merge 3.5

5 files changed, 150 insertions, 142 deletions

diff --git a/Mac/BuildScript/build-installer.py b/Mac/BuildScript/build-installer.py
index c76c4f1a26..8dfd092d08 100755
--- a/Mac/BuildScript/build-installer.py
+++ b/Mac/BuildScript/build-installer.py
@@ -101,6 +101,7 @@ def getFullVersion():
 
 FW_PREFIX = ["Library", "Frameworks", "Python.framework"]
 FW_VERSION_PREFIX = "--undefined--" # initialized in parseOptions
+FW_SSL_DIRECTORY = "--undefined--" # initialized in parseOptions
 
 # The directory we'll use to create the build (will be erased and recreated)
 WORKDIR = "/tmp/_py"
@@ -206,41 +207,11 @@ def library_recipes():
 
     LT_10_5 = bool(getDeptargetTuple() < (10, 5))
 
-    if not (10, 5) < getDeptargetTuple() < (10, 10):
-        # The OpenSSL libs shipped with OS X 10.5 and earlier are
-        # hopelessly out-of-date and do not include Apple's tie-in to
-        # the root certificates in the user and system keychains via TEA
-        # that was introduced in OS X 10.6.  Note that this applies to
-        # programs built and linked with a 10.5 SDK even when run on
-        # newer versions of OS X.
-        #
-        # Dealing with CAs is messy.  For now, just supply a
-        # local libssl and libcrypto for the older installer variants
-        # (e.g. the python.org 10.5+ 32-bit-only installer) that use the
-        # same default ssl certfile location as the system libs do:
-        #   /System/Library/OpenSSL/cert.pem
-        # Then at least TLS connections can be negotiated with sites that
-        # use sha-256 certs like python.org, assuming the proper CA certs
-        # have been supplied.  The default CA cert management issues for
-        # 10.5 and earlier builds are the same as before, other than it is
-        # now more obvious with cert checking enabled by default in the
-        # standard library.
-        #
-        # For builds with 10.6 through 10.9 SDKs,
-        # continue to use the deprecated but
-        # less out-of-date Apple 0.9.8 libs for now.  While they are less
-        # secure than using an up-to-date 1.0.1 version, doing so
-        # avoids the big problems of forcing users to have to manage
-        # default CAs themselves, thanks to the Apple libs using private TEA
-        # APIs for cert validation from keychains if validation using the
-        # standard OpenSSL locations (/System/Library/OpenSSL, normally empty)
-        # fails.
-        #
-        # Since Apple removed the header files for the deprecated system
-        # OpenSSL as of the Xcode 7 release (for OS X 10.10+), we do not
-        # have much choice but to build our own copy here, too.
+    # Since Apple removed the header files for the deprecated system
+    # OpenSSL as of the Xcode 7 release (for OS X 10.10+), we do not
+    # have much choice but to build our own copy here, too.
 
-        result.extend([
+    result.extend([
           dict(
               name="OpenSSL 1.0.2j",
               url="https://www.openssl.org/source/openssl-1.0.2j.tar.gz",
@@ -252,7 +223,7 @@ def library_recipes():
               configure=None,
               install=None,
           ),
-        ])
+    ])
 
