a14ce17ca6
Fixes the following security issues:
- bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module
which could be abused to read arbitrary files on the disk (directory
traversal vulnerability). Moreover, even source code of Python modules
can contain sensitive data like passwords. Vulnerability reported by
David Schwörer.
- bpo-43285: ftplib no longer trusts the IP address value returned from the
server in response to the PASV command by default. This prevents a
malicious FTP server from using the response to probe IPv4 address and
port combinations on the client network.
Code that requires the former vulnerable behavior may set a
trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to
True to re-enable it.
- bpo-43439: Add audit hooks for gc.get_objects(), gc.get_referrers() and
gc.get_referents(). Patch by Pablo Galindo.
Note: 3.9.3 was recalled due to introducing unintentional ABI
incompatibility, and fixes re-released as 3.9.4:
https://www.python.org/downloads/release/python-394/
Add host-autoreconf-archive, as it is needed for autoreconf since:
064bc07f24
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
328 lines
10 KiB
Makefile
328 lines
10 KiB
Makefile
################################################################################
|
|
#
|
|
# python3
|
|
#
|
|
################################################################################
|
|
|
|
PYTHON3_VERSION_MAJOR = 3.9
|
|
PYTHON3_VERSION = $(PYTHON3_VERSION_MAJOR).4
|
|
PYTHON3_SOURCE = Python-$(PYTHON3_VERSION).tar.xz
|
|
PYTHON3_SITE = https://python.org/ftp/python/$(PYTHON3_VERSION)
|
|
PYTHON3_LICENSE = Python-2.0, others
|
|
PYTHON3_LICENSE_FILES = LICENSE
|
|
PYTHON3_CPE_ID_VENDOR = python
|
|
PYTHON3_CPE_ID_PRODUCT = python
|
|
|
|
# This host Python is installed in $(HOST_DIR), as it is needed when
|
|
# cross-compiling third-party Python modules.
|
|
|
|
HOST_PYTHON3_CONF_OPTS += \
|
|
--without-ensurepip \
|
|
--without-cxx-main \
|
|
--disable-sqlite3 \
|
|
--disable-tk \
|
|
--with-expat=system \
|
|
--disable-curses \
|
|
--disable-codecs-cjk \
|
|
--disable-nis \
|
|
--enable-unicodedata \
|
|
--disable-test-modules \
|
|
--disable-idle3 \
|
|
--disable-ossaudiodev
|
|
|
|
# Make sure that LD_LIBRARY_PATH overrides -rpath.
|
|
# This is needed because libpython may be installed at the same time that
|
|
# python is called.
|
|
# Make python believe we don't have 'hg', so that it doesn't try to
|
|
# communicate over the network during the build.
|
|
HOST_PYTHON3_CONF_ENV += \
|
|
LDFLAGS="$(HOST_LDFLAGS) -Wl,--enable-new-dtags" \
|
|
ac_cv_prog_HAS_HG=/bin/false
|
|
|
|
PYTHON3_DEPENDENCIES = host-python3 libffi
|
|
|
|
HOST_PYTHON3_DEPENDENCIES = host-autoconf-archive host-expat host-zlib host-libffi
|
|
|
|
ifeq ($(BR2_PACKAGE_HOST_PYTHON3_SSL),y)
|
|
HOST_PYTHON3_DEPENDENCIES += host-openssl
|
|
else
|
|
HOST_PYTHON3_CONF_OPTS += --disable-openssl
|
|
endif
|
|
|
|
