Hello community,
here is the log from the commit of package python for openSUSE:Factory checked
in at 2015-09-19 06:52:47
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python (Old)
and /work/SRC/openSUSE:Factory/.python.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python"
Changes:
--------
--- /work/SRC/openSUSE:Factory/python/python-base.changes 2015-06-12
20:28:37.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.python.new/python-base.changes 2015-09-19
06:52:48.000000000 +0200
@@ -1,0 +2,13 @@
+Mon Sep 14 15:04:43 UTC 2015 - jmate...@suse.com
+
+- copy strict-tls-checks subpackage from SLE to retain future compatibility
+ (not built in openSUSE)
+- do this properly to fix bnc#945401
+
+-------------------------------------------------------------------
+Wed Sep 9 12:19:01 UTC 2015 - dims...@opensuse.org
+
+- Add python-ncurses-6.0-accessors.patch: Fix build with
+ NCurses 6.0 and OPAQUE_WINDOW set to 1.
+
+-------------------------------------------------------------------
--- /work/SRC/openSUSE:Factory/python/python.changes 2015-06-06
09:49:30.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.python.new/python.changes 2015-09-19
06:52:48.000000000 +0200
@@ -1,0 +2,17 @@
+Mon Sep 14 15:03:30 UTC 2015 - jmate...@suse.com
+
+- implement python-strict-tls-checks subpackage
+ * when present, Python will perform TLS certificate checking by default.
+ it is possible to remove the package to turn off the checks
+ for compatibility with legacy scripts.
+ * as discussed in fate#318300
+ * this is not built for openSUSE, but retained here in case we want
+ to build the package for a SLE system
+
+-------------------------------------------------------------------
+Wed Sep 9 12:18:20 UTC 2015 - dims...@opensuse.org
+
+- Add python-ncurses-6.0-accessors.patch: Fix build with
+ NCurses 6.0 and OPAQUE_WINDOW set to 1.
+
+-------------------------------------------------------------------
New:
----
python-ncurses-6.0-accessors.patch
sle_tls_checks_policy.py
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-base.spec ++++++
--- /var/tmp/diff_new_pack.zuK5Rz/_old 2015-09-19 06:52:50.000000000 +0200
+++ /var/tmp/diff_new_pack.zuK5Rz/_new 2015-09-19 06:52:50.000000000 +0200
@@ -54,6 +54,8 @@
Patch33: python-2.7.9-ssl_ca_path.patch
# PATCH-FEATURE-SLE disable SSL verification-by-default in http clients
Patch34: python-2.7.9-sles-disable-verification-by-default.patch
+# PATCH-FIX-UPSTREAM python-ncurses-6.0-accessors.patch dims...@opensuse.org
-- Fix build with NCurses 6.0 and OPAQUE_WINDOW set to 1
+Patch35: python-ncurses-6.0-accessors.patch
# COMMON-PATCH-END
%define python_version %(echo %{tarversion} | head -c 3)
BuildRequires: automake
@@ -143,9 +145,10 @@
%patch24 -p1
%patch31 -p1
%patch33 -p1
-%if %{suse_version} == 1315
+%if %{suse_version} == 1315 && !0%{?is_opensuse}
%patch34 -p1
%endif
+%patch35 -p1
# drop Autoconf version requirement
sed -i 's/^version_required/dnl version_required/' configure.ac
++++++ python-doc.spec ++++++
--- /var/tmp/diff_new_pack.zuK5Rz/_old 2015-09-19 06:52:50.000000000 +0200
+++ /var/tmp/diff_new_pack.zuK5Rz/_new 2015-09-19 06:52:50.000000000 +0200
@@ -55,6 +55,8 @@
Patch33: python-2.7.9-ssl_ca_path.patch
