Commit Graph

5322 Commits

Author SHA1 Message Date
Alexandru Ardelean d1e90df7ce python-marshmallow: fix missing host-build dependencies
When python3 -m build is invoked during host-compile, it fails with:

  /builder/staging_dir/hostpkg/bin/python3.14: No module named build

The package's HOST_BUILD_DEPENDS only pulled in python3 and
python-packaging, missing the actual host tooling for the new
pyproject build flow:

  - python-build      : provides the 'build' module itself
  - python-installer  : installs the resulting wheel
  - python-wheel      : wheel format support
  - python-flit-core  : marshmallow's declared build-backend
                        (build-backend = "flit_core.buildapi" in
                        pyproject.toml)

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-27 15:18:29 +03:00
Alexandru Ardelean e74e7138fb python-argcomplete: add test-version.sh for CI
The three CLI helpers shipped by python3-argcomplete
(activate-global-python-argcomplete, register-python-argcomplete,
python-argcomplete-check-easy-install-script) don't accept a --version
flag and emit no PKG_VERSION string in their usage output. With all
three executables missing the version, the generic CI test stage
fails with "No executables in the package provided version 3.6.3".

Add a test-version.sh that emits a line containing PKG_VERSION so the
framework's "Version check override" passes. The existing test.sh
already exercises the Python module import.

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-25 18:47:13 +03:00
Alexandru Ardelean 24f5b1039c python-pymysql: update to 1.1.3
Security fix:
- Fix Cursor.callproc() to escape procedure name, preventing SQL injection
  when calling a procedure with a string received from an untrusted source
- NOTICE: Backward compatibility change - procedure names like
  "dbname.funcname" are now backtick-quoted: ``CALL \`dbname.funcname\` ``

Other changes:
- CI: use ubuntu-slim, add dependabot for GitHub Actions
- Bump GitHub Actions (checkout v4→v6, setup-python v5→v6, codecov v5→v6)
- Add publish.yml workflow (copied from psf/requests)
- Upgrade dependencies: cryptography>=46.0.7, PyNaCl>=1.6.2
- Drop Python 3.8, require Python 3.9+

Changelog:
https://github.com/PyMySQL/PyMySQL/releases/tag/v1.1.3

NOTE: added test.sh for basic validation.

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-25 18:47:13 +03:00
Alexandru Ardelean 29cbf98edb python-pipx: update to 1.12.0
New features (pipx 1.12.0):
- Add --fetch-python / PIPX_FETCH_PYTHON env var (always|missing|never)
  to control standalone Python interpreter downloads
- Add opt-in "uv" backend: pipx can now use "uv venv" and "uv pip" for
  managing virtual environments
  * When "uv" is on PATH, defaults to using uv for NEW venvs
  * Existing venvs keep their recorded backend (pip or uv)
  * Set PIPX_DEFAULT_BACKEND=pip to force pip even with uv available
  * pipx install pip always uses the pip backend (uv venvs have no pip)

Deprecations:
- --fetch-missing-python and PIPX_FETCH_MISSING_PYTHON deprecated;
  use --fetch-python=missing or PIPX_FETCH_PYTHON=missing instead

Changelog:
https://github.com/pypa/pipx/releases/tag/1.12.0

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-25 18:47:13 +03:00
Alexandru Ardelean 9e8593874a python-requests: update to 2.34.2
Fixes:
- Moved "headers" input type back to Mapping to avoid invariance issues
  with MutableMapping and inferred dict types.
  Users calling Request.headers.update() may need to narrow typing in code
  (Closes #7441).

Security:
- CVE-2026-25645: Fixed extract_zipped_paths to extract contents to
  a non-deterministic temp directory, to prevent malicious file replacement.
  Does not affect default usage of Requests, only apps calling this utility
  directly.

