33 changed files with 19 additions and 460 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1 @@
-/*.tar.*
+SOURCES/Python-3.9.25.tar.xz
 /*.src.rpm
 /results_python3*
--- a/.python3.9.metadata
+++ b/.python3.9.metadata
@ -0,0 +1 @@
 36c7257ec30dca042679626d0dff79715acd4efb SOURCES/Python-3.9.25.tar.xz
--- a/00478-cve-2026-4519.patch
+++ b/00478-cve-2026-4519.patch
@ -1,123 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: tomcruiseqi <tom33qi@gmail.com>
 Date: Wed, 25 Mar 2026 02:23:45 +0800
 Subject: 00478: CVE-2026-4519
 Reject leading dashes in webbrowser URLs (GH-143931) (GH-146359)
 Cherry-picked from Python 3.10: ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5
 (cherry picked from commit 82a24a4442312bdcfc4c799885e8b3e00990f02b)
 Co-authored-by: Seth Michael Larson <seth@python.org>
 ---
 Lib/test/test_webbrowser.py                        |  5 +++++
 Lib/webbrowser.py                                  | 14 ++++++++++++++
 .../2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst |  1 +
 3 files changed, 20 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
 diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
 index 519a9432ab..f8e9234db8 100644
 --- a/Lib/test/test_webbrowser.py
 +++ b/Lib/test/test_webbrowser.py
@@ -55,6 +55,11 @@ class GenericBrowserCommandTest(CommandTestMixin, unittest.TestCase):
                    options=[],
                    arguments=[URL])
 +    def test_reject_dash_prefixes(self):
 +        browser = self.browser_class(name=CMD_NAME)
 +        with self.assertRaises(ValueError):
 +            browser.open(f"--key=val {URL}")
 +
 class BackgroundBrowserCommandTest(CommandTestMixin, unittest.TestCase):
 diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
 index 6023c1e138..f5349dbce5 100755
 --- a/Lib/webbrowser.py
 +++ b/Lib/webbrowser.py
@@ -154,6 +154,12 @@ class BaseBrowser(object):
     def open_new_tab(self, url):
         return self.open(url, 2)
 +    @staticmethod
 +    def _check_url(url):
 +        """Ensures that the URL is safe to pass to subprocesses as a parameter"""
 +        if url and url.lstrip().startswith("-"):
 +            raise ValueError(f"Invalid URL: {url}")
 +
 class GenericBrowser(BaseBrowser):
     """Class for all browsers started with a command
@@ -171,6 +177,7 @@ class GenericBrowser(BaseBrowser):
     def open(self, url, new=0, autoraise=True):
         sys.audit("webbrowser.open", url)
 +        self._check_url(url)
         cmdline = [self.name] + [arg.replace("%s", url)
                                  for arg in self.args]
         try:
@@ -191,6 +198,7 @@ class BackgroundBrowser(GenericBrowser):
         cmdline = [self.name] + [arg.replace("%s", url)
                                  for arg in self.args]
         sys.audit("webbrowser.open", url)
 +        self._check_url(url)
         try:
             if sys.platform[:3] == 'win':
                 p = subprocess.Popen(cmdline)
@@ -256,6 +264,7 @@ class UnixBrowser(BaseBrowser):
     def open(self, url, new=0, autoraise=True):
         sys.audit("webbrowser.open", url)
 +        self._check_url(url)
         if new == 0:
             action = self.remote_action
         elif new == 1:
@@ -357,6 +366,7 @@ class Konqueror(BaseBrowser):
     def open(self, url, new=0, autoraise=True):
         sys.audit("webbrowser.open", url)
 +        self._check_url(url)
