From 89e22a429ec75ce1935c6055f61a70f565dd488c Mon Sep 17 00:00:00 2001
From: twangboy <shane.d.lee@gmail.com>
Date: Thu, 23 Oct 2025 11:37:32 -0600
Subject: [PATCH 1/8] Add verbose messages to build.bat

---
 relenv/build/windows.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/relenv/build/windows.py b/relenv/build/windows.py
index 8e7a4f27..105c7d5d 100644
--- a/relenv/build/windows.py
+++ b/relenv/build/windows.py
@@ -146,6 +146,7 @@ def build_python(env, dirs, logfp):
         "-p",
         plat,
         "--no-tkinter",
+        "-vv",
     ]
 
     log.info("Start PCbuild")

From 90d9b32ca6d82747cbed8db27da646b11e8451ae Mon Sep 17 00:00:00 2001
From: twangboy <shane.d.lee@gmail.com>
Date: Thu, 23 Oct 2025 14:30:08 -0600
Subject: [PATCH 2/8] Update version of xz in externals.spdx.json

---
 relenv/build/windows.py | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/relenv/build/windows.py b/relenv/build/windows.py
index 105c7d5d..dd8fb9fb 100644
--- a/relenv/build/windows.py
+++ b/relenv/build/windows.py
@@ -4,6 +4,7 @@
 The windows build process.
 """
 import glob
+import json
 import logging
 import os
 import pathlib
@@ -120,19 +121,34 @@ def build_python(env, dirs, logfp):
     # XZ-Utils
     if env["RELENV_PY_MAJOR_VERSION"] in ["3.10", "3.11", "3.12", "3.13", "3.14"]:
         version = "5.6.2"
+        url = f"https://github.com/tukaani-project/xz/releases/download/v{version}/xz-{version}.tar.xz"
+        sha256 = "8bfd20c0e1d86f0402f2497cfa71c6ab62d4cd35fd704276e3140bfb71414519"
+        ref_loc = f"cpe:2.3:a:tukaani:xz:{version}:*:*:*:*:*:*:*"
         target_dir = externals_dir / f"xz-{version}"
         if not target_dir.exists():
             update_props(dirs.source, r"xz-\d+.\d+.\d+", f"xz-{version}")
-            url = f"https://github.com/tukaani-project/xz/releases/download/v{version}/xz-{version}.tar.xz"
             get_externals_source(externals_dir=externals_dir, url=url)
         # Starting with version v5.5.0, XZ-Utils removed the ability to compile
         # with MSBuild. We are bringing the config.h from the last version that
         # had it, 5.4.7
-        config_file = target_dir / "windows" / "config.h"
         config_file = target_dir / "src" / "common" / "config.h"
         config_file_source = dirs.root / "_resources" / "xz" / "config.h"
         if not config_file.exists():
             shutil.copy(str(config_file_source), str(config_file))
+        # Update externals.spdx.json with the correct version, url, and hash
+        # This became a thing in 3.12
+        if env["RELENV_PY_MAJOR_VERSION"] in ["3.12", "3.13", "3.14"]:
+            spdx_json = dirs.source / "Misc" / "externals.spdx.json"
+            with open(str(spdx_json), "r") as f:
+                data = json.load(f)
+                for pkg in data["packages"]:
+                    if pkg["name"] == "xz":
+                        pkg["versionInfo"] = version
+                        pkg["downloadLocation"] = url
+                        pkg["checksums"][0]["checksumValue"] = sha256
+                        pkg["externalRefs"][0]["referenceLocator"] = ref_loc
+            with open(str(spdx_json), "w") as f:
+                json.dump(data, f, indent=2)
 
     arch_to_plat = {
         "amd64": "x64",
@@ -146,7 +162,6 @@ def build_python(env, dirs, logfp):
         "-p",
         plat,
         "--no-tkinter",
-        "-vv",
     ]
 
     log.info("Start PCbuild")

From 2e41882e131ee0e0bfa5b9247bd47e798e6d82ba Mon Sep 17 00:00:00 2001
From: twangboy <shane.d.lee@gmail.com>
Date: Mon, 27 Oct 2025 14:32:09 -0600
Subject: [PATCH 3/8] Gate XZ update to python 3.10 & 3.11

