setuptools (it's used as a package locator but importlib.metadata in
newer Python core or the external importlib_metadata are preferred).
So drop the RDEP in that case (it's still kept for py27) and bump
revisions.
with Python 3.9+'s definition of PyMODINIT_FUNC and our readline headers
https://github.com/openbsd/src/blob/master/gnu/lib/libreadline/rlstdc.h#L41
(Due to some other strangeness in the build system, on 3.9 it rebuilt a
working version after the first attempt failed and the file was moved out
of the way, but that no longer happens with 3.10+ where readline just
failed).
Fix up PLISTs and WANTLIB for Python 3.11 while there.
Joint work with landry@ tb@ kmos@, ok tb kmos
version in -stable of the previous release when plist is changed etc
(e.g. backporting updates to -stable after switching the default
Python version during a release cycle means that -current needs
to keep ahead of -stable, to avoid problems with -stable packages
at the next release)
https://docs.python.org/release/3.9.15/whatsnew/changelog.html
gh-97616: Fix multiplying a list by an integer (list *= int): detect the
integer overflow when the new allocated length is close to the
maximum size. Issue reported by Jordan Limor. Patch by Victor
Stinner.
gh-97612: Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no longer
uses a shell to run openssl commands. Issue reported and
initial fix by Caleb Shortt. Patch by Victor Stinner.
Also a couple of non-security fixes.
ok sthen
gh-97616: Fix multiplying a list by an integer (list *= int): detect the
integer overflow when the new allocated length is close to the
maximum size. Issue reported by Jordan Limor. Patch by Victor
Stinner.
gh-97612: Fix a shell code injection vulnerability in the
get-remote-certificate.py example script. The script no longer
uses a shell to run openssl commands. Issue reported and
initial fix by Caleb Shortt. Patch by Victor Stinner.
gh-68966: The deprecated mailcap module now refuses to inject unsafe text
(filenames, MIME types, parameters) into shell
commands. Instead of using such text, it will warn and act as
if a match was not found (or for test commands, as if the test
failed).
ok sthen
* gh-95778: Converting between int and str in bases other than 2
(binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10
(decimal) now raises a ValueError if the number of digits in string form
is above a limit to avoid potential denial of service attacks due to the
algorithmic complexity. This is a mitigation for CVE-2020-10735.
This new limit can be configured or disabled by environment variable,
command line flag, or sys APIs. See the integer string conversion length
limitation documentation. The default limit is 4300 digits in string
form.
Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with
feedback from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily,
and Mark Dickinson.
ok sthen
* CVE-2020-10735: converting between int and str in bases other than
2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10
(decimal) now raises a ValueError if the number of digits in string form
is above a limit to avoid potential denial of service attacks due to the
algorithmic complexity.
* gh-87389: http.server: Fix an open redirection vulnerability in the
HTTP server when a URI path starts with //.
* gh-93065: Fix contextvars HAMT implementation to handle iteration over
deep trees to avoid a potential crash of the interpreter.
* gh-90355: Fix ensurepip environment isolation for the subprocess
running pip.
ok sthen
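The int/str conversion limit described in the two CVE-2020-10735 entries above, exercised as an added example (not code from the ports tree or from CPython): it queries the real sys API the changelog refers to, probes whether this interpreter enforces the limit, shows that the power-of-two bases stay unlimited, and adds a hypothetical safe_int() helper for code that must also run on interpreters without the fix.

```python
# Added example, not code from the OpenBSD ports tree or CPython: exercise
# the CVE-2020-10735 int/str conversion limit. safe_int() is a hypothetical
# helper for code that must also run on interpreters without the fix.
import sys

DEFAULT_LIMIT = 4300  # default digit limit stated in the changelog


def current_limit():
    """Configured limit via the sys API, or None on an unpatched interpreter."""
    getter = getattr(sys, "get_int_max_str_digits", None)
    return getter() if getter else None


def interpreter_enforces_limit():
    """True if int() raises ValueError for a decimal string one digit over
    the limit, i.e. the mitigation is present and has not been disabled."""
    limit = current_limit()
    if limit is None:            # unpatched: probe with the documented default
        probe = DEFAULT_LIMIT + 1
    elif limit == 0:             # disabled via env var, -X flag or sys API
        return False
    else:
        probe = limit + 1
    try:
        int("1" * probe)
    except ValueError:
        return True
    return False


def power_of_two_base_is_exempt(digits=100000):
    """Bases 2, 4, 8, 16 and 32 convert in linear time and are never limited:
    a 100000-digit hex string still round-trips whatever the limit is."""
    return hex(int("f" * digits, 16)) == "0x" + "f" * digits


def safe_int(text, max_digits=DEFAULT_LIMIT):
    """Reject decimal input above max_digits before it reaches the quadratic
    parser; the sign and underscores are not counted, as in CPython's rule."""
    digits = text.strip().lstrip("+-").replace("_", "")
    if len(digits) > max_digits:
        raise ValueError("Exceeds the limit (%d digits) for integer string "
                         "conversion: value has %d digits"
                         % (max_digits, len(digits)))
    return int(text, 10)
```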
in one of the 3.9.x updates we accidentally lost the "Make sure
CPPFLAGS/LDFLAGS passed to ./configure don't end up in
PY_CPPFLAGS/PY_LDFLAGS and thus leaking to python extensions" in
a merge.
The original problem this was fixing was a path to the ports WRKDIR
appearing in the built package (which showed up in "python3.9 -m
sysconfig|grep LDSH" etc).
However that problem no longer shows up in 3.9, so it seems sensible
to sync 3.10 to what we have now for 3.9 and remove the patch, and
update CHANGES.OpenBSD (removing the bogus entry for 3.9, and the
no-longer-needed one for 3.10).
ok kmos@
with cp, presumably it was used as part of build rather than fake-install
and had problems with non-root builds. install has been mocked in ports
builds for some time now (as part of the PORTS_PRIVSEP) so that's not needed.
ok kmos@
for those builds done via MODPY_SETUPTOOLS (I was hoping we'd get
away without it for pep517 setuptools builds but naddy ran into a
build problem with py-cryptography which seems that it can only have
happened if importlib-metadata was installed and junked at the wrong
time during build)
we _may_ need nojunk for the other pep517 backends but let's try to
avoid it if possible first.
OpenBSD 5.4 to prevent picking up ports libreadline if installed during
build, but this was fixed differently in the libreadline port after 5.5
instead (by moving the headers to a directory which is not usually
picked up by default).
Found while investigating why readline is broken in the Python 3.10
port (but doesn't fix that issue). Also changes to the build in py3.10
mean that this patching no longer worked for the original issue.
ok kmos@
change from substring match to equality checks so that e.g. listing multiple
backends for MODPY_PEP517 isn't allowed (AFAIK it won't be needed anyway,
it's possible to just set "yes" instead of a backend name and list the
deps in a port itself, plus it wasn't handled properly in the pile of
.elifs).
for setuptools ports with no distributed setup.py file; this suggests that
they probably ought to use MODPY_PEP517 instead so it's helpful to have
this show up in build logs.
This unbreaks python 3.* on powerpc. The build had enabled PGO
(Profile Guided Optimization), then got "Segmentation fault" from the
./python binary. This seems to be a bug in clang or lld specific to
32-bit powerpc. We continue to --enable-optimizations on powerpc64.
ok kmos@, sthen@
pyproject.toml-only ports - add a comment making it clear that it was
generated by python.port.mk; makes it easier to identify where it came
from when looking at files in a port's WRKSRC