Skip to content

Commit 0db8c41

Browse files
Merge branch 'main' into gh-150191-fix-test-sni-callback-race
2 parents 5ec6b3d + 4f39efc commit 0db8c41

1,408 files changed

Lines changed: 68106 additions & 171699 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.editorconfig

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,11 +1,11 @@
11
root = true
22

3-
[*.{py,c,cpp,h,js,rst,md,yml,yaml,gram}]
3+
[*.{py,c,cpp,h,js,rst,md,yml,yaml,toml,gram}]
44
trim_trailing_whitespace = true
55
insert_final_newline = true
66
indent_style = space
77

8-
[*.{py,c,cpp,h,gram}]
8+
[*.{py,c,cpp,h,toml,gram}]
99
indent_size = 4
1010

1111
[*.rst]

.github/CODEOWNERS

Lines changed: 9 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -63,29 +63,29 @@
6363
.azure-pipelines/ @AA-Turner
6464

6565
# GitHub & related scripts
66-
.github/ @ezio-melotti @hugovk @AA-Turner @webknjaz
66+
.github/ @ezio-melotti @hugovk @AA-Turner @webknjaz @itamaro @JacobCoffee
6767
Tools/build/compute-changes.py @AA-Turner @hugovk @webknjaz
6868
Lib/test/test_tools/test_compute_changes.py @AA-Turner @hugovk @webknjaz
6969
Tools/build/verify_ensurepip_wheels.py @AA-Turner @pfmoore @pradyunsg
7070

7171
# Pre-commit
72-
.pre-commit-config.yaml @hugovk
73-
.ruff.toml @hugovk @AlexWaygood @AA-Turner
72+
.pre-commit-config.yaml @hugovk @JacobCoffee
73+
.ruff.toml @hugovk @AlexWaygood @AA-Turner @JacobCoffee
7474

7575
# Patchcheck
76-
Tools/patchcheck/ @AA-Turner
76+
Tools/patchcheck/ @AA-Turner @itamaro
7777

7878

7979
# ----------------------------------------------------------------------------
8080
# Build System
8181
# ----------------------------------------------------------------------------
8282

8383
# Autotools
84-
configure* @erlend-aasland @corona10 @AA-Turner @emmatyping
85-
Makefile.pre.in @erlend-aasland @AA-Turner @emmatyping
86-
Modules/makesetup @erlend-aasland @AA-Turner @emmatyping
87-
Modules/Setup* @erlend-aasland @AA-Turner @emmatyping
88-
Tools/build/regen-configure.sh @AA-Turner
84+
configure* @erlend-aasland @corona10 @AA-Turner @emmatyping @itamaro
85+
Makefile.pre.in @erlend-aasland @AA-Turner @emmatyping @itamaro
86+
Modules/makesetup @erlend-aasland @AA-Turner @emmatyping @itamaro
87+
Modules/Setup* @erlend-aasland @AA-Turner @emmatyping @itamaro
88+
Tools/build/regen-configure.sh @AA-Turner @itamaro
8989

9090
# generate-build-details
9191
Tools/build/generate-build-details.py @FFY00

.github/SECURITY.md

Lines changed: 17 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -1,17 +1,24 @@
11
# Security Policy
22

3-
## Supported Versions
3+
Python [provides a security policy and threat model](https://devguide.python.org/security/policy/)
4+
in the Python Developer's Guide documenting what bugs are vulnerabilities,
5+
how to structure reports, and what versions of Python accept reports.
46

5-
The Python team applies security fixes according to the table
6-
in [the devguide](
7-
https://devguide.python.org/versions/#supported-versions
8-
).
7+
Python Security Response Team (PSRT) members
8+
balance security work against many other responsibilities. Please be thoughtful
9+
about the time and attention your report requires. Repeated failure to respect
10+
the security policy will result in future reports being rejected, or the
11+
reporter being banned from the ``python`` GitHub organization, regardless of
12+
technical merit.
913

1014
## Reporting a Vulnerability
1115

12-
Please read the guidelines on reporting security issues [on the
13-
official website](https://www.python.org/dev/security/) for
14-
instructions on how to report a security-related problem to
15-
the Python team responsibly.
16+
The [Python security policy](https://devguide.python.org/security/policy/)
17+
documents [how to submit a vulnerability report](https://devguide.python.org/security/policy/#how-to-submit-a-vulnerability-report)
18+
using GitHub Security Advisories. Please read the security policy
19+
prior to filing a vulnerability report, especially the section on [what information to
20+
include and exclude](https://devguide.python.org/security/policy/#what-to-include-and-how-to-structure-a-vulnerability-report)
21+
in vulnerability reports. Following the security policy means the PSRT can
22+
quickly and efficiently triage your report, not following the security policy
23+
will only delay triaging your report.
1624

17-
To reach the response team, email `security at python dot org`.