 #   Disable for now
     if False:   # if getDeptargetTuple() > (10, 5):
@@ -299,9 +270,9 @@ def library_recipes():
     if PYTHON_3:
         result.extend([
           dict(
-              name="XZ 5.0.5",
-              url="http://tukaani.org/xz/xz-5.0.5.tar.gz",
-              checksum='19d924e066b6fff0bc9d1981b4e53196',
+              name="XZ 5.2.2",
+              url="http://tukaani.org/xz/xz-5.2.2.tar.gz",
+              checksum='7cf6a8544a7dae8e8106fdf7addfa28c',
               configure_pre=[
                     '--disable-dependency-tracking',
               ]
@@ -344,10 +315,11 @@ def library_recipes():
                   ),
           ),
           dict(
-              name="SQLite 3.8.11",
-              url="https://www.sqlite.org/2015/sqlite-autoconf-3081100.tar.gz",
-              checksum='77b451925121028befbddbf45ea2bc49',
+              name="SQLite 3.14.2",
+              url="https://www.sqlite.org/2016/sqlite-autoconf-3140200.tar.gz",
+              checksum='90c53cacb811db27f990b8292bd96159',
               extra_cflags=('-Os '
+                            '-DSQLITE_ENABLE_FTS5 '
                             '-DSQLITE_ENABLE_FTS4 '
                             '-DSQLITE_ENABLE_FTS3_PARENTHESIS '
                             '-DSQLITE_ENABLE_RTREE '
@@ -675,6 +647,7 @@ def parseOptions(args=None):
     global WORKDIR, DEPSRC, SDKPATH, SRCDIR, DEPTARGET
     global UNIVERSALOPTS, UNIVERSALARCHS, ARCHLIST, CC, CXX
     global FW_VERSION_PREFIX
+    global FW_SSL_DIRECTORY
 
     if args is None:
         args = sys.argv[1:]
@@ -735,6 +708,7 @@ def parseOptions(args=None):
     CC, CXX = getTargetCompilers()
 
     FW_VERSION_PREFIX = FW_PREFIX[:] + ["Versions", getVersion()]
+    FW_SSL_DIRECTORY = FW_VERSION_PREFIX[:] + ["etc", "openssl"]
 
     print("-- Settings:")
     print("   * Source directory:    %s" % SRCDIR)
@@ -876,7 +850,7 @@ def build_universal_openssl(basedir, archList):
             "shared",
             "--install_prefix=%s"%shellQuote(archbase),
             "--prefix=%s"%os.path.join("/", *FW_VERSION_PREFIX),
-            "--openssldir=/System/Library/OpenSSL",
+            "--openssldir=%s"%os.path.join("/", *FW_SSL_DIRECTORY),
         ]
         if no_asm:
             configure_opts.append("no-asm")
@@ -1194,12 +1168,14 @@ def buildPython():
                 'Python.framework', 'Versions', getVersion(),
                 'lib'))))
 
-    path_to_lib = os.path.join(rootDir, 'Library', 'Frameworks',
-                                'Python.framework', 'Versions',
-                                version, 'lib', 'python%s'%(version,))
+    frmDir = os.path.join(rootDir, 'Library', 'Frameworks', 'Python.framework')
+    frmDirVersioned = os.path.join(frmDir, 'Versions', version)
+    path_to_lib = os.path.join(frmDirVersioned, 'lib', 'python%s'%(version,))
+    # create directory for OpenSSL certificates
+    sslDir = os.path.join(frmDirVersioned, 'etc', 'openssl')
+    os.makedirs(sslDir)
 
     print("Fix file modes")
-    frmDir = os.path.join(rootDir, 'Library', 'Frameworks', 'Python.framework')
     gid = grp.getgrnam('admin').gr_gid
 
     shared_lib_error = False
@@ -1249,6 +1225,8 @@ def buildPython():
         LDVERSION = LDVERSION.replace('$(VERSION)', VERSION)
         LDVERSION = LDVERSION.replace('$(ABIFLAGS)', ABIFLAGS)
         config_suffix = '-' + LDVERSION
+        if getVersionMajorMinor() >= (3, 6):
+            config_suffix = config_suffix + '-darwin'
     else:
         config_suffix = ''      # Python 2.x
 
@@ -1274,7 +1252,7 @@ def buildPython():
     fp.write(data)
     fp.close()
 
-    # fix _sysconfigdata if it exists
+    # fix _sysconfigdata
     #
     # TODO: make this more robust!  test_sysconfig_module of
     # distutils.tests.test_sysconfig.SysconfigTestCase tests that
@@ -1288,28 +1266,31 @@ def buildPython():
     # _sysconfigdata.py).
 
