Update to 26.0.1 (bsc#1257599, CVE-2026-1703)

disable-ssl-context-in-buildenv.patch

@@ -1,21 +1,8 @@
-Index: pip-24.2/src/pip/_vendor/requests/adapters.py
+Index: pip-26.0/src/pip/_internal/cli/index_command.py
 ===================================================================
---- pip-24.2.orig/src/pip/_vendor/requests/adapters.py
-+++ pip-24.2/src/pip/_vendor/requests/adapters.py
-@@ -81,7 +81,7 @@ try:
-     _preloaded_ssl_context.load_verify_locations(
-         extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
-     )
--except ImportError:
-+except (ImportError, FileNotFoundError, ssl.SSLError):
-     # Bypass default SSLContext creation when Python
-     # interpreter isn't built with the ssl module.
-     _preloaded_ssl_context = None
-Index: pip-24.2/src/pip/_internal/cli/index_command.py
-===================================================================
---- pip-24.2.orig/src/pip/_internal/cli/index_command.py
-+++ pip-24.2/src/pip/_internal/cli/index_command.py
-@@ -43,7 +43,11 @@ def _create_truststore_ssl_context() ->
+--- pip-26.0.orig/src/pip/_internal/cli/index_command.py
++++ pip-26.0/src/pip/_internal/cli/index_command.py
+@@ -49,7 +49,11 @@ def _create_truststore_ssl_context() ->
          return None
  
      ctx = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)

distutils-reproducible-compile.patch

@@ -1,17 +0,0 @@
----
- src/pip/_vendor/distlib/wheel.py |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: pip-24.1.1/src/pip/_vendor/distlib/wheel.py
-===================================================================
---- pip-24.1.1.orig/src/pip/_vendor/distlib/wheel.py
-+++ pip-24.1.1/src/pip/_vendor/distlib/wheel.py
-@@ -578,7 +578,7 @@ class Wheel(object):
-             maker.source_dir = workdir
-             maker.target_dir = None
-             try:
--                for zinfo in zf.infolist():
-+                for zinfo in sorted(zf.infolist()):
-                     arcname = zinfo.filename
-                     if isinstance(arcname, text_type):
-                         u_arcname = arcname

pip-shipped-requests-cabundle.patch

@@ -3,11 +3,11 @@
  tests/unit/test_options.py      |    5 +
  2 files changed, 13 insertions(+), 97 deletions(-)
 
