.gitignore

@@ -1 +1,3 @@
-SOURCES/Python-3.9.23.tar.xz
+/*.tar.*
+/*.src.rpm
+/results_python3*

.python3.9.metadata

@@ -1 +0,0 @@
-73d07237b70b19e4cd530bbc204cccd668ec05d4 SOURCES/Python-3.9.23.tar.xz

00189-use-rpm-wheels.patch

@@ -12,7 +12,7 @@ We might eventually pursuit upstream support, but it's low prio
  1 file changed, 26 insertions(+), 11 deletions(-)
 
 diff --git a/Lib/ensurepip/__init__.py b/Lib/ensurepip/__init__.py
-index e510cc7..5bd16a6 100644
+index d61bb089e3..77d7ec5a65 100644
 --- a/Lib/ensurepip/__init__.py
 +++ b/Lib/ensurepip/__init__.py
 @@ -1,3 +1,5 @@
@@ -30,7 +30,7 @@ index e510cc7..5bd16a6 100644
  
  
  __all__ = ["version", "bootstrap"]
--_SETUPTOOLS_VERSION = "58.1.0"
+-_SETUPTOOLS_VERSION = "79.0.1"
 -_PIP_VERSION = "23.0.1"
 +
 +_WHEEL_DIR = "/usr/share/python-wheels/"

00397-tarfile-filter.patch

@@ -1,8 +1,8 @@
-From 8b70605b594b3831331a9340ba764ff751871612 Mon Sep 17 00:00:00 2001
+From fc3e5ff91495aaf9905bd38ac61db0c3279d17e0 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin <encukou@gmail.com>
-Date: Mon, 6 Mar 2023 17:24:24 +0100
-Subject: [PATCH 2/2] CVE-2007-4559, PEP-706: Add filters for tarfile
- extraction (downstream)
+Date: Fri, 21 Nov 2025 14:30:02 +0100
+Subject: [PATCH] CVE-2007-4559, PEP-706: Add filters for tarfile extraction
+ (downstream)
 
 Add and test RHEL-specific ways of configuring the default behavior: environment
 variable and config file.
@@ -13,7 +13,7 @@ variable and config file.
  3 files changed, 169 insertions(+), 4 deletions(-)
 
 diff --git a/Lib/tarfile.py b/Lib/tarfile.py
-index b6ad7dbe2a4..dc7050b2c63 100755
+index 209c206..fa3f922 100755
 --- a/Lib/tarfile.py
 +++ b/Lib/tarfile.py
 @@ -72,6 +72,13 @@ __all__ = ["TarFile", "TarInfo", "is_tarfile", "TarError", "ReadError",
@@ -30,7 +30,7 @@ index b6ad7dbe2a4..dc7050b2c63 100755
  
  #---------------------------------------------------------
  # tar constants
-@@ -2197,6 +2204,41 @@ class TarFile(object):
+@@ -2253,6 +2260,41 @@ class TarFile(object):
          if filter is None:
              filter = self.extraction_filter
              if filter is None:
@@ -73,7 +73,7 @@ index b6ad7dbe2a4..dc7050b2c63 100755
              if isinstance(filter, str):
                  raise TypeError(
 diff --git a/Lib/test/test_shutil.py b/Lib/test/test_shutil.py
-index 9041e7aa368..1eb1116cc10 100644
+index 9041e7a..1eb1116 100644
 --- a/Lib/test/test_shutil.py
 +++ b/Lib/test/test_shutil.py
 @@ -1613,7 +1613,8 @@ class TestArchives(BaseTest, unittest.TestCase):
@@ -87,10 +87,10 @@ index 9041e7aa368..1eb1116cc10 100644
  
