f02c0ee1b0
Fixes the following security issues: - bpo-43434: Creating a sqlite3.Connection object now also produces a sqlite3.connect auditing event. Previously this event was only produced by sqlite3.connect() calls. Patch by Erlend E. Aasland. - bpo-43882: The presence of newline or tab characters in parts of a URL could allow some forms of attacks. Following the controlling specification for URLs defined by WHATWG urllib.parse() now removes ASCII newlines and tabs from URLs, preventing such attacks. - bpo-43472: Ensures interpreter-level audit hooks receive the cpython.PyInterpreterState_New event when called through the _xxsubinterpreters module. - bpo-36384: ipaddress module no longer accepts any leading zeros in IPv4 address strings. Leading zeros are ambiguous and interpreted as octal notation by some libraries. For example the legacy function socket.inet_aton() treats leading zeros as octal notatation. glibc implementation of modern inet_pton() does not accept any leading zeros. For a while the ipaddress module used to accept ambiguous leading zeros. - bpo-43075: Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server. - bpo-42800: Audit hooks are now fired for frame.f_code, traceback.tb_frame, and generator code/frame attribute access. https://www.python.org/downloads/release/python-395/ Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
328 lines
10 KiB
Makefile
328 lines
10 KiB
Makefile
################################################################################
|
|
#
|
|
# python3
|
|
#
|
|
################################################################################
|
|
|
|
PYTHON3_VERSION_MAJOR = 3.9
|
|
PYTHON3_VERSION = $(PYTHON3_VERSION_MAJOR).5
|
|
PYTHON3_SOURCE = Python-$(PYTHON3_VERSION).tar.xz
|
|
PYTHON3_SITE = https://python.org/ftp/python/$(PYTHON3_VERSION)
|
|
PYTHON3_LICENSE = Python-2.0, others
|
|
PYTHON3_LICENSE_FILES = LICENSE
|
|
PYTHON3_CPE_ID_VENDOR = python
|
|
PYTHON3_CPE_ID_PRODUCT = python
|
|
|
|
# This host Python is installed in $(HOST_DIR), as it is needed when
|
|
# cross-compiling third-party Python modules.
|
|
|
|
HOST_PYTHON3_CONF_OPTS += \
|
|
--without-ensurepip \
|
|
--without-cxx-main \
|
|
--disable-sqlite3 \
|
|
--disable-tk \
|
|
--with-expat=system \
|
|
--disable-curses \
|
|
--disable-codecs-cjk \
|
|
--disable-nis \
|
|
--enable-unicodedata \
|
|
--disable-test-modules \
|
|
--disable-idle3 \
|
|
--disable-ossaudiodev
|
|
|
|
# Make sure that LD_LIBRARY_PATH overrides -rpath.
|
|
# This is needed because libpython may be installed at the same time that
|
|
# python is called.
|
|
# Make python believe we don't have 'hg', so that it doesn't try to
|
|
# communicate over the network during the build.
|
|
HOST_PYTHON3_CONF_ENV += \
|
|
LDFLAGS="$(HOST_LDFLAGS) -Wl,--enable-new-dtags" \
|
|
ac_cv_prog_HAS_HG=/bin/false
|
