[OE-core] [PATCH v3] python3{,-native}: update to 3.7.0
Alejandro Hernandez
alejandro.enedino.hernandez-samaniego at xilinx.com
Wed Sep 19 18:08:38 UTC 2018
I am aware dnf needs an update, but in the meantime you can't break
functionality of other components of the build system when upgrading a
certain component, we either need a patch to dnf to fix compatibility or
the upgrade to dnf as well.
Alejandro
On 9/19/2018 1:44 AM, Jens Rehsack wrote:
> That has already been discussed, dnf needs an update.
> Am Mi., 19. Sep. 2018 um 08:50 Uhr schrieb Alejandro Hernandez
> <alejandro.enedino.hernandez-samaniego at xilinx.com>:
>> Hey Jens,
>>
>> Apart from the python3-native incomplete build which we discussed before
>> and is still there, this is still breaking dnf, hence producing an error
>> when executing do_rootfs for an image.
>>
>> The following error is shown:
>>
>> NOTE: ###### Generate rootfs #######
>> NOTE: Executing 'RSN/usr/bin/createrepo_c --update -q
>> wrkdir/qemux86-poky-linux/core-image-minimal/1.0-r0/oe-rootfs-repo' ...
>> NOTE: Running RSN/usr/bin/dnf -v --rpmverbosity=debug -y -c
>> wrkdir/qemux86-poky-linux/core-image-minimal/1.0-r0/rootfs/etc/dnf/dnf.conf
>> --setoh
>> ERROR: Could not invoke dnf. Command 'RSN/usr/bin/dnf -v
>> --rpmverbosity=debug -y -c
>> wrkdir/qemux86-poky-linux/core-image-minimal/1.0-r0/rootfs:
>> Traceback (most recent call last):
>> File "RSN/usr/lib/python3.7/site-packages/dnf/util.py", line 121, in
>> ensure_dir
>> os.makedirs(dname, mode=0o755)
>> File "RSN/usr/lib/python3.7/os.py", line 221, in makedirs
>> mkdir(name, mode)
>> FileExistsError: [Errno 17] File exists:
>> 'wrkdir/qemux86-poky-linux/core-image-minimal/1.0-r0/temp'
>>
>> Traceback (most recent call last):
>> File "RSN/usr/bin/dnf.real", line 58, in <module>
>> main.user_main(sys.argv[1:], exit_code=True)
>> File "RSN/usr/lib/python3.7/site-packages/dnf/cli/main.py", line 179,
>> in user_main
>>
>> ...
>>
>> File "RSN/usr/lib/python3.7/site-packages/dnf/util.py", line 123, in
>> ensure_dir
>> if e.errno != os.errno.EEXIST or not os.path.isdir(dname):
>> AttributeError: module 'os' has no attribute 'errno'
>>
>>
>> This means either the python3 build needs to be fixed (unlikely) or that
>> the dnf build needs to be fixed to be compatible with python 3.7, and if
>> that's the case the patch to dnf still needs to be provided (even if
>> it's not part of the upgrade), since we need to ensure that we don't
>> break other component's functionality in between patches.
>>
>> This also means that you probably haven't tested running python3.7
>> inside an image, otherwise its likely you would've seen this same issue,
>> while I see no reason why the python3.7 build wouldn't work at runtime,
>> it still needs to be tested, the fact that a package builds successfully
>> doesn't mean it will necessarily run properly.
>>
>> Alejandro
>>
>> On 9/17/2018 11:49 AM, Jens Rehsack wrote:
>>> Update python3 to recent 3.7.0 release.
>>>
>>> Details about new features and bug-fixes can be taken from
>>> * https://docs.python.org/3/whatsnew/3.7.html
>>> * https://docs.python.org/3/whatsnew/3.6.html
>>>
>>> Remove patches when they were fixed upstream and rebase the
>>> remaining ones. If necessary, the patches are adopted to
>>> keep the idea when upstream code was changed. Also remove
>>> backports from 3.6 and 3.7 into 3.5.6 codebase for TLS
>>> and multiprocessing.
>>>
>>> Open TODO: track patches in a -STABLE rebased git branch for
>>> easier rebasing or upstream submitting.
>>>
>>> Enhancement requests for Yocto project
>>> * https://bugzilla.yoctoproject.org/show_bug.cgi?id=12375
>>> * https://bugzilla.yoctoproject.org/show_bug.cgi?id=12901
>>> are solved by this.
>>>
>>> Signed-off-by: Jens Rehsack <sno at netbsd.org>
>>> ---
>>> meta/classes/python3-dir.bbclass | 6 +-
>>> .../python/python3-native_3.5.6.bb | 100 ------
>>> .../python/python3-native_3.7.0.bb | 73 ++++
>>> meta/recipes-devtools/python/python3.inc | 65 +++-
>>> ...hell-version-of-python-config-that-w.patch | 21 +-
>>> ..._sysconfigdata.py-to-initialize-dist.patch | 66 ----
>>> ...ontext-has-improved-default-settings.patch | 272 ---------------
>>> ...d-target-to-split-profile-generation.patch | 40 ---
>>> ...S-1.3-cipher-suites-and-OP_NO_TLSv1_.patch | 227 ------------
>>> ...for-TLS-1.3-and-OpenSSL-1.1.1-GH-876.patch | 173 ---------
>>> ....3-ciphers-for-OpenSSL-1.1.1-GH-6976.patch | 110 ------
>>> ...ALPN-changes-for-OpenSSL-1.1.0f-2305.patch | 68 ----
>>> .../python3/03-fix-tkinter-detection.patch | 12 +-
>>> .../python3/030-fixup-include-dirs.patch | 9 -
>>> .../080-distutils-dont_adjust_files.patch | 4 +-
>>> .../python/python3/150-fix-setupterm.patch | 17 -
>>> ...GS-for-extensions-when-cross-compili.patch | 53 ++-
>>> .../python3/avoid-ncursesw-include-path.patch | 18 +-
>>> .../python3/avoid_warning_about_tkinter.patch | 18 +-
>>> .../python3/configure.ac-fix-LIBPL.patch | 21 +-
>>> .../python/python3/float-endian.patch | 9 +-
>>> ...ssing-libraries-to-Extension-for-mul.patch | 26 +-
>>> .../python/python3/python-3.3-multilib.patch | 241 +++++++------
>>> .../python/python3/python3-manifest.json | 11 +-
>>> ...CROSSPYTHONPATH-for-PYTHON_FOR_BUILD.patch | 17 +-
>>> .../python/python3/regen-all.patch | 25 --
>>> .../python/python3/signal.patch | 56 ---
>>> ...port_SOURCE_DATE_EPOCH_in_py_compile.patch | 36 +-
>>> .../python3/sysroot-include-headers.patch | 23 +-
>>> .../python3/uuid_when_cross_compiling.patch | 22 ++
>>> meta/recipes-devtools/python/python3_3.5.6.bb | 328 ------------------
>>> meta/recipes-devtools/python/python3_3.7.0.bb | 296 ++++++++++++++++
>>> 32 files changed, 709 insertions(+), 1754 deletions(-)
>>> delete mode 100644 meta/recipes-devtools/python/python3-native_3.5.6.bb
>>> create mode 100644 meta/recipes-devtools/python/python3-native_3.7.0.bb
>>> delete mode 100644 meta/recipes-devtools/python/python3/0001-Issue-21272-Use-_sysconfigdata.py-to-initialize-dist.patch
>>> delete mode 100644 meta/recipes-devtools/python/python3/0001-Issue-28043-SSLContext-has-improved-default-settings.patch
>>> delete mode 100644 meta/recipes-devtools/python/python3/0002-Makefile-add-target-to-split-profile-generation.patch
>>> delete mode 100644 meta/recipes-devtools/python/python3/0002-bpo-29136-Add-TLS-1.3-cipher-suites-and-OP_NO_TLSv1_.patch
>>> delete mode 100644 meta/recipes-devtools/python/python3/0003-bpo-32947-Fixes-for-TLS-1.3-and-OpenSSL-1.1.1-GH-876.patch
>>> delete mode 100644 meta/recipes-devtools/python/python3/0004-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976.patch
>>> delete mode 100644 meta/recipes-devtools/python/python3/0005-bpo-30714-ALPN-changes-for-OpenSSL-1.1.0f-2305.patch
>>> delete mode 100644 meta/recipes-devtools/python/python3/150-fix-setupterm.patch
>>> delete mode 100644 meta/recipes-devtools/python/python3/regen-all.patch
>>> delete mode 100644 meta/recipes-devtools/python/python3/signal.patch
>>> create mode 100644 meta/recipes-devtools/python/python3/uuid_when_cross_compiling.patch
