From 43a0c07ccdb6c4b9cddc343ba1606e0059bd4cbd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Hrn=C4=8Diar?= <thrnciar@redhat.com>
Date: Wed, 10 Sep 2025 13:24:36 +0200
Subject: [PATCH] Convert from Fedora for the Python 3.14 stack in RHEL
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fedora contributions by:
    Alfredo Moralejo <amoralej@redhat.com>
    Benjamin A. Beasley <code@musicinmybrain.net>
    Charalampos Stratakis <cstratak@redhat.com>
    Christian Heimes <christian@python.org>
    Colin Walters <walters@verbum.org>
    Dennis Gilmore <dennis@ausil.us>
    Fabio Valentini <decathorpe@gmail.com>
    Felix Schwarz <felix.schwarz@oss.schwarz.eu>
    Francisco Trivino <ftrivino@redhat.com>
    Haikel Guemar <hguemar@fedoraproject.org>
    Igor Gnatenko <ignatenkobrain@fedoraproject.org>
    Iryna Shcherbina <shcherbina.iryna@gmail.com>
    Jeremy Cline <jeremy@jcline.org>
    Lumir Balhar <lbalhar@redhat.com>
    Matěj Cepl <mcepl@cepl.eu>
    Miro Hrončok <miro@hroncok.cz>
    Nathaniel McCallum <npmccallum@redhat.com>
    Peter Robinson <pbrobinson@gmail.com>
    Randy Barlow <randy@electronsweatshop.com>
    Robert Kuska <rkuska@redhat.com>
    Sahana Prasad <sahana@redhat.com>
    Stephen Gallagher <sgallagh@redhat.com>
    Troy Dawson <tdawson@redhat.com>
    Yaakov Selkowitz <yselkowi@redhat.com>
---
 ...n-build-backend-with-setuptools-rust.patch |  96 +++++++++++++
 python3.14-cryptography.spec                  | 136 ++++++++++++++----
 2 files changed, 207 insertions(+), 25 deletions(-)
 create mode 100644 Replace-maturin-build-backend-with-setuptools-rust.patch

diff --git a/Replace-maturin-build-backend-with-setuptools-rust.patch b/Replace-maturin-build-backend-with-setuptools-rust.patch
new file mode 100644
index 0000000..c38b966
--- /dev/null
+++ b/Replace-maturin-build-backend-with-setuptools-rust.patch
@@ -0,0 +1,96 @@
+From c12aed73a8e6557ed4125038be62439db820624c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Hrn=C4=8Diar?= <thrnciar@redhat.com>
+Date: Wed, 10 Sep 2025 11:20:00 +0200
+Subject: [PATCH] Replace maturin build backend with setuptools-rust
+
+---
+ pyproject.toml | 52 +++++++++++++++-----------------------------------
+ 1 file changed, 15 insertions(+), 37 deletions(-)
+
+diff --git a/pyproject.toml b/pyproject.toml
+index d9ef70420..573f80cec 100644
+--- a/pyproject.toml
++++ b/pyproject.toml
+@@ -2,16 +2,15 @@
+ # These requirements must be kept sync with the requirements in
+ # ./.github/requirements/build-requirements.{in,txt}
+ requires = [
+-    "maturin>=1.8.6,<2",
+-
+     # Must be kept in sync with `project.dependencies`
+     "cffi>=1.14; platform_python_implementation != 'PyPy'",
+     # Used by cffi (which import distutils, and in Python 3.12, distutils has
+     # been removed from the stdlib, but installing setuptools puts it back) as
+     # well as our build.rs for the rust/cffi bridge.
+     "setuptools!=74.0.0,!=74.1.0,!=74.1.1,!=74.1.2",
++    "setuptools-rust>=1.5.0",
+ ]
+-build-backend = "maturin"
++build-backend = "setuptools.build_meta"
+ 
+ [project]
+ name = "cryptography"
+@@ -59,6 +58,14 @@ source = "https://github.com/pyca/cryptography/"
+ issues = "https://github.com/pyca/cryptography/issues"
+ changelog = "https://cryptography.io/en/latest/changelog/"
+ 
++[tool.setuptools]
++zip-safe = false
++package-dir = {"" = "src"}
++
++[tool.setuptools.packages.find]
++where = ["src"]
++include = ["cryptography*"]
++
+ [project.optional-dependencies]
+ ssh = ["bcrypt >=3.1.5"]
+ 
+@@ -93,40 +100,11 @@ pep8test = [
+     "click >=8.0.1",
+ ]
+ 
+-[tool.maturin]
+-python-source = "src"
+-python-packages = ["cryptography"]
+-manifest-path = "src/rust/Cargo.toml"
+-module-name = "cryptography.hazmat.bindings._rust"
+-locked = true
+-sdist-generator = "git"
+-include = [
+-    "CHANGELOG.rst",
+-    "CONTRIBUTING.rst",
+-
+-    "docs/**/*",
+-
+-    { path = "src/_cffi_src/**/*.py", format = "sdist" },
+-    { path = "src/_cffi_src/**/*.c", format = "sdist" },
+-    { path = "src/_cffi_src/**/*.h", format = "sdist" },
+-
+-    { path = "Cargo.toml", format = "sdist" },
+-    { path = "Cargo.lock", format = "sdist" },
+-    { path = "src/rust/**/Cargo.toml", format = "sdist" },
+-    { path = "src/rust/**/Cargo.lock", format = "sdist" },
+-    { path = "src/rust/**/*.rs", format = "sdist" },
+-
+-    "tests/**/*.py",
+-]
+-exclude = [
+-    "vectors/**/*",
+-    "target/**/*",
+-    "docs/_build/**/*",
+-    ".github/**/*",
+-    ".readthedocs.yml",
+-    "ci-constraints-requirements.txt",
+-    "mypy.ini",
+-]
++[[tool.setuptools-rust.ext-modules]]
++target = "cryptography.hazmat.bindings._rust"
++path = "src/rust/Cargo.toml"
++py-limited-api = "auto"
++rust-version = ">=1.65.0"
+ 
+ [tool.pytest.ini_options]
+ addopts = "-r s --capture=no --strict-markers --benchmark-disable"
+-- 
+2.51.0
+
diff --git a/python3.14-cryptography.spec b/python3.14-cryptography.spec
index ae9b0b1..9bda5ef 100644
--- a/python3.14-cryptography.spec
+++ b/python3.14-cryptography.spec
@@ -1,23 +1,65 @@
-%bcond_without tests
+%global python3_pkgversion 3.14
 