Changelog:
https://github.com/psf/requests/releases/tag/v2.34.2

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-25 18:47:13 +03:00
Alexandru Ardelean 594e2ee638 python-click: update to 8.3.3
Fixes (click 8.3.3):
- Fix help strings for "help_option_names" that do not contain "-"
- Help string generation now properly handles option names with dashes

Changelog:
https://github.com/pallets/click/releases

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-25 18:47:13 +03:00
George Sapkin 6a20260a1f treewide: fix typos in version check overrides
Fix shellcheck shell configuration in version check overrides.

Signed-off-by: George Sapkin <george@sapk.in>
2026-05-25 08:02:47 +03:00
Alexandru Ardelean c5af5e02fb erlang: fix PKG_CPE_ID escaping for apk ADB format
apk's ADB binary package format rejects both the backslash-escape and
the percent-encoding variants of the previous CPE id:

  cpe:/a:erlang:erlang\/otp     ERROR: info field 'tags' has invalid value
  cpe:/a:erlang:erlang%2Fotp    ERROR: info field 'tags' has invalid value

apk's tag value parser only accepts a restricted alphabet for ADB
package format and neither '\' nor '%' make the cut. The result is
that the package never produces an .apk.

Drop the '/otp' suffix entirely and use cpe:/a:erlang:erlang, which
matches the higher-level Erlang CPE entry. CVE scanners that walked
the more specific erlang\/otp entry will fall back to this one.

This effectively reverts the product portion of bfdf01496 ("lang/erlang:
fix PKG_CPE_ID"), which was correct against the NIST 2.3 string but
incompatible with apk's tag parser.

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-24 15:57:57 +03:00
Alexandru Ardelean d4d4e3e419 perl: fix miniperl missing execute permission (CI fix)
On some build systems, the miniperl binary is created without execute
permission (errno 126 when running it as /bin/sh). This breaks building
the mro extension and cascades to all dependent packages.

Fix by ensuring chmod +x on miniperl after the main build step.
This matches how many other build systems handle this same issue.

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-20 20:09:52 +03:00
Jens Wagner 8c62419cd8 perl: fix dependency issues in archive, pod and test
perlbase-archive, perlbase-pod and perlbase-test
had executable utilities with missing dependencies.

Fixes: https://github.com/openwrt/packages/issues/29425
Fixes: https://github.com/openwrt/packages/issues/29426
Fixes: https://github.com/openwrt/packages/issues/29427

As discussed in PR 29463
https://github.com/openwrt/packages/pull/29463

those are either non-working or useless on OpenWrt,
therefore they have been removed.

Signed-off-by: Jens Wagner <jens@wagner2013.de>
2026-05-20 15:22:53 +02:00
Jens Wagner 95b7bf91a7 perl: fix missing line numbers in error messages
There were some type definitions missing in architecture.config,
that caused perl to return '%' instead of actual line numbers.

Fixes: https://github.com/openwrt/packages/issues/25912

Signed-off-by: Jens Wagner <jens@wagner2013.de>
2026-05-20 15:22:53 +02:00
Wei-Ting Yang c41f0fc54b python-urllib3: update to 2.7.0
Fix CVE-2026-44431 and CVE-2026-44432.

Full release notes:
https://github.com/urllib3/urllib3/releases/tag/2.7.0

- Drop 0001-relax-setuptools-scm-version-constraint.patch since
  upstream changed the setuptools-scm constraint to >=8,<11.

Signed-off-by: Wei-Ting Yang <williamatcg@gmail.com>
2026-05-19 08:49:41 +03:00
George Sapkin 1130219346 python-tabulate: add version check override
Skip version checks as none of the executables seem to report their
versions.

Signed-off-by: George Sapkin <george@sapk.in>
2026-05-17 14:35:31 +03:00
George Sapkin 31247cdbe5 python-pyserial: add version check override
Skip version checks as none of the executables seem to report their
versions.

Signed-off-by: George Sapkin <george@sapk.in>
2026-05-17 14:35:31 +03:00
George Sapkin e2ffecaab6 python-pyserial: fix host build
Fixes: ac212e0c ("python-pyserial: add hostbuild")
Signed-off-by: George Sapkin <george@sapk.in>
2026-05-17 14:35:31 +03:00
George Sapkin 9d69e4fa24 python3: add more packages to version check overrides
Add source packages and library to version check overrides.