>>> delete mode 100644 meta/recipes-devtools/python/python3_3.5.6.bb
>>> create mode 100644 meta/recipes-devtools/python/python3_3.7.0.bb
>>>
>>> diff --git a/meta/classes/python3-dir.bbclass b/meta/classes/python3-dir.bbclass
>>> index 06bb046d9c..ad7ea8dd9a 100644
>>> --- a/meta/classes/python3-dir.bbclass
>>> +++ b/meta/classes/python3-dir.bbclass
>>> @@ -1,4 +1,8 @@
>>> -PYTHON_BASEVERSION = "3.5"
>>> +PYTHON_BASEVERSION = "3.7"
>>> +# [d][m][u]
>>> +# d: py_debug
>>> +# m: my_malloc
>>> +# u: wide-char unicode
>>> PYTHON_ABI = "m"
>>> PYTHON_DIR = "python${PYTHON_BASEVERSION}"
>>> PYTHON_PN = "python3"
>>> diff --git a/meta/recipes-devtools/python/python3-native_3.5.6.bb b/meta/recipes-devtools/python/python3-native_3.5.6.bb
>>> deleted file mode 100644
>>> index d5953cf4bb..0000000000
>>> --- a/meta/recipes-devtools/python/python3-native_3.5.6.bb
>>> +++ /dev/null
>>> @@ -1,100 +0,0 @@
>>> -require recipes-devtools/python/python3.inc
>>> -
>>> -DISTRO_SRC_URI ?= "file://sitecustomize.py"
>>> -DISTRO_SRC_URI_linuxstdbase = ""
>>> -SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
>>> -file://12-distutils-prefix-is-inside-staging-area.patch \
>>> -file://python-config.patch \
>>> -file://030-fixup-include-dirs.patch \
>>> -file://070-dont-clean-ipkg-install.patch \
>>> -file://080-distutils-dont_adjust_files.patch \
>>> -file://130-readline-setup.patch \
>>> -file://150-fix-setupterm.patch \
>>> -file://python-3.3-multilib.patch \
>>> -file://03-fix-tkinter-detection.patch \
>>> -file://avoid_warning_about_tkinter.patch \
>>> -file://0001-h2py-Fix-issue-13032-where-it-fails-with-UnicodeDeco.patch \
>>> -file://sysroot-include-headers.patch \
>>> -file://unixccompiler.patch \
>>> -${DISTRO_SRC_URI} \
>>> -file://sysconfig.py-add-_PYTHON_PROJECT_SRC.patch \
>>> -file://setup.py-check-cross_compiling-when-get-FLAGS.patch \
>>> -file://0001-Do-not-use-the-shell-version-of-python-config-that-w.patch \
>>> -file://support_SOURCE_DATE_EPOCH_in_py_compile.patch \
>>> -file://regen-all.patch \
>>> -file://0001-Issue-28043-SSLContext-has-improved-default-settings.patch \
>>> -file://0002-bpo-29136-Add-TLS-1.3-cipher-suites-and-OP_NO_TLSv1_.patch \
>>> -file://0003-bpo-32947-Fixes-for-TLS-1.3-and-OpenSSL-1.1.1-GH-876.patch \
>>> -file://0004-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976.patch \
>>> -file://0005-bpo-30714-ALPN-changes-for-OpenSSL-1.1.0f-2305.patch \
>>> -"
>>> -
>>> -EXTRANATIVEPATH += "bzip2-native"
>>> -DEPENDS = "openssl-native bzip2-replacement-native zlib-native readline-native sqlite3-native gdbm-native"
>>> -
>>> -inherit native
>>> -
>>> -EXTRA_OECONF_append = " --bindir=${bindir}/${PN} --without-ensurepip"
>>> -
>>> -EXTRA_OEMAKE = '\
>>> - LIBC="" \
>>> - STAGING_LIBDIR=${STAGING_LIBDIR_NATIVE} \
>>> - STAGING_INCDIR=${STAGING_INCDIR_NATIVE} \
>>> - LIB=${baselib} \
>>> - ARCH=${TARGET_ARCH} \
>>> -'
>>> -
>>> -do_configure_append() {
>>> - autoreconf --verbose --install --force --exclude=autopoint ../Python-${PV}/Modules/_ctypes/libffi
>>> - sed -i -e 's,#define HAVE_GETRANDOM 1,/\* #undef HAVE_GETRANDOM \*/,' ${B}/pyconfig.h
>>> -}
>>> -
>>> -# Regenerate all of the generated files
>>> -# This ensures that pgen and friends get created during the compile phase
>>> -#
>>> -do_compile_prepend() {
>>> - # Assuming https://bugs.python.org/issue33080 has been addressed in Makefile.
>>> - oe_runmake regen-all
>>> -}
>>> -
>>> -do_install() {
>>> - install -d ${D}${libdir}/pkgconfig
>>> - oe_runmake 'DESTDIR=${D}' install
>>> - if [ -e ${WORKDIR}/sitecustomize.py ]; then
>>> - install -m 0644 ${WORKDIR}/sitecustomize.py ${D}/${libdir}/python${PYTHON_MAJMIN}
>>> - fi
>>> - install -d ${D}${bindir}/${PN}
>>> - install -m 0755 Parser/pgen ${D}${bindir}/${PN}
>>> -
>>> - # Make sure we use /usr/bin/env python
>>> - for PYTHSCRIPT in `grep -rIl ${bindir}/${PN}/python ${D}${bindir}/${PN}`; do
>>> - sed -i -e '1s|^#!.*|#!/usr/bin/env python3|' $PYTHSCRIPT
>>> - done
>>> -
>>> - # Add a symlink to the native Python so that scripts can just invoke
>>> - # "nativepython" and get the right one without needing absolute paths
>>> - # (these often end up too long for the #! parser in the kernel as the
>>> - # buffer is 128 bytes long).
>>> - ln -s python3-native/python3 ${D}${bindir}/nativepython3
>>> -}
>>> -
>>> -python(){
>>> -
>>> - # Read JSON manifest
>>> - import json
>>> - pythondir = d.getVar('THISDIR',True)
>>> - with open(pythondir+'/python3/python3-manifest.json') as manifest_file:
>>> - python_manifest=json.load(manifest_file)
>>> -
>>> - rprovides = d.getVar('RPROVIDES').split()
>>> -
>>> - # Hardcoded since it cant be python3-native-foo, should be python3-foo-native
>>> - pn = 'python3'
>>> -
>>> - for key in python_manifest:
>>> - pypackage = pn + '-' + key + '-native'
>>> - if pypackage not in rprovides:
>>> - rprovides.append(pypackage)
>>> -
>>> - d.setVar('RPROVIDES', ' '.join(rprovides))
>>> -}
>>> diff --git a/meta/recipes-devtools/python/python3-native_3.7.0.bb b/meta/recipes-devtools/python/python3-native_3.7.0.bb
>>> new file mode 100644
>>> index 0000000000..3ef9f0a5e3
>>> --- /dev/null
>>> +++ b/meta/recipes-devtools/python/python3-native_3.7.0.bb
>>> @@ -0,0 +1,73 @@
>>> +require recipes-devtools/python/python3.inc
>>> +
>>> +SRC_URI += "\
>>> + file://12-distutils-prefix-is-inside-staging-area.patch \
>>> + file://0001-Do-not-use-the-shell-version-of-python-config-that-w.patch \
>>> +"
>>> +
>>> +EXTRANATIVEPATH += "bzip2-native"
>>> +DEPENDS = "openssl-native libffi-native bzip2-replacement-native zlib-native \
>>> + util-linux-native readline-native sqlite3-native gdbm-native \
>>> +"
>>> +
>>> +inherit native
>>> +
>>> +EXTRA_OECONF_append = " --bindir=${bindir}/${PN} --without-ensurepip"
>>> +
>>> +EXTRA_OEMAKE = '\
>>> + LIBC="" \
>>> + STAGING_LIBDIR=${STAGING_LIBDIR_NATIVE} \
>>> + STAGING_INCDIR=${STAGING_INCDIR_NATIVE} \
>>> + LIB=${baselib} \
>>> + ARCH=${TARGET_ARCH} \
>>> +'
>>> +
>>> +# Regenerate all of the generated files
>>> +# This ensures that pgen and friends get created during the compile phase
>>> +#
>>> +do_compile_prepend() {
>>> + # Assuming https://bugs.python.org/issue33080 has been addressed in Makefile.
>>> + oe_runmake regen-all
>>> +}
>>> +
>>> +do_install() {
>>> + install -d ${D}${libdir}/pkgconfig
>>> + oe_runmake 'DESTDIR=${D}' install
>>> + if [ -e ${WORKDIR}/sitecustomize.py ]; then
>>> + install -m 0644 ${WORKDIR}/sitecustomize.py ${D}/${libdir}/python${PYTHON_MAJMIN}
>>> + fi
>>> + install -d ${D}${bindir}/${PN}
>>> + install -m 0755 Parser/pgen ${D}${bindir}/${PN}
>>> +
>>> + # Make sure we use /usr/bin/env python
>>> + for PYTHSCRIPT in `grep -rIl ${bindir}/${PN}/python ${D}${bindir}/${PN}`; do
>>> + sed -i -e '1s|^#!.*|#!/usr/bin/env python3|' $PYTHSCRIPT
>>> + done
>>> +
>>> + # Add a symlink to the native Python so that scripts can just invoke
>>> + # "nativepython" and get the right one without needing absolute paths
>>> + # (these often end up too long for the #! parser in the kernel as the
>>> + # buffer is 128 bytes long).
