Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package python310 for openSUSE:Factory 
checked in at 2023-06-22 23:24:50
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python310 (Old)
 and      /work/SRC/openSUSE:Factory/.python310.new.15902 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python310"

Thu Jun 22 23:24:50 2023 rev:32 rq:1094243 version:3.10.11

Changes:
--------
--- /work/SRC/openSUSE:Factory/python310/python310.changes      2023-05-30 
22:02:07.578898517 +0200
+++ /work/SRC/openSUSE:Factory/.python310.new.15902/python310.changes   
2023-06-22 23:24:56.369668004 +0200
@@ -2 +2 @@
-Sun Apr 30 18:19:01 UTC 2023 - Matej Cepl <mc...@suse.com>
+Tue Jun 20 21:39:58 UTC 2023 - Matej Cepl <mc...@suse.com>
@@ -4 +4,2 @@
-- Why in the world we download from HTTP?
+- Add bpo-37596-make-set-marshalling.patch making marshalling of
+  `set` and `frozenset` deterministic (bsc#1211765).

New:
----
  bpo-37596-make-set-marshalling.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python310.spec ++++++
--- /var/tmp/diff_new_pack.Yj9Ovz/_old  2023-06-22 23:24:57.485665171 +0200
+++ /var/tmp/diff_new_pack.Yj9Ovz/_new  2023-06-22 23:24:57.485665171 +0200
@@ -173,6 +173,9 @@
 # PATCH-FIX-UPSTREAM CVE-2007-4559-filter-tarfile_extractall.patch bsc#1203750 
mc...@suse.com
 # PEP 706 – Filter for tarfile.extractall
 Patch38:        CVE-2007-4559-filter-tarfile_extractall.patch
+# PATCH-FIX-UPSTREAM bpo-37596-make-set-marshalling.patch bsc#1211765 
mc...@suse.com
+# Make `set` and `frozenset` marshalling deterministic
+Patch39:        bpo-37596-make-set-marshalling.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  fdupes
@@ -432,7 +435,6 @@
 %prep
 %setup -q -n %{tarname}
 %patch02 -p1
-
 %patch06 -p1
 %patch07 -p1
 %patch08 -p1
@@ -447,6 +449,7 @@
 %patch36 -p1
 %patch37 -p1
 %patch38 -p1
+%patch39 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac

++++++ CVE-2007-4559-filter-tarfile_extractall.patch ++++++
++++ 757 lines (skipped)
++++ between 
/work/SRC/openSUSE:Factory/python310/CVE-2007-4559-filter-tarfile_extractall.patch
++++ and 
/work/SRC/openSUSE:Factory/.python310.new.15902/CVE-2007-4559-filter-tarfile_extractall.patch


++++++ bpo-37596-make-set-marshalling.patch ++++++
>From 33d95c6facdfda3c8c0feffa7a99184e4abc2f63 Mon Sep 17 00:00:00 2001
From: Brandt Bucher <bra...@python.org>
Date: Wed, 25 Aug 2021 04:14:34 -0700
Subject: [PATCH] bpo-37596: Make `set` and `frozenset` marshalling
 deterministic (GH-27926)

---
 Lib/test/test_marshal.py                                          |   26 
++++++++
 Misc/NEWS.d/next/Library/2021-08-23-21-39-59.bpo-37596.ojRcwB.rst |    2 
 Python/marshal.c                                                  |   32 
++++++++++
 3 files changed, 60 insertions(+)
 create mode 100644 
Misc/NEWS.d/next/Library/2021-08-23-21-39-59.bpo-37596.ojRcwB.rst

--- a/Lib/test/test_marshal.py
+++ b/Lib/test/test_marshal.py
@@ -1,5 +1,6 @@
 from test import support
 from test.support import os_helper
+from test.support.script_helper import assert_python_ok
 import array
 import io
 import marshal
@@ -318,6 +319,31 @@ class BugsTestCase(unittest.TestCase):
         for i in range(len(data)):
             self.assertRaises(EOFError, marshal.loads, data[0: i])
 
+    def test_deterministic_sets(self):
+        # bpo-37596: To support reproducible builds, sets and frozensets need 
to
+        # have their elements serialized in a consistent order (even when they
+        # have been scrambled by hash randomization):
+        for kind in ("set", "frozenset"):
+            for elements in (
+                "float('nan'), b'a', b'b', b'c', 'x', 'y', 'z'",
+                # Also test for bad interactions with backreferencing:
+                "('string', 1), ('string', 2), ('string', 3)",
+            ):
+                s = f"{kind}([{elements}])"
+                with self.subTest(s):
+                    # First, make sure that our test case still has different
+                    # orders under hash seeds 0 and 1. If this check fails, we
+                    # need to update this test with different elements:
+                    args = ["-c", f"print({s})"]
+                    _, repr_0, _ = assert_python_ok(*args, PYTHONHASHSEED="0")
+                    _, repr_1, _ = assert_python_ok(*args, PYTHONHASHSEED="1")
+                    self.assertNotEqual(repr_0, repr_1)
+                    # Then, perform the actual test:
+                    args = ["-c", f"import marshal; print(marshal.dumps({s}))"]
+                    _, dump_0, _ = assert_python_ok(*args, PYTHONHASHSEED="0")
+                    _, dump_1, _ = assert_python_ok(*args, PYTHONHASHSEED="1")
+                    self.assertEqual(dump_0, dump_1)
+
 LARGE_SIZE = 2**31
 pointer_size = 8 if sys.maxsize > 0xFFFFFFFF else 4
 
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2021-08-23-21-39-59.bpo-37596.ojRcwB.rst
@@ -0,0 +1,2 @@
+Ensure that :class:`set` and :class:`frozenset` objects are always
+:mod:`marshalled <marshal>` reproducibly.
--- a/Python/marshal.c
+++ b/Python/marshal.c
@@ -502,9 +502,41 @@ w_complex_object(PyObject *v, char flag,
             W_TYPE(TYPE_SET, p);
         n = PySet_GET_SIZE(v);
         W_SIZE(n, p);
+        // bpo-37596: To support reproducible builds, sets and frozensets need
+        // to have their elements serialized in a consistent order (even when
+        // they have been scrambled by hash randomization). To ensure this, we
+        // use an order equivalent to sorted(v, key=marshal.dumps):
+        PyObject *pairs = PyList_New(0);
+        if (pairs == NULL) {
+            p->error = WFERR_NOMEMORY;
+            return;
+        }
         while (_PySet_NextEntry(v, &pos, &value, &hash)) {
+            PyObject *dump = PyMarshal_WriteObjectToString(value, p->version);
+            if (dump == NULL) {
+                p->error = WFERR_UNMARSHALLABLE;
+                goto anyset_done;
+            }
+            PyObject *pair = PyTuple_Pack(2, dump, value);
+            Py_DECREF(dump);
+            if (pair == NULL || PyList_Append(pairs, pair)) {
+                p->error = WFERR_NOMEMORY;
+                Py_XDECREF(pair);
+                goto anyset_done;
+            }
+            Py_DECREF(pair);
+        }
+        if (PyList_Sort(pairs)) {
+            p->error = WFERR_NOMEMORY;
+            goto anyset_done;
+        }
+        for (Py_ssize_t i = 0; i < n; i++) {
+            PyObject *pair = PyList_GET_ITEM(pairs, i);
+            value = PyTuple_GET_ITEM(pair, 1);
             w_object(value, p);
         }
+    anyset_done:
+        Py_DECREF(pairs);
     }
     else if (PyCode_Check(v)) {
         PyCodeObject *co = (PyCodeObject *)v;
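Review bot: The `PyList_Sort(pairs)` failure branch records `WFERR_NOMEMORY`, but the sort compares `(dump, value)` tuples and, when two dumps are byte-identical, falls through to comparing the values themselves, so it can presumably fail on a comparison error rather than an allocation failure. As far as I can tell from the callers outside this hunk, that code is later reported as a `MemoryError`, which would hide the real cause from anyone triaging a failed reproducible build. I would at least document this above the branch, e.g. `// PyList_Sort may also fail in a value comparison when two dumps are equal; reported as WFERR_NOMEMORY`, or sort on the dump alone so the values are never compared. The test added in Lib/test/test_marshal.py does not exercise this path, and `w_complex_object` begins and ends outside the hunk.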
