import python38-3.8.0-6.module+el8.2.0+5978+503155c0

2021-03-31 08:29:49 -04:00 · 2021-03-31 08:29:49 -04:00 · dad30b39b1
commit dad30b39b1
parent d151bf1a72
2 changed files with 7336 additions and 9 deletions
--- a/SOURCES/00329-fips.patch
+++ b/SOURCES/00329-fips.patch
--- a/SPECS/python38.spec
+++ b/SPECS/python38.spec
@ -17,7 +17,7 @@ URL: https://www.python.org/
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 4%{?dist}
+Release: 6%{?dist}
 License: Python

 # Exclude i686 arch. Due to a modularity issue it's being added to the
@ -278,6 +278,29 @@ Patch274: 00274-fix-arch-names.patch
 # See https://src.fedoraproject.org/rpms/redhat-rpm-config/pull-request/57#comment-27426
 Patch328: 00328-pyc-timestamp-invalidation-mode.patch

+# 00329 #
+# Support OpenSSL FIPS mode
+# - Fallback implementations md5, sha1, sha256, sha512 are removed in favor of OpenSSL wrappers
+# - In FIPS mode, OpenSSL wrappers are always used in hashlib
+# - add a new "usedforsecurity" keyword argument to the various digest
+#   algorithms in hashlib so that you can whitelist a callsite with
+#   "usedforsecurity=False"
+#   The change has been implemented upstream since Python 3.9:
+#   https://bugs.python.org/issue9216
+# - OpenSSL wrappers for the hashes blake2{b512,s256},
+#     sha3_{224,256,384,512}, shake_{128,256} are now exported from _hashlib
+# - In FIPS mode, the blake2, sha3 and shake hashes use OpenSSL wrappers
+#   and do not offer extended functionality (keys, tree hashing, custom digest size)
+# - In FIPS mode, hmac.HMAC can only be instantiated with an OpenSSL wrapper
+#   or an string with OpenSSL hash name as the "digestmod" argument.
+#   The argument must be specified (instead of defaulting to ‘md5’).
+#
+# - Also while in FIPS mode, we utilize OpenSSL's DRBG and disable the
+#   os.getrandom() function.
+#
+# Resolves: rhbz#1731424
+Patch329: 00329-fips.patch
+
 # 00337 #
 # Adjust the test_min_max_version in test_ssl to accept the new settings in
 # RHEL 8.2 where maximum_version is set to TLS 1.3
@ -305,6 +328,15 @@ Patch337: 00337-test_ssl-test_min_max_version-add-range.patch
 # we enable this in both flat and nonflat package.
 Provides: python%{pybasever} = %{version}-%{release}

+# When the user tries to `yum install python`, yum will list this package among
+# the possible alternatives
+Provides: alternative-for(python)
+
+# Runtime require alternatives
+Requires:         %{_sbindir}/alternatives
+Requires(post):   %{_sbindir}/alternatives
+Requires(postun): %{_sbindir}/alternatives
+
 %if %{without flatpackage}

 # Packages with Python modules in standard locations automatically
@ -368,6 +400,8 @@ Documentation for Python is provided in the %{name}-docs package.
 Packages containing additional libraries for Python are generally named with
 the "%{name}-" prefix.

+For the unversioned "python" executable, see manual page "unversioned-python".
+

 %if %{with main_python}
 # https://fedoraproject.org/wiki/Changes/Move_usr_bin_python_into_separate_package
@ -424,6 +458,9 @@ BuildRequires: python-rpm-macros
 # But we want them when packages BuildRequire python3-devel
 Requires: (python-rpm-macros if rpm-build)
 Requires: (python3-rpm-macros if rpm-build)
+# python38 installs the alternatives master symlink to which we attach a slave
+Requires(post): python38
+Requires(postun): python38

 %if %{without bootstrap}
 # This is not "API" (packages that need setuptools should still BuildRequire it)
@ -459,6 +496,10 @@ Requires: %{name}-tkinter = %{version}-%{release}

 %{?python_provide:%python_provide python38-idle}

+# python38 installs the alternatives master symlink to which we attach a slave
+Requires(post): python38
+Requires(postun): python38
+
 %description idle
 IDLE is Python’s Integrated Development and Learning Environment.

