.gitignore

@@ -1 +1,3 @@
-SOURCES/Python-3.9.21.tar.xz
+/*.tar.*
+/*.src.rpm
+/results_python3*

.python3.9.metadata

@@ -1 +0,0 @@
-d968a953f19c6fc3bf54b5ded5c06852197ebddc SOURCES/Python-3.9.21.tar.xz

00414-skip_test_zlib_s390x.patch

@@ -0,0 +1,88 @@
+From f253f1e7e8283b876d40af385d5729646f2c18b6 Mon Sep 17 00:00:00 2001
+From: Victor Stinner <vstinner@python.org>
+Date: Wed, 24 Jan 2024 18:14:14 +0100
+Subject: [PATCH] bpo-46623: Skip two test_zlib tests on s390x (GH-31096)
+
+Skip test_pair() and test_speech128() of test_zlib on s390x since
+they fail if zlib uses the s390x hardware accelerator.
+---
+ Lib/test/test_zlib.py                         | 32 +++++++++++++++++++
+ .../2022-02-03-09-45-26.bpo-46623.vxzuhV.rst  |  2 ++
+ 2 files changed, 34 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Tests/2022-02-03-09-45-26.bpo-46623.vxzuhV.rst
+
+diff --git a/Lib/test/test_zlib.py b/Lib/test/test_zlib.py
+index aa7943f..8945b10 100644
+--- a/Lib/test/test_zlib.py
++++ b/Lib/test/test_zlib.py
+@@ -2,6 +2,7 @@ import unittest
+ from test import support
+ import binascii
+ import copy
++import os
+ import pickle
+ import random
+ import sys
+@@ -16,6 +17,35 @@ requires_Decompress_copy = unittest.skipUnless(
+         hasattr(zlib.decompressobj(), "copy"),
+         'requires Decompress.copy()')
+ 
++# bpo-46623: On s390x, when a hardware accelerator is used, using different
++# ways to compress data with zlib can produce different compressed data.
++# Simplified test_pair() code:
++#
++#   def func1(data):
++#       return zlib.compress(data)
++#
++#   def func2(data)
++#       co = zlib.compressobj()
++#       x1 = co.compress(data)
++#       x2 = co.flush()
++#       return x1 + x2
++#
++# On s390x if zlib uses a hardware accelerator, func1() creates a single
++# "final" compressed block whereas func2() produces 3 compressed blocks (the
++# last one is a final block). On other platforms with no accelerator, func1()
++# and func2() produce the same compressed data made of a single (final)
++# compressed block.
++#
++# Only the compressed data is different, the decompression returns the original
++# data:
++#
++#   zlib.decompress(func1(data)) == zlib.decompress(func2(data)) == data
++#
++# Make the assumption that s390x always has an accelerator to simplify the skip
++# condition. Windows doesn't have os.uname() but it doesn't support s390x.
++skip_on_s390x = unittest.skipIf(hasattr(os, 'uname') and os.uname().machine == 's390x',
++                                 'skipped on s390x')
++
+ def _zlib_runtime_version_tuple(zlib_version=zlib.ZLIB_RUNTIME_VERSION):
+     # Register "1.2.3" as "1.2.3.0"
+     # or "1.2.0-linux","1.2.0.f","1.2.0.f-linux"
+@@ -187,6 +217,7 @@ class CompressTestCase(BaseCompressTestCase, unittest.TestCase):
+                                          bufsize=zlib.DEF_BUF_SIZE),
+                          HAMLET_SCENE)
+ 
++    @skip_on_s390x
+     def test_speech128(self):
+         # compress more data
+         data = HAMLET_SCENE * 128
+@@ -238,6 +269,7 @@ class CompressTestCase(BaseCompressTestCase, unittest.TestCase):
+ 
+ class CompressObjectTestCase(BaseCompressTestCase, unittest.TestCase):
+     # Test compression object
++    @skip_on_s390x
+     def test_pair(self):
+         # straightforward compress/decompress objects
+         datasrc = HAMLET_SCENE * 128
+diff --git a/Misc/NEWS.d/next/Tests/2022-02-03-09-45-26.bpo-46623.vxzuhV.rst b/Misc/NEWS.d/next/Tests/2022-02-03-09-45-26.bpo-46623.vxzuhV.rst
+new file mode 100644
+index 0000000..be085c0
+--- /dev/null
++++ b/Misc/NEWS.d/next/Tests/2022-02-03-09-45-26.bpo-46623.vxzuhV.rst
+@@ -0,0 +1,2 @@
++Skip test_pair() and test_speech128() of test_zlib on s390x since they fail
++if zlib uses the s390x hardware accelerator. Patch by Victor Stinner.
+-- 
+2.46.0
+