         # XXX Currently I know no way to prevent KFM from opening a new win.
         if new == 2:
             action = "newTab"
@@ -441,6 +451,7 @@ class Grail(BaseBrowser):
     def open(self, url, new=0, autoraise=True):
         sys.audit("webbrowser.open", url)
 +        self._check_url(url)
         if new:
             ok = self._remote("LOADNEW " + url)
         else:
@@ -599,6 +610,7 @@ if sys.platform[:3] == "win":
     class WindowsDefault(BaseBrowser):
         def open(self, url, new=0, autoraise=True):
             sys.audit("webbrowser.open", url)
 +            self._check_url(url)
             try:
                 os.startfile(url)
             except OSError:
@@ -629,6 +641,7 @@ if sys.platform == 'darwin':
         def open(self, url, new=0, autoraise=True):
             sys.audit("webbrowser.open", url)
 +            self._check_url(url)
             assert "'" not in url
             # hack for local urls
             if not ':' in url:
@@ -666,6 +679,7 @@ if sys.platform == 'darwin':
             self._name = name
         def open(self, url, new=0, autoraise=True):
 +            self._check_url(url)
             if self._name == 'default':
                 script = 'open location "%s"' % url.replace('"', '%22') # opens in default browser
             else:
 diff --git a/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
 new file mode 100644
 index 0000000000..0f27eae99a
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Security/2026-01-16-12-04-49.gh-issue-143930.zYC5x3.rst
@@ -0,0 +1 @@
 +Reject leading dashes in URLs passed to :func:`webbrowser.open`
--- a/00480-cve-2026-4786.patch
+++ b/00480-cve-2026-4786.patch
@ -1,63 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Stan Ulbrych <stan@python.org>
 Date: Mon, 13 Apr 2026 22:41:53 +0100
 Subject: 00480: CVE-2026-4786
 Fix webbrowser `%action` substitution bypass of dash-prefix check
 ---
 Lib/test/test_webbrowser.py                               | 8 ++++++++
 Lib/webbrowser.py                                         | 5 +++--
 .../2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst        | 2 ++
 3 files changed, 13 insertions(+), 2 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
 diff --git a/Lib/test/test_webbrowser.py b/Lib/test/test_webbrowser.py
 index f8e9234db8..9156ceec60 100644
 --- a/Lib/test/test_webbrowser.py
 +++ b/Lib/test/test_webbrowser.py
@@ -95,6 +95,14 @@ class ChromeCommandTest(CommandTestMixin, unittest.TestCase):
                    options=[],
                    arguments=[URL])
 +    def test_reject_action_dash_prefixes(self):
 +        browser = self.browser_class(name=CMD_NAME)
 +        with self.assertRaises(ValueError):
 +            browser.open('%action--incognito')
 +        # new=1: action is "--new-window", so "%action" itself expands to
 +        # a dash-prefixed flag even with no dash in the original URL.
 +        with self.assertRaises(ValueError):
 +            browser.open('%action', new=1)
 class MozillaCommandTest(CommandTestMixin, unittest.TestCase):
 diff --git a/Lib/webbrowser.py b/Lib/webbrowser.py
 index f5349dbce5..43ccddf330 100755
 --- a/Lib/webbrowser.py
 +++ b/Lib/webbrowser.py
@@ -264,7 +264,6 @@ class UnixBrowser(BaseBrowser):
     def open(self, url, new=0, autoraise=True):
         sys.audit("webbrowser.open", url)
 -        self._check_url(url)
         if new == 0:
             action = self.remote_action
         elif new == 1:
@@ -278,7 +277,9 @@ class UnixBrowser(BaseBrowser):
             raise Error("Bad 'new' parameter to open(); " +
                         "expected 0, 1, or 2, got %s" % new)
 -        args = [arg.replace("%s", url).replace("%action", action)
 +        self._check_url(url.replace("%action", action))
 +
 +        args = [arg.replace("%action", action).replace("%s", url)
                 for arg in self.remote_args]
         args = [arg for arg in args if arg]
         success = self._invoke(args, True, autoraise, url)
 diff --git a/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst b/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
 new file mode 100644
 index 0000000000..45cdeebe1b
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Security/2026-03-31-09-15-51.gh-issue-148169.EZJzz2.rst
@@ -0,0 +1,2 @@
 +A bypass in :mod:`webbrowser` allowed URLs prefixed with ``%action`` to pass
 +the dash-prefix safety check.
