Adding metadata

3 files changed, 141 insertions, 91 deletions

diff --git a/dev-lang/python/files/hashopenssl-3.11.8.patch b/dev-lang/python/files/hashopenssl-3.11.8.patch
new file mode 100644
index 000000000000..ca234eb2eb4f
--- /dev/null
+++ b/dev-lang/python/files/hashopenssl-3.11.8.patch
@@ -0,0 +1,69 @@
+LibreSSL has NID_sha3_256 and NID_sha512_256 now, but it's simpler to
+handle -stable updates if we keep the patch until 7.4 is out.
+
+Index: Modules/_hashopenssl.c
+--- Modules/_hashopenssl.c.orig
++++ Modules/_hashopenssl.c
+@@ -45,10 +45,18 @@
+ 
+ #define MUNCH_SIZE INT_MAX
+ 
++#ifdef NID_id_scrypt
+ #define PY_OPENSSL_HAS_SCRYPT 1
++#endif
++#ifdef NID_sha3_256
+ #define PY_OPENSSL_HAS_SHA3 1
++#endif
++#ifdef NID_shake256
+ #define PY_OPENSSL_HAS_SHAKE 1
++#endif
++#ifdef NID_blake2s256
+ #define PY_OPENSSL_HAS_BLAKE2 1
++#endif
+ 
+ #if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ #define PY_EVP_MD EVP_MD
+@@ -120,19 +128,27 @@ static const py_hashentry_t py_hashes[] = {
+     PY_HASH_ENTRY(Py_hash_sha384, "SHA384", SN_sha384, NID_sha384),
+     PY_HASH_ENTRY(Py_hash_sha512, "SHA512", SN_sha512, NID_sha512),
+     /* truncated sha2 */
++#ifdef NID_sha512_256
+     PY_HASH_ENTRY(Py_hash_sha512_224, "SHA512_224", SN_sha512_224, NID_sha512_224),
+     PY_HASH_ENTRY(Py_hash_sha512_256, "SHA512_256", SN_sha512_256, NID_sha512_256),
++#endif
+     /* sha3 */
++#ifdef PY_OPENSSL_HAS_SHA3
+     PY_HASH_ENTRY(Py_hash_sha3_224, NULL, SN_sha3_224, NID_sha3_224),
+     PY_HASH_ENTRY(Py_hash_sha3_256, NULL, SN_sha3_256, NID_sha3_256),
+     PY_HASH_ENTRY(Py_hash_sha3_384, NULL, SN_sha3_384, NID_sha3_384),
+     PY_HASH_ENTRY(Py_hash_sha3_512, NULL, SN_sha3_512, NID_sha3_512),
++#endif
+     /* sha3 shake */
++#ifdef PY_OPENSSL_HAS_SHAKE
+     PY_HASH_ENTRY(Py_hash_shake_128, NULL, SN_shake128, NID_shake128),
+     PY_HASH_ENTRY(Py_hash_shake_256, NULL, SN_shake256, NID_shake256),
++#endif
+     /* blake2 digest */
++#ifdef PY_OPENSSL_HAS_BLAKE2
+     PY_HASH_ENTRY(Py_hash_blake2s, "blake2s256", SN_blake2s256, NID_blake2s256),
+     PY_HASH_ENTRY(Py_hash_blake2b, "blake2b512", SN_blake2b512, NID_blake2b512),
++#endif
+     PY_HASH_ENTRY(NULL, NULL, NULL, 0),
+ };
+ 
+@@ -874,11 +890,15 @@ py_evp_fromname(PyObject *module, const char *digestna
+         goto exit;
+     }
+ 
++#ifndef EVP_MD_FLAG_XOF
++    type = get_hashlib_state(module)->EVPtype;
++#else
+     if ((EVP_MD_flags(digest) & EVP_MD_FLAG_XOF) == EVP_MD_FLAG_XOF) {
+         type = get_hashlib_state(module)->EVPXOFtype;
+     } else {
+         type = get_hashlib_state(module)->EVPtype;
+     }
++#endif
+ 
+     self = newEVPobject(type);
+     if (self == NULL) {
diff --git a/dev-lang/python/metadata.xml b/dev-lang/python/metadata.xml
index da65b6c8cd94..23575050ca19 100644
--- a/dev-lang/python/metadata.xml
+++ b/dev-lang/python/metadata.xml
@@ -23,4 +23,4 @@
   <flag name="wininst">Install Windows executables required to create an executable installer for MS Windows</flag>
  </use>
  <origin>ports</origin>
-</pkgmetadata>
\ No newline at end of file
+</pkgmetadata>
diff --git a/dev-lang/python/python-3.11.8.ebuild b/dev-lang/python/python-3.11.8.ebuild
index c7eca9df86cb..29ac169c7af0 100644
--- a/dev-lang/python/python-3.11.8.ebuild
+++ b/dev-lang/python/python-3.11.8.ebuild
@@ -27,7 +27,7 @@ S="${WORKDIR}/${MY_P}"
 LICENSE="PSF-2"
 SLOT="${PYVER}"
 KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
-IUSE="bluetooth build debug +ensurepip examples gdbm libedit libressl +ncurses pgo +readline +sqlite +ssl test tk valgrind"
+IUSE="bluetooth build +ensurepip examples gdbm hardened libedit libressl lto +ncurses pgo +readline +sqlite +ssl test tk valgrind"
 RESTRICT="!test? ( test )"
 
