dev-lang/python: Backport secfixes to 3.10.8_p1

Signed-off-by: Michał Górny <mgorny@gentoo.org>

2 files changed, 460 insertions, 0 deletions

diff --git a/dev-lang/python/Manifest b/dev-lang/python/Manifest
index efffbd8b6ce7..0f951ac638d9 100644
--- a/dev-lang/python/Manifest
+++ b/dev-lang/python/Manifest
@@ -14,6 +14,7 @@ DIST Python-3.9.15.tar.xz 19712208 BLAKE2B a8490c998c89ed4e3e87ef48e3b5d622e5d06
 DIST Python-3.9.15.tar.xz.asc 833 BLAKE2B c325fb52fae254153456c24c1039b07c9ccf8734df3665640215d35219ccacb705f99d94c9f8b644d15d4ea4612f5ac0da599814f68f7d3b6fc1fdc175db9002 SHA512 722625091731536757b9db447590c31620665133d45076367a3281f2ee3add23a781b10ce5cea582d65caabb18814583c1a347689d2b396214e36a6771182f38
 DIST python-gentoo-patches-2.7.18_p15.tar.xz 34956 BLAKE2B d173f276dd9c0ce31004dcc55a0d18e9ce25a47683c2df3c4dd62e967dfbbb35be59a2f08cf20f30a19475a8a2344dd95b17400eafa88b5fdbe9270a12ccbf32 SHA512 d9386808265f978808e5c0ffd384cefe54fb0e05aeccfd394167d5227d9cd66e25c8e93c54914762b2cfc3c2dd851b26a7a84d62634c6aa8a0798aacbb7ac25f
 DIST python-gentoo-patches-3.10.8.tar.xz 10104 BLAKE2B a2e5fa956652fda1464c65ba4f648da2d77a545d53bf8d2429bce745c93e82eaea40bf6da3289f4216fe4b029b97ccf6ac0c3cfbdcc179f3c5f9e64e89cd5fe4 SHA512 e506c7fc3f6ebff340f090b462716c745f1acfa95c00a39a58367941efb356b8dcd72a3fa46d6760422733c0d6b65b79f0e8bedc77b93289c51ca4dc2ea0db2a
+DIST python-gentoo-patches-3.10.8_p1.tar.xz 12712 BLAKE2B 54370dc973fedfab4dda33a20733f483f1592fede407541b90d8389bf03f9697bf755e35a39d1d45ea99b42edaa434a0901a35b7058c73fbc4e9ca8472fce35e SHA512 093a9a532713eea68b18a0681db782cf38176f4582473e4fb45c45ce6d27f9a4a7f8fd37141ae44492283bbe9eda698c7190cfd8b4cddaf4f945124b908f3cf2
 DIST python-gentoo-patches-3.11.0.tar.xz 5404 BLAKE2B 7109040bd27e77b4a17e94d24060644ae9b42f618768beb4ae0659c65b33a943e6158ccf8724432ff0f97d7b3a86e2efb99795fbeed801723049a99d2dcc96c3 SHA512 94f3f7f3262f5c064fec4977230bbde09ca8f77e92739aa230f73ef9e1012049a2d9cefc7774a2538f732e0e7ba170214956578d64c19124bd964d4915982bb0
 DIST python-gentoo-patches-3.11.0rc2_p1.tar.xz 6292 BLAKE2B e52e0066ca3f53e2efd2d71c035849cd619d3a8cdeb9767cc28369f4b7f04ffd74419e7c02913d4b10958937dc8960fa4287862e8db627e5f421472a18efeb73 SHA512 a6ae37288e7621275b46ab1a813dfbbbf24ee511d644b4027e396f5cba56fccf94e19cb354468ea4c35cd86db2040b165c87c8e24cc2c9e598e91946a1f80863
 DIST python-gentoo-patches-3.12.0a1.tar.xz 4896 BLAKE2B 2c1582f37372eedd3fddae0a07db718cb9bd2ae41e1b9c5807ee400c554bb9aa928445ea8043fe8d12dc64c6d23766875b5957e10aa8414658cc9e037ad87244 SHA512 d6f6f522ee8c9c616bea4237449417f585b0dd3606307fe80e0a3f719856ea5691c90a6ea5bf8b330d71d88477a5411f66146dc2aebb697edcfa04112bad4e2c
diff --git a/dev-lang/python/python-3.10.8_p1.ebuild b/dev-lang/python/python-3.10.8_p1.ebuild
new file mode 100644
index 000000000000..953092a9ee96
--- /dev/null