PYTHON3_INSTALL_STAGING = YES
|
|
|
|
ifeq ($(BR2_PACKAGE_PYTHON3_2TO3),y)
|
|
PYTHON3_CONF_OPTS += --enable-lib2to3
|
|
else
|
|
PYTHON3_CONF_OPTS += --disable-lib2to3
|
|
endif
|
|
|
|
ifeq ($(BR2_PACKAGE_PYTHON3_READLINE),y)
|
|
PYTHON3_DEPENDENCIES += readline
|
|
else
|
|
PYTHON3_CONF_OPTS += --disable-readline
|
|
endif
|
|
|
|
ifeq ($(BR2_PACKAGE_PYTHON3_CURSES),y)
|
|
PYTHON3_DEPENDENCIES += ncurses
|
|
else
|
|
PYTHON3_CONF_OPTS += --disable-curses
|
|
endif
|
|
|
|
ifeq ($(BR2_PACKAGE_PYTHON3_DECIMAL),y)
|
|
PYTHON3_DEPENDENCIES += mpdecimal
|
|
PYTHON3_CONF_OPTS += --with-libmpdec=system
|
|
else
|
|
PYTHON3_CONF_OPTS += --with-libmpdec=none
|
|
endif
|
|
|
|
ifeq ($(BR2_PACKAGE_PYTHON3_PYEXPAT),y)
|
|
PYTHON3_DEPENDENCIES += expat
|
|
PYTHON3_CONF_OPTS += --with-expat=system
|
|
else
|
|
PYTHON3_CONF_OPTS += --with-expat=none
|
|
endif
|
|
|
|
ifeq ($(BR2_PACKAGE_PYTHON3_SQLITE),y)
|
|
PYTHON3_DEPENDENCIES += sqlite
|
|
else
|
|
PYTHON3_CONF_OPTS += --disable-sqlite3
|
|
endif
|
|
|
|
ifeq ($(BR2_PACKAGE_PYTHON3_SSL),y)
|
|
PYTHON3_DEPENDENCIES += openssl
|
|
else
|
|
PYTHON3_CONF_OPTS += --disable-openssl
|
|
endif
|
|
|
|
ifneq ($(BR2_PACKAGE_PYTHON3_CODECSCJK),y)
|
|
PYTHON3_CONF_OPTS += --disable-codecs-cjk
|
|
endif
|
|
|
|
ifneq ($(BR2_PACKAGE_PYTHON3_UNICODEDATA),y)
|
|
PYTHON3_CONF_OPTS += --disable-unicodedata
|
|
endif
|
|
|
|
# Disable auto-detection of uuid.h (util-linux)
|
|
# which would add _uuid module support, instead
|
|
# default to the pure python implementation
|
|
PYTHON3_CONF_OPTS += --disable-uuid
|
|
|
|
ifeq ($(BR2_PACKAGE_PYTHON3_BZIP2),y)
|
|
PYTHON3_DEPENDENCIES += bzip2
|
|
else
|
|
PYTHON3_CONF_OPTS += --disable-bzip2
|
|
endif
|
|
|
|
ifeq ($(BR2_PACKAGE_PYTHON3_XZ),y)
|
|
PYTHON3_DEPENDENCIES += xz
|
|
else
|
|
PYTHON3_CONF_OPTS += --disable-xz
|
|
endif
|
|
|
|
ifeq ($(BR2_PACKAGE_PYTHON3_ZLIB),y)
|
|
PYTHON3_DEPENDENCIES += zlib
|
|
else
|
|
PYTHON3_CONF_OPTS += --disable-zlib
|
|
endif
|
|
|
|
ifeq ($(BR2_PACKAGE_PYTHON3_OSSAUDIODEV),y)
|
|
PYTHON3_CONF_OPTS += --enable-ossaudiodev
|
|
else
|
|
PYTHON3_CONF_OPTS += --disable-ossaudiodev
|
|
endif
|
|
|
|
# Make python believe we don't have 'hg', so that it doesn't try to
|
|
# communicate over the network during the build.
|
|
PYTHON3_CONF_ENV += \
|
|
ac_cv_have_long_long_format=yes \
|
|
ac_cv_file__dev_ptmx=yes \
|
|
ac_cv_file__dev_ptc=yes \
|
|
ac_cv_working_tzset=yes \
|
|
ac_cv_prog_HAS_HG=/bin/false
|
|
|
|
# GCC is always compliant with IEEE754
|
|
ifeq ($(BR2_ENDIAN),"LITTLE")
|
|
PYTHON3_CONF_ENV += ac_cv_little_endian_double=yes
|
|
else
|
|
PYTHON3_CONF_ENV += ac_cv_big_endian_double=yes
|
|
endif
|
|
|
|
# uClibc is known to have a broken wcsftime() implementation, so tell
|
|
# Python 3 to fall back to strftime() instead.
|
|
ifeq ($(BR2_TOOLCHAIN_USES_UCLIBC),y)
|
|
PYTHON3_CONF_ENV += ac_cv_func_wcsftime=no
|
|
endif
|
|
|
|
ifeq ($(BR2_PACKAGE_GETTEXT_PROVIDES_LIBINTL),y)