---
 relenv/build/windows.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/relenv/build/windows.py b/relenv/build/windows.py
index dd8fb9fb..16861c8b 100644
--- a/relenv/build/windows.py
+++ b/relenv/build/windows.py
@@ -107,7 +107,11 @@ def build_python(env, dirs, logfp):
     externals_dir.mkdir(parents=True, exist_ok=True)
 
     # SQLITE
-    if env["RELENV_PY_MAJOR_VERSION"] in ["3.10", "3.11", "3.12"]:
+    # TODO: Python 3.12 started creating an SBOM. We're doing something wrong
+    # TODO: updating sqlite so SBOM creation is failing. Gating here until we
+    # TODO: fix this. Here's the original gate:
+    # TODO: if env["RELENV_PY_MAJOR_VERSION"] in ["3.10", "3.11", "3.12"]:
+    if env["RELENV_PY_MAJOR_VERSION"] in ["3.10", "3.11"]:
         version = "3.50.4.0"
         target_dir = externals_dir / f"sqlite-{version}"
         if not target_dir.exists():
@@ -119,7 +123,11 @@ def build_python(env, dirs, logfp):
             shutil.move(str(extracted_dir), str(target_dir))
 
     # XZ-Utils
-    if env["RELENV_PY_MAJOR_VERSION"] in ["3.10", "3.11", "3.12", "3.13", "3.14"]:
+    # TODO: Python 3.12 started creating an SBOM. We're doing something wrong
+    # TODO: updating XZ so SBOM creation is failing. Gating here until we fix
+    # TODO: this. Here's the original gate:
+    # TODO: if env["RELENV_PY_MAJOR_VERSION"] in ["3.10", "3.11", "3.12", "3.13", "3.14"]:
+    if env["RELENV_PY_MAJOR_VERSION"] in ["3.10", "3.11"]:
         version = "5.6.2"
         url = f"https://github.com/tukaani-project/xz/releases/download/v{version}/xz-{version}.tar.xz"
         sha256 = "8bfd20c0e1d86f0402f2497cfa71c6ab62d4cd35fd704276e3140bfb71414519"

From ddab7dad9eb3695ae50b84dc384f978bd75012b4 Mon Sep 17 00:00:00 2001
From: twangboy <shane.d.lee@gmail.com>
Date: Mon, 27 Oct 2025 14:49:25 -0600
Subject: [PATCH 4/8] Try adding SBOM infor for sqlite

---
 relenv/build/windows.py | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/relenv/build/windows.py b/relenv/build/windows.py
index 16861c8b..2aee0a38 100644
--- a/relenv/build/windows.py
+++ b/relenv/build/windows.py
@@ -110,24 +110,40 @@ def build_python(env, dirs, logfp):
     # TODO: Python 3.12 started creating an SBOM. We're doing something wrong
     # TODO: updating sqlite so SBOM creation is failing. Gating here until we
     # TODO: fix this. Here's the original gate:
-    # TODO: if env["RELENV_PY_MAJOR_VERSION"] in ["3.10", "3.11", "3.12"]:
-    if env["RELENV_PY_MAJOR_VERSION"] in ["3.10", "3.11"]:
+    # if env["RELENV_PY_MAJOR_VERSION"] in ["3.10", "3.11"]:
+    if env["RELENV_PY_MAJOR_VERSION"] in ["3.10", "3.11", "3.12"]:
         version = "3.50.4.0"
+        url = "https://sqlite.org/2025/sqlite-autoconf-3500400.tar.gz"
+        sha256 = "a3db587a1b92ee5ddac2f66b3edb41b26f9c867275782d46c3a088977d6a5b18"
+        ref_loc = f"cpe:2.3:a:sqlite:sqlite:{version}:*:*:*:*:*:*:*"
         target_dir = externals_dir / f"sqlite-{version}"
         if not target_dir.exists():
             update_props(dirs.source, r"sqlite-\d+.\d+.\d+.\d+", f"sqlite-{version}")
-            url = "https://sqlite.org/2025/sqlite-autoconf-3500400.tar.gz"
             get_externals_source(externals_dir=externals_dir, url=url)
             # # we need to fix the name of the extracted directory
             extracted_dir = externals_dir / "sqlite-autoconf-3500400"
             shutil.move(str(extracted_dir), str(target_dir))
+        # Update externals.spdx.json with the correct version, url, and hash
+        # This became a thing in 3.12
+        if env["RELENV_PY_MAJOR_VERSION"] in ["3.12"]:
+            spdx_json = dirs.source / "Misc" / "externals.spdx.json"
+            with open(str(spdx_json), "r") as f:
+                data = json.load(f)
+                for pkg in data["packages"]:
+                    if pkg["name"] == "sqlite":
+                        pkg["versionInfo"] = version
+                        pkg["downloadLocation"] = url
+                        pkg["checksums"][0]["checksumValue"] = sha256
+                        pkg["externalRefs"][0]["referenceLocator"] = ref_loc
+            with open(str(spdx_json), "w") as f:
+                json.dump(data, f, indent=2)
 