--- a/00482-cve-2026-6100.patch
+++ b/00482-cve-2026-6100.patch
@ -1,48 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Stan Ulbrych <stan@python.org>
 Date: Mon, 13 Apr 2026 22:42:24 +0100
 Subject: 00482: CVE-2026-6100
 Fix a possible UAF in {LZMA,BZ2,_Zlib}Decompressor
 ---
 .../Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst  | 5 +++++
 Modules/_bz2module.c                                         | 1 +
 Modules/_lzmamodule.c                                        | 1 +
 3 files changed, 7 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
 diff --git a/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
 new file mode 100644
 index 0000000000..b095329bd9
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Security/2026-04-10-16-28-21.gh-issue-148395.kfzm0G.rst
@@ -0,0 +1,5 @@
 +Fix a dangling input pointer in :class:`lzma.LZMADecompressor`,
 +:class:`bz2.BZ2Decompressor`
 +when memory allocation fails with :exc:`MemoryError`, which could let a
 +subsequent :meth:`!decompress` call read or write through a stale pointer to
 +the already-released caller buffer.
 diff --git a/Modules/_bz2module.c b/Modules/_bz2module.c
 index 880632c623..9b17341e49 100644
 --- a/Modules/_bz2module.c
 +++ b/Modules/_bz2module.c
@@ -559,6 +559,7 @@ decompress(BZ2Decompressor *d, char *data, size_t len, Py_ssize_t max_length)
     return result;
 error:
 +    bzs->next_in = NULL;
     Py_XDECREF(result);
     return NULL;
 }
 diff --git a/Modules/_lzmamodule.c b/Modules/_lzmamodule.c
 index 2a62a68356..dde81238ef 100644
 --- a/Modules/_lzmamodule.c
 +++ b/Modules/_lzmamodule.c
@@ -1039,6 +1039,7 @@ decompress(Decompressor *d, uint8_t *data, size_t len, Py_ssize_t max_length)
     return result;
 error:
 +    lzs->next_in = NULL;
     Py_XDECREF(result);
     return NULL;
 }
--- a/SOURCES/00001-rpath.patch
+++ b/SOURCES/00001-rpath.patch
--- a/SOURCES/00111-no-static-lib.patch
+++ b/SOURCES/00111-no-static-lib.patch
--- a/SOURCES/00189-use-rpm-wheels.patch
+++ b/SOURCES/00189-use-rpm-wheels.patch
--- a/SOURCES/00251-change-user-install-location.patch
+++ b/SOURCES/00251-change-user-install-location.patch
--- a/SOURCES/00328-pyc-timestamp-invalidation-mode.patch
+++ b/SOURCES/00328-pyc-timestamp-invalidation-mode.patch
--- a/SOURCES/00329-fips.patch
+++ b/SOURCES/00329-fips.patch
--- a/SOURCES/00353-architecture-names-upstream-downstream.patch
+++ b/SOURCES/00353-architecture-names-upstream-downstream.patch
--- a/SOURCES/00397-tarfile-filter.patch
+++ b/SOURCES/00397-tarfile-filter.patch
--- a/SOURCES/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch
+++ b/SOURCES/00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch
--- a/SOURCES/00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch
+++ b/SOURCES/00422-fix-tests-for-xmlpullparser-with-expat-2-6-0.patch
--- a/SOURCES/00471-cve-2025-12084.patch
+++ b/SOURCES/00471-cve-2025-12084.patch