 # Do not add a dependency on dev-lang/python to this ebuild.
@@ -39,15 +39,16 @@ RDEPEND="
 	app-arch/bzip2:=
 	app-arch/xz-utils:=
 	app-crypt/libb2
-	<dev-libs/expat-2.6:=
+	>=dev-libs/expat-2.1:=
+	dev-lang/python-exec[python_targets_python3_9(-)]
 	dev-libs/libffi:=
 	dev-python/gentoo-common
+	sys-apps/util-linux:=
 	>=sys-libs/zlib-1.1.3:=
 	virtual/libcrypt:=
 	virtual/libintl
 	ensurepip? ( dev-python/ensurepip-wheels )
 	gdbm? ( sys-libs/gdbm:=[berkdb] )
-	kernel_linux? ( sys-apps/util-linux:= )
 	ncurses? ( >=sys-libs/ncurses-5.2:= )
 	readline? (
 		!libedit? ( >=sys-libs/readline-4.1:= )
@@ -71,7 +72,7 @@ RDEPEND="
 DEPEND="
 	${RDEPEND}
 	bluetooth? ( net-wireless/bluez )
-	test? ( app-arch/xz-utils )
+	test? ( app-arch/xz-utils[extra-filters(+)] )
 	valgrind? ( dev-debug/valgrind )
 "
 # autoconf-archive needed to eautoreconf
@@ -80,17 +81,10 @@ BDEPEND="
 	app-alternatives/awk
 	virtual/pkgconfig
 	verify-sig? ( sec-keys/openpgp-keys-python )
-"
-RDEPEND+="
-	!build? ( app-misc/mime-types )
-"
-if [[ ${PV} != *_alpha* ]]; then
-	RDEPEND+="
-		dev-lang/python-exec[python_targets_python${PYVER/./_}(-)]
-	"
-fi
+	!sys-devel/gcc[libffi(-)]"
+PDEPEND="app-eselect/eselect-python"
 
-VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/python.org.asc
+VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/python.org.asc
 
 # large file tests involve a 2.5G file being copied (duplicated)
 CHECKREQS_DISK_BUILD=5500M
@@ -142,71 +136,8 @@ src_prepare() {
 	eautoreconf
 }
 