     import pprint
-    path = os.path.join(path_to_lib, '_sysconfigdata.py')
-    if os.path.exists(path):
-        fp = open(path, 'r')
-        data = fp.read()
-        fp.close()
-        # create build_time_vars dict
-        exec(data)
-        vars = {}
-        for k, v in build_time_vars.items():
-            if type(v) == type(''):
-                for p in (include_path, lib_path):
-                    v = v.replace(' ' + p, '')
-                    v = v.replace(p + ' ', '')
-            vars[k] = v
-
-        fp = open(path, 'w')
-        # duplicated from sysconfig._generate_posix_vars()
-        fp.write('# system configuration generated and used by'
-                    ' the sysconfig module\n')
-        fp.write('build_time_vars = ')
-        pprint.pprint(vars, stream=fp)
-        fp.close()
+    if getVersionMajorMinor() >= (3, 6):
+        # XXX this is extra-fragile
+        path = os.path.join(path_to_lib, '_sysconfigdata_m_darwin_darwin.py')
+    else:
+        path = os.path.join(path_to_lib, '_sysconfigdata.py')
+    fp = open(path, 'r')
+    data = fp.read()
+    fp.close()
+    # create build_time_vars dict
+    exec(data)
+    vars = {}
+    for k, v in build_time_vars.items():
+        if type(v) == type(''):
+            for p in (include_path, lib_path):
+                v = v.replace(' ' + p, '')
+                v = v.replace(p + ' ', '')
+        vars[k] = v
+
+    fp = open(path, 'w')
+    # duplicated from sysconfig._generate_posix_vars()
+    fp.write('# system configuration generated and used by'
+                ' the sysconfig module\n')
+    fp.write('build_time_vars = ')
+    pprint.pprint(vars, stream=fp)
+    fp.close()
 
     # Add symlinks in /usr/local/bin, using relative links
     usr_local_bin = os.path.join(rootDir, 'usr', 'local', 'bin')
@@ -1636,6 +1617,8 @@ def main():
     patchFile("resources/ReadMe.rtf",  fn)
     fn = os.path.join(folder, "Update Shell Profile.command")
     patchScript("scripts/postflight.patch-profile",  fn)
+    fn = os.path.join(folder, "Install Certificates.command")
+    patchScript("resources/install_certificates.command",  fn)
     os.chmod(folder, STAT_0o755)
     setIcon(folder, "../Icons/Python Folder.icns")
 
diff --git a/Mac/BuildScript/resources/ReadMe.rtf b/Mac/BuildScript/resources/ReadMe.rtf
index 65e3f14cd3..ac68786999 100644
--- a/Mac/BuildScript/resources/ReadMe.rtf
+++ b/Mac/BuildScript/resources/ReadMe.rtf
@@ -1,106 +1,76 @@
-{\rtf1\ansi\ansicpg1252\cocoartf1348\cocoasubrtf170
+{\rtf1\ansi\ansicpg1252\cocoartf1504\cocoasubrtf750
 {\fonttbl\f0\fswiss\fcharset0 Helvetica;\f1\fmodern\fcharset0 CourierNewPSMT;}
 {\colortbl;\red255\green255\blue255;}
+{\*\expandedcolortbl;;}
 \margl1440\margr1440\vieww13380\viewh14600\viewkind0
-\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\pardirnatural
+\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\pardirnatural\partightenfactor0
 
 \f0\fs24 \cf0 This package will install Python $FULL_VERSION for Mac OS X $MACOSX_DEPLOYMENT_TARGET for the following architecture(s): $ARCHITECTURES.\
 \
-\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\pardirnatural
+\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\pardirnatural\partightenfactor0
 
