Log message:
On systems where both of the conditions

1. LD_LIBRARY_PATH does _not_ take precedence over DT_RPATH
   (e.g. Linux)
2. A previous libpython with the same major.minor is already installed
   (e.g. a previous version of this package)

hold, the built python will be linked with the installed libpython,
causing it to report an old teeny version in sys.version_info while
staging the install. Then "make package" fails with PLIST mismatches for
{,Pattern}Grammar.*.pickle.

pkgsrc knows which version we're building. Pass that down instead.

For platforms that weren't having this problem, no functional change
intended. For platforms that were, this simply restores "make package",
so no PKGREVISION bump.

Log message:
python37: fix CVE-2020-14422 using upstream patch

Bump PKGREVISION.

Log message:
python37: updated to 3.7.8

Python 3.7.8 final

Tests

bpo-41009: Fix use of support.require_{linux|mac|freebsd}_version() decorators \ 
as class decorator.
macOS

bpo-41100: Fix configure error when building on macOS 11. Note that 3.7.8 was \ 
released shortly after the first developer preview of macOS 11 (Big Sur); there \ 
are other known issues with building and running on the developer preview. Big \ 
Sur is expected to be fully supported in a future bugfix release of Python 3.8.x \ 
and with 3.9.0.

Python 3.7.8 release candidate 1

Security
bpo-39073: Disallow CR or LF in email.headerregistry.Address arguments to guard \ 
against header injection attacks.
bpo-38576: Disallow control characters in hostnames in http.client, addressing \ 
CVE-2019-18348. Such potentially malicious header injection URLs now cause a \ 
InvalidURL to be raised.
bpo-39503: CVE-2020-8492: The AbstractBasicAuthHandler class of the \ 
urllib.request module uses an inefficient regular expression which can be \ 
exploited by an attacker to cause a denial of service. Fix the regex to prevent \ 
the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt \ 
Schwager.

Core and Builtins
bpo-40663: Correctly generate annotations where parentheses are omitted but \ 
required (e.g: Type[(str, int, *other))].
bpo-40417: Fix imp module deprecation warning when PyImport_ReloadModule is \ 
called. Patch by Robert Rouhani.
bpo-20526: Fix PyThreadState_Clear(). PyThreadState.frame is a borrowed \ 
reference, not a strong reference: PyThreadState_Clear() must not call \ 
Py_CLEAR(tstate->frame).
bpo-38894: Fix a bug that was causing incomplete results when calling \ 
pathlib.Path.glob in the presence of symlinks that point to files where the user \ 
does not have read access. Patch by Pablo Galindo and Matt Wozniski.
bpo-39871: Fix a possible SystemError in math.{atan2,copysign,remainder}() when \ 
the first argument cannot be converted to a float. Patch by Zachary Spytz.
bpo-39520: Fix unparsing of ext slices with no items (foo[:,]). Patch by Batuhan \ 
Taskaya.
bpo-24048: Save the live exception during import.c’s remove_module().
bpo-22490: Don’t leak environment variable __PYVENV_LAUNCHER__ into the \ 
interpreter session on macOS.