|
|
PYTHON3_DEPENDENCIES += gettext
|
|
endif
|
|
|
|
PYTHON3_CONF_OPTS += \
|
|
--without-ensurepip \
|
|
--without-cxx-main \
|
|
--with-system-ffi \
|
|
--disable-pydoc \
|
|
--disable-test-modules \
|
|
--disable-tk \
|
|
--disable-nis \
|
|
--disable-idle3 \
|
|
--disable-pyc-build
|
|
|
|
#
|
|
# Some of CPython's source code is generated using Python interpreter
|
|
# and some helper tools such as "Programs/_freeze_importlib" or
|
|
# "Parser/pgen" (look for regen-* targets in Makefile.pre.in for more
|
|
# info). Normally CPython codebase ships with those files
|
|
# pre-generated, so just regular "make" with no additional steps
|
|
# should be sufficient for a succesfull build, however due to
|
|
# Buildroot's "Add importlib fix for PEP 3147 issue" custom patch we
|
|
# end up modifying "Lib/importlib/_bootstrap_external.py" which means
|
|
# we have to do "regen-importlib" step before building CPython
|
|
# (Importlib is a builtin module that needs to be "frozen"/converted
|
|
# to a C array of bytecode using "Programs/_freeze_importlib")
|
|
#
|
|
# To achive that we add pre-build steps to host-python3 as well as
|
|
# python3 that execute "regen-importlib" target.
|
|
#
|
|
# Unfortunately, for the target Python, "Programs/_freeze_importlib"
|
|
# is built for the target, while we need to run them at build time. So
|
|
# when installing host-python3, we copy them to $(HOST_DIR)/bin...
|
|
#
|
|
define HOST_PYTHON3_MAKE_REGEN_IMPORTLIB
|
|
$(HOST_MAKE_ENV) $(PYTHON3_CONF_ENV) $(MAKE) $(HOST_CONFIGURE_OPTS) -C $(@D) regen-importlib
|
|
cp $(@D)/Programs/_freeze_importlib $(HOST_DIR)/bin/python-freeze-importlib
|
|
endef
|
|
|
|
HOST_PYTHON3_PRE_BUILD_HOOKS += HOST_PYTHON3_MAKE_REGEN_IMPORTLIB
|
|
#
|
|
# ... And then, when building the target python we first buid
|
|
# 'Programs/_freeze_importlib' to force GNU Make to update all of the
|
|
# prerequisites of 'Programs/_freeze_importlib', then copy our stashed
|
|
# "host-usable" version over the one that was just build and then
|
|
# build "regen-importlib" target
|
|
#
|
|
define PYTHON3_MAKE_REGEN_IMPORTLIB
|
|
$(TARGET_MAKE_ENV) $(PYTHON3_CONF_ENV) $(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D) Programs/_freeze_importlib
|
|
cp $(HOST_DIR)/bin/python-freeze-importlib $(@D)/Programs/_freeze_importlib
|
|
$(TARGET_MAKE_ENV) $(PYTHON3_CONF_ENV) $(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D) regen-importlib
|
|
endef
|
|
|
|
PYTHON3_PRE_BUILD_HOOKS += PYTHON3_MAKE_REGEN_IMPORTLIB
|
|
|
|
#
|
|
# Remove useless files. In the config/ directory, only the Makefile
|
|
# and the pyconfig.h files are needed at runtime.
|
|
#
|
|
define PYTHON3_REMOVE_USELESS_FILES
|
|
rm -f $(TARGET_DIR)/usr/bin/python$(PYTHON3_VERSION_MAJOR)-config
|
|
rm -f $(TARGET_DIR)/usr/bin/python$(PYTHON3_VERSION_MAJOR)m-config
|
|
rm -f $(TARGET_DIR)/usr/bin/python3-config
|
|
rm -f $(TARGET_DIR)/usr/bin/smtpd.py.3
|
|
rm -f $(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR)/distutils/command/wininst*.exe
|
|
for i in `find $(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR)/config-$(PYTHON3_VERSION_MAJOR)m-*/ \
|
|
-type f -not -name Makefile` ; do \
|
|
rm -f $$i ; \
|
|
done
|
|
rm -rf $(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR)/__pycache__/
|
|
rm -rf $(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR)/lib-dynload/sysconfigdata/__pycache__
|
|
rm -rf $(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR)/collections/__pycache__
|
|
rm -rf $(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR)/importlib/__pycache__
|
|
endef
|
|
|
|
PYTHON3_POST_INSTALL_TARGET_HOOKS += PYTHON3_REMOVE_USELESS_FILES
|
|
|
|
#
|
|
# Make sure libpython gets stripped out on target
|
|
#
|
|
define PYTHON3_ENSURE_LIBPYTHON_STRIPPED
|
|
chmod u+w $(TARGET_DIR)/usr/lib/libpython$(PYTHON3_VERSION_MAJOR)*.so
|
|
endef
|
|
|
|
PYTHON3_POST_INSTALL_TARGET_HOOKS += PYTHON3_ENSURE_LIBPYTHON_STRIPPED
|
|
|
|
PYTHON3_AUTORECONF = YES
|
|
PYTHON3_AUTORECONF_OPTS = --include=$(HOST_DIR)/share/autoconf-archive
|
|
|
|
define PYTHON3_INSTALL_SYMLINK
|
|
ln -fs python3 $(TARGET_DIR)/usr/bin/python
|
|
endef
|
|
|
|
ifneq ($(BR2_PACKAGE_PYTHON),y)
