Update SQLite to 3.50.3 for binary releases.

gpshead · gpshead · commit cfb565dc8bfc · 2025-07-27T02:11:49.000Z
diff --git a/Android/android.py b/Android/android.py
@@ -187,7 +187,7 @@ def unpack_deps(host, prefix_dir):
     os.chdir(prefix_dir)
     deps_url = "https://github.com/beeware/cpython-android-source-deps/releases/download"
     for name_ver in ["bzip2-1.0.8-3", "libffi-3.4.4-3", "openssl-3.0.15-4",
-                     "sqlite-3.49.1-0", "xz-5.4.6-1", "zstd-1.5.7-1"]:
+                     "sqlite-3.50.3-0", "xz-5.4.6-1", "zstd-1.5.7-1"]:
         filename = f"{name_ver}-{host}.tar.gz"
         download(f"{deps_url}/{name_ver}/{filename}")
         shutil.unpack_archive(filename)
diff --git a/Mac/BuildScript/build-installer.py b/Mac/BuildScript/build-installer.py
@@ -37,6 +37,7 @@
 Usage: see USAGE variable in the script.
 """
 import platform, os, sys, getopt, textwrap, shutil, stat, time, pwd, grp
+import hashlib
 try:
     import urllib2 as urllib_request
 except ImportError:
@@ -359,9 +360,9 @@ def library_recipes():
                   ),
           ),
           dict(
-              name="SQLite 3.49.1",
-              url="https://sqlite.org/2025/sqlite-autoconf-3490100.tar.gz",
-              checksum="106642d8ccb36c5f7323b64e4152e9b719f7c0215acf5bfeac3d5e7f97b59254",
+              name="SQLite 3.50.3",
+              url="https://www.sqlite.org/2025/sqlite-autoconf-3500300.tar.gz",
+              checksum="sha3-256:c3df1542703a666d3f41bb623e9bed7d6e1dc81c57f0c45e3122403f862c520d",
               extra_cflags=('-Os '
                             '-DSQLITE_ENABLE_FTS5 '
                             '-DSQLITE_ENABLE_FTS4 '
@@ -795,7 +796,7 @@ def downloadURL(url, fname):
 def verifyThirdPartyFile(url, checksum, fname):
     """
     Download file from url to filename fname if it does not already exist.
-    Abort if file contents does not match supplied md5 checksum.
+    Abort if file contents does not match supplied hashlib checksum.
     """
     name = os.path.basename(fname)
     if os.path.exists(fname):
@@ -805,16 +806,30 @@ def verifyThirdPartyFile(url, checksum, fname):
         print("Downloading %s"%(name,))
         downloadURL(url, fname)
         print("Archive for %s stored as %s"%(name, fname))
-    if len(checksum) == 32:
+    if ':' in checksum:
+        algo, _, checksum = checksum.partition(':')
+        assert algo in hashlib.algorithms_guaranteed, f"Unsupported {algo}, try sha3-256 or sha256 instead."
+        if algo in ("md5", "sha1"):
+            raise ValueError(f"Known insecure checksum algorithm {algo} for {fname}.")
+        if algo.startswith(("shake", "blake")):
+            raise ValueError(f"Please stick to sha2 or sha3 standard checksum algorithms, not {algo}")
+    # TODO remove length based logic AND legacy md5s after updating the ones we already list.
+    elif len(checksum) == 32:
         algo = 'md5'
+        print("WARNING: insecure md5 used for {fname}", file=sys.stderr)
     elif len(checksum) == 64:
         algo = 'sha256'
     else:
         raise ValueError(checksum)
-    if os.system(
-            'CHECKSUM=$(openssl %s %s) ; test "${CHECKSUM##*= }" = "%s"'
-                % (algo, shellQuote(fname), checksum) ):
-        fatal('%s checksum mismatch for file %s' % (algo, fname))
+    with open(fname, 'rb') as downloaded_file:
+        if hasattr(hashlib, 'file_digest'):
+            hasher = hashlib.file_digest(downloaded_file, algo)  # 3.11+
+        else:
+            hasher = hashlib.new(algo, downloaded_file.read())
+        computed_checksum = hasher.hexdigest()
+        if computed_checksum != checksum:
+            fatal(f"{algo} hashlib checksum mismatch for file {fname}")
+
 
