3.19.2
 }
 # wheel
-#  $ %%{_rpmconfigdir}/pythonbundles.py <(unzip -p Lib/test/wheeldata/wheel-*.whl wheel/vendored/vendor.txt)
+#  $ %%{_rpmconfigdir}/pythonbundles.py <(unzip -p Lib/test/wheel-*.whl wheel/vendored/vendor.txt)
 %global wheel_bundled_provides %{expand:
 Provides: bundled(python3dist(packaging)) = 23
 }
@@ -197,13 +199,6 @@ Provides: bundled(python3dist(packaging)) = 23
 %global py_INSTSONAME_optimized libpython%{LDVERSION_optimized}.so.%{py_SOVERSION}
 %global py_INSTSONAME_debug     libpython%{LDVERSION_debug}.so.%{py_SOVERSION}
 
-# The -O flag for the compiler, optimized builds
-# https://fedoraproject.org/wiki/Changes/Python_built_with_gcc_O3
-%global optflags_optimized -O3
-# The -O flag for the compiler, debug builds
-# -Wno-cpp avoids some warnings with -O0
-%global optflags_debug -O0 -Wno-cpp
-
 # Disable automatic bytecompilation. The python3 binary is not yet be
 # available in /usr/bin when Python is built. Also, the bytecompilation fails
 # on files that test invalid syntax.
@@ -336,7 +331,7 @@ Source11: idle3.appdata.xml
 
 # (Patches taken from github.com/fedora-python/cpython)
 
-# 00251 # 6a4ec74157aa01f1ada9f29f30a371cd9e5369e8
+# 00251 # cae5a6abc5df08239c85b83e4e250b6f2702e4f5
 # Change user install location
 #
 # Set values of base and platbase in sysconfig from /usr
@@ -385,70 +380,14 @@ Patch371: 00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-g
 # - https://access.redhat.com/articles/7004769
 Patch397: 00397-tarfile-filter.patch
 
-# 00422 # a353cebef737c41420dc7ae2469dd657371b8881
+# 00415 # 83e0fc3ec7bc38055c536f482578a10f6efcc08c
-# Fix tests for XMLPullParser with Expat 2.6.0
+# [CVE-2023-27043] gh-102988: Reject malformed addresses in email.parseaddr() (#111116)
 #
-# Feeding the parser by too small chunks defers parsing to prevent
+# Detect email address parsing errors and return empty tuple to
-# CVE-2023-52425. Future versions of Expat may be more reactive.
+# indicate the parsing error (old API). Add an optional 'strict'
-Patch422: 00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch
+# parameter to getaddresses() and parseaddr() functions. Patch by
-
+# Thomas Dwyer.
-# 00474 # 837ddca0372fa87ff9cee47142200caa21e77def
+Patch415: 00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch
-# CVE-2025-15366
-#
-# gh-143921: Reject control characters in IMAP commands
-#
-# (cherry-picked from commit 6262704b134db2a4ba12e85ecfbd968534f28b45)
-Patch474: 00474-cve-2025-15366.patch
-
-# 00475 # 3748209a316662d4e85981ca1a7418547a1d25c6
-# CVE-2025-15367
-#
-# gh-143923: Reject control characters in POP3 commands
-#
-# (cherry-picked from commit b234a2b67539f787e191d2ef19a7cbdce32874e7)
-Patch475: 00475-cve-2025-15367.patch
-
-# 00478 # eb93352dc8e31f4d52546b84daad875e6ff7f29e
-# CVE-2026-4519
-#
-# Reject leading dashes in webbrowser URLs (GH-146360)
-Patch478: 00478-cve-2026-4519.patch
-
-# 00479 # 97404b2cf62e545c2d41be7ccfed4e74da9ee665
-# CVE-2026-1502
-#
-# Reject CR/LF in HTTP tunnel request headers
-Patch479: 00479-cve-2026-1502.patch
-
-# 00480 # 6f4eef3ba4d9818a53698e994550ee8db17a1e2e
-# CVE-2026-4786
-#
-# Fix webbrowser `%%action` substitution bypass of dash-prefix check
-Patch480: 00480-cve-2026-4786.patch
-
-# 00482 # 69f14bc306fc62400d45565faa980b77858b9151
-# CVE-2026-6100
-#
-# Fix a possible UAF in {LZMA,BZ2,_Zlib}Decompressor
-Patch482: 00482-cve-2026-6100.patch
-
-# 00483 # 577c595137ce6ff92158ddaf2d7b7ea86437825d
-# CVE-2026-2297
-#
-# Logging Bypass in Legacy .pyc File Handling
-Patch483: 00483-cve-2026-2297.patch
-
-# 00484 # 8b5133c1ab17a060cd134bea2a4b6e1831c47fed
-# CVE-2026-3644
-#
-# Incomplete control character validation in http.cookies
-Patch484: 00484-cve-2026-3644.patch
-
-# 00485 # 12a5b206676927bcee131ab4f2bd6783d2f5914a
-# CVE-2026-4224
-#
-# Stack overflow parsing XML with deeply nested DTD content models
-Patch485: 00485-cve-2026-4224.patch
 
 # (New patches go here ^^^)
 #
@@ -816,8 +755,8 @@ If you want to build an RPM against the python%{pyshortver} module, you need to
 
 %if %{with rpmwheels}
 rm Lib/ensurepip/_bundled/pip-%{pip_version}-py3-none-any.whl
-rm Lib/test/wheeldata/setuptools-%{setuptools_version}-py3-none-any.whl
+rm Lib/test/setuptools-%{setuptools_version}-py3-none-any.whl
-rm Lib/test/wheeldata/wheel-%{wheel_version}-py3-none-any.whl
+rm Lib/test/wheel-%{wheel_version}-py3-none-any.whl
 %endif
 
 # Remove all exe files to ensure we are not shipping prebuilt binaries
@@ -896,7 +835,6 @@ BuildPython() {
   ConfName=$1
   ExtraConfigArgs=$2
   MoreCFlags=$3
-  MoreCFlagsNodist=$4
 
   # Each build is done in its own directory
   ConfDir=build/$ConfName
@@ -936,7 +874,7 @@ BuildPython() {
   $ExtraConfigArgs \
   %{nil}
 
-%global flags_override EXTRA_CFLAGS="$MoreCFlags" CFLAGS_NODIST="$CFLAGS_NODIST $MoreCFlags $MoreCFlagsNodist"
+%global flags_override EXTRA_CFLAGS="$MoreCFlags" CFLAGS_NODIST="$CFLAGS_NODIST $MoreCFlags"
 
 %if %{without bootstrap}
   # Regenerate generated files (needs python3)
@@ -959,14 +897,12 @@ BuildPython() {
 # See also: https://bugzilla.redhat.com/show_bug.cgi?id=1818857
 BuildPython debug \
   "--without-ensurepip --with-pydebug" \
-  "%{optflags_debug}" \
+  "-O0 -Wno-cpp"
-  ""
 %endif # with debug_build
 
 BuildPython optimized \
   "--without-ensurepip %{optimizations_flag}" \
-  "" \
+  ""
-  "%{optflags_optimized}"
 
 # ======================================================
 # Installing the built code:
@@ -1071,7 +1007,7 @@ EOF
 %if %{with debug_build}
 InstallPython debug \
   %{py_INSTSONAME_debug} \
-  "%{optflags_debug}" \
+  -O0 \
   %{LDVERSION_debug}
 %endif # with debug_build
 
@@ -1581,6 +1517,10 @@ fi
 %{dynload_dir}/termios.%{SOABI_optimized}.so
 %{dynload_dir}/unicodedata.%{SOABI_optimized}.so
 %{dynload_dir}/_uuid.%{SOABI_optimized}.so
+%{dynload_dir}/xxlimited.%{SOABI_optimized}.so
+%{dynload_dir}/xxlimited_35.%{SOABI_optimized}.so
+%{dynload_dir}/_xxsubinterpreters.%{SOABI_optimized}.so
+%{dynload_dir}/xxsubtype.%{SOABI_optimized}.so
 %{dynload_dir}/zlib.%{SOABI_optimized}.so
 %{dynload_dir}/_zoneinfo.%{SOABI_optimized}.so
 
@@ -1681,6 +1621,12 @@ fi
 
 %{pylibdir}/zoneinfo
 
+%dir %{pylibdir}/__phello__/
+%dir %{pylibdir}/__phello__/__pycache__/
+%{pylibdir}/__phello__/__init__.py
+%{pylibdir}/__phello__/spam.py
+%{pylibdir}/__phello__/__pycache__/*%{bytecode_suffixes}
+
 %if "%{_lib}" == "lib64"
 %attr(0755,root,root) %dir %{_prefix}/lib/python%{pybasever}
 %attr(0755,root,root) %dir %{_prefix}/lib/python%{pybasever}/site-packages
@@ -1780,17 +1726,7 @@ fi
 %{dynload_dir}/_testmultiphase.%{SOABI_optimized}.so
 %{dynload_dir}/_testsinglephase.%{SOABI_optimized}.so
 %{dynload_dir}/_xxinterpchannels.%{SOABI_optimized}.so
-%{dynload_dir}/_xxsubinterpreters.%{SOABI_optimized}.so
 %{dynload_dir}/_xxtestfuzz.%{SOABI_optimized}.so
-%{dynload_dir}/xxlimited.%{SOABI_optimized}.so
-%{dynload_dir}/xxlimited_35.%{SOABI_optimized}.so
-%{dynload_dir}/xxsubtype.%{SOABI_optimized}.so
-
-%dir %{pylibdir}/__phello__/
-%dir %{pylibdir}/__phello__/__pycache__/
-%{pylibdir}/__phello__/__init__.py
-%{pylibdir}/__phello__/spam.py
-%{pylibdir}/__phello__/__pycache__/*%{bytecode_suffixes}
 
 # We don't bother splitting the debug build out into further subpackages:
 # if you need it, you're probably a developer.
@@ -1872,6 +1808,10 @@ fi
 %{dynload_dir}/termios.%{SOABI_debug}.so
 %{dynload_dir}/unicodedata.%{SOABI_debug}.so
 %{dynload_dir}/_uuid.%{SOABI_debug}.so
+%{dynload_dir}/xxlimited.%{SOABI_debug}.so
+%{dynload_dir}/xxlimited_35.%{SOABI_debug}.so
+%{dynload_dir}/_xxsubinterpreters.%{SOABI_debug}.so
+%{dynload_dir}/xxsubtype.%{SOABI_debug}.so
 %{dynload_dir}/zlib.%{SOABI_debug}.so
 %{dynload_dir}/_zoneinfo.%{SOABI_debug}.so
 
@@ -1908,11 +1848,7 @@ fi
 %{dynload_dir}/_testmultiphase.%{SOABI_debug}.so
 %{dynload_dir}/_testsinglephase.%{SOABI_debug}.so
 %{dynload_dir}/_xxinterpchannels.%{SOABI_debug}.so
-%{dynload_dir}/_xxsubinterpreters.%{SOABI_debug}.so
 %{dynload_dir}/_xxtestfuzz.%{SOABI_debug}.so
-%{dynload_dir}/xxlimited.%{SOABI_debug}.so
-%{dynload_dir}/xxlimited_35.%{SOABI_debug}.so
-%{dynload_dir}/xxsubtype.%{SOABI_debug}.so
 
 %{pylibdir}/_sysconfigdata_%{ABIFLAGS_debug}_linux_%{platform_triplet}.py
 %{pylibdir}/__pycache__/_sysconfigdata_%{ABIFLAGS_debug}_linux_%{platform_triplet}%{bytecode_suffixes}
@@ -1940,104 +1876,6 @@ fi
 # ======================================================
 