Fixes: b5d3a38e ("python3: move version checks to override")
Signed-off-by: George Sapkin <george@sapk.in>
2026-05-17 14:35:31 +03:00
Wei-Ting Yang b63a1ebcd2 python-certifi: update to 2026.4.22
Use the latest CA bundle from Mozilla.

Signed-off-by: Wei-Ting Yang <williamatcg@gmail.com>
2026-05-17 08:59:58 +02:00
Jens Wagner 75d03ef982 perl-io-socket-ssl: update to 2.098
Changelog: https://metacpan.org/dist/IO-Socket-SSL/changes

Signed-off-by: Jens Wagner <jens@wagner2013.de>
2026-05-17 08:56:14 +02:00
George Sapkin b5d3a38e45 python3: move version checks to override
Move existing version checks into override and add explicit package checks.

Signed-off-by: George Sapkin <george@sapk.in>
2026-05-16 17:49:10 +03:00
Wei-Ting Yang d677c11d96 django: bump to version 6.0.5
Fix CVE-2026-5766, CVE-2026-35192, and CVE-2026-6907.

Full release notes:
https://docs.djangoproject.com/en/6.0/releases/6.0.5/

Signed-off-by: Wei-Ting Yang <williamatcg@gmail.com>
2026-05-16 10:58:51 +03:00
Wei-Ting Yang 586e79390b python-pytz: bump to 2026.2
Update timezone data to 2026.2 release.

Signed-off-by: Wei-Ting Yang <williamatcg@gmail.com>
2026-05-16 10:58:37 +03:00
Alexandru Ardelean dc83108af4 python-installer: bump to 1.0.1
1.0.1 fixes a false-positive path-traversal check in destinations.py:
the 1.0.0 code used Path.resolve() to validate that each installed file
stays within the --destdir, but Path.resolve() follows symlinks.
OpenWrt's staging dir and toolchain directories contain many symlinks,
so resolved paths could escape the destdir comparison and trigger:

  ValueError: Attempting to write <file> outside of the target directory

1.0.1 replaces Path.resolve() with os.path.abspath(), which normalises
the path without following symlinks, eliminating the false positive.

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-16 10:22:16 +03:00
Alexandru Ardelean 024b8ee60e perl: add test-version.sh to skip version check
perlbase-archive, perlbase-pod, and perlbase-test install Perl script
wrappers (ptar, pod2man, prove, etc.) that do not output the OpenWrt
package version string (5.40.0), causing generic version check failures
in CI.

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-14 15:39:33 +03:00
George Sapkin 021d62d58f golang: add version check override script
Only check version for the compiler package.

Signed-off-by: George Sapkin <george@sapk.in>
2026-05-14 00:24:08 +03:00
George Sapkin d9fdda8cf2 golang: add a simple compilation test
Add a simple CI compilation test to ensure that the Go toolchain is
functional.

Signed-off-by: George Sapkin <george@sapk.in>
2026-05-14 00:24:08 +03:00
George Sapkin 13dfad0879 golang: bump 1.26 to 1.26.3
Fixes: CVE-2026-27142
Fixes: CVE-2026-39836
Fixes: CVE-2026-42501
Changes: https://github.com/golang/go/issues?q=milestone%3AGo1.26.3+label%3ACherryPickApproved
Signed-off-by: George Sapkin <george@sapk.in>
2026-05-14 00:24:08 +03:00
George Sapkin 6886c135f3 python-platformio: fix host build
Fix bottle dependency.

Fixes: e15bac97 ("python-platformio: add target package")
Signed-off-by: George Sapkin <george@sapk.in>
2026-05-13 23:02:33 +03:00
George Sapkin 578b7e3dea python-wsproto: fix host build
Add missing includes.

