Use LLVM21 to build python314

Add patch gh138498-llvm-version-config.patch
bsc#1254826, gh#python/cpython#138498

.gitignore

@@ -2,5 +2,4 @@
 *.obscpio
 _build.*
 .pbuild
-*.orig
 python314-*-build/

CVE-2024-6923-follow-up-EOL-email-headers.patch

@@ -1,41 +0,0 @@
-From 5a8bfd878f086e28f0849bbc3970ad92f6ba37dc Mon Sep 17 00:00:00 2001
-From: Seth Michael Larson <seth@python.org>
-Date: Fri, 23 Jan 2026 08:59:35 -0600
-Subject: [PATCH] gh-144125: email: verify headers are sound in BytesGenerator
- (cherry picked from commit 052e55e7d44718fe46cbba0ca995cb8fcc359413)
-
-Co-authored-by: Seth Michael Larson <seth@python.org>
-Co-authored-by: Denis Ledoux <dle@odoo.com>
-Co-authored-by: Denis Ledoux <5822488+beledouxdenis@users.noreply.github.com>
-Co-authored-by: Petr Viktorin <302922+encukou@users.noreply.github.com>
-Co-authored-by: Bas Bloemsaat <1586868+basbloemsaat@users.noreply.github.com>
----
- Lib/test/test_email/test_policy.py                                       |    4 ++++
- Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst |    4 ++++
- 2 files changed, 8 insertions(+)
- create mode 100644 Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst
-
-Index: Python-3.14.3/Lib/test/test_email/test_policy.py
-===================================================================
---- Python-3.14.3.orig/Lib/test/test_email/test_policy.py	2026-02-03 16:32:20.000000000 +0100
-+++ Python-3.14.3/Lib/test/test_email/test_policy.py	2026-02-13 17:09:32.641745760 +0100
-@@ -323,6 +323,10 @@
-                     message.as_bytes(),
-                     f"{text}\nBody".encode(),
-                 )
-+                self.assertEqual(
-+                    message.as_bytes(),
-+                    f"{text}\nBody".encode(),
-+                )
- 
-     # XXX: Need subclassing tests.
-     # For adding subclassed objects, make sure the usual rules apply (subclass
-Index: Python-3.14.3/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst
-===================================================================
---- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ Python-3.14.3/Misc/NEWS.d/next/Security/2026-01-21-12-34-05.gh-issue-144125.TAz5uo.rst	2026-02-13 17:09:32.642152246 +0100
-@@ -0,0 +1,4 @@
-+:mod:`~email.generator.BytesGenerator` will now refuse to serialize (write) headers
-+that are unsafely folded or delimited; see
-+:attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas
-+Bloemsaat and Petr Viktorin in :gh:`121650`).

CVE-2025-12781-b64decode-alt-chars.patch

@@ -1,196 +0,0 @@
-From f922c02c529d25d61aa9c28a8192639c1fce8d4d Mon Sep 17 00:00:00 2001
-From: Serhiy Storchaka <storchaka@gmail.com>
-Date: Wed, 5 Nov 2025 20:12:31 +0200
-Subject: [PATCH] gh-125346: Add more base64 tests
-
-Add more tests for the altchars argument of b64decode() and for the map01
-argument of b32decode().
----
- Doc/library/base64.rst                                                  |   18 ++--
- Lib/base64.py                                                           |   40 +++++++-
- Lib/test/test_base64.py                                                 |   45 ++++++++--
- Misc/NEWS.d/next/Library/2025-11-06-12-03-29.gh-issue-125346.7Gfpgw.rst |    5 +
- 4 files changed, 91 insertions(+), 17 deletions(-)
-
-Index: Python-3.14.3/Doc/library/base64.rst
-===================================================================
---- Python-3.14.3.orig/Doc/library/base64.rst	2026-02-03 16:32:20.000000000 +0100
-+++ Python-3.14.3/Doc/library/base64.rst	2026-02-13 15:43:18.030360439 +0100
-@@ -77,15 +77,20 @@
-    A :exc:`binascii.Error` exception is raised
-    if *s* is incorrectly padded.
- 
--   If *validate* is ``False`` (the default), characters that are neither
-+   If *validate* is false (the default), characters that are neither
-    in the normal base-64 alphabet nor the alternative alphabet are
--   discarded prior to the padding check.  If *validate* is ``True``,
--   these non-alphabet characters in the input result in a
--   :exc:`binascii.Error`.
-+   discarded prior to the padding check, but the ``+`` and ``/`` characters
-+   keep their meaning if they are not in *altchars* (they will be discarded
-+   in future Python versions).
-+   If *validate* is true, these non-alphabet characters in the input
-+   result in a :exc:`binascii.Error`.
- 
-    For more information about the strict base64 check, see :func:`binascii.a2b_base64`
- 
--   May assert or raise a :exc:`ValueError` if the length of *altchars* is not 2.
-+   .. deprecated:: next
-+      Accepting the ``+`` and ``/`` characters with an alternative alphabet
-+      is now deprecated.
-+
- 
- .. function:: standard_b64encode(s)
- 
-@@ -116,6 +121,9 @@
-    ``/`` in the standard Base64 alphabet, and return the decoded
-    :class:`bytes`.
- 
-+   .. deprecated:: next
-+      Accepting the ``+`` and ``/`` characters is now deprecated.
-+
- 
- .. function:: b32encode(s)
- 
-Index: Python-3.14.3/Lib/base64.py
-===================================================================
---- Python-3.14.3.orig/Lib/base64.py	2026-02-13 15:20:33.905228929 +0100
-+++ Python-3.14.3/Lib/base64.py	2026-02-13 15:43:18.030771327 +0100
-@@ -69,20 +69,39 @@
-     The result is returned as a bytes object.  A binascii.Error is raised if
-     s is incorrectly padded.
- 
--    If validate is False (the default), characters that are neither in the
-+    If validate is false (the default), characters that are neither in the
-     normal base-64 alphabet nor the alternative alphabet are discarded prior
--    to the padding check.  If validate is True, these non-alphabet characters
-+    to the padding check.  If validate is true, these non-alphabet characters
-     in the input result in a binascii.Error.
-     For more information about the strict base64 check, see:
- 
-     https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
-     """
-     s = _bytes_from_decode_data(s)
-+    badchar = None
-     if altchars is not None:
-         altchars = _bytes_from_decode_data(altchars)
--        assert len(altchars) == 2, repr(altchars)
-+        if len(altchars) != 2:
-+            raise ValueError(f'invalid altchars: {altchars!r}')
-+        for b in b'+/':
-+            if b not in altchars and b in s:
-+                badchar = b
-+                break
-         s = s.translate(bytes.maketrans(altchars, b'+/'))
--    return binascii.a2b_base64(s, strict_mode=validate)
-+    result = binascii.a2b_base64(s, strict_mode=validate)
-+    if badchar is not None:
-+        import warnings
-+        if validate:
-+            warnings.warn(f'invalid character {chr(badchar)!a} in Base64 data '
-+                          f'with altchars={altchars!r} and validate=True '
-+                          f'will be an error in future Python versions',
-+                          DeprecationWarning, stacklevel=2)
-+        else:
-+            warnings.warn(f'invalid character {chr(badchar)!a} in Base64 data '
-+                          f'with altchars={altchars!r} and validate=False '
-+                          f'will be discarded in future Python versions',
-+                          FutureWarning, stacklevel=2)
-+    return result
- 
- 
- def standard_b64encode(s):
-@@ -127,8 +146,19 @@
-     The alphabet uses '-' instead of '+' and '_' instead of '/'.
-     """
-     s = _bytes_from_decode_data(s)
-+    badchar = None
-+    for b in b'+/':
-+        if b in s:
-+            badchar = b
-+            break
-     s = s.translate(_urlsafe_decode_translation)
--    return b64decode(s)
-+    result = binascii.a2b_base64(s, strict_mode=False)
-+    if badchar is not None:
-+        import warnings
-+        warnings.warn(f'invalid character {chr(badchar)!a} in URL-safe Base64 data '
-+                      f'will be discarded in future Python versions',
-+                      FutureWarning, stacklevel=2)
-+    return result
- 
- 
- 
-Index: Python-3.14.3/Lib/test/test_base64.py
-===================================================================
---- Python-3.14.3.orig/Lib/test/test_base64.py	2026-02-13 15:20:35.393785541 +0100
-+++ Python-3.14.3/Lib/test/test_base64.py	2026-02-13 15:43:18.031706655 +0100
-@@ -242,6 +242,25 @@
-             eq(base64.b64decode(data, altchars=altchars_str), res)
-             eq(base64.b64decode(data_str, altchars=altchars_str), res)
- 
-+    def test_b64decode_altchars(self):
-+        # Test with arbitrary alternative characters
-+        eq = self.assertEqual
-+        res = b'\xd3V\xbeo\xf7\x1d'
-+        for altchars in b'*$', b'+/', b'/+', b'+_', b'-+', b'-/', b'/_':
-+            data = b'01a%cb%ccd' % tuple(altchars)
-+            data_str = data.decode('ascii')
-+            altchars_str = altchars.decode('ascii')
-+
-+            eq(base64.b64decode(data, altchars=altchars), res)
-+            eq(base64.b64decode(data_str, altchars=altchars), res)
-+            eq(base64.b64decode(data, altchars=altchars_str), res)
-+            eq(base64.b64decode(data_str, altchars=altchars_str), res)
-+
-+        self.assertRaises(ValueError, base64.b64decode, b'', altchars=b'+')
-+        self.assertRaises(ValueError, base64.b64decode, b'', altchars=b'+/-')
-+        self.assertRaises(ValueError, base64.b64decode, '', altchars='+')
-+        self.assertRaises(ValueError, base64.b64decode, '', altchars='+/-')
-+
-     def test_b64decode_padding_error(self):
-         self.assertRaises(binascii.Error, base64.b64decode, b'abc')
-         self.assertRaises(binascii.Error, base64.b64decode, 'abc')
-@@ -273,13 +292,25 @@
-             with self.assertRaises(binascii.Error):
-                 base64.b64decode(bstr.decode('ascii'), validate=True)
- 
--        # Normal alphabet characters not discarded when alternative given
--        res = b'\xfb\xef\xff'
--        self.assertEqual(base64.b64decode(b'++//', validate=True), res)
--        self.assertEqual(base64.b64decode(b'++//', '-_', validate=True), res)
--        self.assertEqual(base64.b64decode(b'--__', '-_', validate=True), res)
--        self.assertEqual(base64.urlsafe_b64decode(b'++//'), res)
--        self.assertEqual(base64.urlsafe_b64decode(b'--__'), res)
-+        # Normal alphabet characters will be discarded when alternative given
-+        with self.assertWarns(FutureWarning):
-+            self.assertEqual(base64.b64decode(b'++++', altchars=b'-_'),
-+                             b'\xfb\xef\xbe')
-+        with self.assertWarns(FutureWarning):
-+            self.assertEqual(base64.b64decode(b'////', altchars=b'-_'),
-+                             b'\xff\xff\xff')
-+        with self.assertWarns(DeprecationWarning):
-+            self.assertEqual(base64.b64decode(b'++++', altchars=b'-_', validate=True),
-+                             b'\xfb\xef\xbe')
-+        with self.assertWarns(DeprecationWarning):
-+            self.assertEqual(base64.b64decode(b'////', altchars=b'-_', validate=True),
-+                             b'\xff\xff\xff')
-+        with self.assertWarns(FutureWarning):
-+            self.assertEqual(base64.urlsafe_b64decode(b'++++'), b'\xfb\xef\xbe')
-+        with self.assertWarns(FutureWarning):
-+            self.assertEqual(base64.urlsafe_b64decode(b'////'), b'\xff\xff\xff')
-+        with self.assertRaises(binascii.Error):
-+            base64.b64decode(b'+/!', altchars=b'-_')
- 
-     def test_b32encode(self):
-         eq = self.assertEqual
-Index: Python-3.14.3/Misc/NEWS.d/next/Library/2025-11-06-12-03-29.gh-issue-125346.7Gfpgw.rst
-===================================================================
---- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ Python-3.14.3/Misc/NEWS.d/next/Library/2025-11-06-12-03-29.gh-issue-125346.7Gfpgw.rst	2026-02-13 15:43:18.032082102 +0100
-@@ -0,0 +1,5 @@
-+Accepting ``+`` and ``/`` characters with an alternative alphabet in
-+:func:`base64.b64decode` and :func:`base64.urlsafe_b64decode` is now
-+deprecated.
-+In future Python versions they will be errors in the strict mode and
-+discarded in the non-strict mode.

