* [PATCHv2] python3: update to version 3.5.5 to fix security issues
@ 2018-03-11 22:18 Derek Straka
  2018-03-15 16:25 ` Alexander Kanavin
  0 siblings, 1 reply; 11+ messages in thread
From: Derek Straka @ 2018-03-11 22:18 UTC
  To: openembedded-core

License-Update: checksum change is due to bump in copyright year

Resolves CVE-2017-1000158 and other potential security issues

See https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-5-final

Signed-off-by: Derek Straka <derek@asterius.io>
---
 meta/recipes-devtools/python/{python3_3.5.4.bb => python3_3.5.5.bb} | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 rename meta/recipes-devtools/python/{python3_3.5.4.bb => python3_3.5.5.bb} (98%)

diff --git a/meta/recipes-devtools/python/python3_3.5.4.bb b/meta/recipes-devtools/python/python3_3.5.5.bb
similarity index 98%
rename from meta/recipes-devtools/python/python3_3.5.4.bb
rename to meta/recipes-devtools/python/python3_3.5.5.bb
index a94d009..8150dd6 100644
--- a/meta/recipes-devtools/python/python3_3.5.4.bb
+++ b/meta/recipes-devtools/python/python3_3.5.5.bb
@@ -38,10 +38,10 @@ SRC_URI += "\
             file://0001-Issue-21272-Use-_sysconfigdata.py-to-initialize-dist.patch \
             file://pass-missing-libraries-to-Extension-for-mul.patch \
            "
-SRC_URI[md5sum] = "fb2780baa260b4e51cbea814f111f303"
-SRC_URI[sha256sum] = "94d93bfabb3b109f8a10365a325f920f9ec98c6e2380bf228f9700a14054c84c"
+SRC_URI[md5sum] = "f3763edf9824d5d3a15f5f646083b6e0"
+SRC_URI[sha256sum] = "063d2c3b0402d6191b90731e0f735c64830e7522348aeb7ed382a83165d45009"
 
-LIC_FILES_CHKSUM = "file://LICENSE;md5=f741e51de91d4eeea5930b9c3c7fa69d"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=b6ec515b22618f55fa07276b897bacea"
 
 # exclude pre-releases for both python 2.x and 3.x
 UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
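Review bot: the new SRC_URI[sha256sum] is what pins the tarball the build will accept, and neither the hunk nor the commit message says where the new md5sum and sha256sum values came from; please note that they were computed from the upstream 3.5.5 release tarball and compared against upstream's published digest or signature. On the LIC_FILES_CHKSUM line, the md5 is taken over the whole LICENSE file (no line range is given), so any edit to that file changes it; it is worth confirming that the copyright-year bump named in the License-Update line is the only difference. The diffstat lists a single renamed recipe, so any other recipe built from the same tarball would still carry the 3.5.4 checksums.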
-- 
2.7.4




* Re: [PATCHv2] python3: update to version 3.5.5 to fix security issues
  2018-03-11 22:18 [PATCHv2] python3: update to version 3.5.5 to fix security issues Derek Straka
@ 2018-03-15 16:25 ` Alexander Kanavin
  2018-03-15 16:37   ` Derek Straka
  2018-03-15 16:41   ` Burton, Ross
  0 siblings, 2 replies; 11+ messages in thread
From: Alexander Kanavin @ 2018-03-15 16:25 UTC
  To: Derek Straka, openembedded-core

On 03/12/2018 12:18 AM, Derek Straka wrote:
> License-Update: checksum change is due to bump in copyright year
> 
> Resolves CVE-2017-1000158 and other potential security issues
> 
> See https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-5-final
> 
> Signed-off-by: Derek Straka <derek@asterius.io>
> ---
>   meta/recipes-devtools/python/{python3_3.5.4.bb => python3_3.5.5.bb} | 6 +++---

python3-native should be updated at the same time, please do so.

Alex



* Re: [PATCHv2] python3: update to version 3.5.5 to fix security issues
  2018-03-15 16:37   ` Derek Straka
@ 2018-03-15 16:31     ` Alexander Kanavin
  2018-03-15 17:00       ` Derek Straka
  2018-03-15 17:06     ` Alexander Kanavin
  1 sibling, 1 reply; 11+ messages in thread
From: Alexander Kanavin @ 2018-03-15 16:31 UTC
  To: Derek Straka; +Cc: openembedded-core

On 03/15/2018 06:37 PM, Derek Straka wrote:
> Definitely.  I just didn't do the git add.  I'll send out the v2 
> shortly.  Thanks for catching that!

The change is already in master, so you need to rebase.

Alex



* Re: [PATCHv2] python3: update to version 3.5.5 to fix security issues
  2018-03-15 16:25 ` Alexander Kanavin
@ 2018-03-15 16:37   ` Derek Straka
  2018-03-15 16:31     ` Alexander Kanavin
  2018-03-15 17:06     ` Alexander Kanavin
  2018-03-15 16:41   ` Burton, Ross
  1 sibling, 2 replies; 11+ messages in thread
From: Derek Straka @ 2018-03-15 16:37 UTC
  To: Alexander Kanavin; +Cc: openembedded-core

Definitely.  I just didn't do the git add.  I'll send out the v2 shortly.
Thanks for catching that!

On Thu, Mar 15, 2018 at 12:25 PM, Alexander Kanavin <
alexander.kanavin@linux.intel.com> wrote:

> On 03/12/2018 12:18 AM, Derek Straka wrote:
>
>> License-Update: checksum change is due to bump in copyright year
>>
>> Resolves CVE-2017-1000158 and other potential security issues
>>
>> See https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-5-final
>>
>> Signed-off-by: Derek Straka <derek@asterius.io>
>> ---
>>   meta/recipes-devtools/python/{python3_3.5.4.bb => python3_3.5.5.bb} | 6 +++---
>>
>
> python3-native should be updated at the same time, please do so.
>
> Alex
>


* Re: [PATCHv2] python3: update to version 3.5.5 to fix security issues
  2018-03-15 16:25 ` Alexander Kanavin
  2018-03-15 16:37   ` Derek Straka
@ 2018-03-15 16:41   ` Burton, Ross
  1 sibling, 0 replies; 11+ messages in thread
From: Burton, Ross @ 2018-03-15 16:41 UTC
  To: Alexander Kanavin; +Cc: OE-core

Whoops, didn't notice that on my review.  Thanks for spotting Alex.

Ross

On 15 March 2018 at 16:25, Alexander Kanavin <
alexander.kanavin@linux.intel.com> wrote:

> On 03/12/2018 12:18 AM, Derek Straka wrote:
>
>> License-Update: checksum change is due to bump in copyright year
>>
>> Resolves CVE-2017-1000158 and other potential security issues
>>
>> See https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-5-final
>>
>> Signed-off-by: Derek Straka <derek@asterius.io>
>> ---
>>   meta/recipes-devtools/python/{python3_3.5.4.bb => python3_3.5.5.bb} | 6 +++---
>>
>
> python3-native should be updated at the same time, please do so.
>
> Alex
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>


* Re: [PATCHv2] python3: update to version 3.5.5 to fix security issues
  2018-03-15 16:31     ` Alexander Kanavin
@ 2018-03-15 17:00       ` Derek Straka
  2018-03-15 17:02         ` Burton, Ross
  0 siblings, 1 reply; 11+ messages in thread
From: Derek Straka @ 2018-03-15 17:00 UTC
  To: Alexander Kanavin; +Cc: openembedded-core

I'll stop failing eventually... I'm surprised I didn't get a bounce from
the patch test script.  In any case, I sent the native version.

On Thu, Mar 15, 2018 at 12:31 PM, Alexander Kanavin <
alexander.kanavin@linux.intel.com> wrote:

> On 03/15/2018 06:37 PM, Derek Straka wrote:
>
>> Definitely.  I just didn't do the git add.  I'll send out the v2
>> shortly.  Thanks for catching that!
>>
>
> The change is already in master, so you need to rebase.
>
> Alex
>


* Re: [PATCHv2] python3: update to version 3.5.5 to fix security issues
  2018-03-15 17:00       ` Derek Straka
@ 2018-03-15 17:02         ` Burton, Ross
  0 siblings, 0 replies; 11+ messages in thread
From: Burton, Ross @ 2018-03-15 17:02 UTC
  To: Derek Straka; +Cc: openembedded-core

On 15 March 2018 at 17:00, Derek Straka <derek@asterius.io> wrote:

> I'll stop failing eventually... I'm surprised I didn't get a bounce from
> the patch test script.  In any case, I sent the native version.
>
>
Git does the right thing and does the merge, so the patch applies.

Ross


* Re: [PATCHv2] python3: update to version 3.5.5 to fix security issues
  2018-03-15 16:37   ` Derek Straka
  2018-03-15 16:31     ` Alexander Kanavin
@ 2018-03-15 17:06     ` Alexander Kanavin
  2018-03-15 17:16       ` Derek Straka
  1 sibling, 1 reply; 11+ messages in thread
From: Alexander Kanavin @ 2018-03-15 17:06 UTC
  To: Derek Straka; +Cc: openembedded-core

On 03/15/2018 06:37 PM, Derek Straka wrote:
> Definitely.  I just didn't do the git add.  I'll send out the v2 
> shortly.  Thanks for catching that!

While we're on the subject of python upgrades, I'd like to ask, what 
kind of plan do you have for 3.6/3.7? Is anything in progress? When you 
have some kind of patch ready, we can test it on the autobuilder to iron 
out the issues, and have it ready for when oe-core master reopens for 
version updates.

(I also think that at this point it makes sense to go straight to 3.7 
and test with various pre-release versions)



* Re: [PATCHv2] python3: update to version 3.5.5 to fix security issues
  2018-03-15 17:06     ` Alexander Kanavin
@ 2018-03-15 17:16       ` Derek Straka
  2018-03-16  5:06         ` Tim Orling
  0 siblings, 1 reply; 11+ messages in thread
From: Derek Straka @ 2018-03-15 17:16 UTC
  To: Alexander Kanavin; +Cc: openembedded-core

I'm about half through the 3.6 updates.  I was hoping to get time in the
next two weeks to finish it up.  I can just look at going to 3.7 if that's
preferred.  I don't have a personal preference at this point.

On Thu, Mar 15, 2018 at 1:06 PM, Alexander Kanavin <
alexander.kanavin@linux.intel.com> wrote:

> On 03/15/2018 06:37 PM, Derek Straka wrote:
>
>> Definitely.  I just didn't do the git add.  I'll send out the v2
>> shortly.  Thanks for catching that!
>>
>
> While we're on the subject of python upgrades, I'd like to ask, what kind
> of plan do you have for 3.6/3.7? Is anything in progress? When you have
> some kind of patch ready, we can test it on the autobuilder to iron out the
> issues, and have it ready for when oe-core master reopens for version
> updates.
>
> (I also think that at this point it makes sense to go straight to 3.7 and
> test with various pre-release versions)
>


* Re: [PATCHv2] python3: update to version 3.5.5 to fix security issues
  2018-03-15 17:16       ` Derek Straka
@ 2018-03-16  5:06         ` Tim Orling
  2018-03-16 10:44           ` Alexander Kanavin
  0 siblings, 1 reply; 11+ messages in thread
From: Tim Orling @ 2018-03-16  5:06 UTC
  To: Derek Straka; +Cc: openembedded-core

I looked into 3.6 as well, but the sheer number of patches we apply is a
pain point to rebase.

I am inclined to vote for 3.6 first and pick up 3.7 when it matures a bit
and is more widely supported. I have fears of rather massive failures in
our python ecosystem (especially in meta-python). Perhaps backward
compatibility will be there, but I need to be convinced. If 3.7 is widely
the _default_ in traditional distros we support, then I will sing a
different tune. Also, I hope to have a ptest strategy for python by the end
of 2.6, which would dramatically increase my comfort level.

—Tim
On Thu, Mar 15, 2018 at 10:17 AM Derek Straka <derek@asterius.io> wrote:

> I'm about half through the 3.6 updates.  I was hoping to get time in the
> next two weeks to finish it up.  I can just look at going to 3.7 if that's
> preferred.  I don't have a personal preference at this point.
>
> On Thu, Mar 15, 2018 at 1:06 PM, Alexander Kanavin <
> alexander.kanavin@linux.intel.com> wrote:
>
>> On 03/15/2018 06:37 PM, Derek Straka wrote:
>>
>>> Definitely.  I just didn't do the git add.  I'll send out the v2
>>> shortly.  Thanks for catching that!
>>>
>>
>> While we're on the subject of python upgrades, I'd like to ask, what kind
>> of plan do you have for 3.6/3.7? Is anything in progress? When you have
>> some kind of patch ready, we can test it on the autobuilder to iron out the
>> issues, and have it ready for when oe-core master reopens for version
>> updates.
>>
>> (I also think that at this point it makes sense to go straight to 3.7 and
>> test with various pre-release versions)
>>
>


* Re: [PATCHv2] python3: update to version 3.5.5 to fix security issues
  2018-03-16  5:06         ` Tim Orling
@ 2018-03-16 10:44           ` Alexander Kanavin
  0 siblings, 0 replies; 11+ messages in thread
From: Alexander Kanavin @ 2018-03-16 10:44 UTC
  To: Tim Orling, Derek Straka; +Cc: openembedded-core

On 03/16/2018 07:06 AM, Tim Orling wrote:
> I looked into 3.6 as well, but the sheer number of patches we apply is a 
> pain point to rebase.
> 
> I am inclined to vote for 3.6 first and pick up 3.7 when it matures a 
> bit and is more widely supported. I have fears of rather massive 
> failures in our python ecosystem (especially in meta-python). Perhaps 
> backward compatibility will be there, but I need to be convinced. If 3.7 
> is widely the _default_ in traditional distros we support, then I will 
> sing a different tune. Also, I hope to have a ptest strategy for python 
> by the end of 2.6, which would dramatically increase my comfort level.

Perhaps we can provide both and default to 3.6? Eventually we will have 
to transition to 3.7, and I think it might be easier if it's widely 
available in oe-core, even if it has known (or unknown) issues and is 
off by default. We can then periodically test 3.7 on the AB etc, to 
assess where things are.

Alex