 %changelog
-* Thu Apr 16 2026 Charalampos Stratakis <cstratak@redhat.com> - 3.12.13-2
-- Security fixes for CVE-2026-1502, CVE-2026-4786, CVE-2026-6100, CVE-2026-2297, CVE-2026-3644, CVE-2026-4224
-Resolves: RHEL-168130, RHEL-167892
-
-* Thu Apr 16 2026 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.12.13-1
-- Update to 3.12.13
-- Security fixes for CVE-2025-6075, CVE-2025-13837, CVE-2025-15282, CVE-2025-59375, CVE-2026-0672
-Related: RHEL-168130, RHEL-167892
-
-* Fri Mar 27 2026 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.12.12-4
-- Security fix for CVE-2026-4519
-Resolves: RHEL-158029
-
-* Fri Feb 27 2026 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.12.12-3
-- Security fixes for CVE-2026-0865, CVE-2025-15366, CVE-2025-15367 and CVE-2026-1299
-Resolves: RHEL-143065
-Resolves: RHEL-143122
-Resolves: RHEL-144862
-
-* Fri Jan 16 2026 Lumír Balhar <lbalhar@redhat.com> - 3.12.12-2
-- Security fix for CVE-2025-13836
-Resolves: RHEL-140993
-
-* Fri Oct 10 2025 Karolina Surma <ksurma@redhat.com> - 3.12.12-1
-- Update to 3.12.12
-- Security fix for CVE-2025-8291 and CVE-2025-12084
-Resolves: RHEL-128364, RHEL-135391
-
-* Thu Aug 14 2025 Lumír Balhar <lbalhar@redhat.com> - 3.12.11-2
-- Security fix for CVE-2025-8194
-Resolves: RHEL-106343
-
-* Wed Jun 04 2025 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.12.11-1
-- Update to 3.12.11
-- Security fixes for CVE-2025-4517, CVE-2025-4330, CVE-2025-4138, CVE-2024-12718, CVE-2025-4435
-Resolves: RHEL-98040, RHEL-98010, RHEL-97808, RHEL-98070, RHEL-98213
-
-* Wed Apr 09 2025 Miro Hrončok <mhroncok@redhat.com> - 3.12.10-1
-- Update to 3.12.10
-Resolves: RHEL-86888
-
-* Tue Feb 04 2025 Charalampos Stratakis <cstratak@redhat.com> - 3.12.9-1
-- Update to 3.12.9
-- Security fix for CVE-2025-0938
-Related: RHEL-86888
-
-* Tue Dec 03 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.12.8-1
-- Update to 3.12.8
-- Security fix for CVE-2024-9287 and CVE-2024-12254
-Resolves: RHEL-64880, RHEL-70315
-
-* Mon Sep 09 2024 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.12.6-1
-- Update to 3.12.6
-Resolves: RHEL-57405
-
-* Fri Aug 23 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.12.5-2
-- Security fix for CVE-2024-8088
-Resolves: RHEL-55939
-
-* Wed Aug 07 2024 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.12.5-1
-- Update to 3.12.5
-- Security fix for CVE-2024-6923
-Resolves: RHEL-53075
-
-* Thu Jul 25 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.12.4-3
-- Properly propagate the optimization flags to C extensions
-
-* Wed Jul 17 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.12.4-2
-- Build Python with -O3
-- https://fedoraproject.org/wiki/Changes/Python_built_with_gcc_O3
-
-* Fri Jun 28 2024 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.12.4-1
-- Update to 3.12.4
-Resolves: RHEL-44074
-
-* Tue Jun 11 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.12.3-2
-- Enable importing of hash-based .pyc files under FIPS mode
-Resolves: RHEL-40776
-
-* Fri May 03 2024 Lumír Balhar <lbalhar@redhat.com> - 3.12.3-1
-- Update to 3.12.3
-Related: RHEL-33685
-
-* Fri May 03 2024 Lumír Balhar <lbalhar@redhat.com> - 3.12.2-3
-- Move all test modules to the python3-test package, namely:
-   - __phello__
-   - _xxsubinterpreters
-   - xxlimited
-   - xxlimited_35
-   - xxsubtype
-
-* Fri May 03 2024 Lumír Balhar <lbalhar@redhat.com> - 3.12.2-2
-- Fix tests for XMLPullParser with Expat with fixed CVE
-
-* Fri May 03 2024 Lumír Balhar <lbalhar@redhat.com> - 3.12.2-1
-- Update to 3.12.2
-Resolves: RHEL-33685
-
 * Mon Feb 19 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.12.1-4
 - Add Red Hat configuration for CVE-2007-4559
 

gating.yaml

@@ -1,8 +0,0 @@
---- !Policy
-
-product_versions:
-  - rhel-8
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
-

plan.fmf

@@ -1,82 +0,0 @@
-execute:
-  how: tmt
-
-provision:
-  hardware:
-    memory: '>= 3 GB'
-
-environment:
-  pybasever: '3.12'
-
-discover:
-  - name: tests_python
-    how: shell
-    url: https://gitlab.com/redhat/centos-stream/tests/python.git
-    tests:
-    - name: smoke
-      path: /smoke
-      test: "VERSION=${pybasever} TOX=false ./venv.sh"
-    - name: debugsmoke
-      path: /smoke
-      test: "PYTHON=python${pybasever}d TOX=false VERSION=${pybasever} ./venv.sh"
-    - name: selftest
-      path: /selftest
-      test: "VERSION=${pybasever} X='-i test_check_probes -x test_dtrace' ./parallel.sh"
-    - name: debugtest
-      path: /selftest
-      test: "VERSION=${pybasever} PYTHON=python${pybasever}d X='-i test_check_probes -x test_dtrace' ./parallel.sh"
-    - name: optimizedflags
-      path: /flags
-      test: "python${pybasever} ./assertflags.py -O3 PY_BUILTIN_MODULE_CFLAGS PY_CFLAGS_NODIST PY_CORE_CFLAGS PY_STDMODULE_CFLAGS"
-    - name: optimizedflags_3rd
-      path: /flags
-      test: "python${pybasever} ./assertflags.py -O2 CFLAGS PY_CFLAGS"
-    - name: debugflags
-      path: /flags
-      test: "python${pybasever}d ./assertflags.py -O0"
-  - name: same_repo
-    how: shell
-    tests:
-    - name: pytest
-      test: "PYTHONPATH=/usr/lib/rpm/redhat ALTERNATE_PYTHON_VERSION=skip pytest-3.12 -v"
-    - name: manual_byte_compilation_clamp_mtime_off
-      path: /tests
-      test: "rpmbuild --define 'dist .clamp0' --define 'clamp_mtime_to_source_date_epoch 0' -ba pythontest.spec"
-    - name: manual_byte_compilation_clamp_mtime_on
-      path: /tests
-      test: "rpmbuild --define 'dist .clamp1' --define 'clamp_mtime_to_source_date_epoch 1' -ba pythontest.spec"
-    - name: rpmlint_clamp_mtime_off
-      test: "rpmlint ~/rpmbuild/RPMS/x86_64/pythontest-0-0.clamp0.x86_64.rpm | grep python-bytecode-inconsistent-mtime || exit 0 && exit 1"
-    - name: rpmlint_clamp_mtime_on
-      test: "rpmlint ~/rpmbuild/RPMS/x86_64/pythontest-0-0.clamp1.x86_64.rpm | grep python-bytecode-inconsistent-mtime || exit 0 && exit 1"
-prepare:
-  - name: Install dependencies
-    how: install
-    package:
-    - gcc  # for extension building in venv and selftest
-    - gcc-c++ # for test_cppext
-    - gdb  # for test_gdb
-    - "python${pybasever}"  # the test subject
-    - "python${pybasever}-debug"  # for leak testing
-    - "python${pybasever}-devel"  # for extension building in venv and selftest
-    - "python${pybasever}-tkinter"  # for selftest
-    - "python${pybasever}-test"  # for selftest
-    - glibc-all-langpacks # for locale tests
-    - rpm  # for debugging
-    - rpm-build
-    - rpmlint
-    - python-rpm-macros
-    - python3-rpm-macros
-    - python3.12-rpm-macros
-    - python3.12-pytest
-    - python2
-  - name: Update packages
-    how: shell
-    script: dnf upgrade -y
-  - name: Install python3-devel specially to avoid a failure
-    how: shell
-    script: dnf install -y python3-devel --nobest --allowerasing
-  - name: rpm_qa
-    order: 100
-    how: shell
-    script: rpm -qa | sort | tee $TMT_PLAN_DATA/rpmqa.txt

rpminspect.yaml

@@ -1,37 +0,0 @@
-# exclude test XML data (not always valid) from XML validity check:
-xml:
-    ignore:
-        - '/usr/lib*/python*/test/xmltestdata/*'
-        - '/usr/lib*/python*/test/xmltestdata/*/*'
-
-# exclude _socket from ipv4 only functions check, it has both ipv4 and ipv6 only
-badfuncs:
-    allowed:
-        '/usr/lib*/python*/lib-dynload/_socket.*':
-            - inet_aton
-            - inet_ntoa
-
-# exclude the debug build from annocheck entirely
-annocheck:
-    ignore:
-        - '/usr/bin/python*d'
-        - '/usr/lib*/libpython*d.so.1.0'
-        - '/usr/lib*/python*/lib-dynload/*.cpython-*d-*-*-*.so'
-
-# don't report changed content of compiled files
-# that is expected with every toolchain update and not reproducible yet
-changedfiles:
-    # note that this is a posix regex, so no \d
-    exclude_path: (\.so(\.[0-9]+(\.[0-9]+)?)?$|^/usr/bin/python[0-9]+\.[0-9]+d?m?$)
-
-# files change size all the time, we don't need to VERIFY it
-# however, the INFO is useful, so we don't disable the check entirely
-filesize:
-    # artificially large number, TODO a better way
-    size_threshold: 100000
-
-
-# completely disabled inspections:
-inspections:
-    # we know about our patches, no need to report anything
-    patches: off