--- a/SOURCES/00473-cve-2026-0865.patch
+++ b/SOURCES/00473-cve-2026-0865.patch
--- a/SOURCES/00474-cve-2025-15366.patch
+++ b/SOURCES/00474-cve-2025-15366.patch
--- a/SOURCES/00475-cve-2025-15367.patch
+++ b/SOURCES/00475-cve-2025-15367.patch
--- a/SOURCES/00476-cve-2026-1299.patch
+++ b/SOURCES/00476-cve-2026-1299.patch
--- a/SOURCES/Python-3.9.25.tar.xz.asc
+++ b/SOURCES/Python-3.9.25.tar.xz.asc
@ -0,0 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCAAdFiEE4/8oOcBIslwITevpsmmV4xAlBWgFAmkFBpsACgkQsmmV4xAl
 BWgwbw//Tx78tZg3/tJ47YDzDCf68XurBPbdgSfmmGTRrveMt6nQbV+c7XKS5MKK
 6hP0jt4W8tP6zC/zRPTexqYwetTaM7+ZKuxzwXABXzi+rfmL/L6BtQQpzwK+vesE
 hSSkjl4R2FF3YBrTBNqG0ewf5j4Y41yc4V9UHJWXbmQt6sg/nF+lDvG3K3wzP6zV
 rs6LsayeO3AXhi7+c0q7d2oYTFhv/RPOGl6/fLy5j1bxNNE1i2yeIfcR9BqjqB9y
 Ue1Tea8RGjh3dSq06/8ubpcqf+tlE4cCDkLERqDWSafZnNA5X4eymAQP9urUoH2n
 78X8DXkGbKqyJ+3w97S6zqVnZvL2jSOog8R+yvT5snqzJDp+UK0lcbowPILsOGm4
 BE54dQTG5bT+1bUicvQZIbP4vOswZufl8LGmodkW06edSEcylwO8bHWNcY/gC5HO
 WcTbqTFyV+FtwAJxsfgkqKcI6xUyYHqeMhqCUvkpHFFMjsinVOBFVbow8fgiJGUV
 GIo3kMNPZPirqgl9bhc3F7qvdgVDQsCqnKJ8B1WegdIlKWxXBj3qQB0U4Qbecpdt
 2AhVQAmcOu4LzJYtatDp/0tw6KMr8nWGdofrLVJgzQuu6MmhGW+2cJ0e+wUAxw6v
 OBjQ0o42ylQKeS8VGP4yFbYv1umeeWHje26z9az3uOVUFaAoptk=
 =5qMt
 -----END PGP SIGNATURE-----
--- a/SOURCES/check-pyc-timestamps.py
+++ b/SOURCES/check-pyc-timestamps.py
--- a/SOURCES/idle3.appdata.xml
+++ b/SOURCES/idle3.appdata.xml
--- a/SOURCES/idle3.desktop
+++ b/SOURCES/idle3.desktop
--- a/SOURCES/pubkeys.txt
+++ b/SOURCES/pubkeys.txt
--- a/SPECS/python3.9.spec
+++ b/SPECS/python3.9.spec
@ -17,7 +17,7 @@ URL: https://www.python.org/
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 7%{?dist}
+Release: 5%{?dist}
 License: Python
@ -476,26 +476,6 @@ Patch475: 00475-cve-2025-15367.patch
 # gh-144125: email: verify headers are sound in BytesGenerator
 Patch476: 00476-cve-2026-1299.patch
 # 00478 # 88bb1e37c971fd1d6bda82a68b5ad873ed099f08
 # CVE-2026-4519
 #
 # Reject leading dashes in webbrowser URLs (GH-143931) (GH-146359)
 #
 # Cherry-picked from Python 3.10: ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5
 Patch478: 00478-cve-2026-4519.patch
 # 00480 # 9f4b1483ecfbc8c08117133c239fba544fcb42e7
 # CVE-2026-4786
 #
 # Fix webbrowser `%%action` substitution bypass of dash-prefix check
 Patch480: 00480-cve-2026-4786.patch
 # 00482 # 51e25e8a804257b707e2021655037d07dcfa9cd6
 # CVE-2026-6100
 #
 # Fix a possible UAF in {LZMA,BZ2,_Zlib}Decompressor
 Patch482: 00482-cve-2026-6100.patch
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -1907,14 +1887,6 @@ CheckPython optimized
 # ======================================================
 %changelog
 * Fri Apr 17 2026 Charalampos Stratakis <cstratak@redhat.com> - 3.9.25-7
 - Security fixes for CVE-2026-4786 and CVE-2026-6100
 Resolves: RHEL-167919, RHEL-168161
 * Thu Mar 26 2026 Lumír Balhar <lbalhar@redhat.com> - 3.9.25-6
