Accepting request 1308385 from devel:languages:python

OBS-URL: https://build.opensuse.org/request/show/1308385
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-requests?expand=0&rev=89

inject-default-ca-bundles.patch

@@ -1,126 +0,0 @@
-From 2769cb607d4e696e2fe70802d4246ccc5abd64a8 Mon Sep 17 00:00:00 2001
-From: Nate Prewitt <nate.prewitt@gmail.com>
-Date: Wed, 29 May 2024 12:48:48 -0700
-Subject: [PATCH 1/3] Consider cert settings when using default context
-
----
- src/requests/adapters.py | 26 ++++++++++++++++++--------
- 1 file changed, 18 insertions(+), 8 deletions(-)
-
-diff --git a/src/requests/adapters.py b/src/requests/adapters.py
-index 9a58b16025..991b7e21c9 100644
---- a/src/requests/adapters.py
-+++ b/src/requests/adapters.py
-@@ -87,6 +87,23 @@ def SOCKSProxyManager(*args, **kwargs):
-     _preloaded_ssl_context = None
- 
- 
-+def _should_use_default_context(
-+    verify: "bool | str | None",
-+    client_cert: "typing.Tuple[str, str] | str | None",
-+    poolmanager_kwargs: typing.Dict[str, typing.Any],
-+) -> bool:
-+    # Determine if we have and should use our default SSLContext
-+    # to optimize performance on standard requests.
-+    has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context")
-+    should_use_default_ssl_context = (
-+        verify is True
-+        and _preloaded_ssl_context is not None
-+        and not has_poolmanager_ssl_context
-+        and client_cert is None
-+    )
-+    return should_use_default_ssl_context
-+
-+
- def _urllib3_request_context(
-     request: "PreparedRequest",
-     verify: "bool | str | None",
-@@ -98,19 +115,12 @@ def _urllib3_request_context(
-     parsed_request_url = urlparse(request.url)
-     scheme = parsed_request_url.scheme.lower()
-     port = parsed_request_url.port
--
--    # Determine if we have and should use our default SSLContext
--    # to optimize performance on standard requests.
-     poolmanager_kwargs = getattr(poolmanager, "connection_pool_kw", {})
--    has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context")
--    should_use_default_ssl_context = (
--        _preloaded_ssl_context is not None and not has_poolmanager_ssl_context
--    )
- 
-     cert_reqs = "CERT_REQUIRED"
-     if verify is False:
-         cert_reqs = "CERT_NONE"
--    elif verify is True and should_use_default_ssl_context:
-+    elif _should_use_default_context(verify, client_cert, poolmanager_kwargs):
-         pool_kwargs["ssl_context"] = _preloaded_ssl_context
-     elif isinstance(verify, str):
-         if not os.path.isdir(verify):
-
-From e341df3efa0323072fab5d16307e2a20295675b9 Mon Sep 17 00:00:00 2001
-From: Nate Prewitt <nate.prewitt@gmail.com>
-Date: Fri, 31 May 2024 11:41:48 -0700
-Subject: [PATCH 2/3] Set default ca_cert bundle if verify is True
-
----
- src/requests/adapters.py | 14 +++++++++++---
- 1 file changed, 11 insertions(+), 3 deletions(-)
-
-diff --git a/src/requests/adapters.py b/src/requests/adapters.py
-index 991b7e21c9..ba5a0ec4f0 100644
---- a/src/requests/adapters.py
-+++ b/src/requests/adapters.py
-@@ -118,15 +118,23 @@ def _urllib3_request_context(
-     poolmanager_kwargs = getattr(poolmanager, "connection_pool_kw", {})
- 
-     cert_reqs = "CERT_REQUIRED"
-+    cert_loc = None
-     if verify is False:
-         cert_reqs = "CERT_NONE"
-     elif _should_use_default_context(verify, client_cert, poolmanager_kwargs):
-         pool_kwargs["ssl_context"] = _preloaded_ssl_context
-+    elif verify is True:
-+        # Set default ca cert location if none provided
-+        cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
-     elif isinstance(verify, str):
--        if not os.path.isdir(verify):
--            pool_kwargs["ca_certs"] = verify
-+        cert_loc = verify
-+
-+    if cert_loc is not None:
-+        if not os.path.isdir(cert_loc):
-+            pool_kwargs["ca_certs"] = cert_loc
-         else:
--            pool_kwargs["ca_cert_dir"] = verify
-+            pool_kwargs["ca_cert_dir"] = cert_loc
-+
-     pool_kwargs["cert_reqs"] = cert_reqs
-     if client_cert is not None:
-         if isinstance(client_cert, tuple) and len(client_cert) == 2:
-
-From da96a92e2eb6dfe7c74704267bcb8f9fd6fb92b0 Mon Sep 17 00:00:00 2001
-From: Nate Prewitt <nate.prewitt@gmail.com>
-Date: Fri, 31 May 2024 12:20:11 -0700
-Subject: [PATCH 3/3] Correct comment to match actual behavior
-
----
- src/requests/adapters.py | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/src/requests/adapters.py b/src/requests/adapters.py
-index ba5a0ec4f0..54143f9e6b 100644
---- a/src/requests/adapters.py
-+++ b/src/requests/adapters.py
-@@ -334,10 +334,8 @@ def cert_verify(self, conn, url, verify, cert):
-         if url.lower().startswith("https") and verify:
-             conn.cert_reqs = "CERT_REQUIRED"
- 
--            # Only load the CA certificates if 'verify' is a string indicating the CA bundle to use.
--            # Otherwise, if verify is a boolean, we don't load anything since
--            # the connection will be using a context with the default certificates already loaded,
--            # and this avoids a call to the slow load_verify_locations()
-+            # Only load the CA certificates if `verify` is a
-+            # string indicating the CA bundle to use.
-             if verify is not True:
-                 # `verify` must be a str with a path then
-                 cert_loc = verify