     # XZ-Utils
     # TODO: Python 3.12 started creating an SBOM. We're doing something wrong
     # TODO: updating XZ so SBOM creation is failing. Gating here until we fix
     # TODO: this. Here's the original gate:
-    # TODO: if env["RELENV_PY_MAJOR_VERSION"] in ["3.10", "3.11", "3.12", "3.13", "3.14"]:
-    if env["RELENV_PY_MAJOR_VERSION"] in ["3.10", "3.11"]:
+    # if env["RELENV_PY_MAJOR_VERSION"] in ["3.10", "3.11"]:
+    if env["RELENV_PY_MAJOR_VERSION"] in ["3.10", "3.11", "3.12", "3.13", "3.14"]:
         version = "5.6.2"
         url = f"https://github.com/tukaani-project/xz/releases/download/v{version}/xz-{version}.tar.xz"
         sha256 = "8bfd20c0e1d86f0402f2497cfa71c6ab62d4cd35fd704276e3140bfb71414519"

From 442ea7467fbf02a6ca21a13c43a4b5649d0ea1be Mon Sep 17 00:00:00 2001
From: twangboy <shane.d.lee@gmail.com>
Date: Tue, 28 Oct 2025 09:08:32 -0600
Subject: [PATCH 5/8] Let's try updating expat manually

---
 relenv/build/windows.py | 283 ++++++++++++++++++++++++++++++++--------
 relenv/common.py        |   2 +-
 2 files changed, 229 insertions(+), 56 deletions(-)

diff --git a/relenv/build/windows.py b/relenv/build/windows.py
index 2aee0a38..0a729e68 100644
--- a/relenv/build/windows.py
+++ b/relenv/build/windows.py
@@ -11,6 +11,7 @@
 import shutil
 import sys
 import tarfile
+
 from .common import (
     builds,
     create_archive,
@@ -22,7 +23,7 @@
     runcmd,
     update_ensurepip,
 )
-from ..common import arches, WIN32
+from ..common import arches, WIN32, Version
 
 log = logging.getLogger(__name__)
 
