All of lore.kernel.org
 help / color / mirror / Atom feed
* [Buildroot] [PATCH 1/1] package/python-pyyaml: bump to version 5.3.1
@ 2020-03-26 10:04 James Hilliard
  2020-03-26 21:24 ` Thomas Petazzoni
  2020-04-02  8:42 ` Peter Korsgaard
  0 siblings, 2 replies; 4+ messages in thread
From: James Hilliard @ 2020-03-26 10:04 UTC (permalink / raw)
  To: buildroot

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
---
 package/python-pyyaml/python-pyyaml.hash | 6 +++---
 package/python-pyyaml/python-pyyaml.mk   | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package/python-pyyaml/python-pyyaml.hash b/package/python-pyyaml/python-pyyaml.hash
index e0d182bcbb..1161ae1021 100644
--- a/package/python-pyyaml/python-pyyaml.hash
+++ b/package/python-pyyaml/python-pyyaml.hash
@@ -1,5 +1,5 @@
 # md5, sha256 from https://pypi.org/pypi/PyYAML/json
-md5	adbb0d336b509d6472d3b095a0f1cf30  PyYAML-5.3.tar.gz
-sha256	e9f45bd5b92c7974e59bcd2dcc8631a6b6cc380a904725fce7bc08872e691615  PyYAML-5.3.tar.gz
+md5  d3590b85917362e837298e733321962b  PyYAML-5.3.1.tar.gz
+sha256  b8eac752c5e14d3eca0e6dd9199cd627518cb5ec06add0de9d32baeee6fe645d  PyYAML-5.3.1.tar.gz
 # Locally computed sha256 checksums
-sha256	a2adb9c959b797494a0ef80bdf60e22db2749ee3e0c0908556e3eb548f967c56  LICENSE
+sha256  a2adb9c959b797494a0ef80bdf60e22db2749ee3e0c0908556e3eb548f967c56  LICENSE
diff --git a/package/python-pyyaml/python-pyyaml.mk b/package/python-pyyaml/python-pyyaml.mk
index 5d9246d37c..78506390a4 100644
--- a/package/python-pyyaml/python-pyyaml.mk
+++ b/package/python-pyyaml/python-pyyaml.mk
@@ -4,9 +4,9 @@
 #
 ################################################################################
 
-PYTHON_PYYAML_VERSION = 5.3
+PYTHON_PYYAML_VERSION = 5.3.1
 PYTHON_PYYAML_SOURCE = PyYAML-$(PYTHON_PYYAML_VERSION).tar.gz
-PYTHON_PYYAML_SITE = https://files.pythonhosted.org/packages/3d/d9/ea9816aea31beeadccd03f1f8b625ecf8f645bd66744484d162d84803ce5
+PYTHON_PYYAML_SITE = https://files.pythonhosted.org/packages/64/c2/b80047c7ac2478f9501676c988a5411ed5572f35d1beff9cae07d321512c
 PYTHON_PYYAML_SETUP_TYPE = distutils
 PYTHON_PYYAML_LICENSE = MIT
 PYTHON_PYYAML_LICENSE_FILES = LICENSE
-- 
2.20.1

^ permalink raw reply related	[flat|nested] 4+ messages in thread
* [Buildroot] [PATCH 1/1] package/python-pyyaml: bump to version 5.3.1
  2020-03-26 10:04 [Buildroot] [PATCH 1/1] package/python-pyyaml: bump to version 5.3.1 James Hilliard
@ 2020-03-26 21:24 ` Thomas Petazzoni
  2020-04-02  8:42 ` Peter Korsgaard
  1 sibling, 0 replies; 4+ messages in thread
From: Thomas Petazzoni @ 2020-03-26 21:24 UTC (permalink / raw)
  To: buildroot

On Thu, 26 Mar 2020 04:04:04 -0600
James Hilliard <james.hilliard1@gmail.com> wrote:

> Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
> ---
>  package/python-pyyaml/python-pyyaml.hash | 6 +++---
>  package/python-pyyaml/python-pyyaml.mk   | 4 ++--
>  2 files changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/package/python-pyyaml/python-pyyaml.hash b/package/python-pyyaml/python-pyyaml.hash
> index e0d182bcbb..1161ae1021 100644
> --- a/package/python-pyyaml/python-pyyaml.hash
> +++ b/package/python-pyyaml/python-pyyaml.hash
> @@ -1,5 +1,5 @@
>  # md5, sha256 from https://pypi.org/pypi/PyYAML/json
> -md5	adbb0d336b509d6472d3b095a0f1cf30  PyYAML-5.3.tar.gz
> -sha256	e9f45bd5b92c7974e59bcd2dcc8631a6b6cc380a904725fce7bc08872e691615  PyYAML-5.3.tar.gz
> +md5  d3590b85917362e837298e733321962b  PyYAML-5.3.1.tar.gz
> +sha256  b8eac752c5e14d3eca0e6dd9199cd627518cb5ec06add0de9d32baeee6fe645d  PyYAML-5.3.1.tar.gz
>  # Locally computed sha256 checksums
> -sha256	a2adb9c959b797494a0ef80bdf60e22db2749ee3e0c0908556e3eb548f967c56  LICENSE
> +sha256  a2adb9c959b797494a0ef80bdf60e22db2749ee3e0c0908556e3eb548f967c56  LICENSE

It was good to update the indentation here... but you forgot to update
the hash itself, as the LICENSE file changed!

I updated this, explained what the LICENSE file change was in the
commit log, and applied.

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

^ permalink raw reply	[flat|nested] 4+ messages in thread
* [Buildroot] [PATCH 1/1] package/python-pyyaml: bump to version 5.3.1
  2020-03-26 10:04 [Buildroot] [PATCH 1/1] package/python-pyyaml: bump to version 5.3.1 James Hilliard
  2020-03-26 21:24 ` Thomas Petazzoni
@ 2020-04-02  8:42 ` Peter Korsgaard
  2020-04-07 18:21   ` Peter Korsgaard
  1 sibling, 1 reply; 4+ messages in thread
From: Peter Korsgaard @ 2020-04-02  8:42 UTC (permalink / raw)
  To: buildroot

>>>>> "James" == James Hilliard <james.hilliard1@gmail.com> writes:

 > Signed-off-by: James Hilliard <james.hilliard1@gmail.com>

Can you please mention whenever version bumps have security
implications? E.G. looking at the 5.3.1 release the only change is:

#386: Prevents arbitrary code execution during python/object/new
 constructor

https://github.com/yaml/pyyaml/pull/386

Which sounds very much like a security bump to me.

-- 
Bye, Peter Korsgaard

^ permalink raw reply	[flat|nested] 4+ messages in thread
* [Buildroot] [PATCH 1/1] package/python-pyyaml: bump to version 5.3.1
  2020-04-02  8:42 ` Peter Korsgaard
@ 2020-04-07 18:21   ` Peter Korsgaard
  0 siblings, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2020-04-07 18:21 UTC (permalink / raw)
  To: buildroot

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

>>>>> "James" == James Hilliard <james.hilliard1@gmail.com> writes:
 >> Signed-off-by: James Hilliard <james.hilliard1@gmail.com>

 > Can you please mention whenever version bumps have security
 > implications? E.G. looking at the 5.3.1 release the only change is:

 > #386: Prevents arbitrary code execution during python/object/new
 >  constructor

 > https://github.com/yaml/pyyaml/pull/386

 > Which sounds very much like a security bump to me.

Committed to 2020.02.x after adding that information, thanks.

I didn't backport it to 2019.02.x / 2019.11.x yet, as we need to ensure
it doesn't break the version checks in docker-compose.

-- 
Bye, Peter Korsgaard

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-04-07 18:21 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-03-26 10:04 [Buildroot] [PATCH 1/1] package/python-pyyaml: bump to version 5.3.1 James Hilliard
2020-03-26 21:24 ` Thomas Petazzoni
2020-04-02  8:42 ` Peter Korsgaard
2020-04-07 18:21   ` Peter Korsgaard

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.