|
|
|
PYTHON3_DEPENDENCIES = host-python3 libffi
|
|
|
|
HOST_PYTHON3_DEPENDENCIES = host-autoconf-archive host-expat host-zlib host-libffi
|
|
|
|
ifeq ($(BR2_PACKAGE_HOST_PYTHON3_SSL),y)
|
|
HOST_PYTHON3_DEPENDENCIES += host-openssl
|
|
else
|
|
HOST_PYTHON3_CONF_OPTS += --disable-openssl
|
|
endif
|
|
|
|
PYTHON3_INSTALL_STAGING = YES
|
|
|
|
ifeq ($(BR2_PACKAGE_PYTHON3_2TO3),y)
|
|
PYTHON3_CONF_OPTS += --enable-lib2to3
|
|
else
|
|
PYTHON3_CONF_OPTS += --disable-lib2to3
|
|
endif
|
|
|
|
ifeq ($(BR2_PACKAGE_PYTHON3_READLINE),y)
|
|
PYTHON3_DEPENDENCIES += readline
|
|
else
|
|
PYTHON3_CONF_OPTS += --disable-readline
|
|
endif
|
|
|
|
ifeq ($(BR2_PACKAGE_PYTHON3_CURSES),y)
|
|
PYTHON3_DEPENDENCIES += ncurses
|
|
else
|
|
PYTHON3_CONF_OPTS += --disable-curses
|
|
endif
|
|
|
|
ifeq ($(BR2_PACKAGE_PYTHON3_DECIMAL),y)
|
|
PYTHON3_DEPENDENCIES += mpdecimal
|
|
PYTHON3_CONF_OPTS += --with-libmpdec=system
|
|
else
|
|
PYTHON3_CONF_OPTS += --with-libmpdec=none
|
|
endif
|
|
|
|
ifeq ($(BR2_PACKAGE_PYTHON3_PYEXPAT),y)
|
|
PYTHON3_DEPENDENCIES += expat
|
|
PYTHON3_CONF_OPTS += --with-expat=system
|
|
else
|
|
PYTHON3_CONF_OPTS += --with-expat=none
|
|
endif
|
|
|
|
ifeq ($(BR2_PACKAGE_PYTHON3_SQLITE),y)
|
|
PYTHON3_DEPENDENCIES += sqlite
|
|
else
|
|
PYTHON3_CONF_OPTS += --disable-sqlite3
|
|
endif
|
|
|
|
ifeq ($(BR2_PACKAGE_PYTHON3_SSL),y)
|
|
PYTHON3_DEPENDENCIES += openssl
|
|
else
|
|
PYTHON3_CONF_OPTS += --disable-openssl
|
|
endif
|
|
|
|
ifneq ($(BR2_PACKAGE_PYTHON3_CODECSCJK),y)
|
|
PYTHON3_CONF_OPTS += --disable-codecs-cjk
|
|
endif
|
|
|
|
ifneq ($(BR2_PACKAGE_PYTHON3_UNICODEDATA),y)
|
|
PYTHON3_CONF_OPTS += --disable-unicodedata
|
|
endif
|
|
|
|
# Disable auto-detection of uuid.h (util-linux)
|
|
# which would add _uuid module support, instead
|
|
# default to the pure python implementation
|
|
PYTHON3_CONF_OPTS += --disable-uuid
|
|
|
|
ifeq ($(BR2_PACKAGE_PYTHON3_BZIP2),y)
|
|
PYTHON3_DEPENDENCIES += bzip2
|
|
else
|
|
PYTHON3_CONF_OPTS += --disable-bzip2
|
|
endif
|
|
|
|
ifeq ($(BR2_PACKAGE_PYTHON3_XZ),y)
|
|
PYTHON3_DEPENDENCIES += xz
|
|
else
|
|
PYTHON3_CONF_OPTS += --disable-xz
|
|
endif
|
|
|
|
ifeq ($(BR2_PACKAGE_PYTHON3_ZLIB),y)
|
|
PYTHON3_DEPENDENCIES += zlib
|
|
else
|
|
PYTHON3_CONF_OPTS += --disable-zlib
|
|
endif
|
|
|
|
ifeq ($(BR2_PACKAGE_PYTHON3_OSSAUDIODEV),y)
|
|
PYTHON3_CONF_OPTS += --enable-ossaudiodev
|
|
else
|
|
PYTHON3_CONF_OPTS += --disable-ossaudiodev
|
|
endif
|
|
|
|
# Make python believe we don't have 'hg', so that it doesn't try to
|
|
# communicate over the network during the build.
|
|
PYTHON3_CONF_ENV += \
|
|
ac_cv_have_long_long_format=yes \
|
|
ac_cv_file__dev_ptmx=yes \
|
|
ac_cv_file__dev_ptc=yes \
|
|
ac_cv_working_tzset=yes \
|
|
ac_cv_prog_HAS_HG=/bin/false
|
|
|
|
# GCC is always compliant with IEEE754
|
|
ifeq ($(BR2_ENDIAN),"LITTLE")