# PATCH-FEATURE-SLE disable SSL verification-by-default in http clients
Patch34: python-2.7.9-sles-disable-verification-by-default.patch
+# PATCH-FIX-UPSTREAM python-ncurses-6.0-accessors.patch dims...@opensuse.org
-- Fix build with NCurses 6.0 and OPAQUE_WINDOW set to 1
+Patch35: python-ncurses-6.0-accessors.patch
# COMMON-PATCH-END
Provides: pyth_doc
Provides: pyth_ps
@@ -98,9 +100,10 @@
%patch24 -p1
%patch31 -p1
%patch33 -p1
-%if %{suse_version} == 1315
+%if %{suse_version} == 1315 && !0%{?is_opensuse}
%patch34 -p1
%endif
+%patch35 -p1
# drop Autoconf version requirement
sed -i 's/^version_required/dnl version_required/' configure.ac
++++++ python.spec ++++++
--- /var/tmp/diff_new_pack.zuK5Rz/_old 2015-09-19 06:52:50.000000000 +0200
+++ /var/tmp/diff_new_pack.zuK5Rz/_new 2015-09-19 06:52:50.000000000 +0200
@@ -30,6 +30,7 @@
Source2: pythonstart
Source3: python.sh
Source4: python.csh
+Source8: sle_tls_checks_policy.py
#Source11: testfiles.tar.bz2
# issues with copyrighted Unicode testing files
@@ -59,6 +60,8 @@
Patch33: python-2.7.9-ssl_ca_path.patch
# PATCH-FEATURE-SLE disable SSL verification-by-default in http clients
Patch34: python-2.7.9-sles-disable-verification-by-default.patch
+# PATCH-FIX-UPSTREAM python-ncurses-6.0-accessors.patch dims...@opensuse.org
-- Fix build with NCurses 6.0 and OPAQUE_WINDOW set to 1
+Patch35: python-ncurses-6.0-accessors.patch
# COMMON-PATCH-END
BuildRequires: automake
BuildRequires: db-devel
@@ -76,6 +79,9 @@
%define python_version %(echo %{tarversion} | head -c 3)
%define idle_name idle
Requires: python-base = %{version}
+%if %{suse_version} == 1315 && !0%{?is_opensuse}
+Recommends: python-strict-tls-check
+%endif
Provides: %{name} = %{python_version}
Obsoletes: python-elementtree
Obsoletes: python-nothreads
@@ -160,6 +166,23 @@
An easy to use interface for GDBM databases. GDBM is the GNU
implementation of the standard Unix DBM databases.
+%if %{suse_version} == 1315 && !0%{?is_opensuse}
+%package strict-tls-check
+Summary: Enable secure verification of TLS certificates
+Group: Development/Libraries/Python
+Requires: %{name} = %{version}
+Supplements: %{name}
+
+%description strict-tls-check
+When this package is present, Python performs strict verification of
+TLS certificates, including hostname check, by default. This is
+the preferred secure setting.
+
+It is distributed as a separate package, because this behavior
+can cause verification errors in improperly written legacy scripts
+that rely on earlier non-verification behavior.
+%endif
+
%prep
%setup -q -n %{tarname}
# COMMON-PREP-BEGIN
@@ -178,14 +201,19 @@
%patch24 -p1
%patch31 -p1
%patch33 -p1
-%if %{suse_version} == 1315
+%if %{suse_version} == 1315 && !0%{?is_opensuse}
%patch34 -p1
%endif
+%patch35 -p1
# drop Autoconf version requirement
sed -i 's/^version_required/dnl version_required/' configure.ac
# COMMON-PREP-END
+%if %{suse_version} == 1315 && !0%{?is_opensuse}
+cp %{SOURCE8} Lib/
+%endif
+
%build
# necessary for correct linking with GDBM:
export SUSE_ASNEEDED=0
@@ -247,7 +275,9 @@
rm %{buildroot}%{_mandir}/man1/python*
rm %{buildroot}%{_libdir}/libpython*.so.*
rm %{buildroot}%{_libdir}/python
-find %{buildroot}%{_libdir}/python%{python_version} -maxdepth 1 ! \( -name
"ssl.py" \) -exec rm {} ";"
+find %{buildroot}%{_libdir}/python%{python_version} -maxdepth 1 \