CVE-2025-15366-imap-ctrl-chars.patch

@@ -1,56 +0,0 @@
-From 7485ee5e2cf81d3e5ad0d9c3be73cecd2ab4eec7 Mon Sep 17 00:00:00 2001
-From: Seth Michael Larson <seth@python.org>
-Date: Fri, 16 Jan 2026 10:54:09 -0600
-Subject: [PATCH 1/2] Add 'test.support' fixture for C0 control characters
-
----
- Lib/imaplib.py                                                           |    4 +++-
- Lib/test/test_imaplib.py                                                 |    6 ++++++
- Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst |    1 +
- 3 files changed, 10 insertions(+), 1 deletion(-)
-
-Index: Python-3.14.3/Lib/imaplib.py
-===================================================================
---- Python-3.14.3.orig/Lib/imaplib.py	2026-02-13 15:20:34.675850664 +0100
-+++ Python-3.14.3/Lib/imaplib.py	2026-02-13 15:43:20.726880248 +0100
-@@ -131,7 +131,7 @@
- # We compile these in _mode_xxx.
- _Literal = br'.*{(?P<size>\d+)}$'
- _Untagged_status = br'\* (?P<data>\d+) (?P<type>[A-Z-]+)( (?P<data2>.*))?'
--
-+_control_chars = re.compile(b'[\x00-\x1F\x7F]')
- 
- 
- class IMAP4:
-@@ -1108,6 +1108,8 @@
-             if arg is None: continue
-             if isinstance(arg, str):
-                 arg = bytes(arg, self._encoding)
-+            if _control_chars.search(arg):
-+                raise ValueError("Control characters not allowed in commands")
-             data = data + b' ' + arg
- 
-         literal = self.literal
-Index: Python-3.14.3/Lib/test/test_imaplib.py
-===================================================================
---- Python-3.14.3.orig/Lib/test/test_imaplib.py	2026-02-13 15:20:36.132236378 +0100
-+++ Python-3.14.3/Lib/test/test_imaplib.py	2026-02-13 15:43:20.727593302 +0100
-@@ -663,6 +663,12 @@
-         self.assertEqual(data[0], b'Returned to authenticated state. (Success)')
-         self.assertEqual(client.state, 'AUTH')
- 
-+    def test_control_characters(self):
-+        client, _ = self._setup(SimpleIMAPHandler)
-+        for c0 in support.control_characters_c0():
-+            with self.assertRaises(ValueError):
-+                client.login(f'user{c0}', 'pass')
-+
-     # property tests
- 
-     def test_file_property_should_not_be_accessed(self):
-Index: Python-3.14.3/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst
-===================================================================
---- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ Python-3.14.3/Misc/NEWS.d/next/Security/2026-01-16-11-41-06.gh-issue-143921.AeCOor.rst	2026-02-13 15:43:20.727873249 +0100
-@@ -0,0 +1 @@
-+Reject control characters in IMAP commands.