|
|
PYTHON3_CONF_ENV += ac_cv_little_endian_double=yes
|
|
else
|
|
PYTHON3_CONF_ENV += ac_cv_big_endian_double=yes
|
|
endif
|
|
|
|
# uClibc is known to have a broken wcsftime() implementation, so tell
|
|
# Python 3 to fall back to strftime() instead.
|
|
ifeq ($(BR2_TOOLCHAIN_USES_UCLIBC),y)
|
|
PYTHON3_CONF_ENV += ac_cv_func_wcsftime=no
|
|
endif
|
|
|
|
ifeq ($(BR2_PACKAGE_GETTEXT_PROVIDES_LIBINTL),y)
|
|
PYTHON3_DEPENDENCIES += gettext
|
|
endif
|
|
|
|
PYTHON3_CONF_OPTS += \
|
|
--without-ensurepip \
|
|
--without-cxx-main \
|
|
--with-system-ffi \
|
|
--disable-pydoc \
|
|
--disable-test-modules \
|
|
--disable-tk \
|
|
--disable-nis \
|
|
--disable-idle3 \
|
|
--disable-pyc-build
|
|
|
|
#
|
|
# Some of CPython's source code is generated using Python interpreter
|
|
# and some helper tools such as "Programs/_freeze_importlib" or
|
|
# "Parser/pgen" (look for regen-* targets in Makefile.pre.in for more
|
|
# info). Normally CPython codebase ships with those files
|
|
# pre-generated, so just regular "make" with no additional steps
|
|
# should be sufficient for a succesfull build, however due to
|
|
# Buildroot's "Add importlib fix for PEP 3147 issue" custom patch we
|
|
# end up modifying "Lib/importlib/_bootstrap_external.py" which means
|
|
# we have to do "regen-importlib" step before building CPython
|
|
# (Importlib is a builtin module that needs to be "frozen"/converted
|
|
# to a C array of bytecode using "Programs/_freeze_importlib")
|
|
#
|
|
# To achive that we add pre-build steps to host-python3 as well as
|
|
# python3 that execute "regen-importlib" target.
|
|
#
|
|
# Unfortunately, for the target Python, "Programs/_freeze_importlib"
|
|
# is built for the target, while we need to run them at build time. So
|
|
# when installing host-python3, we copy them to $(HOST_DIR)/bin...
|
|
#
|
|
define HOST_PYTHON3_MAKE_REGEN_IMPORTLIB
|
|
$(HOST_MAKE_ENV) $(PYTHON3_CONF_ENV) $(MAKE) $(HOST_CONFIGURE_OPTS) -C $(@D) regen-importlib
|
|
cp $(@D)/Programs/_freeze_importlib $(HOST_DIR)/bin/python-freeze-importlib
|
|
endef
|
|
|
|
HOST_PYTHON3_PRE_BUILD_HOOKS += HOST_PYTHON3_MAKE_REGEN_IMPORTLIB
|
|
#
|
|
# ... And then, when building the target python we first buid
|
|
# 'Programs/_freeze_importlib' to force GNU Make to update all of the
|
|
# prerequisites of 'Programs/_freeze_importlib', then copy our stashed
|
|
# "host-usable" version over the one that was just build and then
|
|
# build "regen-importlib" target
|
|
#
|
|
define PYTHON3_MAKE_REGEN_IMPORTLIB
|
|
$(TARGET_MAKE_ENV) $(PYTHON3_CONF_ENV) $(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D) Programs/_freeze_importlib
|
|
cp $(HOST_DIR)/bin/python-freeze-importlib $(@D)/Programs/_freeze_importlib
|
|
$(TARGET_MAKE_ENV) $(PYTHON3_CONF_ENV) $(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D) regen-importlib
|
|
endef
|
|
|
|
PYTHON3_PRE_BUILD_HOOKS += PYTHON3_MAKE_REGEN_IMPORTLIB
|
|
|
|
#
|
|
# Remove useless files. In the config/ directory, only the Makefile
|
|
# and the pyconfig.h files are needed at runtime.
|
|
#
|
|
define PYTHON3_REMOVE_USELESS_FILES
|
|
rm -f $(TARGET_DIR)/usr/bin/python$(PYTHON3_VERSION_MAJOR)-config
|
|
rm -f $(TARGET_DIR)/usr/bin/python$(PYTHON3_VERSION_MAJOR)m-config
|
|
rm -f $(TARGET_DIR)/usr/bin/python3-config
|
|
rm -f $(TARGET_DIR)/usr/bin/smtpd.py.3
|
|
rm -f $(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR)/distutils/command/wininst*.exe
|
|
for i in `find $(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR)/config-$(PYTHON3_VERSION_MAJOR)m-*/ \
|
|
-type f -not -name Makefile` ; do \
|
|
rm -f $$i ; \
|
|
done
|
|
rm -rf $(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR)/__pycache__/
|
|
rm -rf $(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR)/lib-dynload/sysconfigdata/__pycache__
|
|
rm -rf $(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR)/collections/__pycache__
|
|
rm -rf $(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR)/importlib/__pycache__
|
|
endef
|
|
|
|
PYTHON3_POST_INSTALL_TARGET_HOOKS += PYTHON3_REMOVE_USELESS_FILES
|
|
|
|
#
|
|
# Make sure libpython gets stripped out on target
|
|
#
|
|
define PYTHON3_ENSURE_LIBPYTHON_STRIPPED
|
|
chmod u+w $(TARGET_DIR)/usr/lib/libpython$(PYTHON3_VERSION_MAJOR)*.so
|
|
endef
|
|
|
|
PYTHON3_POST_INSTALL_TARGET_HOOKS += PYTHON3_ENSURE_LIBPYTHON_STRIPPED
|
|
|
|
PYTHON3_AUTORECONF = YES
|
|
PYTHON3_AUTORECONF_OPTS = --include=$(HOST_DIR)/share/autoconf-archive
|
|
|
|
define PYTHON3_INSTALL_SYMLINK
|
|
ln -fs python3 $(TARGET_DIR)/usr/bin/python
|
|
endef
|
|
|
|
ifneq ($(BR2_PACKAGE_PYTHON),y)