      def test_unpack_archive_tar(self):
 diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
-index a66f7efd2d6..6fd3c384b5c 100644
+index 17d2239..8b9aea2 100644
 --- a/Lib/test/test_tarfile.py
 +++ b/Lib/test/test_tarfile.py
-@@ -2,7 +2,7 @@ import sys
+@@ -3,7 +3,7 @@ import sys
  import os
  import io
  from hashlib import sha256
@@ -99,7 +99,7 @@ index a66f7efd2d6..6fd3c384b5c 100644
  from random import Random
  import pathlib
  import shutil
-@@ -2929,7 +2929,11 @@ class NoneInfoExtractTests(ReadTest):
+@@ -2999,7 +2999,11 @@ class NoneInfoExtractTests(ReadTest):
          tar = tarfile.open(tarname, mode='r', encoding="iso8859-1")
          cls.control_dir = pathlib.Path(TEMPDIR) / "extractall_ctrl"
          tar.errorlevel = 0
@@ -112,7 +112,7 @@ index a66f7efd2d6..6fd3c384b5c 100644
          tar.close()
          cls.control_paths = set(
              p.relative_to(cls.control_dir)
-@@ -3592,7 +3596,8 @@ class TestExtractionFilters(unittest.TestCase):
+@@ -4065,7 +4069,8 @@ class TestExtractionFilters(unittest.TestCase):
          """Ensure the default filter does not warn (like in 3.12)"""
          with ArchiveMaker() as arc:
              arc.add('foo')
@@ -122,8 +122,8 @@ index a66f7efd2d6..6fd3c384b5c 100644
              with self.check_context(arc.open(), None):
                  self.expect_file('foo')
  
-@@ -3762,6 +3767,123 @@ class TestExtractionFilters(unittest.TestCase):
-             self.expect_exception(TypeError)  # errorlevel is not int
+@@ -4390,6 +4395,123 @@ class OffsetValidationTests(unittest.TestCase):
+             self.assertEqual(members[0].offset, expected_offset)
  
  
 +    @contextmanager
@@ -247,5 +247,5 @@ index a66f7efd2d6..6fd3c384b5c 100644
      support.unlink(TEMPDIR)
      os.makedirs(TEMPDIR)
 -- 
-2.40.1
+2.51.1
 