 - Security fix for CVE-2026-4519
 Resolves: RHEL-158117
 * Mon Mar 09 2026 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.9.25-5
 - Rebuilding previous fixes for different build target
 Related: RHEL-143117, RHEL-143174, RHEL-144897
--- a/gating.yaml
+++ b/gating.yaml
@ -1,6 +0,0 @@
 --- !Policy
 product_versions:
  - rhel-9
 decision_context: osci_compose_gate
 rules:
  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
--- a/python3.9.rpmlintrc
+++ b/python3.9.rpmlintrc
@ -1,90 +0,0 @@
 # KNOWN BUGS:
 # https://bugzilla.redhat.com/show_bug.cgi?id=1489816
 addFilter(r'crypto-policy-non-compliance-openssl')
 # TESTS:
 addFilter(r'(zero-length|pem-certificate|uncompressed-zip) /usr/lib(64)?/python3\.\d+/test')
 # OTHER DELIBERATES:
 # chroot function
 addFilter(r'missing-call-to-chdir-with-chroot')
 # intentionally unversioned and selfobsoleted
 addFilter(r'unversioned-explicit-obsoletes python')
 addFilter(r'self-obsoletion python3\.\d+ obsoletes python3\.\d+')
 # intentionally hardcoded
 addFilter(r'hardcoded-library-path in %{_prefix}/lib/(debug/%{_libdir}|python%{pybasever})')
 # intentional for our pythonXY package
 addFilter(r'python3\.\d+\.[^:]+: (E|W): devel-file-in-non-devel-package')
 # we have non binary stuff, python files
 addFilter(r'only-non-binary-in-usr-lib')
 # some devel files that are deliberately needed
 addFilter(r'devel-file-in-non-devel-package /usr/include/python3\.\d+m?/pyconfig-(32|64)\.h')
 addFilter(r'devel-file-in-non-devel-package /usr/lib(64)?/python3\.\d+/distutils/tests/xxmodule\.c')
 # some bytecode is shipped without sources on purpose, as a space optimization
 # if this regex needs to be relaxed in the future, make sure it **does not** match pyc files in __pycache__
 addFilter(r'python-bytecode-without-source /usr/lib(64)?/python3\.\d+/(encodings|pydoc_data)/[^/]+.pyc')
 # SORRY, NOT SORRY:
 # manual pages
 addFilter(r'no-manual-page-for-binary (idle|pydoc|pyvenv|2to3|python3?-debug|pathfix|msgfmt|pygettext)')
 addFilter(r'no-manual-page-for-binary python3?.*-config$')
 addFilter(r'no-manual-page-for-binary python3\.\d+dm?$')
 # missing documentation from subpackages
 addFilter(r'^python3(\.\d+)?-(debug|tkinter|test|idle)\.[^:]+: (E|W): no-documentation')
 # platform python is obsoleted, but not provided
 addFilter(r'obsolete-not-provided platform-python')
 # RPMLINT IMPERFECTIONS
 # https://github.com/rpm-software-management/rpmlint/issues/123
 addFilter(r'python-bytecode-wrong-magic-value .* expected 33\d\d \(3\.7\), found 3393')
 # https://github.com/rpm-software-management/rpmlint/pull/133
 addFilter(r'python-bytecode-wrong-magic-value .* expected 33\d\d \(3\.7\), found 3394')
 # https://bugzilla.redhat.com/show_bug.cgi?id=1550562
 # https://github.com/rpm-software-management/rpmlint/issues/128
 addFilter(r'python-bytecode-inconsistent-mtime .* 1970')