CVE-2025-15367-poplib-ctrl-chars.patch

@@ -1,56 +0,0 @@
-From b6f733b285b1c4f27dacb5c2e1f292c914e8b933 Mon Sep 17 00:00:00 2001
-From: Seth Michael Larson <seth@python.org>
-Date: Fri, 16 Jan 2026 10:54:09 -0600
-Subject: [PATCH 1/2] Add 'test.support' fixture for C0 control characters
-
----
- Lib/poplib.py                                                            |    2 ++
- Lib/test/test_poplib.py                                                  |    8 ++++++++
- Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst |    1 +
- 3 files changed, 11 insertions(+)
-
-Index: Python-3.14.3/Lib/poplib.py
-===================================================================
---- Python-3.14.3.orig/Lib/poplib.py	2026-02-13 15:20:34.865869684 +0100
-+++ Python-3.14.3/Lib/poplib.py	2026-02-13 15:43:22.865622881 +0100
-@@ -122,6 +122,8 @@
-     def _putcmd(self, line):
-         if self._debugging: print('*cmd*', repr(line))
-         line = bytes(line, self.encoding)
-+        if re.search(b'[\x00-\x1F\x7F]', line):
-+            raise ValueError('Control characters not allowed in commands')
-         self._putline(line)
- 
- 
-Index: Python-3.14.3/Lib/test/test_poplib.py
-===================================================================
---- Python-3.14.3.orig/Lib/test/test_poplib.py	2026-02-13 15:20:36.695240465 +0100
-+++ Python-3.14.3/Lib/test/test_poplib.py	2026-02-13 15:43:22.865782353 +0100
-@@ -17,6 +17,7 @@
- from test.support import threading_helper
- from test.support import asynchat
- from test.support import asyncore
-+from test.support import control_characters_c0
- 
- 
- test_support.requires_working_socket(module=True)
-@@ -395,6 +396,13 @@
-         self.assertIsNone(self.client.sock)
-         self.assertIsNone(self.client.file)
- 
-+    def test_control_characters(self):
-+        for c0 in control_characters_c0():
-+            with self.assertRaises(ValueError):
-+                self.client.user(f'user{c0}')
-+            with self.assertRaises(ValueError):
-+                self.client.pass_(f'{c0}pass')
-+
-     @requires_ssl
-     def test_stls_capa(self):
-         capa = self.client.capa()
-Index: Python-3.14.3/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst
-===================================================================
---- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ Python-3.14.3/Misc/NEWS.d/next/Security/2026-01-16-11-43-47.gh-issue-143923.DuytMe.rst	2026-02-13 15:43:22.866393092 +0100
-@@ -0,0 +1 @@
-+Reject control characters in POP3 commands.

configure-drop-autoconf-ver-req.patch

@@ -1,17 +0,0 @@
----
- configure.ac |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: Python-3.14.3/configure.ac
-===================================================================
---- Python-3.14.3.orig/configure.ac	2026-02-03 16:32:20.000000000 +0100
-+++ Python-3.14.3/configure.ac	2026-02-13 20:23:46.066774038 +0100
-@@ -12,7 +12,7 @@
- # Set VERSION so we only need to edit in one place (i.e., here)
- m4_define([PYTHON_VERSION], [3.14])
- 
--AC_PREREQ([2.72])
-+dnl AC_PREREQ([2.72])
- 
- AC_INIT([python],[PYTHON_VERSION],[https://github.com/python/cpython/issues/])
- 

gh138131-exclude-pycache-from-digest.patch

@@ -0,0 +1,30 @@
+From 4bb41b28d5bac09bccd636d8c5fefe1a462f63a7 Mon Sep 17 00:00:00 2001
+From: Alm <alon.menczer@gmail.com>
+Date: Mon, 25 Aug 2025 08:56:38 +0300
+Subject: [PATCH 1/4] Exclude .pyc files from the computed digest in the jit
+ stencils
+
+---
+ Tools/jit/_targets.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: Python-3.14.0rc2/Tools/jit/_targets.py
+===================================================================
+--- Python-3.14.0rc2.orig/Tools/jit/_targets.py
++++ Python-3.14.0rc2/Tools/jit/_targets.py
+@@ -69,6 +69,9 @@ class _Target(typing.Generic[_S, _R]):
+         hasher.update(PYTHON_EXECUTOR_CASES_C_H.read_bytes())
+         hasher.update((self.pyconfig_dir / "pyconfig.h").read_bytes())
+         for dirpath, _, filenames in sorted(os.walk(TOOLS_JIT)):
++            # Exclude cache files from digest computation to ensure reproducible builds.
++            if dirpath.endswith("__pycache__"):
++                continue
+             for filename in filenames:
+                 hasher.update(pathlib.Path(dirpath, filename).read_bytes())
+         return hasher.hexdigest()
+Index: Python-3.14.0rc2/Misc/NEWS.d/next/Build/2025-08-27-09-52-45.gh-issue-138061.fMVS9w.rst
+===================================================================
+--- /dev/null
++++ Python-3.14.0rc2/Misc/NEWS.d/next/Build/2025-08-27-09-52-45.gh-issue-138061.fMVS9w.rst
+@@ -0,0 +1 @@
++Ensure reproducible builds by making JIT stencil header generation deterministic.

