Update to 3.10.7, with security fix for CVE-2020-10735

Resolves: rhbz#2075390

00001-rpath.patch

@@ -9,7 +9,7 @@ Subject: [PATCH] 00001: Fixup distutils/unixccompiler.py to remove standard
  1 file changed, 9 insertions(+)
 
 diff --git a/Lib/distutils/unixccompiler.py b/Lib/distutils/unixccompiler.py
-index f0792de74a..4d837936c6 100644
+index d00c48981e..0283a28c19 100644
 --- a/Lib/distutils/unixccompiler.py
 +++ b/Lib/distutils/unixccompiler.py
 @@ -82,6 +82,15 @@ class UnixCCompiler(CCompiler):

00251-change-user-install-location.patch

@@ -2,41 +2,53 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Michal Cyprian <m.cyprian@gmail.com>
 Date: Mon, 26 Jun 2017 16:32:56 +0200
 Subject: [PATCH] 00251: Change user install location
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
 
 Set values of prefix and exec_prefix in distutils install command
 to /usr/local if executable is /usr/bin/python* and RPM build
 is not detected to make pip and distutils install into separate location.
 
 Fedora Change: https://fedoraproject.org/wiki/Changes/Making_sudo_pip_safe
-Downstream only: Awaiting resources to work on upstream PEP
+Downstream only: Reworked in Fedora 36+ to follow https://bugs.python.org/issue43976
+
+pypa/distutils integration: https://github.com/pypa/distutils/pull/70
+
+Also set sysconfig._PIP_USE_SYSCONFIG = False, to force pip-upgraded-pip
+to respect this patched distutils install command.
+See https://bugzilla.redhat.com/show_bug.cgi?id=2014513
+
+Co-authored-by: Miro Hrončok <miro@hroncok.cz>
 ---
- Lib/distutils/command/install.py | 15 +++++++++++++--
+ Lib/distutils/command/install.py |  8 ++++++--
  Lib/site.py                      |  9 ++++++++-
- 2 files changed, 21 insertions(+), 3 deletions(-)
+ Lib/sysconfig.py                 | 16 ++++++++++++++++
+ 3 files changed, 30 insertions(+), 3 deletions(-)
 
 diff --git a/Lib/distutils/command/install.py b/Lib/distutils/command/install.py
-index 26696cfb9d..1826cbcb38 100644
+index 01d5331a63..79f70f0de4 100644
 --- a/Lib/distutils/command/install.py
 +++ b/Lib/distutils/command/install.py
-@@ -441,8 +441,19 @@ def finalize_unix(self):
+@@ -159,6 +159,8 @@ class install(Command):
+ 
+     negative_opt = {'no-compile' : 'compile'}
+ 
++    # Allow Fedora to add components to the prefix
++    _prefix_addition = getattr(sysconfig, '_prefix_addition', '')
+ 
+     def initialize_options(self):
+         """Initializes options."""
+@@ -441,8 +443,10 @@ def finalize_unix(self):
                      raise DistutilsOptionError(
                            "must not supply exec-prefix without prefix")
  
 -                self.prefix = os.path.normpath(sys.prefix)
 -                self.exec_prefix = os.path.normpath(sys.exec_prefix)
-+                # self.prefix is set to sys.prefix + /local/
-+                # if neither RPM build nor virtual environment is
-+                # detected to make pip and distutils install packages
-+                # into the separate location.
-+                if (not (hasattr(sys, 'real_prefix') or
-+                    sys.prefix != sys.base_prefix) and
-+                    'RPM_BUILD_ROOT' not in os.environ):
-+                    addition = "/local"
-+                else:
-+                    addition = ""
-+
-+                self.prefix = os.path.normpath(sys.prefix) + addition
-+                self.exec_prefix = os.path.normpath(sys.exec_prefix) + addition
++                self.prefix = (
++                    os.path.normpath(sys.prefix) + self._prefix_addition)
++                self.exec_prefix = (
++                    os.path.normpath(sys.exec_prefix) + self._prefix_addition)
  
              else:
                  if self.exec_prefix is None:
@@ -61,3 +73,30 @@ index 939893eb5e..d1316c3355 100644
      for sitedir in getsitepackages(prefixes):
          if os.path.isdir(sitedir):
              addsitedir(sitedir, known_paths)
+diff --git a/Lib/sysconfig.py b/Lib/sysconfig.py
+index daf9f00006..b88f9a9de0 100644
+--- a/Lib/sysconfig.py
++++ b/Lib/sysconfig.py
+@@ -58,6 +58,22 @@
+         },
+     }
+ 
++# Force pip to use distutils paths instead of sysconfig
++# https://github.com/pypa/pip/issues/10647
++_PIP_USE_SYSCONFIG = False
++
++# This is used by distutils.command.install in the stdlib
++# as well as pypa/distutils (e.g. bundled in setuptools).
++# The self.prefix value is set to sys.prefix + /local/
++# if neither RPM build nor virtual environment is
++# detected to make distutils install packages
++# into the separate location.
++# https://fedoraproject.org/wiki/Changes/Making_sudo_pip_safe
++if (not (hasattr(sys, 'real_prefix') or
++    sys.prefix != sys.base_prefix) and
++    'RPM_BUILD_ROOT' not in os.environ):
++    _prefix_addition = "/local"
++
+ 
+ # NOTE: site.py has copy of this function.
+ # Sync it when modify this function.