@@ -89,6 +90,227 @@ def get_externals_bin(source_root, url):
     pass
 
 
+def update_sqlite(dirs, env):
+    """
+    Update the SQLITE library.
+    """
+    version = "3.50.4.0"
+    url = "https://sqlite.org/2025/sqlite-autoconf-3500400.tar.gz"
+    sha256 = "a3db587a1b92ee5ddac2f66b3edb41b26f9c867275782d46c3a088977d6a5b18"
+    ref_loc = f"cpe:2.3:a:sqlite:sqlite:{version}:*:*:*:*:*:*:*"
+    target_dir = dirs.source / "externals" / f"sqlite-{version}"
+    target_dir.parent.mkdir(parents=True, exist_ok=True)
+    if not target_dir.exists():
+        update_props(dirs.source, r"sqlite-\d+.\d+.\d+.\d+", f"sqlite-{version}")
+        get_externals_source(externals_dir=dirs.source / "externals", url=url)
+        # # we need to fix the name of the extracted directory
+        extracted_dir = dirs.source / "externals" / "sqlite-autoconf-3500400"
+        shutil.move(str(extracted_dir), str(target_dir))
+    # Update externals.spdx.json with the correct version, url, and hash
+    # This became a thing in 3.12
+    if env["RELENV_PY_MAJOR_VERSION"] in ["3.12"]:
+        spdx_json = dirs.source / "Misc" / "externals.spdx.json"
+        with open(str(spdx_json), "r") as f:
+            data = json.load(f)
+            for pkg in data["packages"]:
+                if pkg["name"] == "sqlite":
+                    pkg["versionInfo"] = version
+                    pkg["downloadLocation"] = url
+                    pkg["checksums"][0]["checksumValue"] = sha256
+                    pkg["externalRefs"][0]["referenceLocator"] = ref_loc
+        with open(str(spdx_json), "w") as f:
+            json.dump(data, f, indent=2)
+
+
+def update_xz(dirs, env):
+    """
+    Update the XZ library.
+    """
+    version = "5.6.2"
+    url = f"https://github.com/tukaani-project/xz/releases/download/v{version}/xz-{version}.tar.xz"
+    sha256 = "8bfd20c0e1d86f0402f2497cfa71c6ab62d4cd35fd704276e3140bfb71414519"
+    ref_loc = f"cpe:2.3:a:tukaani:xz:{version}:*:*:*:*:*:*:*"
+    target_dir = dirs.source / "externals" / f"xz-{version}"
+    target_dir.parent.mkdir(parents=True, exist_ok=True)
+    if not target_dir.exists():
+        update_props(dirs.source, r"xz-\d+.\d+.\d+", f"xz-{version}")
+        get_externals_source(externals_dir=dirs.source / "externals", url=url)
+    # Starting with version v5.5.0, XZ-Utils removed the ability to compile
+    # with MSBuild. We are bringing the config.h from the last version that
+    # had it, 5.4.7
+    config_file = target_dir / "src" / "common" / "config.h"
+    config_file_source = dirs.root / "_resources" / "xz" / "config.h"
+    if not config_file.exists():
+        shutil.copy(str(config_file_source), str(config_file))
+    # Update externals.spdx.json with the correct version, url, and hash
+    # This became a thing in 3.12
+    if env["RELENV_PY_MAJOR_VERSION"] in ["3.12", "3.13", "3.14"]:
+        spdx_json = dirs.source / "Misc" / "externals.spdx.json"
+        with open(str(spdx_json), "r") as f:
+            data = json.load(f)
+            for pkg in data["packages"]:
+                if pkg["name"] == "xz":
+                    pkg["versionInfo"] = version
+                    pkg["downloadLocation"] = url
+                    pkg["checksums"][0]["checksumValue"] = sha256
+                    pkg["externalRefs"][0]["referenceLocator"] = ref_loc
+        with open(str(spdx_json), "w") as f:
+            json.dump(data, f, indent=2)
+
+
+def update_expat(dirs, env):
+    """
+    Update the EXPAT library.
+    """
+    # Patch <src>/Modules/expat/refresh.sh. When the SBOM is created, refresh.sh
+    # is scanned for the expat version, even though it doesn't run on Windows.
+    version = "2.7.3"
+    hash = "821ac9710d2c073eaf13e1b1895a9c9aa66c1157a99635c639fbff65cdbdd732"
+    url = f'https://github.com/libexpat/libexpat/releases/download/R_{version.replace(".", "_")}/expat-{version}.tar.xz'
+    bash_refresh = dirs.source / "Modules" / "expat" / "refresh.sh"
+    old = r'expected_libexpat_tag="R_\d+_\d+_\d"'
+    new = f'expected_libexpat_tag="R_{version.replace(".", "_")}"'
+    patch_file(bash_refresh, old=old, new=new)
+    old = r'expected_libexpat_version="\d+.\d+.\d"'
+    new = f'expected_libexpat_version="{version}"'
+    patch_file(bash_refresh, old=old, new=new)
+    old = 'expected_libexpat_sha256=".*"'
+    new = f'expected_libexpat_sha256="{hash}"'
+    patch_file(bash_refresh, old=old, new=new)
+    get_externals_source(externals_dir=dirs.source / "Modules" / "expat", url=url)
+    # Copy *.h and *.c to expat directory
+    expat_lib_dir = dirs.source / "Modules" / "expat" / f"expat-{version}" / "lib"
+    expat_dir = dirs.source / "Modules" / "expat"
+    for file in glob.glob(str(expat_lib_dir / "*.h")):
+        if expat_dir / os.path.basename(file):
+            (expat_dir / os.path.basename(file)).unlink()
+        shutil.move(file, str(expat_dir))
+    for file in glob.glob(str(expat_lib_dir / "*.c")):
+        if expat_dir / os.path.basename(file):
+            (expat_dir / os.path.basename(file)).unlink()
+        shutil.move(file, str(expat_dir))
+    # Update sbom.spdx.json with the correct hashes. This became a thing in 3.12
+    # python Tools/build/generate_sbom.py doesn't work because it requires a git
+    # repository, so we have to do it manually.
+    if env["RELENV_PY_MAJOR_VERSION"] in ["3.12", "3.13", "3.14"]:
+        checksums = {
+            "Modules/expat/expat.h": [
+                {
+                    "algorithm": "SHA1",
+                    "checksumValue": "a4395dd0589a97aab0904f7a5f5dc5781a086aa2",
+                },
+                {
+                    "algorithm": "SHA256",
+                    "checksumValue": "610b844bbfa3ec955772cc825db4d4db470827d57adcb214ad372d0eaf00e591",
+                },
+            ],
+            "Modules/expat/expat_external.h": [
+                {
