CVS commit: pkgsrc/www/py-gunicorn

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/www/py-gunicorn
From: "Adam Ciarcinski" <adam%netbsd.org@localhost>
Date: Tue, 19 May 2026 11:50:00 +0000

Module Name:    pkgsrc
Committed By:   adam
Date:           Tue May 19 11:50:00 UTC 2026

Modified Files:
        pkgsrc/www/py-gunicorn: Makefile PLIST distinfo

Log Message:
py-gunicorn: updated to 26.0.0

26.0.0

Breaking Changes

- **Eventlet worker removed**: The `eventlet` worker class has been dropped.
  Migrate to `gevent`, `gthread`, or `tornado`.

New Features

- **ASGI Framework Compatibility Suite**: New end-to-end compatibility test
  harness covering Starlette, FastAPI, Litestar, Quart, Sanic, and BlackSheep.
  Current grid passes 438/444 tests (98%).

- **ASGI Test Suite Expansion**: 134 additional ASGI unit tests covering
  protocol semantics, lifespan, websockets, and chunked framing.

Security

- **HTTP/1.1 Request-Target Validation** (RFC 9112 sections 3.2.3, 3.2.4):
  - Reject `authority-form` request-target outside `CONNECT`
  - Reject `asterisk-form` request-target outside `OPTIONS`
  - Reject `relative-reference` request-targets

- **Header Field Hardening** (RFC 9110):
  - Reject control characters in header field-value (section 5.5)
  - Reject forbidden trailer field-names (section 6.5.1)
  - Reject `Content-Length` list form (RFC 9112 section 6.3)

- **Request Smuggling Hardening**:
  - Tighten keepalive gate and scope `finish_body` byte cap
  - Keep `_body_receiver` alive across the keepalive smuggling gate so
    pipelined requests cannot re-enter a closed body
  - Address parser/protocol findings from a six-point WSGI/ASGI audit

- **PROXY Protocol (ASGI)**: Enforce `proxy_allow_ips` and tighten v1/v2
  parsing in the ASGI callback parser.

- **Connection Draining**: Drain the connection on close per RFC 9112
  section 9.6 to prevent reset-on-close truncation.

Bug Fixes

- **Body Framing on HEAD/204/304**:
  - Keep `Content-Length` on HEAD and 304 responses
  - Drop body framing on HEAD/204/304 even when the framework set it
  - Warn once when an ASGI app emits a body for a no-body response

- **HTTP/2 ASGI**:
  - Fix `_handle_stream_ended` to set `_body_complete` in the async HTTP/2
    handler so request bodies finalize correctly on stream end
  - Add `InvalidChunkExtension` mapping and fast-parser support in ASGI

- **HTTP/1.1 100-Continue**: Stop adding `Transfer-Encoding: chunked` to
  100-Continue interim responses.

- **WebSocket Close Handshake** (RFC 6455):
  - Comply with the close handshake state machine
  - Close the transport after the close handshake completes
  - Fix binary send when the `text` key is `None`

- **Early Hints**: Validate headers in the `early_hints` callback to match
  `process_headers`; pass only the header name to `InvalidHeader`

- **ASGI Framework Fixes**:
  - Fix ASGI disconnect handling for Django-style apps
  - Fix Litestar request handling (use raw ASGI receive for body/headers)
  - Fix Litestar HTTP endpoints for compatibility tests
  - Fix Quart headers endpoint to normalize keys to lowercase
  - Fix Quart WebSocket close test app (missing `accept()`)
  - Fix duplicate `Transfer-Encoding` header for BlackSheep streaming

Refactoring

- Split `BodyReceiver._closed` into separate transport and body-wait flags
  for clearer keepalive/EOF semantics.

Changes

- **Fast HTTP Parser**: Require `gunicorn_h1c >= 0.6.5`. Drop the last
  `python_only` test markers; the C extension is now used wherever
  available (CPython only; PyPy continues to use the Python parser).

- **Test Dependencies**: Add `h2` and `uvloop` to the `testing` extra;
  remove `eventlet`.

- **Docker Build**: Bump GitHub Actions `docker/setup-qemu-action`,
  `docker/setup-buildx-action`, `docker/login-action`,
  `docker/build-push-action`, and `docker/metadata-action` to current
  major versions.