.github/actionlint.yaml

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,12 @@
11
config-variables: null
22

3+
# Pending release of actionlint > 1.7.12 for ubuntu-26.04* support:
4+
# https://github.com/rhysd/actionlint/pull/683
5+
self-hosted-runner:
6+
labels:
7+
- ubuntu-26.04
8+
- ubuntu-26.04-arm
9+
310
paths:
411
.github/workflows/**/*.yml:
512
ignore:

.github/workflows/add-issue-header.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -17,12 +17,12 @@ permissions:
1717

1818
jobs:
1919
add-header:
20-
runs-on: ubuntu-latest
20+
runs-on: ubuntu-slim
2121
permissions:
2222
issues: write
2323
timeout-minutes: 5
2424
steps:
25-
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
25+
- uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
2626
with:
2727
# language=JavaScript
2828
script: |

.github/workflows/build.yml

Lines changed: 44 additions & 34 deletions
Original file line numberDiff line numberDiff line change
@@ -53,7 +53,7 @@ jobs:
5353
name: 'Check if Autoconf files are up to date'
5454
# Don't use ubuntu-latest but a specific version to make the job
5555
# reproducible: to get the same tools versions (autoconf, aclocal, ...)
56-
runs-on: ubuntu-24.04
56+
runs-on: ubuntu-26.04
5757
container:
5858
image: ghcr.io/python/autoconf:2025.01.02.12581854023
5959
timeout-minutes: 60
@@ -64,7 +64,7 @@ jobs:
6464
run: |
6565
apt update && apt install git -yq
6666
git config --global --add safe.directory "$GITHUB_WORKSPACE"
67-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
67+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
6868
with:
6969
fetch-depth: 1
7070
persist-credentials: false
@@ -96,12 +96,12 @@ jobs:
9696
name: 'Check if generated files are up to date'
9797
# Don't use ubuntu-latest but a specific version to make the job
9898
# reproducible: to get the same tools versions (autoconf, aclocal, ...)
99-
runs-on: ubuntu-24.04
99+
runs-on: ubuntu-26.04
100100
timeout-minutes: 60
101101
needs: build-context
102102
if: needs.build-context.outputs.run-tests == 'true'
103103
steps:
104-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
104+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
105105
with:
106106
persist-credentials: false
107107
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
@@ -239,18 +239,18 @@ jobs:
239239
- false
240240
- true
241241
os:
242-
- ubuntu-24.04
243-
- ubuntu-24.04-arm
242+
- ubuntu-26.04
243+
- ubuntu-26.04-arm
244244
exclude:
245245
# Do not test BOLT with free-threading, to conserve resources
246246
- bolt: true
247247
free-threading: true
248248
# BOLT currently crashes during instrumentation on aarch64
249-
- os: ubuntu-24.04-arm
249+
- os: ubuntu-26.04-arm
250250
bolt: true
251251
include:
252252
# Enable CPU-intensive tests on ARM (default build only)
253-
- os: ubuntu-24.04-arm
253+
- os: ubuntu-26.04-arm
254254
bolt: false
255255
free-threading: false
256256
test-opts: '-u cpu'
@@ -270,29 +270,28 @@ jobs:
270270
strategy:
271271
fail-fast: false
272272
matrix:
273-
os: [ubuntu-24.04]
273+
os: [ubuntu-26.04]
274274
ssllib:
275275
# See Tools/ssl/make_ssl_data.py for notes on adding a new version
276276
## OpenSSL
277277
# Keep 1.1.1w in our list despite it being upstream EOL and otherwise
278278
# unsupported as it most resembles other 1.1.1-work-a-like ssl APIs
279279
# supported by important vendors such as AWS-LC.
280280
- { name: openssl, version: 1.1.1w }
281-
- { name: openssl, version: 3.0.20 }
282-
- { name: openssl, version: 3.3.7 }
283-
- { name: openssl, version: 3.4.5 }
284-
- { name: openssl, version: 3.5.6 }
285-
- { name: openssl, version: 3.6.2 }
286-
- { name: openssl, version: 4.0.0 }
281+
- { name: openssl, version: 3.0.21 }
282+
- { name: openssl, version: 3.4.6 }
283+
- { name: openssl, version: 3.5.7 }
284+
- { name: openssl, version: 3.6.3 }
285+
- { name: openssl, version: 4.0.1 }
287286
## AWS-LC
288-
- { name: aws-lc, version: 1.72.1 }
287+
- { name: aws-lc, version: 5.0.0 }
289288
env:
290289
SSLLIB_VER: ${{ matrix.ssllib.version }}
291290
MULTISSL_DIR: ${{ github.workspace }}/multissl
292291
SSLLIB_DIR: ${{ github.workspace }}/multissl/${{ matrix.ssllib.name }}/${{ matrix.ssllib.version }}
293292
LD_LIBRARY_PATH: ${{ github.workspace }}/multissl/${{ matrix.ssllib.name }}/${{ matrix.ssllib.version }}/lib
294293
steps:
295-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
294+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
296295
with:
297296
persist-credentials: false
298297
- name: Runner image version
@@ -347,15 +346,15 @@ jobs:
347346
- arch: aarch64
348347
runs-on: macos-26
349348
- arch: x86_64
350-
runs-on: ubuntu-24.04
349+
runs-on: ubuntu-26.04
351350

