From ac2bd5b1e8c5d8ee04c12ef6f34f1c9f1f8338c0 Mon Sep 17 00:00:00 2001 From: Steve Dower Date: Fri, 3 Jul 2015 09:08:47 -0700 Subject: [PATCH 1/7] Fixes warnings when building python3.dll due to the .def file accumulating multiple copies of each line. Adds shebang line to prepare_ssl so it will run with py.exe. --- PCbuild/prepare_ssl.py | 1 + PCbuild/python3dll.vcxproj | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/PCbuild/prepare_ssl.py b/PCbuild/prepare_ssl.py index 671e526f9cf..4203dab2f8e 100644 --- a/PCbuild/prepare_ssl.py +++ b/PCbuild/prepare_ssl.py @@ -1,3 +1,4 @@ +#! /usr/bin/env python3 # Script for preparing OpenSSL for building on Windows. # Uses Perl to create nmake makefiles and otherwise prepare the way # for building on 32 or 64 bit platforms. diff --git a/PCbuild/python3dll.vcxproj b/PCbuild/python3dll.vcxproj index b03d09fa39f..18ff4a83e91 100644 --- a/PCbuild/python3dll.vcxproj +++ b/PCbuild/python3dll.vcxproj @@ -109,7 +109,7 @@ - + @@ -132,7 +132,7 @@ <_Lines Include="@(_Symbols->'%(Symbol)')" /> - + From a09ef0389badf6646e1d470d722880e6d5d65f33 Mon Sep 17 00:00:00 2001 From: Steve Dower Date: Fri, 3 Jul 2015 15:13:48 -0700 Subject: [PATCH 2/7] Issue #24432: Update Windows builds to use OpenSSL 1.0.2c. --- Misc/NEWS | 2 ++ PCbuild/get_externals.bat | 2 +- PCbuild/pyproject.props | 2 +- PCbuild/readme.txt | 2 +- 4 files changed, 5 insertions(+), 3 deletions(-) diff --git a/Misc/NEWS b/Misc/NEWS index becb9ef1937..95a1237c349 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -343,6 +343,8 @@ Build - Issue #23686: Update OS X 10.5 installer and Windows builds to use OpenSSL 1.0.2a. +- Issue #24432: Update Windows builds to use OpenSSL 1.0.2c. + C API ----- diff --git a/PCbuild/get_externals.bat b/PCbuild/get_externals.bat index 3836ee468cd..8ece4e32c50 100644 --- a/PCbuild/get_externals.bat +++ b/PCbuild/get_externals.bat 
@@ -54,7 +54,7 @@ echo.Fetching external libraries... for %%e in ( bzip2-1.0.6 nasm-2.11.06 - openssl-1.0.2a + openssl-1.0.2c tcl-8.6.1.0 tk-8.6.1.0 tix-8.4.3.4 diff --git a/PCbuild/pyproject.props b/PCbuild/pyproject.props index 7e6c7dd0eb7..26fd569fc4b 100644 --- a/PCbuild/pyproject.props +++ b/PCbuild/pyproject.props @@ -20,7 +20,7 @@ $(externalsDir)\sqlite-3.8.3.1 $(externalsDir)\bzip2-1.0.6 $(externalsDir)\xz-5.0.5 - $(externalsDir)\openssl-1.0.2a + $(externalsDir)\openssl-1.0.2c $(externalsDir)\tcltk $(externalsDir)\tcltk64 $(tcltkDir)\lib\tcl86t.lib;$(tcltkDir)\lib\tk86t.lib diff --git a/PCbuild/readme.txt b/PCbuild/readme.txt index c27af9989b7..5b3e9809096 100644 --- a/PCbuild/readme.txt +++ b/PCbuild/readme.txt @@ -171,7 +171,7 @@ _lzma Homepage: http://tukaani.org/xz/ _ssl - Python wrapper for version 1.0.2a of the OpenSSL secure sockets + Python wrapper for version 1.0.2c of the OpenSSL secure sockets library, which is built by ssl.vcxproj Homepage: http://www.openssl.org/ From 0454d48e0213d0187e63f78673b31639e3ea94ea Mon Sep 17 00:00:00 2001 From: Ned Deily Date: Fri, 3 Jul 2015 23:35:00 -0700 Subject: [PATCH 3/7] Issue #24432: Update OS X 10.5+ installer builds to use OpenSSL 1.0.2c. --- Mac/BuildScript/build-installer.py | 6 +++--- Mac/BuildScript/openssl_sdk_makedepend.patch | 2 +- Misc/NEWS | 6 ++---- 3 files changed, 6 insertions(+), 8 deletions(-) diff --git a/Mac/BuildScript/build-installer.py b/Mac/BuildScript/build-installer.py index 872828967ea..7fe5512af58 100755 --- a/Mac/BuildScript/build-installer.py +++ b/Mac/BuildScript/build-installer.py @@ -237,9 +237,9 @@ def library_recipes(): result.extend([ dict( - name="OpenSSL 1.0.2a", - url="https://www.openssl.org/source/openssl-1.0.2a.tar.gz", - checksum='a06c547dac9044161a477211049f60ef', + name="OpenSSL 1.0.2c", + url="https://www.openssl.org/source/openssl-1.0.2c.tar.gz", + checksum='8c8d81a9ae7005276e486702edbcd4b6', patches=[ "openssl_sdk_makedepend.patch", ], 
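Review bot: The new `checksum='8c8d81a9ae7005276e486702edbcd4b6'` on the `OpenSSL 1.0.2c` recipe is 32 hex digits, which is the length of an MD5 digest. MD5 is not collision-resistant, so it is a weak integrity pin for a downloaded source tarball that is compiled into the installer. If the verification helper can accept a stronger digest (it is not visible in this hunk), pin a SHA-256 value instead, e.g. `checksum='SHA256_PLACEHOLDER'`, computed from a copy of `openssl-1.0.2c.tar.gz` that was checked against the upstream release signature. `library_recipes()` starts and ends outside the hunk.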
diff --git a/Mac/BuildScript/openssl_sdk_makedepend.patch b/Mac/BuildScript/openssl_sdk_makedepend.patch index 5903afdbff1..74d712115bd 100644 --- a/Mac/BuildScript/openssl_sdk_makedepend.patch +++ b/Mac/BuildScript/openssl_sdk_makedepend.patch @@ -2,7 +2,7 @@ # Parent 25a9af415e8c3faf591c360d5f0e361d049b2b43 # openssl_sdk_makedepend.patch # -# using openssl 1.0.2a +# using openssl 1.0.2c # # - support building with an OS X SDK # - allow "make depend" to use compilers with names other than "gcc" diff --git a/Misc/NEWS b/Misc/NEWS index 95a1237c349..3d4694fa258 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -340,10 +340,8 @@ Build - Issue #23445: pydebug builds now use "gcc -Og" where possible, to make the resulting executable faster. -- Issue #23686: Update OS X 10.5 installer and Windows builds to use - OpenSSL 1.0.2a. - -- Issue #24432: Update Windows builds to use OpenSSL 1.0.2c. +- Issue #24432: Update Windows builds and OS X 10.5 installer to use OpenSSL + 1.0.2c. C API ----- From 1b7f6fedb3472b709928e8763d0b86f99fb5d7a9 Mon Sep 17 00:00:00 2001 From: Ned Deily Date: Fri, 3 Jul 2015 23:53:51 -0700 Subject: [PATCH 4/7] Updates to the OS X installer for 3.5.0b3: - update installer ReadMe file - suppress installer per-file byte-compilation messages to system log - speed up installer byte-compilation - isolate ensurepip install from user site-packages --- Mac/BuildScript/resources/ReadMe.rtf | 69 +++++++++++++++++++- Mac/BuildScript/scripts/postflight.ensurepip | 10 +-- Mac/BuildScript/scripts/postflight.framework | 16 ++--- 3 files changed, 80 insertions(+), 15 deletions(-) diff --git a/Mac/BuildScript/resources/ReadMe.rtf b/Mac/BuildScript/resources/ReadMe.rtf index d27c6a114fd..65e3f14cd34 100644 --- a/Mac/BuildScript/resources/ReadMe.rtf +++ b/Mac/BuildScript/resources/ReadMe.rtf 
@@ -1,4 +1,4 @@ -{\rtf1\ansi\ansicpg1252\cocoartf1347\cocoasubrtf570 +{\rtf1\ansi\ansicpg1252\cocoartf1348\cocoasubrtf170 {\fonttbl\f0\fswiss\fcharset0 Helvetica;\f1\fmodern\fcharset0 CourierNewPSMT;} {\colortbl;\red255\green255\blue255;} \margl1440\margr1440\vieww13380\viewh14600\viewkind0 @@ -24,7 +24,7 @@ Python.org provides two installer variants for download: one that installs a \i0 variant. Unless you are installing to an 10.5 system or you need to build applications that can run on 10.5 systems, use the 10.6 variant if possible. There are some additional operating system functions that are supported starting with 10.6 and you may see better performance using 64-bit mode. By default, Python will automatically run in 64-bit mode if your system supports it. Also see \i Certificate verification and OpenSSL \i0 below. The Pythons installed by these installers are built with private copies of some third-party libraries not included with or newer than those in OS X itself. The list of these libraries varies by installer variant and is included at the end of the License.rtf file. -\b \ul \ulc0 \ +\b \ul \ \ Update your version of Tcl/Tk to use IDLE or other Tk applications \b0 \ulnone \ 
@@ -36,6 +36,71 @@ To use IDLE or other programs that use the Tkinter graphical user interface tool \i0 for this version of Python and of Mac OS X.\ \b \ul \ +Certificate verification and OpenSSL\ + +\b0 \ulnone \ +Python 3.5 includes a number of network security enhancements that were released in Python 3.4.3 and Python 2.7.10. {\field{\*\fldinst{HYPERLINK "https://www.python.org/dev/peps/pep-0476/"}}{\fldrslt PEP 476}} changes several standard library modules, like +\i httplib +\i0 , +\i urllib +\i0 , and +\i xmlrpclib +\i0 , to by default verify certificates presented by servers over secure (TLS) connections. The verification is performed by the OpenSSL libraries that Python is linked to. Prior to 3.4.3, both python.org installers dynamically linked with Apple-supplied OpenSSL libraries shipped with OS X. OS X provides a multiple level security framework that stores trust certificates in system and user keychains managed by the +\i Keychain Access +\i0 application and the +\i security +\i0 command line utility.\ +\ +For OS X 10.5, Apple provides +\i OpenSSL 0.9.7 +\i0 libraries. This version of Apple's OpenSSL +\b does not +\b0 use the certificates from the system security framework, even when used on newer versions of OS X. Instead it consults a traditional OpenSSL concatenated certificate file ( +\i cafile +\i0 ) or certificate directory ( +\i capath +\i0 ), located in +\f1 /System/Library/OpenSSL +\f0 . These directories are typically empty and not managed by OS X; you must manage them yourself or supply your own SSL contexts. OpenSSL 0.9.7 is obsolete by current security standards, lacking a number of important features found in later versions. Among the problems this causes is the inability to verify higher-security certificates now used by python.org services, including +\i t{\field{\*\fldinst{HYPERLINK "https://pypi.python.org/pypi"}}{\fldrslt he Python Package Index, PyPI}} +\i0 . 
To solve this problem, the +\i 10.5+ 32-bit-only python.org variant +\i0 is linked with a private copy of +\i OpenSSL 1.0.2 +\i0 ; it consults the same default certificate directory, +\f1 /System/Library/OpenSSL +\f0 . As before, it is still necessary to manage certificates yourself when you use this Python variant and, with certificate verification now enabled by default, you may now need to take additional steps to ensure your Python programs have access to CA certificates you trust. If you use this Python variant to build standalone applications with third-party tools like {\field{\*\fldinst{HYPERLINK "https://pypi.python.org/pypi/py2app/"}}{\fldrslt +\f1 py2app}}, you may now need to bundle CA certificates in them or otherwise supply non-default SSL contexts.\ +\ +For OS X 10.6+, Apple also provides +\i OpenSSL +\i0 +\i 0.9.8 libraries +\i0 . Apple's 0.9.8 version includes an important additional feature: if a certificate cannot be verified using the manually administered certificates in +\f1 /System/Library/OpenSSL +\f0 , the certificates managed by the system security framework In the user and system keychains are also consulted (using Apple private APIs). For this reason, the +\i 64-bit/32-bit 10.6+ python.org variant +\i0 continues to be dynamically linked with Apple's OpenSSL 0.9.8 since it was felt that the loss of the system-provided certificates and management tools outweighs the additional security features provided by newer versions of OpenSSL. This will likely change in future releases of the python.org installers as Apple has deprecated use of the system-supplied OpenSSL libraries. 
If you do need features from newer versions of OpenSSL, there are third-party OpenSSL wrapper packages available through +\i PyPI +\i0 .\ +\ +The bundled +\f1 pip +\f0 included with the Python 3.5 installers has its own default certificate store for verifying download connections.\ +\ + +\b \ul Other changes\ + +\b0 \ulnone \ +\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\pardirnatural +\cf0 For other changes in this release, see the +\i What's new +\i0 section in the {\field{\*\fldinst{HYPERLINK "https://www.python.org/doc/"}}{\fldrslt Documentation Set}} for this release and its +\i Release Notes +\i0 link at {\field{\*\fldinst{HYPERLINK "https://www.python.org/downloads/"}}{\fldrslt https://www.python.org/downloads/}}.\ +\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\pardirnatural + +\b \cf0 \ul \ Python 3 and Python 2 Co-existence\ \b0 \ulnone \ diff --git a/Mac/BuildScript/scripts/postflight.ensurepip b/Mac/BuildScript/scripts/postflight.ensurepip index bf893d1da61..3074fa36fc0 100755 --- a/Mac/BuildScript/scripts/postflight.ensurepip +++ b/Mac/BuildScript/scripts/postflight.ensurepip @@ -10,15 +10,15 @@ RELFWKBIN="../../..${FWK}/bin" umask 022 -"${FWK}/bin/python${PYVER}" -m ensurepip --upgrade +"${FWK}/bin/python${PYVER}" -E -s -m ensurepip --upgrade -"${FWK}/bin/python${PYVER}" -Wi \ - "${FWK}/lib/python${PYVER}/compileall.py" \ +"${FWK}/bin/python${PYVER}" -E -s -Wi \ + "${FWK}/lib/python${PYVER}/compileall.py" -q -j0 \ -f -x badsyntax \ "${FWK}/lib/python${PYVER}/site-packages" -"${FWK}/bin/python${PYVER}" -Wi -O \ - "${FWK}/lib/python${PYVER}/compileall.py" \ +"${FWK}/bin/python${PYVER}" -E -s -Wi -O \ + "${FWK}/lib/python${PYVER}/compileall.py" -q -j0 \ -f -x badsyntax \ "${FWK}/lib/python${PYVER}/site-packages" diff --git a/Mac/BuildScript/scripts/postflight.framework b/Mac/BuildScript/scripts/postflight.framework index eb082979be4..0f2e52c4ca1 100755 
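Review bot: On the `-m ensurepip --upgrade` line in `postflight.ensurepip`, `-E -s` leaves one import path uncontrolled: with `-m` the interpreter still puts the current working directory first on `sys.path`. A stray `ensurepip` or stdlib-named module in the directory the installer runs the script from would therefore be imported ahead of the framework's copy. The commit message targets 3.5.0b3, where isolated mode covers this as well: `"${FWK}/bin/python${PYVER}" -I -m ensurepip --upgrade` (`-I` implies `-E` and `-s`). The `compileall.py` calls here and in `postflight.framework` run a script by path, so their `sys.path[0]` is the library directory and `-E -s` is enough there. Which working directory the installer uses is not visible in this hunk.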
--- a/Mac/BuildScript/scripts/postflight.framework +++ b/Mac/BuildScript/scripts/postflight.framework @@ -6,23 +6,23 @@ PYVER="@PYVER@" FWK="/Library/Frameworks/Python.framework/Versions/@PYVER@" -"${FWK}/bin/python@PYVER@" -Wi \ - "${FWK}/lib/python${PYVER}/compileall.py" \ +"${FWK}/bin/python@PYVER@" -E -s -Wi \ + "${FWK}/lib/python${PYVER}/compileall.py" -q -j0 \ -f -x 'bad_coding|badsyntax|site-packages|lib2to3/tests/data' \ "${FWK}/lib/python${PYVER}" -"${FWK}/bin/python@PYVER@" -Wi -O \ - "${FWK}/lib/python${PYVER}/compileall.py" \ +"${FWK}/bin/python@PYVER@" -E -s -Wi -O \ + "${FWK}/lib/python${PYVER}/compileall.py" -q -j0 \ -f -x 'bad_coding|badsyntax|site-packages|lib2to3/tests/data' \ "${FWK}/lib/python${PYVER}" -"${FWK}/bin/python@PYVER@" -Wi \ - "${FWK}/lib/python${PYVER}/compileall.py" \ +"${FWK}/bin/python@PYVER@" -E -s -Wi \ + "${FWK}/lib/python${PYVER}/compileall.py" -q -j0 \ -f -x badsyntax \ "${FWK}/lib/python${PYVER}/site-packages" -"${FWK}/bin/python@PYVER@" -Wi -O \ - "${FWK}/lib/python${PYVER}/compileall.py" \ +"${FWK}/bin/python@PYVER@" -E -s -Wi -O \ + "${FWK}/lib/python${PYVER}/compileall.py" -q -j0 \ -f -x badsyntax \ "${FWK}/lib/python${PYVER}/site-packages" From 06606e716540d6607a0a5496ab9d81f0ee646247 Mon Sep 17 00:00:00 2001 From: Steve Dower Date: Sat, 4 Jul 2015 11:48:37 -0700 Subject: [PATCH 5/7] Ignore user environment/site-packages for ensurepip and compile_all Remove build condition to prevent old strings hanging around Add -h option to build.bat --- Tools/msi/build.bat | 16 +++++++++++++--- Tools/msi/bundle/packagegroups/postinstall.wxs | 2 +- Tools/msi/msi.targets | 2 +- Tools/msi/pip/pip.wxs | 4 ++-- 4 files changed, 17 insertions(+), 7 deletions(-) diff --git a/Tools/msi/build.bat b/Tools/msi/build.bat index 4dfa5fb8bdb..1dc05c39974 100644 --- a/Tools/msi/build.bat +++ b/Tools/msi/build.bat 
@@ -8,9 +8,10 @@ set BUILDX64= set BUILDDOC= :CheckOpts -if '%1'=='-x86' (set BUILDX86=1) && shift && goto CheckOpts -if '%1'=='-x64' (set BUILDX64=1) && shift && goto CheckOpts -if '%1'=='--doc' (set BUILDDOC=1) && shift && goto CheckOpts +if "%1" EQU "-h" goto Help +if "%1" EQU "-x86" (set BUILDX86=1) && shift && goto CheckOpts +if "%1" EQU "-x64" (set BUILDX64=1) && shift && goto CheckOpts +if "%1" EQU "--doc" (set BUILDDOC=1) && shift && goto CheckOpts if not defined BUILDX86 if not defined BUILDX64 (set BUILDX86=1) && (set BUILDX64=1) @@ -44,3 +45,12 @@ if defined BUILDX64 ( msbuild "%D%bundle\snapshot.wixproj" /p:Platform=x64 if errorlevel 1 goto :eof ) + +exit /B 0 + +:Help +echo build.bat [-x86] [-x64] [--doc] [-h] +echo. +echo -x86 Build x86 installers +echo -x64 Build x64 installers +echo --doc Build CHM documentation diff --git a/Tools/msi/bundle/packagegroups/postinstall.wxs b/Tools/msi/bundle/packagegroups/postinstall.wxs index b20cc501b76..35978cc7c6f 100644 --- a/Tools/msi/bundle/packagegroups/postinstall.wxs +++ b/Tools/msi/bundle/packagegroups/postinstall.wxs @@ -36,7 +36,7 @@ - + - + <_Content>$([System.IO.File]::ReadAllText(%(WxlTemplate.FullPath)).Replace(`{{ShortVersion}}`, `$(MajorVersionNumber).$(MinorVersionNumber)`).Replace(`{{LongVersion}}`, `$(PythonVersion)`).Replace(`{{Bitness}}`, `$(Bitness)`)) <_ExistingContent Condition="Exists('$(IntermediateOutputPath)%(WxlTemplate.Filename).wxl')">$([System.IO.File]::ReadAllText($(IntermediateOutputPath)%(WxlTemplate.Filename).wxl)) diff --git a/Tools/msi/pip/pip.wxs b/Tools/msi/pip/pip.wxs index 4c3dc59ec3b..c46a8681888 100644 --- a/Tools/msi/pip/pip.wxs +++ b/Tools/msi/pip/pip.wxs @@ -27,8 +27,8 @@ - - + + (&DefaultFeature=3) AND NOT (!DefaultFeature=3) From a1005ed1aa6a4aa749aadaac090189ffcef587c3 Mon Sep 17 00:00:00 2001 
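Review bot: In `Tools/msi/build.bat`, an argument that matches none of the four tests under `:CheckOpts` falls through silently. Because `EQU` is case-sensitive without `/I`, a mistyped option such as `-X64` leaves both flags unset and builds both platforms instead of reporting an error, and any valid options after it are never parsed. Consider adding `if not "%~1"=="" (echo Unknown option %1 & goto Help)` after the `--doc` test. The four new tests should also use `"%~1"` rather than `"%1"`, so that an argument passed in quotes still compares correctly.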
From: R David Murray Date: Sat, 4 Jul 2015 15:44:14 -0400 Subject: [PATCH 6/7] #24584: replace dead link with pointer to archive.org. --- Doc/library/unittest.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Doc/library/unittest.rst b/Doc/library/unittest.rst index bdb18bc41fa..e7e3262f9e1 100644 --- a/Doc/library/unittest.rst +++ b/Doc/library/unittest.rst @@ -47,7 +47,7 @@ test runner Module :mod:`doctest` Another test-support module with a very different flavor. - `Simple Smalltalk Testing: With Patterns `_ + `Simple Smalltalk Testing: With Patterns `_ Kent Beck's original paper on testing frameworks using the pattern shared by :mod:`unittest`. From f1ce6deb4111267ab8de5cd6430c1bcebe1084bc Mon Sep 17 00:00:00 2001 From: Ned Deily Date: Sat, 4 Jul 2015 15:05:07 -0700 Subject: [PATCH 7/7] =?UTF-8?q?Issue=20#24330:=20Update=20IDLE=20doc=20and?= =?UTF-8?q?=20help=20to=20note=20"Configure=20IDLE"=20difference=20on=20OS?= =?UTF-8?q?=20X.=20=20Original=20patch=20by=20Andr=C3=A9=20Freitas.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Doc/library/idle.rst | 3 ++- Lib/idlelib/help.txt | 4 +++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/Doc/library/idle.rst b/Doc/library/idle.rst index c842b2639cc..24e22c103de 100644 --- a/Doc/library/idle.rst +++ b/Doc/library/idle.rst @@ -248,7 +248,8 @@ Configure IDLE help sources can be specified. Non-default user setting are saved in a .idlerc directory in the user's home directory. Problems caused by bad user configuration files are solved by editing or deleting one or more of the - files in .idlerc. + files in .idlerc. On OS X, open the configuration dialog by selecting + Preferences in the application menu. Configure Extensions Open a configuration dialog for setting preferences for extensions diff --git a/Lib/idlelib/help.txt b/Lib/idlelib/help.txt index 7eff3700405..95401734984 100644 --- a/Lib/idlelib/help.txt +++ b/Lib/idlelib/help.txt 
@@ -129,7 +129,9 @@ Options Menu (Shell and Editor): Configure IDLE -- Open a configuration dialog. Fonts, indentation, keybindings, and color themes may be altered. Startup Preferences may be set, and additional Help - sources can be specified. + sources can be specified. On OS X, open the + configuration dialog by selecting Preferences + in the application menu. --- Code Context (toggle) -- Open a pane at the top of the edit window