gh138498-llvm-version-config.patch

@@ -0,0 +1,212 @@
+Index: Python-3.14.0/Tools/jit/README.md
+===================================================================
+--- Python-3.14.0.orig/Tools/jit/README.md
++++ Python-3.14.0/Tools/jit/README.md
+@@ -9,7 +9,7 @@ Python 3.11 or newer is required to buil
+ 
+ The JIT compiler does not require end users to install any third-party dependencies, but part of it must be *built* using LLVM[^why-llvm]. You are *not* required to build the rest of CPython using LLVM, or even the same version of LLVM (in fact, this is uncommon).
+ 
+-LLVM version 19 is required. Both `clang` and `llvm-readobj` need to be installed and discoverable (version suffixes, like `clang-19`, are okay). It's highly recommended that you also have `llvm-objdump` available, since this allows the build script to dump human-readable assembly for the generated code.
++LLVM version 19 is the officially supported version. You can modify if needed using the `LLVM_VERSION` env var during configure. Both `clang` and `llvm-readobj` need to be installed and discoverable (version suffixes, like `clang-19`, are okay). It's highly recommended that you also have `llvm-objdump` available, since this allows the build script to dump human-readable assembly for the generated code.
+ 
+ It's easy to install all of the required tools:
+ 
+Index: Python-3.14.0/Tools/jit/_llvm.py
+===================================================================
+--- Python-3.14.0.orig/Tools/jit/_llvm.py
++++ Python-3.14.0/Tools/jit/_llvm.py
+@@ -10,8 +10,8 @@ import typing
+ 
+ import _targets
+ 
+-_LLVM_VERSION = 19
+-_LLVM_VERSION_PATTERN = re.compile(rf"version\s+{_LLVM_VERSION}\.\d+\.\d+\S*\s+")
++
++_LLVM_VERSION = "19"
+ _EXTERNALS_LLVM_TAG = "llvm-19.1.7.0"
+ 
+ _P = typing.ParamSpec("_P")
+@@ -56,53 +56,66 @@ async def _run(tool: str, args: typing.I
+ 
+ 
+ @_async_cache
+-async def _check_tool_version(name: str, *, echo: bool = False) -> bool:
++async def _check_tool_version(
++    name: str, llvm_version: str, *, echo: bool = False
++) -> bool:
+     output = await _run(name, ["--version"], echo=echo)
+-    return bool(output and _LLVM_VERSION_PATTERN.search(output))
++    _llvm_version_pattern = re.compile(rf"version\s+{llvm_version}\.\d+\.\d+\S*\s+")
++    return bool(output and _llvm_version_pattern.search(output))
+ 
+ 
+ @_async_cache
+-async def _get_brew_llvm_prefix(*, echo: bool = False) -> str | None:
+-    output = await _run("brew", ["--prefix", f"llvm@{_LLVM_VERSION}"], echo=echo)
++async def _get_brew_llvm_prefix(llvm_version: str, *, echo: bool = False) -> str | None:
++    output = await _run("brew", ["--prefix", f"llvm@{llvm_version}"], echo=echo)
+     return output and output.removesuffix("\n")
+ 
+ 
+ @_async_cache
+-async def _find_tool(tool: str, *, echo: bool = False) -> str | None:
++async def _find_tool(tool: str, llvm_version: str, *, echo: bool = False) -> str | None:
+     # Unversioned executables:
+     path = tool
+-    if await _check_tool_version(path, echo=echo):
++    if await _check_tool_version(path, llvm_version, echo=echo):
+         return path
+     # Versioned executables:
+-    path = f"{tool}-{_LLVM_VERSION}"
+-    if await _check_tool_version(path, echo=echo):
++    path = f"{tool}-{llvm_version}"
++    if await _check_tool_version(path, llvm_version, echo=echo):
+         return path
+     # PCbuild externals:
+     externals = os.environ.get("EXTERNALS_DIR", _targets.EXTERNALS)
+     path = os.path.join(externals, _EXTERNALS_LLVM_TAG, "bin", tool)
+-    if await _check_tool_version(path, echo=echo):
++    if await _check_tool_version(path, llvm_version, echo=echo):
+         return path
+     # Homebrew-installed executables:
+-    prefix = await _get_brew_llvm_prefix(echo=echo)
++    prefix = await _get_brew_llvm_prefix(llvm_version, echo=echo)
+     if prefix is not None:
+         path = os.path.join(prefix, "bin", tool)
+-        if await _check_tool_version(path, echo=echo):
++        if await _check_tool_version(path, llvm_version, echo=echo):
+             return path
+     # Nothing found:
+     return None
+ 
+ 
+ async def maybe_run(
+-    tool: str, args: typing.Iterable[str], echo: bool = False
++    tool: str,
++    args: typing.Iterable[str],
++    echo: bool = False,
++    llvm_version: str = _LLVM_VERSION,
+ ) -> str | None:
+     """Run an LLVM tool if it can be found. Otherwise, return None."""
+-    path = await _find_tool(tool, echo=echo)
++
++    path = await _find_tool(tool, llvm_version, echo=echo)
+     return path and await _run(path, args, echo=echo)
+ 
+ 
+-async def run(tool: str, args: typing.Iterable[str], echo: bool = False) -> str:
++async def run(
++    tool: str,
++    args: typing.Iterable[str],
++    echo: bool = False,
++    llvm_version: str = _LLVM_VERSION,
++) -> str:
+     """Run an LLVM tool if it can be found. Otherwise, raise RuntimeError."""
+-    output = await maybe_run(tool, args, echo=echo)
++
++    output = await maybe_run(tool, args, echo=echo, llvm_version=llvm_version)
+     if output is None:
+-        raise RuntimeError(f"Can't find {tool}-{_LLVM_VERSION}!")
++        raise RuntimeError(f"Can't find {tool}-{llvm_version}!")
+     return output
+Index: Python-3.14.0/Tools/jit/_targets.py
+===================================================================
+--- Python-3.14.0.orig/Tools/jit/_targets.py
++++ Python-3.14.0/Tools/jit/_targets.py
+@@ -48,6 +48,7 @@ class _Target(typing.Generic[_S, _R]):
+     debug: bool = False
+     verbose: bool = False
+     cflags: str = ""
++    llvm_version: str = _llvm._LLVM_VERSION
+     known_symbols: dict[str, int] = dataclasses.field(default_factory=dict)
+     pyconfig_dir: pathlib.Path = pathlib.Path.cwd().resolve()
+ 
+@@ -79,7 +80,9 @@ class _Target(typing.Generic[_S, _R]):
+     async def _parse(self, path: pathlib.Path) -> _stencils.StencilGroup:
+         group = _stencils.StencilGroup()
+         args = ["--disassemble", "--reloc", f"{path}"]
+-        output = await _llvm.maybe_run("llvm-objdump", args, echo=self.verbose)
++        output = await _llvm.maybe_run(
++            "llvm-objdump", args, echo=self.verbose, llvm_version=self.llvm_version
++        )
+         if output is not None:
+             # Make sure that full paths don't leak out (for reproducibility):
+             long, short = str(path), str(path.name)
+@@ -97,7 +100,9 @@ class _Target(typing.Generic[_S, _R]):
+             "--sections",
+             f"{path}",
+         ]
+-        output = await _llvm.run("llvm-readobj", args, echo=self.verbose)
++        output = await _llvm.run(
++            "llvm-readobj", args, echo=self.verbose, llvm_version=self.llvm_version
++        )
+         # --elf-output-style=JSON is only *slightly* broken on Mach-O...
+         output = output.replace("PrivateExtern\n", "\n")
+         output = output.replace("Extern\n", "\n")
+@@ -164,7 +169,9 @@ class _Target(typing.Generic[_S, _R]):
+             # Allow user-provided CFLAGS to override any defaults
+             *shlex.split(self.cflags),
+         ]
+-        await _llvm.run("clang", args, echo=self.verbose)
++        await _llvm.run(
++            "clang", args, echo=self.verbose, llvm_version=self.llvm_version
++        )
+         return await self._parse(o)
+ 
+     async def _build_stencils(self) -> dict[str, _stencils.StencilGroup]:
+@@ -212,6 +219,8 @@ class _Target(typing.Generic[_S, _R]):
+         if not self.stable:
+             warning = f"JIT support for {self.triple} is still experimental!"
+             request = "Please report any issues you encounter.".center(len(warning))
++            if self.llvm_version != _llvm._LLVM_VERSION:
++                request = f"Warning! Building with an LLVM version other than {_llvm._LLVM_VERSION} is not supported."
+             outline = "=" * len(warning)
+             print("\n".join(["", outline, warning, request, outline, ""]))
+         digest = f"// {self._compute_digest()}\n"
+Index: Python-3.14.0/Tools/jit/build.py
+===================================================================
+--- Python-3.14.0.orig/Tools/jit/build.py
++++ Python-3.14.0/Tools/jit/build.py
+@@ -42,6 +42,7 @@ if __name__ == "__main__":
+     parser.add_argument(
+         "--cflags", help="additional flags to pass to the compiler", default=""
+     )
++    parser.add_argument("--llvm-version", help="LLVM version to use")
+     args = parser.parse_args()
+     for target in args.target:
+         target.debug = args.debug
+@@ -49,6 +50,8 @@ if __name__ == "__main__":
+         target.verbose = args.verbose
+         target.cflags = args.cflags
+         target.pyconfig_dir = args.pyconfig_dir
++        if args.llvm_version:
++            target.llvm_version = args.llvm_version
+         target.build(
+             comment=comment,
+             force=args.force,
+Index: Python-3.14.0/configure
+===================================================================
+--- Python-3.14.0.orig/configure
++++ Python-3.14.0/configure
+@@ -10866,7 +10866,7 @@ then :
+ 
+ else case e in #(
+   e) as_fn_append CFLAGS_NODIST " $jit_flags"
+-           REGEN_JIT_COMMAND="\$(PYTHON_FOR_REGEN) \$(srcdir)/Tools/jit/build.py ${ARCH_TRIPLES:-$host} --output-dir . --pyconfig-dir . --cflags=\"$CFLAGS_JIT\""
++           REGEN_JIT_COMMAND="\$(PYTHON_FOR_REGEN) \$(srcdir)/Tools/jit/build.py ${ARCH_TRIPLES:-$host} --output-dir . --pyconfig-dir . --cflags=\"$CFLAGS_JIT\" --llvm-version=\"$LLVM_VERSION\""
+            JIT_STENCILS_H="jit_stencils.h"
+            if test "x$Py_DEBUG" = xtrue
+ then :
+Index: Python-3.14.0/configure.ac
+===================================================================
+--- Python-3.14.0.orig/configure.ac
++++ Python-3.14.0/configure.ac
+@@ -2779,7 +2779,7 @@ AS_VAR_IF([jit_flags],
+           [],
+           [AS_VAR_APPEND([CFLAGS_NODIST], [" $jit_flags"])
+            AS_VAR_SET([REGEN_JIT_COMMAND],
+-                      ["\$(PYTHON_FOR_REGEN) \$(srcdir)/Tools/jit/build.py ${ARCH_TRIPLES:-$host} --output-dir . --pyconfig-dir . --cflags=\"$CFLAGS_JIT\""])
++                      ["\$(PYTHON_FOR_REGEN) \$(srcdir)/Tools/jit/build.py ${ARCH_TRIPLES:-$host} --output-dir . --pyconfig-dir . --cflags=\"$CFLAGS_JIT\" --llvm-version=\"$LLVM_VERSION\""])
+            AS_VAR_SET([JIT_STENCILS_H], ["jit_stencils.h"])
+            AS_VAR_IF([Py_DEBUG],
+                      [true],

gh139257-Support-docutils-0.22.patch

@@ -4,39 +4,13 @@ Date: Tue, 23 Sep 2025 10:20:16 +0200
 Subject: [PATCH 1/2] gh-139257: Support docutils >= 0.22
 
 ---
- Doc/Makefile                       |    2 -
- Doc/conf.py                        |    3 +
  Doc/tools/extensions/pyspecific.py |   68 +++++++++++++++++++++++++------------
- 3 files changed, 50 insertions(+), 23 deletions(-)
+ 1 file changed, 46 insertions(+), 22 deletions(-)
 
