- copy strict-tls-checks subpackage from SLE to retain future compatibility

(not built in openSUSE)
- do this properly to fix bnc#945401

- implement python-strict-tls-checks subpackage
  * when present, Python will perform TLS certificate checking by default.
    it is possible to remove the package to turn off the checks
    for compatibility with legacy scripts.
  * as discussed in fate#318300
  * this is not built for openSUSE, but retained here in case we want
    to build the package for a SLE system

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=188
Jan Matejek 2015-09-14 15:36:31 +00:00 committed by Git OBS Bridge
parent fd8094b044
commit c890c9fda8
7 changed files with 74 additions and 9 deletions


@ -1,14 +1,24 @@
Index: Python-2.7.9/Lib/ssl.py Index: Python-2.7.9/Lib/ssl.py
=================================================================== ===================================================================
--- Python-2.7.9.orig/Lib/ssl.py 2015-05-14 15:02:05.872792333 +0200 --- Python-2.7.9.orig/Lib/ssl.py 2015-08-12 15:53:27.419729448 +0200
+++ Python-2.7.9/Lib/ssl.py 2015-05-14 15:23:27.874013424 +0200 +++ Python-2.7.9/Lib/ssl.py 2015-08-12 15:58:10.668465183 +0200
@@ -469,7 +469,8 @@ @@ -469,7 +469,18 @@
return context return context
# Used by http.client if no context is explicitly passed. # Used by http.client if no context is explicitly passed.
-_create_default_https_context = create_default_context -_create_default_https_context = create_default_context
+# PATCH-SLE: still use unverified context. see PEP476 +try:
+_create_default_https_context = _create_unverified_context + # load the TLS checks policy from separate package
+ import sle_tls_checks_policy as policy
+ if policy.get_policy:
+ _create_default_https_context = policy.get_policy()
+ else:
+ # empty policy file means simply enable strict verification
+ _create_default_https_context = create_default_context
+
+except ImportError:
+ # policy not present, disable verification for backwards compatibility
+ _create_default_https_context = _create_unverified_context
# Backwards compatibility alias, even though it's not a public name. # Backwards compatibility alias, even though it's not a public name.
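Review bot: `if policy.get_policy:` does not implement the "empty policy file" case described in the comment two lines below it: a module that lacks a `get_policy` attribute raises AttributeError, which is not an ImportError, so it escapes the `except ImportError:` handler and breaks `import ssl` outright instead of falling through to `create_default_context`. Use `getattr(policy, 'get_policy', None)` in the condition. Note also the fail-open shape of the hunk: any ImportError, including one raised from inside the policy module itself, silently selects `_create_unverified_context`; a `warnings.warn` in that branch would make the downgrade visible to administrators reading logs.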


@ -1,3 +1,10 @@
-------------------------------------------------------------------
Mon Sep 14 15:04:43 UTC 2015 - jmatejek@suse.com
- copy strict-tls-checks subpackage from SLE to retain future compatibility
(not built in openSUSE)
- do this properly to fix bnc#945401
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Sep 9 12:19:01 UTC 2015 - dimstar@opensuse.org Wed Sep 9 12:19:01 UTC 2015 - dimstar@opensuse.org


@ -145,7 +145,7 @@ other applications.
%patch24 -p1 %patch24 -p1
%patch31 -p1 %patch31 -p1
%patch33 -p1 %patch33 -p1
%if %{suse_version} == 1315 %if %{suse_version} == 1315 && !0%{?is_opensuse}
%patch34 -p1 %patch34 -p1
%endif %endif
%patch35 -p1 %patch35 -p1
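Review bot: the added `&& !0%{?is_opensuse}` stops patch34 from being applied on openSUSE builds with suse_version 1315, so those builds keep upstream's `_create_default_https_context = create_default_context` (the `-` side of the ssl.py hunk above) and verify certificates unconditionally, while SLE keeps the policy-module fallback. That is a user-visible behaviour change for openSUSE which the changelog line "(not built in openSUSE)" only describes from the packaging side; spell it out in the changelog. The same guard is repeated at every `%patch34` site in the other spec files, so keep them in sync when it changes.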


@ -100,7 +100,7 @@ Python, and Macintosh Module Reference in PDF format.
%patch24 -p1 %patch24 -p1
%patch31 -p1 %patch31 -p1
%patch33 -p1 %patch33 -p1
%if %{suse_version} == 1315 %if %{suse_version} == 1315 && !0%{?is_opensuse}
%patch34 -p1 %patch34 -p1
%endif %endif
%patch35 -p1 %patch35 -p1


@ -1,3 +1,14 @@
-------------------------------------------------------------------
Mon Sep 14 15:03:30 UTC 2015 - jmatejek@suse.com
- implement python-strict-tls-checks subpackage
* when present, Python will perform TLS certificate checking by default.
it is possible to remove the package to turn off the checks
for compatibility with legacy scripts.
* as discussed in fate#318300
* this is not built for openSUSE, but retained here in case we want
to build the package for a SLE system
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Sep 9 12:18:20 UTC 2015 - dimstar@opensuse.org Wed Sep 9 12:18:20 UTC 2015 - dimstar@opensuse.org


@ -30,6 +30,7 @@ Source1: README.SUSE
Source2: pythonstart Source2: pythonstart
Source3: python.sh Source3: python.sh
Source4: python.csh Source4: python.csh
Source8: sle_tls_checks_policy.py
#Source11: testfiles.tar.bz2 #Source11: testfiles.tar.bz2
# issues with copyrighted Unicode testing files # issues with copyrighted Unicode testing files
@ -78,6 +79,9 @@ BuildRequires: pkgconfig(x11)
%define python_version %(echo %{tarversion} | head -c 3) %define python_version %(echo %{tarversion} | head -c 3)
%define idle_name idle %define idle_name idle
Requires: python-base = %{version} Requires: python-base = %{version}
%if %{suse_version} == 1315 && !0%{?is_opensuse}
Recommends: python-strict-tls-check
%endif
Provides: %{name} = %{python_version} Provides: %{name} = %{python_version}
Obsoletes: python-elementtree Obsoletes: python-elementtree
Obsoletes: python-nothreads Obsoletes: python-nothreads
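Review bot: the subpackage name is inconsistent between spec and changelog: `Recommends: python-strict-tls-check` and the `%package strict-tls-check` below define a singular name, while the changelog hunk above says "implement python-strict-tls-checks subpackage" and the commit message also uses "strict-tls-checks". Pick one spelling, because anyone following the changelog to remove or install python-strict-tls-checks will not find that package. The `Recommends:` here also duplicates the `Supplements: %{name}` in the subpackage; one of the two soft dependencies is enough.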
@ -162,6 +166,23 @@ Provides: pygdmod
An easy to use interface for GDBM databases. GDBM is the GNU An easy to use interface for GDBM databases. GDBM is the GNU
implementation of the standard Unix DBM databases. implementation of the standard Unix DBM databases.
%if %{suse_version} == 1315 && !0%{?is_opensuse}
%package strict-tls-check
Summary: Enable secure verification of TLS certificates
Group: Development/Libraries/Python
Requires: %{name} = %{version}
Supplements: %{name}
%description strict-tls-check
When this package is present, Python performs strict verification of
TLS certificates, including hostname check, by default. This is
the preferred secure setting.
It is distributed as a separate package, because this behavior
can cause verification errors in improperly written legacy scripts
that rely on earlier non-verification behavior.
%endif
%prep %prep
%setup -q -n %{tarname} %setup -q -n %{tarname}
# COMMON-PREP-BEGIN # COMMON-PREP-BEGIN
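Review bot: `%description strict-tls-check` says what happens when the package is present but not what happens when it is removed; per the ssl.py hunk the fallback is `_create_unverified_context`, so every HTTPS client relying on the default context stops checking both the certificate chain and the hostname. State that explicitly in the description, so that removing the package is understood as a system-wide downgrade rather than a per-script compatibility knob.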
@ -180,7 +201,7 @@ implementation of the standard Unix DBM databases.
%patch24 -p1 %patch24 -p1
%patch31 -p1 %patch31 -p1
%patch33 -p1 %patch33 -p1
%if %{suse_version} == 1315 %if %{suse_version} == 1315 && !0%{?is_opensuse}
%patch34 -p1 %patch34 -p1
%endif %endif
%patch35 -p1 %patch35 -p1
@ -189,6 +210,10 @@ implementation of the standard Unix DBM databases.
sed -i 's/^version_required/dnl version_required/' configure.ac sed -i 's/^version_required/dnl version_required/' configure.ac
# COMMON-PREP-END # COMMON-PREP-END
%if %{suse_version} == 1315 && !0%{?is_opensuse}
cp %{SOURCE8} Lib/
%endif
%build %build
# necessary for correct linking with GDBM: # necessary for correct linking with GDBM:
export SUSE_ASNEEDED=0 export SUSE_ASNEEDED=0
@ -250,7 +275,9 @@ rm %{buildroot}%{_bindir}/2to3
rm %{buildroot}%{_mandir}/man1/python* rm %{buildroot}%{_mandir}/man1/python*
rm %{buildroot}%{_libdir}/libpython*.so.* rm %{buildroot}%{_libdir}/libpython*.so.*
rm %{buildroot}%{_libdir}/python rm %{buildroot}%{_libdir}/python
find %{buildroot}%{_libdir}/python%{python_version} -maxdepth 1 ! \( -name "ssl.py" \) -exec rm {} ";" find %{buildroot}%{_libdir}/python%{python_version} -maxdepth 1 \
! \( -name "ssl.py*" -o -name "sle_tls_checks_policy.py*" \) \
-exec rm {} ";"
rm %{buildroot}%{_bindir}/python%{python_version}-config rm %{buildroot}%{_bindir}/python%{python_version}-config
rm %{buildroot}%{_bindir}/python2-config rm %{buildroot}%{_bindir}/python2-config
rm %{buildroot}%{_bindir}/python-config rm %{buildroot}%{_bindir}/python-config
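Review bot: the keep-list of the `find ... -exec rm` changed from `-name "ssl.py"` to `-name "ssl.py*"`, so ssl.pyc and ssl.pyo are now retained in the buildroot alongside the new `sle_tls_checks_policy.py*`. Make sure the `%files` list for this package uses a matching `ssl.py*` glob, otherwise rpmbuild fails on unpackaged files. If keeping the ssl byte-code files is intentional it deserves its own changelog line, since it is unrelated to the TLS policy.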
@ -404,6 +431,12 @@ install -m 644 %{SOURCE3} %{SOURCE4} %{buildroot}%{_sysconfdir}/profile.d
%{_libdir}/python%{python_version}/lib-dynload/gdbm.so %{_libdir}/python%{python_version}/lib-dynload/gdbm.so
%{_libdir}/python%{python_version}/lib-dynload/dbm.so %{_libdir}/python%{python_version}/lib-dynload/dbm.so
%if %{suse_version} == 1315 && !0%{?is_opensuse}
%files strict-tls-check
%defattr(644, root, root, 755)
%{_libdir}/python%{python_version}/sle_tls_checks_policy.py*
%endif
%files %files
%defattr(644, root, root, 755) %defattr(644, root, root, 755)
%dir %{_docdir}/%{name} %dir %{_docdir}/%{name}

sle_tls_checks_policy.py Normal file

@ -0,0 +1,4 @@
import ssl
def get_policy():
return ssl.create_default_context
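Review bot: `import ssl` at the top of this module is a circular import, since ssl.py imports `sle_tls_checks_policy` while ssl itself is still initialising. It works only because the import site in ssl.py comes after `create_default_context` is defined and `get_policy()` resolves the attribute at call time; record that ordering dependency in a comment here, and keep `get_policy` returning the factory function rather than a context, because ssl.py assigns its result to `_create_default_https_context`. Because this file executes on every `import ssl`, a syntax error in it surfaces as SyntaxError, which the `except ImportError:` in ssl.py does not catch, so it should stay as minimal as it is now.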