Accepting request 1085246 from devel:languages:python

- Renamed patches support-pip-23.patch and
  support-tarfile-data-filter.patch to 589-colorized-pip23.patch
  (gh#pypa/build#589) and 609-filter-out-malicious.patch
  (gh#pypa/build#609), respectively.
- Add patch support-pip-23.patch:
  * pip 23 also colorizes output, confusing the test.
- Add patch support-tarfile-data-filter.patch:
  * Set tarfile.data_filter if available.

OBS-URL: https://build.opensuse.org/request/show/1085246
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-build?expand=0&rev=9
Dominique Leuenberger 2023-05-19 09:55:08 +00:00 committed by Git OBS Bridge
commit a890a85289
4 changed files with 137 additions and 4 deletions

589-colorized-pip23.patch Normal file

@ -0,0 +1,36 @@
From 4f5362fccc908820574fdbac2f6b6871c0f371c5 Mon Sep 17 00:00:00 2001
From: Henry Schreiner <henryschreineriii@gmail.com>
Date: Wed, 15 Mar 2023 09:33:53 -0400
Subject: [PATCH] tests: strip formatting from stderr (pip 23)
Signed-off-by: Henry Schreiner <henryschreineriii@gmail.com>
---
tests/test_main.py | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/tests/test_main.py b/tests/test_main.py
index e924d8bd..456ff749 100644
--- a/tests/test_main.py
+++ b/tests/test_main.py
@@ -20,6 +20,8 @@
cwd = os.getcwd()
out = os.path.join(cwd, 'dist')
+ANSI_STRIP = re.compile(r'\x1B(?:[@-Z\\-_]|\[[0-?]*[ -/]*[@-~])')
+
@pytest.mark.parametrize(
('cli_args', 'build_args', 'hook'),
@@ -368,8 +370,10 @@ def test_output_env_subprocess_error(
assert stdout[:4] == stdout_body
assert stdout[-1].startswith(stdout_error)
- assert len(stderr) == 1
- assert stderr[0].startswith('ERROR: Invalid requirement: ')
+ # Newer versions of pip also color stderr - strip them if present
+ cleaned_stderr = ANSI_STRIP.sub('', '\n'.join(stderr)).strip()
+ assert len(cleaned_stderr.splitlines()) == 1
+ assert cleaned_stderr.startswith('ERROR: Invalid requirement: ')
@pytest.mark.parametrize(
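Review bot: `ANSI_STRIP = re.compile(...)` is added at module scope, but neither hunk adds `import re`; if tests/test_main.py does not already import `re` (its import block sits above the first hunk and is outside this view), the module fails at collection time and the patch should also carry `+import re`. The pattern would be easier to audit with a one-line comment naming its two alternatives, e.g. `# ESC followed by one byte in 0x40-0x5F, or a CSI sequence ESC [ params final-byte`. test_output_env_subprocess_error starts before the second hunk, so where `stderr` comes from is not visible here.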


@ -0,0 +1,68 @@
From 083fde33e7593d8ff9add04bd4d237a3ddcbfe44 Mon Sep 17 00:00:00 2001
From: layday <layday@protonmail.com>
Date: Fri, 28 Apr 2023 15:22:53 +0300
Subject: [PATCH] main: filter out malicious files when extracting tar archives
See https://peps.python.org/pep-0706/.
---
src/build/__main__.py | 5 +++--
src/build/util.py | 14 +++++++++++++-
2 files changed, 16 insertions(+), 3 deletions(-)
--- a/src/build/__main__.py
+++ b/src/build/__main__.py
@@ -9,7 +9,6 @@ import platform
import shutil
import subprocess
import sys
-import tarfile
import tempfile
import textwrap
import traceback
@@ -228,6 +227,8 @@ def build_package_via_sdist(
:param isolation: Isolate the build in a separate environment
:param skip_dependency_check: Do not perform the dependency check
"""
+ from .util import TarFile
+
if 'sdist' in distributions:
raise ValueError('Only binary distributions are allowed but sdist was specified')
@@ -238,7 +239,7 @@ def build_package_via_sdist(
sdist_out = tempfile.mkdtemp(prefix='build-via-sdist-')
built: list[str] = []
# extract sdist
- with tarfile.open(sdist) as t:
+ with TarFile.open(sdist) as t:
t.extractall(sdist_out)
try:
builder = _ProjectBuilder(os.path.join(sdist_out, sdist_name[: -len('.tar.gz')]))
--- a/src/build/util.py
+++ b/src/build/util.py
@@ -5,6 +5,7 @@ from __future__ import annotations
import os
import pathlib
import sys
+import tarfile
import tempfile
import pyproject_hooks
@@ -56,6 +57,17 @@ def project_wheel_metadata(
return _project_wheel_metadata(builder)
+# Per https://peps.python.org/pep-0706/, the "data" filter will become
+# the default in Python 3.14.
+if sys.version_info >= (3, 12) and sys.version_info < (3, 14):
+
+ class TarFile(tarfile.TarFile):
+ extraction_filter = tarfile.data_filter
+
+else:
+ TarFile = tarfile.TarFile
+
+
__all__ = [
- 'project_wheel_metadata',
+ 'project_wheel_metadata', 'TarFile',
]
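Review bot: The guard `if sys.version_info >= (3, 12) and sys.version_info < (3, 14):` leaves the filter unused on interpreters older than 3.12 that nevertheless ship `tarfile.data_filter` — PEP 706, which the comment cites, covers the backport to the 3.8–3.11 security releases — so on those releases the sdist extraction in `build_package_via_sdist` still runs with no extraction filter. Keying the subclass on the attribute instead, `if hasattr(tarfile, 'data_filter'):`, covers them, matches the changelog wording "Set tarfile.data_filter if available", and needs no upper bound, since setting `extraction_filter = tarfile.data_filter` explicitly is harmless where it is already the default. The function-local `from .util import TarFile` reads like a cycle-avoidance measure; if `__main__.py` already imports from `.util` at module level, a short comment saying why this one is deferred would help the next reader. `build_package_via_sdist` continues outside both of its hunks.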


@ -1,3 +1,26 @@
-------------------------------------------------------------------
Sat May 6 16:59:52 UTC 2023 - Matej Cepl <mcepl@suse.com>
- Renamed patches support-pip-23.patch and
support-tarfile-data-filter.patch to 589-colorized-pip23.patch
and 609-filter-out-malicious.patch, respectively.
-------------------------------------------------------------------
Tue May 2 10:52:23 UTC 2023 - Ben Greiner <code@bnavigator.de>
- Remove support-tarfile-data-filter.patch: better documentation
required, preferable supported through upstream
* gh#pypa/build#609
* ignore the DeprecationWarning instead
-------------------------------------------------------------------
Tue May 2 08:04:24 UTC 2023 - Steve Kowalik <steven.kowalik@suse.com>
- Add patch support-pip-23.patch:
* pip 23 also colorizes output, confusing the test.
- Add patch support-tarfile-data-filter.patch:
* Set tarfile.data_filter if available.
-------------------------------------------------------------------
Fri Apr 21 12:22:56 UTC 2023 - Dirk Müller <dmueller@suse.com>


@ -27,20 +27,24 @@
# wheeldir of name build does not work well with this packagename gh#openSUSE/python-rpm-macros#157
%define _pyproject_wheeldir distwheel
%define skip_python2 1
%{?sle15_python_module_pythons}
Name: python-build%{psuffix}
Version: 0.10.0
Release: 0
Summary: Simple PEP517 package builder
License: MIT
Group: Development/Languages/Python
URL: https://github.com/pypa/build
Source0: https://github.com/pypa/build/archive/%{version}.tar.gz#/build-%{version}.tar.gz
# Needs the wheels for wheel, flit-core, pytoml, and tomli for testing
Source10: https://files.pythonhosted.org/packages/py2.py3/w/wheel/wheel-0.37.1-py2.py3-none-any.whl
Source11: https://files.pythonhosted.org/packages/py3/f/flit-core/flit_core-3.8.0-py3-none-any.whl
Source12: https://files.pythonhosted.org/packages/py3/t/tomli/tomli-2.0.1-py3-none-any.whl
# PATCH-FIX-UPSTREAM 589-colorized-pip23.patch gh#pypa/build#587 mcepl@suse.com
# Different style of colouring in pip 23 (actually I see it even with pip 22)
Patch0: 589-colorized-pip23.patch
# PATCH-FIX-UPSTREAM 609-filter-out-malicious.patch gh#pypa/build!609 mcepl@suse.com
# With new tarfile filters, there is now new warning
Patch1: 609-filter-out-malicious.patch
BuildRequires: %{python_module base >= 3.7}
BuildRequires: %{python_module flit-core >= 3.4}
BuildRequires: %{python_module pip}
@ -75,6 +79,8 @@ It is a simple build tool and does not perform any dependency management.
%prep
%autosetup -p1 -n build-%{version}
# until we have gh#pypa/build#609
sed -i '/"error",/ a \ "ignore::DeprecationWarning:tarfile",' pyproject.toml
%if !%{with test}
%build
@ -92,7 +98,7 @@ mkdir -p wheels
cp %{SOURCE10} %{SOURCE11} %{SOURCE12} wheels/
export PIP_FIND_LINKS="%{python3_sitelib}/../wheels $PWD/wheels"
pushd tests
%pytest -n auto -x
%pytest -n auto
popd
%endif
@ -108,7 +114,7 @@ popd
%license LICENSE
%python_alternative %{_bindir}/pyproject-build
%{python_sitelib}/build
%{python_sitelib}/build-%{version}*-info
%{python_sitelib}/build-%{version}.dist-info
%endif
%changelog
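Review bot: The `sed -i '/"error",/ a \ "ignore::DeprecationWarning:tarfile",' pyproject.toml` added to %prep, commented `# until we have gh#pypa/build#609`, is redundant with Patch1 (609-filter-out-malicious.patch), which the same `%autosetup -p1` applies one line earlier, and it works against that patch: with tarfile DeprecationWarnings ignored under the suite's `"error"` filter, a regression that again extracts an sdist without the data filter on 3.12/3.13 would likely no longer fail the tests. Dropping those two lines, or rewording the comment to say what the suppression now waits for, would keep the warning as a signal. Separately, the tag `# PATCH-FIX-UPSTREAM 589-colorized-pip23.patch gh#pypa/build#587` in the first hunk cites #587 while the patch name and the changelog cite gh#pypa/build#589; one of the two is probably a typo.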