00328-pyc-timestamp-invalidation-mode.patch

@@ -19,7 +19,7 @@ Ideally, we should talk to upstream and explain why we don't want this
  2 files changed, 4 insertions(+), 1 deletion(-)
 
 diff --git a/Lib/py_compile.py b/Lib/py_compile.py
-index 0f9b59025c..59dc3fe50b 100644
+index 388614e51b..db52725016 100644
 --- a/Lib/py_compile.py
 +++ b/Lib/py_compile.py
 @@ -70,7 +70,8 @@ class PycInvalidationMode(enum.Enum):

00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch

@@ -0,0 +1,103 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Hrn=C4=8Diar?= <thrnciar@redhat.com>
+Date: Tue, 7 Dec 2021 14:41:59 +0100
+Subject: [PATCH] 00371: Revert "bpo-1596321: Fix threading._shutdown() for the
+ main thread (GH-28549) (GH-28589)"
+
+This reverts commit 38c67738c64304928c68d5c2bd78bbb01d979b94. It
+introduced regression causing FreeIPA's tests to fail.
+
+For more info see:
+https://bodhi.fedoraproject.org/updates/FEDORA-2021-e152ce5f31
+https://github.com/GrahamDumpleton/mod_wsgi/issues/730
+---
+ Lib/test/test_threading.py | 33 ---------------------------------
+ Lib/threading.py           | 25 ++++++++-----------------
+ 2 files changed, 8 insertions(+), 50 deletions(-)
+
+diff --git a/Lib/test/test_threading.py b/Lib/test/test_threading.py
+index c54806e594..c51de6f4b8 100644
+--- a/Lib/test/test_threading.py
++++ b/Lib/test/test_threading.py
+@@ -928,39 +928,6 @@ def test_debug_deprecation(self):
+                b'is deprecated and will be removed in Python 3.12')
+         self.assertIn(msg, err)
+ 
+-    def test_import_from_another_thread(self):
+-        # bpo-1596321: If the threading module is first import from a thread
+-        # different than the main thread, threading._shutdown() must handle
+-        # this case without logging an error at Python exit.
+-        code = textwrap.dedent('''
+-            import _thread
+-            import sys
+-
+-            event = _thread.allocate_lock()
+-            event.acquire()
+-
+-            def import_threading():
+-                import threading
+-                event.release()
+-
+-            if 'threading' in sys.modules:
+-                raise Exception('threading is already imported')
+-
+-            _thread.start_new_thread(import_threading, ())
+-
+-            # wait until the threading module is imported
+-            event.acquire()
+-            event.release()
+-
+-            if 'threading' not in sys.modules:
+-                raise Exception('threading is not imported')
+-
+-            # don't wait until the thread completes
+-        ''')
+-        rc, out, err = assert_python_ok("-c", code)
+-        self.assertEqual(out, b'')
+-        self.assertEqual(err, b'')
+-
+ 
+ class ThreadJoinOnShutdown(BaseTestCase):
+ 
+diff --git a/Lib/threading.py b/Lib/threading.py
+index 62f49c05cd..433aa11212 100644
+--- a/Lib/threading.py
++++ b/Lib/threading.py
+@@ -1530,29 +1530,20 @@ def _shutdown():
+ 
+     global _SHUTTING_DOWN
+     _SHUTTING_DOWN = True
++    # Main thread
++    tlock = _main_thread._tstate_lock
++    # The main thread isn't finished yet, so its thread state lock can't have
++    # been released.
++    assert tlock is not None
++    assert tlock.locked()
++    tlock.release()
++    _main_thread._stop()
+ 
+     # Call registered threading atexit functions before threads are joined.
+     # Order is reversed, similar to atexit.
+     for atexit_call in reversed(_threading_atexits):
+         atexit_call()
+ 
+-    # Main thread
+-    if _main_thread.ident == get_ident():
+-        tlock = _main_thread._tstate_lock
+-        # The main thread isn't finished yet, so its thread state lock can't
+-        # have been released.
+-        assert tlock is not None
+-        assert tlock.locked()
+-        tlock.release()
+-        _main_thread._stop()
+-    else:
+-        # bpo-1596321: _shutdown() must be called in the main thread.
+-        # If the threading module was not imported by the main thread,
+-        # _main_thread is the thread which imported the threading module.
+-        # In this case, ignore _main_thread, similar behavior than for threads
+-        # spawned by C libraries or using _thread.start_new_thread().
+-        pass
+-
+     # Join all non-deamon threads
+     while True:
+         with _shutdown_locks_lock:

00382-cve-2015-20107.patch

@@ -0,0 +1,150 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <encukou@gmail.com>
+Date: Fri, 3 Jun 2022 11:43:35 +0200
+Subject: [PATCH] 00382: CVE-2015-20107
+
+Make mailcap refuse to match unsafe filenames/types/params (GH-91993)
+
+Upstream: https://github.com/python/cpython/issues/68966
+
+Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
+---
+ Doc/library/mailcap.rst                       | 12 +++++++++
+ Lib/mailcap.py                                | 26 +++++++++++++++++--
+ Lib/test/test_mailcap.py                      |  8 ++++--
+ ...2-04-27-18-25-30.gh-issue-68966.gjS8zs.rst |  4 +++
+ 4 files changed, 46 insertions(+), 4 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
+
+diff --git a/Doc/library/mailcap.rst b/Doc/library/mailcap.rst
+index e2e5bb3445..2bc00195cd 100644
+--- a/Doc/library/mailcap.rst
++++ b/Doc/library/mailcap.rst
+@@ -60,6 +60,18 @@ standard.  However, mailcap files are supported on most Unix systems.
+    use) to determine whether or not the mailcap line applies.  :func:`findmatch`
+    will automatically check such conditions and skip the entry if the check fails.
+ 
++   .. versionchanged:: 3.11
++
++      To prevent security issues with shell metacharacters (symbols that have
++      special effects in a shell command line), ``findmatch`` will refuse
++      to inject ASCII characters other than alphanumerics and ``@+=:,./-_``
++      into the returned command line.
++
++      If a disallowed character appears in *filename*, ``findmatch`` will always
++      return ``(None, None)`` as if no entry was found.
++      If such a character appears elsewhere (a value in *plist* or in *MIMEtype*),
++      ``findmatch`` will ignore all mailcap entries which use that value.
++      A :mod:`warning <warnings>` will be raised in either case.
+ 
+ .. function:: getcaps()
+ 
+diff --git a/Lib/mailcap.py b/Lib/mailcap.py
+index ae416a8e9f..444c6408b5 100644
+--- a/Lib/mailcap.py
++++ b/Lib/mailcap.py
+@@ -2,6 +2,7 @@
+ 
+ import os
+ import warnings
++import re
+ 
+ __all__ = ["getcaps","findmatch"]
+ 
+@@ -13,6 +14,11 @@ def lineno_sort_key(entry):
+     else:
+         return 1, 0
+ 
++_find_unsafe = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search
++
++class UnsafeMailcapInput(Warning):
++    """Warning raised when refusing unsafe input"""
++
+ 
+ # Part 1: top-level interface.
+ 
+@@ -165,15 +171,22 @@ def findmatch(caps, MIMEtype, key='view', filename="/dev/null", plist=[]):
+     entry to use.
+ 
+     """
++    if _find_unsafe(filename):
++        msg = "Refusing to use mailcap with filename %r. Use a safe temporary filename." % (filename,)
++        warnings.warn(msg, UnsafeMailcapInput)
++        return None, None
+     entries = lookup(caps, MIMEtype, key)
+     # XXX This code should somehow check for the needsterminal flag.
+     for e in entries:
+         if 'test' in e:
+             test = subst(e['test'], filename, plist)
++            if test is None:
++                continue
+             if test and os.system(test) != 0:
+                 continue
+         command = subst(e[key], MIMEtype, filename, plist)
+-        return command, e
++        if command is not None:
++            return command, e
+     return None, None
+ 
+ def lookup(caps, MIMEtype, key=None):
+@@ -206,6 +219,10 @@ def subst(field, MIMEtype, filename, plist=[]):
+             elif c == 's':
+                 res = res + filename
+             elif c == 't':
++                if _find_unsafe(MIMEtype):
++                    msg = "Refusing to substitute MIME type %r into a shell command." % (MIMEtype,)
++                    warnings.warn(msg, UnsafeMailcapInput)
++                    return None
+                 res = res + MIMEtype
+             elif c == '{':
+                 start = i
+@@ -213,7 +230,12 @@ def subst(field, MIMEtype, filename, plist=[]):
+                     i = i+1
+                 name = field[start:i]
+                 i = i+1
+-                res = res + findparam(name, plist)
++                param = findparam(name, plist)
++                if _find_unsafe(param):
++                    msg = "Refusing to substitute parameter %r (%s) into a shell command" % (param, name)
++                    warnings.warn(msg, UnsafeMailcapInput)
++                    return None
++                res = res + param
+             # XXX To do:
+             # %n == number of parts if type is multipart/*
+             # %F == list of alternating type and filename for parts
+diff --git a/Lib/test/test_mailcap.py b/Lib/test/test_mailcap.py
+index ef9cad498a..32f07ab290 100644
+--- a/Lib/test/test_mailcap.py
++++ b/Lib/test/test_mailcap.py
+@@ -123,7 +123,8 @@ def test_subst(self):
+             (["", "audio/*", "foo.txt"], ""),
+             (["echo foo", "audio/*", "foo.txt"], "echo foo"),
+             (["echo %s", "audio/*", "foo.txt"], "echo foo.txt"),
+-            (["echo %t", "audio/*", "foo.txt"], "echo audio/*"),
++            (["echo %t", "audio/*", "foo.txt"], None),
++            (["echo %t", "audio/wav", "foo.txt"], "echo audio/wav"),
+             (["echo \\%t", "audio/*", "foo.txt"], "echo %t"),
+             (["echo foo", "audio/*", "foo.txt", plist], "echo foo"),
+             (["echo %{total}", "audio/*", "foo.txt", plist], "echo 3")
+@@ -207,7 +208,10 @@ def test_findmatch(self):
+              ('"An audio fragment"', audio_basic_entry)),
+             ([c, "audio/*"],
+              {"filename": fname},
+-             ("/usr/local/bin/showaudio audio/*", audio_entry)),
++             (None, None)),
++            ([c, "audio/wav"],
++             {"filename": fname},
++             ("/usr/local/bin/showaudio audio/wav", audio_entry)),
+             ([c, "message/external-body"],
+              {"plist": plist},
+              ("showexternal /dev/null default john python.org     /tmp foo bar", message_entry))
+diff --git a/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
+new file mode 100644
+index 0000000000..da81a1f699
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2022-04-27-18-25-30.gh-issue-68966.gjS8zs.rst
+@@ -0,0 +1,4 @@
++The deprecated mailcap module now refuses to inject unsafe text (filenames,
++MIME types, parameters) into shell commands. Instead of using such text, it
++will warn and act as if a match was not found (or for test commands, as if
++the test failed).

