.gitignore

@@ -1 +1 @@
-SOURCES/setuptools-41.6.0.zip
+SOURCES/setuptools-50.3.2.zip

.python3x-setuptools.metadata

@@ -1 +1 @@
-79f4ba0be27967d8f02b0d21a1e34fba9432481d SOURCES/setuptools-41.6.0.zip
+2c9279e6b2d521f6799294200a432925113177dc SOURCES/setuptools-50.3.2.zip

SOURCES/CVE-2022-40897.patch

@@ -0,0 +1,13 @@
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index 123e958..a90b810 100644
+--- a/setuptools/package_index.py
++++ b/setuptools/package_index.py
+@@ -215,7 +215,7 @@ def unique_values(func):
+     return wrapper
+ 
+ 
+-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I)
++REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I)
+ # this line is here to fix emacs' cruddy broken syntax highlighting
+ 
+ 

SOURCES/create-site-packages.patch

@@ -1,17 +0,0 @@
-diff --git a/setuptools/command/easy_install.py b/setuptools/command/easy_install.py
-index 91c48b3..0c9b0f4 100755
---- a/setuptools/command/easy_install.py
-+++ b/setuptools/command/easy_install.py
-@@ -446,6 +446,12 @@ class easy_install(Command):
-         instdir = normalize_path(self.install_dir)
-         pth_file = os.path.join(instdir, 'easy-install.pth')
- 
-+        if not os.path.exists(instdir):
-+            try:
-+                os.makedirs(instdir)
-+            except (OSError, IOError):
-+                self.cant_write_to_target()
-+
-         # Is it a configured, PYTHONPATH, implicit, or explicit site dir?
-         is_site_dir = instdir in self.all_site_dirs
- 

SPECS/python3x-setuptools.spec

@@ -6,29 +6,32 @@
 %bcond_with tests
 
 %if %{without bootstrap}
-%global python_wheelname %{srcname}-%{version}-py2.py3-none-any.whl
+%global python_wheelname %{srcname}-%{version}-py3-none-any.whl
 %global python3_record %{python3_sitelib}/%{srcname}-%{version}.dist-info/RECORD
 %endif
-%global python_wheeldir %{_datadir}/python38-wheels
+%global python_wheeldir %{_datadir}/python%{python3_pkgversion}-wheels
 
 Name:           python3x-setuptools
 # When updating, update the bundled libraries versions bellow!
-Version:        41.6.0
+Version:        50.3.2
 Release:        5%{?dist}
 Summary:        Easily build and distribute Python packages
 # setuptools is MIT
+# appdirs is MIT
 # packaging is BSD or ASL 2.0
 # pyparsing is MIT
-# six is MIT
+# the setuptools logo has unknown license and possible TM problems,
+# but the sdist **does not** contain it,
+# see https://github.com/pypa/setuptools/issues/2227
 License:        MIT and (BSD or ASL 2.0)
 URL:            https://pypi.python.org/pypi/%{srcname}
 Source0:        %{pypi_source %{srcname} %{version} zip}
 
-# In Fedora, sudo setup.py install installs to /usr/local/lib/pythonX.Y/site-packages
-# But pythonX doesn't own that dir, that would be against FHS
-# We need to create it if it doesn't exist
-# https://bugzilla.redhat.com/show_bug.cgi?id=1576924
-Patch0:         create-site-packages.patch
+# Security fix for CVE-2022-40897
+# Regular Expression Denial of Service (ReDoS) in package_index.py
+# Resolved upstream: https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be
+# The patch is backported without test because that requires pytest.timeout.
+Patch1:         CVE-2022-40897.patch
 
 BuildArch:      noarch
 # Exclude i686 arch. Due to a modularity issue it's being added to the
@@ -36,20 +39,23 @@ BuildArch:      noarch
 # See: https://projects.engineering.redhat.com/browse/RCM-72605
 ExcludeArch:    i686
 