-Index: Python-3.14.3/Doc/Makefile
+Index: Python-3.14.2/Doc/tools/extensions/pyspecific.py
 ===================================================================
---- Python-3.14.3.orig/Doc/Makefile	2026-02-03 16:32:20.000000000 +0100
+--- Python-3.14.2.orig/Doc/tools/extensions/pyspecific.py	2025-12-05 17:49:16.000000000 +0100
-+++ Python-3.14.3/Doc/Makefile	2026-02-13 20:28:48.460059340 +0100
++++ Python-3.14.2/Doc/tools/extensions/pyspecific.py	2025-12-11 18:15:44.936875242 +0100
-@@ -14,7 +14,7 @@
- SOURCES      =
- DISTVERSION  = $(shell $(PYTHON) tools/extensions/patchlevel.py)
- REQUIREMENTS = requirements.txt
--SPHINXERRORHANDLING = --fail-on-warning
-+SPHINXERRORHANDLING =
- 
- # Internal variables.
- PAPEROPT_a4     = --define latex_elements.papersize=a4paper
-Index: Python-3.14.3/Doc/conf.py
-===================================================================
---- Python-3.14.3.orig/Doc/conf.py	2026-02-03 16:32:20.000000000 +0100
-+++ Python-3.14.3/Doc/conf.py	2026-02-13 20:21:11.034520886 +0100
-@@ -582,3 +582,6 @@
-         '<meta property="og:image:width" content="200">',
-         '<meta property="og:image:height" content="200">',
-     )
-+
-+# Fix devhelp doc build gh#python/cpython#120150
-+master_doc = 'contents'
-Index: Python-3.14.3/Doc/tools/extensions/pyspecific.py
-===================================================================
---- Python-3.14.3.orig/Doc/tools/extensions/pyspecific.py	2026-02-03 16:32:20.000000000 +0100
-+++ Python-3.14.3/Doc/tools/extensions/pyspecific.py	2026-02-13 17:09:31.987767795 +0100
 @@ -1,12 +1,12 @@
  # -*- coding: utf-8 -*-
  """

python314-base.rpmlintrc

@@ -0,0 +1,4 @@
+addFilter("pem-certificate.*/usr/lib.*/python.*/test/*.pem")
+addFilter("devel-file-in-non-devel-package.*/usr/lib.*/python.*/tests/*.c")
+addFilter("devel-file-in-non-devel-package.*/usr/lib.*/python.*/test/*.cpp")
+addFilter("python-bytecode-inconsistent-mtime.*/usr/lib.*/python.*/*.pyc")

python314-rpmlintrc

@@ -1,4 +1,3 @@
 addFilter("pem-certificate.*/usr/lib.*/python.*/test/*.pem")
 addFilter("devel-file-in-non-devel-package.*/usr/lib.*/python.*/tests/*.c")
 addFilter("devel-file-in-non-devel-package.*/usr/lib.*/python.*/test/*.cpp")
-addFilter("python-bytecode-inconsistent-mtime.*/usr/lib.*/python.*/*.pyc")

python314.changes

@@ -1,396 +1,9 @@
 -------------------------------------------------------------------
-Thu Feb  5 17:26:23 UTC 2026 - Matej Cepl <mcepl@cepl.eu>
+Thu Dec 12 07:00:00 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
 