SOURCES/00450-cve-2025-0938-disallow-square-brackets-and-in-domain-names-for-parsed-urls.patch

@@ -1,119 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Seth Michael Larson <seth@python.org>
-Date: Fri, 31 Jan 2025 11:41:34 -0600
-Subject: [PATCH] 00450: CVE-2025-0938: Disallow square brackets ([ and ]) in
- domain names for parsed URLs
-
-Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
----
- Lib/test/test_urlparse.py                     | 37 ++++++++++++++++++-
- Lib/urllib/parse.py                           | 20 +++++++++-
- ...-01-28-14-08-03.gh-issue-105704.EnhHxu.rst |  4 ++
- 3 files changed, 58 insertions(+), 3 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst
-
-diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
-index 6f7d40c212..083d08b22e 100644
---- a/Lib/test/test_urlparse.py
-+++ b/Lib/test/test_urlparse.py
-@@ -1146,16 +1146,51 @@ class UrlParseTestCase(unittest.TestCase):
-         self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af::2309::fae7:1234]/Path?Query')
-         self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@[0439:23af:2309::fae7:1234:2342:438e:192.0.2.146]/Path?Query')
-         self.assertRaises(ValueError, urllib.parse.urlsplit, 'Scheme://user@]v6a.ip[/Path')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]/')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix/')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip]?')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip].suffix?')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]/')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix/')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]?')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix?')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:a')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:a')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:a1')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:a1')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:1a')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:1a')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[::1].suffix:/')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[::1]:?')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://user@prefix.[v6a.ip]')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://user@[v6a.ip].suffix')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://[v6a.ip')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip]')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://]v6a.ip[')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://]v6a.ip')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip[')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix.[v6a.ip')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip].suffix')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix]v6a.ip[suffix')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://prefix]v6a.ip')
-+        self.assertRaises(ValueError, urllib.parse.urlsplit, 'scheme://v6a.ip[suffix')
- 
-     def test_splitting_bracketed_hosts(self):
--        p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]/path?query')
-+        p1 = urllib.parse.urlsplit('scheme://user@[v6a.ip]:1234/path?query')
-         self.assertEqual(p1.hostname, 'v6a.ip')
-         self.assertEqual(p1.username, 'user')
-         self.assertEqual(p1.path, '/path')
-+        self.assertEqual(p1.port, 1234)
-         p2 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7%test]/path?query')
-         self.assertEqual(p2.hostname, '0439:23af:2309::fae7%test')
-         self.assertEqual(p2.username, 'user')
-         self.assertEqual(p2.path, '/path')
-+        self.assertIs(p2.port, None)
-         p3 = urllib.parse.urlsplit('scheme://user@[0439:23af:2309::fae7:1234:192.0.2.146%test]/path?query')
-         self.assertEqual(p3.hostname, '0439:23af:2309::fae7:1234:192.0.2.146%test')
-         self.assertEqual(p3.username, 'user')
-diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
-index 9d37dcaa90..fb8f7f1ea8 100644
---- a/Lib/urllib/parse.py
-+++ b/Lib/urllib/parse.py
-@@ -443,6 +443,23 @@ def _checknetloc(netloc):
-             raise ValueError("netloc '" + netloc + "' contains invalid " +
-                              "characters under NFKC normalization")
- 
-+def _check_bracketed_netloc(netloc):
-+    # Note that this function must mirror the splitting
-+    # done in NetlocResultMixins._hostinfo().
-+    hostname_and_port = netloc.rpartition('@')[2]
-+    before_bracket, have_open_br, bracketed = hostname_and_port.partition('[')
-+    if have_open_br:
-+        # No data is allowed before a bracket.
-+        if before_bracket:
-+            raise ValueError("Invalid IPv6 URL")
-+        hostname, _, port = bracketed.partition(']')
-+        # No data is allowed after the bracket but before the port delimiter.
-+        if port and not port.startswith(":"):
-+            raise ValueError("Invalid IPv6 URL")
-+    else:
-+        hostname, _, port = hostname_and_port.partition(':')
-+    _check_bracketed_host(hostname)
-+
- # Valid bracketed hosts are defined in
- # https://www.rfc-editor.org/rfc/rfc3986#page-49 and https://url.spec.whatwg.org/
- def _check_bracketed_host(hostname):
-@@ -506,8 +523,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
-                 (']' in netloc and '[' not in netloc)):
-             raise ValueError("Invalid IPv6 URL")
-         if '[' in netloc and ']' in netloc:
--            bracketed_host = netloc.partition('[')[2].partition(']')[0]
--            _check_bracketed_host(bracketed_host)
-+            _check_bracketed_netloc(netloc)
-     if allow_fragments and '#' in url:
-         url, fragment = url.split('#', 1)
-     if '?' in url:
-diff --git a/Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst b/Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst
-new file mode 100644
-index 0000000000..bff1bc6b0d
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2025-01-28-14-08-03.gh-issue-105704.EnhHxu.rst
-@@ -0,0 +1,4 @@
-+When using :func:`urllib.parse.urlsplit` and :func:`urllib.parse.urlparse` host
-+parsing would not reject domain names containing square brackets (``[`` and
-+``]``). Square brackets are only valid for IPv6 and IPvFuture hosts according to
-+`RFC 3986 Section 3.2.2 <https://www.rfc-editor.org/rfc/rfc3986#section-3.2.2>`__.