-%{!?python3_pkgversion:%global python3_pkgversion 3}
+# RHEL: Tests disabled due to missing deps
+%bcond_with tests
 
 %global srcname cryptography
 
-Name:           python-%{srcname}
+Name:           python%{python3_pkgversion}-%{srcname}
 Version:        45.0.4
 Release:        %autorelease
 Summary:        PyCA's cryptography library
 
-# cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause,
-# as well as the Python Software Foundation license for the OS random
-# engine derived by CPython.
-# Rust crate dependency licenses:
-# Apache-2.0
-# Apache-2.0 OR MIT
-# BSD-3-Clause
-# MIT
-# MIT OR Apache-2.0
+# We bundle various crates with cryptography which is dual licensed
+# under the ASL 2.0 or BSD, as well as the Python license
+# for the OS random engine derived by CPython.
+
+# in the vendor dir from SOURCE1:
+#     import pathlib, tomllib
+#     bundled = {}
+#     for d in pathlib.Path('.').iterdir():
+#         cargo_toml = d / 'Cargo.toml'
+#         cargo = tomllib.loads(cargo_toml.read_text())
+#         bundled[cargo['package']['name']] = cargo['package']
+#     for pkg in sorted(bundled):
+#         print(f"# {pkg}: {bundled[pkg]['license']}")
+
+# asn1: BSD-3-Clause
+# asn1_derive: BSD-3-Clause
+# autocfg: Apache-2.0 OR MIT
+# base64: MIT OR Apache-2.0
+# bitflags: MIT OR Apache-2.0
+# cc: MIT OR Apache-2.0
+# cfg-if: MIT/Apache-2.0
+# foreign-types: MIT/Apache-2.0
+# foreign-types-shared: MIT/Apache-2.0
+# heck: MIT OR Apache-2.0
+# indoc: MIT OR Apache-2.0
+# itoa: MIT OR Apache-2.0
+# libc: MIT OR Apache-2.0
+# memoffset: MIT
+# once_cell: MIT OR Apache-2.0
+# openssl: Apache-2.0
+# openssl-macros: MIT/Apache-2.0
+# openssl-sys: MIT
+# pem: MIT
+# pkg-config: MIT OR Apache-2.0
+# portable-atomic: Apache-2.0 OR MIT
+# proc-macro2: MIT OR Apache-2.0
+# pyo3: MIT OR Apache-2.0
+# pyo3-build-config: MIT OR Apache-2.0
+# pyo3-ffi: MIT OR Apache-2.0
+# pyo3-macros: MIT OR Apache-2.0
+# pyo3-macros-backend: MIT OR Apache-2.0
+# quote: MIT OR Apache-2.0
+# self_cell: Apache-2.0
+# shlex: MIT OR Apache-2.0
+# syn: MIT OR Apache-2.0
+# target-lexicon: Apache-2.0 WITH LLVM-exception
+# unicode-ident: (MIT OR Apache-2.0) AND Unicode-3.0
+# unindent: MIT OR Apache-2.0
+# vcpkg: MIT/Apache-2.0
+
 License:        (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0 AND Apache-2.0 AND BSD-3-Clause AND MIT AND (MIT OR Apache-2.0)
 URL:            https://cryptography.io/en/latest/
 Source0:        https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz
@@ -25,6 +67,11 @@ Source0:        https://github.com/pyca/cryptography/archive/%{version}/%{srcnam
 Source1:        cryptography-%{version}-vendor.tar.bz2
 Source2:        conftest-skipper.py
 