-build_cbuild_python() {
-	# Hack to workaround get_libdir not being able to handle CBUILD, bug #794181
-	local cbuild_libdir=$(unset PKG_CONFIG_PATH ; $(tc-getBUILD_PKG_CONFIG) --keep-system-libs --libs-only-L libffi)
-
-	# pass system CFLAGS & LDFLAGS as _NODIST, otherwise they'll get
-	# propagated to sysconfig for built extensions
-	#
-	# -fno-lto to avoid bug #700012 (not like it matters for mini-CBUILD Python anyway)
-	local -x CFLAGS_NODIST="${BUILD_CFLAGS} -fno-lto"
-	local -x LDFLAGS_NODIST=${BUILD_LDFLAGS}
-	local -x CFLAGS= LDFLAGS=
-	local -x BUILD_CFLAGS="${CFLAGS_NODIST}"
-	local -x BUILD_LDFLAGS=${LDFLAGS_NODIST}
-
-	# We need to build our own Python on CBUILD first, and feed it in.
-	# bug #847910
-	local myeconfargs_cbuild=(
-		"${myeconfargs[@]}"
-
-		--prefix="${BROOT}"/usr
-		--libdir="${cbuild_libdir:2}"
-
-		# Avoid needing to load the right libpython.so.
-		--disable-shared
-
-		# As minimal as possible for the mini CBUILD Python
-		# we build just for cross to satisfy --with-build-python.
-		--without-lto
-		--without-readline
-		--disable-optimizations
-	)
-
-	mkdir "${WORKDIR}"/${P}-${CBUILD} || die
-	pushd "${WORKDIR}"/${P}-${CBUILD} &> /dev/null || die
-	# We disable _ctypes and _crypt for CBUILD because Python's setup.py can't handle locating
-	# libdir correctly for cross.
-	PYTHON_DISABLE_MODULES+=" _ctypes _crypt" \
-		ECONF_SOURCE="${S}" econf_build "${myeconfargs_cbuild[@]}"
-
-	# Avoid as many dependencies as possible for the cross build.
-	cat >> Makefile <<-EOF || die
-		MODULE_NIS_STATE=disabled
-		MODULE__DBM_STATE=disabled
-		MODULE__GDBM_STATE=disabled
-		MODULE__DBM_STATE=disabled
-		MODULE__SQLITE3_STATE=disabled
-		MODULE__HASHLIB_STATE=disabled
-		MODULE__SSL_STATE=disabled
-		MODULE__CURSES_STATE=disabled
-		MODULE__CURSES_PANEL_STATE=disabled
-		MODULE_READLINE_STATE=disabled
-		MODULE__TKINTER_STATE=disabled
-		MODULE_PYEXPAT_STATE=disabled
-		MODULE_ZLIB_STATE=disabled
-	EOF
-
-	# Unfortunately, we do have to build this immediately, and
-	# not in src_compile, because CHOST configure for Python
-	# will check the existence of the --with-build-python value
-	# immediately.
-	PYTHON_DISABLE_MODULES+=" _ctypes _crypt" emake
-	popd &> /dev/null || die
-}
-
 src_configure() {
+	local disable
 	# disable automagic bluetooth headers detection
 	if ! use bluetooth; then
 		local -x ac_cv_header_bluetooth_bluetooth_h=no
@@ -215,6 +146,11 @@ src_configure() {
 	append-flags -fwrapv
 	filter-flags -malign-double
 
+	# https://bugs.gentoo.org/700012
+	if is-flagq -flto || is-flagq '-flto=*'; then
+		append-cflags $(test-flags-CC -ffat-lto-objects)
+	fi
+
 	# Export CXX so it ends up in /usr/lib/python3.X/config/Makefile.
 	# PKG_CONFIG needed for cross.
 	tc-export CXX PKG_CONFIG
@@ -236,7 +172,6 @@ src_configure() {
 			--timeout 1200
 
 			-x test_gdb
-			-x test_dtrace
 
 			# All of these seem to occasionally hang for PGO inconsistently
 			# They'll even hang here but be fine in src_test sometimes.
@@ -278,14 +213,13 @@ src_configure() {
 		--with-libc=
 		--enable-loadable-sqlite-extensions
 		--without-ensurepip
-		--without-lto
 		--with-system-expat
 		--with-system-ffi
 		--with-platlibdir=lib
 		--with-pkg-config=yes
 		--with-wheel-pkg-dir="${EPREFIX}"/usr/lib/python/ensurepip
 
