python/python-pip
SHA256
15
0
Fork 0
forked from pool/python-pip
Code Pull Requests Activity

Update to 26.0.1 (bsc#1257599, CVE-2026-1703)

Browse Source
This commit is contained in:
Daniel Garcia
2026-02-17 09:01:53 +01:00
parent afcd75293a
commit 822aa8091e
7 changed files with 195 additions and 93 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
disable-ssl-context-in-buildenv.patch
View File

@@ -1,21 +1,8 @@
Index: pip-24.2/src/pip/_vendor/requests/adapters.py
Index: pip-26.0/src/pip/_internal/cli/index_command.py
===================================================================
--- pip-24.2.orig/src/pip/_vendor/requests/adapters.py
+++ pip-24.2/src/pip/_vendor/requests/adapters.py
@@ -81,7 +81,7 @@ try:
_preloaded_ssl_context.load_verify_locations(
extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
)
-except ImportError:
+except (ImportError, FileNotFoundError, ssl.SSLError):
# Bypass default SSLContext creation when Python
# interpreter isn't built with the ssl module.
_preloaded_ssl_context = None
Index: pip-24.2/src/pip/_internal/cli/index_command.py
===================================================================
--- pip-24.2.orig/src/pip/_internal/cli/index_command.py
+++ pip-24.2/src/pip/_internal/cli/index_command.py
@@ -43,7 +43,11 @@ def _create_truststore_ssl_context() ->
--- pip-26.0.orig/src/pip/_internal/cli/index_command.py
+++ pip-26.0/src/pip/_internal/cli/index_command.py
@@ -49,7 +49,11 @@ def _create_truststore_ssl_context() ->
return None
ctx = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)

17
distutils-reproducible-compile.patch
View File

@@ -1,17 +0,0 @@
---
src/pip/_vendor/distlib/wheel.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: pip-24.1.1/src/pip/_vendor/distlib/wheel.py
===================================================================
--- pip-24.1.1.orig/src/pip/_vendor/distlib/wheel.py
+++ pip-24.1.1/src/pip/_vendor/distlib/wheel.py
@@ -578,7 +578,7 @@ class Wheel(object):
maker.source_dir = workdir
maker.target_dir = None
try:
- for zinfo in zf.infolist():
+ for zinfo in sorted(zf.infolist()):
arcname = zinfo.filename
if isinstance(arcname, text_type):
u_arcname = arcname

BIN
pip-25.0.1-gh.tar.gz LFS
View File

Binary file not shown.

BIN
pip-26.0.1-gh.tar.gz LFS Normal file
View File

Binary file not shown.