+++ b/dev-lang/python/python-3.10.8_p1.ebuild
@@ -0,0 +1,459 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+WANT_LIBTOOL="none"
+
+inherit autotools check-reqs flag-o-matic multiprocessing pax-utils
+inherit python-utils-r1 toolchain-funcs verify-sig
+
+MY_PV=${PV/_rc/rc}
+MY_P="Python-${MY_PV%_p*}"
+PYVER=$(ver_cut 1-2)
+PATCHSET="python-gentoo-patches-${MY_PV}"
+
+DESCRIPTION="An interpreted, interactive, object-oriented programming language"
+HOMEPAGE="
+	https://www.python.org/
+	https://github.com/python/cpython/
+"
+SRC_URI="
+	https://www.python.org/ftp/python/${PV%%_*}/${MY_P}.tar.xz
+	https://dev.gentoo.org/~mgorny/dist/python/${PATCHSET}.tar.xz
+	verify-sig? (
+		https://www.python.org/ftp/python/${PV%%_*}/${MY_P}.tar.xz.asc
+	)
+"
+S="${WORKDIR}/${MY_P}"
+
+LICENSE="PSF-2"
+SLOT="${PYVER}"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+IUSE="
+	bluetooth build +ensurepip examples gdbm hardened libedit lto
+	+ncurses pgo +readline +sqlite +ssl test tk +xml
+"
+RESTRICT="!test? ( test )"
+
+# Do not add a dependency on dev-lang/python to this ebuild.
+# If you need to apply a patch which requires python for bootstrapping, please
+# run the bootstrap code on your dev box and include the results in the
+# patchset. See bug 447752.
+
+RDEPEND="
+	app-arch/bzip2:=
+	app-arch/xz-utils:=
+	dev-lang/python-exec[python_targets_python3_10(-)]
+	dev-libs/libffi:=
+	sys-apps/util-linux:=
+	>=sys-libs/zlib-1.1.3:=
+	virtual/libcrypt:=
+	virtual/libintl
+	ensurepip? ( dev-python/ensurepip-wheels )
+	gdbm? ( sys-libs/gdbm:=[berkdb] )
+	ncurses? ( >=sys-libs/ncurses-5.2:= )
+	readline? (
+		!libedit? ( >=sys-libs/readline-4.1:= )
+		libedit? ( dev-libs/libedit:= )
+	)
+	sqlite? ( >=dev-db/sqlite-3.3.8:3= )
+	ssl? ( >=dev-libs/openssl-1.1.1:= )
+	tk? (
+		>=dev-lang/tcl-8.0:=
+		>=dev-lang/tk-8.0:=
+		dev-tcltk/blt:=
+		dev-tcltk/tix
+	)
+	xml? ( >=dev-libs/expat-2.1:= )
+	!!<sys-apps/sandbox-2.21
+"
+# bluetooth requires headers from bluez
+DEPEND="
+	${RDEPEND}
+	bluetooth? ( net-wireless/bluez )
+	test? ( app-arch/xz-utils[extra-filters(+)] )
+"
+# autoconf-archive needed to eautoreconf
+BDEPEND="
+	sys-devel/autoconf-archive
+	virtual/awk
+	virtual/pkgconfig
+	verify-sig? ( sec-keys/openpgp-keys-python )
+"
+RDEPEND+="
+	!build? ( app-misc/mime-types )
+"
+
+VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/python.org.asc
+
+# large file tests involve a 2.5G file being copied (duplicated)
+CHECKREQS_DISK_BUILD=5500M
+
+QA_PKGCONFIG_VERSION=${PYVER}
+
+pkg_pretend() {
+	use test && check-reqs_pkg_pretend
+}
+
+pkg_setup() {
+	use test && check-reqs_pkg_setup
+}
+
+src_unpack() {
+	if use verify-sig; then
+		verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.xz{,.asc}
+	fi
+	default
+}
+
+src_prepare() {
+	# Ensure that internal copies of expat and libffi are not used.