Library
bpo-40448: ensurepip now disables the use of pip cache when installing the \ 
bundled versions of pip and setuptools. Patch by Krzysztof Konopko.
bpo-40807: Stop codeop._maybe_compile, used by code.InteractiveInterpreter (and \ 
IDLE). from from emitting each warning three times.
bpo-38488: Update ensurepip to install pip 20.1.1 and setuptools 47.1.0.
bpo-40767: webbrowser now properly finds the default browser in pure Wayland \ 
systems by checking the WAYLAND_DISPLAY environment variable. Patch contributed \ 
by Jérémy Attali.
bpo-30008: Fix ssl code to be compatible with OpenSSL 1.1.x builds that use \ 
no-deprecated and --api=1.1.0.
bpo-25872: linecache could crash with a KeyError when accessed from multiple \ 
threads. Fix by Michael Graczyk.
bpo-40515: The ssl and hashlib modules now actively check that OpenSSL is build \ 
with thread support. Python 3.7.0 made thread support mandatory and no longer \ 
works safely with a no-thread builds.
bpo-13097: ctypes now raises an ArgumentError when a callback is invoked with \ 
more than 1024 arguments.
bpo-40559: Fix possible memory leak in the C implementation of asyncio.Task.
bpo-40457: The ssl module now support OpenSSL builds without TLS 1.0 and 1.1 methods.
bpo-40459: platform.win32_ver() now produces correct ptype strings instead of \ 
empty strings.
bpo-40138: Fix the Windows implementation of os.waitpid() for exit code larger \ 
than INT_MAX >> 8. The exit status is now interpreted as an unsigned \ 
number.
bpo-39942: Set “__main__” as the default module name when “__name__” is \ 
missing in typing.TypeVar. Patch by Weipeng Hong.
bpo-40287: Fixed SpooledTemporaryFile.seek() to return the position.
bpo-40196: Fix a bug in the symtable module that was causing incorrectly report \ 
global variables as local. Patch by Pablo Galindo.
bpo-40126: Fixed reverting multiple patches in unittest.mock. Patcher’s \ 
__exit__() is now never called if its __enter__() is failed. Returning true from \ 
__exit__() silences now the exception.
bpo-40089: Fix threading._after_fork(): if fork was not called by a thread \ 
spawned by threading.Thread, threading._after_fork() now creates a _MainThread \ 
instance for _main_thread, instead of a _DummyThread instance.
bpo-39503: AbstractBasicAuthHandler of urllib.request now parses all \ 
WWW-Authenticate HTTP headers and accepts multiple challenges per header: use \ 
the realm of the first Basic challenge.
bpo-40014: Fix os.getgrouplist(): if getgrouplist() function fails because the \ 
group list is too small, retry with a larger group list. On failure, the glibc \ 
implementation of getgrouplist() sets ngroups to the total number of groups. For \ 
other implementations, double the group list size.
bpo-40025: Raise TypeError when _generate_next_value_ is defined after members. \ 
Patch by Ethan Onstott.
bpo-40016: In re docstring, clarify the relationship between inline and argument \ 
compile flags.
bpo-39652: The column name found in sqlite3.Cursor.description is now truncated \ 
on the first ‘[‘ only if the PARSE_COLNAMES option is set.
bpo-38662: The ensurepip module now invokes pip via the runpy module. Hence it \ 
is no longer tightly coupled with the internal API of the bundled pip version, \ 
allowing easier updates to a newer pip version both internally and for \ 
distributors.
bpo-39916: More reliable use of os.scandir() in Path.glob(). It no longer emits \ 
a ResourceWarning when interrupted.
bpo-39850: multiprocessing now supports abstract socket addresses (if abstract \ 
sockets are supported in the running platform). Patch by Pablo Galindo.
bpo-39828: Fix json.tool to catch BrokenPipeError. Patch by Dong-hee Na.
bpo-39040: Fix parsing of invalid mime headers parameters by collapsing \ 
whitespace between encoded words in a bare-quote-string.
bpo-35714: struct.error is now raised if there is a null character in a struct \ 
format string.
bpo-36541: lib2to3 now recognizes named assignment expressions (the walrus \ 
operator, :=)
bpo-29620: assertWarns() no longer raises a RuntimeException when accessing a \ 
module’s __warningregistry__ causes importation of a new module, or when a new \ 
module is imported in another thread. Patch by Kernc.
bpo-34226: Fix cgi.parse_multipart without content_length. Patch by Roger Duran
bpo-31758: Prevent crashes when using an uninitialized _elementtree.XMLParser \ 
object. Patch by Oren Milman.