SOURCES/Python-3.9.21.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmdPScsACgkQsmmV4xAl
-BWgZtRAAiPehPRc94kRpNn4CuLw9hDFJmucXfG/Pjf9DdQkrmWAMvFS2kpigd9A0
-3QoDbgZPb8k9XtTrbpT4A0j/SYaqnLXOktXE7CEwM1vRTHbUDm62qxRSIa+RXO1d
-h/EqhF1Rpgl37I1GL3mAHew6KjIq3K/aNvJVTtKA+1xy8XpF5Dbk3feDeTucqYaM
-evtCu2SlwQXRvIbqFciMtRC2bmkNHgRVFpuxInjmp82ED0E6yZ/ecHXjb5Da7lDV
-8uRh9aEjMWY4LHTdl2tWaaerLqYZfvHSlz2xY8W5itSgOAzzJNn3dX8P6EKK5ab7
-IV85vqPX1oMcX0seZd3QlVdOxUPf1tKB7Eo7yHz3gV/KgWzFSAHSZFCwiqyfNfj8
-PibYYwtGG0+S7GJ7bZ2iCCgkqrFBoMQ8yOEDxE7Pt36JSXtZ2grtsFB8WAZqhCMa
-luIjiibGkOzzBRX/neW5RYT1HLNzi140G7XEZeRv3CXzuud66+ynLdOK7uFEr8jq
-W0t/fHbrqcSjyEo9L9VDP4Wd9VU/nwf6tb3Py6nPZKM93ZYqtlJNmzxmOyQOmn30
-bRGEQyzcYmEKMWg6zzO57In/WRytB4BgE7Dj7L876TbnJ8YoR8TVpuQ3sDKoSxwo
-gIdNR/6lcqP0HwDFtqBrcwSQ9Dew6wMz0Pp2EwX90EZLwnBvpeI=
-=taeu
------END PGP SIGNATURE-----

