Sync from SUSE:ALP:Source:Standard:1.0 saltbundlepy-certifi revision 82863fa4c321bb717f7f9152ecf3fb76

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

python-certifi-shipped-requests-cabundle.patch

@@ -0,0 +1,120 @@
+diff -Nru certifi-2022.9.24.orig/certifi/core.py certifi-2022.9.24/certifi/core.py
+--- certifi-2022.9.24.orig/certifi/core.py	2022-09-13 22:15:32.000000000 +0200
++++ certifi-2022.9.24/certifi/core.py	2022-11-15 12:56:32.415823730 +0100
+@@ -3,106 +3,18 @@
+ ~~~~~~~~~~
+ 
+ This module returns the installation location of cacert.pem or its contents.
+-"""
+-import sys
+-
+ 
+-if sys.version_info >= (3, 11):
++Patched by openSUSE: return the system bundle
++"""
+ 
+-    from importlib.resources import as_file, files
++import io
+ 
+-    _CACERT_CTX = None
+-    _CACERT_PATH = None
+-
+-    def where() -> str:
+-        # This is slightly terrible, but we want to delay extracting the file
+-        # in cases where we're inside of a zipimport situation until someone
+-        # actually calls where(), but we don't want to re-extract the file
+-        # on every call of where(), so we'll do it once then store it in a
+-        # global variable.
+-        global _CACERT_CTX
+-        global _CACERT_PATH
+-        if _CACERT_PATH is None:
+-            # This is slightly janky, the importlib.resources API wants you to
+-            # manage the cleanup of this file, so it doesn't actually return a
+-            # path, it returns a context manager that will give you the path
+-            # when you enter it and will do any cleanup when you leave it. In
+-            # the common case of not needing a temporary file, it will just
+-            # return the file system location and the __exit__() is a no-op.
+-            #
+-            # We also have to hold onto the actual context manager, because
+-            # it will do the cleanup whenever it gets garbage collected, so
+-            # we will also store that at the global level as well.
+-            _CACERT_CTX = as_file(files("certifi").joinpath("cacert.pem"))
+-            _CACERT_PATH = str(_CACERT_CTX.__enter__())
+-
+-        return _CACERT_PATH
+-
+-    def contents() -> str:
+-        return files("certifi").joinpath("cacert.pem").read_text(encoding="ascii")
+-
+-elif sys.version_info >= (3, 7):
+-
+-    from importlib.resources import path as get_path, read_text
+-
+-    _CACERT_CTX = None
+-    _CACERT_PATH = None
+-
+-    def where() -> str:
+-        # This is slightly terrible, but we want to delay extracting the
+-        # file in cases where we're inside of a zipimport situation until
+-        # someone actually calls where(), but we don't want to re-extract
+-        # the file on every call of where(), so we'll do it once then store
+-        # it in a global variable.
+-        global _CACERT_CTX
+-        global _CACERT_PATH
+-        if _CACERT_PATH is None:
+-            # This is slightly janky, the importlib.resources API wants you
+-            # to manage the cleanup of this file, so it doesn't actually
+-            # return a path, it returns a context manager that will give
+-            # you the path when you enter it and will do any cleanup when
+-            # you leave it. In the common case of not needing a temporary
+-            # file, it will just return the file system location and the
+-            # __exit__() is a no-op.
+-            #
+-            # We also have to hold onto the actual context manager, because
+-            # it will do the cleanup whenever it gets garbage collected, so
+-            # we will also store that at the global level as well.
+-            _CACERT_CTX = get_path("certifi", "cacert.pem")
+-            _CACERT_PATH = str(_CACERT_CTX.__enter__())
+-
+-        return _CACERT_PATH
+-
+-    def contents() -> str:
+-        return read_text("certifi", "cacert.pem", encoding="ascii")
+-
+-else:
+-    import os
+-    import types
+-    from typing import Union
+-
+-    Package = Union[types.ModuleType, str]
+-    Resource = Union[str, "os.PathLike"]
+-
+-    # This fallback will work for Python versions prior to 3.7 that lack the
+-    # importlib.resources module but relies on the existing `where` function
+-    # so won't address issues with environments like PyOxidizer that don't set
+-    # __file__ on modules.
+-    def read_text(
+-        package: Package,
+-        resource: Resource,
+-        encoding: str = 'utf-8',
+-        errors: str = 'strict'
+-    ) -> str:
+-        with open(where(), encoding=encoding) as data:
+-            return data.read()
+-
+-    # If we don't have importlib.resources, then we will just do the old logic
+-    # of assuming we're on the filesystem and munge the path directly.