 \b \cf0 \ul \ulc0 Which installer variant should I use?
 \b0 \ulnone \
 \
-Python.org provides two installer variants for download: one that installs a 
+\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\pardirnatural\partightenfactor0
+
+\b \cf0 **NEW**
+\b0  For Python 3.6, the python.org website now provides only one installer variant for download: one that installs a 
 \i 64-bit/32-bit Intel
 \i0  Python capable of running on 
 \i Mac OS X 10.6 (Snow Leopard)
-\i0  or later; and one that installs a 
-\i 32-bit-only (Intel and PPC)
-\i0  Python capable of running on 
-\i Mac OS X 10.5 (Leopard)
 \i0  or later.  This ReadMe was installed with the 
 \i $MACOSX_DEPLOYMENT_TARGET
-\i0  variant.  Unless you are installing to an 10.5 system or you need to build applications that can run on 10.5 systems, use the 10.6 variant if possible.  There are some additional operating system functions that are supported starting with 10.6 and you may see better performance using 64-bit mode.  By default, Python will automatically run in 64-bit mode if your system supports it.  Also see 
-\i Certificate verification and OpenSSL
-\i0  below.  The Pythons installed by these installers are built with private copies of some third-party libraries not included with or newer than those in OS X itself.  The list of these libraries varies by installer variant and is included at the end of the License.rtf file.
+\i0  variant.  By default, Python will automatically run in 64-bit mode if your system supports it.  The Python installed by this installer is built with private copies of some third-party libraries not included with or newer than those in OS X itself.  The list of these libraries is included at the end of the License.rtf file.
 \b \ul \
 \
-Update your version of Tcl/Tk to use IDLE or other Tk applications
-\b0 \ulnone \
-\
-To use IDLE or other programs that use the Tkinter graphical user interface toolkit, you need to install a newer third-party version of the 
-\i Tcl/Tk
-\i0  frameworks.  Visit {\field{\*\fldinst{HYPERLINK "https://www.python.org/download/mac/tcltk/"}}{\fldrslt https://www.python.org/download/mac/tcltk/}} for current information about supported and recommended versions of 
-\i Tcl/Tk
-\i0  for this version of Python and of Mac OS X.\
-
-\b \ul \
 Certificate verification and OpenSSL\
+\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\pardirnatural\partightenfactor0
 
