import CS python3.14-3.14.3-1.el9

.fmf/version

@@ -1 +0,0 @@
-1

.gitignore

@@ -1,3 +1 @@
-/*.tar.*
-/*.src.rpm
-/results_python3*
+SOURCES/Python-3.14.3.tar.xz

.python3.14.metadata

@@ -0,0 +1 @@
+83eed62ba54742382542474db798717e6ee6b3f2 SOURCES/Python-3.14.3.tar.xz

00478-cve-2026-4519.patch

@@ -1,114 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
- <31488909+miss-islington@users.noreply.github.com>
-Date: Tue, 24 Mar 2026 00:16:27 +0100
-Subject: 00478: CVE-2026-4519
-
-Reject leading dashes in webbrowser URLs (GH-146214)
-
-(cherry picked from commit 82a24a4442312bdcfc4c799885e8b3e00990f02b)
-
-Co-authored-by: Seth Michael Larson <seth@python.org>
----
- Lib/test/test_webbrowser.py                         |  5 +++++
- Lib/webbrowser.py                                   | 13 +++++++++++++
- .../2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst  |  1 +
- 3 files changed, 19 insertions(+)
- create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
-
-diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
-index 4c3ea1cd8d..22e9d7493a 100644
---- a/Lib/test/test_webbrowser.py
-+++ b/Lib/test/test_webbrowser.py
-@@ -67,6 +67,11 @@ def test_open(self):
-                    options=[],
-                    arguments=[URL])
- 
-+    def test_reject_dash_prefixes(self):
-+        browser = self.browser_class(name=CMD_NAME)
-+        with self.assertRaises(ValueError):
-+            browser.open(f"--key=val {URL}")
-+
- 
- class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase):
- 
-diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
-index f2e2394089..9ead2990e8 100644
---- a/Lib/webbrowser.py
-+++ b/Lib/webbrowser.py
-@@ -163,6 +163,12 @@ def open_new(self, url):
-     def open_new_tab(self, url):
-         return self.open(url, 2)
- 
-+    @staticmethod
-+    def _check_url(url):
-+        """Ensures that the URL is safe to pass to subprocesses as a parameter"""
-+        if url and url.lstrip().startswith("-"):
-+            raise ValueError(f"Invalid URL: {url}")
-+
- 
- class GenericBrowser(BaseBrowser):
-     """Class for all browsers started with a command
-@@ -180,6 +186,7 @@ def __init__(self, name):
- 
-     def open(self, url, new=0, autoraise=True):
-         sys.audit("webbrowser.open", url)
-+        self._check_url(url)
-         cmdline = [self.name] + [arg.replace("%s", url)
-                                  for arg in self.args]
-         try:
-@@ -200,6 +207,7 @@ def open(self, url, new=0, autoraise=True):
-         cmdline = [self.name] + [arg.replace("%s", url)
-                                  for arg in self.args]
-         sys.audit("webbrowser.open", url)
-+        self._check_url(url)
-         try:
-             if sys.platform[:3] == 'win':
-                 p = subprocess.Popen(cmdline)
-@@ -266,6 +274,7 @@ def _invoke(self, args, remote, autoraise, url=None):
- 
-     def open(self, url, new=0, autoraise=True):
-         sys.audit("webbrowser.open", url)
-+        self._check_url(url)
-         if new == 0:
-             action = self.remote_action
-         elif new == 1:
-@@ -357,6 +366,7 @@ class Konqueror(BaseBrowser):
- 
-     def open(self, url, new=0, autoraise=True):
-         sys.audit("webbrowser.open", url)
-+        self._check_url(url)
-         # XXX Currently I know no way to prevent KFM from opening a new win.
-         if new == 2:
-             action = "newTab"
-@@ -588,6 +598,7 @@ def register_standard_browsers():
-     class WindowsDefault(BaseBrowser):
-         def open(self, url, new=0, autoraise=True):
-             sys.audit("webbrowser.open", url)
-+            self._check_url(url)
-             try:
-                 os.startfile(url)
-             except OSError:
-@@ -608,6 +619,7 @@ def __init__(self, name='default'):
- 
-         def open(self, url, new=0, autoraise=True):
-             sys.audit("webbrowser.open", url)
-+            self._check_url(url)
-             url = url.replace('"', '%22')
-             if self.name == 'default':
-                 proto, _sep, _rest = url.partition(":")
-@@ -664,6 +676,7 @@ def open(self, url, new=0, autoraise=True):
-     class IOSBrowser(BaseBrowser):
-         def open(self, url, new=0, autoraise=True):
-             sys.audit("webbrowser.open", url)
-+            self._check_url(url)
-             # If ctypes isn't available, we can't open a browser
-             if objc is None:
-                 return False
-diff --git a/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
-new file mode 100644
-index 0000000000..0f27eae99a
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
-@@ -0,0 +1 @@
-+Reject leading dashes in URLs passed to :func:`webbrowser.open`