+                    "algorithm": "SHA1",
+                    "checksumValue": "8fdf2e79a7ab46a3c76c74ed7e5fe641cbef308d",
+                },
+                {
+                    "algorithm": "SHA256",
+                    "checksumValue": "ffb960af48b80935f3856a16e87023524b104f7fc1e58104f01db88ba7bfbcc9",
+                },
+            ],
+            "Modules/expat/internal.h": [
+                {
+                    "algorithm": "SHA1",
+                    "checksumValue": "7dce7d98943c5db33ae05e54801dcafb4547b9dd",
+                },
+                {
+                    "algorithm": "SHA256",
+                    "checksumValue": "6bfe307d52e7e4c71dbc30d3bd902a4905cdd83bbe4226a7e8dfa8e4c462a157",
+                },
+            ],
+            "Modules/expat/refresh.sh": [
+                {
+                    "algorithm": "SHA1",
+                    "checksumValue": "71812ca27328697a8dcae1949cd638717538321a",
+                },
+                {
+                    "algorithm": "SHA256",
+                    "checksumValue": "64fd1368de41e4ebc14593c65f5a676558aed44bd7d71c43ae05d06f9086d3b0",
+                },
+            ],
+            "Modules/expat/xmlparse.c": [
+                {
+                    "algorithm": "SHA1",
+                    "checksumValue": "4c81a1f04fc653877c63c834145c18f93cd95f3e",
+                },
+                {
+                    "algorithm": "SHA256",
+                    "checksumValue": "04a379615f476d55f95ca1853107e20627b48ca4afe8d0fd5981ac77188bf0a6",
+                },
+            ],
+            "Modules/expat/xmlrole.h": [
+                {
+                    "algorithm": "SHA1",
+                    "checksumValue": "ac2964cca107f62dd133bfd4736a9a17defbc401",
+                },
+                {
+                    "algorithm": "SHA256",
+                    "checksumValue": "92e41f373b67f6e0dcd7735faef3c3f1e2c17fe59e007e6b74beef6a2e70fa88",
+                },
+            ],
+            "Modules/expat/xmltok.c": [
+                {
+                    "algorithm": "SHA1",
+                    "checksumValue": "1e2d35d90a1c269217f83d3bdf3c71cc22cb4c3f",
+                },
+                {
+                    "algorithm": "SHA256",
+                    "checksumValue": "98d0fc735041956cc2e7bbbe2fb8f03130859410e0aee5e8015f406a37c02a3c",
+                },
+            ],
+            "Modules/expat/xmltok.h": [
+                {
+                    "algorithm": "SHA1",
+                    "checksumValue": "d126831eaa5158cff187a8c93f4bc1c8118f3b17",
+                },
+                {
+                    "algorithm": "SHA256",
+                    "checksumValue": "91bf003a725a675761ea8d92cebc299a76fd28c3a950572f41bc7ce5327ee7b5",
+                },
+            ],
+        }
+        spdx_json = dirs.source / "Misc" / "sbom.spdx.json"
+        with open(str(spdx_json), "r") as f:
+            data = json.load(f)
+            for file in data["files"]:
+                if file["fileName"] in checksums.keys():
+                    print(file["fileName"])
+                    file["checksums"] = checksums[file["fileName"]]
+        with open(str(spdx_json), "w") as f:
+            json.dump(data, f, indent=2)
+
+
+def update_expat_check(env):
+    """
+    Check if the given python version should get an updated libexpat.
+
+    Patch libexpat on these versions and below:
+      - 3.9.23
+      - 3.10.18
+      - 3.11.13
+      - 3.12.11
+      - 3.13.7
+    """
+    relenv_version = Version(env["RELENV_PY_VERSION"])
+    if relenv_version.minor == 9 and relenv_version.micro <= 23:
+        return True
+    elif relenv_version.minor == 10 and relenv_version.micro <= 18:
+        return True
+    elif relenv_version.minor == 11 and relenv_version.micro <= 13:
+        return True
+    elif relenv_version.minor == 12 and relenv_version.micro <= 11:
+        return True
+    elif relenv_version.minor == 13 and relenv_version.micro <= 7:
+        return True
+    return False
+
+
 def build_python(env, dirs, logfp):
     """
     Run the commands to build Python.
@@ -112,31 +334,7 @@ def build_python(env, dirs, logfp):
     # TODO: fix this. Here's the original gate:
     # if env["RELENV_PY_MAJOR_VERSION"] in ["3.10", "3.11"]:
     if env["RELENV_PY_MAJOR_VERSION"] in ["3.10", "3.11", "3.12"]:
-        version = "3.50.4.0"
-        url = "https://sqlite.org/2025/sqlite-autoconf-3500400.tar.gz"
-        sha256 = "a3db587a1b92ee5ddac2f66b3edb41b26f9c867275782d46c3a088977d6a5b18"
-        ref_loc = f"cpe:2.3:a:sqlite:sqlite:{version}:*:*:*:*:*:*:*"
-        target_dir = externals_dir / f"sqlite-{version}"
-        if not target_dir.exists():
-            update_props(dirs.source, r"sqlite-\d+.\d+.\d+.\d+", f"sqlite-{version}")
-            get_externals_source(externals_dir=externals_dir, url=url)
-            # # we need to fix the name of the extracted directory
-            extracted_dir = externals_dir / "sqlite-autoconf-3500400"
-            shutil.move(str(extracted_dir), str(target_dir))
-        # Update externals.spdx.json with the correct version, url, and hash
-        # This became a thing in 3.12
-        if env["RELENV_PY_MAJOR_VERSION"] in ["3.12"]:
-            spdx_json = dirs.source / "Misc" / "externals.spdx.json"
-            with open(str(spdx_json), "r") as f:
-                data = json.load(f)
-                for pkg in data["packages"]:
-                    if pkg["name"] == "sqlite":
-                        pkg["versionInfo"] = version
-                        pkg["downloadLocation"] = url
-                        pkg["checksums"][0]["checksumValue"] = sha256
-                        pkg["externalRefs"][0]["referenceLocator"] = ref_loc
-            with open(str(spdx_json), "w") as f:
-                json.dump(data, f, indent=2)
+        update_sqlite(dirs=dirs, env=env)
 