+-    def where() -> str:
+-        f = os.path.dirname(__file__)
++def read_text(_module=None, _path=None, encoding="ascii"):
++    with io.open(where(), "r", encoding=encoding) as data:
++        return data.read()
+ 
+-        return os.path.join(f, "cacert.pem")
++def where():
++    return "/etc/ssl/ca-bundle.pem"
+ 
+-    def contents() -> str:
+-        return read_text("certifi", "cacert.pem", encoding="ascii")
++def contents() -> str:
++    return read_text(encoding="ascii")

saltbundlepy-certifi.changes

@@ -0,0 +1,264 @@
+-------------------------------------------------------------------
+Fri Dec 15 15:07:16 UTC 2023 - Victor Zhestkov <vzhestkov@suse.com>
+
+- Update to 2023.7.22:
+  Added certs:
+  * CN=Sectigo Public Server Authentication Root E46 O=Sectigo Limited
+  * CN=Sectigo Public Server Authentication Root R46 O=Sectigo Limited
+  * CN=SSL.com TLS RSA Root CA 2022 O=SSL Corporation
+  * CN=SSL.com TLS ECC Root CA 2022 O=SSL Corporation
+  * CN=Atos TrustedRoot Root CA ECC TLS 2021 O=Atos
+  * CN=Atos TrustedRoot Root CA RSA TLS 2021 O=Atos
+  Removed certs:
+  * CN=Hongkong Post Root CA 1 O=Hongkong Post
+  * CN=E-Tugra Certification Authority O=E-Tu\u011fra EBG Bili\u015fim
+    Teknolojileri ve Hizmetleri A.\u015e. OU=E-Tugra Sertifikasyon Merkezi
+  * CN=E-Tugra Global Root CA RSA v3 O=E-Tugra EBG A.S. OU=E-Tugra Trust Center
+  * CN=E-Tugra Global Root CA ECC v3 O=E-Tugra EBG A.S. OU=E-Tugra Trust Center
+
+- Update to 2023.5.7:
+  Added certs:
+  * CN=BJCA Global Root CA1 O=BEIJING CERTIFICATE AUTHORITY
+
+- Update to 2022.12.7 (bsc#1206212 CVE-2022-23491):
+  * obsoletes removeTrustCor.patch in older dists
+  Removed certs:
+  * CN=Network Solutions Certificate Authority O=Network Solutions L.L.C.
+  * CN=Staat der Nederlanden EV Root CA O=Staat der Nederlanden
+  * CN=TrustCor RootCert CA-1 O=TrustCor Systems S. de R.L. OU=TrustCor Certificate Authority
+  * CN=TrustCor RootCert CA-2 O=TrustCor Systems S. de R.L. OU=TrustCor Certificate Authority
+  * CN=TrustCor ECA-1 O=TrustCor Systems S. de R.L. OU=TrustCor Certificate Authority
+
+- Update to 2022.9.24:
+  * (no changes)
+- from version 2022.09.24:
+  * (no changes)
+- from version 2022.09.14:
+  * (no changes)
+- from version 2022.06.15.2:
+  * Only use importlib.resources's new files() /
+    Traversable API on Python ≥3.11 (#204)
+- from version 2022.06.15.1:
+  * Fix deprecation warning on Python 3.11 (#199)
+  * fixes #198 -- update link in license
+- from version 2022.06.15:
+  * Add py.typed to MANIFEST.in to package in sdist (#196)
+- from version 2022.05.18.1:
+  * Add support for Python 3.10 and drop EOL 3.5 (#167)
+- from version 2022.05.18:
+  * Automatically lock github issues after
+    they've been closed for 90 days (#189)
+  * Remove universal wheel, python 2 is unsupported (#187)
+  * Add type annotations to package
+  * Added Required Python Version (#152)
+  * Fix homepage link (#145)
+
+- Update to 2021.10.8:
+  added certs:
+  * CN=TunTrust Root CA O=Agence Nationale de Certification Electronique
+  * CN=HARICA TLS ECC Root CA 2021 O=Hellenic Academic and Research Institutions CA
+
+- Update to 2021.5.30:
+  Added certs:
+  * CN=AC RAIZ FNMT-RCM SERVIDORES SEGUROS O=FNMT-RCM OU=Ceres
+  * CN=GlobalSign Root R46 O=GlobalSign nv-sa
+  * CN=GlobalSign Root E46 O=GlobalSign nv-sa
+  * CN=GLOBALTRUST 2020 O=e-commerce monitoring GmbH
+  * CN=ANF Secure Server Root CA O=ANF Autoridad de Certificacion OU=ANF CA Raiz
+  * CN=Certum EC-384 CA O=Asseco Data Systems S.A. OU=Certum Certification Authority
+  * CN=Certum Trusted Root CA O=Asseco Data Systems S.A. OU=Certum Certification Authority
+
+- Update to 2020.12.5:
+  * (no changes)
+
+- Update to 2020.11.8:
+  * Python 3.8+ support
+
+- Update to 2020.6.20:
+  * Updates in enabled CAs
+
+- changes from version 2020.04.05.2:
+  * Document policy for cert addition (#127)
+  * Clarify trust origin is Mozilla (#126)
+  * Fix where() so that it works with importlib.resources when
+    available
+  * Goodbye python 2
+
+- Update to 2020.4.5.1:
