PyPI - buildstream-plugins - Versions diffs - 2.2.0.dev2__tar.gz → 2.3.0.dev1__tar.gz - Mend

buildstream-plugins 2.2.0.dev2tar.gz → 2.3.0.dev1tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (58) hide show

{buildstream-plugins-2.2.0.dev2 → buildstream_plugins-2.3.0.dev1}/.asf.yaml RENAMED Viewed

@@ -34,6 +34,9 @@ github:
     # disable rebase button:
     rebase: false
+  # Close branches when pull requests are merged
+  del_branch_on_merge: true
   # Enable pages publishing
   ghp_branch: gh-pages
   ghp_path: /docs

{buildstream-plugins-2.2.0.dev2 → buildstream_plugins-2.3.0.dev1}/NEWS RENAMED Viewed

@@ -1,3 +1,13 @@
+=========================
+buildstream-plugins 2.3.0
+=========================
+  o pip: support Python 3.12 and future versions (#67)
+  o cargo, docker: Check tar member paths (#69)
+  o git: add tagger to annotated tags (fix for recent git versions) (#73)
 =========================
 buildstream-plugins 2.2.0
 =========================

{buildstream-plugins-2.2.0.dev2 → buildstream_plugins-2.3.0.dev1}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: buildstream-plugins
-Version: 2.2.0.dev2
+Version: 2.3.0.dev1
 Summary: A collection of plugins for BuildStream.
 Home-page: https://buildstream.build
 Author: The Apache Software Foundation
@@ -15,11 +15,11 @@ Classifier: Intended Audience :: Developers
 Classifier: License :: OSI Approved :: Apache Software License
 Classifier: Operating System :: POSIX
 Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3.7
 Classifier: Programming Language :: Python :: 3.8
 Classifier: Programming Language :: Python :: 3.9
 Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
 Classifier: Topic :: Software Development :: Build Tools
 Description-Content-Type: text/x-rst; charset=UTF-8
 License-File: LICENSE

{buildstream-plugins-2.2.0.dev2 → buildstream_plugins-2.3.0.dev1}/requirements/test-requirements.txt RENAMED Viewed

@@ -1,9 +1,11 @@
+build
 pytest-env
 # Provide option to run tests in parallel, less reliable
 pytest-xdist
 pytest >= 6.0.1
-pytest-datafiles >= 2.0,<3
+pytest-datafiles >= 3.0
 pylint
 pycodestyle
 pyftpdlib
 responses
+wheel

{buildstream-plugins-2.2.0.dev2 → buildstream_plugins-2.3.0.dev1}/setup.cfg RENAMED Viewed

@@ -3,6 +3,7 @@ test = pytest
 [tool:pytest]
 addopts = --verbose --basetemp ./tmp --durations=20
+testpaths = tests
 norecursedirs = tests/sources/pip-build integration-cache tmp __pycache__ .eggs
 python_files = tests/*.py
 markers =
@@ -16,9 +17,6 @@ files = src
 warn_unused_configs = True
 warn_no_return = True
-[mypy-copyreg,grpc,pluginbase,psutil,pyroaring,ruamel,multiprocessing.forkserver]
-ignore_missing_imports = True
 [egg_info]
 tag_build =
 tag_date = 0

{buildstream-plugins-2.2.0.dev2 → buildstream_plugins-2.3.0.dev1}/setup.py RENAMED Viewed

@@ -53,11 +53,11 @@ setup(
         "License :: OSI Approved :: Apache Software License",
         "Operating System :: POSIX",
         "Programming Language :: Python :: 3",
-        "Programming Language :: Python :: 3.7",
         "Programming Language :: Python :: 3.8",
         "Programming Language :: Python :: 3.9",
         "Programming Language :: Python :: 3.10",
         "Programming Language :: Python :: 3.11",
+        "Programming Language :: Python :: 3.12",
         "Topic :: Software Development :: Build Tools",
     ],
     description="A collection of plugins for BuildStream.",

{buildstream-plugins-2.2.0.dev2 → buildstream_plugins-2.3.0.dev1}/src/buildstream_plugins/__init__.py RENAMED Viewed

@@ -15,4 +15,4 @@
 #
 # Remember to adjust this version number before tagging releases
 #
-__version__ = "2.2.0.dev2"
+__version__ = "2.3.0.dev1"

{buildstream-plugins-2.2.0.dev2 → buildstream_plugins-2.3.0.dev1}/src/buildstream_plugins/sources/cargo.py RENAMED Viewed