     # XZ-Utils
     # TODO: Python 3.12 started creating an SBOM. We're doing something wrong
@@ -144,35 +342,10 @@ def build_python(env, dirs, logfp):
     # TODO: this. Here's the original gate:
     # if env["RELENV_PY_MAJOR_VERSION"] in ["3.10", "3.11"]:
     if env["RELENV_PY_MAJOR_VERSION"] in ["3.10", "3.11", "3.12", "3.13", "3.14"]:
-        version = "5.6.2"
-        url = f"https://github.com/tukaani-project/xz/releases/download/v{version}/xz-{version}.tar.xz"
-        sha256 = "8bfd20c0e1d86f0402f2497cfa71c6ab62d4cd35fd704276e3140bfb71414519"
-        ref_loc = f"cpe:2.3:a:tukaani:xz:{version}:*:*:*:*:*:*:*"
-        target_dir = externals_dir / f"xz-{version}"
-        if not target_dir.exists():
-            update_props(dirs.source, r"xz-\d+.\d+.\d+", f"xz-{version}")
-            get_externals_source(externals_dir=externals_dir, url=url)
-        # Starting with version v5.5.0, XZ-Utils removed the ability to compile
-        # with MSBuild. We are bringing the config.h from the last version that
-        # had it, 5.4.7
-        config_file = target_dir / "src" / "common" / "config.h"
-        config_file_source = dirs.root / "_resources" / "xz" / "config.h"
-        if not config_file.exists():
-            shutil.copy(str(config_file_source), str(config_file))
-        # Update externals.spdx.json with the correct version, url, and hash
-        # This became a thing in 3.12
-        if env["RELENV_PY_MAJOR_VERSION"] in ["3.12", "3.13", "3.14"]:
-            spdx_json = dirs.source / "Misc" / "externals.spdx.json"
-            with open(str(spdx_json), "r") as f:
-                data = json.load(f)
-                for pkg in data["packages"]:
-                    if pkg["name"] == "xz":
-                        pkg["versionInfo"] = version
-                        pkg["downloadLocation"] = url
-                        pkg["checksums"][0]["checksumValue"] = sha256
-                        pkg["externalRefs"][0]["referenceLocator"] = ref_loc
-            with open(str(spdx_json), "w") as f:
-                json.dump(data, f, indent=2)
+        update_xz(dirs=dirs, env=env)
+
+    if update_expat_check(env=env):
+        update_expat(dirs=dirs, env=env)
 