@ -511,6 +552,9 @@ Requires: %{name}-devel%{?_isa} = %{version}-%{release}
 Requires: %{name}-test%{?_isa} = %{version}-%{release}
 Requires: %{name}-tkinter%{?_isa} = %{version}-%{release}
 Requires: %{name}-idle%{?_isa} = %{version}-%{release}
+# python38 installs the alternatives master symlink to which we attach a slave
+Requires(post): python38
+Requires(postun): python38

 %{?python_provide:%python_provide python38-debug}

@ -604,6 +648,7 @@ rm Lib/ensurepip/_bundled/*.whl
 %patch251 -p1
 %patch274 -p1
 %patch328 -p1
+%patch329 -p1
 %patch337 -p1


@ -967,6 +1012,21 @@ mkdir -p %{buildroot}/%{rpmmacrodir}/
 install -m 644 %{SOURCE3} \
    %{buildroot}/%{rpmmacrodir}/

+# All ghost files controlled by alternatives need to exist for the files
+# section check to succeed
+# - Don't list /usr/bin/python as a ghost file so `yum install /usr/bin/python`
+#   doesn't install this package
+touch %{buildroot}%{_bindir}/unversioned-python
+touch %{buildroot}%{_mandir}/man1/python.1.gz
+touch %{buildroot}%{_bindir}/python3
+touch %{buildroot}%{_mandir}/man1/python3.1.gz
+touch %{buildroot}%{_bindir}/pydoc3
+touch %{buildroot}%{_bindir}/pydoc-3
+touch %{buildroot}%{_bindir}/idle3
+touch %{buildroot}%{_bindir}/python3-config
+touch %{buildroot}%{_bindir}/python3-debug
+touch %{buildroot}%{_bindir}/python3-debug-config
+

 # ======================================================
 # Checks for packaging issues
@ -1054,6 +1114,117 @@ CheckPython optimized
 %endif # with tests


+%post
+# Alternative for /usr/bin/python -> /usr/bin/python3 + man page
+alternatives --install %{_bindir}/unversioned-python \
+                       python \
+                       %{_bindir}/python3 \
+                       300 \
+             --slave   %{_bindir}/python \
+                       unversioned-python \
+                       %{_bindir}/python3 \
+             --slave   %{_mandir}/man1/python.1.gz \
+                       unversioned-python-man \
+                       %{_mandir}/man1/python3.1.gz
+
+# Alternative for /usr/bin/python -> /usr/bin/python3.8 + man page
+alternatives --install %{_bindir}/unversioned-python \
+                       python \
+                       %{_bindir}/python3.8 \
+                       208 \
+             --slave   %{_bindir}/python \
+                       unversioned-python \
+                       %{_bindir}/python3.8 \
+             --slave   %{_mandir}/man1/python.1.gz \
+                       unversioned-python-man \
+                       %{_mandir}/man1/python3.8.1.gz
+
+# Alternative for /usr/bin/python3 -> /usr/bin/python3.8 + related files
+# Create only if it doesn't exist already
+EXISTS=`alternatives --display python3 | \
+        grep -c "^/usr/bin/python3.8 - priority [0-9]*"`
+
+if [ $EXISTS -eq 0 ]; then
+    alternatives --install %{_bindir}/python3 \
+                           python3 \
+                           %{_bindir}/python3.8 \
+                           3800 \
+                 --slave   %{_mandir}/man1/python3.1.gz \
+                           python3-man \
+                           %{_mandir}/man1/python3.8.1.gz \
+                 --slave   %{_bindir}/pydoc3 \
+                           pydoc3 \
+                           %{_bindir}/pydoc3.8 \
+                 --slave   %{_bindir}/pydoc-3 \
+                           pydoc-3 \
+                           %{_bindir}/pydoc3.8
+fi
+
+%postun
+# Do this only during uninstall process (not during update)
+if [ $1 -eq 0 ]; then
+    alternatives --remove python \
+                        %{_bindir}/python3.8
+
+    alternatives --remove python3 \
+                        %{_bindir}/python3.8
+
+    # Remove link python → python3 if no other python3.* exists
+    if ! alternatives --display python3 > /dev/null; then
+        alternatives --remove python \
+                            %{_bindir}/python3
+    fi
+fi
+
+
+%post devel
+alternatives --add-slave python3 %{_bindir}/python3.8 \
+    %{_bindir}/python3-config \
+    python3-config \
+    %{_bindir}/python3.8-config
+
+%postun devel
+# Do this only during uninstall process (not during update)
+if [ $1 -eq 0 ]; then
+    alternatives --remove-slave python3 %{_bindir}/python3.8 \
+        python3-config
+fi
+
+
+%post debug
+alternatives --add-slave python3 %{_bindir}/python3.8 \
+    %{_bindir}/python3-debug \
+    python3-debug \
+    %{_bindir}/python3.8d
+alternatives --add-slave python3 %{_bindir}/python3.8 \
+    %{_bindir}/python3-debug-config \
+    python3-debug-config \
+    %{_bindir}/python3.8d-config
+
+%postun debug
+# Do this only during uninstall process (not during update)
+if [ $1 -eq 0 ]; then
+    alternatives --remove-slave python3 %{_bindir}/python3.8 \
+        python3-debug
+    alternatives --remove-slave python3 %{_bindir}/python3.8 \
+        python3-debug-config
+fi
+
+
+%post idle
+alternatives --add-slave python3 %{_bindir}/python3.8 \
+    %{_bindir}/idle3 \
+    idle3 \
+    %{_bindir}/idle3.8
+
+%postun idle
+# Do this only during uninstall process (not during update)
+if [ $1 -eq 0 ]; then
+    alternatives --remove-slave python3 %{_bindir}/python3.8 \
+       idle3
+fi
+
+
 %files -n python38-rpm-macros
 %license LICENSE
 %doc README.rst
@ -1062,6 +1233,15 @@ CheckPython optimized
 %files
 %doc README.rst

