[python-virtualenv/el5] - Epoch 1 to back down the release in epel5. - Remove the bundled pip - Add a patch to tell the user

Toshio くらとみ toshio at fedoraproject.org
Thu Jun 6 20:33:32 UTC 2013


commit e28ff2a7cab1232ec872e191e62531d1b2e234dd
Author: Toshio Kuratomi <toshio at fedoraproject.org>
Date:   Thu Jun 6 13:32:51 2013 -0700

    - Epoch 1 to back down the release in epel5.
    - Remove the bundled pip
    - Add a patch to tell the user that pip is insecure on python-2.4 with
      instructions on how to make virtualenv work with a manually downloaded pip

 .gitignore                            |    1 +
 python-virtualenv.spec                |   17 ++++++++++++++++-
 sources                               |    2 +-
 virtualenv-insecure-pip-warning.patch |   23 +++++++++++++++++++++++
 4 files changed, 41 insertions(+), 2 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 0fda0e4..d1e9ca5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 virtualenv-1.9.1.tar.gz
+/virtualenv-1.7.2.tar.gz
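Review bot: The new entry `/virtualenv-1.7.2.tar.gz` is anchored with a leading slash while the existing `virtualenv-1.9.1.tar.gz` line is not; use one form for both. The 1.9.1 entry can also be dropped if that tarball is no longer a source on this branch.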
diff --git a/python-virtualenv.spec b/python-virtualenv.spec
index 7fcfc2c..56b90ed 100644
--- a/python-virtualenv.spec
+++ b/python-virtualenv.spec
@@ -2,14 +2,16 @@
 %{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
 
 Name:           python-virtualenv
-Version:        1.9.1
+Version:        1.7.2
 Release:        1%{?dist}
+Epoch: 1
 Summary:        Tool to create isolated Python environments
 
 Group:          Development/Languages
 License:        MIT
 URL:            http://pypi.python.org/pypi/virtualenv
 Source0:        http://pypi.python.org/packages/source/v/virtualenv/virtualenv-%{version}.tar.gz
+Patch0: virtualenv-insecure-pip-warning.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 BuildArch:      noarch
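Review bot: `Epoch: 1` has no comment saying why it was introduced, and an epoch has to be carried in every later build of this branch, so a one-line comment above it (version went from 1.9.1 back to 1.7.2) would help whoever next touches the spec. `Epoch:` and `Patch0:` also break the column alignment used by the other tags, and `Patch0:` would benefit from a comment saying what the patch does and whether it has been sent upstream.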
@@ -30,6 +32,8 @@ licensed under an MIT-style permissive license.
 
 %prep
 %setup -q -n virtualenv-%{version}
+%patch0 -p1
+
 %{__sed} -i -e "1s|#!/usr/bin/env python||" virtualenv.py 
 
 %build
@@ -47,6 +51,11 @@ rm -rf $RPM_BUILD_ROOT
 %{__python} setup.py install --skip-build --root $RPM_BUILD_ROOT
 rm -f build/sphinx/html/.buildinfo
 
+# Remove the bundled pip.  Eventually we want to do this (and remove the other bundles)
+# on all releases.  Waiting on maintainer views on
+# https://bugzilla.redhat.com/show_bug.cgi?id=749378
+rm $RPM_BUILD_ROOT%{python_sitelib}/virtualenv_support/pip*tar.gz
+
 
 %clean
 rm -rf $RPM_BUILD_ROOT
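Review bot: The `rm` on `virtualenv_support/pip*tar.gz` only covers a gzip tarball, so a pip bundle shipped under any other extension in that directory would still end up in the package without the build noticing. Consider following the `rm` with a check that fails the build if anything matching `pip*` remains under `virtualenv_support`, and say in the comment why pip is removed here (the changelog gives the reason as pip being insecure on python-2.4).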
@@ -65,6 +74,12 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Thu Jun  6 2013 Toshio Kuratomi <toshio at fedoraproject.org> - 1:1.7.2-1
+- Epoch 1 to back down the release in epel5.
+- Remove the bundled pip
+- Add a patch to tell the user that pip is insecure on python-2.4 with
+  instructions on how to make virtualenv work with a manually downloaded pip
+
 * Tue May 14 2013 Toshio Kuratomi <toshio at fedoraproject.org> - 1.9.1-1
 - Update to upstream 1.9.1 because of security issues with the bundled
   python-pip in older releases.  This is just a quick fix until a
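Review bot: The new 1:1.7.2-1 entry does not say why the version goes back to 1.7.2, and it sits directly above the 1.9.1-1 entry, which records that update as a fix for security issues in the bundled python-pip. Add a line giving the reason for the downgrade so that someone reading the changelog does not take it for a regression of the earlier security update.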
diff --git a/sources b/sources
index c048175..839d740 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-07e09df0adfca0b2d487e39a4bf2270a  virtualenv-1.9.1.tar.gz
+b5d63b05373a4344ae099a68875aae78  virtualenv-1.7.2.tar.gz
diff --git a/virtualenv-insecure-pip-warning.patch b/virtualenv-insecure-pip-warning.patch
new file mode 100644
index 0000000..bad73bd
--- /dev/null
+++ b/virtualenv-insecure-pip-warning.patch
@@ -0,0 +1,23 @@
+Index: virtualenv-1.7.2/virtualenv.py
+===================================================================
+--- virtualenv-1.7.2.orig/virtualenv.py
++++ virtualenv-1.7.2/virtualenv.py
+@@ -634,6 +634,18 @@ def install_pip(py_executable, search_di
+     if is_jython or is_pypy:
+         cmd.remove('-x')
+     if filename == 'pip':
++        if sys.version_info < (2,5):
++            logger.fatal("Can't find any local distributions of pip to install "
++                    "and virtualenv can't download a secure version of pip that "
++                    "works with your python version (2.4.x).  If you evaluate "
++                    "the unfixed security issues in pip-1.1 ( as of this writing: "
++                    "https://github.com/pypa/pip/issues/425 and "
++                    "https://github.com/pypa/pip/issues/725 ) "
++                    "and decide they do not apply to your environment you may "
++                    "manually download the pip-1.1 source distribution from pypi ( "
++                    "https://pypi.python.org/packages/source/p/pip/pip-1.1.tar.gz ) "
++                    "and place it in one of these locations: %r" % search_dirs)
++            sys.exit(1)
+         if never_download:
+             logger.fatal("Can't find any local distributions of pip to install "
+                          "and --never-download is set.  Either re-run virtualenv "
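Review bot: The fatal message in the `sys.version_info < (2,5)` branch tells the user to download pip-1.1.tar.gz by hand but gives nothing to verify it against; adding the expected checksum of that tarball to the message, or to a README shipped with the package, would let users confirm what they place in `search_dirs`. The text also hardcodes "(2.4.x)" although the condition matches any interpreter older than 2.5; either print the running version or word the message to match the test.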