python3.10.rpmlintrc

@@ -19,9 +19,6 @@ addFilter(r'self-obsoletion python3\.\d+ obsoletes python3\.\d+')
 # intentionally hardcoded
 addFilter(r'hardcoded-library-path in %{_prefix}/lib/(debug/%{_libdir}|python%{pybasever})')
 
-# intentional for our pythonXY package
-addFilter(r'python3\.\d+\.[^:]+: (E|W): devel-file-in-non-devel-package')
-
 # we have non binary stuff, python files
 addFilter(r'only-non-binary-in-usr-lib')
 

python3.10.spec

@@ -13,7 +13,7 @@ URL: https://www.python.org/
 
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
-%global general_version %{pybasever}.0
+%global general_version %{pybasever}.7
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
@@ -31,7 +31,6 @@ License: Python
 # Main Python, i.e. whether this is the main Python version in the distribution
 # that owns /usr/bin/python3 and other unique paths
 # This also means the built subpackages are called python3 rather than python3X
-# WARNING: This also influences the flatpackage bcond below.
 # By default, this is determined by the %%__default_python3_pkgversion value
 %if "%{?__default_python3_pkgversion}" == "%{pybasever}"
 %bcond_without main_python
@@ -39,13 +38,13 @@ License: Python
 %bcond_with main_python
 %endif
 
-# Flat package, i.e. no separate subpackages
-# Default (in Fedora): if this is a main Python, it is not a flatpackage
-# Not supported: Combination of flatpackage enabled and main_python enabled
-%if %{with main_python}
-%bcond_with flatpackage
+# If this is *not* Main Python, should it contain `Provides: python(abi) ...`?
+# In Fedora no package shall depend on an alternative Python via this tag, so we do not provide it.
+# In ELN/RHEL/CentOS we want to allow building against alternative stacks, so the Provide is enabled.
+%if 0%{?fedora}
+%bcond_with python_abi_provides_for_alt_pythons
 %else
-%bcond_without flatpackage
+%bcond_without python_abi_provides_for_alt_pythons
 %endif
 
 # When bootstrapping python3, we need to build setuptools.
@@ -68,8 +67,8 @@ License: Python
 # If the rpmwheels condition is disabled, we use the bundled wheel packages
 # from Python with the versions below.
 # This needs to be manually updated when we update Python.
-%global pip_version 21.2.3
-%global setuptools_version 57.4.0
+%global pip_version 22.2.2
+%global setuptools_version 63.2.0
 
 # Expensive optimizations (mainly, profile-guided optimizations)
 %bcond_without optimizations
@@ -79,11 +78,7 @@ License: Python
 
 # Extra build for debugging the interpreter or C-API extensions
 # (the -debug subpackages)
-%if %{with flatpackage}
-%bcond_with debug_build
-%else
 %bcond_without debug_build
-%endif
 
 # Support for the GDB debugger
 %bcond_without gdb_hooks
@@ -166,6 +161,20 @@ License: Python
 %{warn:Doing a main_python build with wrong %%__default_python3_pkgversion (0%{?__default_python3_pkgversion}, but this is %pyshortver)}
 %endif
 