python-requests.changes

@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Wed Oct  1 09:42:41 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to 2.32.5
+  * The SSLContext caching feature originally introduced in 2.32.0 has
+    created a new class of issues in Requests that have had negative
+    impact across a number of use cases. The Requests team has decided
+    to revert this feature as long term maintenance of it is proving
+    to be unsustainable in its current iteration.
+  * Added support for Python 3.14.
+  * Dropped support for Python 3.8 following its end of support.
+- Drop inject-default-ca-bundles.patch, fixed upstream
+- Drop revert-caching-default-sslcontext.patch, merged upstream
+- Update BuildRequires from setup.py
+
 -------------------------------------------------------------------
 Mon Jul 14 09:20:12 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
 

python-requests.spec

@@ -26,17 +26,13 @@
 %endif
 %{?sle15_python_module_pythons}
 Name:           python-requests%{psuffix}
-Version:        2.32.4
+Version:        2.32.5
 Release:        0
 Summary:        Python HTTP Library
 License:        Apache-2.0
 URL:            https://docs.python-requests.org/
 Source:         https://files.pythonhosted.org/packages/source/r/requests/requests-%{version}.tar.gz
-# PATCH-FIX-UPSTREAM gh#psf/requests#6731
+BuildRequires:  %{python_module base >= 3.9}
-Patch0:         inject-default-ca-bundles.patch
-# PATCH-FIX-UPSTREAM revert-caching-default-sslcontext.patch gh#psf/requests#6767
-Patch1:         revert-caching-default-sslcontext.patch
-BuildRequires:  %{python_module base >= 3.7}
 BuildRequires:  %{python_module pip}
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  %{python_module wheel}

requests-2.32.5.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dbba0bac56e100853db0ea71b82b4dfd5fe2bf6d3754a8893c3af500cec7d7cf
+size 134517