SPECS/python3.14.spec

@@ -49,7 +49,7 @@ URL: https://www.python.org/
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 2%{?dist}
+Release: 1%{?dist}
 License: Python-2.0.1
 
 
@@ -341,9 +341,6 @@ Source0: %{url}ftp/python/%{general_version}/Python-%{upstream_version}.tar.xz
 # Originally written by bkabrda
 Source8: check-pyc-timestamps.py
 
-# A script that determines the required expat version
-Source9: expat-requires.py
-
 # Desktop menu entry for idle3
 Source10: idle3.desktop
 
@@ -438,12 +435,6 @@ Patch475: 00475-cve-2025-15367.patch
 # direct call to the check function.
 Patch477: 00477-raise-an-error-when-importing-stdlib-modules-compiled-for-a-different-python-version.patch
 
-# 00478 # d9d794656850591a4e6aeddcf853505aeea08028
-# CVE-2026-4519
-#
-# Reject leading dashes in webbrowser URLs (GH-146214)
-Patch478: 00478-cve-2026-4519.patch
-
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -624,20 +615,6 @@ Recommends: (%{pkgname}-tkinter%{?_isa} if tk%{?_isa})
 # The zoneinfo module needs tzdata
 Requires: tzdata
 
-# The requirement on libexpat is generated, but we need to version it.
-# When built with a specific expat version, but installed with an older one,
-# we sometimes get:
-#   ImportError: /usr/lib64/python3.X/lib-dynload/pyexpat.cpython-....so:
-#   undefined symbol: XML_...
-# The pyexpat module has build-time checks for expat version to only use the
-# available symbols. However, there is no runtime protection, so when the module
-# is later installed with an older expat, it may error due to undefined symbols.
-# This breaks many things, including python -m venv.
-# We avoid this problem by requiring expat equal or greater than the latest known
-# version which introduced new symbols used by Python.
-# Other subpackages (like -debug) also need this, but they all depend on -libs.
-%global expat_min_version 2.7.2
-Requires: expat%{?_isa} >= %{expat_min_version}
 
 %description -n %{pkgname}-libs
 This package contains runtime libraries for use by Python:
@@ -662,6 +639,10 @@ Requires: (python3-rpm-macros if rpm-build)
 # On Fedora, we keep this to avoid one additional round of %%generate_buildrequires.
 %{!?rhel:Requires: (pyproject-rpm-macros if rpm-build)}
 
+# We provide the python3.14-rpm-macros here to make it possible to
+# BuildRequire them in the same manner as RHEL8.
+Provides: %{pkgname}-rpm-macros = %{version}-%{release}
+
 %unversioned_obsoletes_of_python3_X_if_main devel
 
 %if %{with main_python}
@@ -835,7 +816,6 @@ License: %{libs_license} AND Apache-2.0 AND ISC AND LGPL-2.1-only AND MPL-2.0 AN
 # See the comments in the definition of main -libs subpackage for detailed explanations
 Provides: bundled(mimalloc) = 2.12
 Requires: tzdata
-Requires: expat%{?_isa} >= %{expat_min_version}
 