-\b0 \ulnone \
-Python 3.5 includes a number of network security enhancements that were released in Python 3.4.3 and Python 2.7.10.  {\field{\*\fldinst{HYPERLINK "https://www.python.org/dev/peps/pep-0476/"}}{\fldrslt PEP 476}} changes several standard library modules, like 
-\i httplib
-\i0 , 
-\i urllib
-\i0 , and 
-\i xmlrpclib
-\i0 , to by default verify certificates presented by servers over secure (TLS) connections.  The verification is performed by the OpenSSL libraries that Python is linked to.  Prior to 3.4.3, both python.org installers dynamically linked with Apple-supplied OpenSSL libraries shipped with OS X.  OS X provides a multiple level security framework that stores trust certificates in system and user keychains managed by the 
+\b0 \cf0 \ulnone \
+\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\pardirnatural\partightenfactor0
+
+\b \cf0 **NEW**
+\b0  This variant of Python 3.6 now includes its own private copy of OpenSSL 1.0.2.  Unlike previous releases, the deprecated Apple-supplied OpenSSL libraries are no longer used.  This also means that the trust certificates in system and user keychains managed by the 
 \i Keychain Access 
 \i0 application and the 
 \i security
-\i0  command line utility.\
-\
-For OS X 10.5, Apple provides 
-\i OpenSSL 0.9.7
-\i0  libraries.  This version of Apple's OpenSSL 
-\b does not
-\b0  use the certificates from the system security framework, even when used on newer versions of OS X.  Instead it consults a traditional OpenSSL concatenated certificate file (
-\i cafile
-\i0 ) or certificate directory (
-\i capath
-\i0 ), located in 
-\f1 /System/Library/OpenSSL
-\f0 .  These directories are typically empty and not managed by OS X; you must manage them yourself or supply your own SSL contexts.  OpenSSL 0.9.7 is obsolete by current security standards, lacking a number of important features found in later versions.  Among the problems this causes is the inability to verify higher-security certificates now used by python.org services, including 
-\i t{\field{\*\fldinst{HYPERLINK "https://pypi.python.org/pypi"}}{\fldrslt he Python Package Index, PyPI}}
-\i0 .  To solve this problem, the 
-\i 10.5+ 32-bit-only python.org variant
-\i0  is linked with a private copy of 
-\i OpenSSL 1.0.2
-\i0 ; it consults the same default certificate directory, 
-\f1 /System/Library/OpenSSL
-\f0 .   As before, it is still necessary to manage certificates yourself when you use this Python variant and, with certificate verification now enabled by default, you may now need to take additional steps to ensure your Python programs have access to CA certificates you trust.  If you use this Python variant to build standalone applications with third-party tools like {\field{\*\fldinst{HYPERLINK "https://pypi.python.org/pypi/py2app/"}}{\fldrslt 
-\f1 py2app}}, you may now need to bundle CA certificates in them or otherwise supply non-default SSL contexts.\
-\
-For OS X 10.6+, Apple also provides 
-\i OpenSSL
-\i0  
-\i 0.9.8 libraries
-\i0 .  Apple's 0.9.8 version includes an important additional feature: if a certificate cannot be verified using the manually administered certificates in 
-\f1 /System/Library/OpenSSL
-\f0 , the certificates managed by the system security framework In the user and system keychains are also consulted (using Apple private APIs).  For this reason, the 
-\i 64-bit/32-bit 10.6+ python.org variant
-\i0  continues to be dynamically linked with Apple's OpenSSL 0.9.8 since it was felt that the loss of the system-provided certificates and management tools outweighs the additional security features provided by newer versions of OpenSSL.  This will likely change in future releases of the python.org installers as Apple has deprecated use of the system-supplied OpenSSL libraries.  If you do need features from newer versions of OpenSSL, there are third-party OpenSSL wrapper packages available through 
-\i PyPI
-\i0 .\
+\i0  command line utility are no longer used as defaults by the Python 
+\f1 ssl
+\f0  module.  For 3.6.0, a sample command script is included in 
+\f1 /Applications/Python 3.6
+\f0  to install a curated bundle of default root certificates from the third-party 
+\f1 certifi
+\f0  package ({\field{\*\fldinst{HYPERLINK "https://pypi.python.org/pypi/certifi"}}{\fldrslt https://pypi.python.org/pypi/certifi}}).  If you choose to use 
+\f1 certifi
+\f0 , you should consider subscribing to the{\field{\*\fldinst{HYPERLINK "https://certifi.io/en/latest/"}}{\fldrslt  project's email update service}} to be notified when the certificate bundle is updated.\
 \
 The bundled 
 \f1 pip
-\f0  included with the Python 3.5 installers has its own default certificate store for verifying download connections.\
+\f0  included with the Python 3.6 installer has its own default certificate store for verifying download connections.\
 \
+\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\pardirnatural\partightenfactor0
 
-\b \ul Other changes\
+\b \cf0 \ul Update your version of Tcl/Tk to use IDLE or other Tk applications
+\b0 \ulnone \
+\
+To use IDLE or other programs that use the Tkinter graphical user interface toolkit, you need to install a newer third-party version of the 
+\i Tcl/Tk
+\i0  frameworks.  Visit {\field{\*\fldinst{HYPERLINK "https://www.python.org/download/mac/tcltk/"}}{\fldrslt https://www.python.org/download/mac/tcltk/}} for current information about supported and recommended versions of 
+\i Tcl/Tk
+\i0  for this version of Python and of Mac OS X.  For the initial release of Python 3.6, the installer is still linked with Tcl/Tk 8.5.\
+
+\b \ul \
+Other changes\
 
 \b0 \ulnone \
-\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\pardirnatural
-\cf0 For other changes in this release, see the 
+For other changes in this release, see the 
 \i What's new
 \i0  section in the {\field{\*\fldinst{HYPERLINK "https://www.python.org/doc/"}}{\fldrslt Documentation Set}} for this release and its 
 \i Release Notes
 \i0  link at {\field{\*\fldinst{HYPERLINK "https://www.python.org/downloads/"}}{\fldrslt https://www.python.org/downloads/}}.\
-\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\pardirnatural
 