rpmlint.toml

@@ -1,106 +0,0 @@
-Filters = [
-
-    # KNOWN BUGS:
-    # https://bugzilla.redhat.com/show_bug.cgi?id=1489816
-    'crypto-policy-non-compliance-openssl',
-
-
-    # TESTS:
-    '(zero-length|pem-certificate|uncompressed-zip) /usr/lib(64)?/python3\.\d+/test',
-
-
-    # OTHER DELIBERATES:
-    # chroot function
-    'missing-call-to-chdir-with-chroot',
-
-    # gethostbyname function calls gethostbyname
-    '(E|W): binary-or-shlib-calls-gethostbyname /usr/lib(64)?/python3\.\d+/lib-dynload/_socket\.',
-
-    # intentionally unversioned and selfobsoleted
-    'unversioned-explicit-obsoletes python',
-    'unversioned Obsoletes: Obsoletes: python3\.\d+$',
-    'self-obsoletion python3\.\d+(-\S+)? obsoletes python3\.\d+(-\S+)?',
-
-    # intentionally hardcoded
-    'hardcoded-library-path in %{_prefix}/lib/(debug/%{_libdir}|python%{pybasever})',
-
-    # we have non binary stuff, python files
-    'only-non-binary-in-usr-lib',
-
-    # some devel files that are deliberately needed
-    'devel-file-in-non-devel-package /usr/include/python3\.\d+m?/pyconfig-(32|64)\.h',
-    'devel-file-in-non-devel-package /usr/lib(64)?/python3\.\d+/distutils/tests/xxmodule\.c',
-    # ...or are used as test data
-    'devel-file-in-non-devel-package /usr/lib(64)?/python3\.\d+/test',
-
-    # some bytecode is shipped without sources on purpose, as a space optimization
-    # if this regex needs to be relaxed in the future, make sure it **does not** match pyc files in __pycache__
-    'python-bytecode-without-source /usr/lib(64)?/python3\.\d+/(encodings|pydoc_data)/[^/]+.pyc',
-
-    # DUPLICATE FILES
-    # test data are often duplicated
-    '(E|W): files-duplicate /usr/lib(64)?/python3\.\d+/(test|__phello__)/',
-    # duplicated inits or mains are also common
-    '(E|W): files-duplicate .+__init__\.py.+__init__\.py',
-    '(E|W): files-duplicate .+__main__\.py.+__main__\.py',
-    # files in the debugsource package
-    '(E|W): files-duplicate /usr/src/debug',
-    # general waste report
-    '(E|W): files-duplicated-waste',
-
-    # SORRY, NOT SORRY:
-    # manual pages
-    'no-manual-page-for-binary (idle|pydoc|pyvenv|2to3|python3?-debug|pathfix|msgfmt|pygettext)',
-    'no-manual-page-for-binary python3?.*-config$',
-    'no-manual-page-for-binary python3\.\d+dm?$',
-
-    # missing documentation from subpackages
-    '^python3(\.\d+)?-(debug|tkinter|test|idle)\.[^:]+: (E|W): no-documentation',
-
-    # platform python is obsoleted, but not provided
-    'obsolete-not-provided platform-python',
-
-    # we have extra tokens at the end of %endif/%else directives, we consider them useful
-    'extra tokens at the end of %(endif|else) directive',
-
-
-    # RPMLINT IMPERFECTIONS
-    # https://github.com/rpm-software-management/rpmlint/issues/780
-    '/usr/lib/debug',
-
-    # we provide python(abi) manually to be sure. createrepo will merge this with the automatic
-    'python3(\.\d+)?\.[^:-]+: (E|W): useless-provides python\(abi\)',
-
-    # debugsource and debuginfo have no docs
-    '^python3(\.\d+)?-debug(source|info)\.[^:]+: (E|W): no-documentation',
-
-    # this is OK for F28+
-    'library-without-ldconfig-post',
-
-    # debug package contains devel and non-devel files
-    'python3(\.\d+)?-debug\.[^:]+: (E|W): (non-)?devel-file-in-(non-)?devel-package',
-
-    # this goes to other subpackage, hence not actually dangling
-    'dangling-relative-symlink /usr/bin/python python3',
-    'dangling-relative-symlink /usr/share/man/man1/python\.1\.gz python3\.1\.gz',
-    'dangling-relative-symlink /usr/lib(64)?/pkgconfig/python-3\.\d+dm?(-embed)?\.pc python-3\.\d+(-embed)?\.pc',
-
-    # the python-unversioned-command package contains dangling symlinks by design
-    '^python-unversioned-command\.[^:]+: (E|W): dangling-relative-symlink (/usr/bin/python \./python3|/usr/share/man/man1/python\.1\S* ./python3\.1\S*)$',
-
-    # we need this macro to evaluate, even if the line starts with #
-    'macro-in-comment %\{_pyconfig(32|64)_h\}',
-
-    # Python modules don't need to be linked against libc
-    # Since 3.8 they are no longer linked against libpython3.8.so.1.0
-    '(E|W): library-not-linked-against-libc /usr/lib(64)?/python3\.\d+/lib-dynload/',
-    '(E|W): shared-lib(rary)?-without-dependency-information /usr/lib(64)?/python3\.\d+/lib-dynload/',
-
-    # specfile-errors are listed twice, once with reason and once without
-    # we filter out the empty ones
-    '\bpython3(\.\d+)?\.(src|spec): (E|W): specfile-error\s+$',
-
-    # SPELLING ERRORS
-    'spelling-error .* en_US (bytecode|pyc|filename|tkinter|namespaces|pytest) ',
-
-]

sources

@@ -1,2 +0,0 @@
-SHA512 (Python-3.12.13.tar.xz) = e1eb66f0b34581f0155e3ce25ba72cf0b4b1107672ed0ad3e86bcfe616945c9204c41ffc492f32b1066b9154913ff88343038967ad8711dd05e6f2332fdb735b
-SHA512 (Python-3.12.13.tar.xz.asc) = 903fd3baa7e29891bb00fb159ec9c43804a71002c4cd38902d25bf4e5167f856b37d211a5b1098ee60e1ea41f8a10a1596dd2382edc6d7367d55dd4154807fc7

tests/.fmf/version

@@ -1 +0,0 @@
-1

tests/.gitignore

@@ -1,2 +0,0 @@
-__*__/
-

tests/pythontest.spec

@@ -1,87 +0,0 @@
-%global __python3 /usr/bin/python3.12
-%global basedir /opt/test/byte_compilation
-
-# We have 3 different ways of bytecompiling: for 3.9+, 3.4-3.8, and 2.7
-# Test with a representative of each.
-%global python36_sitelib /usr/lib/python3.6/site-packages
-%global python27_sitelib /usr/lib/python2.7/site-packages
-
-Name:           pythontest
-Version:        0
-Release:        0%{?dist}
-Summary:        ...
-License:        MIT
-BuildRequires:  python3-devel
-BuildRequires:  python2
-BuildRequires:  python3.12-devel
-BuildRequires:  python3.12-rpm-macros
-
-%description
-...
-
-%install
-mkdir -p %{buildroot}%{basedir}/directory/to/test/recursion
-
-echo "print()" > %{buildroot}%{basedir}/file.py
-echo "print()" > %{buildroot}%{basedir}/directory/to/test/recursion/file_in_dir.py
-
-%py_byte_compile %{python3} %{buildroot}%{basedir}/file.py
-%py_byte_compile %{python3} %{buildroot}%{basedir}/directory
-
-# Files in sitelib are compiled automatically by brp-python-bytecompile
-mkdir -p %{buildroot}%{python3_sitelib}/directory/
-echo "print()" > %{buildroot}%{python3_sitelib}/directory/file.py
-
-mkdir -p %{buildroot}%{python36_sitelib}/directory/
-echo "print()" > %{buildroot}%{python36_sitelib}/directory/file.py
-
-mkdir -p %{buildroot}%{python27_sitelib}/directory/
-echo "print()" > %{buildroot}%{python27_sitelib}/directory/file.py
-
-%check
-LOCATIONS="
-    %{buildroot}%{basedir}
-    %{buildroot}%{python3_sitelib}/directory/
-    %{buildroot}%{python36_sitelib}/directory/
-    %{buildroot}%{python27_sitelib}/directory/
-"
-
-echo "============== Print .py files found in LOCATIONS =================="
-find $LOCATIONS -name "*.py"
-echo "============== Print .pyc files found in LOCATIONS =================="
-find $LOCATIONS -name "*.py[co]"
-echo "============== End of print =================="
-
-# Count .py and .pyc files
-PY=$(find $LOCATIONS -name "*.py" | wc -l)
-PYC=$(find $LOCATIONS -name "*.py[co]" | wc -l)
-
-# We should have 5 .py files (3 for python3, one each for 3.6 & 2.7)
-test $PY -eq 5
-
-# Every .py file should be byte-compiled to two .pyc files (optimization level 0 and 1)
-# so we should have two times more .pyc files than .py files
-test $(expr $PY \* 2) -eq $PYC
-
-# In this case the .pyc files should be identical across omtimization levels
-# (they don't use docstrings and assert staements)
-# So they should be hardlinked; the number of distinct inodes should match the
-# number of source files. (Or be smaller, if the dupe detection is done
-# across all files.)
-
-INODES=$(stat --format %i $(find $LOCATIONS -name "*.py[co]") | sort -u | wc -l)
-test $PY -ge $INODES
-
-
-%files
-%pycached %{basedir}/file.py
-%pycached %{basedir}/directory/to/test/recursion/file_in_dir.py
-%pycached %{python3_sitelib}/directory/file.py
-%pycached %{python36_sitelib}/directory/file.py
-%{python27_sitelib}/directory/file.py*
-
-
-%changelog
-* Thu Jan 01 2015 Fedora Packager <nobody@fedoraproject.org> - 0-0
-- This changelog entry exists and is deliberately set in the past
-