SOURCES/00467-CVE-2025-8194.patch

@@ -1,215 +0,0 @@
-From eda136637fc7f056b403e1797a9b0403d6914d9e Mon Sep 17 00:00:00 2001
-From: Alexander Urieles <aeurielesn@users.noreply.github.com>
-Date: Tue, 19 Aug 2025 12:18:15 +0200
-Subject: [PATCH] gh-130577: tarfile now validates archives to ensure member 
- offsets are non-negative (GH-137027)
-
-Co-authored-by: Gregory P. Smith <greg@krypto.org>
-(cherry picked from commit 7040aa54f14676938970e10c5f74ea93cd56aa38)
----
- Lib/tarfile.py                                |   3 +
- Lib/test/test_tarfile.py                      | 156 ++++++++++++++++++
- ...-07-23-00-35-29.gh-issue-130577.c7EITy.rst |   3 +
- 3 files changed, 162 insertions(+)
- create mode 100644 Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
-
-diff --git a/Lib/tarfile.py b/Lib/tarfile.py
-index 21ffd83..fa3f922 100755
---- a/Lib/tarfile.py
-+++ b/Lib/tarfile.py
-@@ -1609,6 +1609,9 @@ class TarInfo(object):
-         """Round up a byte count by BLOCKSIZE and return it,
-            e.g. _block(834) => 1024.
-         """
-+        # Only non-negative offsets are allowed
-+        if count < 0:
-+            raise InvalidHeaderError("invalid offset")
-         blocks, remainder = divmod(count, BLOCKSIZE)
-         if remainder:
-             blocks += 1
-diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
-index 29f65d0..0bba25a 100644
---- a/Lib/test/test_tarfile.py
-+++ b/Lib/test/test_tarfile.py
-@@ -48,6 +48,7 @@ bz2name = os.path.join(TEMPDIR, "testtar.tar.bz2")
- xzname = os.path.join(TEMPDIR, "testtar.tar.xz")
- tmpname = os.path.join(TEMPDIR, "tmp.tar")
- dotlessname = os.path.join(TEMPDIR, "testtar")
-+SPACE = b" "
- 
- sha256_regtype = (
-     "e09e4bc8b3c9d9177e77256353b36c159f5f040531bbd4b024a8f9b9196c71ce"
-@@ -4356,6 +4357,161 @@ class TestExtractionFilters(unittest.TestCase):
-                 self.check_trusted_default(tar, tempdir)
- 
- 
-+class OffsetValidationTests(unittest.TestCase):
-+    tarname = tmpname
-+    invalid_posix_header = (
-+        # name: 100 bytes
-+        tarfile.NUL * tarfile.LENGTH_NAME
-+        # mode, space, null terminator: 8 bytes
-+        + b"000755" + SPACE + tarfile.NUL
-+        # uid, space, null terminator: 8 bytes
-+        + b"000001" + SPACE + tarfile.NUL
-+        # gid, space, null terminator: 8 bytes
-+        + b"000001" + SPACE + tarfile.NUL
-+        # size, space: 12 bytes
-+        + b"\xff" * 11 + SPACE
-+        # mtime, space: 12 bytes
-+        + tarfile.NUL * 11 + SPACE
-+        # chksum: 8 bytes
-+        + b"0011407" + tarfile.NUL
-+        # type: 1 byte
-+        + tarfile.REGTYPE
-+        # linkname: 100 bytes
-+        + tarfile.NUL * tarfile.LENGTH_LINK
-+        # magic: 6 bytes, version: 2 bytes
-+        + tarfile.POSIX_MAGIC
-+        # uname: 32 bytes
-+        + tarfile.NUL * 32
-+        # gname: 32 bytes
-+        + tarfile.NUL * 32
-+        # devmajor, space, null terminator: 8 bytes
-+        + tarfile.NUL * 6 + SPACE + tarfile.NUL
-+        # devminor, space, null terminator: 8 bytes
-+        + tarfile.NUL * 6 + SPACE + tarfile.NUL
-+        # prefix: 155 bytes
-+        + tarfile.NUL * tarfile.LENGTH_PREFIX
-+        # padding: 12 bytes
-+        + tarfile.NUL * 12
-+    )
-+    invalid_gnu_header = (
-+        # name: 100 bytes
-+        tarfile.NUL * tarfile.LENGTH_NAME
-+        # mode, null terminator: 8 bytes
-+        + b"0000755" + tarfile.NUL
-+        # uid, null terminator: 8 bytes
-+        + b"0000001" + tarfile.NUL
-+        # gid, space, null terminator: 8 bytes
-+        + b"0000001" + tarfile.NUL
-+        # size, space: 12 bytes
-+        + b"\xff" * 11 + SPACE
-+        # mtime, space: 12 bytes
-+        + tarfile.NUL * 11 + SPACE
-+        # chksum: 8 bytes
-+        + b"0011327" + tarfile.NUL
-+        # type: 1 byte
-+        + tarfile.REGTYPE
-+        # linkname: 100 bytes
-+        + tarfile.NUL * tarfile.LENGTH_LINK
-+        # magic: 8 bytes
-+        + tarfile.GNU_MAGIC
-+        # uname: 32 bytes
-+        + tarfile.NUL * 32
-+        # gname: 32 bytes
-+        + tarfile.NUL * 32
-+        # devmajor, null terminator: 8 bytes
-+        + tarfile.NUL * 8
-+        # devminor, null terminator: 8 bytes
-+        + tarfile.NUL * 8
-+        # padding: 167 bytes
-+        + tarfile.NUL * 167
-+    )
-+    invalid_v7_header = (
-+        # name: 100 bytes
-+        tarfile.NUL * tarfile.LENGTH_NAME
-+        # mode, space, null terminator: 8 bytes
-+        + b"000755" + SPACE + tarfile.NUL
-+        # uid, space, null terminator: 8 bytes
-+        + b"000001" + SPACE + tarfile.NUL
-+        # gid, space, null terminator: 8 bytes
-+        + b"000001" + SPACE + tarfile.NUL
-+        # size, space: 12 bytes
-+        + b"\xff" * 11 + SPACE
-+        # mtime, space: 12 bytes
-+        + tarfile.NUL * 11 + SPACE
-+        # chksum: 8 bytes
-+        + b"0010070" + tarfile.NUL
-+        # type: 1 byte
-+        + tarfile.REGTYPE
-+        # linkname: 100 bytes
-+        + tarfile.NUL * tarfile.LENGTH_LINK
-+        # padding: 255 bytes
-+        + tarfile.NUL * 255
-+    )
-+    valid_gnu_header = tarfile.TarInfo("filename").tobuf(tarfile.GNU_FORMAT)
-+    data_block = b"\xff" * tarfile.BLOCKSIZE
-+
-+    def _write_buffer(self, buffer):
-+        with open(self.tarname, "wb") as f:
-+            f.write(buffer)
-+
-+    def _get_members(self, ignore_zeros=None):
-+        with open(self.tarname, "rb") as f:
-+            with tarfile.open(
-+                mode="r", fileobj=f, ignore_zeros=ignore_zeros
-+            ) as tar:
-+                return tar.getmembers()
-+
-+    def _assert_raises_read_error_exception(self):
-+        with self.assertRaisesRegex(
-+            tarfile.ReadError, "file could not be opened successfully"
-+        ):
-+            self._get_members()
-+
-+    def test_invalid_offset_header_validations(self):
-+        for tar_format, invalid_header in (
-+            ("posix", self.invalid_posix_header),
-+            ("gnu", self.invalid_gnu_header),
-+            ("v7", self.invalid_v7_header),
-+        ):
-+            with self.subTest(format=tar_format):
-+                self._write_buffer(invalid_header)
-+                self._assert_raises_read_error_exception()
-+
-+    def test_early_stop_at_invalid_offset_header(self):
-+        buffer = self.valid_gnu_header + self.invalid_gnu_header + self.valid_gnu_header
-+        self._write_buffer(buffer)
-+        members = self._get_members()
-+        self.assertEqual(len(members), 1)
-+        self.assertEqual(members[0].name, "filename")
-+        self.assertEqual(members[0].offset, 0)
-+
-+    def test_ignore_invalid_archive(self):
-+        # 3 invalid headers with their respective data
-+        buffer = (self.invalid_gnu_header + self.data_block) * 3
-+        self._write_buffer(buffer)
-+        members = self._get_members(ignore_zeros=True)
-+        self.assertEqual(len(members), 0)
-+
-+    def test_ignore_invalid_offset_headers(self):
-+        for first_block, second_block, expected_offset in (
-+            (
-+                (self.valid_gnu_header),
-+                (self.invalid_gnu_header + self.data_block),
-+                0,
-+            ),
-+            (
-+                (self.invalid_gnu_header + self.data_block),
-+                (self.valid_gnu_header),
-+                1024,
-+            ),
-+        ):
-+            self._write_buffer(first_block + second_block)
-+            members = self._get_members(ignore_zeros=True)
-+            self.assertEqual(len(members), 1)
-+            self.assertEqual(members[0].name, "filename")
-+            self.assertEqual(members[0].offset, expected_offset)
-+
-+
- def setUpModule():
-     support.unlink(TEMPDIR)
-     os.makedirs(TEMPDIR)
-diff --git a/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst b/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
-new file mode 100644
-index 0000000..342cabb
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2025-07-23-00-35-29.gh-issue-130577.c7EITy.rst
-@@ -0,0 +1,3 @@
-+:mod:`tarfile` now validates archives to ensure member offsets are
-+non-negative.  (Contributed by Alexander Enrique Urieles Nieto in
-+:gh:`130577`.)
--- 
-2.50.1
-