352351
runs-on: ${{ matrix.runs-on }}
353352
steps:
354-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
353+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
355354
with:
356355
persist-credentials: false
357356
- name: Build and test
358-
run: python3 Platforms/Android ci --fast-ci ${{ matrix.arch }}-linux-android
357+
run: JAVA_HOME="${JAVA_HOME_21_X64:-$JAVA_HOME_21_arm64}" python3 Platforms/Android ci --fast-ci ${{ matrix.arch }}-linux-android
359358

360359
build-ios:
361360
name: iOS
@@ -364,7 +363,7 @@ jobs:
364363
timeout-minutes: 60
365364
runs-on: macos-14
366365
steps:
367-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
366+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
368367
with:
369368
persist-credentials: false
370369

@@ -394,15 +393,15 @@ jobs:
394393

395394
test-hypothesis:
396395
name: "Hypothesis tests on Ubuntu"
397-
runs-on: ubuntu-24.04
396+
runs-on: ubuntu-26.04
398397
timeout-minutes: 60
399398
needs: build-context
400399
if: needs.build-context.outputs.run-ubuntu == 'true'
401400
env:
402-
OPENSSL_VER: 3.5.6
401+
OPENSSL_VER: 3.5.7
403402
PYTHONSTRICTEXTENSIONBUILD: 1
404403
steps:
405-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
404+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
406405
with:
407406
persist-credentials: false
408407
- name: Register gcc problem matcher
@@ -505,13 +504,13 @@ jobs:
505504
strategy:
506505
fail-fast: false
507506
matrix:
508-
os: [ubuntu-24.04]
507+
os: [ubuntu-26.04]
509508
env:
510-
OPENSSL_VER: 3.5.6
509+
OPENSSL_VER: 3.5.7
511510
PYTHONSTRICTEXTENSIONBUILD: 1
512511
ASAN_OPTIONS: detect_leaks=0:allocator_may_return_null=1:handle_segv=0
513512
steps:
514-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
513+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
515514
with:
516515
persist-credentials: false
517516
- name: Runner image version
@@ -520,10 +519,6 @@ jobs:
520519
run: echo "::add-matcher::.github/problem-matchers/gcc.json"
521520
- name: Install dependencies
522521
run: sudo ./.github/workflows/posix-deps-apt.sh
523-
- name: Set up GCC-10 for ASAN
524-
uses: egor-tensin/setup-gcc@a2861a8b8538f49cf2850980acccf6b05a1b2ae4 # v2.0
525-
with:
526-
version: 10
527522
- name: Configure OpenSSL env vars
528523
run: |
529524
echo "MULTISSL_DIR=${GITHUB_WORKSPACE}/multissl" >> "$GITHUB_ENV"
@@ -559,7 +554,6 @@ jobs:
559554
- Thread
560555
free-threading:
561556
- false
562-
- true
563557
sanitizer:
564558
- TSan
565559
include:
@@ -571,14 +565,25 @@ jobs:
571565
sanitizer: ${{ matrix.sanitizer }}
572566
free-threading: ${{ matrix.free-threading }}
573567

568+
# XXX: Temporarily allow this job to fail to not block PRs.
569+
build-san-free-threading:
570+
# ${{ '' } is a hack to nest jobs under the same sidebar category.
571+
name: Sanitizers${{ '' }} # zizmor: ignore[obfuscation]
572+
needs: build-context
573+
if: needs.build-context.outputs.run-ubuntu == 'true'
574+
uses: ./.github/workflows/reusable-san.yml
575+
with:
576+
sanitizer: TSan
577+
free-threading: true
578+
574579
cross-build-linux:
575580
name: Cross build Linux
576-
runs-on: ubuntu-latest
581+
runs-on: ubuntu-26.04
577582
timeout-minutes: 60
578583
needs: build-context
579584
if: needs.build-context.outputs.run-ubuntu == 'true'
580585
steps:
581-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
586+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
582587
with:
583588
persist-credentials: false
584589
- name: Runner image version
@@ -602,6 +607,9 @@ jobs:
602607
run: ./configure --prefix="$BUILD_DIR/cross-python" --with-build-python="$BUILD_DIR/host-python/bin/python3"
603608
- name: Install cross Python
604609
run: make -j8 install
610+
- name: Display build info
611+
run: |
612+
"$BUILD_DIR/cross-python/bin/python3" -m test.pythoninfo
605613
- name: Run test subset with host build
606614
run: |
607615
"$BUILD_DIR/cross-python/bin/python3" -m test test_sysconfig test_site test_embed
@@ -671,6 +679,7 @@ jobs:
671679
- test-hypothesis
672680
- build-asan
673681
- build-san
682+
- build-san-free-threading
674683
- cross-build-linux
675684
- cifuzz
676685
if: always()
@@ -682,6 +691,7 @@ jobs:
682691
allowed-failures: >-
683692
build-android,
684693
build-emscripten,
694+
build-san-free-threading,
685695
build-windows-msi,
686696
build-ubuntu-ssltests,
687697
test-hypothesis,

0 commit comments

Comments
 (0)