Accepting request 331039 from devel:languages:python:Factory

- copy strict-tls-checks subpackage from SLE to retain future compatibility
  (not built in openSUSE)
- do this properly to fix bnc#945401
- Add python-ncurses-6.0-accessors.patch: Fix build with
  NCurses 6.0 and OPAQUE_WINDOW set to 1.

OBS-URL: https://build.opensuse.org/request/show/331039
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python?expand=0&rev=117

python-2.7.9-sles-disable-verification-by-default.patch

@@ -1,14 +1,24 @@
 Index: Python-2.7.9/Lib/ssl.py
 ===================================================================
---- Python-2.7.9.orig/Lib/ssl.py	2015-05-14 15:02:05.872792333 +0200
-+++ Python-2.7.9/Lib/ssl.py	2015-05-14 15:23:27.874013424 +0200
-@@ -469,7 +469,8 @@
+--- Python-2.7.9.orig/Lib/ssl.py	2015-08-12 15:53:27.419729448 +0200
++++ Python-2.7.9/Lib/ssl.py	2015-08-12 15:58:10.668465183 +0200
+@@ -469,7 +469,18 @@
      return context
  
  # Used by http.client if no context is explicitly passed.
 -_create_default_https_context = create_default_context
-+# PATCH-SLE: still use unverified context. see PEP476
-+_create_default_https_context = _create_unverified_context
++try:
++    # load the TLS checks policy from separate package
++    import sle_tls_checks_policy as policy
++    if policy.get_policy:
++        _create_default_https_context = policy.get_policy()
++    else:
++        # empty policy file means simply enable strict verification
++        _create_default_https_context = create_default_context
++
++except ImportError:
++    # policy not present, disable verification for backwards compatibility
++    _create_default_https_context = _create_unverified_context
  
  
  # Backwards compatibility alias, even though it's not a public name.

python-base.changes

@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Mon Sep 14 15:04:43 UTC 2015 - jmatejek@suse.com
+
+- copy strict-tls-checks subpackage from SLE to retain future compatibility
+  (not built in openSUSE)
+- do this properly to fix bnc#945401
+
+-------------------------------------------------------------------
+Wed Sep  9 12:19:01 UTC 2015 - dimstar@opensuse.org
+
+- Add python-ncurses-6.0-accessors.patch: Fix build with
+  NCurses 6.0 and OPAQUE_WINDOW set to 1.
+
 -------------------------------------------------------------------
 Wed Jun 10 11:19:58 UTC 2015 - dmueller@suse.com
 

python-base.spec

@@ -54,6 +54,8 @@ Patch31:        python-2.7.7-mhlib-linkcount.patch
 Patch33:        python-2.7.9-ssl_ca_path.patch
 # PATCH-FEATURE-SLE disable SSL verification-by-default in http clients
 Patch34:        python-2.7.9-sles-disable-verification-by-default.patch
+# PATCH-FIX-UPSTREAM python-ncurses-6.0-accessors.patch dimstar@opensuse.org -- Fix build with NCurses 6.0 and OPAQUE_WINDOW set to 1
+Patch35:        python-ncurses-6.0-accessors.patch
 # COMMON-PATCH-END
 %define         python_version    %(echo %{tarversion} | head -c 3)
 BuildRequires:  automake
@@ -143,9 +145,10 @@ other applications.
 %patch24 -p1
 %patch31 -p1
 %patch33 -p1
-%if %{suse_version} == 1315
+%if %{suse_version} == 1315 && !0%{?is_opensuse}
 %patch34 -p1
 %endif
+%patch35 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac

python-doc.spec

@@ -55,6 +55,8 @@ Patch31:        python-2.7.7-mhlib-linkcount.patch
 Patch33:        python-2.7.9-ssl_ca_path.patch
 # PATCH-FEATURE-SLE disable SSL verification-by-default in http clients
 Patch34:        python-2.7.9-sles-disable-verification-by-default.patch
+# PATCH-FIX-UPSTREAM python-ncurses-6.0-accessors.patch dimstar@opensuse.org -- Fix build with NCurses 6.0 and OPAQUE_WINDOW set to 1
+Patch35:        python-ncurses-6.0-accessors.patch
 # COMMON-PATCH-END
 Provides:       pyth_doc
 Provides:       pyth_ps
@@ -98,9 +100,10 @@ Python, and Macintosh Module Reference in PDF format.
 %patch24 -p1
 %patch31 -p1
 %patch33 -p1
-%if %{suse_version} == 1315
+%if %{suse_version} == 1315 && !0%{?is_opensuse}
 %patch34 -p1
 %endif
+%patch35 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac

python-ncurses-6.0-accessors.patch

@@ -0,0 +1,40 @@
+Index: Python-2.7.10/Modules/_cursesmodule.c
+===================================================================
+--- Python-2.7.10.orig/Modules/_cursesmodule.c
++++ Python-2.7.10/Modules/_cursesmodule.c
+@@ -807,7 +807,7 @@ PyCursesWindow_EchoChar(PyCursesWindowOb
+     }
+ 
+ #ifdef WINDOW_HAS_FLAGS
+-    if (self->win->_flags & _ISPAD)
++    if (is_pad(self->win))
+         return PyCursesCheckERR(pechochar(self->win, ch | attr),
+                                 "echochar");
+     else
+@@ -1237,7 +1237,7 @@ PyCursesWindow_NoOutRefresh(PyCursesWind
+ #ifndef WINDOW_HAS_FLAGS
+     if (0)
+ #else
+-        if (self->win->_flags & _ISPAD)
++        if (is_pad(self->win))
+ #endif
+         {
+             switch(PyTuple_Size(args)) {
+@@ -1380,7 +1380,7 @@ PyCursesWindow_Refresh(PyCursesWindowObj
+ #ifndef WINDOW_HAS_FLAGS
+     if (0)
+ #else
+-        if (self->win->_flags & _ISPAD)
++        if (is_pad(self->win))
+ #endif
+         {
+             switch(PyTuple_Size(args)) {
+@@ -1447,7 +1447,7 @@ PyCursesWindow_SubWin(PyCursesWindowObje
+ 
+     /* printf("Subwin: %i %i %i %i   \n", nlines, ncols, begin_y, begin_x); */
+ #ifdef WINDOW_HAS_FLAGS
+-    if (self->win->_flags & _ISPAD)
++    if (is_pad(self->win))
+         win = subpad(self->win, nlines, ncols, begin_y, begin_x);
+     else
+ #endif

python.changes

@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Mon Sep 14 15:03:30 UTC 2015 - jmatejek@suse.com
+
+- implement python-strict-tls-checks subpackage
+  * when present, Python will perform TLS certificate checking by default.
+    it is possible to remove the package to turn off the checks
+    for compatibility with legacy scripts.
+  * as discussed in fate#318300
+  * this is not built for openSUSE, but retained here in case we want
+    to build the package for a SLE system
+
+-------------------------------------------------------------------
+Wed Sep  9 12:18:20 UTC 2015 - dimstar@opensuse.org
+
+- Add python-ncurses-6.0-accessors.patch: Fix build with
+  NCurses 6.0 and OPAQUE_WINDOW set to 1.
+
 -------------------------------------------------------------------
 Sun May 24 14:36:10 UTC 2015 - michael@stroeder.com
 

python.spec

@@ -30,6 +30,7 @@ Source1:        README.SUSE
 Source2:        pythonstart
 Source3:        python.sh
 Source4:        python.csh
+Source8:        sle_tls_checks_policy.py
 #Source11:       testfiles.tar.bz2
 # issues with copyrighted Unicode testing files
 
