Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python-maturin for openSUSE:Factory checked in at 2026-02-11 18:47:36 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-maturin (Old) and /work/SRC/openSUSE:Factory/.python-maturin.new.1670 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-maturin" Wed Feb 11 18:47:36 2026 rev:58 rq:1332281 version:1.11.5 Changes: -------- --- /work/SRC/openSUSE:Factory/python-maturin/python-maturin.changes 2026-01-08 15:26:10.609938323 +0100 +++ /work/SRC/openSUSE:Factory/.python-maturin.new.1670/python-maturin.changes 2026-02-11 18:48:06.827528615 +0100 @@ -1,0 +2,11 @@ +Mon Feb 9 13:16:25 UTC 2026 - Nico Krapp <[email protected]> + +- Update to 1.11.5 + * Allow combining --compatibility pypi with other --compatibility values +- Update to 1.11.4 + * Support armv6l and armv7l in pypi compatibility + * Improve the reliability of maturin's own CI +- Add CVE-2026-25727.patch to bump time crate to 0.3.47 + to fix CVE-2026-25727 (bsc#1257918) + +------------------------------------------------------------------- Old: ---- maturin-1.11.2.tar.gz New: ---- CVE-2026-25727.patch maturin-1.11.5.tar.gz ----------(New B)---------- New: * Improve the reliability of maturin's own CI - Add CVE-2026-25727.patch to bump time crate to 0.3.47 to fix CVE-2026-25727 (bsc#1257918) ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-maturin.spec ++++++ --- /var/tmp/diff_new_pack.KgCBR5/_old 2026-02-11 18:48:08.727608407 +0100 +++ /var/tmp/diff_new_pack.KgCBR5/_new 2026-02-11 18:48:08.731608575 +0100 
@@ -23,13 +23,16 @@ %endif %{?sle15_python_module_pythons} Name: python-maturin -Version: 1.11.2 +Version: 1.11.5 Release: 0 Summary: Rust/Python Interoperability License: Apache-2.0 OR MIT URL: https://github.com/PyO3/maturin Source: https://files.pythonhosted.org/packages/source/m/maturin/maturin-%{version}.tar.gz Source1: vendor.tar.xz +# PATCH-FIX-UPSTREAM CVE-2026-25727.patch bsc#1257918 +# note that this patch also needs to be applied before running the cargo vendor service +Patch0: CVE-2026-25727.patch BuildRequires: %{python_module base >= 3.7} BuildRequires: %{python_module pip} BuildRequires: %{python_module setuptools-rust >= 1.4.0} ++++++ CVE-2026-25727.patch ++++++ Index: maturin-1.11.5/Cargo.toml =================================================================== --- maturin-1.11.5.orig/Cargo.toml +++ maturin-1.11.5/Cargo.toml @@ -86,7 +86,7 @@ path-slash = "0.2.1" pep440_rs = { version = "0.7.3", features = ["tracing"] } pep508_rs = { version = "0.9.2", features = ["tracing"] } same-file = "1.0.6" -time = "0.3.17" +time = "0.3.47" url = "2.5.0" unicode-xid = { version = "0.2.4", optional = true } @@ -151,7 +151,7 @@ pretty_assertions = "1.3.0" rstest = "0.26.1" rustversion = "1.0.9" serial_test = { version = "3.2.0", default-features = false } -time = { version = "0.3.34", features = ["macros"] } +time = { version = "0.3.47", features = ["macros"] } trycmd = "0.15.0" which = "7.0.0" ++++++ maturin-1.11.2.tar.gz -> maturin-1.11.5.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/maturin-1.11.2/Cargo.lock new/maturin-1.11.5/Cargo.lock --- old/maturin-1.11.2/Cargo.lock 2006-07-24 03:21:28.000000000 +0200 +++ new/maturin-1.11.5/Cargo.lock 2006-07-24 03:21:28.000000000 +0200 
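Review bot: Raising the `time` requirement to `0.3.47` in Cargo.toml (both hunks of CVE-2026-25727.patch, the dependency near line 86 and the dev-dependency near line 151) only sets a lower bound. The version that is actually compiled comes from Cargo.lock and from vendor.tar.xz, and this patch touches neither. The page shows vendor.tar.xz only as a binary "differ", and the visible Cargo.lock hunk changes nothing but the maturin version, so the vendored `time` version cannot be confirmed from here. The spec comment already says the patch must be applied before the cargo vendor service runs; I would also record the outcome next to `Patch0`, for example `# vendor.tar.xz regenerated with this patch applied; vendored time is >= 0.3.47`.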
@@ -1416,7 +1416,7 @@ [[package]] name = "maturin" -version = "1.11.2" +version = "1.11.5" dependencies = [ "anyhow", "base64", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/maturin-1.11.2/Cargo.toml new/maturin-1.11.5/Cargo.toml --- old/maturin-1.11.2/Cargo.toml 2006-07-24 03:21:28.000000000 +0200 +++ new/maturin-1.11.5/Cargo.toml 2006-07-24 03:21:28.000000000 +0200 @@ -1,7 +1,7 @@ [package] authors = ["konstin <[email protected]>", "messense <[email protected]>"] name = "maturin" -version = "1.11.2" +version = "1.11.5" description = "Build and publish crates with pyo3, cffi and uniffi bindings as well as rust binaries as python packages" exclude = [ "test-crates/**/*", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/maturin-1.11.2/Changelog.md new/maturin-1.11.5/Changelog.md --- old/maturin-1.11.2/Changelog.md 2006-07-24 03:21:28.000000000 +0200 +++ new/maturin-1.11.5/Changelog.md 2006-07-24 03:21:28.000000000 +0200 @@ -1,5 +1,18 @@ # Changelog +## 1.11.5 + +* Allow combining `--compatibility pypi` with other `--compatibility` values ([#2928](https://github.com/pyo3/maturin/pull/2928)) + +## 1.11.4 + +* Support armv6l and armv7l in pypi compatibility ([#2926](https://github.com/pyo3/maturin/pull/2926)) +* Improve the reliability of maturin's own CI + +## 1.11.3 + +* Fix manylinux2014 compliance check ([#2922](https://github.com/pyo3/maturin/pull/2922)) + ## 1.11.2 * Fix failed release diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/maturin-1.11.2/PKG-INFO new/maturin-1.11.5/PKG-INFO --- old/maturin-1.11.2/PKG-INFO 2006-07-24 03:21:28.000000000 +0200 +++ new/maturin-1.11.5/PKG-INFO 2006-07-24 03:21:28.000000000 +0200 
@@ -1,6 +1,6 @@ Metadata-Version: 2.4 Name: maturin -Version: 1.11.2 +Version: 1.11.5 Classifier: Topic :: Software Development :: Build Tools Classifier: Programming Language :: Rust Classifier: Programming Language :: Python :: Implementation :: CPython diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/maturin-1.11.2/src/auditwheel/audit.rs new/maturin-1.11.5/src/auditwheel/audit.rs --- old/maturin-1.11.2/src/auditwheel/audit.rs 2006-07-24 03:21:28.000000000 +0200 +++ new/maturin-1.11.5/src/auditwheel/audit.rs 2006-07-24 03:21:28.000000000 +0200 @@ -2,10 +2,10 @@ use super::policy::{MANYLINUX_POLICIES, MUSLLINUX_POLICIES, Policy}; use crate::auditwheel::{PlatformTag, find_external_libs}; use crate::compile::BuildArtifact; -use crate::target::Target; +use crate::target::{Arch, Target}; use anyhow::{Context, Result, bail}; use fs_err::File; -use goblin::elf::{Elf, sym::STT_FUNC}; +use goblin::elf::{Elf, sym::STB_WEAK, sym::STT_FUNC}; use lddtree::Library; use once_cell::sync::Lazy; use regex::Regex; @@ -162,7 +162,10 @@ .dynsyms .iter() .filter_map(|sym| { - if sym.st_shndx == goblin::elf::section_header::SHN_UNDEF as usize { + // Do not consider weak symbols as undefined, they are optional at runtime. + if sym.st_shndx == goblin::elf::section_header::SHN_UNDEF as usize + && sym.st_bind() != STB_WEAK + { elf.dynstrtab.get_at(sym.st_name).map(ToString::to_string) } else { None 
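Review bot: The new comment in the `filter_map` closure says weak symbols are optional at runtime but not what that costs the audit. With `sym.st_bind() != STB_WEAK`, a weak undefined reference is dropped from this list, so whatever consumes the list (presumably the policy symbol check, which is outside the hunk) never sees a weak reference to a symbol the policy does not allow. That is sound only if the binary checks the weak symbol for null before using it, which this code cannot verify. I would state the trade-off in the comment, e.g. `// Weak undefined symbols resolve to null when missing, so they are skipped; a use without a null check is not caught by this audit.` The enclosing function starts and ends outside the hunk.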
@@ -402,6 +405,10 @@ } } else if let Some(policy) = highest_policy { Ok(policy) + } else if target.target_arch() == Arch::Armv6L || target.target_arch() == Arch::Armv7L { + // Old arm versions + // https://github.com/pypi/warehouse/blob/556e1e3390999381c382873b003a779a1363cb4d/warehouse/forklift/legacy.py#L122-L123 + Ok(Policy::default()) } else { eprintln!( "⚠️ Warning: No compatible platform tag found, using the linux tag instead. \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/maturin-1.11.2/src/build_options.rs new/maturin-1.11.5/src/build_options.rs --- old/maturin-1.11.2/src/build_options.rs 2006-07-24 03:21:28.000000000 +0200 +++ new/maturin-1.11.5/src/build_options.rs 2006-07-24 03:21:28.000000000 +0200 @@ -730,7 +730,10 @@ }); // Check if PyPI validation is needed before we move platform_tag - let pypi_validation = matches!(&build_options.platform_tag[..], [PlatformTag::Pypi]); + let pypi_validation = build_options + .platform_tag + .iter() + .any(|platform_tag| platform_tag == &PlatformTag::Pypi); let platform_tags = if build_options.platform_tag.is_empty() { #[cfg(feature = "zig")] @@ -749,10 +752,9 @@ // Zig bundles musl 1.2 Some(PlatformTag::Musllinux { major: 1, minor: 2 }) } else { - // With zig we can compile to any glibc version that we want, but - // there are some black-listed libc symbols in auditwheel for manylinux <= 2.17/2024. - // Thus we let auditwheel decide the compatibility tag. - None + // With zig we can compile to any glibc version that we want, so we pick the lowest + // one supported by the rust compiler + Some(target.get_minimum_manylinux_tag()) } } else { // Defaults to musllinux_1_2 for musl target if it's not bin bindings 
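Review bot: The new `else if` branch returns `Ok(Policy::default())` for `Arch::Armv6L` and `Arch::Armv7L` without the warning the final `else` prints, and the comment `// Old arm versions` plus a URL does not say why. `Policy::default()` is not defined in this hunk; if it is the plain `linux` policy, a comment such as `// PyPI accepts linux_armv6l / linux_armv7l, so the plain linux tag is expected here and no warning is needed` would make the intent explicit. The condition also calls `target.target_arch()` twice, where `matches!(target.target_arch(), Arch::Armv6L | Arch::Armv7L)` reads more directly. The same pair is tested again in src/target/pypi_tags.rs, and the enclosing function begins and ends outside the hunk.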
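Review bot: The rewritten comment in the zig branch of src/build_options.rs drops the earlier caveat about libc symbols that auditwheel black-lists for old manylinux versions, without saying what replaced it. With `Some(target.get_minimum_manylinux_tag())` the tag is fixed up front instead of being chosen by the audit. Presumably a build that pulls in such a symbol now fails the audit for that tag rather than receiving a higher one, but that is inferred because the audit call is outside the hunk. If so, a line such as `// auditwheel still checks the result against this tag and errors if it does not comply` would keep the reasoning with the code.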
@@ -770,16 +772,24 @@ } else if let [PlatformTag::Pypi] = &build_options.platform_tag[..] { // Avoid building for architectures we already know aren't allowed on PyPI if !is_arch_supported_by_pypi(&target) { - bail!("Target {} architecture is not supported by PyPI", target); + bail!("Rust target {target} is not supported by PyPI"); } // The defaults are already targeting PyPI: manylinux on linux, // and the native tag on windows and mac Vec::new() - } else if build_options.platform_tag.iter().all(|tag| !tag.is_pypi()) { - // All non-PyPI tags - use as-is - build_options.platform_tag } else { - bail!("The 'pypi' compatibility option cannot be combined with other platform tags"); + if build_options.platform_tag.iter().any(|tag| tag.is_pypi()) + && !is_arch_supported_by_pypi(&target) + { + bail!("Rust target {target} is not supported by PyPI"); + } + + // All non-PyPI tags - use as-is + build_options + .platform_tag + .into_iter() + .filter(|platform_tag| platform_tag != &PlatformTag::Pypi) + .collect() }; for platform_tag in &platform_tags { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/maturin-1.11.2/src/target/mod.rs new/maturin-1.11.5/src/target/mod.rs --- old/maturin-1.11.2/src/target/mod.rs 2006-07-24 03:21:28.000000000 +0200 +++ new/maturin-1.11.5/src/target/mod.rs 2006-07-24 03:21:28.000000000 +0200 
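Review bot: The PyPI architecture check and its `bail!` message now appear twice, once in the `[PlatformTag::Pypi]` branch and once in the new `else` branch. The comment `// All non-PyPI tags - use as-is` is also stale, since that branch now handles mixed lists and filters `Pypi` out. `pypi_validation` is computed in the first hunk of this file as "any tag is Pypi" and `target` appears to be in scope by then, so one guard before `let platform_tags = ...` would cover both branches: `if pypi_validation && !is_arch_supported_by_pypi(&target) { bail!("Rust target {target} is not supported by PyPI"); }`. The hunk also mixes `tag.is_pypi()` with `platform_tag != &PlatformTag::Pypi`; assuming the two are equivalent, using one form keeps the check and the filter from drifting apart. The surrounding function is only partly visible here.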
@@ -99,33 +99,39 @@ LoongArch64, } -impl fmt::Display for Arch { - fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { +impl Arch { + pub fn as_str(&self) -> &str { match *self { - Arch::Aarch64 => write!(f, "aarch64"), - Arch::Armv5teL => write!(f, "armv5tel"), - Arch::Armv6L => write!(f, "armv6l"), - Arch::Armv7L => write!(f, "armv7l"), - Arch::Powerpc => write!(f, "ppc"), - Arch::Powerpc64Le => write!(f, "ppc64le"), - Arch::Powerpc64 => write!(f, "ppc64"), - Arch::X86 => write!(f, "i686"), - Arch::X86_64 => write!(f, "x86_64"), - Arch::S390X => write!(f, "s390x"), - Arch::Wasm32 => write!(f, "wasm32"), - Arch::Riscv32 => write!(f, "riscv32"), - Arch::Riscv64 => write!(f, "riscv64"), - Arch::Mips64el => write!(f, "mips64el"), - Arch::Mips64 => write!(f, "mips64"), - Arch::Mipsel => write!(f, "mipsel"), - Arch::Mips => write!(f, "mips"), - Arch::Sparc64 => write!(f, "sparc64"), - Arch::Sparcv9 => write!(f, "sparcv9"), - Arch::LoongArch64 => write!(f, "loongarch64"), + Arch::Aarch64 => "aarch64", + Arch::Armv5teL => "armv5tel", + Arch::Armv6L => "armv6l", + Arch::Armv7L => "armv7l", + Arch::Powerpc => "ppc", + Arch::Powerpc64Le => "ppc64le", + Arch::Powerpc64 => "ppc64", + Arch::X86 => "i686", + Arch::X86_64 => "x86_64", + Arch::S390X => "s390x", + Arch::Wasm32 => "wasm32", + Arch::Riscv32 => "riscv32", + Arch::Riscv64 => "riscv64", + Arch::Mips64el => "mips64el", + Arch::Mips64 => "mips64", + Arch::Mipsel => "mipsel", + Arch::Mips => "mips", + Arch::Sparc64 => "sparc64", + Arch::Sparcv9 => "sparcv9", + Arch::LoongArch64 => "loongarch64", } } } +impl fmt::Display for Arch { + fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { + f.write_str(self.as_str()) + } +} + impl Arch { /// Represents the hardware platform. 
/// diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/maturin-1.11.2/src/target/pypi_tags.rs new/maturin-1.11.5/src/target/pypi_tags.rs --- old/maturin-1.11.2/src/target/pypi_tags.rs 2006-07-24 03:21:28.000000000 +0200 +++ new/maturin-1.11.5/src/target/pypi_tags.rs 2006-07-24 03:21:28.000000000 +0200 @@ -23,23 +23,31 @@ LINUX_PLATFORM_RE, MACOS_ARCHES, MACOS_MAJOR_VERSIONS, MACOS_PLATFORM_RE, MANYLINUX_ARCHES, MUSLLINUX_ARCHES, WINDOWS_ARCHES, }; -use crate::target::{Os, Target}; +use crate::target::{Arch, Os, Target}; use anyhow::{Result, anyhow, bail}; use target_lexicon::Environment; /// Check for target architectures that we know aren't supported by PyPI to error early. pub fn is_arch_supported_by_pypi(target: &Target) -> bool { - let arch = target.target_arch().to_string(); + let arch = target.target_arch(); match target.target_os() { Os::Windows => WINDOWS_ARCHES.contains(&arch.as_str()), Os::Macos => { // macOS uses arm64 in platform tags, but target triple uses aarch64 - let normalized_arch = if arch == "aarch64" { "arm64" } else { &arch }; + let normalized_arch = if arch == Arch::Aarch64 { + "arm64" + } else { + arch.as_str() + }; MACOS_ARCHES.contains(&normalized_arch) } Os::Ios => { // iOS uses arm64 in platform tags, but target triple uses aarch64 - let normalized_arch = if arch == "aarch64" { "arm64" } else { &arch }; + let normalized_arch = if arch == Arch::Aarch64 { + "arm64" + } else { + arch.as_str() + }; // PyPI allows iOS with arm64 and x86_64 (simulator) matches!(normalized_arch, "arm64" | "x86_64") } 
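Review bot: `Arch::as_str` is a new `pub` method without a doc comment, and its signature `-> &str` ties the returned slice to the borrow of `self` even though every match arm returns a string literal. Declaring it as `pub fn as_str(&self) -> &'static str` is backward-compatible for the callers shown in this diff and lets the name outlive the `Arch` value. A doc line such as `/// Returns the architecture name that the Display impl prints, e.g. "x86_64" for Arch::X86_64.` would document the contract that `Display` now delegates to.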
@@ -54,23 +62,25 @@ }; ANDROID_ARCHES.contains(&android_arch) } - Os::Linux => match target.target_env() { - Environment::Gnu - | Environment::Gnuabi64 - | Environment::Gnueabi - | Environment::Gnueabihf => { - let arch1 = arch.as_str(); - MANYLINUX_ARCHES.contains(&arch1) + Os::Linux => { + // Old arm versions + // https://github.com/pypi/warehouse/blob/556e1e3390999381c382873b003a779a1363cb4d/warehouse/forklift/legacy.py#L122-L123 + if arch == Arch::Armv6L || arch == Arch::Armv7L { + return true; } - Environment::Musl - | Environment::Musleabi - | Environment::Musleabihf - | Environment::Muslabi64 => { - let arch1 = arch.as_str(); - MUSLLINUX_ARCHES.contains(&arch1) + + match target.target_env() { + Environment::Gnu + | Environment::Gnuabi64 + | Environment::Gnueabi + | Environment::Gnueabihf => MANYLINUX_ARCHES.contains(&arch.as_str()), + Environment::Musl + | Environment::Musleabi + | Environment::Musleabihf + | Environment::Muslabi64 => MUSLLINUX_ARCHES.contains(&arch.as_str()), + _ => false, } - _ => false, - }, + } _ => false, } } @@ -105,6 +115,12 @@ }; } + // Old arm versions + // https://github.com/pypi/warehouse/blob/556e1e3390999381c382873b003a779a1363cb4d/warehouse/forklift/legacy.py#L122-L123 + if platform_tag == "linux_armv6l" || platform_tag == "linux_armv7l" { + return true; + } + // iOS if let Some(captures) = IOS_PLATFORM_RE.captures(platform_tag) { let arch = captures.name("arch").unwrap().as_str(); 
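Review bot: In the `Os::Linux` arm of `is_arch_supported_by_pypi`, the `return true` for `Arch::Armv6L` and `Arch::Armv7L` runs before `target.target_env()` is matched. For these two architectures the `_ => false` arm is therefore never reached, and every Linux environment is reported as supported. The linked warehouse lines are cited elsewhere in this file for the bare `linux_armv6l` and `linux_armv7l` platform tags (third hunk of this file). If accepting any environment is intended, the comment should say so, e.g. `// PyPI accepts the plain linux_armv6l/linux_armv7l tags, so these arches pass regardless of libc environment`. If it is not, the check belongs in the `_ =>` arm of the environment match rather than in front of it.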
@@ -176,6 +192,10 @@ // musllinux platforms ("musllinux_1_1_x86_64", true), ("musllinux_1_1_riscv64", false), + // Old arm versions + // https://github.com/pypi/warehouse/blob/556e1e3390999381c382873b003a779a1363cb4d/warehouse/forklift/legacy.py#L122-L123 + ("linux_armv6l", true), + ("linux_armv7l", true), // macOS platforms ("macosx_9_0_x86_64", false), // Invalid major version ("macosx_10_9_x86_64", true), ++++++ vendor.tar.xz ++++++ /work/SRC/openSUSE:Factory/python-maturin/vendor.tar.xz /work/SRC/openSUSE:Factory/.python-maturin.new.1670/vendor.tar.xz differ: char 15, line 1
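Review bot: The two added cases pin only the accepting side of the new `linux_armv6l`/`linux_armv7l` rule. Nothing in this hunk shows a bare `linux_*` tag for another architecture still being rejected. A negative case next to them, e.g. `("linux_x86_64", false),`, would catch a later change that turns the exact string comparison into a prefix match. The rest of the table is outside the hunk, so such a case may already exist. No test for the new early return in `is_arch_supported_by_pypi` is visible in this diff either.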