-- CVE-2025-12781: All `*b64decode` functions should not accept
+- Use LLVM21 to build python314, add patch
-  non-altchars. (bsc#1257108, gh#python/cpython#125346)
+  gh138498-llvm-version-config.patch
-  CVE-2025-12781-b64decode-alt-chars.patch
+  bsc#1254826, gh#python/cpython#138498
-- CVE-2025-15366: IMAP protocol should not accept non-altchars as
-  well. (bsc#1257044, gh-143921)
-  CVE-2025-15366-imap-ctrl-chars.patch
-- CVE-2025-15367: basically the same as the previous patch but for
-  the poplib library. (bsc#1257041, gh#python/cpython#143923)
-  CVE-2025-15367-poplib-ctrl-chars.patch
-- Remove upstreamed patches:
-  - CVE-2025-11468-email-hdr-fold-comment.patch
-  - CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
-- Add configure-drop-autoconf-ver-req.patch to move some `sed`
-  modifications to patch.
-
--------------------------------------------------------------------
-Thu Feb  5 12:57:09 UTC 2026 - Matej Cepl <mcepl@cepl.eu>
-
-- Update to 3.14.3:
-  - Tools/Demos
-    - gh-142095: Make gdb ‘py-bt’ command use frame from thread
-      local state when available. Patch by Sam Gross and Victor
-      Stinner.
-  - Tests
-    - gh-144415: The Android testbed now distinguishes between
-      stdout/stderr messages which were triggered by a newline,
-      and those triggered by a manual call to flush. This fixes
-      logging of progress indicators and similar content.
-    - gh-143460: Skip tests relying on infinite recusion if stack
-      size is unlimited.
-    - gh-65784: Add support for parametrized resource wantobjects
-      in regrtests, which allows to run Tkinter tests with the
-      specified value of tkinter.wantobjects, for example -u
-      wantobjects=0.
-    - gh-143553: Add support for parametrized resources, such as
-      -u xpickle=2.7.
-    - gh-142836: Accommodated Solaris in
-      test_pdb.test_script_target_anonymous_pipe.
-    - bpo-31391: Forward-port test_xpickle from Python 2 to
-      Python 3 and add the resource back to test’s command line.
-  - Security
-    - gh-144125: BytesGenerator will now refuse to serialize
-      (write) headers that are unsafely folded or delimited; see
-      verify_generated_headers. (Contributed by Bas Bloemsaat and
-      Petr Viktorin in gh-121650).
-    - CVE-2025-11468: Fixed a bug in the folding of comments when
-      flattening an email message using a modern email policy.
-      Comments consisting of a very long sequence of non-foldable
-      characters could trigger a forced line wrap that omitted
-      the required leading space on the continuation line,
-      causing the remainder of the comment to be interpreted as
-      a new header field. This enabled header injection with
-      carefully crafted inputs (bsc#1257029, gh-143935).
-    - CVE-2025-15282: Reject control characters in data: URL
-      media types (bsc#1257046, gh-143925).
-    - CVE-2026-0672: Reject control characters in
-      http.cookies.Morsel fields and values (bsc#1257031,
-      gh-143919).
-    - CVE-2026-0865: Reject C0 control characters within
-      wsgiref.headers.Headers fields, values, and parameters
-      (bsc#1257042, gh-143916).
-  - Library
-    - gh-144380: Improve performance of io.BufferedReader line
-      iteration by ~49%.
-    - gh-144169: Fix three crashes when non-string keyword
-      arguments are supplied to objects in the ast module.
-    - gh-144100: Fixed a crash in ctypes when using a deprecated
-      POINTER(str) type in argtypes. Instead of aborting, ctypes
-      now raises a proper Python exception when the pointer
-      target type is unresolved.
-    - gh-144050: Fix stat.filemode() in the pure-Python
-      implementation to avoid misclassifying invalid mode values
-      as block devices.
-    - gh-144023: Fixed validation of file descriptor 0 in posix
-      functions when used with follow_symlinks parameter.
-    - gh-143999: Fix an issue where inspect.getgeneratorstate()
-      and inspect.getcoroutinestate() could fail for generators
-      wrapped by types.coroutine() in the suspended state.
-    - gh-143831: annotationlib.ForwardRef objects are now
-      hashable when created from annotation scopes with closures.
-      Previously, hashing such objects would throw an exception.
-      Patch by Bartosz Sławecki.
-    - gh-143874: Fixed a bug in pdb where expression results were
-      not sent back to remote client.
-    - gh-143880: Fix data race in functools.partial() in the free
-      threading build.
-    - gh-143706: Fix multiprocessing forkserver so that sys.argv
-      is correctly set before __main__ is preloaded. Previously,
-      sys.argv was empty during main module import in forkserver
-      child processes. This fixes a regression introduced in
-      3.13.8 and 3.14.1. Root caused by Aaron Wieczorek, test
-      provided by Thomas Watson, thanks!
-    - gh-143638: Forbid reentrant calls of the pickle.Pickler and
-      pickle.Unpickler methods for the C implementation.
-      Previously, this could cause crash or data corruption, now
-      concurrent calls of methods of the same object raise
-      RuntimeError.
-    - gh-78724: Raise RuntimeError’s when user attempts to call
-      methods on half-initialized Struct objects, For example,
-      created by Struct.__new__(Struct). Patch by Sergey
-      B Kirpichev.
-    - gh-143196: Fix crash when the internal encoder object
-      returned by undocumented function
-      json.encoder.c_make_encoder() was called with non-zero
-      second (_current_indent_level) argument.
-    - gh-143191: _thread.stack_size() now raises ValueError if
-      the stack size is too small. Patch by Victor Stinner.
-    - gh-143602: Fix a inconsistency issue in write() that leads
-      to unexpected buffer overwrite by deduplicating the buffer
-      exports.
-    - gh-143547: Fix sys.unraisablehook() when the hook raises an
-      exception and changes sys.unraisablehook(): hold a strong
-      reference to the old hook. Patch by Victor Stinner.
-    - gh-143517: annotationlib.get_annotations() no longer raises
-      a SyntaxError when evaluating a stringified starred
-      annotation that starts with one or more whitespace
-      characters followed by a *. Patch by Bartosz Sławecki.
-    - gh-143378: Fix use-after-free crashes when a BytesIO object
-      is concurrently mutated during write() or writelines().
-    - gh-143346: Fix incorrect wrapping of the Base64 data in
-      plistlib._PlistWriter when the indent contains a mix of
-      tabs and spaces.
-    - gh-143310: tkinter: fix a crash when a Python list is
-      mutated during the conversion to a Tcl object (e.g., when
-      setting a Tcl variable). Patch by Bénédikt Tran.
-    - gh-143309: Fix a crash in os.execve() on non-Windows
-      platforms when given a custom environment mapping which is
-      then mutated during parsing. Patch by Bénédikt Tran.
-    - gh-143308: pickle: fix use-after-free crashes when
-      a PickleBuffer is concurrently mutated by a custom buffer
-      callback during pickling. Patch by Bénédikt Tran and Aaron
-      Wieczorek.
-    - gh-143237: Fix support of named pipes in the rotating
-      logging handlers.
-    - gh-143249: Fix possible buffer leaks in Windows overlapped
-      I/O on error handling.
-    - gh-143241: zoneinfo: fix infinite loop in
-      ZoneInfo.from_file when parsing a malformed TZif file.
-      Patch by Fatih Celik.
-    - gh-142830: sqlite3: fix use-after-free crashes when the
-      connection’s callbacks are mutated during a callback
-      execution. Patch by Bénédikt Tran.
-    - gh-143200: xml.etree.ElementTree: fix use-after-free
-      crashes in __getitem__() and __setitem__() methods of
-      Element when the element is concurrently mutated. Patch by
-      Bénédikt Tran.
-    - gh-142195: Updated timeout evaluation logic in subprocess
-      to be compatible with deterministic environments like
-      Shadow where time moves exactly as requested.
-    - gh-142164: Fix the ctypes bitfield overflow error message
-      to report the correct offset and size calculation.
-    - gh-143145: Fixed a possible reference leak in ctypes when
-      constructing results with multiple output parameters on
-      error.
-    - gh-122431: Corrected the error message in
-      readline.append_history_file() to state that nelements must
-      be non-negative instead of positive.
-    - gh-143004: Fix a potential use-after-free in
-      collections.Counter.update() when user code mutates the
-      Counter during an update.
-    - gh-143046: The asyncio REPL no longer prints copyright and
-      version messages in the quiet mode (-q). Patch by Bartosz
-      Sławecki.
-    - gh-140648: The asyncio REPL now respects the -I flag
-      (isolated mode). Previously, it would load and execute
-      PYTHONSTARTUP even if the flag was set. Contributed by
-      Bartosz Sławecki.
-    - gh-142991: Fixed socket operations such as recvfrom() and
-      sendto() for FreeBSD divert(4) socket.
-    - gh-143010: Fixed a bug in mailbox where the precise timing
-      of an external event could result in the library opening an
-      existing file instead of a file it expected to create.
-    - gh-142881: Fix concurrent and reentrant call of
-      atexit.unregister().
-    - gh-112127: Fix possible use-after-free in
-      atexit.unregister() when the callback is unregistered
-      during comparison.
-    - gh-142783: Fix zoneinfo use-after-free with descriptor
-      _weak_cache. a descriptor as _weak_cache could cause
-      crashes during object creation. The fix ensures proper
-      reference counting for descriptor-provided objects.
-    - gh-142754: Add the ownerDocument attribute to
-      xml.dom.minidom elements and attributes created by directly
-      instantiating the Element or Attr class. Note that this way
-      of creating nodes is not supported; creator functions like
-      xml.dom.Document.documentElement() should be used instead.
-    - gh-142784: The asyncio REPL now properly closes the loop
-      upon the end of interactive session. Previously, it could
-      cause surprising warnings. Contributed by Bartosz Sławecki.
-    - gh-142555: array: fix a crash in a[i] = v when converting
-      i to an index via i.__index__ or i.__float__ mutates the
-      array.
-    - gh-142594: Fix crash in TextIOWrapper.close() when the
-      underlying buffer’s closed property calls detach().
-    - gh-142451: hmac: Ensure that the HMAC.block_size attribute
-      is correctly copied by HMAC.copy. Patch by Bénédikt Tran.
-    - gh-142495: collections.defaultdict now prioritizes
-      __setitem__() when inserting default values from
-      default_factory. This prevents race conditions where
-      a default value would overwrite a value set before
-      default_factory returns.
-    - gh-142651: unittest.mock: fix a thread safety issue where
-      Mock.call_count may return inaccurate values when the mock
-      is called concurrently from multiple threads.
-    - gh-142595: Added type check during initialization of the
-      decimal module to prevent a crash in case of broken stdlib.
-      Patch by Sergey B Kirpichev.
-    - gh-142556: Fix crash when a task gets re-registered during
-      finalization in asyncio. Patch by Kumar Aditya.
-    - gh-123241: Avoid reference count operations in garbage
-      collection of ctypes objects.
-    - gh-142517: The non-compat32 email policies now correctly
-      handle refolding encoded words that contain bytes that can
-      not be decoded in their specified character set. Previously
-      this resulted in an encoding exception during folding.
-    - gh-112527: The help text for required options in argparse
-      no longer extended with “ (default: None)”.
-    - gh-142346: Fix usage formatting for mutually exclusive
-      groups in argparse when they are preceded by positional
-      arguments or followed or intermixed with other optional
-      arguments.
-    - gh-142315: Pdb can now run scripts from anonymous pipes
-      used in process substitution. Patch by Bartosz Sławecki.
-    - gh-142332: Fix usage formatting for positional arguments in
-      mutually exclusive groups in argparse. in argparse.
-    - gh-142282: Fix winreg.QueryValueEx() to not accidentally
-      read garbage buffer under race condition.
-    - gh-75949: Fix argparse to preserve | separators in mutually
-      exclusive groups when the usage line wraps due to length.
-    - gh-142267: Improve argparse performance by caching the
-      formatter used for argument validation.
-    - gh-68552: MisplacedEnvelopeHeaderDefect and Missing header
-      name defects are now correctly passed to the handle_defect
-      method of policy in FeedParser.
-    - gh-142006: Fix a bug in the email.policy.default folding
-      algorithm which incorrectly resulted in a doubled newline
-      when a line ending at exactly max_line_length was followed
-      by an unfoldable token.
-    - gh-105836: Fix asyncio.run_coroutine_threadsafe() leaving
-      underlying cancelled asyncio task running.
-    - gh-139971: pydoc: Ensure that the link to the online
-      documentation of a stdlib module is correct.
-    - gh-139262: Some keystrokes can be swallowed in the new
-      PyREPL on Windows, especially when used together with the
-      ALT key. Fix by Chris Eibl.
-    - gh-138897: Improved license/copyright/credits display in
-      the REPL: now uses a pager.
-    - gh-79986: Add parsing for References and In-Reply-To
-      headers to the email library that parses the header content
-      as lists of message id tokens. This prevents them from
-      being folded incorrectly.
-    - gh-136282: Add support for UNNAMED_SECTION when creating
-      a section via the mapping protocol access
-    - gh-109263: Starting a process from spawn context in
-      multiprocessing no longer sets the start method globally.
-    - gh-133253: Fix thread-safety issues in linecache.
-    - gh-132715: Skip writing objects during marshalling once
-      a failure has occurred.
-  - IDLE
-    - gh-143774: Better explain the operation of Format / Format
-      Paragraph.
-  - Documentation
-    - gh-140806: Add documentation for enum.bin().
-  - Core and Builtins
-    - gh-144307: Prevent a reference leak in module teardown at
-      interpreter finalization.
-    - gh-144194: Fix error handling in perf jitdump
-      initialization on memory allocation failure.
-    - gh-144012: Check if the result is NULL in BINARY_OP_EXTENT
-      opcode.
-    - gh-141805: Fix crash in set when objects with the same hash
-      are concurrently added to the set after removing an element
-      with the same hash while the set still contains elements
-      with the same hash.
-    - gh-143670: Fixes a crash in ga_repr_items_list function.
-    - gh-143377: Fix a crash in _interpreters.capture_exception()
-      when the exception is incorrectly formatted. Patch by
-      Bénédikt Tran.
-    - gh-136924: The interactive help mode in the REPL no longer
-      incorrectly syntax highlights text input as Python code.
-      Contributed by Olga Matoula.
-    - gh-143189: Fix crash when inserting a non-str key into
-      a split table dictionary when the key matches an existing
-      key in the split table but has no corresponding value in
-      the dict.
-    - gh-143228: Fix use-after-free in perf trampoline when
-      toggling profiling while threads are running or during
-      interpreter finalization with daemon threads active. The
-      fix uses reference counting to ensure trampolines are not
-      freed while any code object could still reference them.
-      Pach by Pablo Galindo
-    - gh-142664: Fix a use-after-free crash in
-      memoryview.__hash__ when the __hash__ method of the
-      referenced object mutates that object or the view. Patch by
-      Bénédikt Tran.
-    - gh-142557: Fix a use-after-free crash in bytearray.__mod__
-      when the bytearray is mutated while formatting the %-style
-      arguments. Patch by Bénédikt Tran.
-    - gh-143195: Fix use-after-free crashes in bytearray.hex()
-      and memoryview.hex() when the separator’s __len__() mutates
-      the original object. Patch by Bénédikt Tran.
-    - gh-142975: Fix crash after unfreezing all objects tracked
-      by the garbage collector on the free threaded build.
-    - gh-143135: Set sys.flags.inspect to 1 when PYTHONINSPECT is
-      0. Previously, it was set to 0 in this case.
-    - gh-143003: Fix an overflow of the shared empty buffer in
-      bytearray.extend() when __length_hint__() returns 0 for
-      non-empty iterator.
-    - gh-143006: Fix a possible assertion error when comparing
-      negative non-integer float and int with the same number of
-      bits in the integer part.
-    - gh-143057: Avoid locking in PyTraceMalloc_Track() and
-      PyTraceMalloc_Untrack() when tracemalloc is not enabled.
-    - gh-142776: Fix a file descriptor leak in import.c
-    - gh-142829: Fix a use-after-free crash in
-      contextvars.Context comparison when a custom __eq__ method
-      modifies the context via set().
-    - gh-142766: Clear the frame of a generator when
-      generator.close() is called.
-    - gh-142737: Tracebacks will be displayed in fallback mode
-      even if io.open() is lost. Previously, this would crash the
-      interpreter. Patch by Bartosz Sławecki.
-    - gh-142554: Fix a crash in divmod() when
-      _pylong.int_divmod() does not return a tuple of length two
-      exactly. Patch by Bénédikt Tran.
-    - gh-142560: Fix use-after-free in bytearray search-like
-      methods (find(), count(), index(), rindex(), and rfind())
-      by marking the storage as exported which causes
-      reallocation attempts to raise BufferError. For contains(),
-      split(), and rsplit() the buffer protocol is used for this.
-    - gh-142531: Fix a free-threaded GC performance regression.
-      If there are many untracked tuples, the GC will run too
-      often, resulting in poor performance. The fix is to include
-      untracked tuples in the “long lived” object count. The
-      number of frozen objects is also now included since the
-      free-threaded GC must scan those too.
-    - gh-142402: Fix reference counting when adjacent literal
-      parts are merged while constructing
-      string.templatelib.Template, preventing the displaced
-      string object from leaking.
-    - gh-133932: Fix crash in the free threading build when
-      clearing frames that hold tagged integers.
-    - gh-142343: Fix SIGILL crash on m68k due to incorrect
-      assembly constraint.
-    - gh-100964: Fix reference cycle in exhausted generator
-      frames. Patch by Savannah Ostrowski.
-    - gh-69605: Fix edge-cases around already imported modules in
-      the REPL auto-completion of imports.
-    - gh-138568: Adjusted the built-in help() function so that
-      empty inputs are ignored in interactive mode.
-    - gh-137007: Fix a bug during JIT compilation failure which
-      caused garbage collection debug assertions to fail.
-  - C API
-    - gh-142589: Fix
-      PyUnstable_Object_IsUniqueReferencedTemporary() handling of
-      tagged ints on the interpreter stack.
-    - gh-142571: PyUnstable_CopyPerfMapFile() now checks that
-      opening the file succeeded before flushing.
-  - Build
-    - gh-142454: When calculating the digest of the JIT stencils
-      input, sort the hashed files by filenames before adding
-      their content to the hasher. This ensures deterministic
-      hash input and hence deterministic hash, independent on
-      filesystem order.
-    - gh-141808: When running make clean-retain-profile, keep the
-      generated JIT stencils. That way, the stencils are not
-      generated twice when Profile-guided optimization (PGO) is
-      used. It also allows distributors to supply their own
-      pre-built JIT stencils.
-    - gh-138061: Ensure reproducible builds by making JIT stencil
-      header generation deterministic.
-- Remove upstreamed patches:
-  - CVE-2024-6923-follow-up-EOL-email-headers.patch
-  - CVE-2025-11468-email-hdr-fold-comment.patch
-  - CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
-  - gh138131-exclude-pycache-from-digest.patch
-
--------------------------------------------------------------------
-Thu Jan 29 12:58:15 UTC 2026 - Matej Cepl <mcepl@cepl.eu>
-
-- Add CVE-2024-6923-follow-up-EOL-email-headers.patch which is
-  a follow-up to the previous fix of CVE-2024-6923 further
-  encoding EOL possibly hidden in email headers (bsc#1257181,
-  also bsc#1257181, CVE-2026-1299).
-- Add CVE-2025-11468-email-hdr-fold-comment.patch preserving
-  parens when folding comments in email headers (bsc#1257029,
-  CVE-2025-11468).
-- Add CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch, which
-  rejects control characters in http cookies (bsc#1257031,
-  CVE-2026-0672).
 