+  adds Agencia Catalana de Certificacio (NIF Q-0801176-I) OU=Serveis
+  Publics de Certificacio/Vegeu
+
+- Update to 2019.11.28:
+  * Updates in enabled CAs
+
+- Update to 2019.9.11:
+  * Updates in enabled CAs
+
+- Update to 2019.6.16:
+  * remove Certinomis Root CA
+
+- Update to 2019.3.9:
+  * Add emSign Root CA - G1
+  * Add emSign ECC Root CA - G3
+  * Add Hongkong Post Root CA 3
+
+- Update to 2018.11.29:
+  * Deprecated old_where() has been removed
+  * Removed certificates:
+    Visa eCommerce Root
+    Certplus Root CA G1
+    Certplus Root CA G2
+    OpenTrust Root CA G1
+    OpenTrust Root CA G2
+    OpenTrust Root CA G3
+
+- Update to 2018.4.16:
+  * Remove Elektronik Sertifika Hizket from cacert.pem
+
+- Added:
+  * python-certifi-shipped-requests-cabundle.patch
+  * two-basic-unit-tests.patch
+
+- Removed:
+  * return-CA-bundle-for-distro.patch
+
+-------------------------------------------------------------------
+Tue Oct  3 10:49:11 UTC 2023 - Victor Zhestkov <vzhestkov@suse.com>
+
+- Add openEuler CA bundle path
+
+-------------------------------------------------------------------
+Sat Dec 31 14:36:43 UTC 2022 - dbenini@suse.com
+
+- remove all TrustCor CAs, as TrustCor issued multiple man-in-the-middle
+  certs (bsc#1206212 CVE-2022-23491)
+     - TrustCor RootCert CA-1
+     - TrustCor RootCert CA-2
+     - TrustCor ECA-1
+- Add removeTrustCor.patch
+
+-------------------------------------------------------------------
+Thu Aug 25 06:55:42 UTC 2022 - Victor Zhestkov <victor.zhestkov@suse.com>
+
+- fix the condition for rhel detection to include Fedora
+
+-------------------------------------------------------------------
+Fri Aug 12 15:58:51 UTC 2022 - Dirk Müller <dmueller@suse.com>
+
+- fix rhel detection (%%rhel is referring to the major
+  version and exists on all clones as well)
+
+-------------------------------------------------------------------
+Mon Apr  4 12:28:22 UTC 2022 - Victor Zhestkov <victor.zhestkov@suse.com>
+
+- Strictly require Python 3.10 with saltbundlepy requrement
+
+-------------------------------------------------------------------
+Fri Mar 18 08:33:18 UTC 2022 - Victor Zhestkov <victor.zhestkov@suse.com>
+
+- Use unified method of returning CA bundle path for the distros
+
+- Added:
+  * return-CA-bundle-for-distro.patch
+- Removed:
+  * python-certifi-shipped-requests-cabundle.patch
+
+-------------------------------------------------------------------
+Sun Feb  4 00:36:29 UTC 2018 - arun@gmx.de
+
+- specfile:
+  * update copyright year
+
+- update to version 2018.1.18:
+  * Remove 1024-bit root certificates
+  * Include license in the list of trove classifiers
+  * Include license file in the generated wheel package
+
+-------------------------------------------------------------------
+Tue Nov 14 23:19:14 UTC 2017 - dmueller@suse.com
+
+- update to 2017.11.5:
+  * Sync with bundle mozilla release
+- remove  python-certifi-fix-version-string.patch: obsolete
+
+-------------------------------------------------------------------
+Wed Oct 18 17:23:39 UTC 2017 - jmatejek@suse.com
+
+- fix macros to support not having python2
+
+-------------------------------------------------------------------
+Thu Oct 12 08:52:57 UTC 2017 - adrian.glaubitz@suse.com
+
+- add patch to fix version string from 2017.07.27.1 to
+  2017.7.27.1 to fix the build on SLE12_SP3 and earlier
+  + python-certifi-fix-version-string.patch
+
+-------------------------------------------------------------------
+Tue Oct  3 05:42:11 UTC 2017 - arun@gmx.de
+
+- updated patch
+
+- update to version 2017.7.27.1:
+  * Use a more expressive API for getting the dir a path is in
+  * set zip_safe=False to help out setuptools (#63)
+  * Change license from ISC to MPL-2.0 in setup.py
+  * Add trove classifiers for missing supported Python versions
+  * Rename [wheel] section to [bdist_wheel] as the former is legacy
+
+-------------------------------------------------------------------
+Mon Jul 10 18:42:12 UTC 2017 - toddrme2178@gmail.com
+
+- Fix wrong-script-interpreter rpmlint error.