tests/test_evals.py

@@ -1,923 +0,0 @@
-import os
-import subprocess
-import platform
-import re
-import sys
-import textwrap
-
-import pytest
-
-X_Y = f'{sys.version_info[0]}.{sys.version_info[1]}'
-XY = f'{sys.version_info[0]}{sys.version_info[1]}'
-
-# Handy environment variable you can use to run the tests
-# with modified macros files. Multiple files should be
-# separated by colon.
-# You can use * if you escape it from your Shell:
-# TESTED_FILES='macros.*' pytest -v
-# Remember that some tests might need more macros files than just
-# the local ones. You might need to use:
-# TESTED_FILES='/usr/lib/rpm/macros:/usr/lib/rpm/platform/x86_64-linux/macros:macros.*'
-TESTED_FILES = os.getenv("TESTED_FILES", None)
-
-
-def rpm_eval(expression, fails=False, **kwargs):
-    cmd = ['rpmbuild']
-    if TESTED_FILES:
-        cmd += ['--macros', TESTED_FILES]
-    for var, value in kwargs.items():
-        if value is None:
-            cmd += ['--undefine', var]
-        else:
-            cmd += ['--define', f'{var} {value}']
-    cmd += ['--eval', expression]
-    cp = subprocess.run(cmd, text=True, env={**os.environ, 'LANG': 'C.utf-8'},
-                        stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
-    if fails:
-        assert cp.returncode != 0, cp.stdout
-    elif fails is not None:
-        assert cp.returncode == 0, cp.stdout
-    return cp.stdout.strip().splitlines()
-
-
-@pytest.fixture(scope="session")
-def lib():
-    lib_eval = rpm_eval("%_lib")[0]
-    if lib_eval == "%_lib" and TESTED_FILES:
-        raise ValueError(
-            "%_lib is not resolved to an actual value. "
-            "You may want to include /usr/lib/rpm/platform/x86_64-linux/macros to TESTED_FILES."
-        )
-    return lib_eval
-
-
-def get_alt_x_y():
-    """
-    Some tests require alternate Python version to be installed.
-    In order to allow any Python version (or none at all),
-    this function/fixture exists.
-    You can control the behavior by setting the $ALTERNATE_PYTHON_VERSION
-    environment variable to X.Y (e.g. 3.6) or SKIP.
-    The environment variable must be set.
-    """
-    env_name = "ALTERNATE_PYTHON_VERSION"
-    alternate_python_version = os.getenv(env_name, "")
-    if alternate_python_version.upper() == "SKIP":
-        pytest.skip(f"${env_name} set to SKIP")
-    if not alternate_python_version:
-        raise ValueError(f"${env_name} must be set, "
-                         f"set it to SKIP if you want to skip tests that "
-                         f"require alternate Python version.")
-    if not re.match(r"^\d+\.\d+$", alternate_python_version):
-        raise ValueError(f"${env_name} must be X.Y")
-    return alternate_python_version
-
-
-def get_alt_xy():
-    """
-    Same as get_alt_x_y() but without a dot
-    """
-    return get_alt_x_y().replace(".", "")
-
-
-# We don't use decorators, to be able to call the functions directly
-alt_x_y = pytest.fixture(scope="session")(get_alt_x_y)
-alt_xy = pytest.fixture(scope="session")(get_alt_xy)
-
-
-# https://fedoraproject.org/wiki/Changes/PythonSafePath
-def safe_path_flag(x_y):
-    return 'P' if tuple(int(i) for i in x_y.split('.')) >= (3, 11) else ''
-
-
-def shell_stdout(script):
-    return subprocess.check_output(script,
-                                   env={**os.environ, 'LANG': 'C.utf-8'},
-                                   text=True,
-                                   shell=True).rstrip()
-
-
-@pytest.mark.parametrize('macro', ['%__python3', '%python3'])
-def test_python3(macro):
-    assert rpm_eval(macro) == ['/usr/bin/python3.12']
-
-
-@pytest.mark.skip("Overriden in python3.12-rpm-macros")
-@pytest.mark.parametrize('macro', ['%__python3', '%python3'])
-@pytest.mark.parametrize('pkgversion', ['3', '3.9', '3.12'])
-def test_python3_with_pkgversion(macro, pkgversion):
-    assert rpm_eval(macro, python3_pkgversion=pkgversion) == [f'/usr/bin/python{pkgversion}']
-
-
-@pytest.mark.skip("py_dist_name uses the old canonicalization on RHEL 8")
-@pytest.mark.parametrize('argument, result', [
-    ('a', 'a'),
-    ('a-a', 'a-a'),
-    ('a_a', 'a-a'),
-    ('a.a', 'a-a'),
-    ('a---a', 'a-a'),
-    ('a-_-a', 'a-a'),
-    ('a-_-a', 'a-a'),
-    ('a[b]', 'a[b]'),
-    ('Aha[Boom]', 'aha[boom]'),
-    ('a.a[b.b]', 'a-a[b-b]'),
-])
-def test_pydist_name(argument, result):
-    assert rpm_eval(f'%py_dist_name {argument}') == [result]
-
-
-@pytest.mark.skip("py2_dist uses the old canonicalization on RHEL 8")
-def test_py2_dist():
-    assert rpm_eval(f'%py2_dist Aha[Boom] a') == ['python2dist(aha[boom]) python2dist(a)']
-
-
-@pytest.mark.skip("py3_dist uses the old canonicalization on RHEL 8")
-def test_py3_dist():
-    assert rpm_eval(f'%py3_dist Aha[Boom] a') == ['python3dist(aha[boom]) python3dist(a)']
-
-
-def test_py3_dist_with_python3_pkgversion_redefined(alt_x_y):
-    assert rpm_eval(f'%py3_dist Aha[Boom] a', python3_pkgversion=alt_x_y) == [f'python{alt_x_y}dist(aha[boom]) python{alt_x_y}dist(a)']
-
-
-@pytest.mark.skip("python_provide is still enabled on RHEL 8")
-def test_python_provide_python():
-    assert rpm_eval('%python_provide python-foo') == []
-
-
-@pytest.mark.skip("python_provide does not work with this test when __python3 is overridden")
-def test_python_provide_python3():
-    lines = rpm_eval('%python_provide python3-foo', version='6', release='1.fc66')
-    assert 'Obsoletes: python-foo < 6-1.fc66' in lines
-    assert 'Provides: python-foo = 6-1.fc66' in lines
-    assert f'Provides: python{X_Y}-foo = 6-1.fc66' in lines
-    assert len(lines) == 3
-
-
-@pytest.mark.skip("python_provide does not work with this test when __python3 is overridden")
-def test_python_provide_python3_epoched():
-    lines = rpm_eval('%python_provide python3-foo', epoch='1', version='6', release='1.fc66')
-    assert 'Obsoletes: python-foo < 1:6-1.fc66' in lines
-    assert 'Provides: python-foo = 1:6-1.fc66' in lines
-    assert f'Provides: python{X_Y}-foo = 1:6-1.fc66' in lines
-    assert len(lines) == 3
-
-
-@pytest.mark.skip("python_provide does not work with this test when __python3 is overridden")
-def test_python_provide_python3X():
-    lines = rpm_eval(f'%python_provide python{X_Y}-foo', version='6', release='1.fc66')
-    assert 'Obsoletes: python-foo < 6-1.fc66' in lines
-    assert 'Provides: python-foo = 6-1.fc66' in lines
-    assert 'Provides: python3-foo = 6-1.fc66' in lines
-    assert len(lines) == 3
-
-
-@pytest.mark.skip("python_provide does not work with this test when __python3 is overridden")
-def test_python_provide_python3X_epoched():
-    lines = rpm_eval(f'%python_provide python{X_Y}-foo', epoch='1', version='6', release='1.fc66')
-    assert 'Obsoletes: python-foo < 1:6-1.fc66' in lines
-    assert 'Provides: python-foo = 1:6-1.fc66' in lines
-    assert 'Provides: python3-foo = 1:6-1.fc66' in lines
-    assert len(lines) == 3
-
-
-@pytest.mark.skip("python_provide does not work with this test when __python3 is overridden")
-def test_python_provide_doubleuse():
-    lines = rpm_eval('%{python_provide python3-foo}%{python_provide python3-foo}',
-                     version='6', release='1.fc66')
-    assert 'Obsoletes: python-foo < 6-1.fc66' in lines
-    assert 'Provides: python-foo = 6-1.fc66' in lines
-    assert f'Provides: python{X_Y}-foo = 6-1.fc66' in lines
-    assert len(lines) == 6
-    assert len(set(lines)) == 3
-
-
-@pytest.mark.parametrize('rhel', [None, 10])
-def test_py_provides_python(rhel):
-    lines = rpm_eval('%py_provides python-foo', version='6', release='1.fc66', rhel=rhel)
-    assert 'Provides: python-foo = 6-1.fc66' in lines
-    assert len(lines) == 1
-
-
-@pytest.mark.parametrize('rhel', [None, 12])
-def test_py_provides_whatever(rhel):
-    lines = rpm_eval('%py_provides whatever', version='6', release='1.fc66', rhel=rhel)
-    assert 'Provides: whatever = 6-1.fc66' in lines
-    assert len(lines) == 1
-
-
-@pytest.mark.skip("py_provides behaves differently for alternative Python stacks")
-@pytest.mark.parametrize('rhel', [None, 9])
-def test_py_provides_python3(rhel):
-    lines = rpm_eval('%py_provides python3-foo', version='6', release='1.fc66', rhel=rhel)
-    assert 'Provides: python3-foo = 6-1.fc66' in lines
-    assert 'Provides: python-foo = 6-1.fc66' in lines
-    assert f'Provides: python{X_Y}-foo = 6-1.fc66' in lines
-    if rhel:
-        assert f'Obsoletes: python{X_Y}-foo < 6-1.fc66' in lines
-        assert len(lines) == 4
-    else:
-        assert len(lines) == 3
-
-
-@pytest.mark.skip("py_provides behaves differently for alternative Python stacks")
-@pytest.mark.parametrize('rhel', [None, 9])
-def test_py_provides_python3_with_isa(rhel):
-    lines = rpm_eval('%py_provides python3-foo(x86_64)', version='6', release='1.fc66', rhel=rhel)
-    assert 'Provides: python3-foo(x86_64) = 6-1.fc66' in lines
-    assert 'Provides: python-foo(x86_64) = 6-1.fc66' in lines
-    assert f'Provides: python{X_Y}-foo(x86_64) = 6-1.fc66' in lines
-    assert f'Obsoletes: python{X_Y}-foo(x86_64) < 6-1.fc66' not in lines
-    assert len(lines) == 3
-
-
-@pytest.mark.skip("py_provides behaves differently for alternative Python stacks")
-@pytest.mark.parametrize('rhel', [None, 13])
-def test_py_provides_python3_epoched(rhel):
-    lines = rpm_eval('%py_provides python3-foo', epoch='1', version='6', release='1.fc66', rhel=rhel)
-    assert 'Provides: python3-foo = 1:6-1.fc66' in lines
-    assert 'Provides: python-foo = 1:6-1.fc66' in lines
-    assert f'Provides: python{X_Y}-foo = 1:6-1.fc66' in lines
-    if rhel:
-        assert f'Obsoletes: python{X_Y}-foo < 1:6-1.fc66' in lines
-        assert len(lines) == 4
-    else:
-        assert len(lines) == 3
-
-
-@pytest.mark.skip("py_provides behaves differently for alternative Python stacks")