+%if %{with main_python}
+# To keep the upgrade path clean, we Obsolete python3.X from the python3
+# package and python3.X-foo from individual subpackages.
+# Note that using Obsoletes without package version is not standard practice.
+# Here we assert that *any* version of the system's default interpreter is
+# preferable to an "extra" interpreter. For example, python3-3.6.1 will
+# replace python3.6-3.6.2.
+%define unversioned_obsoletes_of_python3_X_if_main() %{expand:\
+Obsoletes: python%{pybasever}%{?1:-%{1}}\
+}
+%else
+%define unversioned_obsoletes_of_python3_X_if_main() %{nil}
+%endif
+
 # =======================
 # Build-time requirements
 # =======================
@@ -267,7 +276,7 @@ Source11: idle3.appdata.xml
 # Was Patch0 in ivazquez' python3000 specfile
 Patch1: 00001-rpath.patch
 
-# 00251 # 5c445123f04d96be42a35eef5119378ba1713a96
+# 00251 # 08a62456431df182dfad18ad75838f769aca2d08
 # Change user install location
 #
 # Set values of prefix and exec_prefix in distutils install command
@@ -275,7 +284,13 @@ Patch1: 00001-rpath.patch
 # is not detected to make pip and distutils install into separate location.
 #
 # Fedora Change: https://fedoraproject.org/wiki/Changes/Making_sudo_pip_safe
-# Downstream only: Awaiting resources to work on upstream PEP
+# Downstream only: Reworked in Fedora 36+ to follow https://bugs.python.org/issue43976
+#
+# pypa/distutils integration: https://github.com/pypa/distutils/pull/70
+#
+# Also set sysconfig._PIP_USE_SYSCONFIG = False, to force pip-upgraded-pip
+# to respect this patched distutils install command.
+# See https://bugzilla.redhat.com/show_bug.cgi?id=2014513
 Patch251: 00251-change-user-install-location.patch
 
 # 00328 # 318e500c98f5e59eb1f23e0fcd32db69b9bd17e1
@@ -292,6 +307,27 @@ Patch251: 00251-change-user-install-location.patch
 # Ideally, we should talk to upstream and explain why we don't want this
 Patch328: 00328-pyc-timestamp-invalidation-mode.patch
 
+# 00371 # c1754d9c2750f89cb702e1b63a99201f5f7cff00
+# Revert "bpo-1596321: Fix threading._shutdown() for the main thread (GH-28549) (GH-28589)"
+#
+# This reverts commit 38c67738c64304928c68d5c2bd78bbb01d979b94. It
+# introduced regression causing FreeIPA's tests to fail.
+#
+# For more info see:
+# https://bodhi.fedoraproject.org/updates/FEDORA-2021-e152ce5f31
+# https://github.com/GrahamDumpleton/mod_wsgi/issues/730
+Patch371: 00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch
+
+# 00382 # 9e275dcdf3934b827994ecc3247d583d5bab7985
+# CVE-2015-20107
+#
+# Make mailcap refuse to match unsafe filenames/types/params (GH-91993)
+#
+# Upstream: https://github.com/python/cpython/issues/68966
+#
+# Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2075390
+Patch382: 00382-cve-2015-20107.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -310,8 +346,7 @@ Patch328: 00328-pyc-timestamp-invalidation-mode.patch
 # Descriptions, and metadata for subpackages
 # ==========================================
 
-# this if branch is ~300 lines long and contains subpackages' definitions
-%if %{without flatpackage}
+
 %if %{with main_python}
 # Description for the python3X SRPM only:
 %description
@@ -324,17 +359,13 @@ third-party libraries.
 Summary: Python %{pybasever} interpreter
 
 # In order to support multiple Python interpreters for development purposes,
-# packages with the naming scheme flatpackage (e.g. python3.5) exist for
+# packages with fully versioned naming scheme (e.g. python3.9*) exist for
 # non-default versions of Python 3.
 # For consistency, we provide python3.X from python3 as well.
 Provides: python%{pybasever} = %{version}-%{release}
 Provides: python%{pybasever}%{?_isa} = %{version}-%{release}
-# To keep the upgrade path clean, we Obsolete python3.X.
-# Note that using Obsoletes without package version is not standard practice.
-# Here we assert that *any* version of the system's default interpreter is
-# preferable to an "extra" interpreter. For example, python3-3.6.1 will
-# replace python3.6-3.6.2.
-Obsoletes: python%{pybasever}
+
+%unversioned_obsoletes_of_python3_X_if_main
 
 # https://fedoraproject.org/wiki/Changes/Move_usr_bin_python_into_separate_package
 # https://fedoraproject.org/wiki/Changes/Python_means_Python3
@@ -348,15 +379,18 @@ Recommends: %{_bindir}/python
 # python39). However, to align it with the executable names and to prepare for
 # Python 3.10, they were renamed to pythonX.Y (e.g. python3.9, python3.10). We
 # provide and obsolete the previous names.
-# - Here are the tags for the nonflat package, regardless if main_python (e.g.
-#   python3) or not (e.g. python39). For the flat package, the provide is
-#   repeated many lines later.
 Provides: python%{pyshortver} = %{version}-%{release}
 Obsoletes: python%{pyshortver} < %{version}-%{release}
 