+# Alternatives
+%ghost %{_bindir}/unversioned-python
+%ghost %{_mandir}/man1/python.1.gz
+%ghost %{_bindir}/python3
+%ghost %{_mandir}/man1/python3.1.gz
+%ghost %{_bindir}/pydoc3
+%ghost %{_bindir}/pydoc-3
+
+
 %if %{with main_python}
 %{_bindir}/pydoc*
 %{_bindir}/python3
@ -1141,11 +1321,8 @@ CheckPython optimized
 %{pylibdir}/pydoc_data

 %{dynload_dir}/_blake2.%{SOABI_optimized}.so
-%{dynload_dir}/_md5.%{SOABI_optimized}.so
-%{dynload_dir}/_sha1.%{SOABI_optimized}.so
-%{dynload_dir}/_sha256.%{SOABI_optimized}.so
 %{dynload_dir}/_sha3.%{SOABI_optimized}.so
-%{dynload_dir}/_sha512.%{SOABI_optimized}.so
+%{dynload_dir}/_hmacopenssl.%{SOABI_optimized}.so

 %{dynload_dir}/_asyncio.%{SOABI_optimized}.so
 %{dynload_dir}/_bisect.%{SOABI_optimized}.so
@ -1340,6 +1517,9 @@ CheckPython optimized
 %{_bindir}/python%{pybasever}-config
 %{_bindir}/python%{LDVERSION_optimized}-config
 %{_bindir}/python%{LDVERSION_optimized}-*-config
+# Alternatives
+%ghost %{_bindir}/python3-config
+
 %{_libdir}/libpython%{LDVERSION_optimized}.so
 %{_libdir}/pkgconfig/python-%{LDVERSION_optimized}.pc
 %{_libdir}/pkgconfig/python-%{LDVERSION_optimized}-embed.pc
@ -1355,6 +1535,8 @@ CheckPython optimized
 %{_bindir}/idle*
 %else
 %{_bindir}/idle%{pybasever}
+# Alternatives
+%ghost %{_bindir}/idle3
 %endif

 %{pylibdir}/idlelib
@ -1420,16 +1602,15 @@ CheckPython optimized

 # Analog of the core subpackage's files:
 %{_bindir}/python%{LDVERSION_debug}
+# Alternatives
+%ghost %{_bindir}/python3-debug

 # Analog of the -libs subpackage's files:
 # ...with debug builds of the built-in "extension" modules:

 %{dynload_dir}/_blake2.%{SOABI_debug}.so
-%{dynload_dir}/_md5.%{SOABI_debug}.so
-%{dynload_dir}/_sha1.%{SOABI_debug}.so
-%{dynload_dir}/_sha256.%{SOABI_debug}.so
 %{dynload_dir}/_sha3.%{SOABI_debug}.so
-%{dynload_dir}/_sha512.%{SOABI_debug}.so
+%{dynload_dir}/_hmacopenssl.%{SOABI_debug}.so

 %{dynload_dir}/_asyncio.%{SOABI_debug}.so
 %{dynload_dir}/_bisect.%{SOABI_debug}.so
@ -1506,6 +1687,8 @@ CheckPython optimized
 %{_includedir}/python%{LDVERSION_debug}
 %{_bindir}/python%{LDVERSION_debug}-config
 %{_bindir}/python%{LDVERSION_debug}-*-config
+%ghost %{_bindir}/python3-debug-config
+
 %{_libdir}/libpython%{LDVERSION_debug}.so
 %{_libdir}/libpython%{LDVERSION_debug}.so.1.0
 %{_libdir}/pkgconfig/python-%{LDVERSION_debug}.pc
@ -1549,6 +1732,14 @@ CheckPython optimized
 # ======================================================

 %changelog
+* Mon Feb 24 2020 Tomas Orsava <torsava@redhat.com> - 3.8.0-6
+- Implement alternatives for /usr/bin/python, python3 and related executables
+- Resolves: rhbz#1807041
+
+* Fri Jan 10 2020 Charalampos Stratakis <cstratak@redhat.com> - 3.8.0-5
+- Add support for FIPS mode
+- Resolves: rhbz#1793589
+
 * Thu Dec 12 2019 Tomas Orsava <torsava@redhat.com> - 3.8.0-4
 - Exclude unsupported i686 arch