+	rm -r Modules/expat || die
+	rm -r Modules/_ctypes/libffi* || die
+
+	local PATCHES=(
+		"${WORKDIR}/${PATCHSET}"
+	)
+
+	default
+
+	# https://bugs.gentoo.org/850151
+	sed -i -e "s:@@GENTOO_LIBDIR@@:$(get_libdir):g" setup.py || die
+
+	# force the correct number of jobs
+	# https://bugs.gentoo.org/737660
+	local jobs=$(makeopts_jobs)
+	sed -i -e "s:-j0:-j${jobs}:" Makefile.pre.in || die
+	sed -i -e "/self\.parallel/s:True:${jobs}:" setup.py || die
+
+	eautoreconf
+}
+
+src_configure() {
+	# disable automagic bluetooth headers detection
+	if ! use bluetooth; then
+		local -x ac_cv_header_bluetooth_bluetooth_h=no
+	fi
+	local disable
+	use gdbm      || disable+=" gdbm"
+	use ncurses   || disable+=" _curses _curses_panel"
+	use readline  || disable+=" readline"
+	use sqlite    || disable+=" _sqlite3"
+	use ssl       || export PYTHON_DISABLE_SSL="1"
+	use tk        || disable+=" _tkinter"
+	use xml       || disable+=" _elementtree pyexpat" # _elementtree uses pyexpat.
+	export PYTHON_DISABLE_MODULES="${disable}"
+
+	if ! use xml; then
+		ewarn "You have configured Python without XML support."
+		ewarn "This is NOT a recommended configuration as you"
+		ewarn "may face problems parsing any XML documents."
+	fi
+
+	if [[ -n "${PYTHON_DISABLE_MODULES}" ]]; then
+		einfo "Disabled modules: ${PYTHON_DISABLE_MODULES}"
+	fi
+
+	append-flags -fwrapv
+	filter-flags -malign-double
+
+	# https://bugs.gentoo.org/700012
+	if is-flagq -flto || is-flagq '-flto=*'; then
+		append-cflags $(test-flags-CC -ffat-lto-objects)
+	fi
+
+	# Export CXX so it ends up in /usr/lib/python3.X/config/Makefile.
+	# PKG_CONFIG needed for cross.
+	tc-export CXX PKG_CONFIG
+
+	# Fix implicit declarations on cross and prefix builds. Bug #674070.
+	if use ncurses; then
+		append-cppflags -I"${ESYSROOT}"/usr/include/ncursesw
+	fi
+
+	local dbmliborder=
+	if use gdbm; then
+		dbmliborder+="${dbmliborder:+:}gdbm"
+	fi
+
+	if use pgo; then
+		local profile_task_flags=(
+			-m test
+			"-j$(makeopts_jobs)"
+			--pgo-extended
+			-x test_gdb
+			-u-network
+
+			# All of these seem to occasionally hang for PGO inconsistently
+			# They'll even hang here but be fine in src_test sometimes.
+			# bug #828535 (and related: bug #788022)
+			-x test_asyncio
+			-x test_httpservers
+			-x test_logging
+			-x test_multiprocessing_fork
+			-x test_socket
+			-x test_xmlrpc
+		)
+
+		if has_version "app-arch/rpm" ; then
+			# Avoid sandbox failure (attempts to write to /var/lib/rpm)
+			profile_task_flags+=(
+				-x test_distutils
+			)
+		fi
+		local -x PROFILE_TASK="${profile_task_flags[*]}"
+	fi
+
+	local myeconfargs=(
+		# glibc-2.30 removes it; since we can't cleanly force-rebuild
+		# Python on glibc upgrade, remove it proactively to give
+		# a chance for users rebuilding python before glibc
+		ac_cv_header_stropts_h=no
+
+		--enable-shared
+		--without-static-libpython
+		--enable-ipv6
+		--infodir='${prefix}/share/info'
+		--mandir='${prefix}/share/man'
+		--with-computed-gotos
+		--with-dbmliborder="${dbmliborder}"
+		--with-libc=
+		--enable-loadable-sqlite-extensions
+		--without-ensurepip
+		--with-system-expat
+		--with-system-ffi
+		--with-wheel-pkg-dir="${EPREFIX}"/usr/lib/python/ensurepip
+
+		$(use_with lto)
+		$(use_enable pgo optimizations)
+		$(use_with readline readline "$(usex libedit editline readline)")
+	)
+
+	# disable implicit optimization/debugging flags
+	local -x OPT=
+
+	if tc-is-cross-compiler ; then
+		# pass system CFLAGS & LDFLAGS as _NODIST, otherwise they'll get
+		# propagated to sysconfig for built extensions
+		local -x CFLAGS_NODIST=${CFLAGS_FOR_BUILD}
+		local -x LDFLAGS_NODIST=${LDFLAGS_FOR_BUILD}
+		local -x CFLAGS= LDFLAGS=
+
+		# We need to build our own Python on CBUILD first, and feed it in.
+		# bug #847910 and bug #864911.