-@pytest.mark.parametrize('rhel', [None, 13])
-def test_py_provides_python3X(rhel):
-    lines = rpm_eval(f'%py_provides python{X_Y}-foo', version='6', release='1.fc66', rhel=rhel)
-    assert f'Provides: python{X_Y}-foo = 6-1.fc66' in lines
-    assert 'Provides: python-foo = 6-1.fc66' in lines
-    assert 'Provides: python3-foo = 6-1.fc66' in lines
-    assert len(lines) == 3
-
-
-@pytest.mark.skip("py_provides behaves differently for alternative Python stacks")
-@pytest.mark.parametrize('rhel', [None, 27])
-def test_py_provides_python3X_epoched(rhel):
-    lines = rpm_eval(f'%py_provides python{X_Y}-foo', epoch='1', version='6', release='1.fc66', rhel=rhel)
-    assert f'Provides: python{X_Y}-foo = 1:6-1.fc66' in lines
-    assert 'Provides: python-foo = 1:6-1.fc66' in lines
-    assert 'Provides: python3-foo = 1:6-1.fc66' in lines
-    assert len(lines) == 3
-
-
-@pytest.mark.skip("py_provides behaves differently for alternative Python stacks")
-@pytest.mark.parametrize('rhel', [None, 2])
-def test_py_provides_doubleuse(rhel):
-    lines = rpm_eval('%{py_provides python3-foo}%{py_provides python3-foo}',
-                     version='6', release='1.fc66', rhel=rhel)
-    assert 'Provides: python3-foo = 6-1.fc66' in lines
-    assert 'Provides: python-foo = 6-1.fc66' in lines
-    assert f'Provides: python{X_Y}-foo = 6-1.fc66' in lines
-    if rhel:
-        assert f'Obsoletes: python{X_Y}-foo < 6-1.fc66' in lines
-        assert len(lines) == 8
-        assert len(set(lines)) == 4
-    else:
-        assert len(lines) == 6
-        assert len(set(lines)) == 3
-
-
-@pytest.mark.skip("py_provides behaves differently for alternative Python stacks")
-@pytest.mark.parametrize('rhel', [None, 2])
-def test_py_provides_with_evr(rhel):
-    lines = rpm_eval('%py_provides python3-foo 123',
-                     version='6', release='1.fc66', rhel=rhel)
-    assert 'Provides: python3-foo = 123' in lines
-    assert 'Provides: python-foo = 123' in lines
-    assert f'Provides: python{X_Y}-foo = 123' in lines
-    if rhel:
-        assert f'Obsoletes: python{X_Y}-foo < 123' in lines
-        assert len(lines) == 4
-    else:
-        assert len(lines) == 3
-
-
-def test_python_wheel_pkg_prefix():
-    assert rpm_eval('%python_wheel_pkg_prefix', fedora='44', rhel=None, eln=None) == ['python']
-    assert rpm_eval('%python_wheel_pkg_prefix', fedora='44', rhel=None, eln=None, python3_pkgversion='3.9') == ['python']
-    assert rpm_eval('%python_wheel_pkg_prefix', fedora=None, rhel='1', eln='1') == ['python']
-    assert rpm_eval('%python_wheel_pkg_prefix', fedora=None, rhel='1', eln=None) == ['python3.12']
-    assert rpm_eval('%python_wheel_pkg_prefix', fedora=None, rhel='1', eln=None, python3_pkgversion='3.10') == ['python3.10']
-    assert rpm_eval('%python_wheel_pkg_prefix', fedora=None, rhel='1', eln=None, python3_pkgversion='3.12') == ['python3.12']
-
-
-def test_python_wheel_dir():
-    assert rpm_eval('%python_wheel_dir', fedora='44', rhel=None, eln=None) == ['/usr/share/python-wheels']
-    assert rpm_eval('%python_wheel_dir', fedora='44', rhel=None, eln=None, python3_pkgversion='3.9') == ['/usr/share/python-wheels']
-    assert rpm_eval('%python_wheel_dir', fedora=None, rhel='1', eln='1') == ['/usr/share/python-wheels']
-    assert rpm_eval('%python_wheel_dir', fedora=None, rhel='1', eln=None) == ['/usr/share/python3.12-wheels']
-    assert rpm_eval('%python_wheel_dir', fedora=None, rhel='1', eln=None, python3_pkgversion='3.10') == ['/usr/share/python3.10-wheels']
-    assert rpm_eval('%python_wheel_dir', fedora=None, rhel='1', eln=None, python3_pkgversion='3.12') == ['/usr/share/python3.12-wheels']
-
-
-def test_pytest_passes_options_naturally():
-    lines = rpm_eval('%pytest -k foo')
-    assert '/usr/bin/pytest-3.12 -k foo' in lines[-1]
-
-
-def test_pytest_different_command():
-    lines = rpm_eval('%pytest', __pytest='pytest-3')
-    assert 'pytest-3' in lines[-1]
-
-
-def test_pytest_command_suffix():
-    lines = rpm_eval('%pytest -v')
-    assert '/usr/bin/pytest-3.12 -v' in lines[-1]
-
-# this test does not require alternate Pythons to be installed
-@pytest.mark.parametrize('version', ['3.6', '3.7', '3.12'])
-def test_pytest_command_suffix_alternate_pkgversion(version):
-    lines = rpm_eval('%pytest -v', python3_pkgversion=version, python3_version=version)
-    assert f'/usr/bin/pytest-{version} -v' in lines[-1]
-
-
-@pytest.mark.skip("This functionality is not present in RHEL 8")
-def test_pytest_sets_pytest_xdist_auto_num_workers():
-    lines = rpm_eval('%pytest', _smp_build_ncpus=2)
-    assert 'PYTEST_XDIST_AUTO_NUM_WORKERS=2' in '\n'.join(lines)
-
-
-def test_pytest_undefined_addopts_are_not_set():
-    lines = rpm_eval('%pytest', __pytest_addopts=None)
-    assert 'PYTEST_ADDOPTS' not in '\n'.join(lines)
-
-
-def test_pytest_defined_addopts_are_set():
-    lines = rpm_eval('%pytest', __pytest_addopts="--ignore=stuff")
-    assert 'PYTEST_ADDOPTS="${PYTEST_ADDOPTS:-} --ignore=stuff"' in '\n'.join(lines)
-
-
-@pytest.mark.parametrize('__pytest_addopts', ['--macronized-option', 'x y z', None])
-def test_pytest_addopts_preserves_envvar(__pytest_addopts):
-    # this is the line a packager might put in the spec file before running %pytest:
-    spec_line = 'export PYTEST_ADDOPTS="--exported-option1 --exported-option2"'
-
-    # instead of actually running /usr/bin/pytest,
-    # we run a small shell script that echoes the tested value for inspection
-    lines = rpm_eval('%pytest', __pytest_addopts=__pytest_addopts,
-                     __pytest="sh -c 'echo $PYTEST_ADDOPTS'")
-
-    echoed = shell_stdout('\n'.join([spec_line] + lines))
-
-    # assert all values were echoed
-    assert '--exported-option1' in echoed
-    assert '--exported-option2' in echoed
-    if __pytest_addopts is not None:
-        assert __pytest_addopts in echoed
-
-    # assert the options are separated
-    assert 'option--' not in echoed
-    assert 'z--' not in echoed
-
-@pytest.mark.skip("RHEL 8 predates py3_test_envvars")
-@pytest.mark.parametrize('__pytest_addopts', ['-X', None])
-def test_py3_test_envvars(lib, __pytest_addopts):
-    lines = rpm_eval('%{py3_test_envvars}\\\n%{python3} -m unittest',
-                     buildroot='BUILDROOT',
-                     _smp_build_ncpus='3',
-                     __pytest_addopts=__pytest_addopts)
-    assert all(l.endswith('\\') for l in lines[:-1])
-    stripped_lines = [l.strip(' \\') for l in lines]
-    sitearch = f'BUILDROOT/usr/{lib}/python{X_Y}/site-packages'
-    sitelib = f'BUILDROOT/usr/lib/python{X_Y}/site-packages'
-    assert f'PYTHONPATH="${{PYTHONPATH:-{sitearch}:{sitelib}}}"' in stripped_lines
-    assert 'PATH="BUILDROOT/usr/bin:$PATH"' in stripped_lines
-    assert 'CFLAGS="${CFLAGS:-${RPM_OPT_FLAGS}}" LDFLAGS="${LDFLAGS:-${RPM_LD_FLAGS}}"' in stripped_lines
-    assert 'PYTHONDONTWRITEBYTECODE=1' in stripped_lines
-    assert 'PYTEST_XDIST_AUTO_NUM_WORKERS=3' in stripped_lines
-    if __pytest_addopts:
-        assert f'PYTEST_ADDOPTS="${{PYTEST_ADDOPTS:-}} {__pytest_addopts}"' in stripped_lines
-    else:
-        assert 'PYTEST_ADDOPTS' not in ''.join(lines)
-    assert stripped_lines[-1] == '/usr/bin/python3.12 -m unittest'
-
-
-def test_pypi_source_default_name():
-    urls = rpm_eval('%pypi_source',
-                    name='foo', version='6')
-    assert urls == ['https://files.pythonhosted.org/packages/source/f/foo/foo-6.tar.gz']
-
-
-def test_pypi_source_default_srcname():
-    urls = rpm_eval('%pypi_source',
-                    name='python-foo', srcname='foo', version='6')
-    assert urls == ['https://files.pythonhosted.org/packages/source/f/foo/foo-6.tar.gz']
-
-
-def test_pypi_source_default_pypi_name():
-    urls = rpm_eval('%pypi_source',
-                    name='python-foo', pypi_name='foo', version='6')
-    assert urls == ['https://files.pythonhosted.org/packages/source/f/foo/foo-6.tar.gz']
-
-
-def test_pypi_source_default_name_uppercase():
-    urls = rpm_eval('%pypi_source',
-                    name='Foo', version='6')
-    assert urls == ['https://files.pythonhosted.org/packages/source/F/Foo/Foo-6.tar.gz']
-
-
-def test_pypi_source_provided_name():
-    urls = rpm_eval('%pypi_source foo',
-                    name='python-bar', pypi_name='bar', version='6')
-    assert urls == ['https://files.pythonhosted.org/packages/source/f/foo/foo-6.tar.gz']
-
-
-def test_pypi_source_provided_name_version():
-    urls = rpm_eval('%pypi_source foo 6',
-                    name='python-bar', pypi_name='bar', version='3')
-    assert urls == ['https://files.pythonhosted.org/packages/source/f/foo/foo-6.tar.gz']
-
-
-def test_pypi_source_provided_name_version_ext():
-    url = rpm_eval('%pypi_source foo 6 zip',
-                   name='python-bar', pypi_name='bar', version='3')
-    assert url == ['https://files.pythonhosted.org/packages/source/f/foo/foo-6.zip']
-
-
-def test_pypi_source_prerelease():
-    urls = rpm_eval('%pypi_source',
-                    name='python-foo', pypi_name='foo', version='6~b2')
-    assert urls == ['https://files.pythonhosted.org/packages/source/f/foo/foo-6b2.tar.gz']
-
-
-def test_pypi_source_explicit_tilde():
-    urls = rpm_eval('%pypi_source foo 6~6',
-                    name='python-foo', pypi_name='foo', version='6')
-    assert urls == ['https://files.pythonhosted.org/packages/source/f/foo/foo-6~6.tar.gz']
-
-
-@pytest.mark.skip("%py3_shebang_fix has a complicated evaluation in RHEL 8 due to differences between Python stacks")
-def test_py3_shebang_fix():
-    cmd = rpm_eval('%py3_shebang_fix arg1 arg2 arg3')[-1].strip()
-    assert cmd == '/usr/bin/python3.12 -B /usr/lib/rpm/redhat/pathfix.py -pni /usr/bin/python3.12 $shebang_flags arg1 arg2 arg3'
-
-
