Refresh sha256 from PyPI sdist. pyOpenSSL 26.2.0 dropped EC support
from the legacy crypto.PKey API (the call surfaces as "OpenSSL.crypto.Error:
No such key type"); drop the EC-key arm of test.sh accordingly. Upstream
points at the cryptography package for EC key generation.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
The wheel's /usr/bin/readelf.py collides with binutils' /usr/bin/readelf
and gets its shebang stripped by CompileAll + DeleteSourceFiles. Rename
to pyreadelf via the Py3Package install hook, matching Fedora's package.
Also depend on python3-asyncio and python3-codecs: elftools.construct.debug
imports pdb, and Python 3.14's pdb pulls in asyncio (via _pyrepl) and
unicodedata (via _pyrepl.utils) at import time.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
pyelftools 0.32 ships a PEP 517 build that requires setuptools as its
backend, so -m build fails with "BackendUnavailable: Cannot import
'setuptools.build_meta'" when only build, installer and wheel are staged.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
aiosignal is a small aio-libs helper that provides a Signal class for
fan-out of coroutine callbacks. Its only practical use is as a runtime
dependency of aiohttp, which is not packaged in this repository, and no
other package here declares aiosignal as a runtime or build dependency.
Drop the package; users who pull in aiohttp via pip on the target will
get aiosignal as a transitive dependency anyway.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Exercise anyio end-to-end with the structured-concurrency example
from the upstream "Creating and managing tasks" docs: spawn 5 child
tasks via create_task_group(), each appending to a shared list, then
verify all completed.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Previous test.sh only confirmed the import smoke check. Add a $2
version check, assert MODE_* constants are distinct ints, and exercise
the loader's error paths (missing file, non-MMDB temp file).
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
maxminddb 3.x switched to PEP 517 with build-system.requires including
setuptools-scm, so the wheel build now fails with "ERROR Missing
dependencies: setuptools-scm". Wire it into PKG_BUILD_DEPENDS and bump.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
zipp is a small backport / forward-port of zipfile.Path, originally
useful when zipfile.Path was new in stdlib (Python 3.8). With the
python3 package now tracking 3.14, zipfile.Path covers what
zipp.Path exposes, and no other package in this repository declares
zipp as a runtime or build dependency.
Drop the package to remove the dead weight; users who still need it
can install it via pip on the target.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Removing the ncursesw path from include avoids seeing the wide-char
version of ncurses, so the host build picks up the narrow static lib
that the OpenWrt SDK stages. To keep that pin from leaking back in
through other curses headers the build host may have under
/usr/include, also force every header check in Python's configure.ac
AC_CHECK_HEADERS(curses.h ncurses.h ncursesw/ncurses.h
ncursesw/curses.h ncursesw/panel.h panel.h) line to "no" via cached
ac_cv_header_* variables.
The narrow ncursesw_* trio was enough on the original reporter's
host; Jan Kardell's review of the first cut hit a build where
`/usr/include/curses.h` and `/usr/include/ncurses.h` from the
distro's libncurses-dev were still being picked up. Adding the
non-wide entries (and panel.h for symmetry, in case a host also
ships /usr/include/panel.h alone) makes the override insensitive to
whichever curses dev packages the host distro happens to provide.
Reported-by: Jan Kardell <jan.kardell@telliq.com>
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
This is the latest 3.14.x point release with assorted bug fixes
from upstream. PYTHON3_PIP_VERSION is bumped from 26.0.1 to 26.1.1
to match the pip wheel bundled in the 3.14.5 source tarball; the
host build's ensurepip lookup of pip-$(PYTHON3_PIP_VERSION).whl
otherwise fails. The set of OpenWrt-side patches still applies
against the new source; only quilt context-line offsets needed
refreshing for the patches that touch Makefile.pre.in.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Bump from 46.0.7 to the current 48.0.0 release. Notable upstream
changes since 46.0.7:
- 48.0.0 drops Python 3.8 support (requires 3.9+); raises
Py_LIMITED_API floor to 0x030900f0.