 # There are files in the standard library that have python shebang.
 # We've filtered the automatic requirement out so libs are installable without
@@ -1460,12 +1440,6 @@ for Module in %{buildroot}/%{dynload_dir}/*.so ; do
     esac
 done
 
-# Check the expat compatibility
-expat_found=$(LD_LIBRARY_PATH="%{buildroot}%{_libdir}" PYTHONPATH="%{buildroot}%{pylibdir}" %{buildroot}%{_bindir}/python%{pybasever} %{SOURCE9})
-if [ "${expat_found}" != "%{expat_min_version}" ]; then
-    echo "Found expat version is different than the declared one, found: ${expat_found}" ; exit 1
-fi
-
 
 # ======================================================
 # Running the upstream test suite
@@ -1981,24 +1955,17 @@ CheckPython freethreading
 # ======================================================
 
 %changelog
-* Thu Mar 26 2026 Lumír Balhar <lbalhar@redhat.com> - 3.14.3-2
-- Security fix for CVE-2026-4519
-Resolves: RHEL-158114
-
 * Wed Feb 04 2026 Karolina Surma <ksurma@redhat.com> - 3.14.3-1
 - Update to Python 3.14.3
 - Security fixes for CVE-2025-11468, CVE-2026-0672,CVE-2026-0865,
 CVE-2025-15282, CVE-2026-1299, CVE-2025-11468, CVE-2025-15366,
 CVE-2025-15367
-Resolves: RHEL-144855, RHEL-143058, RHEL-143111
+Resolves: RHEL-144896, RHEL-143115, RHEL-143173
 
-* Mon Jan 19 2026 Charalampos Stratakis <cstratak@redhat.com> - 3.14.2-3
+* Fri Jan 09 2026 Charalampos Stratakis <cstratak@redhat.com> - 3.14.2-3
 - Support OpenSSL FIPS mode
 - Disable the builtin hashlib hashes except blake2
-Related: RHEL-120788
-
-* Mon Jan 12 2026 Karolina Surma <ksurma@redhat.com> - 3.14.2-2
-- Explicitly require expat >= 2.7.2
+Related: RHEL-120823
 
 * Fri Dec 05 2025 Miro Hrončok <mhroncok@redhat.com> - 3.14.2-1
 - Update to Python 3.14.2

expat-requires.py

@@ -1,50 +0,0 @@
-import pathlib
-import pyexpat
-import sys
-
-
-# This will determine the version of currently installed expat
-EXPAT_VERSION = pyexpat.EXPAT_VERSION.removeprefix('expat_')
-MAJOR, MINOR, PATCH = (int(i) for i in EXPAT_VERSION.split('.'))
-EXPAT_COMBINED_VERSION = 10000*MAJOR + 100*MINOR + PATCH
-
-# For the listed files, we find all XML_COMBINED_VERSION-based #ifs
-SRC = pathlib.Path.cwd()
-SOURCES = [
-    SRC / 'Modules/pyexpat.c',
-    SRC / 'Modules/clinic/pyexpat.c.h',
-]
-versions = set()
-for source in SOURCES:
-    for line in source.read_text().splitlines():
-        if 'XML_COMBINED_VERSION' not in line:
-            continue
-        words = line.split()
-        if words[0] == '#define':
-            continue
-        if len(words) != 4:
-            continue
-        if words[0] not in ('#if', '#elif'):
-            continue
-        if words[1].startswith('(') and words[-1].endswith(')'):
-            words[1] = words[1][1:]
-            words[-1] = words[-1][:-1]
-        if words[1] == 'XML_COMBINED_VERSION':
-            version = int(words[3])
-            if words[2] == '>':
-                versions.add(version+1)
-                continue
-            if words[2] == '>=':
-                versions.add(version)
-                continue
-        raise ValueError(
-            'Unknown line with XML_COMBINED_VERSION, adjust this script:\n\n'
-            f'{line}'
-        )
-
-# We need the highest satisfiable version used in the #ifs, in x.y.z notation
-v = max({v for v in versions if v <= EXPAT_COMBINED_VERSION})
-major, minor_patch = divmod(v, 10000)
-minor, patch = divmod(minor_patch, 100)
-print(f"{major}.{minor}.{patch}")
-