 # we provide python(abi) manually to be sure. createrepo will merge this with the automatic
 addFilter(r'python3(\.\d+)?\.[^:-]+: (E|W): useless-provides python\(abi\)')
 # debugsource
 addFilter(r'^python3(\.\d+)?-debugsource\.[^:]+: (E|W): no-documentation')
 # debuginfo
 addFilter(r'^python3(\.\d+)?-debuginfo\.[^:]+: (E|W): useless-provides debuginfo\(build-id\)')
 # this is OK for F28+
 addFilter(r'library-without-ldconfig-post')
 # debug package contains devel and non-devel files
 addFilter(r'python3(\.\d+)?-debug\.[^:]+: (E|W): (non-)?devel-file-in-(non-)?devel-package')
 # this goes to other subpackage, hence not actually dangling, the read error is bogus
 addFilter(r'dangling-relative-symlink /usr/lib(64)?/pkgconfig/python-3\.\d+dm?(-embed)?\.pc python-3\.\d+(-embed)?\.pc')
 addFilter(r'read-error /usr/lib(64)?/pkgconfig/python-3\.\d+dm?(-embed)?\.pc \[Errno 2\]')
 # the python-unversioned-command package contains dangling symlinks by design
 addFilter(r'^python-unversioned-command\.[^:]+: (E|W): dangling-relative-symlink '
          r'(/usr/bin/python \./python3|/usr/share/man/man1/python\.1\S* ./python3\.1\S*)$')
 # we need this macro to evaluate, even if the line starts with #
 addFilter(r'macro-in-comment %\{_pyconfig(32|64)_h\}')
 # Python modules don't need to be linked against libc
 # Since 3.8 they are no longer linked against libpython3.8.so.1.0
 addFilter(r'E: library-not-linked-against-libc /usr/lib(64)?/python3\.\d+/lib-dynload/')
 addFilter(r'E: shared-lib-without-dependency-information /usr/lib(64)?/python3\.\d+/lib-dynload/')
 # SPELLING ERRORS
 addFilter(r'spelling-error .* en_US (bytecode|pyc|filename|tkinter|namespaces|pytest) ')
--- a/rpminspect.yaml
+++ b/rpminspect.yaml
@ -1,32 +0,0 @@
 # exclude test XML data (not always valid) from XML validity check:
 xml:
    ignore:
        - /usr/lib*/python*/test/xmltestdata/*
        - /usr/lib*/python*/test/xmltestdata/*/*
 # exclude _socket from ipv4 only functions check, it has both ipv4 and ipv6 only
 badfuncs:
    ignore:
        - /usr/lib*/python*/lib-dynload/_socket.*
 # don't report changed content of compiled files
 # that is expected with every toolchain update and not reproducible yet
 changedfiles:
    # note that this is a posix regex, so no \d
    exclude_path: (\.so(\.[0-9]+(\.[0-9]+)?)?$|^/usr/bin/python[0-9]+\.[0-9]+d?m?$)
 # files change size all the time, we don't need to VERIFY it
 # however, the INFO is useful, so we don't disable the check entirely
 filesize:
    # artificially large number, TODO a better way
    size_threshold: 100000
 debuginfo:
    ignore:
        # libpython3.so doesn't contain compiled code
        - /usr/lib/debug/usr/lib*/libpython3.so*debug
 # completely disabled inspections:
 inspections:
    # we know about our patches, no need to report anything
    patches: off
--- a/2
+++ b/2
@ -1,2 +0,0 @@
 SHA512 (Python-3.9.25.tar.xz) = 33fd65952cc3ce5df83825aa32a103935815bdd5a016e5fd9896cafb068a3f89b3a6134458a2694e4f0f4f8a9fbe84739b53116264728b32cde0f03ab210cb19