-		$(use_with debug assertions)
+		$(use_with lto)
 		$(use_enable pgo optimizations)
 		$(use_with readline readline "$(usex libedit editline readline)")
 		$(use_with valgrind)
@@ -294,21 +228,69 @@ src_configure() {
 	# disable implicit optimization/debugging flags
 	local -x OPT=
 
-	# https://bugs.gentoo.org/700012
-	if tc-is-lto; then
-		append-cflags $(test-flags-CC -ffat-lto-objects)
-		myeconfargs+=(
-			--with-lto
+	if tc-is-cross-compiler ; then
+		# Hack to workaround get_libdir not being able to handle CBUILD, bug #794181
+		local cbuild_libdir=$(unset PKG_CONFIG_PATH ; $(tc-getBUILD_PKG_CONFIG) --keep-system-libs --libs-only-L libffi)
+
+		# pass system CFLAGS & LDFLAGS as _NODIST, otherwise they'll get
+		# propagated to sysconfig for built extensions
+		local -x CFLAGS_NODIST=${CFLAGS_FOR_BUILD}
+		local -x LDFLAGS_NODIST=${LDFLAGS_FOR_BUILD}
+		local -x CFLAGS= LDFLAGS=
+
+		# We need to build our own Python on CBUILD first, and feed it in.
+		# bug #847910
+		local myeconfargs_cbuild=(
+			"${myeconfargs[@]}"
+
+			--libdir="${cbuild_libdir:2}"
+
+			# Avoid needing to load the right libpython.so.
+			--disable-shared
+
+			# As minimal as possible for the mini CBUILD Python
+			# we build just for cross to satisfy --with-build-python.
+			--without-lto
+			--without-readline
+			--disable-optimizations
 		)
-	fi
 
-	if tc-is-cross-compiler ; then
-		build_cbuild_python
 		myeconfargs+=(
 			# Point the imminent CHOST build to the Python we just
 			# built for CBUILD.
 			--with-build-python="${WORKDIR}"/${P}-${CBUILD}/python
 		)
+
+		mkdir "${WORKDIR}"/${P}-${CBUILD} || die
+		pushd "${WORKDIR}"/${P}-${CBUILD} &> /dev/null || die
+		# We disable _ctypes and _crypt for CBUILD because Python's setup.py can't handle locating
+		# libdir correctly for cross.
+		PYTHON_DISABLE_MODULES="${PYTHON_DISABLE_MODULES} _ctypes _crypt" \
+			ECONF_SOURCE="${S}" econf_build "${myeconfargs_cbuild[@]}"
+
+		# Avoid as many dependencies as possible for the cross build.
+		cat >> Makefile <<-EOF || die
+			MODULE_NIS_STATE=disabled
+			MODULE__DBM_STATE=disabled
+			MODULE__GDBM_STATE=disabled
+			MODULE__DBM_STATE=disabled
+			MODULE__SQLITE3_STATE=disabled
+			MODULE__HASHLIB_STATE=disabled
+			MODULE__SSL_STATE=disabled
+			MODULE__CURSES_STATE=disabled
+			MODULE__CURSES_PANEL_STATE=disabled
+			MODULE_READLINE_STATE=disabled
+			MODULE__TKINTER_STATE=disabled
+			MODULE_PYEXPAT_STATE=disabled
+			MODULE_ZLIB_STATE=disabled
+		EOF
+
+		# Unfortunately, we do have to build this immediately, and
+		# not in src_compile, because CHOST configure for Python
+		# will check the existence of the --with-build-python value
+		# immediately.
+		PYTHON_DISABLE_MODULES="${PYTHON_DISABLE_MODULES} _ctypes _crypt" emake
+		popd &> /dev/null || die
 	fi
 
 	# pass system CFLAGS & LDFLAGS as _NODIST, otherwise they'll get
@@ -356,7 +338,6 @@ src_compile() {
 	# Prevent using distutils bundled by setuptools.
 	# https://bugs.gentoo.org/823728
 	export SETUPTOOLS_USE_DISTUTILS=stdlib
-	export PYTHONSTRICTEXTENSIONBUILD=1
 
 	# Save PYTHONDONTWRITEBYTECODE so that 'has_version' doesn't
 	# end up writing bytecode & violating sandbox.