gating.yaml

@@ -1,6 +0,0 @@
---- !Policy
-product_versions:
-  - rhel-*
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

plan.fmf

@@ -1,80 +0,0 @@
-execute:
-  how: tmt
-
-provision:
-  hardware:
-    memory: '>= 3 GB'
-
-environment:
-  pybasever: '3.14'
-
-discover:
-  - name: tests_python
-    how: shell
-    url: https://gitlab.com/redhat/centos-stream/tests/python.git
-    tests:
-    - name: smoke
-      path: /smoke
-      test: "VERSION=${pybasever} CYTHON=true ./venv.sh"
-    - name: smoke_virtualenv
-      path: /smoke
-      test: "VERSION=${pybasever} METHOD=virtualenv CYTHON=true ./venv.sh"
-    - name: debugsmoke
-      path: /smoke
-      test: "PYTHON=python${pybasever}d TOX=false VERSION=${pybasever} CYTHON=true ./venv.sh"
-    - name: selftest
-      path: /selftest
-      test: "VERSION=${pybasever} X='-i test_check_probes' ./parallel.sh"
-    - name: debugtest
-      path: /selftest
-      # test_base_interpreter: https://github.com/python/cpython/issues/131372
-      test: "VERSION=${pybasever} PYTHON=python${pybasever}d X='-i test_check_probes -i test_base_interpreter' ./parallel.sh"
-    - name: freethreadingtest
-      path: /selftest
-      test: "VERSION=${pybasever}t X='-i test_check_probes -i test_base_interpreter' ./parallel.sh"
-    - name: optimizedflags
-      path: /flags
-      test: "python${pybasever} ./assertflags.py -O3 CFLAGS PY_BUILTIN_MODULE_CFLAGS PY_CFLAGS PY_CORE_CFLAGS PY_CFLAGS_NODIST PY_STDMODULE_CFLAGS"
-    - name: debugflags
-      path: /flags
-      test: "python${pybasever}d ./assertflags.py -O0  CFLAGS PY_BUILTIN_MODULE_CFLAGS PY_CFLAGS PY_CORE_CFLAGS PY_CFLAGS_NODIST PY_STDMODULE_CFLAGS"
-    - name: freethreadingflags
-      path: /flags
-      test: "python${pybasever}t ./assertflags.py -O3 CFLAGS PY_BUILTIN_MODULE_CFLAGS PY_CFLAGS PY_CORE_CFLAGS PY_CFLAGS_NODIST PY_STDMODULE_CFLAGS"
-    - name: freethreadingdebugflags
-      path: /flags
-      test: "python${pybasever}td ./assertflags.py -O0 CFLAGS PY_BUILTIN_MODULE_CFLAGS PY_CFLAGS PY_CORE_CFLAGS PY_CFLAGS_NODIST PY_STDMODULE_CFLAGS"
-    - name: marshalparser
-      path: /marshalparser
-      test: "VERSION=${pybasever} SAMPLE=10 ./test_marshalparser_compatibility.sh"
-
-prepare:
-  - name: Install dependencies
-    how: install
-    package:
-    - 'https://dl.fedoraproject.org/pub/epel/epel-release-latest-10.noarch.rpm'
-    - gcc  # for extension building in venv and selftest
-    - gcc-c++ # for test_cppext
-    - gdb  # for test_gdb
-    - "python${pybasever}"  # the test subject
-    - "python${pybasever}-debug"  # for leak testing
-    - "python${pybasever}-devel"  # for extension building in venv and selftest
-    - "python${pybasever}-tkinter"  # for selftest
-    - "python${pybasever}-test"  # for selftest
-    - "python${pybasever}-freethreading"  # for -O... flag test
-    - "python${pybasever}-freethreading-debug"  # for -O... flag test
-    - "python${pybasever}-freethreading-tkinter"  # for freethreadingtest
-    - "python${pybasever}-freethreading-test"  # for freethreadingtest
-    - tox  # for venv tests
-    - virtualenv  # for virtualenv tests
-    - glibc-all-langpacks # for locale tests
-    - marshalparser  # for testing compatibility (magic numbers) with marshalparser
-    - rpm  # for debugging
-    - dnf  # for upgrade
-  - name: Update packages
-    how: shell
-    script: dnf upgrade -y
-  - name: rpm_qa
-    order: 100
-    how: shell
-    script: rpm -qa | sort | tee $TMT_PLAN_DATA/rpmqa.txt

