Hello community, here is the log from the commit of package python for openSUSE:Factory checked in at 2015-09-19 06:52:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python (Old) and /work/SRC/openSUSE:Factory/.python.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python" Changes: -------- --- /work/SRC/openSUSE:Factory/python/python-base.changes 2015-06-12 20:28:37.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.python.new/python-base.changes 2015-09-19 06:52:48.000000000 +0200 @@ -1,0 +2,13 @@ +Mon Sep 14 15:04:43 UTC 2015 - jmate...@suse.com + +- copy strict-tls-checks subpackage from SLE to retain future compatibility + (not built in openSUSE) +- do this properly to fix bnc#945401 + +------------------------------------------------------------------- +Wed Sep 9 12:19:01 UTC 2015 - dims...@opensuse.org + +- Add python-ncurses-6.0-accessors.patch: Fix build with + NCurses 6.0 and OPAQUE_WINDOW set to 1. + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/python/python.changes 2015-06-06 09:49:30.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.python.new/python.changes 2015-09-19 06:52:48.000000000 +0200 
@@ -1,0 +2,17 @@ +Mon Sep 14 15:03:30 UTC 2015 - jmate...@suse.com + +- implement python-strict-tls-checks subpackage + * when present, Python will perform TLS certificate checking by default. + it is possible to remove the package to turn off the checks + for compatibility with legacy scripts. + * as discussed in fate#318300 + * this is not built for openSUSE, but retained here in case we want + to build the package for a SLE system + +------------------------------------------------------------------- +Wed Sep 9 12:18:20 UTC 2015 - dims...@opensuse.org + +- Add python-ncurses-6.0-accessors.patch: Fix build with + NCurses 6.0 and OPAQUE_WINDOW set to 1. + +------------------------------------------------------------------- New: ---- python-ncurses-6.0-accessors.patch sle_tls_checks_policy.py ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-base.spec ++++++ --- /var/tmp/diff_new_pack.zuK5Rz/_old 2015-09-19 06:52:50.000000000 +0200 +++ /var/tmp/diff_new_pack.zuK5Rz/_new 2015-09-19 06:52:50.000000000 +0200 @@ -54,6 +54,8 @@ Patch33: python-2.7.9-ssl_ca_path.patch # PATCH-FEATURE-SLE disable SSL verification-by-default in http clients Patch34: python-2.7.9-sles-disable-verification-by-default.patch +# PATCH-FIX-UPSTREAM python-ncurses-6.0-accessors.patch dims...@opensuse.org -- Fix build with NCurses 6.0 and OPAQUE_WINDOW set to 1 +Patch35: python-ncurses-6.0-accessors.patch # COMMON-PATCH-END %define python_version %(echo %{tarversion} | head -c 3) BuildRequires: automake 
@@ -143,9 +145,10 @@ %patch24 -p1 %patch31 -p1 %patch33 -p1 -%if %{suse_version} == 1315 +%if %{suse_version} == 1315 && !0%{?is_opensuse} %patch34 -p1 %endif +%patch35 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac ++++++ python-doc.spec ++++++ --- /var/tmp/diff_new_pack.zuK5Rz/_old 2015-09-19 06:52:50.000000000 +0200 +++ /var/tmp/diff_new_pack.zuK5Rz/_new 2015-09-19 06:52:50.000000000 +0200 @@ -55,6 +55,8 @@ Patch33: python-2.7.9-ssl_ca_path.patch # PATCH-FEATURE-SLE disable SSL verification-by-default in http clients Patch34: python-2.7.9-sles-disable-verification-by-default.patch +# PATCH-FIX-UPSTREAM python-ncurses-6.0-accessors.patch dims...@opensuse.org -- Fix build with NCurses 6.0 and OPAQUE_WINDOW set to 1 +Patch35: python-ncurses-6.0-accessors.patch # COMMON-PATCH-END Provides: pyth_doc Provides: pyth_ps @@ -98,9 +100,10 @@ %patch24 -p1 %patch31 -p1 %patch33 -p1 -%if %{suse_version} == 1315 +%if %{suse_version} == 1315 && !0%{?is_opensuse} %patch34 -p1 %endif +%patch35 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac ++++++ python.spec ++++++ --- /var/tmp/diff_new_pack.zuK5Rz/_old 2015-09-19 06:52:50.000000000 +0200 +++ /var/tmp/diff_new_pack.zuK5Rz/_new 2015-09-19 06:52:50.000000000 +0200 @@ -30,6 +30,7 @@ Source2: pythonstart Source3: python.sh Source4: python.csh +Source8: sle_tls_checks_policy.py #Source11: testfiles.tar.bz2 # issues with copyrighted Unicode testing files @@ -59,6 +60,8 @@ Patch33: python-2.7.9-ssl_ca_path.patch # PATCH-FEATURE-SLE disable SSL verification-by-default in http clients Patch34: python-2.7.9-sles-disable-verification-by-default.patch +# PATCH-FIX-UPSTREAM python-ncurses-6.0-accessors.patch dims...@opensuse.org -- Fix build with NCurses 6.0 and OPAQUE_WINDOW set to 1 +Patch35: python-ncurses-6.0-accessors.patch # COMMON-PATCH-END BuildRequires: automake BuildRequires: db-devel 
@@ -76,6 +79,9 @@ %define python_version %(echo %{tarversion} | head -c 3) %define idle_name idle Requires: python-base = %{version} +%if %{suse_version} == 1315 && !0%{?is_opensuse} +Recommends: python-strict-tls-check +%endif Provides: %{name} = %{python_version} Obsoletes: python-elementtree Obsoletes: python-nothreads @@ -160,6 +166,23 @@ An easy to use interface for GDBM databases. GDBM is the GNU implementation of the standard Unix DBM databases. +%if %{suse_version} == 1315 && !0%{?is_opensuse} +%package strict-tls-check +Summary: Enable secure verification of TLS certificates +Group: Development/Libraries/Python +Requires: %{name} = %{version} +Supplements: %{name} + +%description strict-tls-check +When this package is present, Python performs strict verification of +TLS certificates, including hostname check, by default. This is +the preferred secure setting. + +It is distributed as a separate package, because this behavior +can cause verification errors in improperly written legacy scripts +that rely on earlier non-verification behavior. +%endif + %prep %setup -q -n %{tarname} # COMMON-PREP-BEGIN @@ -178,14 +201,19 @@ %patch24 -p1 %patch31 -p1 %patch33 -p1 -%if %{suse_version} == 1315 +%if %{suse_version} == 1315 && !0%{?is_opensuse} %patch34 -p1 %endif +%patch35 -p1 # drop Autoconf version requirement sed -i 's/^version_required/dnl version_required/' configure.ac # COMMON-PREP-END +%if %{suse_version} == 1315 && !0%{?is_opensuse} +cp %{SOURCE8} Lib/ +%endif + %build # necessary for correct linking with GDBM: export SUSE_ASNEEDED=0 
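Review bot: In the `@@ -76,6 +79,9 @@` hunk the verifying default reaches the main package only through `Recommends: python-strict-tls-check`. An install that skips recommended packages, or a later removal of the subpackage, therefore leaves the patched ssl.py on its `_create_unverified_context` fallback with nothing in the package metadata saying so. The changelog entries in this commit call the subpackage `python-strict-tls-checks`, while `%package strict-tls-check` produces `python-strict-tls-check`, so an admin searching for the changelog name will not find the package. I would add a comment above the Recommends line, e.g. `# weak dependency on purpose: without python-strict-tls-check, ssl.py falls back to _create_unverified_context`. The `%description strict-tls-check` text in the `@@ -160,6 +166,23 @@` hunk should also say that removing the package turns certificate verification off in the default HTTPS context.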
@@ -247,7 +275,9 @@ rm %{buildroot}%{_mandir}/man1/python* rm %{buildroot}%{_libdir}/libpython*.so.* rm %{buildroot}%{_libdir}/python -find %{buildroot}%{_libdir}/python%{python_version} -maxdepth 1 ! \( -name "ssl.py" \) -exec rm {} ";" +find %{buildroot}%{_libdir}/python%{python_version} -maxdepth 1 \ + ! \( -name "ssl.py*" -o -name "sle_tls_checks_policy.py*" \) \ + -exec rm {} ";" rm %{buildroot}%{_bindir}/python%{python_version}-config rm %{buildroot}%{_bindir}/python2-config rm %{buildroot}%{_bindir}/python-config @@ -401,6 +431,12 @@ %{_libdir}/python%{python_version}/lib-dynload/gdbm.so %{_libdir}/python%{python_version}/lib-dynload/dbm.so +%if %{suse_version} == 1315 && !0%{?is_opensuse} +%files strict-tls-check +%defattr(644, root, root, 755) +%{_libdir}/python%{python_version}/sle_tls_checks_policy.py* +%endif + %files %defattr(644, root, root, 755) %dir %{_docdir}/%{name} ++++++ python-2.7.9-sles-disable-verification-by-default.patch ++++++ --- /var/tmp/diff_new_pack.zuK5Rz/_old 2015-09-19 06:52:50.000000000 +0200 +++ /var/tmp/diff_new_pack.zuK5Rz/_new 2015-09-19 06:52:50.000000000 +0200 
@@ -1,14 +1,24 @@ Index: Python-2.7.9/Lib/ssl.py =================================================================== ---- Python-2.7.9.orig/Lib/ssl.py 2015-05-14 15:02:05.872792333 +0200 -+++ Python-2.7.9/Lib/ssl.py 2015-05-14 15:23:27.874013424 +0200 -@@ -469,7 +469,8 @@ +--- Python-2.7.9.orig/Lib/ssl.py 2015-08-12 15:53:27.419729448 +0200 ++++ Python-2.7.9/Lib/ssl.py 2015-08-12 15:58:10.668465183 +0200 +@@ -469,7 +469,18 @@ return context # Used by http.client if no context is explicitly passed. -_create_default_https_context = create_default_context -+# PATCH-SLE: still use unverified context. see PEP476 -+_create_default_https_context = _create_unverified_context ++try: ++ # load the TLS checks policy from separate package ++ import sle_tls_checks_policy as policy ++ if policy.get_policy: ++ _create_default_https_context = policy.get_policy() ++ else: ++ # empty policy file means simply enable strict verification ++ _create_default_https_context = create_default_context ++ ++except ImportError: ++ # policy not present, disable verification for backwards compatibility ++ _create_default_https_context = _create_unverified_context # Backwards compatibility alias, even though it's not a public name. ++++++ python-ncurses-6.0-accessors.patch ++++++ Index: Python-2.7.10/Modules/_cursesmodule.c =================================================================== --- Python-2.7.10.orig/Modules/_cursesmodule.c +++ Python-2.7.10/Modules/_cursesmodule.c @@ -807,7 +807,7 @@ PyCursesWindow_EchoChar(PyCursesWindowOb } #ifdef WINDOW_HAS_FLAGS - if (self->win->_flags & _ISPAD) + if (is_pad(self->win)) return PyCursesCheckERR(pechochar(self->win, ch | attr), "echochar"); else @@ -1237,7 +1237,7 @@ PyCursesWindow_NoOutRefresh(PyCursesWind #ifndef WINDOW_HAS_FLAGS if (0) #else - if (self->win->_flags & _ISPAD) + if (is_pad(self->win)) #endif { switch(PyTuple_Size(args)) { 
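Review bot: The new `if policy.get_policy:` line in the ssl.py patch raises AttributeError when the policy module defines no `get_policy`, which is the "empty policy file" case the comment below it promises to handle. Only ImportError is caught, so `import ssl` itself would fail there. The `try` also wraps the `policy.get_policy()` call, so an ImportError raised inside the policy module looks the same as the package being absent and silently selects `_create_unverified_context`. I would keep only the import inside the `try`, look the hook up with `getattr`, and fall back to `create_default_context` when it is missing, as sketched below.

```python
# Used by http.client if no context is explicitly passed.
try:
    # load the TLS checks policy from separate package
    import sle_tls_checks_policy as policy
except ImportError:
    # policy not present, disable verification for backwards compatibility
    _create_default_https_context = _create_unverified_context
else:
    # a policy module without get_policy still means strict verification
    _get_policy = getattr(policy, 'get_policy', None)
    if _get_policy is not None:
        _create_default_https_context = _get_policy()
    else:
        _create_default_https_context = create_default_context
```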
@@ -1380,7 +1380,7 @@ PyCursesWindow_Refresh(PyCursesWindowObj #ifndef WINDOW_HAS_FLAGS if (0) #else - if (self->win->_flags & _ISPAD) + if (is_pad(self->win)) #endif { switch(PyTuple_Size(args)) { @@ -1447,7 +1447,7 @@ PyCursesWindow_SubWin(PyCursesWindowObje /* printf("Subwin: %i %i %i %i \n", nlines, ncols, begin_y, begin_x); */ #ifdef WINDOW_HAS_FLAGS - if (self->win->_flags & _ISPAD) + if (is_pad(self->win)) win = subpad(self->win, nlines, ncols, begin_y, begin_x); else #endif ++++++ sle_tls_checks_policy.py ++++++ import ssl def get_policy(): return ssl.create_default_context
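Review bot: `get_policy()` in the new sle_tls_checks_policy.py returns the function `ssl.create_default_context` rather than a context object, and nothing in the file says so. The patched ssl.py assigns that return value straight to `_create_default_https_context`, so the contract is "return a context factory". A docstring such as `"""Return the callable that ssl.py installs as _create_default_https_context."""` would make that explicit for anyone who replaces the policy file. The file also does `import ssl` while ssl.py imports it during its own initialisation, and this cycle appears to work only because the attribute is read inside the function. A comment like `# imported by ssl.py at import time; do not touch ssl attributes at module top level` would guard it.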