|
|
PYTHON3_POST_INSTALL_TARGET_HOOKS += PYTHON3_INSTALL_SYMLINK
|
|
endif
|
|
|
|
# Some packages may have build scripts requiring python3, whatever is the
|
|
# python version chosen for the target.
|
|
# Only install the python symlink in the host tree if python3 is enabled
|
|
# for the target.
|
|
ifeq ($(BR2_PACKAGE_PYTHON3),y)
|
|
define HOST_PYTHON3_INSTALL_SYMLINK
|
|
ln -fs python3 $(HOST_DIR)/bin/python
|
|
ln -fs python3-config $(HOST_DIR)/bin/python-config
|
|
endef
|
|
|
|
HOST_PYTHON3_POST_INSTALL_HOOKS += HOST_PYTHON3_INSTALL_SYMLINK
|
|
endif
|
|
|
|
# Provided to other packages
|
|
PYTHON3_PATH = $(STAGING_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR)/
|
|
|
|
# Support for socket.AF_BLUETOOTH
|
|
ifeq ($(BR2_PACKAGE_BLUEZ5_UTILS_HEADERS),y)
|
|
PYTHON3_DEPENDENCIES += bluez5_utils-headers
|
|
endif
|
|
|
|
$(eval $(autotools-package))
|
|
$(eval $(host-autotools-package))
|
|
|
|
ifeq ($(BR2_REPRODUCIBLE),y)
|
|
define PYTHON3_FIX_TIME
|
|
find $(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR) -name '*.py' -print0 | \
|
|
xargs -0 --no-run-if-empty touch -d @$(SOURCE_DATE_EPOCH)
|
|
endef
|
|
endif
|
|
|
|
define PYTHON3_CREATE_PYC_FILES
|
|
$(PYTHON3_FIX_TIME)
|
|
PYTHONPATH="$(PYTHON3_PATH)" \
|
|
$(HOST_DIR)/bin/python$(PYTHON3_VERSION_MAJOR) \
|
|
$(TOPDIR)/support/scripts/pycompile.py \
|
|
$(if $(VERBOSE),--verbose) \
|
|
--strip-root $(TARGET_DIR) \
|
|
$(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR)
|
|
endef
|
|
|
|
ifeq ($(BR2_PACKAGE_PYTHON3_PYC_ONLY)$(BR2_PACKAGE_PYTHON3_PY_PYC),y)
|
|
PYTHON3_TARGET_FINALIZE_HOOKS += PYTHON3_CREATE_PYC_FILES
|
|
endif
|
|
|
|
ifeq ($(BR2_PACKAGE_PYTHON3_PYC_ONLY),y)
|
|
define PYTHON3_REMOVE_PY_FILES
|
|
find $(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR) -name '*.py' \
|
|
$(if $(strip $(KEEP_PYTHON_PY_FILES)),-not \( $(call finddirclauses,$(TARGET_DIR),$(KEEP_PYTHON_PY_FILES)) \) ) \
|
|
-print0 | \
|
|
xargs -0 --no-run-if-empty rm -f
|
|
endef
|
|
PYTHON3_TARGET_FINALIZE_HOOKS += PYTHON3_REMOVE_PY_FILES
|
|
endif
|
|
|
|
# Normally, *.pyc files should not have been compiled, but just in
|
|
# case, we make sure we remove all of them.
|
|
ifeq ($(BR2_PACKAGE_PYTHON3_PY_ONLY),y)
|
|
define PYTHON3_REMOVE_PYC_FILES
|
|
find $(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR) -name '*.pyc' -print0 | \
|
|
xargs -0 --no-run-if-empty rm -f
|
|
endef
|
|
PYTHON3_TARGET_FINALIZE_HOOKS += PYTHON3_REMOVE_PYC_FILES
|
|
endif
|
|
|
|
# In all cases, we don't want to keep the optimized .opt-1.pyc and
|
|
# .opt-2.pyc files, since they can't work without their non-optimized
|
|
# variant.
|
|
define PYTHON3_REMOVE_OPTIMIZED_PYC_FILES
|
|
find $(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR) -name '*.opt-1.pyc' -print0 -o -name '*.opt-2.pyc' -print0 | \
|
|
xargs -0 --no-run-if-empty rm -f
|
|
endef
|
|
PYTHON3_TARGET_FINALIZE_HOOKS += PYTHON3_REMOVE_OPTIMIZED_PYC_FILES
|