Documentation
bpo-40561: Provide docstrings for webbrowser open functions.
bpo-27635: The pickle documentation incorrectly claimed that __new__ isn’t \ 
called by default when unpickling.
bpo-39879: Updated Data model docs to include dict() insertion order \ 
preservation. Patch by Furkan Onder and Samy Lahfa.
bpo-39677: Changed operand name of MAKE_FUNCTION from argc to flags for module dis
bpo-39435: Fix an incorrect signature for pickle.loads() in the docs
bpo-38387: Document PyDoc_STRVAR macro in the C-API reference.

Tests
bpo-40964: Disable remote imaplib tests, host cyrus.andrew.cmu.edu is blocking \ 
incoming connections.
bpo-40055: distutils.tests now saves/restores warnings filters to leave them \ 
unchanged. Importing tests imports docutils which imports pkg_resources which \ 
adds a warnings filter.
bpo-40436: test_gdb and test.pythoninfo now check gdb command exit code.
bpo-39932: Fix multiprocessing test_heap(): a new Heap object is now created for \ 
each test run.
bpo-40162: Update Travis CI configuration to OpenSSL 1.1.1f.
bpo-40146: Update OpenSSL to 1.1.1f in Azure Pipelines.
bpo-40019: test_gdb now skips tests if it detects that gdb failed to read debug \ 
information because the Python binary is optimized.
bpo-27807: test_site.test_startup_imports() is now skipped if a path of sys.path \ 
contains a .pth file.
bpo-39793: Use the same domain when testing make_msgid. Patch by Batuhan Taskaya.
bpo-1812: Fix newline handling in doctest.testfile when loading from a package \ 
whose loader has a get_data method. Patch by Peter Donis.
bpo-37957: test.regrtest now can receive a list of test patterns to ignore \ 
(using the -i/–ignore argument) or a file with a list of patterns to ignore \ 
(using the –ignore-file argument). Patch by Pablo Galindo.
bpo-38502: test.regrtest now uses process groups in the multiprocessing mode \ 
(-jN command line option) if process groups are available: if os.setsid() and \ 
os.killpg() functions are available.
bpo-37421: multiprocessing tests now stop the ForkServer instance if it’s \ 
running: close the “alive” file descriptor to ask the server to stop and \ 
then remove its UNIX address.
bpo-37421: multiprocessing tests now explicitly call _run_finalizers() to \ 
immediately remove temporary directories created by tests.

Build
bpo-40653: Move _dirnameW out of HAVE_SYMLINK to fix a potential compiling issue.
bpo-38360: Support single-argument form of macOS -isysroot flag.
bpo-40204: Pin Sphinx version to 2.3.1 in Doc/Makefile.
bpo-40158: Fix CPython MSBuild Properties in NuGet Package \ 
(build/native/python.props)

Windows
bpo-40164: Updates Windows OpenSSL to 1.1.1g
bpo-39631: Changes the registered MIME type for .py files on Windows to \ 
text/x-python instead of text/plain.
bpo-40650: Include winsock2.h in pytime.c for timeval.
bpo-39930: Ensures the required vcruntime140.dll is included in install packages.
bpo-39847: Avoid hang when computer is hibernated whilst waiting for a mutex \ 
(for lock-related objects from threading) around 49-day uptime.
bpo-38492: Remove pythonw.exe dependency on the Microsoft C++ runtime.

macOS
bpo-39580: Avoid opening Finder window if running installer from the command line.
bpo-40400: Update the macOS installer build scripts to build with Python 3.x and \ 
to build correctly on newer macOS systems with SIP.
bpo-40741: Update macOS installer to use SQLite 3.32.2.
bpo-38329: python.org macOS installers now update the Current version symlink of \ 
/Library/Frameworks/Python.framework/Versions for 3.9 installs. Previously, \ 
Current was only updated for Python 2.x installs. This should make it easier to \ 
embed Python 3 into other macOS applications.
bpo-40164: Update macOS installer builds to use OpenSSL 1.1.1g.