rpminspect.yaml

@@ -1,37 +0,0 @@
-# exclude test XML data (not always valid) from XML validity check:
-xml:
-    ignore:
-        - '/usr/lib*/python*/test/xmltestdata/*'
-        - '/usr/lib*/python*/test/xmltestdata/*/*'
-
-# exclude _socket from ipv4 only functions check, it has both ipv4 and ipv6 only
-badfuncs:
-    allowed:
-        '/usr/lib*/python*/lib-dynload/_socket.*':
-            - inet_aton
-            - inet_ntoa
-
-# exclude the debug build from annocheck entirely
-annocheck:
-    ignore:
-        - '/usr/bin/python*d'
-        - '/usr/lib*/libpython*d.so.1.0'
-        - '/usr/lib*/python*/lib-dynload/*.cpython-*d-*-*-*.so'
-
-# don't report changed content of compiled files
-# that is expected with every toolchain update and not reproducible yet
-changedfiles:
-    # note that this is a posix regex, so no \d
-    exclude_path: (\.so(\.[0-9]+(\.[0-9]+)?)?$|^/usr/bin/python[0-9]+\.[0-9]+d?m?$)
-
-# files change size all the time, we don't need to VERIFY it
-# however, the INFO is useful, so we don't disable the check entirely
-filesize:
-    # artificially large number, TODO a better way
-    size_threshold: 100000
-
-
-# completely disabled inspections:
-inspections:
-    # we know about our patches, no need to report anything
-    patches: off