+%if %{with main_python} || %{with python_abi_provides_for_alt_pythons}
 # Packages with Python modules in standard locations automatically
 # depend on python(abi). Provide that here.
 Provides: python(abi) = %{pybasever}
+%else
+# We exclude the `python(abi)` Provides
+%global __requires_exclude ^python\\(abi\\) = 3\\..+
+%global __provides_exclude ^python\\(abi\\) = 3\\..+
+%endif
 
 Requires: %{pkgname}-libs%{?_isa} = %{version}-%{release}
 
@@ -423,6 +457,8 @@ Provides: bundled(python3dist(pip)) = %{pip_version}
 Provides: bundled(python3dist(setuptools)) = %{setuptools_version}
 %endif
 
+%unversioned_obsoletes_of_python3_X_if_main libs
+
 # There are files in the standard library that have python shebang.
 # We've filtered the automatic requirement out so libs are installable without
 # the main package. This however makes it pulled in by default.
@@ -455,15 +491,22 @@ Requires: (python-rpm-macros if rpm-build)
 Requires: (python3-rpm-macros if rpm-build)
 Requires: (pyproject-rpm-macros if rpm-build)
 
+%unversioned_obsoletes_of_python3_X_if_main devel
+
+%if %{with main_python}
 # Python developers are very likely to need pip
 Recommends: %{pkgname}-pip
+%endif
 
 %if %{without bootstrap}
 Requires: (python3-rpm-generators if rpm-build)
 %endif
 
 Provides: %{pkgname}-2to3 = %{version}-%{release}
+
+%if %{with main_python}
 Provides: 2to3 = %{version}-%{release}
+%endif
 
 Conflicts: %{pkgname} < %{version}-%{release}
 
@@ -481,8 +524,12 @@ Summary: A basic graphical development environment for Python
 Requires: %{pkgname} = %{version}-%{release}
 Requires: %{pkgname}-tkinter = %{version}-%{release}
 
+%unversioned_obsoletes_of_python3_X_if_main idle
+
+%if %{with main_python}
 Provides: idle3 = %{version}-%{release}
 Provides: idle = %{version}-%{release}
+%endif
 
 Provides: %{pkgname}-tools = %{version}-%{release}
 Provides: %{pkgname}-tools%{?_isa} = %{version}-%{release}
@@ -505,6 +552,8 @@ configuration, browsers, and other dialogs.
 Summary: A GUI toolkit for Python
 Requires: %{pkgname} = %{version}-%{release}
 
+%unversioned_obsoletes_of_python3_X_if_main tkinter
+
 # The importable module "turtle" is here, so provide python3-turtle.
 # (We don't provide python3-turtledemo, that's not too useful when imported.)
 %py_provides %{pkgname}-turtle
@@ -519,6 +568,8 @@ Summary: The self-test suite for the main python3 package
 Requires: %{pkgname} = %{version}-%{release}
 Requires: %{pkgname}-libs%{?_isa} = %{version}-%{release}
 
+%unversioned_obsoletes_of_python3_X_if_main test
+
 %description -n %{pkgname}-test
 The self-test suite for the Python interpreter.
 
@@ -541,6 +592,8 @@ Requires: %{pkgname}-test%{?_isa} = %{version}-%{release}
 Requires: %{pkgname}-tkinter%{?_isa} = %{version}-%{release}
 Requires: %{pkgname}-idle%{?_isa} = %{version}-%{release}
 
+%unversioned_obsoletes_of_python3_X_if_main debug
+
 %description -n %{pkgname}-debug
 python3-debug provides a version of the Python runtime with numerous debugging
 features enabled, aimed at advanced Python users such as developers of Python
@@ -558,44 +611,6 @@ The debug runtime additionally supports debug builds of C-API extensions
 (with the "d" ABI flag) for debugging issues in those extensions.
 %endif # with debug_build
 
-%else  # with flatpackage
-
-# We'll not provide this, on purpose
-# No package in Fedora shall ever depend on flatpackage via this
-%global __requires_exclude ^python\\(abi\\) = 3\\..+
-%global __provides_exclude ^python\\(abi\\) = 3\\..+
-
-# Python interpreter packages used to be named (or provide) name pythonXY (e.g.
-# python39). However, to align it with the executable names and to prepare for
-# Python 3.10, they were renamed to pythonX.Y (e.g. python3.9, python3.10). We
-# provide and obsolete the previous names.
-# - Here are the tags for the flat package. For the nonflat package, the
-#   provide is repeated many lines above.
-Provides: python%{pyshortver} = %{version}-%{release}
-Obsoletes: python%{pyshortver} < %{version}-%{release}
-
-%if %{with rpmwheels}
-Requires: python-setuptools-wheel
-Requires: python-pip-wheel
-%else
-Provides: bundled(python3dist(pip)) = %{pip_version}
-Provides: bundled(python3dist(setuptools)) = %{setuptools_version}
-%endif
-
-# The zoneinfo module needs tzdata
-Requires: tzdata
-
-# The description for the flat package (SRPM and built)
-%description
-Python %{pybasever} package for developers.
-
-This package exists to allow developers to test their code against a newer
-version of Python. This is not a full Python stack and if you wish to run
-your applications with Python %{pybasever}, update your Fedora to a newer
-version once Python %{pybasever} is stable.
-
-%endif # with flatpackage
-
 # ======================================================
 # The prep phase of the build:
 # ======================================================
@@ -1058,10 +1073,8 @@ CheckPython() {
   # test_distutils
   #   distutils.tests.test_bdist_rpm tests fail when bootstraping the Python
   #   package: rpmbuild requires /usr/bin/pythonX.Y to be installed
-  # test_frozentable fails with Python 3.10.0a6 (https://bugs.python.org/issue43372)
   LD_LIBRARY_PATH=$ConfDir $ConfDir/python -m test.regrtest \
     -wW --slowest -j0 --timeout=1800 \
-    -i test_frozentable \
     %if %{with bootstrap}
     -x test_distutils \
     %endif
@@ -1100,17 +1113,13 @@ CheckPython optimized
 
