Add python3.14 package (side-by-side with python3)#16856

Open
ihvo wants to merge 5 commits into microsoft:3.0-dev from ihvo:ihvo/ihar-voitka/publish-python-3.14-package

Conversation

ihvo commented Apr 24, 2026

Merge Checklist
  • The toolchain has been rebuilt successfully (or no changes were made to it) — no toolchain changes
  • The toolchain/worker package manifests are up-to-date — python3.14 is a new user-facing package, not a toolchain component
  • Any updated packages successfully build — awaiting source-server upload of Python-3.14.4.tar.xz (see Follow-ups)
  • Packages depending on static components modified in this PR have had their Release tag incremented — N/A
  • Package tests (%check section) — %check section present (python3.14 -m test --exclude test_socket)
  • All package sources are available — Python-3.14.4.tar.xz needs to be uploaded to the source server by an Azure Linux maintainer
  • cgmanifest files are up-to-date and sorted — new entry added under ./cgmanifest.json in alphabetical position
  • LICENSE-MAP files are up-to-date — python3.14 added to Source project group in both licenses.json and LICENSES-MAP.md
  • All source files have up-to-date hashes in the *.signatures.json files — SHA-256 for Python-3.14.4.tar.xz verified against python.org release page
  • sudo make go-tidy-all and sudo make go-test-coverage pass — no Go changes
  • Documentation has been updated to match any changes to the build system — N/A

Summary

Ship Python 3.14.4 as a new side-by-side package under SPECS/python3.14/, following the SPECS/nodejs24/ precedent for parallel major-version packages. The default python3 (3.12) package is not modified; it continues to receive upstream-backed security patches until Python 3.12 EOL (2028-10). Consumers opt in to 3.14 explicitly via Requires: python3.14 or /usr/bin/python3.14.

Change Log
  • New SPECS/python3.14/python3.14.spec — Version 3.14.4, Release 1.

  • Strictly versioned filesystem layout. %install removes the unversioned /usr/bin/python3, python3-config, pydoc3, idle3, libpython3.so, python3.pc, python3-embed.pc and man1/python3.1* so the package has zero file-level collision with python3 (3.12) — no Conflicts: line needed (unlike nodejs24, which has to conflict with nodejs on /usr/bin/node).

  • Only versioned Provides: (python(abi) = 3.14, python314, python3.14-docs). No Provides: python, python-sqlite, /bin/python, /bin/python3 — those remain owned by the default python3 package.

  • Drops the lib2to3-based tools subpackage (lib2to3 / /usr/bin/2to3 removed in Python 3.13, PEP 594).

  • No CVE patches carried. Every patch on the current SPECS/python3/ (3.12) fork has a 3.14-branch backport that merged in python/cpython before 3.14.4's release on 2026-04-07:

    | CVE | gh-issue | 3.14 backport PR | Merged |
    |---|---|---|---|
    | CVE-2026-0672 | gh-143919 | [3.14] gh-143919: Reject control characters in http cookies (python/cpython#144089) | 2026-01-23 |
    | CVE-2026-0865 | gh-143916 | [3.14] gh-143916: Reject control characters in wsgiref.headers.Headers (GH-143917) (python/cpython#143972, #144761) | 2026-01-17, 02-21 |
    | CVE-2026-1299 | gh-144125 | [3.14] gh-144125: email: verify headers are sound in BytesGenerator (python/cpython#144182) | 2026-01-25 |
    | CVE-2026-4519 | gh-143930 | [3.14] gh-143930: Reject leading dashes in webbrowser URLs (python/cpython#146214, #148042) | 2026-03-23, 04-03 |

    All CVE-2025-* patches on the 3.12 fork are older still and were already in 3.14.0 (GA 2025-10). cgi3.patch is dropped because the cgi module was removed in 3.13 (PEP 594).

  • cgmanifest.json: adds python3.14 / 3.14.4 entry (alphabetically sorted; python3-* sorts before python3.14 in ASCII).

  • LICENSES-AND-NOTICES/SPECS/data/licenses.json and LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md: adds python3.14 under the Source project group (License: PSF, same as upstream CPython; %changelog boilerplate uses the "Initial Azure Linux import from the source project" phrasing that the spec_source_attributions classifier expects).

Does this affect the toolchain?

NO. Toolchain still ships python3-3.12.9-10 — unchanged. python3.14 is a new user-facing package.

Associated issues

None. Per CONTRIBUTING.md, a GitHub issue is only required when graduating a package from SPECS-EXTENDED to SPECS; this is a brand-new addition directly to SPECS/, following the nodejs24 precedent.

Links to CVEs

N/A for this PR — no CVE patches carried. See Change Log for the upstream verification table.

Follow-ups
  1. Source server upload (blocking): Python-3.14.4.tar.xz (sha256 d923c51303e38e249136fc1bdf3568d56ecb03214efdef48516176d3d7faaef8) and the existing pathfix.py (sha256 7a2ff222346d3c95b08814e3372975823e099c17dddaa73a459a3d840e6e9c1b, identical to the SPECS/python3/ one) need to be in azurelinuxsrcstorage. Requesting an Azure Linux maintainer's help per CONTRIBUTING.md.
  2. Sequential PR#2 — golden container — follow-up PR will add .pipelines/containerSourceData/python3.14/ for the mcr.microsoft.com/azurelinux/base/python:3.14 golden container. Tag-policy decision for that PR: the floating :3 tag stays frozen at 3.12 until Python 3.12 EOL (2028-10). Opens once PR#1 merges and python3.14 RPMs are available in packages.microsoft.com/azurelinux/3.0/prod/base/.
Test Methodology

Local build not yet run (awaiting source-server upload of Python-3.14.4.tar.xz). Will update with pipeline build ID / local artifact path once CI kicks in or the source is available. toolkit/scripts/license_map.py verified to pass locally after the license-attribution changelog fix.

Directory-naming note: went with python3.14 (dot-separated, mirrors /usr/bin/python3.14 and Fedora/RHEL SxS convention) rather than python314 (nodejs24 style). Happy to rename if the team prefers — mechanical find-replace.

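As an added example (not code from this PR or the Azure Linux toolkit), a POSIX shell check for the zero-collision claim in the Change Log: it takes two installed-file manifests, simulates the %install cleanup of the unversioned names listed above, and reports the paths both packages would own. The manifests and paths are constructed samples; on a real build they would come from `rpm -qlp` on the python3 (3.12) and python3.14 RPMs.

```shell
#!/bin/sh
# Added example (not code from the PR or the Azure Linux toolkit): check the
# "zero file-level collision" claim from two installed-file manifests
# (newline-separated paths, as `rpm -qlp <rpm>` prints them).
set -eu
# Constructed sample manifests; paths are illustrative, not the distro's real ones.
PY312_FILES='/usr/bin/python3
/usr/bin/python3.12
/usr/bin/python3-config
/usr/bin/pydoc3
/usr/lib/libpython3.so
/usr/lib/pkgconfig/python3.pc
/usr/share/man/man1/python3.1.gz'
# python3.14 payload as "make install" lays it out, before the %install cleanup.
PY314_RAW='/usr/bin/python3
/usr/bin/python3.14
/usr/bin/python3-config
/usr/bin/python3.14-config
/usr/bin/pydoc3
/usr/bin/pydoc3.14
/usr/lib/libpython3.so
/usr/lib/libpython3.14.so.1.0
/usr/lib/pkgconfig/python3.pc
/usr/lib/pkgconfig/python-3.14.pc
/usr/share/man/man1/python3.1.gz
/usr/share/man/man1/python3.14.1.gz'

# The unversioned names the PR's %install deletes. The man-page pattern is
# anchored so that python3.14.1.gz is not mistaken for unversioned python3.1*.
UNVERSIONED_RE='^/usr/bin/(python3|python3-config|pydoc3|idle3)$|/libpython3\.so$|/pkgconfig/python3(-embed)?\.pc$|/man1/python3\.1(\..*)?$'

# Manifest entries that are unversioned ("|| true": no match is not an error).
unversioned_names() { printf '%s\n' "$1" | grep -E "$UNVERSIONED_RE" || true; }
# Simulate the %install cleanup: keep only the versioned entries.
strip_unversioned() { printf '%s\n' "$1" | grep -Ev "$UNVERSIONED_RE" || true; }

# Paths owned by both manifests (sorted set intersection via comm).
common_paths() {
    a=$(mktemp) && b=$(mktemp)
    printf '%s\n' "$1" | sort -u >"$a"
    printf '%s\n' "$2" | sort -u >"$b"
    comm -12 "$a" "$b"
    rm -f "$a" "$b"
}
# Number of colliding paths; awk prints 0 on empty input (wc -l would pad it).
count_collisions() { common_paths "$1" "$2" | awk 'END { print NR }'; }
PY314_FILES=$(strip_unversioned "$PY314_RAW")
echo "collisions before %install cleanup: $(count_collisions "$PY312_FILES" "$PY314_RAW")"
echo "collisions after %install cleanup:  $(count_collisions "$PY312_FILES" "$PY314_FILES")"
```
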
ihvo requested a review from a team as a code owner April 24, 2026 02:29
microsoft-github-policy-service bot added the Packaging and 3.0-dev PRs Destined for AzureLinux 3.0 labels Apr 24, 2026
Ship Python 3.14.4 as a new SxS package under SPECS/python3.14/. The default
python3 (3.12) package is not modified; python3.14 installs strictly under
versioned paths (/usr/bin/python3.14, /usr/lib/python3.14/,
libpython3.14.so.1.0) and removes unversioned symlinks/pkgconfig/man pages in
%install so it cannot collide with python3.

Follows the SPECS/nodejs24 precedent for side-by-side major-version packages.

CVE patches triaged against the python3 (3.12) set: cgi3.patch dropped (cgi
removed in 3.13, PEP 594); all CVE-2025-* patches dropped (fixed upstream in
3.14.4, GA 2026-04-07); CVE-2026-0672, CVE-2026-0865, CVE-2026-1299 and
CVE-2026-4519 carried since their fixes post-date 3.14.4.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ihvo force-pushed the ihvo/ihar-voitka/publish-python-3.14-package branch from 7e78f17 to c8675c3 on April 24, 2026 02:34
Switch the %changelog boilerplate from "Original version for
Azure Linux" (which spec_source_attributions classifies as the "Microsoft"
origin) to "Initial Azure Linux import from the source project (license:
same as \"License\" tag)." so it matches the "Source project" regex and
aligns with the licenses.json / LICENSES-MAP.md entry added for python3.14.

Reported by the "Spec License Map Check" CI job on PR microsoft#16856.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ihvo commented Apr 24, 2026

Updated — a few follow-up commits cleaned the PR up:

  • 15ccce43c — %changelog boilerplate switched to "Initial Azure Linux import from the source project (license: same as "License" tag)." so it matches the "Source project" origin regex in spec_source_attributions.py; Spec License Map Check now passes locally.
  • 10ed2bc0c — dropped all four carried CVE patches. Verified every one has a 3.14-branch backport PR that merged in python/cpython before 3.14.4's release on 2026-04-07 (CVE-2026-0672 → #144089, CVE-2026-0865 → #143972+#144761, CVE-2026-1299 → #144182, CVE-2026-4519 → #146214+#148042). Full table in the PR description.
  • 06cf8ea61 — dropped the pathfix.py Source1 along with the file, %install copy, and devel-subpackage entry. Nothing in Azure Linux's build pipeline invokes a versioned pathfixN.N.py, so it was vestigial.

Blocking source-server upload request — only one file left: Python-3.14.4.tar.xz (sha256 d923c51303e38e249136fc1bdf3568d56ecb03214efdef48516176d3d7faaef8, verified against python.org's release page). Per CONTRIBUTING.md, only an Azure Linux maintainer can push to azurelinuxsrcstorage. Could someone with source-server access help upload, or point me at the right internal channel? Happy to re-trigger CI once it's available.

Ihar Voitka and others added 3 commits April 23, 2026 19:49
Verified against python/cpython that every CVE patch on the 3.12 fork has a
3.14-branch backport PR that merged before 3.14.4's release on 2026-04-07:

  CVE-2026-0672 → PR python/cpython#144089 (merged 2026-01-23)
  CVE-2026-0865 → PRs python/cpython#143972 + #144761 (merged 2026-01-17 / 02-21)
  CVE-2026-1299 → PR python/cpython#144182 (merged 2026-01-25)
  CVE-2026-4519 → PRs python/cpython#146214 + #148042 (merged 2026-03-23 / 04-03)

The CVE-2025-* patches are even older and were already in 3.14.0 (GA 2025-10).
Carrying patches we don't need adds hunk-maintenance cost, rebase risk, and
auditor confusion with no upside.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The pathfix.py Source1 is committed directly under SPECS/python3/ — the
srpmpacker resolves sources from the local spec dir before reaching to
azurelinuxsrcstorage. Missing the local copy was the reason the
"Source Signature Check (SPECS)" CI was 404'ing on pathfix.py; the file is
byte-identical to SPECS/python3/pathfix.py, so the existing signatures.json
sha is already correct.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Nothing in Azure Linux's build pipeline invokes a versioned pathfixN.N.py —
the file is a vestige from the era when CPython shipped pathfix.py in its
own source tarball. Carrying it for 3.14 adds a build-time source fetch and
a devel-subpackage file with no downstream consumer.

Removes Source1, the %install cp from %{SOURCE1}, the %files devel entry,
the local pathfix.py payload and its signatures.json hash.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>