-BuildRequires:  gcc
-
 BuildRequires:  python%{python3_pkgversion}-devel
 BuildRequires:  python%{python3_pkgversion}-rpm-macros
 %if %{with tests}
+BuildRequires:  gcc
 BuildRequires:  python%{python3_pkgversion}-pip
 BuildRequires:  python%{python3_pkgversion}-pytest
 BuildRequires:  python%{python3_pkgversion}-mock
 BuildRequires:  python%{python3_pkgversion}-pytest-fixture-config
 BuildRequires:  python%{python3_pkgversion}-pytest-virtualenv
+BuildRequires:  python%{python3_pkgversion}-jaraco-envs
 %endif # with tests
 %if %{without bootstrap}
 BuildRequires:  python%{python3_pkgversion}-pip
 BuildRequires:  python%{python3_pkgversion}-wheel
+# python3 bootstrap: this is built before the final build of python3, which
+# adds the dependency on python3-rpm-generators, so we require it manually
+BuildRequires:  python3-rpm-generators
 %endif # without bootstrap
 
 %description
@@ -58,20 +64,20 @@ you to more easily build and distribute Python packages, especially ones that
 have dependencies on other packages.
 
 This package also contains the runtime components of setuptools, necessary to
-execute the software that requires pkg_resources.py.
+execute the software that requires pkg_resources.
 
 # Virtual provides for the packages bundled by setuptools.
-# You can find the versions in setuptools/setuptools/_vendor/vendored.txt
-%global bundled() %{expand:
-Provides: bundled(python%{1}dist(packaging)) = 16.8
-Provides: bundled(python%{1}dist(pyparsing)) = 2.2.1
-Provides: bundled(python%{1}dist(six)) = 1.10.0
+# Copied from Fedora where you can generate it with:
+# %%{_rpmconfigdir}/pythonbundles.py --namespace 'python%%{python3_pkgversion}dist' pkg_resources/_vendor/vendored.txt
+%global bundled %{expand:
+Provides: bundled(python%{python3_version}dist(appdirs)) = 1.4.3
+Provides: bundled(python%{python3_version}dist(packaging)) = 20.4
+Provides: bundled(python%{python3_version}dist(pyparsing)) = 2.2.1
 }
 
 %package -n python%{python3_pkgversion}-setuptools
 Summary:        Easily build and distribute Python 3 packages
-%{?python_provide:%python_provide python%{python3_pkgversion}-setuptools}
-%{bundled 3.8}
+%{bundled}
 
 %if %{with bootstrap}
 Provides:       python%{python3_version}dist(setuptools) = %{version}
@@ -79,10 +85,10 @@ Provides:       python%{python3_version}dist(setuptools) = %{version}
 
 # Require alternatives version that implements the --keep-foreign flag
 Requires(postun): alternatives >= 1.19.1-1
-# python38 installs the alternatives master symlink to which we attach a slave
-Requires: python38
-Requires(post): python38
-Requires(postun): python38
+# python39 installs the alternatives master symlink to which we attach a slave
+Requires: python%{python3_pkgversion}
+Requires(post): python%{python3_pkgversion}
+Requires(postun): python%{python3_pkgversion}
 
 
 %description -n python%{python3_pkgversion}-setuptools
@@ -91,12 +97,12 @@ you to more easily build and distribute Python 3 packages, especially ones that
 have dependencies on other packages.
 
 This package also contains the runtime components of setuptools, necessary to
-execute the software that requires pkg_resources.py.
+execute the software that requires pkg_resources.
 
 %if %{without bootstrap}
 %package -n python%{python3_pkgversion}-setuptools-wheel
 Summary:        The setuptools wheel
-%{bundled 3.8}
+%{bundled}
 
 %description -n python%{python3_pkgversion}-setuptools-wheel
 A Python wheel of setuptools to use with venv.
@@ -113,8 +119,9 @@ find setuptools pkg_resources -name \*.py | xargs sed -i -e '1 {/^#!\//d}'
 rm -f setuptools/*.exe
 # These tests require internet connection
 rm setuptools/tests/test_integration.py 
-# Spurious executable perm https://github.com/pypa/setuptools/pull/1441
-chmod -x README.rst
+# We don't do linting or coverage here
+sed -i pytest.ini -e 's/ --flake8//' \
+                  -e 's/ --cov//'
 
