Bump from 46.0.7 to the current 48.0.0 release. Notable upstream
changes since 46.0.7:
- 48.0.0 drops Python 3.8 support (requires 3.9+); raises
Py_LIMITED_API floor to 0x030900f0.
- Adds ML-KEM / ML-DSA post-quantum primitives via OpenSSL 3.5.0+
(in addition to existing AWS-LC / BoringSSL paths).
- BACKWARDS INCOMPATIBLE: stricter X.509 CRL signature-algorithm
matching (mismatched inner/outer algs now raise ValueError at parse
time).
- Drops 32-bit Windows wheels and ships macOS only on arm64.
Replace the old downstream cross-compile fix with a backport of the
upstream-merged version from pyca/cryptography PR #14904
(commit 5d072cb2a685, scheduled for the release after 48.0.0).
Release notes:
https://cryptography.io/en/latest/changelog/#v48-0-0
Fixes: https://github.com/openwrt/packages/issues/29521
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Update package to 46.0.7.
Security fix:
- CVE-2026-39892: Non-contiguous buffers could be passed to Python buffer
APIs potentially causing a buffer overflow -- now blocked
Wheels recompiled against OpenSSL 3.5.6 on Windows, macOS, and Linux.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Starting with 46.x, cryptography switched its build backend from
setuptools-rust to maturin. Update PKG_BUILD_DEPENDS accordingly:
replace python-setuptools-rust/host with python-maturin/host and
python-setuptools/host (setuptools is still required by cffi).
Drop 001-Update-ouroboros.patch: the ouroboros crate is no longer a
dependency in 46.x, so the patch (which bumped it from 0.15 to 0.18
to fix RUSTSEC-2023-0042) no longer applies.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
As we're seeing in various test.sh scrip runs, importing 'email' fails
with not finding 'urllib' and vice-versa.
Then via a7e96ec91 ("python3-email: add python3-urllib as dependency")
I created a circular dependency.
So, might as well merge the two packages into one (named python3-urllib)
and updates all dependencies to pull python3-urllib.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
slide-switch is my software, I choose to continue to be sole maintainer.
(This was also the case in #28429.)
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
41.0.6 included a fix for CVE-2023-49083 (loading certificates from a
PKCS#7 bundle could lead to a null-pointer-dereference and segfault).
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This includes a patch to update the version of ouroboros (Rust crate)
used, to fix RUSTSEC-2023-0042[1]. Upstream has switch from ouroboros to
self_cell so this patch should only be necessary for cryptography 41.
[1]: https://rustsec.org/advisories/RUSTSEC-2023-0042.html
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
The host build replaces the use of the host pip requirements file. This
also updates the dependants of cffi to depend on the host build.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
There's been a bit of overlapping opinions on some of these packages.
The best thing to do here is to reduce ownership and relinquish my
control.
This patch does that.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Dropped patches:
0004-Replace-EVP_CIPHER_CTX_cleanup-with-EVP_CIPHER_CTX_r.patch
0005-Switch-get_-Update-APIs-to-get0.patch
Reworked patches:
0001-Add-new-ASN1_STRING_get0_data-API.patch
0006-Add-X509_STORE_CTX_trusted_stack-compatibility-macro.patch
These 2 require that we keep only the CUSTOMIZATIONS stuff for now. Maybe
later we can drop this.
Ran 'make package/python-cryptography/refresh'.
Added patch:
0004-disable-rust.patch
upstream did a sloppy job with the CRYPTOGRAPHY_DONT_BUILD_RUST logic; we
need to patch it, to make sure the setuptools-rust isn't installed.
We may need to carry this patch in our tree for a bit longer than upstream,
because in newer versions, CRYPTOGRAPHY_DONT_BUILD_RUST logic gets removed.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
This also removes PKG_BUILD_PARALLEL:=0 that was added for packages that
use HOST_PYTHON3_PACKAGE_BUILD_DEPENDS.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
In hash-checking mode[1], pip will verify downloaded package archives
(source tarballs in our case) against known SHA256 hashes before
installing the packages.
As a consequence, this requires the use of requirements files[2] and
pinning packages to known versions.
The syntax for package Makefiles has changed slightly;
HOST_PYTHON3_PACKAGE_BUILD_DEPENDS no longer accepts requirement
specifiers like "foo>=1.0", only requirements file names (which are the
same as package names in the most common case).
This also updates affected packages, in particular:
* python-zipp: "setuptools_scm[toml]" has been split into
"setuptools-scm toml" to reuse the requirements file for
setuptools-scm (the extra depends installed by "setuptools_scm[toml]"
is toml).
* python-pycparser: This previously used ply 3.10, whereas the
requirements file will now install 3.11.
[1]: https://pip.pypa.io/en/stable/reference/pip_install/#hash-checking-mode
[2]: https://pip.pypa.io/en/stable/user_guide/#requirements-files
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Also:
* Remove patches that are included in the update
* Replace the python3 dependency with a smaller list (python3-urllib is
needed because it is a dependency of python3-email)
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This adds PKG_BUILD_PARALLEL:=0 to packages that depend on host Python
packages (HOST_PYTHON3_PACKAGE_BUILD_DEPENDS), because installing
packages with multiple concurrent pip processes can lead to errors or
unexpected results[1].
This also:
* Move HOST_PYTHON3_PACKAGE_BUILD_DEPENDS definitions to before
python3-package.mk is included
* Update Python folder readme to include PKG_BUILD_PARALLEL:=0
[1]: https://github.com/pypa/pip/issues/2361
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This removes:
* Python 3 variants (VARIANT:=python3)
* "for Python3" from package titles
* Package selection condition from package dependencies, e.g.
+PACKAGE_python3-six:python3-light replaced with +python3-light
* "Default" package information sections, e.g.
Package/python-six/Default removed and package details merged into
Package/python3-six
* "(Variant for Python3)" from package descriptions
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Since cffi is installed by HOST_PYTHON3_PACKAGE_BUILD_DEPENDS, it
shouldn't be necessary to clear setup_requirements anymore.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This updates all Python packages that download their source from PyPi to
use pypi.mk.
This will allow future improvements/changes to pypi.mk to affect all
relevant packages.
This also makes it easier for future Python packages to start using
pypi.mk, when it's clear how it is used in existing packages.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Upstream backport. It seems the holdup is on python-twisted.
Without this, it fails with
SSL_get0_next_proto_negotiated: symbol not found
Signed-off-by: Rosen Penev <rosenp@gmail.com>
python-cryptography's build depends (host cffi, libffi) were transferred
to python-cffi at some point; this corrects the situation.
python-cryptography's host Python build depends is copied from its
setup.py[1].
[1]: https://github.com/pyca/cryptography/blob/2.6.1/setup.py#L47
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Version 2.6 includes OpenSSL no-engine support.
This also removes python-idna as a dependency. idna became optional with
version 2.5 (https://cryptography.io/en/latest/changelog/#v2-5).
This also updates the package title field and updates both Python 2 and
3 versions to use the same field.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This guarantees for the package feeds that
the mk files will always be available for all packages.
Will need to see about external-feed Python packages
a bit later.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
I admit this may be be a bit aggressive, but the lang
folder is getting cluttered/filled up with Python, PHP, Perl,
Ruby, etc. packages.
Makes sense to try to group them into per-lang folders.
I took the Pythons.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Alexandru Ardelean