     arch_to_plat = {
         "amd64": "x64",
diff --git a/relenv/common.py b/relenv/common.py
index 2162bf8e..d3f2c865 100644
--- a/relenv/common.py
+++ b/relenv/common.py
@@ -529,7 +529,7 @@ def download_url(url, dest, verbose=True, backoff=3, timeout=60):
         fetch_url(url, fout, backoff, timeout)
     except Exception as exc:
         if verbose:
-            log.error(f"Unable to download: {url} {exc}", file=sys.stderr, flush=True)
+            log.error("Unable to download: %s\n%s", url, exc)
         try:
             os.unlink(local)
         except OSError:

From 06a61323de138569a56aa1edd9163d7a0a44634e Mon Sep 17 00:00:00 2001
From: twangboy <shane.d.lee@gmail.com>
Date: Tue, 28 Oct 2025 10:01:24 -0600
Subject: [PATCH 6/8] Don't update stuff on 3.12 & 3.13

---
 relenv/build/windows.py | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/relenv/build/windows.py b/relenv/build/windows.py
index 0a729e68..39d25361 100644
--- a/relenv/build/windows.py
+++ b/relenv/build/windows.py
@@ -332,20 +332,23 @@ def build_python(env, dirs, logfp):
     # TODO: Python 3.12 started creating an SBOM. We're doing something wrong
     # TODO: updating sqlite so SBOM creation is failing. Gating here until we
     # TODO: fix this. Here's the original gate:
-    # if env["RELENV_PY_MAJOR_VERSION"] in ["3.10", "3.11"]:
-    if env["RELENV_PY_MAJOR_VERSION"] in ["3.10", "3.11", "3.12"]:
+    # if env["RELENV_PY_MAJOR_VERSION"] in ["3.10", "3.11", "3.12"]:
+    if env["RELENV_PY_MAJOR_VERSION"] in ["3.10", "3.11"]:
         update_sqlite(dirs=dirs, env=env)
 
     # XZ-Utils
     # TODO: Python 3.12 started creating an SBOM. We're doing something wrong
     # TODO: updating XZ so SBOM creation is failing. Gating here until we fix
     # TODO: this. Here's the original gate:
-    # if env["RELENV_PY_MAJOR_VERSION"] in ["3.10", "3.11"]:
-    if env["RELENV_PY_MAJOR_VERSION"] in ["3.10", "3.11", "3.12", "3.13", "3.14"]:
+    # if env["RELENV_PY_MAJOR_VERSION"] in ["3.10", "3.11", "3.12", "3.13", "3.14"]:
+    if env["RELENV_PY_MAJOR_VERSION"] in ["3.10", "3.11"]:
         update_xz(dirs=dirs, env=env)
 
-    if update_expat_check(env=env):
-        update_expat(dirs=dirs, env=env)
+    # TODO: This was my attempt to fix the expat error during build... it failed
+    # TODO: so we're just skipping for now.
+    if env["RELENV_PY_MAJOR_VERSION"] in ["3.10", "3.11"]:
+        if update_expat_check(env=env):
+            update_expat(dirs=dirs, env=env)
 
     arch_to_plat = {
         "amd64": "x64",

From 857aabbdfbe7de589aebbef29224a38d9a57c186 Mon Sep 17 00:00:00 2001
From: "Daniel A. Wozniak" <daniel.wozniak@broadcom.com>
Date: Wed, 29 Oct 2025 15:16:23 -0700
Subject: [PATCH 7/8] Handle change to
 pip._internal.req.InstallRequirement.install signature