67
pip-shipped-requests-cabundle.patch
View File

@@ -3,11 +3,11 @@
tests/unit/test_options.py | 5 +
2 files changed, 13 insertions(+), 97 deletions(-)
Index: pip-24.3.1/src/pip/_vendor/certifi/core.py
Index: pip-26.0/src/pip/_vendor/certifi/core.py
===================================================================
--- pip-24.3.1.orig/src/pip/_vendor/certifi/core.py
+++ pip-24.3.1/src/pip/_vendor/certifi/core.py
@@ -3,112 +3,15 @@ certifi.py
--- pip-26.0.orig/src/pip/_vendor/certifi/core.py
+++ pip-26.0/src/pip/_vendor/certifi/core.py
@@ -3,81 +3,14 @@ certifi.py
~~~~~~~~~~
This module returns the installation location of cacert.pem or its contents.
@@ -15,16 +15,16 @@ Index: pip-24.3.1/src/pip/_vendor/certifi/core.py
"""
-import sys
-import atexit
-def exit_cacert_ctx() -> None:
- _CACERT_CTX.__exit__(None, None, None) # type: ignore[union-attr]
+def read_text(_module=None, _path=None, encoding="ascii"):
+ with open(where(), "r", encoding=encoding) as data:
+ return data.read()
-def exit_cacert_ctx() -> None:
- _CACERT_CTX.__exit__(None, None, None) # type: ignore[union-attr]
+def where() -> str:
+ return "/etc/ssl/ca-bundle.pem"
-
-if sys.version_info >= (3, 11):
-
- from importlib.resources import as_file, files
@@ -60,7 +60,7 @@ Index: pip-24.3.1/src/pip/_vendor/certifi/core.py
- def contents() -> str:
- return files("pip._vendor.certifi").joinpath("cacert.pem").read_text(encoding="ascii")
-
-elif sys.version_info >= (3, 7):
-else:
-
- from importlib.resources import path as get_path, read_text
-
@@ -95,58 +95,29 @@ Index: pip-24.3.1/src/pip/_vendor/certifi/core.py
-
- def contents() -> str:
- return read_text("pip._vendor.certifi", "cacert.pem", encoding="ascii")
-
-else:
- import os
- import types
- from typing import Union
-
- Package = Union[types.ModuleType, str]
- Resource = Union[str, "os.PathLike"]
-
- # This fallback will work for Python versions prior to 3.7 that lack the
- # importlib.resources module but relies on the existing `where` function
- # so won't address issues with environments like PyOxidizer that don't set
- # __file__ on modules.
- def read_text(
- package: Package,
- resource: Resource,
- encoding: str = 'utf-8',
- errors: str = 'strict'
- ) -> str:
- with open(where(), encoding=encoding) as data:
- return data.read()
-
- # If we don't have importlib.resources, then we will just do the old logic
- # of assuming we're on the filesystem and munge the path directly.
- def where() -> str:
- f = os.path.dirname(__file__)
-
- return os.path.join(f, "cacert.pem")
-
- def contents() -> str:
- return read_text("pip._vendor.certifi", "cacert.pem", encoding="ascii")
+def contents() -> str:
+ return read_text(encoding="ascii")
Index: pip-24.3.1/tests/unit/test_options.py
Index: pip-26.0/tests/unit/test_options.py
===================================================================
--- pip-24.3.1.orig/tests/unit/test_options.py
+++ pip-24.3.1/tests/unit/test_options.py
@@ -1,4 +1,5 @@
--- pip-26.0.orig/tests/unit/test_options.py
+++ pip-26.0/tests/unit/test_options.py
@@ -1,6 +1,7 @@
from __future__ import annotations
import os
+import os.path
from collections.abc import Iterator
from contextlib import contextmanager
from optparse import Values
from tempfile import NamedTemporaryFile
@@ -10,6 +11,7 @@ import pip._internal.configuration
from pip._internal.cli.main import main
@@ -15,6 +16,7 @@ from pip._internal.cli.main import main
from pip._internal.commands import create_command
from pip._internal.commands.configuration import ConfigurationCommand
from pip._internal.exceptions import CommandError, PipError
+from pip._vendor.certifi import where
from pip._internal.exceptions import PipError
from tests.lib.options_helpers import AddFakeCommandMixin
@@ -618,6 +620,9 @@ class TestOptionsConfigFiles:
@@ -537,6 +539,9 @@ class TestOptionsConfigFiles:
else:
assert expect == cmd._determine_file(options, need_value=False)

162
python-pip.changes
View File

@@ -1,3 +1,165 @@
-------------------------------------------------------------------
Thu Feb 5 06:51:28 UTC 2026 - Daniel Garcia <daniel.garcia@suse.com>
- Update to 26.0.1:
* Fix --pre not being respected from the command line when a
requirement file includes an option e.g. -extra-index-url.
(#13788)
-------------------------------------------------------------------
Tue Feb 3 09:10:32 UTC 2026 - Daniel Garcia <daniel.garcia@suse.com>
- Add %{?pythons_for_pypi} macro, to be used in Leap 16.x for short
term interpreter.
- Drop upstreamed patch flit-core.patch
- Update to 26.0 (bsc#1257599, CVE-2026-1703):