+- Fix script-without-shebang rpmlint warning.
+
+-------------------------------------------------------------------
+Sun Jun 11 20:37:21 UTC 2017 - dmueller@suse.com
+
+- require ca-certificates-mozilla, otherwise certifi does not
+  provide any ca bundle (the bundled one that openSUSE patches
+  out is the mozilla bundle as well)
+
+-------------------------------------------------------------------
+Sat Jun 10 08:46:52 UTC 2017 - dmueller@suse.com
+
+- update to 2017.4.17
+
+-------------------------------------------------------------------
+Sat Apr  8 17:51:03 UTC 2017 - aloisio@gmx.com
+
+- Updated to version 2017.1.23
+- Converted to single-spec
+- Updated source URL
+
+-------------------------------------------------------------------
+Fri Jun  3 23:00:13 UTC 2016 - jacobwinski@gmail.com
+
+- Update to version 2016.2.28
+- Update copyright year in spec file
+- Fix executable warning (fix taken from python3-certifi)
+
+-------------------------------------------------------------------
+Fri Jan 22 12:22:53 UTC 2016 - michael@stroeder.com
+
+- Update to version 2015.11.20.1
+
+-------------------------------------------------------------------
+Sat Sep 26 10:27:12 UTC 2015 - toddrme2178@gmail.com
+
+- Update to version 2015.9.6.2:
+  * Actually ship weak cert bundle.
+  * Provide old cert bundle.
+  * Use secure roots by default.
+  * Update scripts to use mkcert.org
+  * Concatenate the two roots
+  * Add the needed 1024-bit roots
+  * Move mkcert output to non-core file
+- Fix dependencies on SLES 11
+- Certifi is released under MPL-2.0; fix the license tag
+- Rebase python-certifi-shipped-requests-cabundle.patch
+
+-------------------------------------------------------------------
+Wed Apr 22 13:31:54 UTC 2015 - mcihar@suse.cz
+
+- Initial packaging
+

saltbundlepy-certifi.spec

@@ -0,0 +1,97 @@
+#
+# spec file for package saltbundlepy-certifi
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%{?!saltbundlepy_module:%define saltbundlepy_module() saltbundlepy-%{**}}
+%define pythons saltbundlepy
+
+# Disable python bytecompile for all distros
+# It's called explicitly in the spec
+%global __brp_python_bytecompile %{nil}
+
+Name:           saltbundlepy-certifi
+Version:        2023.7.22
+Release:        0
+Summary:        Python package for providing Mozilla's CA Bundle
+License:        MPL-2.0
+Group:          Development/Languages/Python
+URL:            https://pypi.python.org/pypi/certifi
+Source:         https://files.pythonhosted.org/packages/source/c/certifi/certifi-%{version}.tar.gz
+# PATCH-FIX-SUSE -- prefer SUSE certificates
+Patch0:         python-certifi-shipped-requests-cabundle.patch
+# PATCH-FEATURE-UPSTREAM two-basic-unit-tests.patch gh#certifi/python-certifi#137 mcepl@suse.com
+# Add at least primitive test suite (by bnavigator)
+Patch1:         two-basic-unit-tests.patch
+BuildRequires:  %{saltbundlepy_module devel >= 3.10}
+BuildRequires:  %{saltbundlepy_module setuptools}
+BuildRequires:  ca-certificates
+BuildRequires:  fdupes
+BuildRequires:  saltbundlepy-rpm-macros
+Requires:       ca-certificates
+Requires:       ca-certificates-mozilla
+Requires:       saltbundlepy-base
+BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+BuildArch:      noarch
+%python_subpackages
+
+%description
+Certifi provides Mozilla's carefully curated collection of Root Certificates
+for validating the trustworthiness of SSL certificates while verifying the
+identity of TLS hosts. It has been extracted from the Requests project.
