These patches address issues:
CVE-2019-16056: email.utils.parseaddr mistakenly parse an email
CVE-2019-16935: A reflected XSS in python/Lib/DocXMLRPCServer.py (for
Python 2.7)
CVE-2019-16935 was fixed for python3 in #10109
Links to Python issues:
https://bugs.python.org/issue34155https://bugs.python.org/issue38243
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
- Remove PKG_BUILD_DEPENDS as it is no longer necessary.
- The Python3 is already included in DEPENDS.
- Remove PKG_BUILD_DIR and PKG_UNPACK was for dual Python version.
- Change TITLE and description
- Add source package
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
And splitting the gunicorn[3] binary/executable away from the
python[3]-gunicorn libraries. This was inspired from Debian packaging.
The gunicorn[3] binaries require the new `python[3]-pkg-resources`
libraries to run, which add ~1.1 MB on the [ram]disk when uncompressed.
For the Python2 variant, the `_gaiohttp.py` is dropped as it fails to
compile, so it would likely be unusable anyway:
```
File "/usr/lib/python2.7/site-packages/gunicorn/workers/_gaiohttp.py", line 84
yield from self.wsgi.close()
^
SyntaxError: invalid syntax
```
People around the web recommend this as well:
https://stackoverflow.com/questions/25611140/syntax-error-installing-gunicornhttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803170https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803202
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Some packages just install some Python binaries, that may need their
shebang fixed.
This change adds some utilities to help with that and try to centralize the
sed rules a bit.
It also removes the logic from the `python-package-install.sh` into the
`python-package[3].mk` files. This does 2 things:
1. It minimizes the need for the shell script to know the Python
version 2/3
2. Makes the logic re-usable in packages; especially if the install rules
differ a bit
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
This package is required by other packages to run some binaries via
`load_entry_point`.
So, this splits this package away from setuptools.
setuptools is pretty big, akd pkg-resources is also big, but not as big.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
As I remember this worked.
But since `set -e` is set, I am a bit paranoid about it. In the sense that
it may fail if `ver` != 3.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Go 1.13 added a new -trimpath option to the "go build" command[1] that
removes system paths from compiled executables. This replaces the
previous -trimpath flags.
There are still system paths in the compiled executable (for crti.o and
crtn.o, when cross-compiling); these appear to be stripped during the
packaging process.
[1]: https://golang.org/doc/go1.13#trimpath
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
The CONTRIBUTING.md requests an (or multiple) SPDX identifier for GPL
licenses. But a lot of packages did use a different, non-SPDX style with a
"+" at the end instead of "-or-later".
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Alexandru Ardelean
Rosen Penev
Jeffery To
Stefaan Ghysels
Josef Schlehofer
Alexander Ryzhov
Richard Yu
Jan Pavlinec
Eneas U de Queiroz
Karel Kočí
Michael Heimpold
Sven Eckelmann