+# upstream uses maturin as a build backend,
+# we replace it with setuptools-rust since it is not available in RHEL
+# reverts: https://github.com/pyca/cryptography/commit/5b23baa
+Patch:          Replace-maturin-build-backend-with-setuptools-rust.patch
+
 ExclusiveArch:  %{rust_arches}
 
 BuildRequires:  openssl-devel
@@ -54,21 +101,60 @@ BuildRequires:  python%{python3_pkgversion}-pytz
 BuildRequires:  python%{python3_pkgversion}-pytest >= 6.2.0
 %endif
 
-%description
-cryptography is a package designed to expose cryptographic primitives and
-recipes to Python developers.
-
-%package -n  python%{python3_pkgversion}-%{srcname}
-Summary:        PyCA's cryptography library
-%{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}}
-
 Requires:       openssl-libs
-%if 0%{?fedora} >= 35 || 0%{?rhel} >= 9
-# Can be safely removed in Fedora 37
-Obsoletes: python%{python3_pkgversion}-cryptography-vectors < 3.4.7
-%endif
+Requires:       python%{python3_pkgversion}-cffi >= 1.12
 
-%description -n python%{python3_pkgversion}-%{srcname}
+# Provides for the bundled crates
+# (continuation of the snippet above the License tag)
+#     for pkg in sorted(bundled):
+#         print(f"Provides: bundled(crate({pkg})) = {bundled[pkg]['version']}")
+Provides: bundled(crate(asn1)) = 0.21.3
+Provides: bundled(crate(asn1_derive)) = 0.21.3
+Provides: bundled(crate(autocfg)) = 1.4.0
+Provides: bundled(crate(base64)) = 0.22.1
+Provides: bundled(crate(bitflags)) = 2.9.1
+Provides: bundled(crate(cc)) = 1.2.23
+Provides: bundled(crate(cfg-if)) = 1.0.0
+Provides: bundled(crate(foreign-types)) = 0.3.2
+Provides: bundled(crate(foreign-types-shared)) = 0.1.1
+Provides: bundled(crate(heck)) = 0.5.0
+Provides: bundled(crate(indoc)) = 2.0.6
+Provides: bundled(crate(itoa)) = 1.0.15
+Provides: bundled(crate(libc)) = 0.2.172
+Provides: bundled(crate(memoffset)) = 0.9.1
+Provides: bundled(crate(once_cell)) = 1.21.3
+Provides: bundled(crate(openssl)) = 0.10.72
+Provides: bundled(crate(openssl-macros)) = 0.1.1
+Provides: bundled(crate(openssl-sys)) = 0.9.108
+Provides: bundled(crate(pem)) = 3.0.5
+Provides: bundled(crate(pkg-config)) = 0.3.32
+Provides: bundled(crate(portable-atomic)) = 1.11.0
+Provides: bundled(crate(proc-macro2)) = 1.0.95
+Provides: bundled(crate(pyo3)) = 0.25.0
+Provides: bundled(crate(pyo3-build-config)) = 0.25.0
+Provides: bundled(crate(pyo3-ffi)) = 0.25.0
+Provides: bundled(crate(pyo3-macros)) = 0.25.0
+Provides: bundled(crate(pyo3-macros-backend)) = 0.25.0
+Provides: bundled(crate(quote)) = 1.0.40
+Provides: bundled(crate(self_cell)) = 1.2.0
+Provides: bundled(crate(shlex)) = 1.3.0
+Provides: bundled(crate(syn)) = 2.0.101
+Provides: bundled(crate(target-lexicon)) = 0.13.2
+Provides: bundled(crate(unicode-ident)) = 1.0.18
+Provides: bundled(crate(unindent)) = 0.2.4
+Provides: bundled(crate(vcpkg)) = 0.2.15
+
+# Cryptography crates
+Provides: bundled(crate(cryptography-cffi)) = 0.1.0
+Provides: bundled(crate(cryptography-crypto)) = 0.1.0
+Provides: bundled(crate(cryptography-keepalive)) = 0.1.0
+Provides: bundled(crate(cryptography-key-parsing)) = 0.1.0
+Provides: bundled(crate(cryptography-rust)) = 0.1.0
+Provides: bundled(crate(cryptography-x509)) = 0.1.0
+Provides: bundled(crate(cryptography-x509-verification)) = 0.1.0
+Provides: bundled(crate(cryptography-openssl)) = 0.1.0
+
+%description
 cryptography is a package designed to expose cryptographic primitives and
 recipes to Python developers.