|
|
PYTHON3_POST_INSTALL_TARGET_HOOKS += PYTHON3_INSTALL_SYMLINK
|
|
endif
|
|
|
|
# Some packages may have build scripts requiring python3, whatever is the
|
|
# python version chosen for the target.
|
|
# Only install the python symlink in the host tree if python3 is enabled
|
|
# for the target.
|
|
ifeq ($(BR2_PACKAGE_PYTHON3),y)
|
|
define HOST_PYTHON3_INSTALL_SYMLINK
|
|
ln -fs python3 $(HOST_DIR)/bin/python
|
|
ln -fs python3-config $(HOST_DIR)/bin/python-config
|
|
endef
|
|
|
|
HOST_PYTHON3_POST_INSTALL_HOOKS += HOST_PYTHON3_INSTALL_SYMLINK
|
|
endif
|
|
|
|
# Provided to other packages
|
|
PYTHON3_PATH = $(STAGING_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR)/
|
|
|
|
# Support for socket.AF_BLUETOOTH
|
|
ifeq ($(BR2_PACKAGE_BLUEZ5_UTILS_HEADERS),y)
|
|
PYTHON3_DEPENDENCIES += bluez5_utils-headers
|
|
endif
|
|
|
|
$(eval $(autotools-package))
|
|
$(eval $(host-autotools-package))
|
|
|
|
ifeq ($(BR2_REPRODUCIBLE),y)
|
|
define PYTHON3_FIX_TIME
|
|
find $(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR) -name '*.py' -print0 | \
|
|
xargs -0 --no-run-if-empty touch -d @$(SOURCE_DATE_EPOCH)
|
|
endef
|
|
endif
|
|
|
|
define PYTHON3_CREATE_PYC_FILES
|
|
$(PYTHON3_FIX_TIME)
|
|
PYTHONPATH="$(PYTHON3_PATH)" \
|
|
$(HOST_DIR)/bin/python$(PYTHON3_VERSION_MAJOR) \
|
|
$(TOPDIR)/support/scripts/pycompile.py \
|
|
$(if $(VERBOSE),--verbose) \
|
|
--strip-root $(TARGET_DIR) \
|
|
$(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR)
|
|
endef
|
|
|
|
ifeq ($(BR2_PACKAGE_PYTHON3_PYC_ONLY)$(BR2_PACKAGE_PYTHON3_PY_PYC),y)
|
|
PYTHON3_TARGET_FINALIZE_HOOKS += PYTHON3_CREATE_PYC_FILES
|
|
endif
|
|
|
|
ifeq ($(BR2_PACKAGE_PYTHON3_PYC_ONLY),y)
|
|
define PYTHON3_REMOVE_PY_FILES
|
|
find $(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR) -name '*.py' \
|
|
$(if $(strip $(KEEP_PYTHON_PY_FILES)),-not \( $(call finddirclauses,$(TARGET_DIR),$(KEEP_PYTHON_PY_FILES)) \) ) \
|
|
-print0 | \
|
|
xargs -0 --no-run-if-empty rm -f
|
|
endef
|
|
PYTHON3_TARGET_FINALIZE_HOOKS += PYTHON3_REMOVE_PY_FILES
|
|
endif
|
|
|
|
# Normally, *.pyc files should not have been compiled, but just in
|
|
# case, we make sure we remove all of them.
|
|
ifeq ($(BR2_PACKAGE_PYTHON3_PY_ONLY),y)
|
|
define PYTHON3_REMOVE_PYC_FILES
|
|
find $(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR) -name '*.pyc' -print0 | \
|
|
xargs -0 --no-run-if-empty rm -f
|
|
endef
|
|
PYTHON3_TARGET_FINALIZE_HOOKS += PYTHON3_REMOVE_PYC_FILES
|
|
endif
|
|
|
|
# In all cases, we don't want to keep the optimized .opt-1.pyc and
|
|
# .opt-2.pyc files, since they can't work without their non-optimized
|
|
# variant.
|
|
define PYTHON3_REMOVE_OPTIMIZED_PYC_FILES
|
|
find $(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR) -name '*.opt-1.pyc' -print0 -o -name '*.opt-2.pyc' -print0 | \
|
|
xargs -0 --no-run-if-empty rm -f
|
|
endef
|
|
PYTHON3_TARGET_FINALIZE_HOOKS += PYTHON3_REMOVE_OPTIMIZED_PYC_FILES
|