+ ! \( -name "ssl.py*" -o -name "sle_tls_checks_policy.py*" \) \
+ -exec rm {} ";"
rm %{buildroot}%{_bindir}/python%{python_version}-config
rm %{buildroot}%{_bindir}/python2-config
rm %{buildroot}%{_bindir}/python-config
@@ -401,6 +431,12 @@
%{_libdir}/python%{python_version}/lib-dynload/gdbm.so
%{_libdir}/python%{python_version}/lib-dynload/dbm.so
+%if %{suse_version} == 1315 && !0%{?is_opensuse}
+%files strict-tls-check
+%defattr(644, root, root, 755)
+%{_libdir}/python%{python_version}/sle_tls_checks_policy.py*
+%endif
+
%files
%defattr(644, root, root, 755)
%dir %{_docdir}/%{name}
++++++ python-2.7.9-sles-disable-verification-by-default.patch ++++++
--- /var/tmp/diff_new_pack.zuK5Rz/_old 2015-09-19 06:52:50.000000000 +0200
+++ /var/tmp/diff_new_pack.zuK5Rz/_new 2015-09-19 06:52:50.000000000 +0200
@@ -1,14 +1,24 @@
Index: Python-2.7.9/Lib/ssl.py
===================================================================
---- Python-2.7.9.orig/Lib/ssl.py 2015-05-14 15:02:05.872792333 +0200
-+++ Python-2.7.9/Lib/ssl.py 2015-05-14 15:23:27.874013424 +0200
-@@ -469,7 +469,8 @@
+--- Python-2.7.9.orig/Lib/ssl.py 2015-08-12 15:53:27.419729448 +0200
++++ Python-2.7.9/Lib/ssl.py 2015-08-12 15:58:10.668465183 +0200
+@@ -469,7 +469,18 @@
return context
# Used by http.client if no context is explicitly passed.
-_create_default_https_context = create_default_context
-+# PATCH-SLE: still use unverified context. see PEP476
-+_create_default_https_context = _create_unverified_context
++try:
++ # load the TLS checks policy from separate package
++ import sle_tls_checks_policy as policy
++ if policy.get_policy:
++ _create_default_https_context = policy.get_policy()
++ else:
++ # empty policy file means simply enable strict verification
++ _create_default_https_context = create_default_context
++
++except ImportError:
++ # policy not present, disable verification for backwards compatibility
++ _create_default_https_context = _create_unverified_context
# Backwards compatibility alias, even though it's not a public name.
++++++ python-ncurses-6.0-accessors.patch ++++++
Index: Python-2.7.10/Modules/_cursesmodule.c
===================================================================
--- Python-2.7.10.orig/Modules/_cursesmodule.c
+++ Python-2.7.10/Modules/_cursesmodule.c
@@ -807,7 +807,7 @@ PyCursesWindow_EchoChar(PyCursesWindowOb
}
#ifdef WINDOW_HAS_FLAGS
- if (self->win->_flags & _ISPAD)
+ if (is_pad(self->win))
return PyCursesCheckERR(pechochar(self->win, ch | attr),
"echochar");
else
@@ -1237,7 +1237,7 @@ PyCursesWindow_NoOutRefresh(PyCursesWind
#ifndef WINDOW_HAS_FLAGS
if (0)
#else
- if (self->win->_flags & _ISPAD)
+ if (is_pad(self->win))
#endif
{
switch(PyTuple_Size(args)) {
@@ -1380,7 +1380,7 @@ PyCursesWindow_Refresh(PyCursesWindowObj
#ifndef WINDOW_HAS_FLAGS
if (0)
#else
- if (self->win->_flags & _ISPAD)
+ if (is_pad(self->win))
#endif
{
switch(PyTuple_Size(args)) {
@@ -1447,7 +1447,7 @@ PyCursesWindow_SubWin(PyCursesWindowObje
/* printf("Subwin: %i %i %i %i \n", nlines, ncols, begin_y, begin_x); */
#ifdef WINDOW_HAS_FLAGS
- if (self->win->_flags & _ISPAD)
+ if (is_pad(self->win))
win = subpad(self->win, nlines, ncols, begin_y, begin_x);
else
#endif
++++++ sle_tls_checks_policy.py ++++++
import ssl
def get_policy():
return ssl.create_default_context