 %build
 # Warning, different bootstrap meaning here, has nothing to do with our bcond
@@ -136,7 +143,9 @@ chmod -x README.rst
 %py3_install
 %endif
 
-rm -rf %{buildroot}%{python3_sitelib}/setuptools/tests
+# This is not installed (in 45.2.0 anyway), but better be safe than sorry
+rm -rf %{buildroot}%{python3_sitelib}/{setuptools,pkg_resources}/tests
+
 %if %{without bootstrap}
 sed -i '/^setuptools\/tests\//d' %{buildroot}%{python3_record}
 %endif
@@ -144,7 +153,7 @@ sed -i '/^setuptools\/tests\//d' %{buildroot}%{python3_record}
 find %{buildroot}%{python3_sitelib} -name '*.exe' | xargs rm -f
 
 # Don't ship these
-rm -r docs/{Makefile,conf.py,_*}
+rm -r docs/{conf.py,_*}
 
 %if %{without bootstrap}
 mkdir -p %{buildroot}%{python_wheeldir}
@@ -161,26 +170,23 @@ touch %{buildroot}%{_bindir}/easy_install-3
 
 %if %{with tests}
 %check
-# --ignore=pavement.py: No python3-paver in Fedora
+# Upstream tests
+# --ignore=pavement.py:
 #   pavement.py is only used by upstream to do releases and vendoring, we don't ship it
-# --deselect=setuptools/tests/test_setuptools.py::TestDepends::testRequire
-#   Test failure reported upstream: https://github.com/pypa/setuptools/issues/1896
-PYTHONDONTWRITEBYTECODE=1 PYTHONPATH=$(pwd) pytest-%{python3_version} \
-    --ignore=pavement.py \
-    --deselect=setuptools/tests/test_setuptools.py::TestDepends::testRequire
+PYTHONPATH=$(pwd) %pytest --ignore=pavement.py
 %endif # with tests
 
 
 %post -n python%{python3_pkgversion}-setuptools
-alternatives --add-slave python3 %{_bindir}/python3.8 \
+alternatives --add-slave python3 %{_bindir}/python%{python3_version} \
     %{_bindir}/easy_install-3 \
     easy_install-3 \
-    %{_bindir}/easy_install-3.8 \
+    %{_bindir}/easy_install-%{python3_version} \
 
 %postun -n python%{python3_pkgversion}-setuptools
 # Do this only during uninstall process (not during update)
 if [ $1 -eq 0 ]; then
-    alternatives --keep-foreign --remove-slave python3 %{_bindir}/python3.8 \
+    alternatives --keep-foreign --remove-slave python3 %{_bindir}/python%{python3_version} \
         easy_install-3
 fi
 
@@ -191,6 +197,8 @@ fi
 %{python3_sitelib}/easy_install.py
 %{python3_sitelib}/pkg_resources/
 %{python3_sitelib}/setuptools*/
+%{python3_sitelib}/_distutils_hack/
+%{python3_sitelib}/distutils-precedence.pth
 %{python3_sitelib}/__pycache__/*
 %{_bindir}/easy_install-3.*
 %ghost %{_bindir}/easy_install-3
@@ -205,19 +213,77 @@ fi
 
 
 %changelog
-* Mon Aug 02 2021 Tomas Orsava <torsava@redhat.com> - 41.6.0-5
+* Tue Oct 03 2023 Lumír Balhar <lbalhar@redhat.com> - 50.3.2-5
+- Fix for CVE-2022-40897
+Resolves: RHEL-9764
+
+* Thu Aug 05 2021 Tomas Orsava <torsava@redhat.com> - 50.3.2-4
 - Adjusted the postun scriptlets to enable upgrading to RHEL 9
 - Resolves: rhbz#1933055
 