>>> + ln -s python3-native/python3 ${D}${bindir}/nativepython3
>>> +}
>>> +
>>> +python(){
>>> +
>>> + # Read JSON manifest
>>> + import json
>>> + pythondir = d.getVar('THISDIR',True)
>>> + with open(pythondir+'/python3/python3-manifest.json') as manifest_file:
>>> + python_manifest=json.load(manifest_file)
>>> +
>>> + rprovides = d.getVar('RPROVIDES').split()
>>> +
>>> + # Hardcoded since it cant be python3-native-foo, should be python3-foo-native
>>> + pn = 'python3'
>>> +
>>> + for key in python_manifest:
>>> + pypackage = pn + '-' + key + '-native'
>>> + if pypackage not in rprovides:
>>> + rprovides.append(pypackage)
>>> +
>>> + d.setVar('RPROVIDES', ' '.join(rprovides))
>>> +}
>>> diff --git a/meta/recipes-devtools/python/python3.inc b/meta/recipes-devtools/python/python3.inc
>>> index f565b3f171..b0fc0144a4 100644
>>> --- a/meta/recipes-devtools/python/python3.inc
>>> +++ b/meta/recipes-devtools/python/python3.inc
>>> @@ -3,41 +3,74 @@ HOMEPAGE = "http://www.python.org"
>>> LICENSE = "PSFv2"
>>> SECTION = "devel/python"
>>>
>>> -# TODO Remove this when we upgrade
>>> -INC_PR = "r1"
>>> -PR = "${INC_PR}.0"
>>> +PYTHON_MAJMIN = "3.7"
>>> +DISTRO_SRC_URI ?= "file://sitecustomize.py"
>>> +DISTRO_SRC_URI_linuxstdbase = ""
>>> +SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
>>> + file://python-config.patch \
>>> + file://python-3.3-multilib.patch \
>>> + file://03-fix-tkinter-detection.patch \
>>> + file://avoid_warning_about_tkinter.patch \
>>> + file://unixccompiler.patch \
>>> + file://sysroot-include-headers.patch \
>>> + file://sysconfig.py-add-_PYTHON_PROJECT_SRC.patch \
>>> + file://setup.py-check-cross_compiling-when-get-FLAGS.patch \
>>> + file://030-fixup-include-dirs.patch \
>>> + file://070-dont-clean-ipkg-install.patch \
>>> + file://080-distutils-dont_adjust_files.patch \
>>> + file://130-readline-setup.patch \
>>> + file://0001-h2py-Fix-issue-13032-where-it-fails-with-UnicodeDeco.patch \
>>> + ${DISTRO_SRC_URI} \
>>> + file://support_SOURCE_DATE_EPOCH_in_py_compile.patch \
>>> + file://Use-correct-CFLAGS-for-extensions-when-cross-compili.patch \
>>> +"
>>>
>>> -LIC_FILES_CHKSUM = "file://LICENSE;md5=b6ec515b22618f55fa07276b897bacea"
>>> +SRC_URI[md5sum] = "eb8c2a6b1447d50813c02714af4681f3"
>>> +SRC_URI[sha256sum] = "0382996d1ee6aafe59763426cf0139ffebe36984474d0ec4126dd1c40a8b3549"
>>>
>>> -# TODO consolidate patch set
>>> -SRC_URI[md5sum] = "f5a99f765e765336a3ebbb2a24ca2be3"
>>> -SRC_URI[sha256sum] = "f55cde04f521f273c7cba08912921cc5642cfc15ca7b22d5829f0aff4371155f"
>>> +LIC_FILES_CHKSUM = "file://LICENSE;md5=f257cc14f81685691652a3d3e1b5d754"
>>>
>>> # exclude pre-releases for both python 2.x and 3.x
>>> UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
>>>
>>> -CVE_PRODUCT = "python"
>>> -
>>> -PYTHON_MAJMIN = "3.5"
>>> -PYTHON_BINABI = "${PYTHON_MAJMIN}m"
>>> -
>>> S = "${WORKDIR}/Python-${PV}"
>>>
>>> -inherit autotools bluetooth pkgconfig
>>> +CVE_PRODUCT = "python"
>>> +
>>> +inherit autotools bluetooth pkgconfig python3-dir
>>>
>>> EXTRA_OECONF = "\
>>> - --with-threads \
>>> --with-pymalloc \
>>> --without-cxx-main \
>>> - --with-signal-module \
>>> --enable-shared \
>>> --enable-ipv6=${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'yes', 'no', d)} \
>>> "
>>>
>>> PACKAGECONFIG[bluetooth] = ",ac_cv_header_bluetooth_bluetooth_h=no ac_cv_header_bluetooth_h=no,${BLUEZ}"
>>>
>>> +do_configure_prepend() {
>>> + libdirleaf="$(echo ${libdir} | sed -e 's:${prefix}/::')"
>>> + sed -i -e "s:SEDMELIBLEAF:${libdirleaf}:g" \
>>> + ${S}/configure.ac
>>> +}
>>> +
>>> +do_install_prepend() {
>>> + MAKESETTINGS="$(egrep '^(ABIFLAGS|MULTIARCH)=' ${B}/Makefile | sed -E -e 's/[[:space:]]//g' -e 's/=/="/' -e 's/$/"/')"
>>> + eval ${MAKESETTINGS}
>>> + if test "${ABIFLAGS}" != "${PYTHON_ABI}"; then
>>> + die "do_install: configure determined ABIFLAGS '${ABIFLAGS}' != '${PYTHON_ABI}' from python3-dir.bbclass"
>>> + fi
>>> + if test "x${BUILD_OS}" = "x${TARGET_OS}"; then
>>> + # no cross-compile at all
>>> + _PYTHON_SYSCONFIGDATA_NAME=${PYTHON_ABI}_${TARGET_OS}_${MULTIARCH}
>>> + else
>>> + # at the very moment, it's the only available target
>>> + _PYTHON_SYSCONFIGDATA_NAME=${PYTHON_ABI}_linux_${MULTIARCH}
>>> + fi
>>> +}
>>> +
>>> do_install_append () {
>>> sed -i -e 's:${HOSTTOOLS_DIR}/install:install:g' \
>>> -e 's:${HOSTTOOLS_DIR}/mkdir:mkdir:g' \
>>> - ${D}/${libdir}/python${PYTHON_MAJMIN}/_sysconfigdata.py
>>> + ${D}/${libdir}/python${PYTHON_MAJMIN}/_sysconfigdata_${_PYTHON_SYSCONFIGDATA_NAME}.py
>>> }
>>> diff --git a/meta/recipes-devtools/python/python3/0001-Do-not-use-the-shell-version-of-python-config-that-w.patch b/meta/recipes-devtools/python/python3/0001-Do-not-use-the-shell-version-of-python-config-that-w.patch
>>> index 8ea3f03fe0..aac34533ef 100644
>>> --- a/meta/recipes-devtools/python/python3/0001-Do-not-use-the-shell-version-of-python-config-that-w.patch
>>> +++ b/meta/recipes-devtools/python/python3/0001-Do-not-use-the-shell-version-of-python-config-that-w.patch
>>> @@ -14,25 +14,22 @@ Signed-off-by: Alexander Kanavin <alex.kanavin at gmail.com>
>>> 1 file changed, 3 insertions(+), 6 deletions(-)
>>>
>>> diff --git a/Makefile.pre.in b/Makefile.pre.in
>>> -index 236f005..5c4337f 100644
>>> +index 31b4bcabb3..7da6d6941e 100644
>>> --- a/Makefile.pre.in
>>> +++ b/Makefile.pre.in
>>> -@@ -1348,12 +1348,9 @@ python-config: $(srcdir)/Misc/python-config.in Misc/python-config.sh
>>> +@@ -1415,12 +1415,9 @@ python-config: $(srcdir)/Misc/python-config.in Misc/python-config.sh
>>> sed -e "s, at EXENAME@,$(BINDIR)/python$(LDVERSION)$(EXE)," < $(srcdir)/Misc/python-config.in >python-config.py
>>> - # Replace makefile compat. variable references with shell script compat. ones; $(VAR) -> ${VAR}
>>> + @ # Replace makefile compat. variable references with shell script compat. ones; $(VAR) -> ${VAR}
>>> LC_ALL=C sed -e 's,\$$(\([A-Za-z0-9_]*\)),\$$\{\1\},g' < Misc/python-config.sh >python-config
>>> -- # On Darwin, always use the python version of the script, the shell
>>> -- # version doesn't use the compiler customizations that are provided
>>> -- # in python (_osx_support.py).
>>> -- if test `uname -s` = Darwin; then \
>>> +- @ # On Darwin, always use the python version of the script, the shell
>>> +- @ # version doesn't use the compiler customizations that are provided
>>> +- @ # in python (_osx_support.py).
>>> +- @if test `uname -s` = Darwin; then \
>>> - cp python-config.py python-config; \
>>> - fi
>>> -+ # In OpenEmbedded, always use the python version of the script, the shell
>>> -+ # version is broken in multiple ways, and doesn't return correct directories
>>> ++ @ # In OpenEmbedded, always use the python version of the script, the shell
>>> ++ @ # version is broken in multiple ways, and doesn't return correct directories
>>> + cp python-config.py python-config
>>>
>>>
>>> # Install the include files
>>> ---
>>> -2.11.0
>>> -
>>> diff --git a/meta/recipes-devtools/python/python3/0001-Issue-21272-Use-_sysconfigdata.py-to-initialize-dist.patch b/meta/recipes-devtools/python/python3/0001-Issue-21272-Use-_sysconfigdata.py-to-initialize-dist.patch
>>> deleted file mode 100644
>>> index d1c92e9eed..0000000000
>>> --- a/meta/recipes-devtools/python/python3/0001-Issue-21272-Use-_sysconfigdata.py-to-initialize-dist.patch
>>> +++ /dev/null
>>> @@ -1,66 +0,0 @@
>>> -From bcddbf40c7f1b80336268cdddacc17369fb0ccea Mon Sep 17 00:00:00 2001
>>> -From: Libin Dang <libin.dang at windriver.com>
>>> -Date: Tue, 11 Apr 2017 14:12:15 +0800
>>> -Subject: [PATCH] Issue #21272: Use _sysconfigdata.py to initialize
>>> - distutils.sysconfig
>>> -
>>> -Backport upstream commit
>>> -https://github.com/python/cpython/commit/409482251b06fe75c4ee56e85ffbb4b23d934159
>>> -
>>> -Upstream-Status: Backport
>>> -
>>> -Signed-off-by: Li Zhou <li.zhou at windriver.com>
>>> ----
>>> - Lib/distutils/sysconfig.py | 35 ++++-------------------------------
>>> - 1 file changed, 4 insertions(+), 31 deletions(-)
>>> -
>>> -diff --git a/Lib/distutils/sysconfig.py b/Lib/distutils/sysconfig.py
>>> -index 6d5cfd0..9925d24 100644
>>> ---- a/Lib/distutils/sysconfig.py
>>> -+++ b/Lib/distutils/sysconfig.py
>>> -@@ -424,38 +424,11 @@ _config_vars = None
>>> -
>>> - def _init_posix():
>>> - """Initialize the module as appropriate for POSIX systems."""