IDLE
bpo-39885: Make context menu Cut and Copy work again when right-clicking within \ 
a selection.
bpo-40723: Make test_idle pass when run after import.
bpo-27115: For ‘Go to Line’, use a Query box subclass with IDLE standard \ 
behavior and improved error checking.
bpo-39885: Since clicking to get an IDLE context menu moves the cursor, any text \ 
selection should be and now is cleared.
bpo-39852: Edit “Go to line” now clears any selection, preventing accidental \ 
deletion. It also updates Ln and Col on the status bar.
bpo-38439: Add a 256×256 pixel IDLE icon to support more modern environments. \ 
Created by Andrew Clover. Delete the unused macOS idle.icns icon file.
bpo-38689: IDLE will no longer freeze when inspect.signature fails when fetching \ 
a calltip.

Tools/Demos
bpo-40479: Update multissltest helper to test with latest OpenSSL 1.0.2, 1.1.0, \ 
1.1.1, and 3.0.0-alpha.
bpo-40179: Fixed translation of #elif in Argument Clinic.
bpo-40163: Fix multissltest tool. OpenSSL has changed download URL for old \ 
releases. The multissltest tool now tries to download from current and old \ 
download URLs.
bpo-36184: Port python-gdb.py to FreeBSD. python-gdb.py now checks for \ 
“take_gil” function name to check if a frame tries to acquire the GIL, \ 
instead of checking for “pthread_cond_timedwait” which is specific to Linux \ 
and can be a different condition than the GIL.
bpo-39889: Fixed unparse.py for extended slices containing a single element \ 
(e.g. a[i:j,]). Remove redundant tuples when index with a tuple (e.g. a[i, j]).
C API
bpo-39884: _PyMethodDef_RawFastCallDict() and _PyMethodDef_RawFastCallKeywords() \ 
now include the method name in the SystemError “bad call flags” error \ 
message to ease debug.
bpo-38643: PyNumber_ToBase() now raises a SystemError instead of crashing when \ 
called with invalid base.

Log message:
python*: findlib subst class can be a noop

It is licit to be a noop for findlib subst class when PREFIX is
`/usr/local'.

Thanks to <jklos>! (via PR pkg/54758)

Log message:
document non-obvious readline build dependency

Log message:
python3*: link pydoc in ALTERNATIVES instead of pydoc3

Log message:
python37: updated to 3.7.7

Python 3.7.7 final

Library
bpo-13487: Avoid a possible “RuntimeError: dictionary changed size during \ 
iteration” from inspect.getmodule() when it tried to loop through sys.modules.
Documentation
bpo-17422: The language reference no longer restricts default class namespaces \ 
to dicts only.

Python 3.7.7 release candidate 1

Security
bpo-39401: Avoid unsafe load of api-ms-win-core-path-l1-1-0.dll at startup on \ 
Windows 7.
Core and Builtins
bpo-39776: Fix race condition where threads created by PyGILState_Ensure() could \ 
get a duplicate id.