+		local myeconfargs_cbuild=(
+			"${myeconfargs[@]}"
+
+			# As minimal as possible for the mini CBUILD Python
+			# we build just for cross.
+			--without-lto
+			--disable-optimizations
+		)
+
+		# Point the imminent CHOST build to the Python we just
+		# built for CBUILD.
+		export PATH="${WORKDIR}/${P}-${CBUILD}:${PATH}"
+
+		mkdir "${WORKDIR}"/${P}-${CBUILD} || die
+		pushd "${WORKDIR}"/${P}-${CBUILD} &> /dev/null || die
+		ECONF_SOURCE="${S}" econf_build "${myeconfargs_cbuild[@]}"
+
+		# Avoid as many dependencies as possible for the cross build.
+		cat >> Makefile <<-EOF || die
+			MODULE_NIS=disabled
+			MODULE__DBM=disabled
+			MODULE__GDBM=disabled
+			MODULE__DBM=disabled
+			MODULE__SQLITE3=disabled
+			MODULE__HASHLIB=disabled
+			MODULE__SSL=disabled
+			MODULE__CURSES=disabled
+			MODULE__CURSES_PANEL=disabled
+			MODULE_READLINE=disabled
+			MODULE__TKINTER=disabled
+			MODULE_PYEXPAT=disabled
+			MODULE_ZLIB=disabled
+		EOF
+
+		# Unfortunately, we do have to build this immediately, and
+		# not in src_compile, because CHOST configure for Python
+		# will check the existence of the Python it was pointed to
+		# immediately.
+		emake
+		popd &> /dev/null || die
+	fi
+
+	# pass system CFLAGS & LDFLAGS as _NODIST, otherwise they'll get
+	# propagated to sysconfig for built extensions
+	local -x CFLAGS_NODIST=${CFLAGS}
+	local -x LDFLAGS_NODIST=${LDFLAGS}
+	local -x CFLAGS= LDFLAGS=
+
+	econf "${myeconfargs[@]}"
+
+	if grep -q "#define POSIX_SEMAPHORES_NOT_ENABLED 1" pyconfig.h; then
+		eerror "configure has detected that the sem_open function is broken."
+		eerror "Please ensure that /dev/shm is mounted as a tmpfs with mode 1777."
+		die "Broken sem_open function (bug 496328)"
+	fi
+
+	# install epython.py as part of stdlib
+	echo "EPYTHON='python${PYVER}'" > Lib/epython.py || die
+}
+
+src_compile() {
+	# Ensure sed works as expected
+	# https://bugs.gentoo.org/594768
+	local -x LC_ALL=C
+	# Prevent using distutils bundled by setuptools.
+	# https://bugs.gentoo.org/823728
+	export SETUPTOOLS_USE_DISTUTILS=stdlib
+
+	# Save PYTHONDONTWRITEBYTECODE so that 'has_version' doesn't
+	# end up writing bytecode & violating sandbox.
+	# bug #831897
+	local -x _PYTHONDONTWRITEBYTECODE=${PYTHONDONTWRITEBYTECODE}
+
+	if use pgo ; then
+		# bug 660358
+		local -x COLUMNS=80
+		local -x PYTHONDONTWRITEBYTECODE=
+
+		addpredict /usr/lib/python3.10/site-packages
+	fi
+
+	# also need to clear the flags explicitly here or they end up
+	# in _sysconfigdata*
+	emake CPPFLAGS= CFLAGS= LDFLAGS=
+
+	# Restore saved value from above.
+	local -x PYTHONDONTWRITEBYTECODE=${_PYTHONDONTWRITEBYTECODE}
+
+	# Work around bug 329499. See also bug 413751 and 457194.
+	if has_version dev-libs/libffi[pax-kernel]; then
+		pax-mark E python
+	else
+		pax-mark m python
+	fi
+}
+
+src_test() {
+	# Tests will not work when cross compiling.
+	if tc-is-cross-compiler; then
+		elog "Disabling tests due to crosscompiling."
+		return
+	fi
+
+	local test_opts=(
+		-u-network
+		-j "$(makeopts_jobs)"
+
+		# fails
+		-x test_gdb
+	)
+
+	if use sparc ; then
+		# bug #788022
+		test_opts+=(
+			-x test_multiprocessing_fork
+			-x test_multiprocessing_forkserver
+		)
+	fi
+
+	# bug 660358
+	local -x COLUMNS=80
+	local -x PYTHONDONTWRITEBYTECODE=
+	# workaround https://bugs.gentoo.org/775416
+	addwrite /usr/lib/python3.10/site-packages
+
+	emake test EXTRATESTOPTS="${test_opts[*]}" \
+		CPPFLAGS= CFLAGS= LDFLAGS= < /dev/tty || die "emake test failed"
+}
+
+src_install() {
+	local libdir=${ED}/usr/lib/python${PYVER}
+
+	emake DESTDIR="${D}" altinstall
+
+	# Fix collisions between different slots of Python.