@@ -28,6 +28,9 @@ Placing this source in the source list, after a source which stages a
 Cargo.lock file, will allow this source to read the Cargo.lock file and
 obtain the crates automatically into %{vendordir}.
+Set the `ref` field to an empty list like so: `ref: []`, and then run
+`bst source track path_to_bst_file.bst`.
 **Usage:**
 .. code:: yaml
@@ -41,7 +44,7 @@ obtain the crates automatically into %{vendordir}.
    # Internal source reference, this is a list of dictionaries
    # which store the crate names and versions.
    #
-   # This will be automatically updated with `bst track`
+   # This will be automatically updated with `bst source track`
    ref:
    - name: packagename
      version: 1.2.1
@@ -146,8 +149,14 @@ class Crate(SourceFetcher):
         try:
             mirror_file = self._get_mirror_file()
             with tarfile.open(mirror_file) as tar:
-                tar.extractall(path=directory)
                 members = tar.getmembers()
+                if hasattr(tarfile, "tar_filter"):
+                    # Python 3.12+ (and older versions with backports)
+                    tar.extractall(path=directory, filter="tar")
+                else:
+                    for member in members:
+                        self._assert_tarinfo_safe(member, directory)
+                    tar.extractall(path=directory, members=members)
             if members:
                 dirname = members[0].name.split("/")[0]
@@ -184,6 +193,30 @@ class Crate(SourceFetcher):
     #                   Private helpers                    #
     ########################################################
+    # Assert that a tarfile is safe to extract; specifically, make
+    # sure that we don't do anything outside of the target
+    # directory (this is possible, if, say, someone engineered a
+    # tarfile to contain paths that start with ..).
+    def _assert_tarinfo_safe(self, member: tarfile.TarInfo, target_dir: str):
+        final_path = os.path.abspath(os.path.join(target_dir, member.path))
+        if not final_path.startswith(target_dir):
+            raise SourceError(
+                "{}: Tarfile attempts to extract outside the staging area: "
+                "{} -> {}".format(self, member.path, final_path)
+            )
+        if member.islnk():
+            linked_path = os.path.abspath(os.path.join(target_dir, member.linkname))
+            if not linked_path.startswith(target_dir):
+                raise SourceError(
+                    "{}: Tarfile attempts to hardlink outside the staging area: "
+                    "{} -> {}".format(self, member.path, final_path)
+                )
+        # Don't need to worry about symlinks because they're just
+        # files here and won't be able to do much harm once we are
+        # in a sandbox.
     # _download()
     #
     # Downloads the crate from the url and caches it.

{buildstream-plugins-2.2.0.dev2 → buildstream_plugins-2.3.0.dev1}/src/buildstream_plugins/sources/docker.py RENAMED Viewed

@@ -570,6 +570,12 @@ class DockerSource(Source):
                 # extract files for the current layer
                 with tarfile.open(blob_path, tarinfo=ReadableTarInfo) as tar:
                     with self.tempdir() as td:
+                        if hasattr(tarfile, "tar_filter"):
+                            # Python 3.12+ (and older versions with backports)
+                            tar.extraction_filter = tarfile.tar_filter
+                        else:
+                            for member in extract_fileset:
+                                self._assert_tarinfo_safe(member, td)
                         tar.extractall(path=td, members=extract_fileset)
                         link_files(td, directory)
@@ -618,6 +624,30 @@ class DockerSource(Source):
         return extract_fileset, delete_fileset
+    # Assert that a tarfile is safe to extract; specifically, make
+    # sure that we don't do anything outside of the target
+    # directory (this is possible, if, say, someone engineered a
+    # tarfile to contain paths that start with ..).
+    def _assert_tarinfo_safe(self, member: tarfile.TarInfo, target_dir: str):
+        final_path = os.path.abspath(os.path.join(target_dir, member.path))
+        if not final_path.startswith(target_dir):
+            raise SourceError(
+                "{}: Tarfile attempts to extract outside the staging area: "
+                "{} -> {}".format(self, member.path, final_path)
+            )
+        if member.islnk():
+            linked_path = os.path.abspath(os.path.join(target_dir, member.linkname))
+            if not linked_path.startswith(target_dir):
+                raise SourceError(
+                    "{}: Tarfile attempts to hardlink outside the staging area: "
+                    "{} -> {}".format(self, member.path, final_path)
+                )
+        # Don't need to worry about symlinks because they're just
+        # files here and won't be able to do much harm once we are
+        # in a sandbox.
 # Plugin entry point
 def setup():

{buildstream-plugins-2.2.0.dev2 → buildstream_plugins-2.3.0.dev1}/src/buildstream_plugins/sources/git.py RENAMED Viewed

@@ -654,7 +654,9 @@ class GitMirror(SourceFetcher):
             for tag, commit_ref, annotated in self.tags:
                 if annotated:
                     with TemporaryFile(dir=tmpdir) as tag_file:
-                        tag_data = "object {}\ntype commit\ntag {}\n".format(commit_ref, tag)
+                        tag_data = "object {}\ntype commit\ntag {}\ntagger Unspecified Tagger <unspecified-tagger> 0 +0000\n".format(
+                            commit_ref, tag
+                        )
                         tag_file.write(tag_data.encode("ascii"))
                         tag_file.seek(0, 0)
                         _, tag_ref = self.source.check_output(

{buildstream-plugins-2.2.0.dev2 → buildstream_plugins-2.3.0.dev1}/src/buildstream_plugins/sources/pip.py RENAMED Viewed

@@ -92,6 +92,8 @@ _PYTHON_VERSIONS = [
     "python3.9",
     "python3.10",
     "python3.11",
+    "python3.12",
+    "python3",
 ]
 # List of allowed extensions taken from

{buildstream-plugins-2.2.0.dev2 → buildstream_plugins-2.3.0.dev1}/src/buildstream_plugins.egg-info/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: buildstream-plugins
-Version: 2.2.0.dev2
+Version: 2.3.0.dev1
 Summary: A collection of plugins for BuildStream.
 Home-page: https://buildstream.build
 Author: The Apache Software Foundation
@@ -15,11 +15,11 @@ Classifier: Intended Audience :: Developers
 Classifier: License :: OSI Approved :: Apache Software License
 Classifier: Operating System :: POSIX
 Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3.7
 Classifier: Programming Language :: Python :: 3.8
 Classifier: Programming Language :: Python :: 3.9
 Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
 Classifier: Topic :: Software Development :: Build Tools
 Description-Content-Type: text/x-rst; charset=UTF-8
 License-File: LICENSE