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

python3.9.rpmlintrc

@@ -0,0 +1,90 @@
+# KNOWN BUGS:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1489816
+addFilter(r'crypto-policy-non-compliance-openssl')
+
+
+# TESTS:
+addFilter(r'(zero-length|pem-certificate|uncompressed-zip) /usr/lib(64)?/python3\.\d+/test')
+
+
+# OTHER DELIBERATES:
+# chroot function
+addFilter(r'missing-call-to-chdir-with-chroot')
+
+# intentionally unversioned and selfobsoleted
+addFilter(r'unversioned-explicit-obsoletes python')
+addFilter(r'self-obsoletion python3\.\d+ obsoletes python3\.\d+')
+
+# intentionally hardcoded
+addFilter(r'hardcoded-library-path in %{_prefix}/lib/(debug/%{_libdir}|python%{pybasever})')
+
+# intentional for our pythonXY package
+addFilter(r'python3\.\d+\.[^:]+: (E|W): devel-file-in-non-devel-package')
+
+# we have non binary stuff, python files
+addFilter(r'only-non-binary-in-usr-lib')
+
+# some devel files that are deliberately needed
+addFilter(r'devel-file-in-non-devel-package /usr/include/python3\.\d+m?/pyconfig-(32|64)\.h')
+addFilter(r'devel-file-in-non-devel-package /usr/lib(64)?/python3\.\d+/distutils/tests/xxmodule\.c')
+
+# some bytecode is shipped without sources on purpose, as a space optimization
+# if this regex needs to be relaxed in the future, make sure it **does not** match pyc files in __pycache__
+addFilter(r'python-bytecode-without-source /usr/lib(64)?/python3\.\d+/(encodings|pydoc_data)/[^/]+.pyc')
+
+# SORRY, NOT SORRY:
+# manual pages
+addFilter(r'no-manual-page-for-binary (idle|pydoc|pyvenv|2to3|python3?-debug|pathfix|msgfmt|pygettext)')
+addFilter(r'no-manual-page-for-binary python3?.*-config$')
+addFilter(r'no-manual-page-for-binary python3\.\d+dm?$')
+
+# missing documentation from subpackages
+addFilter(r'^python3(\.\d+)?-(debug|tkinter|test|idle)\.[^:]+: (E|W): no-documentation')
+
+# platform python is obsoleted, but not provided
+addFilter(r'obsolete-not-provided platform-python')
+
+
+# RPMLINT IMPERFECTIONS
+# https://github.com/rpm-software-management/rpmlint/issues/123
+addFilter(r'python-bytecode-wrong-magic-value .* expected 33\d\d \(3\.7\), found 3393')
+# https://github.com/rpm-software-management/rpmlint/pull/133
+addFilter(r'python-bytecode-wrong-magic-value .* expected 33\d\d \(3\.7\), found 3394')
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=1550562
+# https://github.com/rpm-software-management/rpmlint/issues/128
+addFilter(r'python-bytecode-inconsistent-mtime .* 1970')
+
+# we provide python(abi) manually to be sure. createrepo will merge this with the automatic
+addFilter(r'python3(\.\d+)?\.[^:-]+: (E|W): useless-provides python\(abi\)')
+
+# debugsource
+addFilter(r'^python3(\.\d+)?-debugsource\.[^:]+: (E|W): no-documentation')
+
+# debuginfo
+addFilter(r'^python3(\.\d+)?-debuginfo\.[^:]+: (E|W): useless-provides debuginfo\(build-id\)')
+
+# this is OK for F28+
+addFilter(r'library-without-ldconfig-post')
+
+# debug package contains devel and non-devel files
+addFilter(r'python3(\.\d+)?-debug\.[^:]+: (E|W): (non-)?devel-file-in-(non-)?devel-package')
+
+# this goes to other subpackage, hence not actually dangling, the read error is bogus
+addFilter(r'dangling-relative-symlink /usr/lib(64)?/pkgconfig/python-3\.\d+dm?(-embed)?\.pc python-3\.\d+(-embed)?\.pc')
+addFilter(r'read-error /usr/lib(64)?/pkgconfig/python-3\.\d+dm?(-embed)?\.pc \[Errno 2\]')
+
+# the python-unversioned-command package contains dangling symlinks by design
+addFilter(r'^python-unversioned-command\.[^:]+: (E|W): dangling-relative-symlink '
+          r'(/usr/bin/python \./python3|/usr/share/man/man1/python\.1\S* ./python3\.1\S*)$')
+
+# we need this macro to evaluate, even if the line starts with #
+addFilter(r'macro-in-comment %\{_pyconfig(32|64)_h\}')
+
+# Python modules don't need to be linked against libc
+# Since 3.8 they are no longer linked against libpython3.8.so.1.0
+addFilter(r'E: library-not-linked-against-libc /usr/lib(64)?/python3\.\d+/lib-dynload/')
+addFilter(r'E: shared-lib-without-dependency-information /usr/lib(64)?/python3\.\d+/lib-dynload/')
+
+# SPELLING ERRORS
+addFilter(r'spelling-error .* en_US (bytecode|pyc|filename|tkinter|namespaces|pytest) ')