Fixes: b12e18eb ("python-wsproto: add host package")
Signed-off-by: George Sapkin <george@sapk.in>
2026-05-13 23:02:33 +03:00
George Sapkin 288d8e8942 python-h11: fix host build
Add missing includes.

Fixes: 0a75ad1e ("python-h11: add host package")
Signed-off-by: George Sapkin <george@sapk.in>
2026-05-13 23:02:33 +03:00
George Sapkin 9a04293388 python3-bottle: fix host build
Add missing includes.

Fixes: 9ff014b4 ("python3-bottle: add host package")
Signed-off-by: George Sapkin <george@sapk.in>
2026-05-13 23:02:33 +03:00
George Sapkin 02221e455b python-protobuf: add new package
Add Protobuf Python package.

Signed-off-by: George Sapkin <george@sapk.in>
2026-05-13 20:57:12 +03:00
George Sapkin e15bac9722 python-platformio: add target package
Remove host-only build and add source package.

Adding missing ajsonrpc dependency to PlatformIO.

Link: https://github.com/search?q=repo%3Aplatformio%2Fplatformio-core%20ajsonrpc&type=code
Signed-off-by: George Sapkin <george@sapk.in>
2026-05-12 11:08:25 +03:00
George Sapkin b12e18eb00 python-wsproto: add host package
Add host package necessary for python-platformio/host.

Signed-off-by: George Sapkin <george@sapk.in>
2026-05-12 11:08:25 +03:00
George Sapkin 072fde3b5e python-uvicorn: add new package
Uvicorn is an ASGI web server implementation for Python.

Signed-off-by: George Sapkin <george@sapk.in>
2026-05-12 11:08:25 +03:00
George Sapkin 54d7e96030 python-starlette: add new package
Starlette is a lightweight ASGI framework/toolkit, which is ideal for
building async web services in Python.

Signed-off-by: George Sapkin <george@sapk.in>
2026-05-12 11:08:25 +03:00
George Sapkin aeef8245ad python-semantic-version: add target package
Remove host-only build.

Signed-off-by: George Sapkin <george@sapk.in>
2026-05-12 11:08:25 +03:00
George Sapkin 92e9b7e5eb python-marshmallow: add new package
A lightweight library for converting complex datatypes to and from native
Python datatypes.

Signed-off-by: George Sapkin <george@sapk.in>
2026-05-12 11:08:25 +03:00
George Sapkin 0a75ad1e22 python-h11: add host package
Add host package necessary for python-uvicorn/host.

Signed-off-by: George Sapkin <george@sapk.in>
2026-05-12 11:08:25 +03:00
George Sapkin 9ff014b4fa python3-bottle: add host package
Add host package necessary for python-platformio/host.

Signed-off-by: George Sapkin <george@sapk.in>
2026-05-12 11:08:25 +03:00
George Sapkin 71be202c45 python-anyio: add new package
High-level concurrency and networking framework on top of asyncio or Trio.

Signed-off-by: George Sapkin <george@sapk.in>
2026-05-12 11:08:25 +03:00
George Sapkin d43869fbbc python-ajsonrpc: add new package
Lightweight JSON-RPC 2.0 protocol implementation and asynchronous server
powered by asyncio. This library is a successor of json-rpc and written
by the same team.

Signed-off-by: George Sapkin <george@sapk.in>
2026-05-12 11:08:25 +03:00
Alexandru Ardelean d414c51b58 micropython-lib: update to 1.28.0, add test.sh
micropython-lib is a companion repository to micropython, versioned in
lockstep. Both are now at 1.28.0 (released 2026-04-06).