SOURCES/Python-3.9.23.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmg/SAkACgkQsmmV4xAl
-BWjuNA/+Ogt83qY+v8J1o1+YRcJo8w3FUhuOgCALHOd1Q562xldiVyH3Y9uo7sla
-j15qz8dFzHPrJddeA993oONnyiXKvsvo8oQ1P41b5BgpifNepCTFVRq/eJA/ZJVV
-Dj1g7XwsFo4tbtu9uG51msGaqNFO9OZkwtZG8ucb0njxoA0sO3kIZhbVVG8g2OKM
-JLw8dxVmZaQzjCQGBqTMf5cnCwP1TFaaVaJjm1+tVga45G+TIFInwR7kowwPyoWD
-7IuZwXu3syPWJP+cMjOxcykMA3HLUBhAV6o9pMvM3JWNdmrwUJRwt41LxY4Q8ZVa
-QubnCB9B/uED+PakumiyH2P+gNhAOwzrq7iC8XvxW+/bsJAObTj4cj1WGY7ot+cE
-kE7pNoe8NwLiCwt3ENO2QieiHFQvYL9Y+ukQwB2xl+ywsyEwa6RLOvSA5GQs+5r4
-Pv/BgE9nDIzLYVnUMtHic75pmI773pUiHuNXOqdMw4kb61GY5fG+kzVY1HEM1Y8p
-krMaEeOEbBNww3Ce0TCzuS/1EhsOB8cB1w9IjtZrtJYCxiVvtdZS8S6F0Y8eJGV2
-xPPcADFv6QKogPrrkbWkwIkT+TKn9s22Dkkr0zdTZ4sTMkGAm08B0kqxbsteI+fJ
-I39hHo92mP6W8PuhFJiBkF4ebm61kMwg0mElcueOZiqwW2zRey0=
-=Lgxm
------END PGP SIGNATURE-----