 def build_universal_openssl(basedir, archList):
     """
diff --git a/Misc/externals.spdx.json b/Misc/externals.spdx.json
@@ -94,18 +94,18 @@
           "checksumValue": "e335aeb44fa36cde60ecbb6a9f8be6f5d449d645ce9b0199ee53a7e6728d19d2"
         }
       ],
-      "downloadLocation": "https://github.com/python/cpython-source-deps/archive/refs/tags/sqlite-3.49.1.0.tar.gz",
+      "downloadLocation": "https://github.com/python/cpython-source-deps/archive/refs/tags/sqlite-3.50.3.0.tar.gz",
       "externalRefs": [
         {
           "referenceCategory": "SECURITY",
-          "referenceLocator": "cpe:2.3:a:sqlite:sqlite:3.49.1.0:*:*:*:*:*:*:*",
+          "referenceLocator": "cpe:2.3:a:sqlite:sqlite:3.50.3.0:*:*:*:*:*:*:*",
           "referenceType": "cpe23Type"
         }
       ],
       "licenseConcluded": "NOASSERTION",
       "name": "sqlite",
       "primaryPackagePurpose": "SOURCE",
-      "versionInfo": "3.49.1.0"
+      "versionInfo": "3.50.3.0"
     },
     {
       "SPDXID": "SPDXRef-PACKAGE-tcl-core",
@@ -214,4 +214,4 @@
     }
   ],
   "spdxVersion": "SPDX-2.3"
-}
+}
diff --git a/PCbuild/get_externals.bat b/PCbuild/get_externals.bat
@@ -56,7 +56,7 @@ set libraries=%libraries%                                       bzip2-1.0.8
 if NOT "%IncludeLibffiSrc%"=="false" set libraries=%libraries%  libffi-3.4.4
 if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries%     openssl-3.0.16
 set libraries=%libraries%                                       mpdecimal-4.0.0
-set libraries=%libraries%                                       sqlite-3.49.1.0
+set libraries=%libraries%                                       sqlite-3.50.3.0
 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tcl-core-8.6.15.0
 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tk-8.6.15.0
 set libraries=%libraries%                                       xz-5.2.5
diff --git a/PCbuild/python.props b/PCbuild/python.props
@@ -74,7 +74,7 @@
   <Import Project="$(ExternalProps)" Condition="$(ExternalProps) != '' and Exists('$(ExternalProps)')" />
 
   <PropertyGroup>
-    <sqlite3Dir Condition="$(sqlite3Dir) == ''">$(ExternalsDir)sqlite-3.49.1.0\</sqlite3Dir>
+    <sqlite3Dir Condition="$(sqlite3Dir) == ''">$(ExternalsDir)sqlite-3.50.3.0\</sqlite3Dir>
     <bz2Dir Condition="$(bz2Dir) == ''">$(ExternalsDir)bzip2-1.0.8\</bz2Dir>
     <lzmaDir Condition="$(lzmaDir) == ''">$(ExternalsDir)xz-5.2.5\</lzmaDir>
     <libffiDir Condition="$(libffiDir) == ''">$(ExternalsDir)libffi-3.4.4\</libffiDir>
diff --git a/PCbuild/readme.txt b/PCbuild/readme.txt
@@ -237,7 +237,7 @@ _ssl
     again when building.
 
 _sqlite3
-    Wraps SQLite 3.49.1, which is itself built by sqlite3.vcxproj
+    Wraps SQLite 3.50.3, which is itself built by sqlite3.vcxproj
     Homepage:
         https://www.sqlite.org/
 

Original file line number	Diff line number	Diff line change
`@@ -94,18 +94,18 @@`
`94`	`94`	`"checksumValue": "e335aeb44fa36cde60ecbb6a9f8be6f5d449d645ce9b0199ee53a7e6728d19d2"`
`95`	`95`	`}`
`96`	`96`	`],`
`97`		`- "downloadLocation": "https://github.com/python/cpython-source-deps/archive/refs/tags/sqlite-3.49.1.0.tar.gz",`
	`97`	`+ "downloadLocation": "https://github.com/python/cpython-source-deps/archive/refs/tags/sqlite-3.50.3.0.tar.gz",`
`98`	`98`	`"externalRefs": [`
`99`	`99`	`{`
`100`	`100`	`"referenceCategory": "SECURITY",`
`101`		`- "referenceLocator": "cpe:2.3:a:sqlite:sqlite:3.49.1.0:::::::*",`
	`101`	`+ "referenceLocator": "cpe:2.3:a:sqlite:sqlite:3.50.3.0:::::::*",`
`102`	`102`	`"referenceType": "cpe23Type"`
`103`	`103`	`}`
`104`	`104`	`],`
`105`	`105`	`"licenseConcluded": "NOASSERTION",`
`106`	`106`	`"name": "sqlite",`
`107`	`107`	`"primaryPackagePurpose": "SOURCE",`
`108`		`- "versionInfo": "3.49.1.0"`
	`108`	`+ "versionInfo": "3.50.3.0"`
`109`	`109`	`},`
`110`	`110`	`{`
`111`	`111`	`"SPDXID": "SPDXRef-PACKAGE-tcl-core",`
`@@ -214,4 +214,4 @@`
`214`	`214`	`}`
`215`	`215`	`],`
`216`	`216`	`"spdxVersion": "SPDX-2.3"`
`217`		`-}`
	`217`	`+}`