-def test_py3_shebang_fix_default_shebang_flags():
-    lines = rpm_eval('%py3_shebang_fix arg1 arg2')
-    lines[-1] = 'echo $shebang_flags'
-    assert shell_stdout('\n'.join(lines)) == f'-kas{safe_path_flag(X_Y)}'
-
-
-def test_py3_shebang_fix_custom_shebang_flags():
-    lines = rpm_eval('%py3_shebang_fix arg1 arg2', py3_shebang_flags='Es')
-    lines[-1] = 'echo $shebang_flags'
-    assert shell_stdout('\n'.join(lines)) == '-kaEs'
-
-
-@pytest.mark.parametrize('_py3_shebang_s', [None, '%{nil}'])
-def test_py3_shebang_fix_undefined_py3_shebang_s(_py3_shebang_s):
-    lines = rpm_eval('%py3_shebang_fix arg1 arg2', _py3_shebang_s=_py3_shebang_s)
-    lines[-1] = 'echo $shebang_flags'
-    expected = f'-ka{safe_path_flag(X_Y)}' if safe_path_flag(X_Y) else '-k'
-    assert shell_stdout('\n'.join(lines)) == expected
-
-
-@pytest.mark.parametrize('_py3_shebang_P', [None, '%{nil}'])
-def test_py3_shebang_fix_undefined_py3_shebang_P(_py3_shebang_P):
-    lines = rpm_eval('%py3_shebang_fix arg1 arg2', _py3_shebang_P=_py3_shebang_P)
-    lines[-1] = 'echo $shebang_flags'
-    assert shell_stdout('\n'.join(lines)) == '-kas'
-
-
-@pytest.mark.parametrize('_py3_shebang_s', [None, '%{nil}'])
-@pytest.mark.parametrize('_py3_shebang_P', [None, '%{nil}'])
-def test_py3_shebang_fix_undefined_py3_shebang_sP(_py3_shebang_s, _py3_shebang_P):
-    lines = rpm_eval('%py3_shebang_fix arg1 arg2',
-                     _py3_shebang_s=_py3_shebang_s,
-                     _py3_shebang_P=_py3_shebang_P)
-    lines[-1] = 'echo $shebang_flags'
-    assert shell_stdout('\n'.join(lines)) == '-k'
-
-
-@pytest.mark.parametrize('flags', [None, '%{nil}'])
-def test_py3_shebang_fix_no_shebang_flags(flags):
-    lines = rpm_eval('%py3_shebang_fix arg1 arg2', py3_shebang_flags=flags)
-    lines[-1] = 'echo $shebang_flags'
-    assert shell_stdout('\n'.join(lines)) == '-k'
-
-
-@pytest.mark.skip("%py_shebang_fix has a complicated evaluation in RHEL 8 due to differences between Python stacks")
-def test_py_shebang_fix_custom_python():
-    cmd = rpm_eval('%py_shebang_fix arg1 arg2 arg3', __python='/usr/bin/pypy')[-1].strip()
-    assert cmd == '/usr/bin/pypy -B /usr/lib/rpm/redhat/pathfix.py -pni /usr/bin/pypy $shebang_flags arg1 arg2 arg3'
-
-
-def test_pycached_in_sitelib():
-    lines = rpm_eval('%pycached %{python3_sitelib}/foo*.py')
-    assert lines == [
-        f'/usr/lib/python{X_Y}/site-packages/foo*.py',
-        f'/usr/lib/python{X_Y}/site-packages/__pycache__/foo*.cpython-{XY}{{,.opt-?}}.pyc'
-    ]
-
-
-def test_pycached_in_sitearch(lib):
-    lines = rpm_eval('%pycached %{python3_sitearch}/foo*.py')
-    assert lines == [
-        f'/usr/{lib}/python{X_Y}/site-packages/foo*.py',
-        f'/usr/{lib}/python{X_Y}/site-packages/__pycache__/foo*.cpython-{XY}{{,.opt-?}}.pyc'
-    ]
-
-
-# this test does not require alternate Pythons to be installed
-@pytest.mark.parametrize('version', ['3.6', '3.7', '3.12'])
-def test_pycached_with_alternate_version(version):
-    version_nodot = version.replace('.', '')
-    lines = rpm_eval(f'%pycached /usr/lib/python{version}/site-packages/foo*.py')
-    assert lines == [
-        f'/usr/lib/python{version}/site-packages/foo*.py',
-        f'/usr/lib/python{version}/site-packages/__pycache__/foo*.cpython-{version_nodot}{{,.opt-?}}.pyc'
-    ]
-
-
-def test_pycached_in_custom_dir():
-    lines = rpm_eval('%pycached /bar/foo*.py')
-    assert lines == [
-        '/bar/foo*.py',
-        '/bar/__pycache__/foo*.cpython-3*{,.opt-?}.pyc'
-    ]
-
-
-def test_pycached_with_exclude():
-    lines = rpm_eval('%pycached %exclude %{python3_sitelib}/foo*.py')
-    assert lines == [
-        f'%exclude /usr/lib/python{X_Y}/site-packages/foo*.py',
-        f'%exclude /usr/lib/python{X_Y}/site-packages/__pycache__/foo*.cpython-{XY}{{,.opt-?}}.pyc'
-    ]
-
-
-def test_pycached_fails_with_extension_glob():
-    lines = rpm_eval('%pycached %{python3_sitelib}/foo.py*', fails=True)
-    assert lines[0] == 'error: %pycached can only be used with paths explicitly ending with .py'
-
-
-@pytest.mark.skip("Python extras subpackages are not handled in RHEL 8")
-def test_python_extras_subpkg_i():
-    lines = rpm_eval('%python_extras_subpkg -n python3-setuptools_scm -i %{python3_sitelib}/*.egg-info toml yaml',
-                     version='6', release='7')
-    expected = textwrap.dedent(f"""
-        %package -n python3-setuptools_scm+toml
-        Summary: Metapackage for python3-setuptools_scm: toml extras
-        Requires: python3-setuptools_scm = 6-7
-        %description -n python3-setuptools_scm+toml
-        This is a metapackage bringing in toml extras requires for
-        python3-setuptools_scm.
-        It makes sure the dependencies are installed.
-
-        %files -n python3-setuptools_scm+toml
-        %ghost /usr/lib/python{X_Y}/site-packages/*.egg-info
-
-        %package -n python3-setuptools_scm+yaml
-        Summary: Metapackage for python3-setuptools_scm: yaml extras
-        Requires: python3-setuptools_scm = 6-7
-        %description -n python3-setuptools_scm+yaml
-        This is a metapackage bringing in yaml extras requires for
-        python3-setuptools_scm.
-        It makes sure the dependencies are installed.
-
-        %files -n python3-setuptools_scm+yaml
-        %ghost /usr/lib/python{X_Y}/site-packages/*.egg-info
-        """).lstrip().splitlines()
-    assert lines == expected
-
-
-@pytest.mark.skip("Python extras subpackages are not handled in RHEL 8")
-def test_python_extras_subpkg_f():
-    lines = rpm_eval('%python_extras_subpkg -n python3-setuptools_scm -f ghost_filelist toml yaml',
-                     version='6', release='7')
-    expected = textwrap.dedent(f"""
-        %package -n python3-setuptools_scm+toml
-        Summary: Metapackage for python3-setuptools_scm: toml extras
-        Requires: python3-setuptools_scm = 6-7
-        %description -n python3-setuptools_scm+toml
-        This is a metapackage bringing in toml extras requires for
-        python3-setuptools_scm.
-        It makes sure the dependencies are installed.
-
-        %files -n python3-setuptools_scm+toml -f ghost_filelist
-
-        %package -n python3-setuptools_scm+yaml
-        Summary: Metapackage for python3-setuptools_scm: yaml extras
-        Requires: python3-setuptools_scm = 6-7
-        %description -n python3-setuptools_scm+yaml
-        This is a metapackage bringing in yaml extras requires for
-        python3-setuptools_scm.
-        It makes sure the dependencies are installed.
-
-        %files -n python3-setuptools_scm+yaml -f ghost_filelist
-        """).lstrip().splitlines()
-    assert lines == expected
-
-
-@pytest.mark.skip("Python extras subpackages are not handled in RHEL 8")
-def test_python_extras_subpkg_F():
-    lines = rpm_eval('%python_extras_subpkg -n python3-setuptools_scm -F toml yaml',
-                     version='6', release='7')
-    expected = textwrap.dedent(f"""
-        %package -n python3-setuptools_scm+toml
-        Summary: Metapackage for python3-setuptools_scm: toml extras
-        Requires: python3-setuptools_scm = 6-7
-        %description -n python3-setuptools_scm+toml
-        This is a metapackage bringing in toml extras requires for
-        python3-setuptools_scm.
-        It makes sure the dependencies are installed.
-
-
-
-        %package -n python3-setuptools_scm+yaml
-        Summary: Metapackage for python3-setuptools_scm: yaml extras
-        Requires: python3-setuptools_scm = 6-7
-        %description -n python3-setuptools_scm+yaml
-        This is a metapackage bringing in yaml extras requires for
-        python3-setuptools_scm.
-        It makes sure the dependencies are installed.
-        """).lstrip().splitlines()
-    assert lines == expected
-
-
-@pytest.mark.skip("Python extras subpackages are not handled in RHEL 8")
-def test_python_extras_subpkg_underscores():
-    lines = rpm_eval('%python_extras_subpkg -n python3-webscrapbook -F adhoc_ssl',
-                     version='0.33.3', release='1.fc33')
-    expected = textwrap.dedent(f"""
-        %package -n python3-webscrapbook+adhoc_ssl
-        Summary: Metapackage for python3-webscrapbook: adhoc_ssl extras
-        Requires: python3-webscrapbook = 0.33.3-1.fc33
-        %description -n python3-webscrapbook+adhoc_ssl
-        This is a metapackage bringing in adhoc_ssl extras requires for
-        python3-webscrapbook.
-        It makes sure the dependencies are installed.
-        """).lstrip().splitlines()
-    assert lines == expected
-
-
-@pytest.mark.skip("Python extras subpackages are not handled in RHEL 8")
-@pytest.mark.parametrize('sep', [pytest.param(('', ' ', ' ', ''), id='spaces'),
-                                 pytest.param(('', ',', ',', ''), id='commas'),
-                                 pytest.param(('', ',', ',', ','), id='commas-trailing'),
-                                 pytest.param((',', ',', ',', ''), id='commas-leading'),
-                                 pytest.param((',', ',', ',', ','), id='commas-trailing-leading'),
-                                 pytest.param(('', ',', ' ', ''), id='mixture'),
-                                 pytest.param(('  ', '   ', '\t\t, ', '\t'), id='chaotic-good'),
-                                 pytest.param(('', '\t ,, \t\r ', ',,\t  , ', ',,'), id='chaotic-evil')])
-def test_python_extras_subpkg_arg_separators(sep):
-    lines = rpm_eval('%python_extras_subpkg -n python3-hypothesis -F {}cli{}ghostwriter{}pytz{}'.format(*sep),
-                     version='6.6.0', release='1.fc35')
-    expected = textwrap.dedent(f"""
-        %package -n python3-hypothesis+cli
-        Summary: Metapackage for python3-hypothesis: cli extras
-        Requires: python3-hypothesis = 6.6.0-1.fc35
-        %description -n python3-hypothesis+cli