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

python3.9.rpmlintrc

@@ -0,0 +1,90 @@
+# KNOWN BUGS:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1489816
+addFilter(r'crypto-policy-non-compliance-openssl')
+
+
+# TESTS:
+addFilter(r'(zero-length|pem-certificate|uncompressed-zip) /usr/lib(64)?/python3\.\d+/test')
+
+
+# OTHER DELIBERATES:
+# chroot function
+addFilter(r'missing-call-to-chdir-with-chroot')
+
+# intentionally unversioned and selfobsoleted
+addFilter(r'unversioned-explicit-obsoletes python')
+addFilter(r'self-obsoletion python3\.\d+ obsoletes python3\.\d+')
+
+# intentionally hardcoded
+addFilter(r'hardcoded-library-path in %{_prefix}/lib/(debug/%{_libdir}|python%{pybasever})')
+
+# intentional for our pythonXY package
+addFilter(r'python3\.\d+\.[^:]+: (E|W): devel-file-in-non-devel-package')
+
+# we have non binary stuff, python files
+addFilter(r'only-non-binary-in-usr-lib')
+
+# some devel files that are deliberately needed
+addFilter(r'devel-file-in-non-devel-package /usr/include/python3\.\d+m?/pyconfig-(32|64)\.h')
+addFilter(r'devel-file-in-non-devel-package /usr/lib(64)?/python3\.\d+/distutils/tests/xxmodule\.c')
+
+# some bytecode is shipped without sources on purpose, as a space optimization
+# if this regex needs to be relaxed in the future, make sure it **does not** match pyc files in __pycache__
+addFilter(r'python-bytecode-without-source /usr/lib(64)?/python3\.\d+/(encodings|pydoc_data)/[^/]+.pyc')
+
+# SORRY, NOT SORRY:
+# manual pages
+addFilter(r'no-manual-page-for-binary (idle|pydoc|pyvenv|2to3|python3?-debug|pathfix|msgfmt|pygettext)')
+addFilter(r'no-manual-page-for-binary python3?.*-config$')
+addFilter(r'no-manual-page-for-binary python3\.\d+dm?$')
+
+# missing documentation from subpackages
+addFilter(r'^python3(\.\d+)?-(debug|tkinter|test|idle)\.[^:]+: (E|W): no-documentation')
+
+# platform python is obsoleted, but not provided
+addFilter(r'obsolete-not-provided platform-python')
+
+
+# RPMLINT IMPERFECTIONS
+# https://github.com/rpm-software-management/rpmlint/issues/123
+addFilter(r'python-bytecode-wrong-magic-value .* expected 33\d\d \(3\.7\), found 3393')
+# https://github.com/rpm-software-management/rpmlint/pull/133
+addFilter(r'python-bytecode-wrong-magic-value .* expected 33\d\d \(3\.7\), found 3394')
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=1550562
+# https://github.com/rpm-software-management/rpmlint/issues/128
+addFilter(r'python-bytecode-inconsistent-mtime .* 1970')
+
+# we provide python(abi) manually to be sure. createrepo will merge this with the automatic
+addFilter(r'python3(\.\d+)?\.[^:-]+: (E|W): useless-provides python\(abi\)')
+
+# debugsource
+addFilter(r'^python3(\.\d+)?-debugsource\.[^:]+: (E|W): no-documentation')
+
+# debuginfo
+addFilter(r'^python3(\.\d+)?-debuginfo\.[^:]+: (E|W): useless-provides debuginfo\(build-id\)')
+
+# this is OK for F28+
+addFilter(r'library-without-ldconfig-post')
+
+# debug package contains devel and non-devel files
+addFilter(r'python3(\.\d+)?-debug\.[^:]+: (E|W): (non-)?devel-file-in-(non-)?devel-package')
+
+# this goes to other subpackage, hence not actually dangling, the read error is bogus
+addFilter(r'dangling-relative-symlink /usr/lib(64)?/pkgconfig/python-3\.\d+dm?(-embed)?\.pc python-3\.\d+(-embed)?\.pc')
+addFilter(r'read-error /usr/lib(64)?/pkgconfig/python-3\.\d+dm?(-embed)?\.pc \[Errno 2\]')
+
+# the python-unversioned-command package contains dangling symlinks by design
+addFilter(r'^python-unversioned-command\.[^:]+: (E|W): dangling-relative-symlink '
+          r'(/usr/bin/python \./python3|/usr/share/man/man1/python\.1\S* ./python3\.1\S*)$')
+
+# we need this macro to evaluate, even if the line starts with #
+addFilter(r'macro-in-comment %\{_pyconfig(32|64)_h\}')
+
+# Python modules don't need to be linked against libc
+# Since 3.8 they are no longer linked against libpython3.8.so.1.0
+addFilter(r'E: library-not-linked-against-libc /usr/lib(64)?/python3\.\d+/lib-dynload/')
+addFilter(r'E: shared-lib-without-dependency-information /usr/lib(64)?/python3\.\d+/lib-dynload/')
+
+# SPELLING ERRORS
+addFilter(r'spelling-error .* en_US (bytecode|pyc|filename|tkinter|namespaces|pytest) ')