To generate a diff of this commit:
cvs rdiff -u -r1.31 -r1.32 pkgsrc/www/py-gunicorn/Makefile
cvs rdiff -u -r1.18 -r1.19 pkgsrc/www/py-gunicorn/PLIST
cvs rdiff -u -r1.23 -r1.24 pkgsrc/www/py-gunicorn/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/py-gunicorn/Makefile
diff -u pkgsrc/www/py-gunicorn/Makefile:1.31 pkgsrc/www/py-gunicorn/Makefile:1.32
--- pkgsrc/www/py-gunicorn/Makefile:1.31        Mon Mar 30 11:14:58 2026
+++ pkgsrc/www/py-gunicorn/Makefile     Tue May 19 11:50:00 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.31 2026/03/30 11:14:58 adam Exp $
+# $NetBSD: Makefile,v 1.32 2026/05/19 11:50:00 adam Exp $
 
-DISTNAME=      gunicorn-25.3.0
+DISTNAME=      gunicorn-26.0.0
 PKGNAME=       ${PYPKGPREFIX}-${DISTNAME}
 CATEGORIES=    www python
 MASTER_SITES=  ${MASTER_SITE_PYPI:=g/gunicorn/}
@@ -19,11 +19,7 @@ TEST_DEPENDS+=       ${PYPKGPREFIX}-test-cov-[
 
 USE_LANGUAGES= # none
 
-post-install:
-.for bin in gunicorn gunicornc
-       cd ${DESTDIR}${PREFIX}/bin && \
-       ${MV} ${bin} ${bin}-${PYVERSSUFFIX} || ${TRUE}
-.endfor
+PY_RENAME_BINARIES=    gunicorn gunicornc
 
 .include "../../lang/python/wheel.mk"
 .include "../../mk/bsd.pkg.mk"

Index: pkgsrc/www/py-gunicorn/PLIST
diff -u pkgsrc/www/py-gunicorn/PLIST:1.18 pkgsrc/www/py-gunicorn/PLIST:1.19
--- pkgsrc/www/py-gunicorn/PLIST:1.18   Mon Mar 30 11:14:58 2026
+++ pkgsrc/www/py-gunicorn/PLIST        Tue May 19 11:50:00 2026
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.18 2026/03/30 11:14:58 adam Exp $
+@comment $NetBSD: PLIST,v 1.19 2026/05/19 11:50:00 adam Exp $
 bin/gunicorn-${PYVERSSUFFIX}
 bin/gunicornc-${PYVERSSUFFIX}
 ${PYSITELIB}/${WHEEL_INFODIR}/METADATA
@@ -190,9 +190,6 @@ ${PYSITELIB}/gunicorn/workers/base_async
 ${PYSITELIB}/gunicorn/workers/gasgi.py
 ${PYSITELIB}/gunicorn/workers/gasgi.pyc
 ${PYSITELIB}/gunicorn/workers/gasgi.pyo
-${PYSITELIB}/gunicorn/workers/geventlet.py
-${PYSITELIB}/gunicorn/workers/geventlet.pyc
-${PYSITELIB}/gunicorn/workers/geventlet.pyo
 ${PYSITELIB}/gunicorn/workers/ggevent.py
 ${PYSITELIB}/gunicorn/workers/ggevent.pyc
 ${PYSITELIB}/gunicorn/workers/ggevent.pyo

Index: pkgsrc/www/py-gunicorn/distinfo
diff -u pkgsrc/www/py-gunicorn/distinfo:1.23 pkgsrc/www/py-gunicorn/distinfo:1.24
--- pkgsrc/www/py-gunicorn/distinfo:1.23        Mon Mar 30 11:14:58 2026
+++ pkgsrc/www/py-gunicorn/distinfo     Tue May 19 11:50:00 2026
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.23 2026/03/30 11:14:58 adam Exp $
+$NetBSD: distinfo,v 1.24 2026/05/19 11:50:00 adam Exp $
 
-BLAKE2s (gunicorn-25.3.0.tar.gz) = ef7ddc66847727d90cce42a55608171571bc05a5209bee339ea0f7deb8906abd
-SHA512 (gunicorn-25.3.0.tar.gz) = c445f1b5f67fb063734c35d6c78909a102289ef35cf92037806e73345228564ee3919383dbd1dd781bec39d30968350e54db701077e633b55269746accc8c277
-Size (gunicorn-25.3.0.tar.gz) = 634883 bytes
+BLAKE2s (gunicorn-26.0.0.tar.gz) = 177d86da5cf37e207a32f7ae444aaaf3d03df24ab031426150374550ec1f6228
+SHA512 (gunicorn-26.0.0.tar.gz) = 8f8ef933324226c17bf6fc09e79b682a4f0177ef79a2c485b7c93d6a06bc103f145786596c69142e399655c057a2d111a862953cf0d9144b3c21f35b6f6b34ce
+Size (gunicorn-26.0.0.tar.gz) = 727286 bytes

Prev by Date: CVS commit: pkgsrc/www/py-uvicorn
Next by Date: CVS commit: pkgsrc/doc
Previous by Thread: CVS commit: pkgsrc/www/py-uvicorn
Next by Thread: CVS commit: pkgsrc/doc
Indexes:

Home | Main Index | Thread Index | Old Index