>>> -- g = {}
>>> -- # load the installed Makefile:
>>> -- try:
>>> -- filename = get_makefile_filename()
>>> -- parse_makefile(filename, g)
>>> -- except OSError as msg:
>>> -- my_msg = "invalid Python installation: unable to open %s" % filename
>>> -- if hasattr(msg, "strerror"):
>>> -- my_msg = my_msg + " (%s)" % msg.strerror
>>> --
>>> -- raise DistutilsPlatformError(my_msg)
>>> --
>>> -- # load the installed pyconfig.h:
>>> -- try:
>>> -- filename = get_config_h_filename()
>>> -- with open(filename) as file:
>>> -- parse_config_h(file, g)
>>> -- except OSError as msg:
>>> -- my_msg = "invalid Python installation: unable to open %s" % filename
>>> -- if hasattr(msg, "strerror"):
>>> -- my_msg = my_msg + " (%s)" % msg.strerror
>>> --
>>> -- raise DistutilsPlatformError(my_msg)
>>> --
>>> -- # On AIX, there are wrong paths to the linker scripts in the Makefile
>>> -- # -- these paths are relative to the Python source, but when installed
>>> -- # the scripts are in another directory.
>>> -- if python_build:
>>> -- g['LDSHARED'] = g['BLDSHARED']
>>> --
>>> -+ # _sysconfigdata is generated at build time, see the sysconfig module
>>> -+ from _sysconfigdata import build_time_vars
>>> - global _config_vars
>>> -- _config_vars = g
>>> -+ _config_vars = {}
>>> -+ _config_vars.update(build_time_vars)
>>> -
>>> -
>>> - def _init_nt():
>>> ---
>>> -1.8.3.1
>>> -
>>> diff --git a/meta/recipes-devtools/python/python3/0001-Issue-28043-SSLContext-has-improved-default-settings.patch b/meta/recipes-devtools/python/python3/0001-Issue-28043-SSLContext-has-improved-default-settings.patch
>>> deleted file mode 100644
>>> index 321b4afa12..0000000000
>>> --- a/meta/recipes-devtools/python/python3/0001-Issue-28043-SSLContext-has-improved-default-settings.patch
>>> +++ /dev/null
>>> @@ -1,272 +0,0 @@
>>> -From 758e7463c104f71b810c8588166747eeab6148d7 Mon Sep 17 00:00:00 2001
>>> -From: Christian Heimes <christian at python.org>
>>> -Date: Sat, 10 Sep 2016 22:43:48 +0200
>>> -Subject: [PATCH 1/4] Issue 28043: SSLContext has improved default settings
>>> -
>>> -The options OP_NO_COMPRESSION, OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE, OP_SINGLE_ECDH_USE, OP_NO_SSLv2 (except for PROTOCOL_SSLv2), and OP_NO_SSLv3 (except for PROTOCOL_SSLv3) are set by default. The initial cipher suite list contains only HIGH ciphers, no NULL ciphers and MD5 ciphers (except for PROTOCOL_SSLv2).
>>> -
>>> -Upstream-Status: Backport
>>> -[https://github.com/python/cpython/commit/358cfd426ccc0fcd6a7940d306602138e76420ae]
>>> -
>>> -Signed-off-by: Anuj Mittal <anuj.mittal at intel.com>
>>> ----
>>> - Doc/library/ssl.rst | 9 ++++++-
>>> - Lib/ssl.py | 30 +++++----------------
>>> - Lib/test/test_ssl.py | 62 +++++++++++++++++++++++---------------------
>>> - Modules/_ssl.c | 31 ++++++++++++++++++++++
>>> - 4 files changed, 78 insertions(+), 54 deletions(-)
>>> -
>>> -diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
>>> -index a2f008346b..14f2d68217 100644
>>> ---- a/Doc/library/ssl.rst
>>> -+++ b/Doc/library/ssl.rst
>>> -@@ -1151,7 +1151,14 @@ to speed up repeated connections from the same clients.
>>> -
>>> - .. versionchanged:: 3.5.3
>>> -
>>> -- :data:`PROTOCOL_TLS` is the default value.
>>> -+ The context is created with secure default values. The options
>>> -+ :data:`OP_NO_COMPRESSION`, :data:`OP_CIPHER_SERVER_PREFERENCE`,
>>> -+ :data:`OP_SINGLE_DH_USE`, :data:`OP_SINGLE_ECDH_USE`,
>>> -+ :data:`OP_NO_SSLv2` (except for :data:`PROTOCOL_SSLv2`),
>>> -+ and :data:`OP_NO_SSLv3` (except for :data:`PROTOCOL_SSLv3`) are
>>> -+ set by default. The initial cipher suite list contains only ``HIGH``
>>> -+ ciphers, no ``NULL`` ciphers and no ``MD5`` ciphers (except for
>>> -+ :data:`PROTOCOL_SSLv2`).
>>> -
>>> -
>>> - :class:`SSLContext` objects have the following methods and attributes:
>>> -diff --git a/Lib/ssl.py b/Lib/ssl.py
>>> -index e1913904f3..4d302a78fa 100644
>>> ---- a/Lib/ssl.py
>>> -+++ b/Lib/ssl.py
>>> -@@ -446,32 +446,16 @@ def create_default_context(purpose=Purpose.SERVER_AUTH, *, cafile=None,
>>> - if not isinstance(purpose, _ASN1Object):
>>> - raise TypeError(purpose)
>>> -
>>> -+ # SSLContext sets OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_COMPRESSION,
>>> -+ # OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE and OP_SINGLE_ECDH_USE
>>> -+ # by default.
>>> - context = SSLContext(PROTOCOL_TLS)
>>> -
>>> -- # SSLv2 considered harmful.
>>> -- context.options |= OP_NO_SSLv2
>>> --
>>> -- # SSLv3 has problematic security and is only required for really old
>>> -- # clients such as IE6 on Windows XP
>>> -- context.options |= OP_NO_SSLv3
>>> --
>>> -- # disable compression to prevent CRIME attacks (OpenSSL 1.0+)
>>> -- context.options |= getattr(_ssl, "OP_NO_COMPRESSION", 0)
>>> --
>>> - if purpose == Purpose.SERVER_AUTH:
>>> - # verify certs and host name in client mode
>>> - context.verify_mode = CERT_REQUIRED
>>> - context.check_hostname = True
>>> - elif purpose == Purpose.CLIENT_AUTH:
>>> -- # Prefer the server's ciphers by default so that we get stronger
>>> -- # encryption
>>> -- context.options |= getattr(_ssl, "OP_CIPHER_SERVER_PREFERENCE", 0)
>>> --
>>> -- # Use single use keys in order to improve forward secrecy
>>> -- context.options |= getattr(_ssl, "OP_SINGLE_DH_USE", 0)
>>> -- context.options |= getattr(_ssl, "OP_SINGLE_ECDH_USE", 0)
>>> --
>>> -- # disallow ciphers with known vulnerabilities
>>> - context.set_ciphers(_RESTRICTED_SERVER_CIPHERS)
>>> -
>>> - if cafile or capath or cadata:
>>> -@@ -497,12 +481,10 @@ def _create_unverified_context(protocol=PROTOCOL_TLS, *, cert_reqs=None,
>>> - if not isinstance(purpose, _ASN1Object):
>>> - raise TypeError(purpose)
>>> -
>>> -+ # SSLContext sets OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_COMPRESSION,
>>> -+ # OP_CIPHER_SERVER_PREFERENCE, OP_SINGLE_DH_USE and OP_SINGLE_ECDH_USE
>>> -+ # by default.
>>> - context = SSLContext(protocol)
>>> -- # SSLv2 considered harmful.