revert-caching-default-sslcontext.patch

@@ -1,109 +0,0 @@
-From d520f46f94d0e637d440c6c0d55aa49240e2d46a Mon Sep 17 00:00:00 2001
-From: Nate Prewitt <nate.prewitt@gmail.com>
-Date: Thu, 18 Jul 2024 09:51:10 -0700
-Subject: [PATCH] Revert caching a default SSLContext
-
----
- src/requests/adapters.py | 55 ++++++++++++----------------------------
- 1 file changed, 16 insertions(+), 39 deletions(-)
-
-Index: requests-2.32.4/src/requests/adapters.py
-===================================================================
---- requests-2.32.4.orig/src/requests/adapters.py
-+++ requests-2.32.4/src/requests/adapters.py
-@@ -27,7 +27,6 @@ from urllib3.poolmanager import PoolMana
- from urllib3.util import Timeout as TimeoutSauce
- from urllib3.util import parse_url
- from urllib3.util.retry import Retry
--from urllib3.util.ssl_ import create_urllib3_context
- 
- from .auth import _basic_auth_str
- from .compat import basestring, urlparse
-@@ -74,36 +73,6 @@ DEFAULT_RETRIES = 0
- DEFAULT_POOL_TIMEOUT = None
- 
- 
--try:
--    import ssl  # noqa: F401
--
--    _preloaded_ssl_context = create_urllib3_context()
--    _preloaded_ssl_context.load_verify_locations(
--        extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
--    )
--except ImportError:
--    # Bypass default SSLContext creation when Python
--    # interpreter isn't built with the ssl module.
--    _preloaded_ssl_context = None
--
--
--def _should_use_default_context(
--    verify: "bool | str | None",
--    client_cert: "typing.Tuple[str, str] | str | None",
--    poolmanager_kwargs: typing.Dict[str, typing.Any],
--) -> bool:
--    # Determine if we have and should use our default SSLContext
--    # to optimize performance on standard requests.
--    has_poolmanager_ssl_context = poolmanager_kwargs.get("ssl_context")
--    should_use_default_ssl_context = (
--        verify is True
--        and _preloaded_ssl_context is not None
--        and not has_poolmanager_ssl_context
--        and client_cert is None
--    )
--    return should_use_default_ssl_context
--
--
- def _urllib3_request_context(
-     request: "PreparedRequest",
-     verify: "bool | str | None",
-@@ -121,8 +90,6 @@ def _urllib3_request_context(
-     cert_loc = None
-     if verify is False:
-         cert_reqs = "CERT_NONE"
--    elif _should_use_default_context(verify, client_cert, poolmanager_kwargs):
--        pool_kwargs["ssl_context"] = _preloaded_ssl_context
-     elif verify is True:
-         # Set default ca cert location if none provided
-         cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
-@@ -332,24 +299,27 @@ class HTTPAdapter(BaseAdapter):
-         :param cert: The SSL certificate to verify.
-         """
-         if url.lower().startswith("https") and verify:
--            conn.cert_reqs = "CERT_REQUIRED"
-+            cert_loc = None
- 
--            # Only load the CA certificates if `verify` is a
--            # string indicating the CA bundle to use.
-+            # Allow self-specified cert location.
-             if verify is not True:
--                # `verify` must be a str with a path then
-                 cert_loc = verify
- 
--                if not os.path.exists(cert_loc):
--                    raise OSError(
--                        f"Could not find a suitable TLS CA certificate bundle, "
--                        f"invalid path: {cert_loc}"
--                    )
--
--                if not os.path.isdir(cert_loc):
--                    conn.ca_certs = cert_loc
--                else:
--                    conn.ca_cert_dir = cert_loc
-+            if not cert_loc:
-+                cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
-+
-+            if not cert_loc or not os.path.exists(cert_loc):
-+                raise OSError(
-+                    f"Could not find a suitable TLS CA certificate bundle, "
-+                    f"invalid path: {cert_loc}"
-+                )
-+
-+            conn.cert_reqs = "CERT_REQUIRED"
-+
-+            if not os.path.isdir(cert_loc):
-+                conn.ca_certs = cert_loc
-+            else:
-+                conn.ca_cert_dir = cert_loc
-         else:
-             conn.cert_reqs = "CERT_NONE"
-             conn.ca_certs = None