+	rm "${ED}/usr/$(get_libdir)/libpython3.so" || die
+
+	# Cheap hack to get version with ABIFLAGS
+	local abiver=$(cd "${ED}/usr/include"; echo python*)
+	if [[ ${abiver} != python${PYVER} ]]; then
+		# Replace python3.X with a symlink to python3.Xm
+		rm "${ED}/usr/bin/python${PYVER}" || die
+		dosym "${abiver}" "/usr/bin/python${PYVER}"
+		# Create python3.X-config symlink
+		dosym "${abiver}-config" "/usr/bin/python${PYVER}-config"
+		# Create python-3.5m.pc symlink
+		dosym "python-${PYVER}.pc" "/usr/$(get_libdir)/pkgconfig/${abiver/${PYVER}/-${PYVER}}.pc"
+	fi
+
+	# python seems to get rebuilt in src_install (bug 569908)
+	# Work around it for now.
+	if has_version dev-libs/libffi[pax-kernel]; then
+		pax-mark E "${ED}/usr/bin/${abiver}"
+	else
+		pax-mark m "${ED}/usr/bin/${abiver}"
+	fi
+
+	rm -r "${libdir}"/ensurepip/_bundled || die
+	if ! use ensurepip; then
+		rm -r "${libdir}"/ensurepip || die
+	fi
+	if ! use sqlite; then
+		rm -r "${libdir}/"{sqlite3,test/test_sqlite*} || die
+	fi
+	if ! use tk; then
+		rm -r "${ED}/usr/bin/idle${PYVER}" || die
+		rm -r "${libdir}/"{idlelib,tkinter,test/test_tk*} || die
+	fi
+
+	dodoc Misc/{ACKS,HISTORY,NEWS}
+
+	if use examples; then
+		docinto examples
+		find Tools -name __pycache__ -exec rm -fr {} + || die
+		dodoc -r Tools
+	fi
+	insinto /usr/share/gdb/auto-load/usr/$(get_libdir) #443510
+	local libname=$(
+		printf 'e:\n\t@echo $(INSTSONAME)\ninclude Makefile\n' |
+		emake --no-print-directory -s -f - 2>/dev/null
+	)
+	newins Tools/gdb/libpython.py "${libname}"-gdb.py
+
+	newconfd "${FILESDIR}/pydoc.conf" pydoc-${PYVER}
+	newinitd "${FILESDIR}/pydoc.init" pydoc-${PYVER}
+	sed \
+		-e "s:@PYDOC_PORT_VARIABLE@:PYDOC${PYVER/./_}_PORT:" \
+		-e "s:@PYDOC@:pydoc${PYVER}:" \
+		-i "${ED}/etc/conf.d/pydoc-${PYVER}" \
+		"${ED}/etc/init.d/pydoc-${PYVER}" || die "sed failed"
+
+	# python-exec wrapping support
+	local pymajor=${PYVER%.*}
+	local EPYTHON=python${PYVER}
+	local scriptdir=${D}$(python_get_scriptdir)
+	mkdir -p "${scriptdir}" || die
+	# python and pythonX
+	ln -s "../../../bin/${abiver}" "${scriptdir}/python${pymajor}" || die
+	ln -s "python${pymajor}" "${scriptdir}/python" || die
+	# python-config and pythonX-config
+	# note: we need to create a wrapper rather than symlinking it due
+	# to some random dirname(argv[0]) magic performed by python-config
+	cat > "${scriptdir}/python${pymajor}-config" <<-EOF || die
+		#!/bin/sh
+		exec "${abiver}-config" "\${@}"
+	EOF
+	chmod +x "${scriptdir}/python${pymajor}-config" || die
+	ln -s "python${pymajor}-config" "${scriptdir}/python-config" || die
+	# 2to3, pydoc
+	ln -s "../../../bin/2to3-${PYVER}" "${scriptdir}/2to3" || die
+	ln -s "../../../bin/pydoc${PYVER}" "${scriptdir}/pydoc" || die
+	# idle
+	if use tk; then
+		ln -s "../../../bin/idle${PYVER}" "${scriptdir}/idle" || die
+	fi
+}