>>> -- context.options |= OP_NO_SSLv2
>>> -- # SSLv3 has problematic security and is only required for really old
>>> -- # clients such as IE6 on Windows XP
>>> -- context.options |= OP_NO_SSLv3
>>> -
>>> - if cert_reqs is not None:
>>> - context.verify_mode = cert_reqs
>>> -diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
>>> -index ffb7314f57..f91af7bd05 100644
>>> ---- a/Lib/test/test_ssl.py
>>> -+++ b/Lib/test/test_ssl.py
>>> -@@ -73,6 +73,12 @@ NULLBYTECERT = data_file("nullbytecert.pem")
>>> - DHFILE = data_file("dh1024.pem")
>>> - BYTES_DHFILE = os.fsencode(DHFILE)
>>> -
>>> -+# Not defined in all versions of OpenSSL
>>> -+OP_NO_COMPRESSION = getattr(ssl, "OP_NO_COMPRESSION", 0)
>>> -+OP_SINGLE_DH_USE = getattr(ssl, "OP_SINGLE_DH_USE", 0)
>>> -+OP_SINGLE_ECDH_USE = getattr(ssl, "OP_SINGLE_ECDH_USE", 0)
>>> -+OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0)
>>> -+
>>> -
>>> - def handle_error(prefix):
>>> - exc_format = ' '.join(traceback.format_exception(*sys.exc_info()))
>>> -@@ -839,8 +845,9 @@ class ContextTests(unittest.TestCase):
>>> - ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
>>> - # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value
>>> - default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
>>> -- if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0):
>>> -- default |= ssl.OP_NO_COMPRESSION
>>> -+ # SSLContext also enables these by default
>>> -+ default |= (OP_NO_COMPRESSION | OP_CIPHER_SERVER_PREFERENCE |
>>> -+ OP_SINGLE_DH_USE | OP_SINGLE_ECDH_USE)
>>> - self.assertEqual(default, ctx.options)
>>> - ctx.options |= ssl.OP_NO_TLSv1
>>> - self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
>>> -@@ -1205,16 +1212,29 @@ class ContextTests(unittest.TestCase):
>>> - stats["x509"] += 1
>>> - self.assertEqual(ctx.cert_store_stats(), stats)
>>> -
>>> -+ def _assert_context_options(self, ctx):
>>> -+ self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
>>> -+ if OP_NO_COMPRESSION != 0:
>>> -+ self.assertEqual(ctx.options & OP_NO_COMPRESSION,
>>> -+ OP_NO_COMPRESSION)
>>> -+ if OP_SINGLE_DH_USE != 0:
>>> -+ self.assertEqual(ctx.options & OP_SINGLE_DH_USE,
>>> -+ OP_SINGLE_DH_USE)
>>> -+ if OP_SINGLE_ECDH_USE != 0:
>>> -+ self.assertEqual(ctx.options & OP_SINGLE_ECDH_USE,
>>> -+ OP_SINGLE_ECDH_USE)
>>> -+ if OP_CIPHER_SERVER_PREFERENCE != 0:
>>> -+ self.assertEqual(ctx.options & OP_CIPHER_SERVER_PREFERENCE,
>>> -+ OP_CIPHER_SERVER_PREFERENCE)
>>> -+
>>> - def test_create_default_context(self):
>>> - ctx = ssl.create_default_context()
>>> -+
>>> - self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
>>> - self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
>>> - self.assertTrue(ctx.check_hostname)
>>> -- self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
>>> -- self.assertEqual(
>>> -- ctx.options & getattr(ssl, "OP_NO_COMPRESSION", 0),
>>> -- getattr(ssl, "OP_NO_COMPRESSION", 0),
>>> -- )
>>> -+ self._assert_context_options(ctx)
>>> -+
>>> -
>>> - with open(SIGNING_CA) as f:
>>> - cadata = f.read()
>>> -@@ -1222,40 +1242,24 @@ class ContextTests(unittest.TestCase):
>>> - cadata=cadata)
>>> - self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
>>> - self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
>>> -- self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
>>> -- self.assertEqual(
>>> -- ctx.options & getattr(ssl, "OP_NO_COMPRESSION", 0),
>>> -- getattr(ssl, "OP_NO_COMPRESSION", 0),
>>> -- )
>>> -+ self._assert_context_options(ctx)
>>> -
>>> - ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
>>> - self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
>>> - self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
>>> -- self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
>>> -- self.assertEqual(
>>> -- ctx.options & getattr(ssl, "OP_NO_COMPRESSION", 0),
>>> -- getattr(ssl, "OP_NO_COMPRESSION", 0),
>>> -- )
>>> -- self.assertEqual(
>>> -- ctx.options & getattr(ssl, "OP_SINGLE_DH_USE", 0),
>>> -- getattr(ssl, "OP_SINGLE_DH_USE", 0),
>>> -- )
>>> -- self.assertEqual(
>>> -- ctx.options & getattr(ssl, "OP_SINGLE_ECDH_USE", 0),
>>> -- getattr(ssl, "OP_SINGLE_ECDH_USE", 0),
>>> -- )
>>> -+ self._assert_context_options(ctx)
>>> -
>>> - def test__create_stdlib_context(self):
>>> - ctx = ssl._create_stdlib_context()
>>> - self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
>>> - self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
>>> - self.assertFalse(ctx.check_hostname)
>>> -- self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
>>> -+ self._assert_context_options(ctx)
>>> -
>>> - ctx = ssl._create_stdlib_context(ssl.PROTOCOL_TLSv1)
>>> - self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
>>> - self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
>>> -- self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
>>> -+ self._assert_context_options(ctx)
>>> -
>>> - ctx = ssl._create_stdlib_context(ssl.PROTOCOL_TLSv1,
>>> - cert_reqs=ssl.CERT_REQUIRED,
>>> -@@ -1263,12 +1267,12 @@ class ContextTests(unittest.TestCase):
>>> - self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
>>> - self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
>>> - self.assertTrue(ctx.check_hostname)
>>> -- self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
>>> -+ self._assert_context_options(ctx)
>>> -
>>> - ctx = ssl._create_stdlib_context(purpose=ssl.Purpose.CLIENT_AUTH)
>>> - self.assertEqual(ctx.protocol, ssl.PROTOCOL_SSLv23)
>>> - self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
>>> -- self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
>>> -+ self._assert_context_options(ctx)
>>> -
>>> - def test_check_hostname(self):
>>> - ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
>>> -diff --git a/Modules/_ssl.c b/Modules/_ssl.c
>>> -index 86482677ae..0d5c121d2c 100644
>>> ---- a/Modules/_ssl.c
>>> -+++ b/Modules/_ssl.c
>>> -@@ -2330,6 +2330,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
>>> - PySSLContext *self;
>>> - long options;
>>> - SSL_CTX *ctx = NULL;
>>> -+ int result;
>>> - #if defined(SSL_MODE_RELEASE_BUFFERS)
>>> - unsigned long libver;
>>> - #endif
>>> -@@ -2393,8 +2394,38 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
>>> - options |= SSL_OP_NO_SSLv2;
>>> - if (proto_version != PY_SSL_VERSION_SSL3)
>>> - options |= SSL_OP_NO_SSLv3;
>>> -+ /* Minimal security flags for server and client side context.
>>> -+ * Client sockets ignore server-side parameters. */
>>> -+#ifdef SSL_OP_NO_COMPRESSION
>>> -+ options |= SSL_OP_NO_COMPRESSION;
>>> -+#endif
>>> -+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
>>> -+ options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
>>> -+#endif
>>> -+#ifdef SSL_OP_SINGLE_DH_USE
>>> -+ options |= SSL_OP_SINGLE_DH_USE;
>>> -+#endif
>>> -+#ifdef SSL_OP_SINGLE_ECDH_USE
>>> -+ options |= SSL_OP_SINGLE_ECDH_USE;
>>> -+#endif
>>> - SSL_CTX_set_options(self->ctx, options);
>>> -
>>> -+ /* A bare minimum cipher list without completly broken cipher suites.
>>> -+ * It's far from perfect but gives users a better head start. */
>>> -+ if (proto_version != PY_SSL_VERSION_SSL2) {
>>> -+ result = SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!eNULL:!MD5");
>>> -+ } else {
>>> -+ /* SSLv2 needs MD5 */
>>> -+ result = SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!eNULL");
>>> -+ }
>>> -+ if (result == 0) {
>>> -+ Py_DECREF(self);
>>> -+ ERR_clear_error();
>>> -+ PyErr_SetString(PySSLErrorObject,
>>> -+ "No cipher can be selected.");
>>> -+ return NULL;
>>> -+ }
>>> -+
>>> - #if defined(SSL_MODE_RELEASE_BUFFERS)
>>> - /* Set SSL_MODE_RELEASE_BUFFERS. This potentially greatly reduces memory
>>> - usage for no cost at all. However, don't do this for OpenSSL versions
>>> ---
>>> -2.17.1
>>> -
>>> diff --git a/meta/recipes-devtools/python/python3/0002-Makefile-add-target-to-split-profile-generation.patch b/meta/recipes-devtools/python/python3/0002-Makefile-add-target-to-split-profile-generation.patch
>>> deleted file mode 100644
>>> index 2b4ba316e4..0000000000
>>> --- a/meta/recipes-devtools/python/python3/0002-Makefile-add-target-to-split-profile-generation.patch
>>> +++ /dev/null
>>> @@ -1,40 +0,0 @@
>>> -From 98586d6dc598e40b8b821b0dde57599e188a7ca4 Mon Sep 17 00:00:00 2001
>>> -From: Anuj Mittal <anuj.mittal at intel.com>
>>> -Date: Tue, 7 Aug 2018 16:43:17 +0800
>>> -Subject: [PATCH 2/2] Makefile: add target to split profile generation
>>> -
>>> -We don't want to have profile task invoked from here and want to use
>>> -qemu-user instead. Split the profile-opt task so qemu can be invoked
>>> -once binaries have been built with instrumentation and then we can go
>>> -ahead and build again using the profile data generated.
>>> -
>>> -Upstream-Status: Inappropriate [OE-specific]
>>> -
>>> -Signed-off-by: Anuj Mittal <anuj.mittal at intel.com>
>>> ----
>>> - Makefile.pre.in | 6 ++----
>>> - 1 file changed, 2 insertions(+), 4 deletions(-)
>>> -
>>> -diff --git a/Makefile.pre.in b/Makefile.pre.in
>>> -index 84bc3ff..017a2c4 100644
>>> ---- a/Makefile.pre.in
>>> -+++ b/Makefile.pre.in
>>> -@@ -469,13 +469,12 @@ profile-opt:
>>> - $(MAKE) profile-removal
>>> - $(MAKE) build_all_generate_profile
>>> - $(MAKE) profile-removal
>>> -- @echo "Running code to generate profile data (this can take a while):"
>>> -- $(MAKE) run_profile_task
>>> -- $(MAKE) build_all_merge_profile
>>> -+
>>> -+clean_and_use_profile:
>>> - @echo "Rebuilding with profile guided optimizations:"
>>> - $(MAKE) clean
>>> - $(MAKE) build_all_use_profile
>>> - $(MAKE) profile-removal
>>> -
>>> - build_all_generate_profile:
>>> - $(MAKE) @DEF_MAKE_RULE@ CFLAGS_NODIST="$(CFLAGS) $(EXTRA_CFLAGS) $(PGO_PROF_GEN_FLAG) @LTOFLAGS@" LDFLAGS="$(LDFLAGS) $(PGO_PROF_GEN_FLAG) @LTOFLAGS@" LIBS="$(LIBS)"
>>> ---
>>> -2.17.1
>>> -
>>> diff --git a/meta/recipes-devtools/python/python3/0002-bpo-29136-Add-TLS-1.3-cipher-suites-and-OP_NO_TLSv1_.patch b/meta/recipes-devtools/python/python3/0002-bpo-29136-Add-TLS-1.3-cipher-suites-and-OP_NO_TLSv1_.patch
>>> deleted file mode 100644
>>> index d48cad7586..0000000000
>>> --- a/meta/recipes-devtools/python/python3/0002-bpo-29136-Add-TLS-1.3-cipher-suites-and-OP_NO_TLSv1_.patch
>>> +++ /dev/null
>>> @@ -1,227 +0,0 @@
>>> -From e950ea68dab006944af194c9910b8f2341d1437d Mon Sep 17 00:00:00 2001
>>> -From: Christian Heimes <christian at python.org>
>>> -Date: Thu, 7 Sep 2017 20:23:52 -0700
>>> -Subject: [PATCH] bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3
>>> - (GH-1363) (#3444)
>>> -
>>> -* bpo-29136: Add TLS 1.3 support
>>> -
>>> -TLS 1.3 introduces a new, distinct set of cipher suites. The TLS 1.3
>>> -cipher suites don't overlap with cipher suites from TLS 1.2 and earlier.