-\b \cf0 \ul \
+\b \ul \
 Python 3 and Python 2 Co-existence\
 
 \b0 \ulnone \
diff --git a/Mac/BuildScript/resources/Welcome.rtf b/Mac/BuildScript/resources/Welcome.rtf
index dfb75d854d..3a9ab04454 100644
--- a/Mac/BuildScript/resources/Welcome.rtf
+++ b/Mac/BuildScript/resources/Welcome.rtf
@@ -1,8 +1,9 @@
-{\rtf1\ansi\ansicpg1252\cocoartf1343\cocoasubrtf160
+{\rtf1\ansi\ansicpg1252\cocoartf1504
 \cocoascreenfonts1{\fonttbl\f0\fswiss\fcharset0 Helvetica;}
 {\colortbl;\red255\green255\blue255;}
+{\*\expandedcolortbl;\csgray\c100000;}
 \paperw11905\paperh16837\margl1440\margr1440\vieww12200\viewh10880\viewkind0
-\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640
+\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\partightenfactor0
 
 \f0\fs24 \cf0 This package will install 
 \b Python $FULL_VERSION
@@ -16,8 +17,14 @@
 \b IDLE
 \b0 .\
 \
+\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\partightenfactor0
 
-\b IMPORTANT:
+\b \cf0 NEW:
+\b0   There are important changes in this release regarding network security and trust certificates.  Please see the ReadMe for more details.\
+\
+\pard\tx720\tx1440\tx2160\tx2880\tx3600\tx4320\tx5040\tx5760\tx6480\tx7200\tx7920\tx8640\partightenfactor0
+
+\b \cf0 IMPORTANT:
 \b0  
 \b IDLE
 \b0  and other programs using the 
diff --git a/Mac/BuildScript/resources/install_certificates.command b/Mac/BuildScript/resources/install_certificates.command
new file mode 100755
index 0000000000..1d2e2d878c
--- /dev/null
+++ b/Mac/BuildScript/resources/install_certificates.command
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+/Library/Frameworks/Python.framework/Versions/@PYVER@/bin/python@PYVER@ << "EOF"
+
+# install_certifi.py
+#
+# sample script to install or update a set of default Root Certificates
+# for the ssl module.  Uses the certificates provided by the certifi package:
+#       https://pypi.python.org/pypi/certifi
+
+import os
+import os.path
+import ssl
+import stat
+import subprocess
+import sys
+
+STAT_0o775 = ( stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR
+             | stat.S_IRGRP | stat.S_IWGRP | stat.S_IXGRP
+             | stat.S_IROTH |                stat.S_IXOTH )
+
+def main():
+    openssl_dir, openssl_cafile = os.path.split(
+        ssl.get_default_verify_paths().openssl_cafile)
+
+    print(" -- pip install --upgrade certifi")
+    subprocess.check_call([sys.executable,
+        "-E", "-s", "-m", "pip", "install", "--upgrade", "certifi"])
+
+    import certifi
+
+    # change working directory to the default SSL directory
+    os.chdir(openssl_dir)
+    relpath_to_certifi_cafile = os.path.relpath(certifi.where())
+    print(" -- removing any existing file or link")
+    try:
+        os.remove(openssl_cafile)
+    except FileNotFoundError:
+        pass
+    print(" -- creating symlink to certifi certificate bundle")
+    os.symlink(relpath_to_certifi_cafile, openssl_cafile)
+    print(" -- setting permissions")
+    os.chmod(openssl_cafile, STAT_0o775)
+    print(" -- update complete")
+
+if __name__ == '__main__':
+    main()
+EOF
diff --git a/Mac/IDLE/IDLE.app/Contents/Resources/idlemain.py b/Mac/IDLE/IDLE.app/Contents/Resources/idlemain.py
index 986760d314..5994c18ff8 100644
--- a/Mac/IDLE/IDLE.app/Contents/Resources/idlemain.py
+++ b/Mac/IDLE/IDLE.app/Contents/Resources/idlemain.py
@@ -68,6 +68,6 @@ for idx, value in enumerate(sys.argv):
         break
 
 # Now it is safe to import idlelib.
-from idlelib.PyShell import main
+from idlelib.pyshell import main
 if __name__ == '__main__':
     main()