- Adds ML-KEM / ML-DSA post-quantum primitives via OpenSSL 3.5.0+
(in addition to existing AWS-LC / BoringSSL paths).
- BACKWARDS INCOMPATIBLE: stricter X.509 CRL signature-algorithm
matching (mismatched inner/outer algs now raise ValueError at parse
time).
- Drops 32-bit Windows wheels and ships macOS only on arm64.
Replace the old downstream cross-compile fix with a backport of the
upstream-merged version from pyca/cryptography PR #14904
(commit 5d072cb2a685, scheduled for the release after 48.0.0).
Release notes:
https://cryptography.io/en/latest/changelog/#v48-0-0
Fixes: https://github.com/openwrt/packages/issues/29521
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
When python3 -m build is invoked during host-compile, it fails with:
/builder/staging_dir/hostpkg/bin/python3.14: No module named build
The package's HOST_BUILD_DEPENDS only pulled in python3 and
python-packaging, missing the actual host tooling for the new
pyproject build flow:
- python-build : provides the 'build' module itself
- python-installer : installs the resulting wheel
- python-wheel : wheel format support
- python-flit-core : marshmallow's declared build-backend
(build-backend = "flit_core.buildapi" in
pyproject.toml)
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
The three CLI helpers shipped by python3-argcomplete
(activate-global-python-argcomplete, register-python-argcomplete,
python-argcomplete-check-easy-install-script) don't accept a --version
flag and emit no PKG_VERSION string in their usage output. With all
three executables missing the version, the generic CI test stage
fails with "No executables in the package provided version 3.6.3".
Add a test-version.sh that emits a line containing PKG_VERSION so the
framework's "Version check override" passes. The existing test.sh
already exercises the Python module import.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
New features (pipx 1.12.0):
- Add --fetch-python / PIPX_FETCH_PYTHON env var (always|missing|never)
to control standalone Python interpreter downloads
- Add opt-in "uv" backend: pipx can now use "uv venv" and "uv pip" for
managing virtual environments
* When "uv" is on PATH, defaults to using uv for NEW venvs
* Existing venvs keep their recorded backend (pip or uv)
* Set PIPX_DEFAULT_BACKEND=pip to force pip even with uv available
* pipx install pip always uses the pip backend (uv venvs have no pip)
Deprecations:
- --fetch-missing-python and PIPX_FETCH_MISSING_PYTHON deprecated;
use --fetch-python=missing or PIPX_FETCH_PYTHON=missing instead
Changelog:
https://github.com/pypa/pipx/releases/tag/1.12.0
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Fixes:
- Moved "headers" input type back to Mapping to avoid invariance issues
with MutableMapping and inferred dict types.
Users calling Request.headers.update() may need to narrow typing in code
(Closes#7441).
Security:
- CVE-2026-25645: Fixed extract_zipped_paths to extract contents to
a non-deterministic temp directory, to prevent malicious file replacement.
Does not affect default usage of Requests, only apps calling this utility
directly.
Changelog:
https://github.com/psf/requests/releases/tag/v2.34.2
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Fixes (click 8.3.3):
- Fix help strings for "help_option_names" that do not contain "-"
- Help string generation now properly handles option names with dashes
Changelog:
https://github.com/pallets/click/releases
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Add source packages and library to version check overrides.
Fixes: b5d3a38e ("python3: move version checks to override")
Signed-off-by: George Sapkin <george@sapk.in>
1.0.1 fixes a false-positive path-traversal check in destinations.py:
the 1.0.0 code used Path.resolve() to validate that each installed file
stays within the --destdir, but Path.resolve() follows symlinks.
OpenWrt's staging dir and toolchain directories contain many symlinks,
so resolved paths could escape the destdir comparison and trigger:
ValueError: Attempting to write <file> outside of the target directory
1.0.1 replaces Path.resolve() with os.path.abspath(), which normalises
the path without following symlinks, eliminating the false positive.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Alexandru Ardelean
Wei-Ting Yang
George Sapkin