-Index: pip-24.3.1/src/pip/_vendor/certifi/core.py
+Index: pip-26.0/src/pip/_vendor/certifi/core.py
 ===================================================================
---- pip-24.3.1.orig/src/pip/_vendor/certifi/core.py
-+++ pip-24.3.1/src/pip/_vendor/certifi/core.py
-@@ -3,112 +3,15 @@ certifi.py
+--- pip-26.0.orig/src/pip/_vendor/certifi/core.py
++++ pip-26.0/src/pip/_vendor/certifi/core.py
+@@ -3,81 +3,14 @@ certifi.py
  ~~~~~~~~~~
  
  This module returns the installation location of cacert.pem or its contents.
@@ -15,16 +15,16 @@ Index: pip-24.3.1/src/pip/_vendor/certifi/core.py
  """
 -import sys
 -import atexit
- 
--def exit_cacert_ctx() -> None:
--    _CACERT_CTX.__exit__(None, None, None)  # type: ignore[union-attr]
 +def read_text(_module=None, _path=None, encoding="ascii"):
 +    with open(where(), "r", encoding=encoding) as data:
 +        return data.read()
  
+-def exit_cacert_ctx() -> None:
+-    _CACERT_CTX.__exit__(None, None, None)  # type: ignore[union-attr]
 +def where() -> str:
 +    return "/etc/ssl/ca-bundle.pem"
  
+-
 -if sys.version_info >= (3, 11):
 -
 -    from importlib.resources import as_file, files
@@ -60,7 +60,7 @@ Index: pip-24.3.1/src/pip/_vendor/certifi/core.py
 -    def contents() -> str:
 -        return files("pip._vendor.certifi").joinpath("cacert.pem").read_text(encoding="ascii")
 -
--elif sys.version_info >= (3, 7):
+-else:
 -
 -    from importlib.resources import path as get_path, read_text
 -
@@ -95,58 +95,29 @@ Index: pip-24.3.1/src/pip/_vendor/certifi/core.py
 -
 -    def contents() -> str:
 -        return read_text("pip._vendor.certifi", "cacert.pem", encoding="ascii")
--
--else:
--    import os
--    import types
--    from typing import Union
--
--    Package = Union[types.ModuleType, str]
--    Resource = Union[str, "os.PathLike"]
--
--    # This fallback will work for Python versions prior to 3.7 that lack the
--    # importlib.resources module but relies on the existing `where` function
--    # so won't address issues with environments like PyOxidizer that don't set
--    # __file__ on modules.
--    def read_text(
--        package: Package,
--        resource: Resource,
--        encoding: str = 'utf-8',
--        errors: str = 'strict'
--    ) -> str:
--        with open(where(), encoding=encoding) as data:
--            return data.read()
--
--    # If we don't have importlib.resources, then we will just do the old logic
--    # of assuming we're on the filesystem and munge the path directly.
--    def where() -> str:
--        f = os.path.dirname(__file__)
--
--        return os.path.join(f, "cacert.pem")
--
--    def contents() -> str:
--        return read_text("pip._vendor.certifi", "cacert.pem", encoding="ascii")
 +def contents() -> str:
 +    return read_text(encoding="ascii")
-Index: pip-24.3.1/tests/unit/test_options.py
+Index: pip-26.0/tests/unit/test_options.py
 ===================================================================
---- pip-24.3.1.orig/tests/unit/test_options.py
-+++ pip-24.3.1/tests/unit/test_options.py
-@@ -1,4 +1,5 @@
+--- pip-26.0.orig/tests/unit/test_options.py
++++ pip-26.0/tests/unit/test_options.py
+@@ -1,6 +1,7 @@
+ from __future__ import annotations
+ 
  import os
 +import os.path
+ from collections.abc import Iterator
  from contextlib import contextmanager
  from optparse import Values
- from tempfile import NamedTemporaryFile
-@@ -10,6 +11,7 @@ import pip._internal.configuration
- from pip._internal.cli.main import main
+@@ -15,6 +16,7 @@ from pip._internal.cli.main import main
  from pip._internal.commands import create_command
  from pip._internal.commands.configuration import ConfigurationCommand
+ from pip._internal.exceptions import CommandError, PipError
 +from pip._vendor.certifi import where
- from pip._internal.exceptions import PipError
  
  from tests.lib.options_helpers import AddFakeCommandMixin
-@@ -618,6 +620,9 @@ class TestOptionsConfigFiles:
+ 
+@@ -537,6 +539,9 @@ class TestOptionsConfigFiles:
          else:
              assert expect == cmd._determine_file(options, need_value=False)
  

python-pip.changes

@@ -1,3 +1,165 @@
+-------------------------------------------------------------------
+Thu Feb  5 06:51:28 UTC 2026 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Update to 26.0.1:
+  * Fix --pre not being respected from the command line when a
+    requirement file includes an option e.g. -extra-index-url.
+    (#13788)
+
+-------------------------------------------------------------------
+Tue Feb  3 09:10:32 UTC 2026 - Daniel Garcia <daniel.garcia@suse.com>
+
+- Add %{?pythons_for_pypi} macro, to be used in Leap 16.x for short
+  term interpreter.
+- Drop upstreamed patch flit-core.patch
+
+- Update to 26.0 (bsc#1257599, CVE-2026-1703):
+  # Deprecations and Removals
+  - Remove support for non-bare project names in egg fragments.
