diff --git a/allow-stripping-given-prefix-from-wheel-RECORD-files.patch b/allow-stripping-given-prefix-from-wheel-RECORD-files.patch index d3aa35f488f7cb21c314529440197151a6778227..e038bd5d6a6fee7aaa52fe2f3e6e327b22980afa 100644 --- a/allow-stripping-given-prefix-from-wheel-RECORD-files.patch +++ b/allow-stripping-given-prefix-from-wheel-RECORD-files.patch @@ -12,20 +12,20 @@ diff --git a/src/pip/_internal/commands/install.py b/src/pip/_internal/commands/ index 8c2c32f..674d30c 100644 --- a/src/pip/_internal/commands/install.py +++ b/src/pip/_internal/commands/install.py -@@ -130,6 +130,13 @@ class InstallCommand(RequirementCommand): - default=None, - help="Installation prefix where lib, bin and other top-level " - "folders are placed") +@@ -134,6 +134,13 @@ class InstallCommand(RequirementCommand): + "folders are placed" + ), + ) + self.cmd_opts.add_option( -+ '--strip-file-prefix', -+ dest='strip_file_prefix', -+ metavar='prefix', -+ default=None, -+ help="Strip given prefix from script paths in wheel RECORD." -+ ) ++ '--strip-file-prefix', ++ dest='strip_file_prefix', ++ metavar='prefix', ++ default=None, ++ help="Strip given prefix from script paths in wheel RECORD." ++ ) - self.cmd_opts.add_option(cmdoptions.build_dir()) + self.cmd_opts.add_option(cmdoptions.src()) - +-- 2.23.0 diff --git a/backport-CVE-2021-3572.patch b/backport-CVE-2021-3572.patch deleted file mode 100644 index 869d962d6d6f429f1ad3eecc7372e35cf966a230..0000000000000000000000000000000000000000 --- a/backport-CVE-2021-3572.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From ca832b2836e0bffa7cf95589acdcd71230f5834e Mon Sep 17 00:00:00 2001 -From: Pradyun Gedam -Date: Sat, 24 Apr 2021 10:13:15 +0100 -Subject: [PATCH] Don't split git references on unicode separators - -Reference:https://github.com/pypa/pip/commit/ca832b2836e0bffa7cf95589acdcd71230f5834e - -Previously, maliciously formatted tags could be used to hijack a -commit-based pin. Using the fact that the split here allowed for -all of unicode's whitespace characters as separators -- which git allows -as a part of a tag name -- it is possible to force a different revision -to be installed; if an attacker gains access to the repository. - -This change stops splitting the string on unicode characters, by forcing -the splits to happen on newlines and ASCII spaces. ---- - src/pip/_internal/vcs/git.py | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/src/pip/_internal/vcs/git.py b/src/pip/_internal/vcs/git.py -index 1831aed..37be66c 100644 ---- a/src/pip/_internal/vcs/git.py -+++ b/src/pip/_internal/vcs/git.py -@@ -143,9 +143,15 @@ class Git(VersionControl): - pass - - refs = {} -- for line in output.strip().splitlines(): -+ # NOTE: We do not use splitlines here since that would split on other -+ # unicode separators, which can be maliciously used to install a -+ # different revision. -+ for line in output.strip().split("\n"): -+ line = line.rstrip("\r") -+ if not line: -+ continue - try: -- sha, ref = line.split() -+ sha, ref = line.split(" ", maxsplit=2) - except ValueError: - # Include the offending line to simplify troubleshooting if - # this error ever occurs. --- -1.8.3.1 - diff --git a/dummy-certifi.patch b/dummy-certifi.patch index f873988b839b2887aaa02df4ce7eb9898ac4334a..ede6f03fd61c92c401bb3df9b9c3c14c615a7f00 100644 --- a/dummy-certifi.patch +++ b/dummy-certifi.patch @@ -11,15 +11,15 @@ diff --git a/src/pip/_vendor/certifi/core.py b/src/pip/_vendor/certifi/core.py index 8987449..568d078 100644 
--- a/src/pip/_vendor/certifi/core.py +++ b/src/pip/_vendor/certifi/core.py -@@ -9,6 +9,7 @@ This module returns the installation location of cacert.pem or its contents. - import os +@@ -23,6 +23,7 @@ try: + return _PIP_STANDALONE_CERT + raise _PipPatchedCertificate() - try: + raise ImportError # force fallback from importlib.resources import path as get_path, read_text _CACERT_CTX = None -@@ -51,9 +52,7 @@ except ImportError: +@@ -67,9 +68,7 @@ except ImportError: # If we don't have importlib.resources, then we will just do the old logic # of assuming we're on the filesystem and munge the path directly. def where(): diff --git a/emit-a-warning-when-running-with-root-privileges.patch b/emit-a-warning-when-running-with-root-privileges.patch index 7c6a390d3720453eebb179dd1b86f75c3ea73583..cb886a0eeed5262032f60447634ed8c3cba12a4e 100644 --- a/emit-a-warning-when-running-with-root-privileges.patch +++ b/emit-a-warning-when-running-with-root-privileges.patch @@ -19,9 +19,9 @@ index 70bda2e2..1e750ae1 100644 import site +import sys +from os import path - from optparse import SUPPRESS_HELP + from optparse import SUPPRESS_HELP, Values + from typing import Iterable, List, Optional - from pip._vendor import pkg_resources @@ -241,6 +243,23 @@ class InstallCommand(RequirementCommand): raise CommandError("Can not combine '--user' and '--target'") diff --git a/pip-20.3.3.tar.gz b/pip-20.3.3.tar.gz deleted file mode 100644 index eb286c6709419eb7ab4622cc571c14d7fffd4854..0000000000000000000000000000000000000000 Binary files a/pip-20.3.3.tar.gz and /dev/null differ diff --git a/pip-21.3.1.tar.gz b/pip-21.3.1.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..6b33f4aea56d4470f3776fb8aca3541d5e1d94b1 Binary files /dev/null and b/pip-21.3.1.tar.gz differ diff --git a/python-pip.spec b/python-pip.spec index 47c97878884569adc9b7e07b307556f670f18933..d4aaf51c5d4847c8b09980f1a483ff6b124901de 100644 --- a/python-pip.spec +++ b/python-pip.spec 
@@ -1,12 +1,12 @@ %global srcname pip -%global python_wheelname %{srcname}-%{version}-py2.py3-none-any.whl +%global python_wheelname %{srcname}-%{version}-py3-none-any.whl %global python_wheeldir %{_datadir}/python-wheels %global _description \ pip is the package installer for Python. You can use pip to install packages from the Python Package Index and other indexes. %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d}) Name: python-%{srcname} -Version: 20.3.3 -Release: 4 +Version: 21.3.1 +Release: 1 Summary: A tool for installing and managing Python packages License: MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD) URL: http://www.pip-installer.org @@ -14,9 +14,7 @@ Source0: %{pypi_source} BuildArch: noarch Patch1: allow-stripping-given-prefix-from-wheel-RECORD-files.patch Patch2: emit-a-warning-when-running-with-root-privileges.patch -Patch3: remove-existing-dist-only-if-path-conflicts.patch Patch6000: dummy-certifi.patch -Patch6001: backport-CVE-2021-3572.patch Source10: pip-allow-older-versions.patch @@ -26,7 +24,7 @@ Source10: pip-allow-older-versions.patch Summary: %{summary} BuildRequires: python%{python3_pkgversion}-devel python%{python3_pkgversion}-setuptools bash-completion ca-certificates Requires: python%{python3_pkgversion}-setuptools ca-certificates -BuildRequires: python%{python3_pkgversion}-pip python%{python3_pkgversion}-wheel +BuildRequires: python%{python3_pkgversion}-wheel %{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}} %description -n python%{python3_pkgversion}-%{srcname} %{_description} @@ -119,6 +117,9 @@ install -p dist/%{python_wheelname} -t %{buildroot}%{python_wheeldir} %{python_wheeldir}/%{python_wheelname} %changelog +* Mon Dec 20 2021 renhongxun - 21.3.1-1 +- upgrade version to 21.3.1 + * Sat Aug 23 2021 shixuantong - 20.3.3-4 - delete bounded certificate 
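Review bot: The `@@ -14,9 +14,7 @@` hunk drops `Patch3` and `Patch6001` from the patch list, but nothing in the spec records why; the new `%changelog` entry says only `- upgrade version to 21.3.1`. Patch6001 carried the CVE-2021-3572 fix (git references split on unicode separators) and Patch3 kept `pip install -U` from removing system packages under /usr/lib (rhbz#1550368), so an auditor cannot tell from this commit whether either behaviour survives in the new tarball. The CVE fix is presumably part of 21.3.1, since the upstream commit in the deleted patch is dated April 2021, but that should be confirmed against the unpacked source. No upstream equivalent of the /usr/lib guard is visible here at all, so dropping Patch3 may be a behaviour change for root installs. I would add changelog lines such as `- drop backport-CVE-2021-3572.patch, fix included upstream` and `- drop remove-existing-dist-only-if-path-conflicts.patch (<reason>)`.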
diff --git a/remove-existing-dist-only-if-path-conflicts.patch b/remove-existing-dist-only-if-path-conflicts.patch deleted file mode 100644 index 8a09f051e181c7eaf9a52868f6aac259f34f72ca..0000000000000000000000000000000000000000 --- a/remove-existing-dist-only-if-path-conflicts.patch +++ /dev/null 
@@ -1,94 +0,0 @@ -From 854fd7296bb9306d46ba3cc8bb7c6f18a7960ed6 Mon Sep 17 00:00:00 2001 -From: Tomas Hrnciar -Date: Sun, 26 Apr 2020 21:19:03 +0200 -Subject: [PATCH] Prevent removing of the system packages installed under - /usr/lib - -when pip install -U is executed. - -Resolves: rhbz#1550368 - -Co-Authored-By: Michal Cyprian -Co-Authored-By: Victor Stinner ---- - src/pip/_internal/req/req_install.py | 3 ++- - src/pip/_internal/resolution/legacy/resolver.py | 5 ++++- - src/pip/_internal/utils/misc.py | 11 +++++++++++ - 3 files changed, 17 insertions(+), 2 deletions(-) - -diff --git a/src/pip/_internal/req/req_install.py b/src/pip/_internal/req/req_install.py -index 4759f4a..2e76e35 100644 ---- a/src/pip/_internal/req/req_install.py -+++ b/src/pip/_internal/req/req_install.py -@@ -41,6 +41,7 @@ from pip._internal.utils.misc import ( - ask_path_exists, - backup_dir, - display_path, -+ dist_in_install_path, - dist_in_site_packages, - dist_in_usersite, - get_distribution, -@@ -447,7 +448,7 @@ class InstallRequirement(object): - "lack sys.path precedence to {} in {}".format( - existing_dist.project_name, existing_dist.location) - ) -- else: -+ elif dist_in_install_path(existing_dist): - self.should_reinstall = True - else: - if self.editable: -diff --git a/src/pip/_internal/resolution/legacy/resolver.py b/src/pip/_internal/resolution/legacy/resolver.py -index c9b4c66..ff361d8 100644 ---- a/src/pip/_internal/resolution/legacy/resolver.py -+++ b/src/pip/_internal/resolution/legacy/resolver.py -@@ -34,6 +34,7 @@ from pip._internal.resolution.base import BaseResolver - from pip._internal.utils.compatibility_tags import get_supported - from pip._internal.utils.logging import indent_log - from pip._internal.utils.misc import dist_in_usersite, normalize_version_info -+from pip._internal.utils.misc import dist_in_install_path - from pip._internal.utils.packaging import check_requires_python, get_requires_python - from pip._internal.utils.typing import MYPY_CHECK_RUNNING - -@@ 
-204,7 +205,9 @@ class Resolver(BaseResolver): - """ - # Don't uninstall the conflict if doing a user install and the - # conflict is not a user install. -- if not self.use_user_site or dist_in_usersite(req.satisfied_by): -+ if ((not self.use_user_site -+ or dist_in_usersite(req.satisfied_by)) -+ and dist_in_install_path(req.satisfied_by)): - req.should_reinstall = True - req.satisfied_by = None - -diff --git a/src/pip/_internal/utils/misc.py b/src/pip/_internal/utils/misc.py -index 24a7455..5fd48d3 100644 ---- a/src/pip/_internal/utils/misc.py -+++ b/src/pip/_internal/utils/misc.py -@@ -31,7 +31,7 @@ from pip._vendor.six.moves.urllib.parse import unquote as urllib_unquote - - from pip import __version__ - from pip._internal.exceptions import CommandError --from pip._internal.locations import get_major_minor_version, site_packages, user_site -+from pip._internal.locations import distutils_scheme, get_major_minor_version, site_packages, user_site - from pip._internal.utils.compat import WINDOWS, expanduser, stdlib_pkgs, str_to_display - from pip._internal.utils.typing import MYPY_CHECK_RUNNING, cast - from pip._internal.utils.virtualenv import ( -@@ -406,6 +406,16 @@ def dist_in_site_packages(dist): - return dist_location(dist).startswith(normalize_path(site_packages)) - - -+def dist_in_install_path(dist): -+ """ -+ Return True if given Distribution is installed in -+ path matching distutils_scheme layout. -+ """ -+ norm_path = normalize_path(dist_location(dist)) -+ return norm_path.startswith(normalize_path( -+ distutils_scheme("")['purelib'].split('python')[0])) -+ -+ - def dist_is_editable(dist): - # type: (Distribution) -> bool - """ --- -2.25.4 \ No newline at end of file