This affects consumers of tstate->id like the contextvar caching machinery, \ 
which could return invalid cached objects under heavy thread load (observed in \ 
embedded scenarios).
bpo-39778: Fixed a crash due to incorrect handling of weak references in \ 
collections.OrderedDict classes. Patch by Pablo Galindo.
bpo-39382: Fix a use-after-free in the single inheritance path of issubclass(), \ 
when the __bases__ of an object has a single reference, and so does its first \ 
item. Patch by Yonatan Goldschmidt.
bpo-39606: Fix regression caused by fix for bpo-39386, that prevented calling \ 
aclose on an async generator that had already been closed or exhausted.
bpo-39510: Fix segfault in readinto() method on closed BufferedReader.
bpo-39453: Fixed a possible crash in list.__contains__() when a list is changed \ 
during comparing items. Patch by Dong-hee Na.
bpo-39427: Document all possibilities for the -X options in the command line \ 
help section. Patch by Pablo Galindo.
bpo-39421: Fix possible crashes when operating with the functions in the heapq \ 
module and custom comparison operators.
bpo-39386: Prevent double awaiting of async iterator.
bpo-38588: Fix possible crashes in dict and list when calling \ 
PyObject_RichCompareBool().
bpo-39031: When parsing an “elif” node, lineno and col_offset of the node \ 
now point to the “elif” keyword and not to its condition, making it \ 
consistent with the “if” node. Patch by Lysandros Nikolaou.
bpo-38610: Fix possible crashes in several list methods by holding strong \ 
references to list elements when calling PyObject_RichCompareBool().
Library
bpo-39794: Add –without-decimal-contextvar build option. This enables a \ 
thread-local rather than a coroutine local context.
bpo-39769: The compileall.compile_dir() function’s ddir parameter and the \ 
compileall command line flag -d no longer write the wrong pathname to the \ 
generated pyc file for submodules beneath the root of the directory tree being \ 
compiled. This fixes a regression introduced with Python 3.5.
bpo-30566: Fix IndexError when trying to decode an invalid string with punycode \ 
codec.
bpo-39649: Remove obsolete check for __args__ in bdb.Bdb.format_stack_entry.
bpo-27657: The original fix for bpo-27657, “Fix urlparse() with numeric \ 
paths” (GH-16839) included in 3.7.6, inadvertently introduced a behavior \ 
change that broke several third-party packages relying on the original undefined \ 
parsing behavior. The change is reverted in 3.7.7, restoring the behavior of \ 
3.7.5 and earlier releases.
bpo-21016: The pydoc and trace modules now use the sysconfig module to get the \ 
path to the Python standard library, to support uncommon installation path like \ 
/usr/lib64/python3.9/ on Fedora. Patch by Jan Matějek.
bpo-39548: Fix handling of header in urllib.request.AbstractDigestAuthHandler \ 
when the optional qop parameter is not present.
bpo-39450: Striped whitespace from docstring before returning it from \ 
unittest.case.shortDescription().
bpo-39493: Mark typing.IO.closed as a property
bpo-39485: Fix a bug in unittest.mock.create_autospec() that would complain \ 
about the wrong number of arguments for custom descriptors defined in an \ 
extension module returning functions.
bpo-39430: Fixed race condition in lazy imports in tarfile.
bpo-39389: Write accurate compression level metadata in gzip archives, rather \ 
than always signaling maximum compression.
bpo-39274: bool(fraction.Fraction) now returns a boolean even if (numerator != \ 
0) does not return a boolean (ex: numpy number).
bpo-39242: Updated the Gmane domain from news.gmane.org to news.gmane.io which \ 
is used for examples of NNTP news reader server and nntplib tests.
bpo-39152: Fix ttk.Scale.configure([name]) to return configuration tuple for \ 
name or all options. Giovanni Lombardo contributed part of the patch.
bpo-39198: If an exception were to be thrown in Logger.isEnabledFor (say, by \ 
asyncio timeouts or stopit) , the logging global lock may not be released \ 
appropriately, resulting in deadlock. This change wraps that block of code with \ 
try...finally to ensure the lock is released.
bpo-39191: Perform a check for running loop before starting a new task in \ 
loop.run_until_complete() to fail fast; it prevents the side effect of new task \ 
spawning before exception raising.
bpo-38871: Correctly parenthesize filter-based statements that contain lambda \ 
expressions in mod:lib2to3. Patch by Dong-hee Na.