+    Affected users should use the Direct URL requirement syntax.
+    (#13157)
+  # Features
+  - Display pip’s command-line help in colour, if possible. (#12134)
+  - Support installing dependencies declared with inline script
+    metadata (PEP 723) with --requirements-from-script. (#12891)
+  - Add --all-releases and --only-final options to control pre-release
+    and final release selection during package installation. (#13221)
+  - Add --uploaded-prior-to option to only consider packages uploaded
+    prior to a given datetime when the upload-time field is available
+    from a remote index. (#13625)
+  - Add --use-feature inprocess-build-deps to request that build
+    dependencies are installed within the same pip install process.
+    This new mechanism is faster, supports --no-clean and
+    --no-cache-dir reliably, and supports prompting for
+    authentication.
+  - Enabling this feature will also enable --use-feature
+    build-constraints. This feature will become the default in a
+    future pip version. (#9081)
+  - pip cache purge and pip cache remove now clean up empty
+    directories and legacy files left by older pip versions. (#9058)
+  # Bug Fixes
+  - Fix selecting pre-release versions when only pre-releases match.
+    For example, package>1.0 with versions 1.0, 2.0rc1 now installs
+    2.0rc1 instead of failing. (#13746)
+  - Revisions in version control URLs now must be percent-encoded. For
+    example, use git+https://example.com/repo.git@issue%231 to specify
+    the branch issue#1. If you previously used a branch name
+    containing a % character in a version control URL, you now need to
+    replace it with %25 to ensure correct percent-encoding. (#13407)
+  - Preserve original casing when a path is displayed. (#6823)
+  - Fix bash completion when the $IFS variable has been modified from
+    its default. (#13555)
+  - Precompute Python requirements on each candidate, reducing time of
+    long resolutions. (#13656)
+  - Skip redundant work converting version objects to strings when
+    using the importlib.metadata backend. (#13660)
+  - Fix pip index versions to honor only-binary/no-binary options.
+    (#13682)
+  - Fix fallthrough logic for options, allowing overriding global
+    options with defaults from user config. (#13703)
+  - Use a path-segment prefix comparison, not char-by-char. (#13777)
+
+- 25.3:
+  # Deprecations and Removals
+  - Remove support for the legacy setup.py develop editable method in
+    setuptools editable installs; setuptools >= 64 is now required.
+    (#11457)
+  - Remove the deprecated --global-option and --build-option.
+    --config-setting is now the only way to pass options to the build
+    backend. (#11859)
+  - Deprecate the PIP_CONSTRAINT environment variable for specifying
+    build constraints.
+  - Use the --build-constraint option or the PIP_BUILD_CONSTRAINT
+    environment variable instead. When build constraints are used,
+    PIP_CONSTRAINT no longer affects isolated build environments. To
+    enable this behavior without specifying any build constraints, use
+    --use-feature=build-constraint. (#13534)
+  - Remove support for non-standard legacy wheel filenames. (#13581)
+  - Remove support for the deprecated setup.py bdist_wheel mechanism.
+    Consequently, --use-pep517 is now always on, and --no-use-pep517
+    has been removed. (#6334)
+  # Features
+  - When PEP 658 metadata is available, full distribution files are no
+    longer downloaded when using pip lock or pip install --dry-run.
+    (#12603)
+  - Add support for installing an editable requirement written as a
+    Direct URL (PackageName @ URL). (#13495)
+  - Add support for build constraints via the --build-constraint
+    option. This allows constraining the versions of packages used
+    during the build process (e.g., setuptools) without affecting the
+    final installation. (#13534)
+  - On ResolutionImpossible errors, include a note about causes with
+    no candidates. (#13588)
+  - Building pip itself from source now uses flit-core instead of
+    setuptools. This does not affect how pip installs or builds
+    packages you use. (#13473)
+  # Bug Fixes
+  - Handle malformed Version metadata entries and show a sensible
+    error message instead of crashing. (#13443)
+  - Permit spaces between a filepath and extras in an install
+    requirement. (#13523)
+  - Ensure the self-check files in the cache have the same permissions
+    as the rest of the cache. (#13528)
+  - Avoid concurrency issues and improve performance when caching
+    locally built wheels, especially when the temporary build
+    directory is on a different filesystem than the cache. The wheel
+    directory passed to the build backend is now a temporary
+    subdirectory inside the cache directory. (#13540)