# Deprecations and Removals
- Remove support for non-bare project names in egg fragments.
Affected users should use the Direct URL requirement syntax.
(#13157)
# Features
- Display pips command-line help in colour, if possible. (#12134)
- Support installing dependencies declared with inline script
metadata (PEP 723) with --requirements-from-script. (#12891)
- Add --all-releases and --only-final options to control pre-release
and final release selection during package installation. (#13221)
- Add --uploaded-prior-to option to only consider packages uploaded
prior to a given datetime when the upload-time field is available
from a remote index. (#13625)
- Add --use-feature inprocess-build-deps to request that build
dependencies are installed within the same pip install process.
This new mechanism is faster, supports --no-clean and
--no-cache-dir reliably, and supports prompting for
authentication.
- Enabling this feature will also enable --use-feature
build-constraints. This feature will become the default in a
future pip version. (#9081)
- pip cache purge and pip cache remove now clean up empty
directories and legacy files left by older pip versions. (#9058)
# Bug Fixes
- Fix selecting pre-release versions when only pre-releases match.
For example, package>1.0 with versions 1.0, 2.0rc1 now installs
2.0rc1 instead of failing. (#13746)
- Revisions in version control URLs now must be percent-encoded. For
example, use git+https://example.com/repo.git@issue%231 to specify
the branch issue#1. If you previously used a branch name
containing a % character in a version control URL, you now need to
replace it with %25 to ensure correct percent-encoding. (#13407)
- Preserve original casing when a path is displayed. (#6823)
- Fix bash completion when the $IFS variable has been modified from
its default. (#13555)
- Precompute Python requirements on each candidate, reducing time of
long resolutions. (#13656)
- Skip redundant work converting version objects to strings when
using the importlib.metadata backend. (#13660)
- Fix pip index versions to honor only-binary/no-binary options.
(#13682)
- Fix fallthrough logic for options, allowing overriding global
options with defaults from user config. (#13703)
- Use a path-segment prefix comparison, not char-by-char. (#13777)
- 25.3:
# Deprecations and Removals
- Remove support for the legacy setup.py develop editable method in
setuptools editable installs; setuptools >= 64 is now required.
(#11457)
- Remove the deprecated --global-option and --build-option.
--config-setting is now the only way to pass options to the build
backend. (#11859)
- Deprecate the PIP_CONSTRAINT environment variable for specifying
build constraints.
- Use the --build-constraint option or the PIP_BUILD_CONSTRAINT
environment variable instead. When build constraints are used,
PIP_CONSTRAINT no longer affects isolated build environments. To
enable this behavior without specifying any build constraints, use
--use-feature=build-constraint. (#13534)
- Remove support for non-standard legacy wheel filenames. (#13581)
- Remove support for the deprecated setup.py bdist_wheel mechanism.
Consequently, --use-pep517 is now always on, and --no-use-pep517
has been removed. (#6334)
# Features
- When PEP 658 metadata is available, full distribution files are no
longer downloaded when using pip lock or pip install --dry-run.
(#12603)
- Add support for installing an editable requirement written as a
Direct URL (PackageName @ URL). (#13495)
- Add support for build constraints via the --build-constraint
option. This allows constraining the versions of packages used
during the build process (e.g., setuptools) without affecting the
final installation. (#13534)
- On ResolutionImpossible errors, include a note about causes with
no candidates. (#13588)
- Building pip itself from source now uses flit-core instead of
setuptools. This does not affect how pip installs or builds
packages you use. (#13473)
# Bug Fixes
- Handle malformed Version metadata entries and show a sensible
error message instead of crashing. (#13443)
- Permit spaces between a filepath and extras in an install
requirement. (#13523)
- Ensure the self-check files in the cache have the same permissions
as the rest of the cache. (#13528)
- Avoid concurrency issues and improve performance when caching
locally built wheels, especially when the temporary build
directory is on a different filesystem than the cache. The wheel
directory passed to the build backend is now a temporary
subdirectory inside the cache directory. (#13540)