+
+Note that on SUSE packages the used CA bundle is actually the system bundle
+
+%prep
+%autosetup -p1 -n certifi-%{version}
+
+%if 0%{?suse_version}
+export CA_BUNDLE_PATH=/etc/ssl/ca-bundle.pem
+%endif
+%if 0%{?rhel} || 0%{?fedora} || 0%{?openeuler_version}
+export CA_BUNDLE_PATH=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+%endif
+%if 0%{?debian_version} || 0%{?ubuntu_version}
+export CA_BUNDLE_PATH=/etc/ssl/certs/ca-certificates.crt
+%endif
+if [ -z "${CA_BUNDLE_PATH}" ]; then
+    echo "Error: Unable to define CA bundle path!"
+    exit 1
+fi
+sed -i "s#/etc/ssl/ca-bundle.pem#${CA_BUNDLE_PATH}#" certifi/core.py
+
+%build
+%python_build
+
+%install
+%python_install
+
+%{python_expand chmod +x %{buildroot}%{$python_sitelib}/certifi/core.py
+ sed -i "s|#!/usr/bin/env python|#!%{__$python}|" %{buildroot}/%{$python_sitelib}/certifi/core.py
+ rm %{buildroot}%{$python_sitelib}/certifi/cacert.pem
+ find %{buildroot}%{$python_sitelib} -name '*.pyc' -delete
+ %{__$python} -m compileall -d %{$python_sitelib} %{buildroot}%{$python_sitelib}
+ %{__$python} -O -m compileall -d %{$python_sitelib} %{buildroot}%{$python_sitelib}
+ %fdupes %{buildroot}%{$python_sitelib}
+}
+
+%files %{python_files}
+%defattr(-,root,root,-)
+%doc README.rst LICENSE
+%{python_sitelib}/certifi/
+%{python_sitelib}/certifi-%{version}-py*.egg-info
+
+%changelog

two-basic-unit-tests.patch

@@ -0,0 +1,83 @@
+From 7d617ff9dddee73bde86b79c9aa2f1c98f19e339 Mon Sep 17 00:00:00 2001
+From: Benjamin Greiner <code@bnavigator.de>
+Date: Sun, 16 Aug 2020 20:17:39 +0200
+Subject: [PATCH 1/2] add 2 basic unit tests
+
+---
+ .github/workflows/python-package.yml |   40 +++++++++++++++++++++++++++++++++++
+ certifi/tests/__init__.py            |    2 +
+ certifi/tests/test_certifi.py        |   19 ++++++++++++++++
+ 3 files changed, 61 insertions(+)
+ create mode 100644 certifi/tests/__init__.py
+ create mode 100755 certifi/tests/test_certifi.py
+
+--- /dev/null
++++ b/certifi/tests/__init__.py
+@@ -0,0 +1,2 @@
++# certifi.tests module
++
+--- /dev/null
++++ b/certifi/tests/test_certifi.py
+@@ -0,0 +1,19 @@
++# -*- coding: utf-8 -*-
++"""
++unit tests to make sure everything behaves as expected
++"""
++
++import os
++import unittest
++
++import certifi
++
++
++class TestCertifi(unittest.TestCase):
++    def test_cabundle_exists(self):
++        """Check that the reported bundle exists"""
++        self.assertTrue(os.path.exists(certifi.where()))
++
++    def test_read_contents(self):
++        """Check that the returned contents contain a certificate"""
++        self.assertIn("-----BEGIN CERTIFICATE-----", certifi.contents())
+--- /dev/null
++++ b/.github/workflows/python-package.yml
+@@ -0,0 +1,40 @@
++# This workflow will install Python dependencies, run tests and lint with a variety of Python versions
++# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
++
++name: Python package
++
++on:
++  push:
++    branches: [ master ]
++  pull_request:
++    branches: [ master ]
++
++jobs:
++  build:
++
++    runs-on: ubuntu-latest
++    strategy:
++      matrix:
++        python-version: [3.5, 3.6, 3.7, 3.8]
++
++    steps:
++    - uses: actions/checkout@v2
++    - name: Set up Python ${{ matrix.python-version }}
++      uses: actions/setup-python@v2
++      with:
++        python-version: ${{ matrix.python-version }}
++    - name: Install test dependencies
++      run: |
++        python -m pip install --upgrade pip
++        pip install pytest
++    #    pip install flake8 pytest
++    #    if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
++    #- name: Lint with flake8
++    #  run: |
++    #    # stop the build if there are Python syntax errors or undefined names
++    #   flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
++    #    # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
++    #    flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
++    - name: Test with pytest
++      run: |
++        pytest