From 822aa8091e4a6546ae4d4423fde56c5ffe1a79c8d173b1c360cf1412a35d1f06 Mon Sep 17 00:00:00 2001
From: Daniel Garcia Moreno
Date: Tue, 17 Feb 2026 09:01:53 +0100
Subject: [PATCH] Update to 26.0.1 (bsc#1257599, CVE-2026-1703)

---
 disable-ssl-context-in-buildenv.patch | 21 +---
 distutils-reproducible-compile.patch | 17 ---
 pip-25.0.1-gh.tar.gz | 3 -
 pip-26.0.1-gh.tar.gz | 3 +
 pip-shipped-requests-cabundle.patch | 67 +++--------
 python-pip.changes | 162 ++++++++++++++++++++++++++
 python-pip.spec | 15 ++-
 7 files changed, 195 insertions(+), 93 deletions(-)
 delete mode 100644 distutils-reproducible-compile.patch
 delete mode 100644 pip-25.0.1-gh.tar.gz
 create mode 100644 pip-26.0.1-gh.tar.gz

diff --git a/disable-ssl-context-in-buildenv.patch b/disable-ssl-context-in-buildenv.patch
index 71942c7..609c439 100644
--- a/disable-ssl-context-in-buildenv.patch
+++ b/disable-ssl-context-in-buildenv.patch
@@ -1,21 +1,8 @@ -Index: pip-24.2/src/pip/_vendor/requests/adapters.py +Index: pip-26.0/src/pip/_internal/cli/index_command.py =================================================================== ---- pip-24.2.orig/src/pip/_vendor/requests/adapters.py -+++ pip-24.2/src/pip/_vendor/requests/adapters.py -@@ -81,7 +81,7 @@ try: - _preloaded_ssl_context.load_verify_locations( - extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH) - ) --except ImportError: -+except (ImportError, FileNotFoundError, ssl.SSLError): - # Bypass default SSLContext creation when Python - # interpreter isn't built with the ssl module. - _preloaded_ssl_context = None -Index: pip-24.2/src/pip/_internal/cli/index_command.py -=================================================================== ---- pip-24.2.orig/src/pip/_internal/cli/index_command.py -+++ pip-24.2/src/pip/_internal/cli/index_command.py -@@ -43,7 +43,11 @@ def _create_truststore_ssl_context() -> +--- pip-26.0.orig/src/pip/_internal/cli/index_command.py ++++ pip-26.0/src/pip/_internal/cli/index_command.py +@@ -49,7 +49,11 @@ def _create_truststore_ssl_context() -> return None ctx = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT) diff --git a/distutils-reproducible-compile.patch b/distutils-reproducible-compile.patch deleted file mode 100644 index 5fe265b..0000000 --- a/distutils-reproducible-compile.patch +++ /dev/null @@ -1,17 +0,0 @@ ---- - src/pip/_vendor/distlib/wheel.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -Index: pip-24.1.1/src/pip/_vendor/distlib/wheel.py -=================================================================== ---- pip-24.1.1.orig/src/pip/_vendor/distlib/wheel.py -+++ pip-24.1.1/src/pip/_vendor/distlib/wheel.py -@@ -578,7 +578,7 @@ class Wheel(object): - maker.source_dir = workdir - maker.target_dir = None - try: -- for zinfo in zf.infolist(): -+ for zinfo in sorted(zf.infolist()): - arcname = zinfo.filename - if isinstance(arcname, text_type): - u_arcname = arcname 
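Review bot: The rewritten patch drops the `src/pip/_vendor/requests/adapters.py` hunk that widened `except ImportError:` to `except (ImportError, FileNotFoundError, ssl.SSLError):` around the import-time `_preloaded_ssl_context.load_verify_locations(...)`, leaving only the guard in `_create_truststore_ssl_context` of `index_command.py`. With Patch0 pointing certifi at the system bundle, a build environment without ca-certificates would again fail at import of the vendored requests if pip 26.0.x still preloads that context, which is exactly the case this patch exists to cover. Worth confirming against the new vendored sources; if that preload code is still present, the adapters.py hunk should be re-added at its new line numbers rather than dropped. The body of `_create_truststore_ssl_context` continues past the end of this hunk.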
diff --git a/pip-25.0.1-gh.tar.gz b/pip-25.0.1-gh.tar.gz deleted file mode 100644 index eaaad35..0000000 --- a/pip-25.0.1-gh.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:334371888f0c679c04e819ddc234562feaea81331658a76842b62dc9dc83a832 -size 9224526 diff --git a/pip-26.0.1-gh.tar.gz b/pip-26.0.1-gh.tar.gz new file mode 100644 index 0000000..66151c9 --- /dev/null +++ b/pip-26.0.1-gh.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b70256771f5ea127dae3e4bd6a9c9ab4928d1833519e17b132e76bdeec5a373d +size 9227871 diff --git a/pip-shipped-requests-cabundle.patch b/pip-shipped-requests-cabundle.patch index 5c8796f..33e518b 100644 --- a/pip-shipped-requests-cabundle.patch +++ b/pip-shipped-requests-cabundle.patch @@ -3,11 +3,11 @@ tests/unit/test_options.py | 5 + 2 files changed, 13 insertions(+), 97 deletions(-) -Index: pip-24.3.1/src/pip/_vendor/certifi/core.py +Index: pip-26.0/src/pip/_vendor/certifi/core.py =================================================================== ---- pip-24.3.1.orig/src/pip/_vendor/certifi/core.py -+++ pip-24.3.1/src/pip/_vendor/certifi/core.py -@@ -3,112 +3,15 @@ certifi.py +--- pip-26.0.orig/src/pip/_vendor/certifi/core.py ++++ pip-26.0/src/pip/_vendor/certifi/core.py +@@ -3,81 +3,14 @@ certifi.py ~~~~~~~~~~ This module returns the installation location of cacert.pem or its contents. @@ -15,16 +15,16 @@ Index: pip-24.3.1/src/pip/_vendor/certifi/core.py """ -import sys -import atexit - --def exit_cacert_ctx() -> None: -- _CACERT_CTX.__exit__(None, None, None) # type: ignore[union-attr] +def read_text(_module=None, _path=None, encoding="ascii"): + with open(where(), "r", encoding=encoding) as data: + return data.read() +-def exit_cacert_ctx() -> None: +- _CACERT_CTX.__exit__(None, None, None) # type: ignore[union-attr] +def where() -> str: + return "/etc/ssl/ca-bundle.pem" +- -if sys.version_info >= (3, 11): - - from importlib.resources import as_file, files 
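Review bot: The replacement `read_text(_module=None, _path=None, encoding="ascii")` silently ignores its first two parameters, and `where()` returns a fixed path with no existence check, so every caller, including `contents()` in the later `@@ -95,58 +95,29 @@` hunk of this file, raises `FileNotFoundError` on a system where `/etc/ssl/ca-bundle.pem` is absent; that is presumably the intended runtime contract for the distribution package, but nothing in the shim says so. A docstring on each function would make the intent explicit for the next rebase, e.g. `"""Read the system CA bundle; the module and path arguments exist only for certifi API compatibility and are ignored."""` on `read_text` and `"""Return the distribution CA bundle path instead of the vendored cacert.pem."""` on `where`. The `@@ -15,16 +15,16 @@` hunk ends partway through the removed `sys.version_info` block, so the rest of the code it replaces is outside this hunk.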
@@ -60,7 +60,7 @@ Index: pip-24.3.1/src/pip/_vendor/certifi/core.py - def contents() -> str: - return files("pip._vendor.certifi").joinpath("cacert.pem").read_text(encoding="ascii") - --elif sys.version_info >= (3, 7): +-else: - - from importlib.resources import path as get_path, read_text - 
@@ -95,58 +95,29 @@ Index: pip-24.3.1/src/pip/_vendor/certifi/core.py - - def contents() -> str: - return read_text("pip._vendor.certifi", "cacert.pem", encoding="ascii") -- --else: -- import os -- import types -- from typing import Union -- -- Package = Union[types.ModuleType, str] -- Resource = Union[str, "os.PathLike"] -- -- # This fallback will work for Python versions prior to 3.7 that lack the -- # importlib.resources module but relies on the existing `where` function -- # so won't address issues with environments like PyOxidizer that don't set -- # __file__ on modules. -- def read_text( -- package: Package, -- resource: Resource, -- encoding: str = 'utf-8', -- errors: str = 'strict' -- ) -> str: -- with open(where(), encoding=encoding) as data: -- return data.read() -- -- # If we don't have importlib.resources, then we will just do the old logic -- # of assuming we're on the filesystem and munge the path directly. -- def where() -> str: -- f = os.path.dirname(__file__) -- -- return os.path.join(f, "cacert.pem") -- -- def contents() -> str: -- return read_text("pip._vendor.certifi", "cacert.pem", encoding="ascii") +def contents() -> str: + return read_text(encoding="ascii") -Index: pip-24.3.1/tests/unit/test_options.py +Index: pip-26.0/tests/unit/test_options.py =================================================================== ---- pip-24.3.1.orig/tests/unit/test_options.py -+++ pip-24.3.1/tests/unit/test_options.py -@@ -1,4 +1,5 @@ +--- pip-26.0.orig/tests/unit/test_options.py ++++ pip-26.0/tests/unit/test_options.py +@@ -1,6 +1,7 @@ + from __future__ import annotations + import os +import os.path + from collections.abc import Iterator from contextlib import contextmanager from optparse import Values - from tempfile import NamedTemporaryFile -@@ -10,6 +11,7 @@ import pip._internal.configuration - from pip._internal.cli.main import main +@@ -15,6 +16,7 @@ from pip._internal.cli.main import main from pip._internal.commands import create_command from 
pip._internal.commands.configuration import ConfigurationCommand + from pip._internal.exceptions import CommandError, PipError +from pip._vendor.certifi import where - from pip._internal.exceptions import PipError from tests.lib.options_helpers import AddFakeCommandMixin -@@ -618,6 +620,9 @@ class TestOptionsConfigFiles: + +@@ -537,6 +539,9 @@ class TestOptionsConfigFiles: else: assert expect == cmd._determine_file(options, need_value=False) diff --git a/python-pip.changes b/python-pip.changes index a947248..324c1c2 100644 --- a/python-pip.changes +++ b/python-pip.changes 
@@ -1,3 +1,165 @@
+-------------------------------------------------------------------
+Thu Feb 5 06:51:28 UTC 2026 - Daniel Garcia
+
+- Update to 26.0.1:
+ * Fix --pre not being respected from the command line when a
+ requirement file includes an option e.g. -extra-index-url.
+ (#13788)
+
+-------------------------------------------------------------------
+Tue Feb 3 09:10:32 UTC 2026 - Daniel Garcia
+
+- Add %{?pythons_for_pypi} macro, to be used in Leap 16.x for short
+ term interpreter.
+- Drop upstreamed patch flit-core.patch
+
+- Update to 26.0 (bsc#1257599, CVE-2026-1703):
+ # Deprecations and Removals
+ - Remove support for non-bare project names in egg fragments.
+ Affected users should use the Direct URL requirement syntax.
+ (#13157)
+ # Features
+ - Display pip’s command-line help in colour, if possible. (#12134)
+ - Support installing dependencies declared with inline script
+ metadata (PEP 723) with --requirements-from-script. (#12891)
+ - Add --all-releases and --only-final options to control pre-release
+ and final release selection during package installation. (#13221)
+ - Add --uploaded-prior-to option to only consider packages uploaded
+ prior to a given datetime when the upload-time field is available
+ from a remote index. (#13625)
+ - Add --use-feature inprocess-build-deps to request that build
+ dependencies are installed within the same pip install process.
+ This new mechanism is faster, supports --no-clean and
+ --no-cache-dir reliably, and supports prompting for
+ authentication.
+ - Enabling this feature will also enable --use-feature
+ build-constraints. This feature will become the default in a
+ future pip version. (#9081)
+ - pip cache purge and pip cache remove now clean up empty
+ directories and legacy files left by older pip versions. (#9058)
+ # Bug Fixes
+ - Fix selecting pre-release versions when only pre-releases match.
+ For example, package>1.0 with versions 1.0, 2.0rc1 now installs
+ 2.0rc1 instead of failing. (#13746)
+ - Revisions in version control URLs now must be percent-encoded. For
+ example, use git+https://example.com/repo.git@issue%231 to specify
+ the branch issue#1. If you previously used a branch name
+ containing a % character in a version control URL, you now need to
+ replace it with %25 to ensure correct percent-encoding. (#13407)
+ - Preserve original casing when a path is displayed. (#6823)
+ - Fix bash completion when the $IFS variable has been modified from
+ its default. (#13555)
+ - Precompute Python requirements on each candidate, reducing time of
+ long resolutions. (#13656)
+ - Skip redundant work converting version objects to strings when
+ using the importlib.metadata backend. (#13660)
+ - Fix pip index versions to honor only-binary/no-binary options.
+ (#13682)
+ - Fix fallthrough logic for options, allowing overriding global
+ options with defaults from user config. (#13703)
+ - Use a path-segment prefix comparison, not char-by-char. (#13777)
+
+- 25.3:
+ # Deprecations and Removals
+ - Remove support for the legacy setup.py develop editable method in
+ setuptools editable installs; setuptools >= 64 is now required.
+ (#11457)
+ - Remove the deprecated --global-option and --build-option.
+ --config-setting is now the only way to pass options to the build
+ backend. (#11859)
+ - Deprecate the PIP_CONSTRAINT environment variable for specifying
+ build constraints.
+ - Use the --build-constraint option or the PIP_BUILD_CONSTRAINT
+ environment variable instead. When build constraints are used,
+ PIP_CONSTRAINT no longer affects isolated build environments. To
+ enable this behavior without specifying any build constraints, use
+ --use-feature=build-constraint. (#13534)
+ - Remove support for non-standard legacy wheel filenames. (#13581)
+ - Remove support for the deprecated setup.py bdist_wheel mechanism.
+ Consequently, --use-pep517 is now always on, and --no-use-pep517
+ has been removed. (#6334)
+ # Features
+ - When PEP 658 metadata is available, full distribution files are no
+ longer downloaded when using pip lock or pip install --dry-run.
+ (#12603)
+ - Add support for installing an editable requirement written as a
+ Direct URL (PackageName @ URL). (#13495)
+ - Add support for build constraints via the --build-constraint
+ option. This allows constraining the versions of packages used
+ during the build process (e.g., setuptools) without affecting the
+ final installation. (#13534)
+ - On ResolutionImpossible errors, include a note about causes with
+ no candidates. (#13588)
+ - Building pip itself from source now uses flit-core instead of
+ setuptools. This does not affect how pip installs or builds
+ packages you use. (#13473)
+ # Bug Fixes
+ - Handle malformed Version metadata entries and show a sensible
+ error message instead of crashing. (#13443)
+ - Permit spaces between a filepath and extras in an install
+ requirement. (#13523)
+ - Ensure the self-check files in the cache have the same permissions
+ as the rest of the cache. (#13528)
+ - Avoid concurrency issues and improve performance when caching
+ locally built wheels, especially when the temporary build
+ directory is on a different filesystem than the cache. The wheel
+ directory passed to the build backend is now a temporary
+ subdirectory inside the cache directory. (#13540)
+ - Include relevant user-supplied constraints in logs when reporting
+ dependency conflicts. (#13545)
+ - Fix a regression in configuration parsing that was turning a
+ single value into a list and thus leading to a validation error.
+ (#13548)
+ - For Python versions that do not support PEP 706, pip will now
+ raise an installation error for a source distribution when it
+ includes a symlink that points outside the source distribution
+ archive. (#13550)
+ - Prevent --user installs if site.ENABLE_USER_SITE is set to False.
+ (#8794)
+
+-------------------------------------------------------------------
+Wed Aug 13 12:25:02 UTC 2025 - Markéta Machová
+
+- update to 25.2
+ # 25.1
+ * Drop support for Python 3.8.
+ * On python 3.14+, the pkg_resources metadata backend cannot be used
+ anymore.
+ * Hide --no-python-version-warning from CLI help and documentation
+ as it's useless since Python 2 support was removed.
+ * A warning is emitted when the deprecated pkg_resources library is
+ used to inspect and discover installed packages.
+ * Deprecate the legacy setup.py bdist_wheel mechanism. To silence
+ the warning, and future-proof their setup, users should enable
+ --use-pep517 or add a pyproject.toml file to the projects they
+ control.
+ * Using --debug also enables verbose logging.
+ * Display a transient progress bar during package installation.
+ * Add a --group option which allows installation from PEP 735
+ Dependency Groups.
+ * Use PEP 753 "Well-known Project URLs in Metadata" normalization
+ rules when identifying an equivalent project URL to replace
+ a missing Home-Page field in pip show.
+ * Add a new, experimental, pip lock command, implementing PEP 751.
+ * Resolvelib 1.1.0 fixes a known issue where pip would report a
+ ResolutionImpossible error even though there is a valid solution.
+ However, some very complex dependency resolutions that previously
+ resolved may resolve slower or fail with an ResolutionTooDeep error.
+ # 25.2
+ * Declare support for Python 3.14
+ * Automatic download resumption and retrying is enabled by default.
+ * Requires-Python error message displays version clauses in numerical
+ order.
+ * Show time taken instead of eta 0:00:00 at download completion.
+ * Remove warning when cloning from a Git reference that does not look
+ like a commit hash.
+ * pip's own licensing metadata now follows PEP 639. In addition, the
+ licenses of pip's vendored dependencies are now included in the
+ License-File metadata field and in the wheel.
+- Drop no-longer-applicable distutils-reproducible-compile.patch + * distlib was trimmed https://github.com/pypa/pip/pull/13342 +- Add upstream flit-core.patch to fix build + ------------------------------------------------------------------- Thu Apr 17 12:40:51 UTC 2025 - Felix Stegmeier diff --git a/python-pip.spec b/python-pip.spec index bca25cb..1f82b09 100644 --- a/python-pip.spec +++ b/python-pip.spec @@ -1,7 +1,7 @@ # # spec file for package python-pip # -# Copyright (c) 2025 SUSE LLC +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -31,9 +31,10 @@ %endif # in order to avoid rewriting for subpackage generator %define mypython python +%{?pythons_for_pypi} %{?sle15_python_module_pythons} Name: python-pip%{psuffix} -Version: 25.0.1 +Version: 26.0.1 Release: 0 Summary: A Python package management system License: MIT @@ -42,13 +43,10 @@ URL: https://pip.pypa.io Source: https://github.com/pypa/pip/archive/%{version}.tar.gz#/pip-%{version}-gh.tar.gz # PATCH-FIX-OPENSUSE pip-shipped-requests-cabundle.patch -- adapted patch from python-certifi package Patch0: pip-shipped-requests-cabundle.patch -# PATCH-FIX-UPSTREAM distutils-reproducible-compile.patch gh#python/cpython#8057 mcepl@suse.com -# To get reproducible builds, byte_compile() of distutils.util now sorts filenames. -Patch1: distutils-reproducible-compile.patch # PATCH-FIX-OPENSUSE: deal missing ca-certificates as "ssl not available" -Patch2: disable-ssl-context-in-buildenv.patch -BuildRequires: %{python_module base >= 3.7} -BuildRequires: %{python_module setuptools >= 40.8.0} +Patch1: disable-ssl-context-in-buildenv.patch +BuildRequires: %{python_module base >= 3.9} +BuildRequires: %{python_module flit-core >= 3.11} # The rpm python-wheel build is bootstrap friendly since 0.42 BuildRequires: %{python_module wheel} BuildRequires: fdupes 
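Review bot: Renumbering disable-ssl-context-in-buildenv.patch from `Patch2` to `Patch1` in the `@@ -42,13 +43,10 @@` hunk is only safe if `%prep` (outside this diff) applies patches with `%autosetup -p1`/`%autopatch` rather than an explicit `%patch2`; with the latter the build breaks as soon as the old Patch1 line is gone. Keeping the original tag avoids that churn entirely: `Patch2: disable-ssl-context-in-buildenv.patch`. Separately, since Patch0 now makes the vendored certifi return `/etc/ssl/ca-bundle.pem` unconditionally, the package's runtime `Requires` (not in this hunk) should pull in whatever provides that bundle; worth confirming it is already declared.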
@@ -73,6 +71,7 @@ BuildRequires: %{python_module installer}
 # Test requirements:
 BuildRequires: %{python_module pip = %{version}}
 BuildRequires: %{python_module pretend}
+BuildRequires: %{python_module pytest-socket}
 BuildRequires: %{python_module pytest-xdist}
 BuildRequires: %{python_module pytest}
 BuildRequires: %{python_module scripttest}