- Include relevant user-supplied constraints in logs when reporting
dependency conflicts. (#13545)
- Fix a regression in configuration parsing that was turning a
single value into a list and thus leading to a validation error.
(#13548)
- For Python versions that do not support PEP 706, pip will now
raise an installation error for a source distribution when it
includes a symlink that points outside the source distribution
archive. (#13550)
- Prevent --user installs if site.ENABLE_USER_SITE is set to False.
(#8794)
-------------------------------------------------------------------
Wed Aug 13 12:25:02 UTC 2025 - Markéta Machová <mmachova@suse.com>
- update to 25.2
# 25.1
* Drop support for Python 3.8.
* On python 3.14+, the pkg_resources metadata backend cannot be used
anymore.
* Hide --no-python-version-warning from CLI help and documentation
as it's useless since Python 2 support was removed.
* A warning is emitted when the deprecated pkg_resources library is
used to inspect and discover installed packages.
* Deprecate the legacy setup.py bdist_wheel mechanism. To silence
the warning, and future-proof their setup, users should enable
--use-pep517 or add a pyproject.toml file to the projects they
control.
* Using --debug also enables verbose logging.
* Display a transient progress bar during package installation.
* Add a --group option which allows installation from PEP 735
Dependency Groups.
* Use PEP 753 "Well-known Project URLs in Metadata" normalization
rules when identifying an equivalent project URL to replace
a missing Home-Page field in pip show.
* Add a new, experimental, pip lock command, implementing PEP 751.
* Resolvelib 1.1.0 fixes a known issue where pip would report a
ResolutionImpossible error even though there is a valid solution.
However, some very complex dependency resolutions that previously
resolved may resolve slower or fail with an ResolutionTooDeep error.
# 25.2
* Declare support for Python 3.14
* Automatic download resumption and retrying is enabled by default.
* Requires-Python error message displays version clauses in numerical
order.
* Show time taken instead of eta 0:00:00 at download completion.
* Remove warning when cloning from a Git reference that does not look
like a commit hash.
* pip's own licensing metadata now follows PEP 639. In addition, the
licenses of pip's vendored dependencies are now included in the
License-File metadata field and in the wheel.
- Drop no-longer-applicable distutils-reproducible-compile.patch
* distlib was trimmed https://github.com/pypa/pip/pull/13342
- Add upstream flit-core.patch to fix build
-------------------------------------------------------------------
Thu Apr 17 12:40:51 UTC 2025 - Felix Stegmeier <felix.stegmeier@suse.com>

15
python-pip.spec
View File

@@ -1,7 +1,7 @@
#
# spec file for package python-pip
#
# Copyright (c) 2025 SUSE LLC
# Copyright (c) 2026 SUSE LLC and contributors
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -31,9 +31,10 @@
%endif
# in order to avoid rewriting for subpackage generator
%define mypython python
%{?pythons_for_pypi}
%{?sle15_python_module_pythons}
Name: python-pip%{psuffix}
Version: 25.0.1
Version: 26.0.1
Release: 0
Summary: A Python package management system
License: MIT
@@ -42,13 +43,10 @@ URL: https://pip.pypa.io
Source: https://github.com/pypa/pip/archive/%{version}.tar.gz#/pip-%{version}-gh.tar.gz
# PATCH-FIX-OPENSUSE pip-shipped-requests-cabundle.patch -- adapted patch from python-certifi package
Patch0: pip-shipped-requests-cabundle.patch
# PATCH-FIX-UPSTREAM distutils-reproducible-compile.patch gh#python/cpython#8057 mcepl@suse.com
# To get reproducible builds, byte_compile() of distutils.util now sorts filenames.
Patch1: distutils-reproducible-compile.patch
# PATCH-FIX-OPENSUSE: deal missing ca-certificates as "ssl not available"
Patch2: disable-ssl-context-in-buildenv.patch
BuildRequires: %{python_module base >= 3.7}
BuildRequires: %{python_module setuptools >= 40.8.0}
Patch1: disable-ssl-context-in-buildenv.patch
BuildRequires: %{python_module base >= 3.9}
BuildRequires: %{python_module flit-core >= 3.11}
# The rpm python-wheel build is bootstrap friendly since 0.42
BuildRequires: %{python_module wheel}
BuildRequires: fdupes
@@ -73,6 +71,7 @@ BuildRequires: %{python_module installer}
# Test requirements:
BuildRequires: %{python_module pip = %{version}}
BuildRequires: %{python_module pretend}
BuildRequires: %{python_module pytest-socket}
BuildRequires: %{python_module pytest-xdist}
BuildRequires: %{python_module pytest}
BuildRequires: %{python_module scripttest}