-        This is a metapackage bringing in cli extras requires for python3-hypothesis.
-        It makes sure the dependencies are installed.
-
-
-
-        %package -n python3-hypothesis+ghostwriter
-        Summary: Metapackage for python3-hypothesis: ghostwriter extras
-        Requires: python3-hypothesis = 6.6.0-1.fc35
-        %description -n python3-hypothesis+ghostwriter
-        This is a metapackage bringing in ghostwriter extras requires for
-        python3-hypothesis.
-        It makes sure the dependencies are installed.
-
-
-
-        %package -n python3-hypothesis+pytz
-        Summary: Metapackage for python3-hypothesis: pytz extras
-        Requires: python3-hypothesis = 6.6.0-1.fc35
-        %description -n python3-hypothesis+pytz
-        This is a metapackage bringing in pytz extras requires for python3-hypothesis.
-        It makes sure the dependencies are installed.
-        """).lstrip().splitlines()
-    assert lines == expected
-
-
-@pytest.mark.skip("Python extras subpackages are not handled in RHEL 8")
-@pytest.mark.parametrize('basename_len', [1, 10, 30, 45, 78])
-@pytest.mark.parametrize('extra_len', [1, 13, 28, 52, 78])
-def test_python_extras_subpkg_description_wrapping(basename_len, extra_len):
-    basename = 'x' * basename_len
-    extra = 'y' * extra_len
-    lines = rpm_eval(f'%python_extras_subpkg -n {basename} -F {extra}',
-                     version='6', release='7')
-    for idx, line in enumerate(lines):
-        if line.startswith('%description'):
-            start = idx + 1
-    lines = lines[start:]
-    assert all(len(l) < 80 for l in lines)
-    assert len(lines) < 6
-    if len(" ".join(lines[:-1])) < 80:
-        assert len(lines) == 2
-    expected_singleline = (f"This is a metapackage bringing in {extra} extras "
-                           f"requires for {basename}. "
-                           f"It makes sure the dependencies are installed.")
-    description_singleline = " ".join(lines)
-    assert description_singleline == expected_singleline
-
-
-unversioned_macros = pytest.mark.parametrize('macro', [
-    '%__python',
-    '%python',
-    '%python_version',
-    '%python_version_nodots',
-    '%python_sitelib',
-    '%python_sitearch',
-    '%python_platform',
-    '%python_platform_triplet',
-    '%python_ext_suffix',
-    '%python_cache_tag',
-    '%py_shebang_fix',
-    '%py_build',
-    '%py_build_egg',
-    '%py_build_wheel',
-    '%py_install',
-    '%py_install_egg',
-    '%py_install_wheel',
-    '%py_check_import',
-    '%py_test_envvars',
-])
-
-
-@pytest.mark.skip("Not applicable for python3.12-rpm-macros")
-@unversioned_macros
-def test_unversioned_python_errors(macro):
-    lines = rpm_eval(macro, fails=True)
-    assert lines[0] == (
-        'error: attempt to use unversioned python, '
-        'define %__python to /usr/bin/python2 or /usr/bin/python3 explicitly'
-    )
-    # when the macros are %global, the error is longer
-    # we deliberately allow this extra line to be optional
-    if len(lines) > 1:
-        # the failed macro is not unnecessarily our tested macro
-        pattern = r'error: Macro %\S+ failed to expand'
-        assert re.match(pattern, lines[1])
-    # but there should be no more lines
-    assert len(lines) < 3
-
-
-@pytest.mark.skip("Not applicable for python3.12-rpm-macros")
-@unversioned_macros
-def test_unversioned_python_works_when_defined(macro):
-    macro3 = macro.replace('python', 'python3').replace('py_', 'py3_')
-    assert rpm_eval(macro, __python='/usr/bin/python3.12') == rpm_eval(macro3)
-
-
-# we could rework the test for multiple architectures, but the Fedora CI currently only runs on x86_64
-x86_64_only = pytest.mark.skipif(platform.machine() != "x86_64", reason="works on x86_64 only")
-
-
-@x86_64_only
-def test_platform_triplet():
-    assert rpm_eval("%python3_platform_triplet") == ["x86_64-linux-gnu"]
-
-
-@x86_64_only
-def test_ext_suffix():
-    assert rpm_eval("%python3_ext_suffix") == [f".cpython-{XY}-x86_64-linux-gnu.so"]
-
-
-def test_cache_tag():
-    assert rpm_eval("%python3_cache_tag") == [f"cpython-{XY}"]
-
-
-def test_cache_tag_alternate_python(alt_x_y, alt_xy):
-    assert rpm_eval("%python_cache_tag", __python=f"/usr/bin/python{alt_x_y}") == [f"cpython-{alt_xy}"]
-
-
-def test_cache_tag_alternate_python3(alt_x_y, alt_xy):
-    assert rpm_eval("%python3_cache_tag", __python3=f"/usr/bin/python{alt_x_y}") == [f"cpython-{alt_xy}"]
-
-
-@pytest.mark.skip("Throws ModuleNotFoundError(distutils) when run with Python 3.12, expected")
-def test_python_sitelib_value_python3():
-    macro = '%python_sitelib'
-    assert rpm_eval(macro, __python='%__python3') == [f'/usr/lib/python{X_Y}/site-packages']
-
-
-def test_python_sitelib_value_alternate_python(alt_x_y):
-    macro = '%python_sitelib'
-    assert rpm_eval(macro, __python=f'/usr/bin/python{alt_x_y}') == [f'/usr/lib/python{alt_x_y}/site-packages']
-
-
-def test_python3_sitelib_value_default():
-    macro = '%python3_sitelib'
-    assert rpm_eval(macro) == [f'/usr/lib/python{X_Y}/site-packages']
-
-
-def test_python3_sitelib_value_alternate_python(alt_x_y):
-    macro = '%python3_sitelib'
-    assert (rpm_eval(macro, __python3=f'/usr/bin/python{alt_x_y}') ==
-            rpm_eval(macro, python3_pkgversion=alt_x_y) ==
-            [f'/usr/lib/python{alt_x_y}/site-packages'])
-
-
-def test_python3_sitelib_value_alternate_prefix():
-    macro = '%python3_sitelib'
-    assert rpm_eval(macro, _prefix='/app') == [f'/app/lib/python{X_Y}/site-packages']
-
-
-@pytest.mark.skip("Throws ModuleNotFoundError(distutils) when run with Python 3.12, expected")
-def test_python_sitearch_value_python3(lib):
-    macro = '%python_sitearch'
-    assert rpm_eval(macro, __python='%__python3') == [f'/usr/{lib}/python{X_Y}/site-packages']
-
-
-def test_python_sitearch_value_alternate_python(lib, alt_x_y):
-    macro = '%python_sitearch'
-    assert rpm_eval(macro, __python=f'/usr/bin/python{alt_x_y}') == [f'/usr/{lib}/python{alt_x_y}/site-packages']
-
-
-def test_python3_sitearch_value_default(lib):
-    macro = '%python3_sitearch'
-    assert rpm_eval(macro) == [f'/usr/{lib}/python{X_Y}/site-packages']
-
-
-def test_python3_sitearch_value_alternate_python(lib, alt_x_y):
-    macro = '%python3_sitearch'
-    assert (rpm_eval(macro, __python3=f'/usr/bin/python{alt_x_y}') ==
-            rpm_eval(macro, python3_pkgversion=alt_x_y) ==
-            [f'/usr/{lib}/python{alt_x_y}/site-packages'])
-
-
-def test_python3_sitearch_value_alternate_prefix(lib):
-    macro = '%python3_sitearch'
-    assert rpm_eval(macro, _prefix='/app') == [f'/app/{lib}/python{X_Y}/site-packages']
-
-
-@pytest.mark.parametrize(
-    'args, expected_args',
-    [
-        ('six', 'six'),
-        ('-f foo.txt', '-f foo.txt'),
-        ('-t -f foo.txt six, seven', '-t -f foo.txt six, seven'),
-        ('-e "foo*" -f foo.txt six, seven', '-e "foo*" -f foo.txt six, seven'),
-        ('six.quarter six.half,, SIX', 'six.quarter six.half,, SIX'),
-        ('-f foo.txt six\nsix.half\nSIX', '-f foo.txt six six.half SIX'),
-        ('six \\ -e six.half', 'six -e six.half'),
-    ]
-)
-@pytest.mark.parametrize('__python3',
-                         [None,
-                          f'/usr/bin/python{X_Y}',
-                          '/usr/bin/pythonX.Y'])
-def test_py3_check_import(args, expected_args, __python3, lib):
-    x_y = X_Y
-    macros = {
-        'buildroot': 'BUILDROOT',
-        '_rpmconfigdir': 'RPMCONFIGDIR',
-    }
-    if __python3 is not None:
-        if 'X.Y' in __python3:
-            __python3 = __python3.replace('X.Y', get_alt_x_y())
-        macros['__python3'] = __python3
-        # If the __python3 command has version at the end, parse it and expect it.
-        # Note that the command is used to determine %python3_sitelib and %python3_sitearch,
-        # so we only test known CPython schemes here and not PyPy for simplicity.
-        if (match := re.match(r'.+python(\d+\.\d+)$', __python3)):
-            x_y = match.group(1)
-
-    invocation = '%{py3_check_import ' + args +'}'
-    lines = rpm_eval(invocation, **macros)
-
-    # An equality check is a bit inflexible here,
-    # every time we change the macro we need to change this test.
-    # However actually executing it and verifying the result is much harder :/
-    # At least, let's make the lines saner to check:
-    lines = [line.rstrip('\\').strip() for line in lines]
-    expected = textwrap.dedent(fr"""
-        PATH="BUILDROOT/usr/bin:$PATH"
-        PYTHONPATH="${{PYTHONPATH:-BUILDROOT/usr/{lib}/python{x_y}/site-packages:BUILDROOT/usr/lib/python{x_y}/site-packages}}"
-        _PYTHONSITE="BUILDROOT/usr/{lib}/python{x_y}/site-packages:BUILDROOT/usr/lib/python{x_y}/site-packages"
-        PYTHONDONTWRITEBYTECODE=1
-        {__python3 or '/usr/bin/python3.12'} -s{safe_path_flag(x_y)} RPMCONFIGDIR/redhat/import_all_modules_py3_12.py {expected_args}
-        """)
-    assert lines == expected.splitlines()
-
-
-@pytest.mark.parametrize(
-    'shebang_flags_value, expected_shebang_flags',
-    [
-        ('sP', '-sP'),
-        ('s', '-s'),
-        ('%{nil}', ''),
-        (None, ''),
-        ('Es', '-Es'),
-    ]
-)
-def test_py3_check_import_respects_shebang_flags(shebang_flags_value, expected_shebang_flags, lib):
-    macros = {
-        '_rpmconfigdir': 'RPMCONFIGDIR',
-        '__python3': '/usr/bin/python3',
-        'py3_shebang_flags': shebang_flags_value,
-    }
-    lines = rpm_eval('%py3_check_import sys', **macros)
-    # Compare the last line of the command, that's where lua part is evaluated
-    expected = f'/usr/bin/python3 {expected_shebang_flags} RPMCONFIGDIR/redhat/import_all_modules_py3_12.py sys'
-    assert  lines[-1].strip() == expected
-