@@ -59,6 +60,8 @@ Patch31:        python-2.7.7-mhlib-linkcount.patch
 Patch33:        python-2.7.9-ssl_ca_path.patch
 # PATCH-FEATURE-SLE disable SSL verification-by-default in http clients
 Patch34:        python-2.7.9-sles-disable-verification-by-default.patch
+# PATCH-FIX-UPSTREAM python-ncurses-6.0-accessors.patch dimstar@opensuse.org -- Fix build with NCurses 6.0 and OPAQUE_WINDOW set to 1
+Patch35:        python-ncurses-6.0-accessors.patch
 # COMMON-PATCH-END
 BuildRequires:  automake
 BuildRequires:  db-devel
@@ -76,6 +79,9 @@ BuildRequires:  pkgconfig(x11)
 %define         python_version    %(echo %{tarversion} | head -c 3)
 %define         idle_name         idle
 Requires:       python-base = %{version}
+%if %{suse_version} == 1315 && !0%{?is_opensuse}
+Recommends:     python-strict-tls-check
+%endif
 Provides:       %{name} = %{python_version}
 Obsoletes:      python-elementtree
 Obsoletes:      python-nothreads
@@ -160,6 +166,23 @@ Provides:       pygdmod
 An easy to use interface for GDBM databases. GDBM is the GNU
 implementation of the standard Unix DBM databases.
 
+%if %{suse_version} == 1315 && !0%{?is_opensuse}
+%package strict-tls-check
+Summary:        Enable secure verification of TLS certificates
+Group:          Development/Libraries/Python
+Requires:       %{name} = %{version}
+Supplements:    %{name}
+
+%description strict-tls-check
+When this package is present, Python performs strict verification of
+TLS certificates, including hostname check, by default. This is
+the preferred secure setting.
+
+It is distributed as a separate package, because this behavior
+can cause verification errors in improperly written legacy scripts
+that rely on earlier non-verification behavior.
+%endif
+
 %prep
 %setup -q -n %{tarname}
 # COMMON-PREP-BEGIN
@@ -178,14 +201,19 @@ implementation of the standard Unix DBM databases.
 %patch24 -p1
 %patch31 -p1
 %patch33 -p1
-%if %{suse_version} == 1315
+%if %{suse_version} == 1315 && !0%{?is_opensuse}
 %patch34 -p1
 %endif
+%patch35 -p1
 
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
 # COMMON-PREP-END
 
+%if %{suse_version} == 1315 && !0%{?is_opensuse}
+cp %{SOURCE8} Lib/
+%endif
+
 %build
 # necessary for correct linking with GDBM:
 export SUSE_ASNEEDED=0
@@ -247,7 +275,9 @@ rm %{buildroot}%{_bindir}/2to3
 rm %{buildroot}%{_mandir}/man1/python*
 rm %{buildroot}%{_libdir}/libpython*.so.*
 rm %{buildroot}%{_libdir}/python
-find %{buildroot}%{_libdir}/python%{python_version} -maxdepth 1 ! \( -name "ssl.py" \) -exec rm {} ";"
+find %{buildroot}%{_libdir}/python%{python_version} -maxdepth 1 \
+    ! \( -name "ssl.py*" -o -name "sle_tls_checks_policy.py*" \) \
+    -exec rm {} ";"
 rm %{buildroot}%{_bindir}/python%{python_version}-config
 rm %{buildroot}%{_bindir}/python2-config
 rm %{buildroot}%{_bindir}/python-config
@@ -401,6 +431,12 @@ install -m 644 %{SOURCE3} %{SOURCE4} %{buildroot}%{_sysconfdir}/profile.d
 %{_libdir}/python%{python_version}/lib-dynload/gdbm.so
 %{_libdir}/python%{python_version}/lib-dynload/dbm.so
 
+%if %{suse_version} == 1315 && !0%{?is_opensuse}
+%files strict-tls-check
+%defattr(644, root, root, 755)
+%{_libdir}/python%{python_version}/sle_tls_checks_policy.py*
+%endif
+
 %files
 %defattr(644, root, root, 755)
 %dir %{_docdir}/%{name}

sle_tls_checks_policy.py

@@ -0,0 +1,4 @@
+import ssl
+
+def get_policy():
+    return ssl.create_default_context