>>> -Since Python sets its own set of permitted ciphers, TLS 1.3 handshake
>>> -will fail as soon as OpenSSL 1.1.1 is released. Let's enable the common
>>> -AES-GCM and ChaCha20 suites.
>>> -
>>> -Additionally the flag OP_NO_TLSv1_3 is added. It defaults to 0 (no op) with
>>> -OpenSSL prior to 1.1.1. This allows applications to opt-out from TLS 1.3
>>> -now.
>>> -
>>> -Signed-off-by: Christian Heimes <christian at python.org>.
>>> -(cherry picked from commit cb5b68abdeb1b1d56c581d5b4d647018703d61e3)
>>> -
>>> -Upstream-Status: Backport
>>> -[https://github.com/python/cpython/commit/cb5b68abdeb1b1d56c581d5b4d647018703d61e3]
>>> -
>>> -Signed-off-by: Anuj Mittal <anuj.mittal at intel.com>
>>> ----
>>> - Doc/library/ssl.rst | 21 ++++++++++++++
>>> - Lib/ssl.py | 7 +++++
>>> - Lib/test/test_ssl.py | 29 ++++++++++++++++++-
>>> - .../2017-09-04-16-39-49.bpo-29136.vSn1oR.rst | 1 +
>>> - Modules/_ssl.c | 13 +++++++++
>>> - 5 files changed, 70 insertions(+), 1 deletion(-)
>>> - create mode 100644 Misc/NEWS.d/next/Library/2017-09-04-16-39-49.bpo-29136.vSn1oR.rst
>>> -
>>> -diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
>>> -index 14f2d68217..29c5e94cf6 100644
>>> ---- a/Doc/library/ssl.rst
>>> -+++ b/Doc/library/ssl.rst
>>> -@@ -285,6 +285,11 @@ purposes.
>>> -
>>> - 3DES was dropped from the default cipher string.
>>> -
>>> -+ .. versionchanged:: 3.7
>>> -+
>>> -+ TLS 1.3 cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
>>> -+ and TLS_CHACHA20_POLY1305_SHA256 were added to the default cipher string.
>>> -+
>>> -
>>> - Random generation
>>> - ^^^^^^^^^^^^^^^^^
>>> -@@ -719,6 +724,16 @@ Constants
>>> -
>>> - .. versionadded:: 3.4
>>> -
>>> -+.. data:: OP_NO_TLSv1_3
>>> -+
>>> -+ Prevents a TLSv1.3 connection. This option is only applicable in conjunction
>>> -+ with :const:`PROTOCOL_TLS`. It prevents the peers from choosing TLSv1.3 as
>>> -+ the protocol version. TLS 1.3 is available with OpenSSL 1.1.1 or later.
>>> -+ When Python has been compiled against an older version of OpenSSL, the
>>> -+ flag defaults to *0*.
>>> -+
>>> -+ .. versionadded:: 3.7
>>> -+
>>> - .. data:: OP_CIPHER_SERVER_PREFERENCE
>>> -
>>> - Use the server's cipher ordering preference, rather than the client's.
>>> -@@ -783,6 +798,12 @@ Constants
>>> -
>>> - .. versionadded:: 3.3
>>> -
>>> -+.. data:: HAS_TLSv1_3
>>> -+
>>> -+ Whether the OpenSSL library has built-in support for the TLS 1.3 protocol.
>>> -+
>>> -+ .. versionadded:: 3.7
>>> -+
>>> - .. data:: CHANNEL_BINDING_TYPES
>>> -
>>> - List of supported TLS channel binding types. Strings in this list
>>> -diff --git a/Lib/ssl.py b/Lib/ssl.py
>>> -index 4d302a78fa..f233e72e1f 100644
>>> ---- a/Lib/ssl.py
>>> -+++ b/Lib/ssl.py
>>> -@@ -122,6 +122,7 @@ _import_symbols('OP_')
>>> - _import_symbols('ALERT_DESCRIPTION_')
>>> - _import_symbols('SSL_ERROR_')
>>> - _import_symbols('VERIFY_')
>>> -+from _ssl import HAS_SNI, HAS_ECDH, HAS_NPN, HAS_ALPN, HAS_TLSv1_3
>>> -
>>> - from _ssl import HAS_SNI, HAS_ECDH, HAS_NPN, HAS_ALPN
>>> -
>>> -@@ -162,6 +163,7 @@ else:
>>> - # (OpenSSL's default setting is 'DEFAULT:!aNULL:!eNULL')
>>> - # Enable a better set of ciphers by default
>>> - # This list has been explicitly chosen to:
>>> -+# * TLS 1.3 ChaCha20 and AES-GCM cipher suites
>>> - # * Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE)
>>> - # * Prefer ECDHE over DHE for better performance
>>> - # * Prefer AEAD over CBC for better performance and security
>>> -@@ -173,6 +175,8 @@ else:
>>> - # * Disable NULL authentication, NULL encryption, 3DES and MD5 MACs
>>> - # for security reasons
>>> - _DEFAULT_CIPHERS = (
>>> -+ 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:'
>>> -+ 'TLS13-AES-128-GCM-SHA256:'
>>> - 'ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:'
>>> - 'ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:'
>>> - '!aNULL:!eNULL:!MD5:!3DES'
>>> -@@ -180,6 +184,7 @@ _DEFAULT_CIPHERS = (
>>> -
>>> - # Restricted and more secure ciphers for the server side
>>> - # This list has been explicitly chosen to:
>>> -+# * TLS 1.3 ChaCha20 and AES-GCM cipher suites
>>> - # * Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE)
>>> - # * Prefer ECDHE over DHE for better performance
>>> - # * Prefer AEAD over CBC for better performance and security
>>> -@@ -190,6 +195,8 @@ _DEFAULT_CIPHERS = (
>>> - # * Disable NULL authentication, NULL encryption, MD5 MACs, DSS, RC4, and
>>> - # 3DES for security reasons
>>> - _RESTRICTED_SERVER_CIPHERS = (
>>> -+ 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:'
>>> -+ 'TLS13-AES-128-GCM-SHA256:'
>>> - 'ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:'
>>> - 'ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:'
>>> - '!aNULL:!eNULL:!MD5:!DSS:!RC4:!3DES'
>>> -diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
>>> -index f91af7bd05..1acc12ec2d 100644
>>> ---- a/Lib/test/test_ssl.py
>>> -+++ b/Lib/test/test_ssl.py
>>> -@@ -150,6 +150,13 @@ class BasicSocketTests(unittest.TestCase):
>>> - ssl.OP_NO_COMPRESSION
>>> - self.assertIn(ssl.HAS_SNI, {True, False})
>>> - self.assertIn(ssl.HAS_ECDH, {True, False})
>>> -+ ssl.OP_NO_SSLv2
>>> -+ ssl.OP_NO_SSLv3
>>> -+ ssl.OP_NO_TLSv1
>>> -+ ssl.OP_NO_TLSv1_3
>>> -+ if ssl.OPENSSL_VERSION_INFO >= (1, 0, 1):
>>> -+ ssl.OP_NO_TLSv1_1
>>> -+ ssl.OP_NO_TLSv1_2
>>> -
>>> - def test_str_for_enums(self):
>>> - # Make sure that the PROTOCOL_* constants have enum-like string
>>> -@@ -3028,12 +3035,33 @@ else:
>>> - self.assertEqual(s.version(), 'TLSv1')
>>> - self.assertIs(s.version(), None)
>>> -
>>> -+ @unittest.skipUnless(ssl.HAS_TLSv1_3,
>>> -+ "test requires TLSv1.3 enabled OpenSSL")
>>> -+ def test_tls1_3(self):
>>> -+ context = ssl.SSLContext(ssl.PROTOCOL_TLS)
>>> -+ context.load_cert_chain(CERTFILE)
>>> -+ # disable all but TLS 1.3
>>> -+ context.options |= (
>>> -+ ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_2
>>> -+ )
>>> -+ with ThreadedEchoServer(context=context) as server:
>>> -+ with context.wrap_socket(socket.socket()) as s:
>>> -+ s.connect((HOST, server.port))
>>> -+ self.assertIn(s.cipher()[0], [
>>> -+ 'TLS13-AES-256-GCM-SHA384',
>>> -+ 'TLS13-CHACHA20-POLY1305-SHA256',
>>> -+ 'TLS13-AES-128-GCM-SHA256',
>>> -+ ])
>>> -+
>>> - @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
>>> - def test_default_ecdh_curve(self):
>>> - # Issue #21015: elliptic curve-based Diffie Hellman key exchange
>>> - # should be enabled by default on SSL contexts.
>>> - context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
>>> - context.load_cert_chain(CERTFILE)
>>> -+ # TLSv1.3 defaults to PFS key agreement and no longer has KEA in
>>> -+ # cipher name.
>>> -+ context.options |= ssl.OP_NO_TLSv1_3
>>> - # Prior to OpenSSL 1.0.0, ECDH ciphers have to be enabled
>>> - # explicitly using the 'ECCdraft' cipher alias. Otherwise,
>>> - # our default cipher list should prefer ECDH-based ciphers
>>> -@@ -3394,7 +3422,6 @@ else:
>>> - s.sendfile(file)
>>> - self.assertEqual(s.recv(1024), TEST_DATA)
>>> -
>>> --
>>> - def test_main(verbose=False):
>>> - if support.verbose:
>>> - import warnings
>>> -diff --git a/Misc/NEWS.d/next/Library/2017-09-04-16-39-49.bpo-29136.vSn1oR.rst b/Misc/NEWS.d/next/Library/2017-09-04-16-39-49.bpo-29136.vSn1oR.rst
>>> -new file mode 100644
>>> -index 0000000000..e76997ef83
>>> ---- /dev/null
>>> -+++ b/Misc/NEWS.d/next/Library/2017-09-04-16-39-49.bpo-29136.vSn1oR.rst
>>> -@@ -0,0 +1 @@
>>> -+Add TLS 1.3 cipher suites and OP_NO_TLSv1_3.