-* Mon Mar 09 2020 Tomas Orsava <torsava@redhat.com> - 41.6.0-4
-- Implement the alternatives system for the executables
-- Resolves: rhbz#1807041
+* Tue Jan 05 2021 Tomas Orsava <torsava@redhat.com> - 50.3.2-3
+- Convert from Fedora to the python39 module in RHEL8
+- Resolves: rhbz#1877430
 
-* Fri Dec 13 2019 Tomas Orsava <torsava@redhat.com> - 41.6.0-3
-- Exclude unsupported i686 arch
+* Fri Dec  4 2020 Miro Hrončok <mhroncok@redhat.com> - 50.3.2-2
+- Disable tests in Fedora ELN (and RHEL)
 
-* Mon Nov 18 2019 Tomas Orsava <torsava@redhat.com> - 41.6.0-2
-- Convert to RHEL8 python38 module
+* Tue Oct 20 2020 Tomas Hrnciar <thrnciar@redhat.com> - 50.3.2-1
+- Update to 50.3.2 (#1889093)
+
+* Fri Sep 04 2020 Tomas Hrnciar <thrnciar@redhat.com> - 50.1.0-1
+- Update to 50.1.0 (#1873889)
+
+* Fri Aug 21 2020 Petr Viktorin <pviktori@redhat.com> - 49.6.0-1
+- Update to 49.6.0 (#1862791)
+
+* Wed Jul 29 2020 Miro Hrončok <mhroncok@redhat.com> - 49.1.3-1
+- Update to 49.1.3 (#1853597)
+- https://setuptools.readthedocs.io/en/latest/history.html#v49-1-3
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 47.3.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Fri Jun 26 2020 Miro Hrončok <mhroncok@redhat.com> - 47.3.1-1
+- Update to 47.3.1 (#1847049)
+- https://setuptools.readthedocs.io/en/latest/history.html#v47-3-1
+
+* Mon Jun 01 2020 Charalampos Stratakis <cstratak@redhat.com> - 47.1.1-1
+- Update to 47.1.1 (#1841123)
+- https://setuptools.readthedocs.io/en/latest/history.html#v47-1-1
+
+* Sun May 24 2020 Miro Hrončok <mhroncok@redhat.com> - 46.4.0-4
+- Rebuilt for Python 3.9
+
+* Thu May 21 2020 Miro Hrončok <mhroncok@redhat.com> - 46.4.0-3
+- Bootstrap for Python 3.9
+
+* Thu May 21 2020 Miro Hrončok <mhroncok@redhat.com> - 46.4.0-2
+- Bootstrap for Python 3.9
+
+* Mon May 18 2020 Tomas Hrnciar <thrnciar@redhat.com> - 46.4.0-1
+- Update to 46.4.0 (#1835411)
+- https://setuptools.readthedocs.io/en/latest/history.html#v46-4-0
+
+* Tue May 12 2020 Tomas Hrnciar <thrnciar@redhat.com> - 46.2.0-1
+- Update to 46.2.0 (#1833826)
+- https://setuptools.readthedocs.io/en/latest/history.html#v46-2-0
+
+* Thu Mar 26 2020 Miro Hrončok <mhroncok@redhat.com> - 46.1.3-1
+- Upgrade to 46.1.3 (#1817189)
+- https://setuptools.readthedocs.io/en/latest/history.html#v46-1-3
+
+* Tue Mar 10 2020 Miro Hrončok <mhroncok@redhat.com> - 46.0.0-1
+- Upgrade to 46.0.0 (#1811340)
+- https://setuptools.readthedocs.io/en/latest/history.html#v46-0-0
+
+* Tue Feb 11 2020 Miro Hrončok <mhroncok@redhat.com> - 45.2.0-1
+- Upgrade to 45.2.0 (#1775943)
+- https://setuptools.readthedocs.io/en/latest/history.html#v45-2-0
+- No longer supports Python 2
+
+* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 41.6.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 
 * Mon Nov 04 2019 Tomas Orsava <torsava@redhat.com> - 41.6.0-1
 - Upgrade to 41.6.0 (#1758945).