The 001-build-unix-ffi.patch remains needed as the upstream has not yet
incorporated the --unix-ffi argument into the tools/build.py script.

test.sh:
- micropython-lib: verify stdlib-replacement modules (collections,
  functools, base64) can be imported via the /usr/lib/micropython path
- micropython-lib-unix: verify the micropython-unix wrapper script exists
  and that sqlite3/select are importable via the unix-ffi path

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-11 14:58:59 +03:00
Alexandru Ardelean cf71b42c4b micropython: update to 1.28.0
Changes since 1.27.0:
- New machine.CAN class with bindings for the stm32 port; support across
  all ports to follow
- machine.PWM support added to stm32 and alif ports, completing coverage
  of all Tier 1/2 MCU-based ports
- Template strings (t-strings, PEP 750) added at the "full feature" level
- weakref module added with weakref.ref and weakref.finalize classes
- f-strings now support nested f-strings within expressions
- Optimisations to native emitter; new RISC-V Zcmp arch flag for RV32
- extmod.mk: add extmod/machine_can.c (shifts the mbedtls hunk by 1 line;
  update 040-extmod-use-external-mbedtls.patch accordingly)

micropython-lib is updated in lockstep in a separate commit.

Ref: https://github.com/micropython/micropython/releases/tag/v1.28.0
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-11 14:58:59 +03:00
Jianhui Zhao 9f5146f678 lua-eco: update to 4.0.0
changelog: https://github.com/zhaojh329/lua-eco/releases/tag/v4.0.0

Signed-off-by: Jianhui Zhao <zhaojh329@gmail.com>
2026-05-11 14:39:57 +03:00
Josef Schlehofer 5120ed91b8 flup: remove the package
Flup was heavily used in downstream distribution (Turris OS)
for their Web UI - reForis. Since there are no other
dependent packages in this repository, Flup is no longer needed.

The package appears to be abandoned and is no longer maintained.
The latest version dates back to 2009.

It was previously required for Seafile.

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2026-05-10 11:33:52 +03:00
Alexandru Ardelean 21df5ff4b5 erlang: update to 28.5
Upstream release 28.5 (2026-04-23), patch release for OTP 28.

Applications updated:
- erl_interface-5.7: new --{enable,disable}-use-embedded-3pp-alternatives
  configure option; allows using system zstd, zlib, ryu, openssl, tcl
  instead of bundled copies (default: zlib uses OS version if available)
- erts-16.4: fixed bug in enif_make_map_from_arrays for arrays with >= 33
  keys (duplicates could produce broken maps); fixed Unicode handling in
  erl.exe args_file on Windows
- mnesia-4.25.3: bug fixes
- ssl-11.6: bug fixes

Highlight: new "Secure Coding Guidelines" document added to Design
Principles describing how to write secure Erlang code.

Reference: https://github.com/erlang/otp/releases/tag/OTP-28.5

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-10 11:31:30 +03:00
Yanase Yuki b0d8a3d384 treewide: cleanup URLs
This commit converts plain HTTP URLs to HTTPS, and updates
old or outdated URLs.

Signed-off-by: Yanase Yuki <dev@zpc.st>
2026-05-08 22:28:27 +02:00
Jianhui Zhao 5e70ed855f lua-ffi: update to 1.2.0
changelog: https://github.com/zhaojh329/lua-ffi/releases/tag/v1.2.0

Signed-off-by: Jianhui Zhao <zhaojh329@gmail.com>
2026-05-07 18:36:34 +03:00
Alexandru Ardelean a3d2536eb0 lua-openssl: fix Lua detection with CMake 4.3
FindLuaJIT.cmake uses NO_DEFAULT_PATH and only searches hardcoded
luajit-specific paths, so it never finds regular Lua. However if
LUAJIT_INCLUDE_DIRS and LUAJIT_LIBRARY are pre-set in the CMake
cache, find_path/find_library skip their searches, the module sets
LUAJIT_FOUND=ON and also sets LUA_INCLUDE_DIR/LUA_LIBRARIES from
those values, and the if(NOT LUAJIT_FOUND) guard skips the broken
find_package(Lua REQUIRED) call that fails under CMake 4.3.

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-04 19:26:53 +03:00
Alexandru Ardelean badbdbef9f python-semanage: update to 3.10
Changes in 3.10:
- improve semanage man pages: add examples for -r RANGE flag usage
- semanage: reset active value when deleting boolean customizations
- various libsemanage/libsepol bug fixes and security hardening

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-01 21:01:30 +03:00