>>> -diff --git a/Modules/_ssl.c b/Modules/_ssl.c
>>> -index 0d5c121d2c..c71d89607c 100644
>>> ---- a/Modules/_ssl.c
>>> -+++ b/Modules/_ssl.c
>>> -@@ -4842,6 +4842,11 @@ PyInit__ssl(void)
>>> - #if HAVE_TLSv1_2
>>> - PyModule_AddIntConstant(m, "OP_NO_TLSv1_1", SSL_OP_NO_TLSv1_1);
>>> - PyModule_AddIntConstant(m, "OP_NO_TLSv1_2", SSL_OP_NO_TLSv1_2);
>>> -+#endif
>>> -+#ifdef SSL_OP_NO_TLSv1_3
>>> -+ PyModule_AddIntConstant(m, "OP_NO_TLSv1_3", SSL_OP_NO_TLSv1_3);
>>> -+#else
>>> -+ PyModule_AddIntConstant(m, "OP_NO_TLSv1_3", 0);
>>> - #endif
>>> - PyModule_AddIntConstant(m, "OP_CIPHER_SERVER_PREFERENCE",
>>> - SSL_OP_CIPHER_SERVER_PREFERENCE);
>>> -@@ -4890,6 +4895,14 @@ PyInit__ssl(void)
>>> - Py_INCREF(r);
>>> - PyModule_AddObject(m, "HAS_ALPN", r);
>>> -
>>> -+#if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3)
>>> -+ r = Py_True;
>>> -+#else
>>> -+ r = Py_False;
>>> -+#endif
>>> -+ Py_INCREF(r);
>>> -+ PyModule_AddObject(m, "HAS_TLSv1_3", r);
>>> -+
>>> - /* Mappings for error codes */
>>> - err_codes_to_names = PyDict_New();
>>> - err_names_to_codes = PyDict_New();
>>> ---
>>> -2.17.1
>>> -
>>> diff --git a/meta/recipes-devtools/python/python3/0003-bpo-32947-Fixes-for-TLS-1.3-and-OpenSSL-1.1.1-GH-876.patch b/meta/recipes-devtools/python/python3/0003-bpo-32947-Fixes-for-TLS-1.3-and-OpenSSL-1.1.1-GH-876.patch
>>> deleted file mode 100644
>>> index 56d591d1b5..0000000000
>>> --- a/meta/recipes-devtools/python/python3/0003-bpo-32947-Fixes-for-TLS-1.3-and-OpenSSL-1.1.1-GH-876.patch
>>> +++ /dev/null
>>> @@ -1,173 +0,0 @@
>>> -From 170a614904febd14ff6cfd7a75c9bccc114b3948 Mon Sep 17 00:00:00 2001
>>> -From: Christian Heimes <christian at python.org>
>>> -Date: Tue, 14 Aug 2018 16:56:32 +0200
>>> -Subject: [PATCH] bpo-32947: Fixes for TLS 1.3 and OpenSSL 1.1.1 (GH-8761)
>>> -
>>> -Backport of TLS 1.3 related fixes from 3.7.
>>> -
>>> -Misc fixes and workarounds for compatibility with OpenSSL 1.1.1 from git
>>> -master and TLS 1.3 support. With OpenSSL 1.1.1, Python negotiates TLS 1.3 by
>>> -default. Some test cases only apply to TLS 1.2.
>>> -
>>> -OpenSSL 1.1.1 has added a new option OP_ENABLE_MIDDLEBOX_COMPAT for TLS
>>> -1.3. The feature is enabled by default for maximum compatibility with
>>> -broken middle boxes. Users should be able to disable the hack and CPython's test suite needs
>>> -it to verify default options
>>> -
>>> -Signed-off-by: Christian Heimes <christian at python.org>
>>> -
>>> -Upstream-Status: Backport
>>> -[https://github.com/python/cpython/commit/2a4ee8aa01d61b6a9c8e9c65c211e61bdb471826]
>>> -
>>> -Signed-off-by: Anuj Mittal <anuj.mittal at intel.com>
>>> ----
>>> - Doc/library/ssl.rst | 9 ++++++
>>> - Lib/test/test_asyncio/test_events.py | 6 +++-
>>> - Lib/test/test_ssl.py | 29 +++++++++++++++----
>>> - .../2018-08-14-08-57-01.bpo-32947.mqStVW.rst | 2 ++
>>> - Modules/_ssl.c | 4 +++
>>> - 5 files changed, 44 insertions(+), 6 deletions(-)
>>> - create mode 100644 Misc/NEWS.d/next/Library/2018-08-14-08-57-01.bpo-32947.mqStVW.rst
>>> -
>>> -diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
>>> -index 29c5e94cf6..f63a3deec5 100644
>>> ---- a/Doc/library/ssl.rst
>>> -+++ b/Doc/library/ssl.rst
>>> -@@ -757,6 +757,15 @@ Constants
>>> -
>>> - .. versionadded:: 3.3
>>> -
>>> -+.. data:: OP_ENABLE_MIDDLEBOX_COMPAT
>>> -+
>>> -+ Send dummy Change Cipher Spec (CCS) messages in TLS 1.3 handshake to make
>>> -+ a TLS 1.3 connection look more like a TLS 1.2 connection.
>>> -+
>>> -+ This option is only available with OpenSSL 1.1.1 and later.
>>> -+
>>> -+ .. versionadded:: 3.6.7
>>> -+
>>> - .. data:: OP_NO_COMPRESSION
>>> -
>>> - Disable compression on the SSL channel. This is useful if the application
>>> -diff --git a/Lib/test/test_asyncio/test_events.py b/Lib/test/test_asyncio/test_events.py
>>> -index 492a84a231..6f208474b9 100644
>>> ---- a/Lib/test/test_asyncio/test_events.py
>>> -+++ b/Lib/test/test_asyncio/test_events.py
>>> -@@ -1169,7 +1169,11 @@ class EventLoopTestsMixin:
>>> - self.loop.run_until_complete(f_c)
>>> -
>>> - # close connection
>>> -- proto.transport.close()
>>> -+ # transport may be None with TLS 1.3, because connection is
>>> -+ # interrupted, server is unable to send session tickets, and
>>> -+ # transport is closed.
>>> -+ if proto.transport is not None:
>>> -+ proto.transport.close()
>>> - server.close()
>>> -
>>> - def test_legacy_create_server_ssl_match_failed(self):
>>> -diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
>>> -index 1acc12ec2d..a2e1d32a62 100644
>>> ---- a/Lib/test/test_ssl.py
>>> -+++ b/Lib/test/test_ssl.py
>>> -@@ -78,6 +78,7 @@ OP_NO_COMPRESSION = getattr(ssl, "OP_NO_COMPRESSION", 0)
>>> - OP_SINGLE_DH_USE = getattr(ssl, "OP_SINGLE_DH_USE", 0)
>>> - OP_SINGLE_ECDH_USE = getattr(ssl, "OP_SINGLE_ECDH_USE", 0)
>>> - OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0)
>>> -+OP_ENABLE_MIDDLEBOX_COMPAT = getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 0)
>>> -
>>> -
>>> - def handle_error(prefix):
>>> -@@ -155,8 +156,8 @@ class BasicSocketTests(unittest.TestCase):
>>> - ssl.OP_NO_TLSv1
>>> - ssl.OP_NO_TLSv1_3
>>> - if ssl.OPENSSL_VERSION_INFO >= (1, 0, 1):
>>> -- ssl.OP_NO_TLSv1_1
>>> -- ssl.OP_NO_TLSv1_2
>>> -+ ssl.OP_NO_TLSv1_1
>>> -+ ssl.OP_NO_TLSv1_2
>>> -
>>> - def test_str_for_enums(self):
>>> - # Make sure that the PROTOCOL_* constants have enum-like string
>>> -@@ -854,7 +855,8 @@ class ContextTests(unittest.TestCase):
>>> - default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
>>> - # SSLContext also enables these by default
>>> - default |= (OP_NO_COMPRESSION | OP_CIPHER_SERVER_PREFERENCE |
>>> -- OP_SINGLE_DH_USE | OP_SINGLE_ECDH_USE)
>>> -+ OP_SINGLE_DH_USE | OP_SINGLE_ECDH_USE |
>>> -+ OP_ENABLE_MIDDLEBOX_COMPAT)
>>> - self.assertEqual(default, ctx.options)
>>> - ctx.options |= ssl.OP_NO_TLSv1
>>> - self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
>>> -@@ -1860,11 +1862,26 @@ else:
>>> - self.sock, server_side=True)
>>> - self.server.selected_npn_protocols.append(self.sslconn.selected_npn_protocol())
>>> - self.server.selected_alpn_protocols.append(self.sslconn.selected_alpn_protocol())
>>> -- except (ssl.SSLError, ConnectionResetError) as e:
>>> -+ except (ConnectionResetError, BrokenPipeError) as e:
>>> - # We treat ConnectionResetError as though it were an
>>> - # SSLError - OpenSSL on Ubuntu abruptly closes the
>>> - # connection when asked to use an unsupported protocol.
>>> - #
>>> -+ # BrokenPipeError is raised in TLS 1.3 mode, when OpenSSL
>>> -+ # tries to send session tickets after handshake.
>>> -+ # https://github.com/openssl/openssl/issues/6342
>>> -+ self.server.conn_errors.append(str(e))
>>> -+ if self.server.chatty:
>>> -+ handle_error(
>>> -+ "\n server: bad connection attempt from " + repr(
>>> -+ self.addr) + ":\n")
>>> -+ self.running = False
>>> -+ self.close()
>>> -+ return False
>>> -+ except (ssl.SSLError, OSError) as e:
>>> -+ # OSError may occur with wrong protocols, e.g. both
>>> -+ # sides use PROTOCOL_TLS_SERVER.