python3.9.spec

@@ -13,7 +13,7 @@ URL: https://www.python.org/
 
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
-%global general_version %{pybasever}.23
+%global general_version %{pybasever}.25
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
@@ -321,7 +321,7 @@ Patch1: 00001-rpath.patch
 # See https://bugzilla.redhat.com/show_bug.cgi?id=556092
 Patch111: 00111-no-static-lib.patch
 
-# 00189 # d06cf137c00fd3907b436fdb92a8f007a7f2fb50
+# 00189 # 0c6dd5d318a22bbe89e09e1cd5513eaaca549aa5
 # Instead of bundled wheels, use our RPM packaged wheels
 #
 # We keep them in /usr/share/python-wheels
@@ -334,7 +334,7 @@ Patch189: 00189-use-rpm-wheels.patch
 # When the bundled setuptools/pip wheel is updated, the patch no longer applies cleanly.
 # In such cases, the patch needs to be amended and the versions updated here:
 %global pip_version 23.0.1
-%global setuptools_version 58.1.0
+%global setuptools_version 79.0.1
 
 # 00251 # 1b1047c14ff98eae6d355b4aac4df3e388813f62
 # Change user install location
@@ -438,14 +438,6 @@ Patch415: 00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-par
 # CVE-2023-52425. Future versions of Expat may be more reactive.
 Patch422: 00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch
 
-# 00467 #
-# CVE-2025-8194
-#
-# tarfile now validates archives to ensure member offsets are non-negative.
-#
-# Upstream issue: https://github.com/python/cpython/issues/130577
-Patch467: 00467-CVE-2025-8194.patch
-
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -1502,6 +1494,10 @@ CheckPython optimized
 %dir %{pylibdir}/site-packages/
 %dir %{pylibdir}/site-packages/__pycache__/
 %{pylibdir}/site-packages/README.txt
+
+%exclude %{pylibdir}/_sysconfigdata_d_linux_%{platform_triplet}.py
+%exclude %{pylibdir}/__pycache__/_sysconfigdata_d_linux_%{platform_triplet}%{bytecode_suffixes}
+
 %{pylibdir}/*.py
 %dir %{pylibdir}/__pycache__/
 %{pylibdir}/__pycache__/*%{bytecode_suffixes}
@@ -1827,6 +1823,9 @@ CheckPython optimized
 %{dynload_dir}/_testinternalcapi.%{SOABI_debug}.so
 %{dynload_dir}/_testmultiphase.%{SOABI_debug}.so
 
+%{pylibdir}/_sysconfigdata_d_linux_%{platform_triplet}.py
+%{pylibdir}/__pycache__/_sysconfigdata_d_linux_%{platform_triplet}%{bytecode_suffixes}
+
 %endif # with debug_build
 
 # We put the debug-gdb.py file inside /usr/lib/debug to avoid noise from ldconfig
@@ -1850,6 +1849,15 @@ CheckPython optimized
 # ======================================================
 
 %changelog
+* Mon Nov 10 2025 Tomas Orsava <torsava@redhat.com> - 3.9.25-2
+- Move _sysconfigdata_d_linux*.py to the debug subpackage
+
+* Mon Nov 03 2025 Karolina Surma <ksurma@redhat.com> - 3.9.25-1
+- Update to Python 3.9.25
+
+* Fri Oct 10 2025 Karolina Surma <ksurma@redhat.com> - 3.9.24-1
+- Update to Python 3.9.24
+
 * Tue Aug 19 2025 Lumír Balhar <lbalhar@redhat.com> - 3.9.23-2
 - Security fix for CVE-2025-8194
 Resolves: RHEL-106374