tests/test_import_all_modules.py

@@ -1,427 +0,0 @@
-from import_all_modules_py3_12 import argparser, exclude_unwanted_module_globs
-from import_all_modules_py3_12 import main as modules_main
-from import_all_modules_py3_12 import read_modules_from_cli, filter_top_level_modules_only
-
-from pathlib import Path
-
-import pytest
-import shlex
-import sys
-
-
-@pytest.fixture(autouse=True)
-def preserve_sys_path():
-    original_sys_path = list(sys.path)
-    yield
-    sys.path = original_sys_path
-
-
-@pytest.fixture(autouse=True)
-def preserve_sys_modules():
-    original_sys_modules = dict(sys.modules)
-    yield
-    sys.modules = original_sys_modules
-
-
-@pytest.mark.parametrize(
-    'args, imports',
-    [
-        ('six', ['six']),
-        ('five  six seven', ['five', 'six', 'seven']),
-        ('six,seven, eight', ['six', 'seven', 'eight']),
-        ('six.quarter  six.half,, SIX', ['six.quarter', 'six.half', 'SIX']),
-        ('six.quarter  six.half,, SIX \\ ', ['six.quarter', 'six.half', 'SIX']),
-    ]
-)
-def test_read_modules_from_cli(args, imports):
-    argv = shlex.split(args)
-    cli_args = argparser().parse_args(argv)
-    assert read_modules_from_cli(cli_args.modules) == imports
-
-
-@pytest.mark.parametrize(
-    'all_mods, imports',
-    [
-        (['six'], ['six']),
-        (['five', 'six', 'seven'], ['five', 'six', 'seven']),
-        (['six.seven', 'eight'], ['eight']),
-        (['SIX', 'six.quarter', 'six.half.and.sth', 'seven'], ['SIX', 'seven']),
-    ],
-)
-def test_filter_top_level_modules_only(all_mods, imports):
-    assert filter_top_level_modules_only(all_mods) == imports
-
-
-@pytest.mark.parametrize(
-    'globs, expected',
-    [
-        (['*.*'], ['foo', 'boo']),
-        (['?oo'], ['foo.bar', 'foo.bar.baz', 'foo.baz']),
-        (['*.baz'], ['foo', 'foo.bar', 'boo']),
-        (['foo'], ['foo.bar', 'foo.bar.baz', 'foo.baz', 'boo']),
-        (['foo*'], ['boo']),
-        (['foo*', '*bar'], ['boo']),
-        (['foo', 'bar'], ['foo.bar', 'foo.bar.baz', 'foo.baz', 'boo']),
-        (['*'], []),
-    ]
-)
-def test_exclude_unwanted_module_globs(globs, expected):
-    my_modules = ['foo', 'foo.bar', 'foo.bar.baz', 'foo.baz', 'boo']
-    tested = exclude_unwanted_module_globs(globs, my_modules)
-    assert tested == expected
-
-
-def test_cli_with_all_args():
-    '''A smoke test, all args must be parsed correctly.'''
-    mods = ['foo', 'foo.bar', 'baz']
-    files = ['-f', './foo']
-    top = ['-t']
-    exclude = ['-e', 'foo*']
-    cli_args = argparser().parse_args([*mods, *files, *top, *exclude])
-
-    assert cli_args.filename == [Path('foo')]
-    assert cli_args.top_level is True
-    assert cli_args.modules == ['foo', 'foo.bar', 'baz']
-    assert cli_args.exclude == ['foo*']
-
-
-def test_cli_without_filename_toplevel():
-    '''Modules provided on command line (without files) must be parsed correctly.'''
-    mods = ['foo', 'foo.bar', 'baz']
-    cli_args = argparser().parse_args(mods)
-
-    assert cli_args.filename is None
-    assert cli_args.top_level is False
-    assert cli_args.modules == ['foo', 'foo.bar', 'baz']
-
-
-def test_cli_with_filename_no_cli_mods():
-    '''Files (without any modules provided on command line) must be parsed correctly.'''
-
-    files = ['-f', './foo', '-f', './bar', '-f', './baz']
-    cli_args = argparser().parse_args(files)
-
-    assert cli_args.filename == [Path('foo'), Path('./bar'), Path('./baz')]
-    assert not cli_args.top_level
-
-
-def test_main_raises_error_when_no_modules_provided():
-    '''If no filename nor modules were provided, ValueError is raised.'''
-
-    with pytest.raises(ValueError):
-        modules_main([])
-
-
-def test_import_all_modules_does_not_import():
-    '''Ensure the files from /usr/lib/rpm/redhat cannot be imported and
-    checked for import'''
-
-    # We already imported it in this file once, make sure it's not imported
-    # from the cache
-    sys.modules.pop('import_all_modules_py3_12')
-    with pytest.raises(ModuleNotFoundError):
-        modules_main(['import_all_modules_py3_12'])
-
-
-def test_modules_from_cwd_not_found(tmp_path, monkeypatch):
-    test_module = tmp_path / 'this_is_a_module_in_cwd.py'
-    test_module.write_text('')
-    monkeypatch.chdir(tmp_path)
-    with pytest.raises(ModuleNotFoundError):
-        modules_main(['this_is_a_module_in_cwd'])
-
-
-def test_modules_from_sys_path_found(tmp_path):
-    test_module = tmp_path / 'this_is_a_module_in_sys_path.py'
-    test_module.write_text('')
-    sys.path.append(str(tmp_path))
-    modules_main(['this_is_a_module_in_sys_path'])
-    assert 'this_is_a_module_in_sys_path' in sys.modules
-
-
-def test_modules_from_file_are_found(tmp_path):
-    test_file = tmp_path / 'this_is_a_file_in_tmp_path.txt'
-    test_file.write_text('math\nwave\ncsv\n')
-
-    # Make sure the tested modules are not already in sys.modules
-    for m in ('math', 'wave', 'csv'):
-        sys.modules.pop(m, None)
-
-    modules_main(['-f', str(test_file)])
-
-    assert 'csv' in sys.modules
-    assert 'math' in sys.modules
-    assert 'wave' in sys.modules
-
-
-def test_modules_from_files_are_found(tmp_path):
-    test_file_1 = tmp_path / 'this_is_a_file_in_tmp_path_1.txt'
-    test_file_2 = tmp_path / 'this_is_a_file_in_tmp_path_2.txt'
-    test_file_3 = tmp_path / 'this_is_a_file_in_tmp_path_3.txt'
-
-    test_file_1.write_text('math\nwave\n')
-    test_file_2.write_text('csv\npathlib\n')
-    test_file_3.write_text('logging\ncsv\n')
-
-    # Make sure the tested modules are not already in sys.modules
-    for m in ('math', 'wave', 'csv', 'pathlib', 'logging'):
-        sys.modules.pop(m, None)
-
-    modules_main(['-f', str(test_file_1), '-f', str(test_file_2), '-f', str(test_file_3), ])
-    for module in ('csv', 'math', 'wave', 'pathlib', 'logging'):
-        assert module in sys.modules
-
-
-def test_nonexisting_modules_raise_exception_on_import(tmp_path):
-    test_file = tmp_path / 'this_is_a_file_in_tmp_path.txt'
-    test_file.write_text('nonexisting_module\nanother\n')
-    with pytest.raises(ModuleNotFoundError):
-        modules_main(['-f', str(test_file)])
-
-
-def test_nested_modules_found_when_expected(tmp_path, monkeypatch, capsys):
-
-    # This one is supposed to raise an error
-    cwd_path = tmp_path / 'test_cwd'
-    Path.mkdir(cwd_path)
-    test_module_1 = cwd_path / 'this_is_a_module_in_cwd.py'
-
-    # Nested structure that is supposed to be importable
-    nested_path_1 = tmp_path / 'nested'
-    nested_path_2 = nested_path_1 / 'more_nested'
-
-    for path in (nested_path_1, nested_path_2):
-        Path.mkdir(path)
-
-    test_module_2 = tmp_path / 'this_is_a_module_in_level_0.py'
-    test_module_3 = nested_path_1 / 'this_is_a_module_in_level_1.py'
-    test_module_4 = nested_path_2 / 'this_is_a_module_in_level_2.py'
-
-    for module in (test_module_1, test_module_2, test_module_3, test_module_4):
-        module.write_text('')
-
-    sys.path.append(str(tmp_path))
-    monkeypatch.chdir(cwd_path)
-
-    with pytest.raises(ModuleNotFoundError):
-        modules_main([
-            'this_is_a_module_in_level_0',
-            'nested.this_is_a_module_in_level_1',
-            'nested.more_nested.this_is_a_module_in_level_2',
-            'this_is_a_module_in_cwd'])
-
-    _, err = capsys.readouterr()
-    assert 'Check import: this_is_a_module_in_level_0' in err
-    assert 'Check import: nested.this_is_a_module_in_level_1' in err
-    assert 'Check import: nested.more_nested.this_is_a_module_in_level_2' in err
-    assert 'Check import: this_is_a_module_in_cwd' in err
-
-
-def test_modules_both_from_files_and_cli_are_imported(tmp_path):
-    test_file_1 = tmp_path / 'this_is_a_file_in_tmp_path_1.txt'
-    test_file_1.write_text('this_is_a_module_in_tmp_path_1')
-
-    test_file_2 = tmp_path / 'this_is_a_file_in_tmp_path_2.txt'
-    test_file_2.write_text('this_is_a_module_in_tmp_path_2')
-
-    test_module_1 = tmp_path / 'this_is_a_module_in_tmp_path_1.py'
-    test_module_2 = tmp_path / 'this_is_a_module_in_tmp_path_2.py'
-    test_module_3 = tmp_path / 'this_is_a_module_in_tmp_path_3.py'
-
-    for module in (test_module_1, test_module_2, test_module_3):
-        module.write_text('')
-
-    sys.path.append(str(tmp_path))
-    modules_main([
-        '-f', str(test_file_1),
-        'this_is_a_module_in_tmp_path_3',
-        '-f', str(test_file_2),
-    ])
-
-    expected = (
-        'this_is_a_module_in_tmp_path_1',
-        'this_is_a_module_in_tmp_path_2',
-        'this_is_a_module_in_tmp_path_3',
-    )
-    for module in expected:
-        assert module in sys.modules
-
-
-def test_non_existing_module_raises_exception(tmp_path):
-
-    test_module_1 = tmp_path / 'this_is_a_module_in_tmp_path_1.py'
-    test_module_1.write_text('')
-    sys.path.append(str(tmp_path))
-
-    with pytest.raises(ModuleNotFoundError):
-        modules_main([
-            'this_is_a_module_in_tmp_path_1',
-            'this_is_a_module_in_tmp_path_2',
-        ])
-
-
-def test_module_with_error_propagates_exception(tmp_path):
-
-    test_module_1 = tmp_path / 'this_is_a_module_in_tmp_path_1.py'
-    test_module_1.write_text('0/0')
-    sys.path.append(str(tmp_path))
-
-    # The correct exception must be raised
-    with pytest.raises(ZeroDivisionError):
-        modules_main([
-            'this_is_a_module_in_tmp_path_1',
-        ])
-
-
-def test_correct_modules_are_excluded(tmp_path):
-    test_module_1 = tmp_path / 'module_in_tmp_path_1.py'
-    test_module_2 = tmp_path / 'module_in_tmp_path_2.py'
-    test_module_3 = tmp_path / 'module_in_tmp_path_3.py'
-
-    for module in (test_module_1, test_module_2, test_module_3):
-        module.write_text('')
-
-    sys.path.append(str(tmp_path))
-    test_file_1 = tmp_path / 'a_file_in_tmp_path_1.txt'
-    test_file_1.write_text('module_in_tmp_path_1\nmodule_in_tmp_path_2\nmodule_in_tmp_path_3\n')
-
-    modules_main([
-        '-e', 'module_in_tmp_path_2',
-        '-f', str(test_file_1),
-        '-e', 'module_in_tmp_path_3',
-        ])
-
-    assert 'module_in_tmp_path_1' in sys.modules
-    assert 'module_in_tmp_path_2' not in sys.modules
-    assert 'module_in_tmp_path_3' not in sys.modules
-
-
-def test_excluding_all_modules_raises_error(tmp_path):
-    test_module_1 = tmp_path / 'module_in_tmp_path_1.py'
-    test_module_2 = tmp_path / 'module_in_tmp_path_2.py'
-    test_module_3 = tmp_path / 'module_in_tmp_path_3.py'
-
-    for module in (test_module_1, test_module_2, test_module_3):
-        module.write_text('')
-
-    sys.path.append(str(tmp_path))
-    test_file_1 = tmp_path / 'a_file_in_tmp_path_1.txt'
-    test_file_1.write_text('module_in_tmp_path_1\nmodule_in_tmp_path_2\nmodule_in_tmp_path_3\n')
-
-    with pytest.raises(ValueError):
-        modules_main([
-            '-e', 'module_in_tmp_path*',
-            '-f', str(test_file_1),
-            ])
-
-
-def test_only_toplevel_modules_found(tmp_path):
-
-    # Nested structure that is supposed to be importable
-    nested_path_1 = tmp_path / 'nested'
-    nested_path_2 = nested_path_1 / 'more_nested'
-
-    for path in (nested_path_1, nested_path_2):
-        Path.mkdir(path)
-
-    test_module_1 = tmp_path / 'this_is_a_module_in_level_0.py'
-    test_module_2 = nested_path_1 / 'this_is_a_module_in_level_1.py'
-    test_module_3 = nested_path_2 / 'this_is_a_module_in_level_2.py'
-
-    for module in (test_module_1, test_module_2, test_module_3):
-        module.write_text('')
-
-    sys.path.append(str(tmp_path))
-
-    modules_main([
-        'this_is_a_module_in_level_0',
-        'nested.this_is_a_module_in_level_1',
-        'nested.more_nested.this_is_a_module_in_level_2',
-        '-t'])
-
-    assert 'nested.this_is_a_module_in_level_1' not in sys.modules
-    assert 'nested.more_nested.this_is_a_module_in_level_2' not in sys.modules
-
-
-def test_only_toplevel_included_modules_found(tmp_path):
-
-    # Nested structure that is supposed to be importable
-    nested_path_1 = tmp_path / 'nested'
-    nested_path_2 = nested_path_1 / 'more_nested'
-
-    for path in (nested_path_1, nested_path_2):
-        Path.mkdir(path)
-
-    test_module_1 = tmp_path / 'this_is_a_module_in_level_0.py'
-    test_module_4 = tmp_path / 'this_is_another_module_in_level_0.py'
-
-    test_module_2 = nested_path_1 / 'this_is_a_module_in_level_1.py'
-    test_module_3 = nested_path_2 / 'this_is_a_module_in_level_2.py'
-
-    for module in (test_module_1, test_module_2, test_module_3, test_module_4):
-        module.write_text('')
-
-    sys.path.append(str(tmp_path))
-
-    modules_main([
-        'this_is_a_module_in_level_0',
-        'this_is_another_module_in_level_0',
-        'nested.this_is_a_module_in_level_1',
-        'nested.more_nested.this_is_a_module_in_level_2',
-        '-t',
-        '-e', '*another*'
-    ])
-
-    assert 'nested.this_is_a_module_in_level_1' not in sys.modules
-    assert 'nested.more_nested.this_is_a_module_in_level_2' not in sys.modules
-    assert 'this_is_another_module_in_level_0' not in sys.modules
-    assert 'this_is_a_module_in_level_0' in sys.modules
-
-
-def test_module_list_from_relative_path(tmp_path, monkeypatch):
-
-    monkeypatch.chdir(tmp_path)
-    test_file_1 = Path('this_is_a_file_in_cwd.txt')
-    test_file_1.write_text('wave')
-
-    sys.modules.pop('wave', None)
-
-    modules_main([
-        '-f', 'this_is_a_file_in_cwd.txt'
-    ])
-
-    assert 'wave' in sys.modules
-
-
-@pytest.mark.parametrize('arch_in_path', [True, False])
-def test_pth_files_are_read_from__PYTHONSITE(arch_in_path, tmp_path, monkeypatch, capsys):
-    sitearch = tmp_path / 'lib64'
-    sitearch.mkdir()
-    sitelib = tmp_path / 'lib'
-    sitelib.mkdir()
-
-    for where, word in (sitearch, "ARCH"), (sitelib, "LIB"), (sitelib, "MOD"):
-        module = where / f'print{word}.py'
-        module.write_text(f'print("{word}")')
-
-    pth_sitearch = sitearch / 'ARCH.pth'
-    pth_sitearch.write_text('import printARCH\n')
-
-    pth_sitelib = sitelib / 'LIB.pth'
-    pth_sitelib.write_text('import printLIB\n')
-
-    if arch_in_path:
-        sys.path.append(str(sitearch))
-    sys.path.append(str(sitelib))
-
-    # we always add sitearch to _PYTHONSITE
-    # but when not in sys.path, it should not be processed for .pth files
-    monkeypatch.setenv('_PYTHONSITE', f'{sitearch}:{sitelib}')
-
-    modules_main(['printMOD'])
-    out, err = capsys.readouterr()
-    if arch_in_path:
-        assert out == 'ARCH\nLIB\nMOD\n'
-    else:
-        assert out == 'LIB\nMOD\n'
-