bpo-39142: A change was made to logging.config.dictConfig to avoid converting \ 
instances of named tuples to ConvertingTuple. It’s assumed that named tuples \ 
are too specialised to be treated like ordinary tuples; if a user of named \ 
tuples requires ConvertingTuple functionality, they will have to implement that \ 
themselves in their named tuple class.
bpo-38971: Open issue in the BPO indicated a desire to make the implementation \ 
of codecs.open() at parity with io.open(), which implements a try/except to \ 
assure file stream gets closed before an exception is raised.
bpo-39057: urllib.request.proxy_bypass_environment() now ignores leading dots \ 
and no longer ignores a trailing newline.
bpo-39056: Fixed handling invalid warning category in the -W option. No longer \ 
import the re module if it is not needed.
bpo-39055: base64.b64decode() with validate=True raises now a binascii.Error if \ 
the input ends with a single \n.
bpo-38878: Fixed __subclasshook__ of os.PathLike to return a correct result upon \ 
inheritence. Patch by Bar Harel.
bpo-35182: Fixed Popen.communicate() subsequent call crash when the child \ 
process has already closed any piped standard stream, but still continues to be \ 
running. Patch by Andriy Maletsky.
bpo-38473: Use signature from inner mock for autospecced methods attached with \ 
unittest.mock.attach_mock(). Patch by Karthikeyan Singaravelan.
bpo-38293: Add copy.copy() and copy.deepcopy() support to property() objects.
bpo-37953: In typing, improved the __hash__ and __eq__ methods for ForwardReferences.
bpo-36406: Handle namespace packages in doctest. Patch by Karthikeyan Singaravelan.
Documentation
bpo-13790: Change ‘string’ to ‘specification’ in format doc.
bpo-39530: Fix misleading documentation about mixed-type numeric comparisons.
bpo-17422: The language reference now specifies restrictions on class \ 
namespaces. Adapted from a patch by Ethan Furman.
bpo-39654: In pyclbr doc, update ‘class’ to ‘module’ where appropriate \ 
and add readmodule comment. Patch by Hakan Çelik.
bpo-39392: Explain that when filling with turtle, overlap regions may be left \ 
unfilled.
bpo-39381: Mention in docs that asyncio.get_event_loop() implicitly creates new \ 
event loop only if called from the main thread.
bpo-38918: Add an entry for __module__ in the “function” & “method” \ 
sections of the inspect docs types and members table
bpo-3530: In the ast module documentation, fix a misleading NodeTransformer \ 
example and add advice on when to use the fix_missing_locations function.
Tests
bpo-38546: Fix test_ressources_gced_in_workers() of test_concurrent_futures: \ 
explicitly stop the manager to prevent leaking a child process running in the \ 
background after the test completes.
Build
bpo-39144: The ctags and etags build targets both include Modules/_ctypes and \ 
Python standard library source files.
Windows
bpo-38597: distutils will no longer statically link vcruntime140.dll when a \ 
redistributable version is unavailable. All future releases of CPython will \ 
include a copy of this DLL to ensure distributed extensions can continue to \ 
load.
bpo-38380: Update Windows builds to use SQLite 3.31.1
bpo-39439: Reduce overhead when using multiprocessing in a Windows virtual \ 
environment
bpo-39185: The build.bat script has additional options for very-quiet output \ 
(-q) and very-verbose output (-vv)
macOS
bpo-38380: Update macOS builds to use SQLite 3.31.1
IDLE
bpo-39781: Selecting code context lines no longer causes a jump.
bpo-39663: Add tests for pyparse find_good_parse_start().
bpo-39600: In the font configuration window, remove duplicated font names.
bpo-30780: Add remaining configdialog tests for buttons and highlights and keys tabs.
bpo-39388: IDLE Settings Cancel button now cancels pending changes
bpo-39050: Make IDLE Settings dialog Help button work again.
bpo-34118: Tag memoryview, range, and tuple as classes, the same as list, \ 
etcetera, in the library manual built-in functions list.
bpo-38792: Close an IDLE shell calltip if a KeyboardInterrupt or shell restart \ 
occurs. Patch by Zackery Spytz.
bpo-32989: Add tests for editor newline_and_indent_event method. Remove dead \ 
code from pyparse find_good_parse_start method.

Log message:
Revbump packages depending on libffi after .so version change.

Requested by Matthias Ferdinand and Oskar on pkgsrc-users.

Log message:
*: Remove obsolete BUILDLINK_API_DEPENDS.openssl.

Log message:
python*: Switch to USE_X11=weak