python3.9.spec

@@ -13,11 +13,11 @@ URL: https://www.python.org/
 
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
-%global general_version %{pybasever}.21
+%global general_version %{pybasever}.20
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 2%{?dist}
+Release: 1%{?dist}
 License: Python
 
 
@@ -416,6 +416,12 @@ Patch353: 00353-architecture-names-upstream-downstream.patch
 # - https://access.redhat.com/articles/7004769
 Patch397: 00397-tarfile-filter.patch
 
+# 00414 #
+#
+# Skip test_pair() and test_speech128() of test_zlib on s390x since
+# they fail if zlib uses the s390x hardware accelerator.
+Patch414: 00414-skip_test_zlib_s390x.patch
+
 # 00415 #
 # [CVE-2023-27043] gh-102988: Reject malformed addresses in email.parseaddr() (#111116)
 #
@@ -437,10 +443,6 @@ Patch415: 00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-par
 # CVE-2023-52425. Future versions of Expat may be more reactive.
 Patch422: 00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch
 
-# 00450 # 4ab8663661748eb994c09e4ae89f59eb84c5d3ea
-# CVE-2025-0938: Disallow square brackets ([ and ]) in domain names for parsed URLs
-Patch450: 00450-cve-2025-0938-disallow-square-brackets-and-in-domain-names-for-parsed-urls.patch
-
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -1845,16 +1847,6 @@ CheckPython optimized
 # ======================================================
 
 %changelog
-* Mon Feb 10 2025 Charalampos Stratakis <cstratak@redhat.com> - 3.9.21-2
-- Security fix for CVE-2025-0938
-Resolves: RHEL-77263
-
-* Wed Dec 04 2024 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.9.21-1
-- Update to 3.9.21
-- Security fix for CVE-2024-11168 and CVE-2024-9287
-Resolves: RHEL-64889
-Resolves: RHEL-69942
-
 * Mon Sep 09 2024 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.9.20-1
 - Update to 3.9.20
 Resolves: RHEL-57422