---
 relenv/runtime.py          | 37 +++++++++++++++++++++++++++++++++----
 tests/test_verify_build.py | 23 +++++++++++++++++++++++
 2 files changed, 56 insertions(+), 4 deletions(-)

diff --git a/relenv/runtime.py b/relenv/runtime.py
index cfc3f50a..f4b25178 100644
--- a/relenv/runtime.py
+++ b/relenv/runtime.py
@@ -750,12 +750,39 @@ def wrap_req_install(name):
     mod = importlib.import_module(name)
 
     def wrap(func):
-        if mod.InstallRequirement.install.__code__.co_argcount == 9:
+        if mod.InstallRequirement.install.__code__.co_argcount == 7:
+
+            @functools.wraps(func)
+            def wrapper(
+                self,
+                root=None,
+                home=None,
+                prefix=None,
+                warn_script_location=True,
+                use_user_site=False,
+                pycompile=True,
+            ):
+                try:
+                    if TARGET.TARGET:
+                        TARGET.INSTALL = True
+                        home = TARGET.PATH
+                    return func(
+                        self,
+                        root,
+                        home,
+                        prefix,
+                        warn_script_location,
+                        use_user_site,
+                        pycompile,
+                    )
+                finally:
+                    TARGET.INSTALL = False
+
+        elif mod.InstallRequirement.install.__code__.co_argcount == 8:
 
             @functools.wraps(func)
             def wrapper(
                 self,
-                install_options,
                 global_options=None,
                 root=None,
                 home=None,
@@ -770,7 +797,6 @@ def wrapper(
                         home = TARGET.PATH
                     return func(
                         self,
-                        install_options,
                         global_options,
                         root,
                         home,
@@ -783,10 +809,12 @@ def wrapper(
                     TARGET.INSTALL = False
 
         else:
+            # Oldest version of this method sigature with 9 arguments.
 
             @functools.wraps(func)
             def wrapper(
                 self,
+                install_options,
                 global_options=None,
                 root=None,
                 home=None,
@@ -801,6 +829,7 @@ def wrapper(
                         home = TARGET.PATH
                     return func(
                         self,
+                        install_options,
                         global_options,
                         root,
                         home,
@@ -845,8 +874,8 @@ def install_cargo_config():
     # load the ssl module. Causing out setup_openssl method to fail to load
     # fips module.
     dirs = common().work_dirs()
-    triplet = common().get_triplet()
     cargo_home = dirs.data / "cargo"
+    triplet = common().get_triplet()
 
     toolchain = common().get_toolchain()
     if not toolchain:
diff --git a/tests/test_verify_build.py b/tests/test_verify_build.py
index 4995c56c..e3137605 100644
--- a/tests/test_verify_build.py
+++ b/tests/test_verify_build.py
@@ -1859,3 +1859,26 @@ def test_import_ssl_module(pyexec):
     assert proc.returncode == 0
     assert proc.stdout.decode() == ""
     assert proc.stderr.decode() == ""
+
+
+@pytest.mark.skip_unless_on_linux
+@pytest.mark.parametrize("pip_version", ["25.2", "25.3"])
+def test_install_setuptools_25_2_to_25_3(pipexec, build, minor_version):
+    """
+    Validate we handle the changes to pip._internal.req.InstallRequirement.install signature.
+    """
+    subprocess.run(
+        [str(pipexec), "install", "--upgrade", "pip==25.2"],
+        check=True,
+    )
+    subprocess.run(
+        [
+            str(pipexec),
+            "install",
+            "--upgrade",
+            "--no-binary=:all:",
+            "--no-cache-dir",
+            "setuptools",
+        ],
+        check=True,
+    )

From 69d0d327edfdb72b2ae4124effc9045a4a5225d4 Mon Sep 17 00:00:00 2001
From: "Daniel A. Wozniak" <daniel.wozniak@broadcom.com>
Date: Wed, 29 Oct 2025 15:22:35 -0700
Subject: [PATCH 8/8] Fix wart in test method

---
 tests/test_verify_build.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/test_verify_build.py b/tests/test_verify_build.py
index e3137605..d61644f6 100644
--- a/tests/test_verify_build.py
+++ b/tests/test_verify_build.py
@@ -1863,12 +1863,12 @@ def test_import_ssl_module(pyexec):
 
 @pytest.mark.skip_unless_on_linux
 @pytest.mark.parametrize("pip_version", ["25.2", "25.3"])
-def test_install_setuptools_25_2_to_25_3(pipexec, build, minor_version):
+def test_install_setuptools_25_2_to_25_3(pipexec, build, minor_version, pip_version):
     """
     Validate we handle the changes to pip._internal.req.InstallRequirement.install signature.
     """
     subprocess.run(
-        [str(pipexec), "install", "--upgrade", "pip==25.2"],
+        [str(pipexec), "install", "--upgrade", f"pip=={pip_version}"],
         check=True,
     )
     subprocess.run(