 SHA512 (Python-3.9.25.tar.xz.asc) = 83f0a0e558aa89a106bdffeeb9b0fa2685fbd7be5c5954f9176c59c6c7023716207b07239f202b3508cbb98ca34572161955f0bfd3732fdb9265721cd6723dbe
--- a/tests/.fmf/version
+++ b/tests/.fmf/version
@ -1 +0,0 @@
 1
--- a/tests/provision.fmf
+++ b/tests/provision.fmf
@ -1,4 +0,0 @@
 ---
 standard-inventory-qcow2:
  qemu:
    m: 3G  # Amount of VM memory
--- a/tests/tests.yml
+++ b/tests/tests.yml
@ -1,59 +0,0 @@
 ---
 - hosts: localhost
  tags:
    - classic
  tasks:
    - dnf:
        name: "*"
        state: latest
    - dnf:
        name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm"
        state: installed
    - dnf:
        name: "https://dl.fedoraproject.org/pub/epel/epel-next-release-latest-9.noarch.rpm"
        state: installed
 - hosts: localhost
  roles:
  - role: standard-test-basic
    tags:
    - classic
    repositories:
    - repo: "https://gitlab.com/redhat/centos-stream/tests/python.git"
      dest: "python"
    tests:
    - smoke:
        dir: python/smoke
        run: VERSION=3.9 ./venv.sh
    - debugsmoke:
        dir: python/smoke
        run: PYTHON=python3-debug TOX=false VERSION=3.9 ./venv.sh
    - selftest:
        dir: python/selftest
        run: VERSION=3.9 X="-x test_wsgiref" ./parallel.sh
    - debugtest:
        dir: python/selftest
        run: VERSION=3.9 PYTHON=python3-debug X="-x test_wsgiref" ./parallel.sh
    - optimizedflags_self:
        dir: python/flags
        run: python3 ./assertflags.py -O3 PY_BUILTIN_MODULE_CFLAGS PY_CFLAGS_NODIST PY_CORE_CFLAGS PY_STDMODULE_CFLAGS
    - optimizedflags_3rd:
        dir: python/flags
        run: python3 ./assertflags.py -O2 CFLAGS PY_CFLAGS
    - debugflags:
        dir: python/flags
        run: python3-debug ./assertflags.py -O0
    - marshalparser:
        dir: python/marshalparser
        run: VERSION=3.9 SAMPLE=10 test_marshalparser_compatibility.sh
    required_packages:
    - gcc  # for extension building in venv and selftest
    - gdb  # for test_gdb
    - python3.9  # the test subject
    - python3-debug  # for leak testing
    - python3-devel  # for extension building in venv and selftest
    - python3-tkinter  # for selftest
    - python3-test  # for selftest
    - python3-tox  # for venv tests
    - glibc-all-langpacks # for locale tests
    - marshalparser  # for testing compatibility (magic numbers) with marshalparser
		`@ -0,0 +1 @@`
							`36c7257ec30dca042679626d0dff79715acd4efb SOURCES/Python-3.9.25.tar.xz`
		`@ -1,2 +0,0 @@`
			`SHA512 (Python-3.9.25.tar.xz) = 33fd65952cc3ce5df83825aa32a103935815bdd5a016e5fd9896cafb068a3f89b3a6134458a2694e4f0f4f8a9fbe84739b53116264728b32cde0f03ab210cb19`
			`SHA512 (Python-3.9.25.tar.xz.asc) = 83f0a0e558aa89a106bdffeeb9b0fa2685fbd7be5c5954f9176c59c6c7023716207b07239f202b3508cbb98ca34572161955f0bfd3732fdb9265721cd6723dbe`