rpminspect.yaml

@@ -0,0 +1,32 @@
+# exclude test XML data (not always valid) from XML validity check:
+xml:
+    ignore:
+        - /usr/lib*/python*/test/xmltestdata/*
+        - /usr/lib*/python*/test/xmltestdata/*/*
+
+# exclude _socket from ipv4 only functions check, it has both ipv4 and ipv6 only
+badfuncs:
+    ignore:
+        - /usr/lib*/python*/lib-dynload/_socket.*
+
+# don't report changed content of compiled files
+# that is expected with every toolchain update and not reproducible yet
+changedfiles:
+    # note that this is a posix regex, so no \d
+    exclude_path: (\.so(\.[0-9]+(\.[0-9]+)?)?$|^/usr/bin/python[0-9]+\.[0-9]+d?m?$)
+
+# files change size all the time, we don't need to VERIFY it
+# however, the INFO is useful, so we don't disable the check entirely
+filesize:
+    # artificially large number, TODO a better way
+    size_threshold: 100000
+
+debuginfo:
+    ignore:
+        # libpython3.so doesn't contain compiled code
+        - /usr/lib/debug/usr/lib*/libpython3.so*debug
+
+# completely disabled inspections:
+inspections:
+    # we know about our patches, no need to report anything
+    patches: off

sources

@@ -0,0 +1,2 @@
+SHA512 (Python-3.9.20.tar.xz) = c828f33edf1704e3149499d6d34e89264cb5cdb2b09ff05561641b359716d7996f0fe928629e09f006b1fd7850fdaf937275919c7fdd83f5efc32707c64d814b
+SHA512 (Python-3.9.20.tar.xz.asc) = f21c012f4f642542479ba329da9654589e5a7f7305c39fb1b6f136b578316bdb115cef9773c9a9fe4e195677af01cb80af05780613cca83f42fae131862a9584

tests/.fmf/version

@@ -0,0 +1 @@
+1

tests/provision.fmf

@@ -0,0 +1,4 @@
+---
+standard-inventory-qcow2:
+  qemu:
+    m: 3G  # Amount of VM memory

tests/tests.yml

@@ -0,0 +1,55 @@
+---
+- hosts: localhost
+  tags:
+    - classic
+  tasks:
+    - dnf:
+        name: "*"
+        state: latest
+
+- hosts: localhost
+  roles:
+  - role: standard-test-basic
+    tags:
+    - classic
+    repositories:
+    - repo: "https://src.fedoraproject.org/tests/python.git"
+      dest: "python"
+    tests:
+    - smoke:
+        dir: python/smoke
+        run: VERSION=3.9 ./venv.sh
+    - debugsmoke:
+        dir: python/smoke
+        run: PYTHON=python3-debug TOX=false VERSION=3.9 ./venv.sh
+    - selftest:
+        dir: python/selftest
+        run: VERSION=3.9 X="-x test_wsgiref" ./parallel.sh
+    - debugtest:
+        dir: python/selftest
+        run: VERSION=3.9 PYTHON=python3-debug X="-x test_wsgiref" ./parallel.sh
+    - optimizedflags_self:
+        dir: python/flags
+        run: python3 ./assertflags.py -O3 PY_BUILTIN_MODULE_CFLAGS PY_CFLAGS_NODIST PY_CORE_CFLAGS PY_STDMODULE_CFLAGS
+    - optimizedflags_3rd:
+        dir: python/flags
+        run: python3 ./assertflags.py -O2 CFLAGS PY_CFLAGS
+    - debugflags:
+        dir: python/flags
+        run: python3-debug ./assertflags.py -O0
+    - marshalparser:
+        dir: python/marshalparser
+        run: VERSION=3.9 SAMPLE=10 test_marshalparser_compatibility.sh
+    required_packages:
+    - 'https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm'
+    - 'https://dl.fedoraproject.org/pub/epel/epel-next-release-latest-9.noarch.rpm'
+    - gcc  # for extension building in venv and selftest
+    - gdb  # for test_gdb
+    - python3.9  # the test subject
+    - python3-debug  # for leak testing
+    - python3-devel  # for extension building in venv and selftest
+    - python3-tkinter  # for selftest
+    - python3-test  # for selftest
+    - python3-tox  # for venv tests
+    - glibc-all-langpacks # for locale tests
+    - marshalparser  # for testing compatibility (magic numbers) with marshalparser