rpmlint.toml

@@ -1,106 +0,0 @@
-Filters = [
-
-    # KNOWN BUGS:
-    # https://bugzilla.redhat.com/show_bug.cgi?id=1489816
-    'crypto-policy-non-compliance-openssl',
-
-
-    # TESTS:
-    '(zero-length|pem-certificate|uncompressed-zip) /usr/lib(64)?/python3\.\d+t?/test',
-
-
-    # OTHER DELIBERATES:
-    # chroot function
-    'missing-call-to-chdir-with-chroot',
-
-    # gethostbyname function calls gethostbyname
-    '(E|W): binary-or-shlib-calls-gethostbyname /usr/lib(64)?/python3\.\d+t?/lib-dynload/_socket\.',
-
-    # intentionally unversioned and selfobsoleted
-    'unversioned-explicit-obsoletes python',
-    'unversioned Obsoletes: Obsoletes: python3\.\d+$',
-    'self-obsoletion python3\.\d+(-\S+)? obsoletes python3\.\d+(-\S+)?',
-
-    # intentionally hardcoded
-    'hardcoded-library-path in %{_prefix}/lib/(debug/%{_libdir}|python%{pybasever})',
-
-    # we have non binary stuff, python files
-    'only-non-binary-in-usr-lib',
-
-    # some devel files that are deliberately needed
-    'devel-file-in-non-devel-package /usr/include/python3\.\d+m?t?/pyconfig-(32|64)\.h',
-    'devel-file-in-non-devel-package /usr/lib(64)?/python3\.\d+t?/distutils/tests/xxmodule\.c',
-    # ...or are used as test data
-    'devel-file-in-non-devel-package /usr/lib(64)?/python3\.\d+t?/test',
-
-    # some bytecode is shipped without sources on purpose, as a space optimization
-    # if this regex needs to be relaxed in the future, make sure it **does not** match pyc files in __pycache__
-    'python-bytecode-without-source /usr/lib(64)?/python3\.\d+t?/(encodings|pydoc_data)/[^/]+.pyc',
-
-    # DUPLICATE FILES
-    # test data are often duplicated
-    '(E|W): files-duplicate /usr/lib(64)?/python3\.\d+t?/(test|__phello__)/',
-    # duplicated inits or mains are also common
-    '(E|W): files-duplicate .+__init__\.py.+__init__\.py',
-    '(E|W): files-duplicate .+__main__\.py.+__main__\.py',
-    # files in the debugsource package
-    '(E|W): files-duplicate /usr/src/debug',
-    # general waste report
-    '(E|W): files-duplicated-waste',
-
-    # SORRY, NOT SORRY:
-    # manual pages
-    'no-manual-page-for-binary (idle|pydoc|pyvenv|2to3|python3?-debug|pathfix|msgfmt|pygettext)',
-    'no-manual-page-for-binary python3?.*-config$',
-    'no-manual-page-for-binary python3\.\d+t?dm?$',
-
-    # missing documentation from subpackages
-    '^python3(\.\d+)?-(freethreading(-debug)?|debug|tkinter|test|idle)\.[^:]+: (E|W): no-documentation',
-
-    # platform python is obsoleted, but not provided
-    'obsolete-not-provided platform-python',
-
-    # we have extra tokens at the end of %endif/%else directives, we consider them useful
-    'extra tokens at the end of %(endif|else) directive',
-
-
-    # RPMLINT IMPERFECTIONS
-    # https://github.com/rpm-software-management/rpmlint/issues/780
-    '/usr/lib/debug',
-
-    # we provide python(abi) manually to be sure. createrepo will merge this with the automatic
-    'python3(\.\d+)?\.[^:-]+: (E|W): useless-provides python\(abi\)',
-
-    # debugsource and debuginfo have no docs
-    '^python3(\.\d+)?-debug(source|info)\.[^:]+: (E|W): no-documentation',
-
-    # this is OK for F28+
-    'library-without-ldconfig-post',
-
-    # freethreading/debug package contains devel and non-devel files
-    'python3(\.\d+)?-(freethreading(-debug)?|debug)\.[^:]+: (E|W): (non-)?devel-file-in-(non-)?devel-package',
-
-    # this goes to other subpackage, hence not actually dangling
-    'dangling-relative-symlink /usr/bin/python python3',
-    'dangling-relative-symlink /usr/share/man/man1/python\.1\.gz python3\.1\.gz',
-    'dangling-relative-symlink /usr/lib(64)?/pkgconfig/python-3\.\d+t?d?m?(-embed)?\.pc python-3\.\d+t?(-embed)?\.pc',
-
-    # the python-unversioned-command package contains dangling symlinks by design
-    '^python-unversioned-command\.[^:]+: (E|W): dangling-relative-symlink (/usr/bin/python \./python3|/usr/share/man/man1/python\.1\S* ./python3\.1\S*)$',
-
-    # we need this macro to evaluate, even if the line starts with #
-    'macro-in-comment %\{_pyconfig(32|64)_h\}',
-
-    # Python modules don't need to be linked against libc
-    # Since 3.8 they are no longer linked against libpython3.8.so.1.0
-    '(E|W): library-not-linked-against-libc /usr/lib(64)?/python3\.\d+/lib-dynload/',
-    '(E|W): shared-lib(rary)?-without-dependency-information /usr/lib(64)?/python3\.\d+/lib-dynload/',
-
-    # specfile-errors are listed twice, once with reason and once without
-    # we filter out the empty ones
-    '\bpython3(\.\d+)?\.(src|spec): (E|W): specfile-error\s+$',
-
-    # SPELLING ERRORS
-    'spelling-error .* en_US (bytecode|pyc|filename|tkinter|namespaces|pytest|unittest|gil) ',
-
-]

sources

@@ -1 +0,0 @@
-SHA512 (Python-3.14.3.tar.xz) = 9fd875f7a1d96d64e7150913ef38b72b0aeecfcbc24ba46967e57b6495146b0cba6b940c273561fc4d656b6d0ce2e23ffb7bd32bcd0b61fd59a6d90585998c07