 
 %if %{with main_python}
-%if %{without flatpackage}
 %files -n python-unversioned-command
-%endif
 %{_bindir}/python
 %{_mandir}/*/python.1*
 %endif
 
-%if %{without flatpackage}
 %files -n %{pkgname}-libs
 %doc README.rst
-%endif
 
 %dir %{pylibdir}
 %dir %{dynload_dir}
@@ -1118,9 +1127,7 @@ CheckPython optimized
 %license %{pylibdir}/LICENSE.txt
 
 %{pylibdir}/lib2to3
-%if %{without flatpackage}
 %exclude %{pylibdir}/lib2to3/tests
-%endif
 
 %dir %{pylibdir}/unittest/
 %dir %{pylibdir}/unittest/__pycache__/
@@ -1243,6 +1250,12 @@ CheckPython optimized
 %dir %{pylibdir}/site-packages/
 %dir %{pylibdir}/site-packages/__pycache__/
 %{pylibdir}/site-packages/README.txt
+
+%if %{with debug_build}
+%exclude %{pylibdir}/_sysconfigdata_%{ABIFLAGS_debug}_linux_%{platform_triplet}.py
+%exclude %{pylibdir}/__pycache__/_sysconfigdata_%{ABIFLAGS_debug}_linux_%{platform_triplet}%{bytecode_suffixes}
+%endif
+
 %{pylibdir}/*.py
 %dir %{pylibdir}/__pycache__/
 %{pylibdir}/__pycache__/*%{bytecode_suffixes}
@@ -1307,10 +1320,8 @@ CheckPython optimized
 %{pylibdir}/sqlite3/*.py
 %{pylibdir}/sqlite3/__pycache__/*%{bytecode_suffixes}
 
-%if %{without flatpackage}
 %exclude %{pylibdir}/turtle.py
 %exclude %{pylibdir}/__pycache__/turtle*%{bytecode_suffixes}
-%endif
 
 %{pylibdir}/urllib
 %{pylibdir}/xml
@@ -1336,15 +1347,10 @@ CheckPython optimized
 %endif
 
 
-%if %{without flatpackage}
 %files -n %{pkgname}-devel
-%endif
-
 %{pylibdir}/config-%{LDVERSION_optimized}-%{platform_triplet}/*
-%if %{without flatpackage}
 %exclude %{pylibdir}/config-%{LDVERSION_optimized}-%{platform_triplet}/Makefile
 %exclude %{_includedir}/python%{LDVERSION_optimized}/%{_pyconfig_h}
-%endif
 %{_includedir}/python%{LDVERSION_optimized}/*.h
 %{_includedir}/python%{LDVERSION_optimized}/internal/
 %{_includedir}/python%{LDVERSION_optimized}/cpython/
@@ -1379,10 +1385,7 @@ CheckPython optimized
 %{_libdir}/pkgconfig/python-%{pybasever}-embed.pc
 
 
-%if %{without flatpackage}
 %files -n %{pkgname}-idle
-%endif
-
 %if %{with main_python}
 %{_bindir}/idle*
 %else
@@ -1397,14 +1400,9 @@ CheckPython optimized
 %{_datadir}/icons/hicolor/*/apps/idle3.*
 %endif
 
-%if %{without flatpackage}
 %files -n %{pkgname}-tkinter
-%endif
-
 %{pylibdir}/tkinter
-%if %{without flatpackage}
 %exclude %{pylibdir}/tkinter/test
-%endif
 %{dynload_dir}/_tkinter.%{SOABI_optimized}.so
 %{pylibdir}/turtle.py
 %{pylibdir}/__pycache__/turtle*%{bytecode_suffixes}
@@ -1415,10 +1413,7 @@ CheckPython optimized
 %{pylibdir}/turtledemo/__pycache__/*%{bytecode_suffixes}
 