 -------------------------------------------------------------------
 Thu Dec 11 17:37:09 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
@@ -398,7 +11,7 @@ Thu Dec 11 17:37:09 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
 * Update to 3.14.2:
 - Security
   - gh-142145: Remove quadratic behavior in xml.minidom node ID
-    cache clearing (CVE-2025-12084, bsc#1254997).
+    cache clearing.
   - gh-119452: Fix a potential memory denial of service in the
     http.server module. When a malicious user is connected to the
     CGI server on Windows, it could cause an arbitrary amount of
@@ -460,10 +73,10 @@ Thu Dec 11 17:37:09 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
   - gh-139700: Check consistency of the zip64 end of central
     directory record. Support records with “zip64 extensible
     data” if there are no bytes prepended to the ZIP file.
-    (CVE-2025-8291, bsc#1251305)
   - gh-139283: sqlite3: correctly handle maximum number of rows
     to fetch in Cursor.fetchmany and reject negative values for
-    Cursor.arraysize. Patch by Bénédikt Tran.
+    Cursor.arraysize. Patch by Bénédikt Tran. (CVE-2025-8291,
+    bsc#1251305)
   - gh-137836: Add support of the “plaintext” element, RAWTEXT
     elements “xmp”, “iframe”, “noembed” and “noframes”, and
     optionally RAWTEXT element “noscript” in
@@ -4411,7 +4024,7 @@ Tue Nov 19 22:08:24 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
       generated URLs beginning with four slashes (rather than
       two) when given a Windows UNC path.
     - gh-126156: Improved performances of creating Morsel objects
-      by a factor of 3.8x (bsc#1257031, CVE-2026-0672).
+      by a factor of 3.8x.
     - gh-126105: Fix a crash in ast when the ast.AST._fields
       attribute is deleted.
     - gh-126106: Fixes a possible NULL pointer dereference in
@@ -5066,8 +4679,7 @@ Sat Sep  7 15:36:03 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
       now refuse to serialize (write) headers
       that are unsafely folded or delimited; see
       verify_generated_headers. (Contributed by Bas Bloemsaat and
-      Petr Viktorin in gh-121650.; CVE-2024-6923, bsc#1228780,
+      Petr Viktorin in gh-121650.; CVE-2024-6923, bsc#1228780)
-      bsc#1257181)
     - gh-121723: Make logging.config.dictConfig() accept any
       object implementing the Queue public API. See the queue
       configuration section for details. Patch by Bénédikt Tran.