rpminspect.yaml

@@ -0,0 +1,32 @@
+# exclude test XML data (not always valid) from XML validity check:
+xml:
+    ignore:
+        - /usr/lib*/python*/test/xmltestdata/*
+        - /usr/lib*/python*/test/xmltestdata/*/*
+
+# exclude _socket from ipv4 only functions check, it has both ipv4 and ipv6 only
+badfuncs:
+    ignore:
+        - /usr/lib*/python*/lib-dynload/_socket.*
+
+# don't report changed content of compiled files
+# that is expected with every toolchain update and not reproducible yet
+changedfiles:
+    # note that this is a posix regex, so no \d
+    exclude_path: (\.so(\.[0-9]+(\.[0-9]+)?)?$|^/usr/bin/python[0-9]+\.[0-9]+d?m?$)
+
+# files change size all the time, we don't need to VERIFY it
+# however, the INFO is useful, so we don't disable the check entirely
+filesize:
+    # artificially large number, TODO a better way
+    size_threshold: 100000
+
+debuginfo:
+    ignore:
+        # libpython3.so doesn't contain compiled code
+        - /usr/lib/debug/usr/lib*/libpython3.so*debug
+
+# completely disabled inspections:
+inspections:
+    # we know about our patches, no need to report anything
+    patches: off

sources

@@ -0,0 +1,2 @@
+SHA512 (Python-3.9.25.tar.xz) = 33fd65952cc3ce5df83825aa32a103935815bdd5a016e5fd9896cafb068a3f89b3a6134458a2694e4f0f4f8a9fbe84739b53116264728b32cde0f03ab210cb19
+SHA512 (Python-3.9.25.tar.xz.asc) = 83f0a0e558aa89a106bdffeeb9b0fa2685fbd7be5c5954f9176c59c6c7023716207b07239f202b3508cbb98ca34572161955f0bfd3732fdb9265721cd6723dbe

tests/.fmf/version

@@ -0,0 +1 @@
+1

tests/provision.fmf

@@ -0,0 +1,4 @@
+---
+standard-inventory-qcow2:
+  qemu:
+    m: 3G  # Amount of VM memory

tests/tests.yml

@@ -0,0 +1,55 @@
+---
+- hosts: localhost
+  tags:
+    - classic
+  tasks:
+    - dnf:
+        name: "*"
+        state: latest
+
+- hosts: localhost
+  roles:
+  - role: standard-test-basic
+    tags:
+    - classic
+    repositories:
+    - repo: "https://gitlab.com/redhat/centos-stream/tests/python.git"
+      dest: "python"
+    tests:
+    - smoke:
+        dir: python/smoke
+        run: VERSION=3.9 ./venv.sh
+    - debugsmoke:
+        dir: python/smoke
+        run: PYTHON=python3-debug TOX=false VERSION=3.9 ./venv.sh
+    - selftest:
+        dir: python/selftest
+        run: VERSION=3.9 X="-x test_wsgiref" ./parallel.sh
+    - debugtest:
+        dir: python/selftest
+        run: VERSION=3.9 PYTHON=python3-debug X="-x test_wsgiref" ./parallel.sh
+    - optimizedflags_self:
+        dir: python/flags
+        run: python3 ./assertflags.py -O3 PY_BUILTIN_MODULE_CFLAGS PY_CFLAGS_NODIST PY_CORE_CFLAGS PY_STDMODULE_CFLAGS
+    - optimizedflags_3rd:
+        dir: python/flags
+        run: python3 ./assertflags.py -O2 CFLAGS PY_CFLAGS
+    - debugflags:
+        dir: python/flags
+        run: python3-debug ./assertflags.py -O0
+    - marshalparser:
+        dir: python/marshalparser
+        run: VERSION=3.9 SAMPLE=10 test_marshalparser_compatibility.sh
+    required_packages:
+    - 'https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm'
+    - 'https://dl.fedoraproject.org/pub/epel/epel-next-release-latest-9.noarch.rpm'
+    - gcc  # for extension building in venv and selftest
+    - gdb  # for test_gdb
+    - python3.9  # the test subject
+    - python3-debug  # for leak testing
+    - python3-devel  # for extension building in venv and selftest
+    - python3-tkinter  # for selftest
+    - python3-test  # for selftest
+    - python3-tox  # for venv tests
+    - glibc-all-langpacks # for locale tests
+    - marshalparser  # for testing compatibility (magic numbers) with marshalparser