 
-%if %{without flatpackage}
 %files -n %{pkgname}-test
-%endif
-
 %{pylibdir}/ctypes/test
 %{pylibdir}/distutils/tests
 %{pylibdir}/sqlite3/test
@@ -1441,10 +1436,7 @@ CheckPython optimized
 # all of the other subpackages
 
 %if %{with debug_build}
-%if %{without flatpackage}
 %files -n %{pkgname}-debug
-%endif
-
 %if %{with main_python}
 %{_bindir}/python3-debug
 %{_bindir}/python-debug
@@ -1560,6 +1552,9 @@ CheckPython optimized
 %{dynload_dir}/_testinternalcapi.%{SOABI_debug}.so
 %{dynload_dir}/_testmultiphase.%{SOABI_debug}.so
 
+%{pylibdir}/_sysconfigdata_%{ABIFLAGS_debug}_linux_%{platform_triplet}.py
+%{pylibdir}/__pycache__/_sysconfigdata_%{ABIFLAGS_debug}_linux_%{platform_triplet}%{bytecode_suffixes}
+
 %endif # with debug_build
 
 # We put the debug-gdb.py file inside /usr/lib/debug to avoid noise from ldconfig
@@ -1583,6 +1578,45 @@ CheckPython optimized
 # ======================================================
 
 %changelog
+* Wed Sep 07 2022 Miro Hrončok <mhroncok@redhat.com> - 3.10.7-1
+- Update to 3.10.7
+- Contains security fix for CVE-2020-10735
+
+* Tue Aug 02 2022 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.10.6-1
+- Update to 3.10.6
+
+* Thu Jun 09 2022 Charalampos Stratakis <cstratak@redhat.com> - 3.10.5-2
+- Security fix for CVE-2015-20107
+Resolves: rhbz#2075390
+
+* Tue Jun 07 2022 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.10.5-1
+- Update to 3.10.5
+
+* Sat May 14 2022 Tomas Orsava <torsava@redhat.com> - 3.10.4-2
+- Move _sysconfigdata_d_linux*.py to the debug subpackage
+
+* Fri Mar 25 2022 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.10.4-1
+- Update to 3.10.4
+
+* Fri Mar 18 2022 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.10.3-1
+- Update to 3.10.3
+
+* Mon Jan 17 2022 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.10.2-1
+- Update to 3.10.2
+
+* Mon Jan 10 2022 Miro Hrončok <mhroncok@redhat.com> - 3.10.1-3
+- Backport fixes for two Python 3.10.1 regressions
+- Fixes: rhbz#2030621
+- Fixes: rhbz#2034962
+
+* Thu Dec 09 2021 Miro Hrončok <mhroncok@redhat.com> - 3.10.1-2
+- Instruct pip to use distutils
+- Instruct pypa/distutils to add /local/ addition to prefix
+- Fixes rhbz#2014513
+
+* Tue Dec 07 2021 Tomáš Hrnčiar <thrnciar@redhat.com> - 3.10.1-1
+- Update to 3.10.1
+
 * Mon Oct 04 2021 Miro Hrončok <mhroncok@redhat.com> - 3.10.0-1
 - Update to 3.10.0 final
 

sources

@@ -1,2 +1,2 @@
-SHA512 (Python-3.10.0.tar.xz) = 82b2729afc7d72a80882f199970667dce7d971a2e5ecfe6cf84f7b68612ab2caf6ed6d7a8cb81f24ea85cb0816464bb2e8b2e6884eda62fa40742edc674193bd
-SHA512 (Python-3.10.0.tar.xz.asc) = 67236e02bc49da1423717cb54216b745f613ba2fc4b372a4aa15a36ab15fe69d9b9087070382957d480df7576d13056caedcd979fb56531799a1190b822f673d
+SHA512 (Python-3.10.7.tar.xz) = dc3432d72ee7382617318c9645204876d13bb61d4caf3fbbb65e6b14897261123c743049657c95e159e5566daf4dcde613d2e393f025de758f610b44eb958313
+SHA512 (Python-3.10.7.tar.xz.asc) = a65d152d87870de763de3384a1c0ff0309068a2af0fcdfa39a6f968a52b59c56229553cf6a955ec0af1d3db5bf4641c4e91d6150764548d2e9fb0e9a01ab759d

tests/tests.yml

@@ -21,6 +21,9 @@
     - smoke:
         dir: python/smoke
         run: VERSION=3.10 ./venv.sh
+    - smoke_virtualenv:
+        dir: python/smoke
+        run: VERSION=3.10 METHOD=virtualenv ./venv.sh
     - debugsmoke:
         dir: python/smoke
         run: PYTHON=python3-debug TOX=false VERSION=3.10 ./venv.sh
@@ -44,7 +47,8 @@
     - python3-devel  # for extension building in venv and selftest
     - python3-tkinter  # for selftest
     - python3-test  # for selftest
-    - python3-tox  # for venv tests
+    - tox  # for venv tests
+    - virtualenv  # for virtualenv tests
     - glibc-all-langpacks # for locale tests
     - marshalparser  # for testing compatibility (magic numbers) with marshalparser
     - rpm  # for debugging