+  - Include relevant user-supplied constraints in logs when reporting
+    dependency conflicts. (#13545)
+  - Fix a regression in configuration parsing that was turning a
+    single value into a list and thus leading to a validation error.
+    (#13548)
+  - For Python versions that do not support PEP 706, pip will now
+    raise an installation error for a source distribution when it
+    includes a symlink that points outside the source distribution
+    archive. (#13550)
+  - Prevent --user installs if site.ENABLE_USER_SITE is set to False.
+    (#8794)
+
+-------------------------------------------------------------------
+Wed Aug 13 12:25:02 UTC 2025 - Markéta Machová <mmachova@suse.com>
+
+- update to 25.2
+  # 25.1
+  * Drop support for Python 3.8.
+  * On python 3.14+, the pkg_resources metadata backend cannot be used
+    anymore.
+  * Hide --no-python-version-warning from CLI help and documentation
+    as it's useless since Python 2 support was removed.
+  * A warning is emitted when the deprecated pkg_resources library is
+    used to inspect and discover installed packages.
+  * Deprecate the legacy setup.py bdist_wheel mechanism. To silence
+    the warning, and future-proof their setup, users should enable
+    --use-pep517 or add a pyproject.toml file to the projects they
+    control.
+  * Using --debug also enables verbose logging.
+  * Display a transient progress bar during package installation.
+  * Add a --group option which allows installation from PEP 735
+    Dependency Groups.
+  * Use PEP 753 "Well-known Project URLs in Metadata" normalization
+    rules when identifying an equivalent project URL to replace
+    a missing Home-Page field in pip show.
+  * Add a new, experimental, pip lock command, implementing PEP 751.
+  * Resolvelib 1.1.0 fixes a known issue where pip would report a
+    ResolutionImpossible error even though there is a valid solution.
+    However, some very complex dependency resolutions that previously
+    resolved may resolve slower or fail with an ResolutionTooDeep error.
+  # 25.2
+  * Declare support for Python 3.14
+  * Automatic download resumption and retrying is enabled by default.
+  * Requires-Python error message displays version clauses in numerical
+    order.
+  * Show time taken instead of eta 0:00:00 at download completion.
+  * Remove warning when cloning from a Git reference that does not look
+    like a commit hash.
+  * pip's own licensing metadata now follows PEP 639. In addition, the
+    licenses of pip's vendored dependencies are now included in the
+    License-File metadata field and in the wheel.
+- Drop no-longer-applicable distutils-reproducible-compile.patch
+  * distlib was trimmed https://github.com/pypa/pip/pull/13342
+- Add upstream flit-core.patch to fix build
+
 -------------------------------------------------------------------
 Thu Apr 17 12:40:51 UTC 2025 - Felix Stegmeier <felix.stegmeier@suse.com>
 

python-pip.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python-pip
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -31,9 +31,10 @@
 %endif
 # in order to avoid rewriting for subpackage generator
 %define mypython python
+%{?pythons_for_pypi}
 %{?sle15_python_module_pythons}
 Name:           python-pip%{psuffix}
-Version:        25.0.1
+Version:        26.0.1
 Release:        0
 Summary:        A Python package management system
 License:        MIT
@@ -42,13 +43,10 @@ URL:            https://pip.pypa.io
 Source:         https://github.com/pypa/pip/archive/%{version}.tar.gz#/pip-%{version}-gh.tar.gz
 # PATCH-FIX-OPENSUSE pip-shipped-requests-cabundle.patch -- adapted patch from python-certifi package
 Patch0:         pip-shipped-requests-cabundle.patch
-# PATCH-FIX-UPSTREAM distutils-reproducible-compile.patch gh#python/cpython#8057 mcepl@suse.com
-# To get reproducible builds, byte_compile() of distutils.util now sorts filenames.
-Patch1:         distutils-reproducible-compile.patch
 # PATCH-FIX-OPENSUSE: deal missing ca-certificates as "ssl not available"
-Patch2:         disable-ssl-context-in-buildenv.patch
-BuildRequires:  %{python_module base >= 3.7}
-BuildRequires:  %{python_module setuptools >= 40.8.0}
+Patch1:         disable-ssl-context-in-buildenv.patch
+BuildRequires:  %{python_module base >= 3.9}
+BuildRequires:  %{python_module flit-core >= 3.11}
 # The rpm python-wheel build is bootstrap friendly since 0.42
 BuildRequires:  %{python_module wheel}
 BuildRequires:  fdupes
@@ -73,6 +71,7 @@ BuildRequires:  %{python_module installer}
 # Test requirements:
 BuildRequires:  %{python_module pip = %{version}}
 BuildRequires:  %{python_module pretend}
+BuildRequires:  %{python_module pytest-socket}
 BuildRequires:  %{python_module pytest-xdist}
 BuildRequires:  %{python_module pytest}
 BuildRequires:  %{python_module scripttest}