>>> -+ #
>>> - # XXX Various errors can have happened here, for example
>>> - # a mismatching protocol version, an invalid certificate,
>>> - # or a low-level bug. This should be made more discriminating.
>>> -@@ -2974,7 +2991,7 @@ else:
>>> - # Block on the accept and wait on the connection to close.
>>> - evt.set()
>>> - remote, peer = server.accept()
>>> -- remote.recv(1)
>>> -+ remote.send(remote.recv(4))
>>> -
>>> - t = threading.Thread(target=serve)
>>> - t.start()
>>> -@@ -2982,6 +2999,8 @@ else:
>>> - evt.wait()
>>> - client = context.wrap_socket(socket.socket())
>>> - client.connect((host, port))
>>> -+ client.send(b'data')
>>> -+ client.recv()
>>> - client_addr = client.getsockname()
>>> - client.close()
>>> - t.join()
>>> -diff --git a/Misc/NEWS.d/next/Library/2018-08-14-08-57-01.bpo-32947.mqStVW.rst b/Misc/NEWS.d/next/Library/2018-08-14-08-57-01.bpo-32947.mqStVW.rst
>>> -new file mode 100644
>>> -index 0000000000..28de360c36
>>> ---- /dev/null
>>> -+++ b/Misc/NEWS.d/next/Library/2018-08-14-08-57-01.bpo-32947.mqStVW.rst
>>> -@@ -0,0 +1,2 @@
>>> -+Add OP_ENABLE_MIDDLEBOX_COMPAT and test workaround for TLSv1.3 for future
>>> -+compatibility with OpenSSL 1.1.1.
>>> -diff --git a/Modules/_ssl.c b/Modules/_ssl.c
>>> -index c71d89607c..eb123a87ba 100644
>>> ---- a/Modules/_ssl.c
>>> -+++ b/Modules/_ssl.c
>>> -@@ -4858,6 +4858,10 @@ PyInit__ssl(void)
>>> - PyModule_AddIntConstant(m, "OP_NO_COMPRESSION",
>>> - SSL_OP_NO_COMPRESSION);
>>> - #endif
>>> -+#ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
>>> -+ PyModule_AddIntConstant(m, "OP_ENABLE_MIDDLEBOX_COMPAT",
>>> -+ SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
>>> -+#endif
>>> -
>>> - #if HAVE_SNI
>>> - r = Py_True;
>>> ---
>>> -2.17.1
>>> -
>>> diff --git a/meta/recipes-devtools/python/python3/0004-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976.patch b/meta/recipes-devtools/python/python3/0004-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976.patch
>>> deleted file mode 100644
>>> index b97d5501e1..0000000000
>>> --- a/meta/recipes-devtools/python/python3/0004-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976.patch
>>> +++ /dev/null
>>> @@ -1,110 +0,0 @@
>>> -From 0c9354362bfa5f90fbea8ff8237a1f1f5dba686f Mon Sep 17 00:00:00 2001
>>> -From: Christian Heimes <christian at python.org>
>>> -Date: Wed, 12 Sep 2018 15:20:31 +0800
>>> -Subject: [PATCH] bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976)
>>> -
>>> -Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
>>> -1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
>>> -default.
>>> -
>>> -Also update multissltests and Travis config to test with latest OpenSSL.
>>> -
>>> -Signed-off-by: Christian Heimes <christian at python.org>
>>> -(cherry picked from commit e8eb6cb7920ded66abc5d284319a8539bdc2bae3)
>>> -
>>> -Co-authored-by: Christian Heimes <christian at python.org
>>> -
>>> -Upstream-Status: Backport
>>> -[https://github.com/python/cpython/commit/3e630c541b35c96bfe5619165255e559f577ee71]
>>> -
>>> -Tweaked patch to not take changes for multissltests and Travis config.
>>> -
>>> -Signed-off-by: Anuj Mittal <anuj.mittal at intel.com>
>>> ----
>>> - Lib/test/test_ssl.py | 51 ++++++++++++++++++++++----------------------
>>> - 1 file changed, 26 insertions(+), 25 deletions(-)
>>> -
>>> -diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
>>> -index a2e1d32a62..c484ead5ff 100644
>>> ---- a/Lib/test/test_ssl.py
>>> -+++ b/Lib/test/test_ssl.py
>>> -@@ -3024,17 +3024,21 @@ else:
>>> - sock.do_handshake()
>>> - self.assertEqual(cm.exception.errno, errno.ENOTCONN)
>>> -
>>> -- def test_default_ciphers(self):
>>> -- context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
>>> -- try:
>>> -- # Force a set of weak ciphers on our client context
>>> -- context.set_ciphers("DES")
>>> -- except ssl.SSLError:
>>> -- self.skipTest("no DES cipher available")
>>> -- with ThreadedEchoServer(CERTFILE,
>>> -- ssl_version=ssl.PROTOCOL_SSLv23,
>>> -- chatty=False) as server:
>>> -- with context.wrap_socket(socket.socket()) as s:
>>> -+ def test_no_shared_ciphers(self):
>>> -+ server_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
>>> -+ server_context.load_cert_chain(SIGNED_CERTFILE)
>>> -+ client_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
>>> -+ client_context.verify_mode = ssl.CERT_REQUIRED
>>> -+ client_context.check_hostname = True
>>> -+
>>> -+ client_context.set_ciphers("AES128")
>>> -+ server_context.set_ciphers("AES256")
>>> -+ # OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for test
>>> -+ client_context.options |= ssl.OP_NO_TLSv1_3
>>> -+ with ThreadedEchoServer(context=server_context) as server:
>>> -+ with client_context.wrap_socket(
>>> -+ socket.socket(),
>>> -+ server_hostname="localhost") as s:
>>> - with self.assertRaises(OSError):
>>> - s.connect((HOST, server.port))
>>> - self.assertIn("no shared cipher", str(server.conn_errors[0]))
>>> -@@ -3067,9 +3071,9 @@ else:
>>> - with context.wrap_socket(socket.socket()) as s:
>>> - s.connect((HOST, server.port))
>>> - self.assertIn(s.cipher()[0], [
>>> -- 'TLS13-AES-256-GCM-SHA384',
>>> -- 'TLS13-CHACHA20-POLY1305-SHA256',
>>> -- 'TLS13-AES-128-GCM-SHA256',
>>> -+ 'TLS_AES_256_GCM_SHA384',
>>> -+ 'TLS_CHACHA20_POLY1305_SHA256',
>>> -+ 'TLS_AES_128_GCM_SHA256',
>>> - ])
>>> -
>>> - @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
>>> -@@ -3391,22 +3395,19 @@ else:
>>> - client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
>>> - client_context.verify_mode = ssl.CERT_REQUIRED
>>> - client_context.load_verify_locations(SIGNING_CA)
>>> -- if ssl.OPENSSL_VERSION_INFO >= (1, 0, 2):
>>> -- client_context.set_ciphers("AES128:AES256")
>>> -- server_context.set_ciphers("AES256")
>>> -- alg1 = "AES256"
>>> -- alg2 = "AES-256"
>>> -- else:
>>> -- client_context.set_ciphers("AES:3DES")
>>> -- server_context.set_ciphers("3DES")
>>> -- alg1 = "3DES"
>>> -- alg2 = "DES-CBC3"
>>> -+ client_context.set_ciphers("AES128:AES256")
>>> -+ server_context.set_ciphers("AES256")
>>> -+ expected_algs = [
>>> -+ "AES256", "AES-256",
>>> -+ # TLS 1.3 ciphers are always enabled
>>> -+ "TLS_CHACHA20", "TLS_AES",
>>> -+ ]
>>> -
>>> - stats = server_params_test(client_context, server_context)
>>> - ciphers = stats['server_shared_ciphers'][0]
>>> - self.assertGreater(len(ciphers), 0)
>>> - for name, tls_version, bits in ciphers:
>>> -- if not alg1 in name.split("-") and alg2 not in name:
>>> -+ if not any (alg in name for alg in expected_algs):
>>> - self.fail(name)
>>> -
>>> - def test_read_write_after_close_raises_valuerror(self):
>>> ---
>>> -2.17.1
>>> -
>>> diff --git a/meta/recipes-devtools/python/python3/0005-bpo-30714-ALPN-changes-for-OpenSSL-1.1.0f-2305.patch b/meta/recipes-devtools/python/python3/0005-bpo-30714-ALPN-changes-for-OpenSSL-1.1.0f-2305.patch
>>> deleted file mode 100644
>>> index d609847204..0000000000
>>> --- a/meta/recipes-devtools/python/python3/0005-bpo-30714-ALPN-changes-for-OpenSSL-1.1.0f-2305.patch
>>> +++ /dev/null
>>> @@ -1,68 +0,0 @@
>>> -From 7b40cb7293cb14e5c7c8ed123efaf9acb33edae2 Mon Sep 17 00:00:00 2001
>>> -From: Christian Heimes <christian at python.org>
>>> -Date: Tue, 15 Aug 2017 10:33:43 +0200
>>> -Subject: [PATCH] bpo-30714: ALPN changes for OpenSSL 1.1.0f (#2305)
>>> -
>>> -OpenSSL 1.1.0 to 1.1.0e aborted the handshake when server and client
>>> -could not agree on a protocol using ALPN. OpenSSL 1.1.0f changed that.
>>> -The most recent version now behaves like OpenSSL 1.0.2 again. The ALPN
>>> -callback can pretend to not been set.
>>> -
>>> -See https://github.com/openssl/openssl/pull/3158 for more details
>>> -
>>> -Signed-off-by: Christian Heimes <christian at python.org>
>>> -
>>> -Upstream-Status: Backport
>>> -[https://github.com/python/cpython/commit/7b40cb7293cb14e5c7c8ed123efaf9acb33edae2]
More information about the Openembedded-core
mailing list