9 Commits

Author SHA1 Message Date
Narpat Mali
fd36d262b8 python3-wheel: fix for CVE-2022-40898
An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1
and earlier allows remote attackers to cause a denial of service via
attacker controlled input to wheel cli.

CVE: CVE-2022-40898

Upstream-Status: Backport [88f02bc335]

(From OE-Core rev: 0974291e545aec68755dfb634c75dca37cca1ea9)

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-01-26 23:37:05 +00:00
Ross Burton
6f5ee7fffb classes/flit_core: rename to python_flit_core
To be more uniform with the other new Python classes, rename this to
python_flit_core and update the recipes that use it.

(From OE-Core rev: c0e4ca3c7841028a658f21c11619228022d425b4)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-03-17 16:44:33 +00:00
Ross Burton
00bc2e68f9 python_pep517: use installer instead of pip
Instead of battling pip to install a wheel, use installer. Installer
does one thing, so it's faster and easier to work with.

This means setuptools, pip, and wheel are no longer part of the
bootstrap phase, so they can be built normally.  To avoid sysroot file
conflicts these three recipes can't install .pyc files to the native
sysroot.

We currently patch pypa/installer to allow us to override the interpreter
used, which means we can drop the interpreter seding.

We don't need to recompile any Python which is found in $bindir as
Python doesn't actually load those files.

Across a build of oe-core, the only differences between using pip and
installer are:

- the .dist-info/RECORD files are ordered differently
- the .dist-info/REQUESTED and INSTALLER files are not created
- the hashbang in native scripts is "/usr/bin/env nativepython" instead
  of pointing directly at the native sysroot python3.

(From OE-Core rev: f780f6d920d8bbfb674d6066a8b899417decf8d2)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-03-16 08:48:09 +00:00
Ross Burton
a50bf48f90 meta: rename pip_install_wheel.bbclass to python_pep517.bbclass
pip_install_wheel shouldn't be restricted to just using Pip to install
wheels (the installer module is simpler and likely a better option),
and in the future may be extended to also provide do_compile() using
the build module.

(From OE-Core rev: 3bdf64b97facce9706cc579bdbc9a80e0d48428f)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-03-13 12:23:48 +00:00
Ross Burton
5331d29a89 pip_install_wheel: add a generic do_install for bootstrapping
Several recipes are duplicating the same bootstrap logic for installing
a wheel without using any tools.  Add an implementation to
pip_install_wheel to centralise the code, and remove the duplicated code
from the following recipes:

- python3-flit-core
- python3-pip
- python3-setuptools
- python3-wheel

(From OE-Core rev: d5d702a2cd06f863340f8e4cdce0904c9d86384d)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-03-11 06:56:01 +00:00
Ross Burton
c6ac203061 python3-wheel: clean up PYPA_WHEEL usage
Remove the use of PYPA_WHEEL in the native do_install() as this variable
will be disappearing shortly.

Remove the bbfatal_log in the native do_install(), if this breaks then
something has gone very wrong and the user is not expected to fix it.

Also flit_core inherits setuptools3-base, so no need to inherit it again.

(From OE-Core rev: e2c7501645eec12d3168b6e8606549ce3e5f8db2)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-03-09 11:46:28 +00:00
Tim Orling
ae5f415311 python3-wheel-native: install ${bindir}/wheel
pip install would normally install [project.scripts] to ${D}${bindir}
but our naïve bootstrapping only unzips the wheel to
${D}${PYTHON_SITEPACKAGES_DIR}. Correct this by creating the equivalent
script in do_install:class-native

[YOCTO #14739]

(From OE-Core rev: 19e83270d17984cf6b471c387eb08103816b359f)

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-02-25 15:07:50 +00:00
Tim Orling
f4c43d7921 python3-wheel: inherit flit_core
Backport pyproject.toml from flit-backend branch.
Inherit flit_core class to build
Inherit pip_install_wheel to install wheels for target

We need to bootstrap python3-wheel-native in order to have bdist_wheel
available to python3-setuptools-native and the refactored
setuptools3.bbclass. Simply unzip the wheel into
PYTHON_SITEPACKAGES_DIR for class-native.

[YOCTO #14638]

(From OE-Core rev: 764d0c2e079b3511afe03deadf3ec922e41b89aa)

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-02-25 15:07:50 +00:00
Tim Orling
cb0aa0d09a python3-wheel: move 0.37.1 from meta-python
This is one of the "new build tools" which are part of pypa (Python
Packaging Authority) toolchain.

Wheels are the official delivery mechanism for Python packages, replacing
the now deprecated Eggs (egg-info).

[YOCTO #14638]

(From OE-Core rev: 78a4bccfa38c2d3a6a4a097319eec28c2bc357a7)

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-02-25 12:41:23 +00:00