python314.rpmlintrc

@@ -0,0 +1,4 @@
+addFilter("pem-certificate.*/usr/lib.*/python.*/test/*.pem")
+addFilter("devel-file-in-non-devel-package.*/usr/lib.*/python.*/tests/*.c")
+addFilter("devel-file-in-non-devel-package.*/usr/lib.*/python.*/test/*.cpp")
+addFilter("python-bytecode-inconsistent-mtime.*/usr/lib.*/python.*/*.pyc")

python314.spec

@@ -54,6 +54,8 @@
 %bcond_with GIL
 %endif
 
+%define llvm_version 21
+
 %if 0%{?do_profiling} && !0%{?want_reproducible_builds}
 %bcond_without profileopt
 %else
@@ -124,7 +126,7 @@
 # %%define tarversion %%{version}
 # %%endif
 # We don't process beta signs well
-%define         folderversion 3.14.3
+%define         folderversion 3.14.2
 %define         sitedir         %{_libdir}/python%{python_version}
 # three possible ABI kinds: m - pymalloc, d - debug build; see PEP 3149
 %define         abi_kind   %{nil}
@@ -162,7 +164,7 @@
 # _md5.cpython-38m-x86_64-linux-gnu.so
 %define dynlib() %{sitedir}/lib-dynload/%{1}.cpython-%{abi_tag}-%{archname}-%{_os}%{?_gnu}%{?armsuffix}.so
 Name:           %{python_pkg_name}%{psuffix}
-Version:        3.14.3
+Version:        3.14.2
 %define         tarversion %{version}
 %define         tarname    Python-%{tarversion}
 Release:        0
@@ -203,15 +205,14 @@ Patch02:        F00251-change-user-install-location.patch
 Patch03:        python-3.3.0b1-localpath.patch
 # replace DATE, TIME and COMPILER by fixed definitions to aid reproducible builds
 Patch04:        python-3.3.0b1-fix_date_time_compiler.patch
-# PATCH-FIX-OPENSUSE configure-drop-autoconf-ver-req.patch mcepl@suse.com
-# don't require minimal version of Autoconf
-Patch05:        configure-drop-autoconf-ver-req.patch
 # PATCH-FEATURE-UPSTREAM bpo-31046_ensurepip_honours_prefix.patch bpo#31046 mcepl@suse.com
 # ensurepip should honour the value of $(prefix)
 Patch07:        bpo-31046_ensurepip_honours_prefix.patch
 # PATCH-FIX-SLE skip-test_pyobject_freed_is_freed.patch mcepl@suse.com
 # skip a test failing on SLE-15
 Patch09:        skip-test_pyobject_freed_is_freed.patch
+# PATCH-FIX-UPSTREAM gh138498-llvm-version-config gh#python/cpython#138498  daniel.garcia@suse.com
+Patch10:        gh138498-llvm-version-config.patch
 # PATCH-FIX-OPENSUSE CVE-2023-52425-libexpat-2.6.0-backport-15.6.patch
 # This problem on libexpat is patched on 15.6 without version
 # update, this patch changes the tests to match the libexpat provided
@@ -223,22 +224,11 @@ Patch40:        fix-test-recursion-limit-15.6.patch
 # PATCH-FIX-UPSTREAM bsc1243155-sphinx-non-determinism.patch bsc#1243155 mcepl@suse.com
 # Doc: Generate ids for audit_events using docname
 Patch41:        bsc1243155-sphinx-non-determinism.patch
+# PATCH-FIX-UPSTREAM gh138131-exclude-pycache-from-digest.patch bsc#1244680 daniel.garcia@suse.com
+Patch44:        gh138131-exclude-pycache-from-digest.patch
 # PATCH-FIX-OPENSUSE gh139257-Support-docutils-0.22.patch gh#python/cpython#139257 daniel.garcia@suse.com
 Patch45:        gh139257-Support-docutils-0.22.patch
-# PATCH-FIX-UPSTREAM CVE-2024-6923-follow-up-EOL-email-headers.patch bsc#1257181 mcepl@suse.com
+#### Python 3.14 DEVELOPMENT PATCHES
-# Encode newlines in headers when using ByteGenerator
-# patch from gh#python/cpython#144125
-Patch46:        CVE-2024-6923-follow-up-EOL-email-headers.patch
-# PATCH-FIX-UPSTREAM CVE-2025-12781-b64decode-alt-chars.patch bsc#1257108 mcepl@suse.com
-# Fix decoding with non-standard Base64 alphabet gh#python/cpython#125346
-Patch49:        CVE-2025-12781-b64decode-alt-chars.patch
-# PATCH-FIX-UPSTREAM CVE-2025-15366-imap-ctrl-chars.patch bsc#1257044 mcepl@suse.com
-# Reject control characters in wsgiref.headers.Headers
-Patch50:        CVE-2025-15366-imap-ctrl-chars.patch
-# PATCH-FIX-UPSTREAM CVE-2025-15367-poplib-ctrl-chars.patch bsc#1257041 mcepl@suse.com
-# Reject control characters in poplib
-Patch51:        CVE-2025-15367-poplib-ctrl-chars.patch
-#### Python 3.14 END OF PATCHES
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  fdupes
@@ -283,7 +273,7 @@ BuildRequires:  python3-python-docs-theme >= 2022.1
 
 %if %{with experimental_jit}
 # needed for experimental_jit
-BuildRequires:  clang19 llvm19
+BuildRequires:  clang%{llvm_version} llvm%{llvm_version}
 BuildRequires:  llvm
 %endif
 
@@ -523,6 +513,12 @@ other applications.
 %prep
 %autosetup -p1 -n %{tarname}
 
+# Fix devhelp doc build gh#python/cpython#120150
+echo "master_doc = 'contents'" >> Doc/conf.py
+
+# drop Autoconf version requirement
+sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
+
 %if %{primary_interpreter}
 # fix shebangs - convert /usr/local/bin/python and /usr/bin/env/python to /usr/bin/python3
 for dir in Lib Tools; do
@@ -542,7 +538,7 @@ done
 sed -i -e '/Breakpoint 3 at ...pdb.py:97/s/97/96/' Lib/test/test_pdb.py
 %endif
 
-# Removing vendored expat gh#python/cpython#92875
+# Cannot remove it because of gh#python/cpython#92875
 rm -r Modules/expat
 
 # drop duplicate README from site-packages
@@ -551,6 +547,9 @@ rm Lib/site-packages/README.txt
 # Add vendored bluez-devel files
 tar xvf %{SOURCE21}
 
+# Don't fail on warnings when building documentation
+sed -i -e '/^SPHINXERRORHANDLING/s/--fail-on-warning//' Doc/Makefile
+
 %build
 export SUSE_VERSION="0%{?suse_version}"
 export SLE_VERSION="0%{?sle_version}"
@@ -580,6 +579,7 @@ sed -e 's/-fprofile-correction//' -i Makefile.pre.in
 %endif
 
 export CFLAGS="%{optflags} -IVendor/"
+export LLVM_VERSION=%{llvm_version}
 
 %configure \
     --with-platlibdir=%{_lib} \