comparison doc/announcement.txt @ 6695:b3ba03d2b214 2.2.0b1

2.2.0b1 release changes
author John Rouillard <rouilj@ieee.org>
date Wed, 15 Jun 2022 09:58:31 -0400
parents cbc18a8bc61f
children b56bd672ebbf
6694:51865a1ee765 6695:b3ba03d2b214
1 I'm proud to release version 2.1.0 of the Roundup issue tracker. 1 I'm proud to release version 2.2.0b1 of the Roundup issue tracker.
2 This 20th anniversary edition has been possible due to the help of 2 This release is a bugfix and minor feature
3 several contributors. This release is a bugfix and minor feature
4 release, so make sure to read `docs/upgrading.txt 3 release, so make sure to read `docs/upgrading.txt
5 <https://www.roundup-tracker.org/docs/upgrading.html>`_ to bring your 4 <https://www.roundup-tracker.org/docs/upgrading.html>`_ to bring your
6 tracker up to date. 5 tracker up to date.
7 6
8 2.1.0 builds on the 2.0.0 major release that introduced:
9
10 * Python 2 and Python 3 support
11 * a new REST interface
12 * updates to jinja2 templates including security improvements
13
14 The changes, as usual, include some new features and many bug fixes. 7 The changes, as usual, include some new features and many bug fixes.
15 8
16 Note that you should run ``roundup-admin ... migrate`` to update the 9 Note that you should run ``roundup-admin ... migrate`` to update the
17 database schema version. Do this before you use the web, command-line 10 database schema version. Do this before you use the web, command-line
18 or mail interface and before any users access the tracker. 11 or mail interface and before any users access the tracker.
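Review bot: The retained note at new lines 9-11 still tells admins to run ``roundup-admin ... migrate``, but this change deletes the only stated reasons for it (the MySQL index sentence ending "Hence the need for ``roundup-admin ... migrate``" and the "Must run roundup-admin migrate" changelog entry), and the visible new text does not say what schema change 2.2.0b1 brings. Either add one sentence saying why migrate is needed for this release or point to the relevant section of upgrading.txt. The opening sentence at new line 1 could also say that 2.2.0b1 is a beta, since the text otherwise reads like a final release announcement.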
21 14
22 pip download roundup 15 pip download roundup
23 16
24 then unpack and test/install the tarball. 17 then unpack and test/install the tarball.
25 18
26 Among the notable improvements from the 2.0.0 release are: 19 Among the notable improvements from the 2.1.0 release are:
27 20
28 Mysql backend now uses an index to make sure that key values are not 21 Roundup supports dynamic and static compression of http
29 duplicated when two roundup processes run in parallel. (Hence the 22 responses.
30 need for ``roundup-admin ... migrate``.) 23
31 24 Better support for range headers and HTTP 1.1 in
32 Postgres back end uses a server side cursor. This reduces the memory 25 roundup-server.
33 use of the roundup process on large queries. 26
34 27 New full text search methods. SQLite FTS and PostgreSQL
35 Fix sorting of multilinks in templating code. Sorting by a link 28 full text search are supported. These allow search
36 without a value no longer generates a traceback. Sorting now works 29 expressions in addition to simple word based
37 as documented by the spec. 30 searches.
38 31
39 If ``roundup-admin security`` finds an invalid property, it exits 32 Word size for Roundup's full text search increased to 50.
40 with a non-zero status. It can be used as part of a CI/CD pipeline 33
41 to validate schema security. 34 CORS support for the REST interface allowing Roundup to
42 35 be use by third party services. Includes ability to
43 Security fixes for jQuery, markdown handling. 36 list valid Origins in CSRF checks.
44 37
45 Fixes to markdown handling if using the jinja2 template. 38 Dockerfile support. Docker-compose for a mysql based
46 39 tracker.
47 Keyword editing in jinja2 template improved. 40
48 41 Secret values in config.ini can be stored in external
49 Fix a number of tracebacks. 42 files. This allows config.ini to be stored in a VCS
50 43 without exposing secrets.
51 Installation uses setuptools not distutils. 44
52 45 Improvements to REST: fix crashes, support JWT in url,
53 Valid class names are documented and enforced. All class names now 46 dynamic endpoint list, OpenAPI (Swagger) doc can be specified,
54 match ``[A-z][A-z0-9_]+[A-z_]``. 47 allowed methods reported on error.
55 48
56 Replace a number of deprecated/missing functions in newer pythons. 49 Define default cache times for js and css assets.
57 50
58 Fix history showing invalid data when an update is rejected. 51 Login with empty passwords is disabled by default.
59 52
60 The filter command in roundup-admin works transitively and handles 53 ETag value changes depending on content-encoding
61 empty values properly. 54
62 55 Fix crash when importing legacy Roundup tracker with long
63 Password reset documented in user guide. 56 integers.
64 57
65 Admins can set the language used for stemming in the xapian indexer. 58 Workaround lock contention by adding jitter to access of
66 59 one time key and sessions anydbm databases.
67 Devel and responsive template strings now extracted for translation. 60
61 Fixes for deprecated calls/libraries in newer Pythons:
62 distutils, crypt, socket.sslserver....
63
64 Additional strings marked for translation.
65
66 Multiple crash fixes.
67
68 Improvements to tracker templates.
69
70 Translation object added to internal database
71 handle. This allows auditors and extensions to
72 provide efficient translations.
68 73
69 The file CHANGES.txt has a detailed list of feature additions and 74 The file CHANGES.txt has a detailed list of feature additions and
70 bug fixes (58) for each release. The most recent changes from 75 bug fixes (50) for each release. The most recent changes from
71 there are at the end of this announcement. Also see the 76 there are at the end of this announcement. Also see the
72 information in doc/upgrading.txt. 77 information in doc/upgrading.txt.
73 78
74 If you find bugs, please report them to issues AT roundup-tracker.org 79 If you find bugs, please report them to issues AT roundup-tracker.org
75 or create an account at https://issues.roundup-tracker.org and open a 80 or create an account at https://issues.roundup-tracker.org and open a
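Review bot: New line 62 lists "socket.sslserver" among the deprecated items, but the detailed entry for issue2551186 further down names socket.sslerror; the summary should use the same name. New line 35 has "be use by third party services", which should read "be used". "Login with empty passwords is disabled by default" (new line 51) is a behaviour change on login, so it would help to name the config.ini option login_empty_passwords here as the changelog does, so admins can find the setting.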
142 and supports four database back-ends (anydbm, sqlite, mysql and postgresql). 147 and supports four database back-ends (anydbm, sqlite, mysql and postgresql).
143 148
144 Recent Changes 149 Recent Changes
145 ============== 150 ==============
146 151
147 From 2.0.0 to 2.1.0. 152 From 2.1.0 to 2.2.0b1.
148 153
149 Fixed: 154 Fixed:
150 155
151 - Reverse multilink to *the same class* would trigger a traceback about 156 - issue2551161 - Fix ResourceWarnings when running with -W default.
152 a modified dictionary on iteration (Ralf Schlatterbeck) 157 Cleaned up leaking file descriptors from zopetal pre-compile, python
153 - issue2551086 - Valid class names not documented. Should follow 158 module compile and loading localization file. (John Rouillard)
154 ``[A-z][A-z0-9_]+[A-z_]``. This was never documented or enforced, but 159 - When using roundup-server with native SSL, only accept TLS v1.2.
155 we get obscure errors if the rules are not followed. (Tom 160 Previously it used to accept only TLS v1.1. 1.1 is deprecated by
156 Ekberg tests by John Rouilard) 161 chrome. I don't expect this to be a major problem since a front
157 - issue2550564 - Roundup sets "Precedence: bulk" on all outgoing mail, 162 end server (apache, Nginx...) is usually customer facing and
158 which seems wrong. Handle Auto-Submitted header on *inbound* email 163 terminates SSL. (John Rouillard)
159 like we do precedence bulk. This is part of this issue. 164 - Fix hang when valid user without authorization for REST tries to use
160 - roundup-admin filter calls find() not filter when using -s -c -S 165 the rest interface. (John Rouillard)
166 - Remove Content-Type and make sure no content is returned by OPTIONS
167 request in REST interface. (John Rouillard)
168 - In write_html set the Content-Length when response is not
169 encoded/compressed. (John Rouillard)
170 - In REST interface do not raise UsageError for invalid api version.
171 Return json error with proper message. Fixes crash. (John Rouillard)
172 - In REST interface, allow extensions on URI less than 6 characters in
173 length. All other paths with a . in then will be passed through
174 without change. This allows items like a JWT to be passed as a path
175 element. (John Rouillard)
176 - issue2551167 - pip install in containerized environments puts
177 template and locale files under site-packages where roundup can't find
178 them. Change code to find them under site-packages.
179 - REST replace hard coded list of child endpoints for /rest/ with list
180 pulled from registered endpoints. So newly added endpoints are
181 shown. (John Rouillard)
182 - issue2551107 - Handle representation of long int in history params
183 for python3. Causes SyntaxError crash when showing history due to
184 long int e.g. 2345L. This is not a problem for roundup trackers
185 created using 1.2.0 or newer. The fix may have predated the 1.2.0
186 release but where the fix actually landed (representing id as a
187 string and not as an int) is unknown.
188 - issue2551175 - Make ETag content-encoding aware. HTTP ETag headers
189 now include a suffix indicating the content-encoding used to send
190 the data per rfc7232. Properly validate any form of ETag suffixed or
191 non-suffixed for If-Match.
192 - issue2551178 - fix Traceback in Apache WSGI - during file upload
193 - issue2551179 - make roundup-demo initialize templates using
194 config_ini.ini overrides. Needed for jinja to set template lang etc.
195 Recognize minimal template when presented with a full
196 path. (John Kristensen (jerrykan) and John Rouillard)
197 - handle configparser.InterpolationSyntaxError raised if value
198 has a single %. Seems to afect python 3 only. Reported by
199 nomicon on IRC. (John Rouillard)
200 - add random delay to session database retry code between 0 and .125
201 seconds. This seems to help reduce stalled connections when a
202 number of connections are made at the same time. Log remaining
203 retries once 5 of them have been used. (John Rouillard)
204 - issue2551169 - setup.py enters endless loop on gentoo linux python2
205 installation. Fixed.
206 - issue2551185 - must set PYTHONPATH=... python2 setup.py install
207 --prefix=/tmp/r2. Force insert --old-and-unmangable to get it
208 to use a classic installer and not an easy install. This only
209 affects python2.
210 - issue2551186 - Python versions >= 3.3 no longer use socket.sslerror.
211 Andrew (kragacles) patched uses of socket.sslerror in mailgy.py.
212 Patch adapted to allow trapping sslerror under both python2 and 3.
161 (John Rouillard) 213 (John Rouillard)
162 - When requesting transitive properties via ``@fields`` in the REST-API, 214 - issue2551142 - postgresql reworked to use savepoint/"rollback to"
163 an empty link in the transitive property (e.g. author.username when 215 rather than commit()/rollback(). Using savepoint should be faster.
164 requesting message properties) would result in a 404 error. Now we're 216 - issue2551196 - Unset labelprop of a Multilink can lead to Python
165 returning a JSON 'null' value. for an empty link (e.g. empty author in 217 error when using context/history. (reported and initial patch: Nagy
166 the example). (John Rouillard) 218 Gabor, John Rouillard)
167 - sphinxcontrib.cheeseshop is unmaintained and using old http 219 - Fix roundup-server to pass If-Range http header so Ranges work
168 url. Attempts to override cheeseshop_url failed. Replace call to 220 better. (John Rouillard)
169 cheeseshop in docs with raw html and remove references to 221 - issue2551183 - Replace references to distutils in
170 cheeseshop. (John Rouillard) 222 roundup/dist/command (John Rouillard)
171 - issue2551093 - return plain text if markdown formatter throws exception 223 - Fix hang if Range request was not able to be satified or a HEAD
172 (reported by Cedric Krier, fix by John Rouillard) 224 request was done.
173 - issue2551094 - make simplemde handle line breaks the same as the 225 - Mark strings involved with password reset and registration for
174 backend markdown formatters. (report: Cedric Krier, patch: Christof 226 translation. (reported: Thomas Arendsen Hein, John Rouillard)
175 Meerwald) 227 - issue2551159 - cl.filter fails if filterspec is None (also
176 - issue2551092 - fix crash bug by aligning 228 group and sort). Passing a sort, group or filterprop param
177 ``roundup.anypy.email_.decode_header`` with stdlib ``email.header`` and 229 set to None to any filter() call should not cause a
178 convert string to bytes for python 3. (Cedric Krier) 230 traceback. It will pretend as though no filter, sort or
179 - issue2551097 - fix underlying bug in use of fenced codeblocks with 231 group was specified. (John Rouillard)
180 markdown2. Fix for issue2551093 to prevent exception trigger. 232 - issue2551205 - Add support for specifying valid origins
181 (patch: Cedric Krier) 233 for api: xmlrpc/rest. Allows CORS to work with roundup
182 - issue2551099 - disable processing of data url's in markdown. Display 234 backend. (John Rouillard)
183 as plain text. (John Rouillard) 235 - new option added to config.ini: login_empty_passwords set to
184 - issue2551100 - old jquery has security issues, upgrade it and fix 236 no by default. Setting this to yes allows a user with an
185 user.help.html (John Rouillard) 237 empty password to login.
186 - replace deprecated base64.decodestring with base64.b64decode in 238 - issue2551207 - Fix sorting by order attribute if order attributes can
187 roundup_server.py and roundup_xlmrpc_server.py (reported by 239 be None. Add a test.
188 lmsteffan in irc) 240 - issue2551203 fix CORS requests by providing proper headers and allowing
189 - removed run_tests.py. Newer pytest doesn't support generating 241 unauthenticted CORS preflight requests.
190 stand alone testing bundles. Python 3.9 generates errors running 242
191 the current run_tests.py. (reported by lmsteffan in irc) 243 Features:
192 - issue2551104 - fix issue with markdown autolink next to punctuation (ced) 244
193 - removed support for old style trackers that use dbinit.py and 245 - issue2551147 - Enable compression of http responses in roundup.
194 config.py. Also remove all uses of deprecated imp module. (John Rouillard) 246 Allow roundup to return gzip, (br or zstd with added modules)
195 - removed support for setting database type using 247 Content-Encoded replies. Compression could be done in upstream
196 <database>/backend_name. (John Rouillard) 248 proxies/wsgi server but this allows it to occur natively. (John
197 - fixed some issues when generating translations. Use mappings and 249 Rouillard)
198 named format parameters so translators can move substituted tokens 250 - Change tracker templates adding required to login forms. Invokes
199 in translations. (John Rouillard) 251 browser error reporting if user forgets to fill in a field.
200 - in rest interface, fix uncaught exceptions when parsing invalid
201 Content-Type and Accept headers. Document response formats more
202 fully in doc/rest.txt. (John Rouillard)
203 - in filter, filter_iter and _materialize_multilinks, use named cursor
204 with postgresql. This turns of client-side cursor handling and avoids
205 *large* roundup process (or wsgi process) in case of large results.
206 Fixes issue2551114. (Ralf Schlatterbeck)
207 - issue2551108 - fix handling of designator links when formatted
208 as markdown links. (Reported by Cedric Krier; John Rouillard)
209 - Fix filename created from mail attachments, fixes issue2551118
210 - Call verifyPassword even if user does not exist. Address timing
211 attack to discover valid account names. Useful where anonymous user
212 is not allowed access. (John Rouillard)
213 - issue2551126 - AttributeError: 'str' object has no attribute
214 'local'. Fix traceback caused by DateHTMLProperty.pretty() called
215 on a string value due to error in some other field. (Reported by
216 reda, fix: John Rouillard)
217 - issue2550899 - Migrate setup.py to setuptools; fixes:
218 issue2550866 'pip install --editable .' fails; et al.
219 this now requires that setuptools be installed. (Patch by John
220 Kristensen (jerrykan); additional doc changes (upgrade.txt,
221 RELEASE.txt) John Rouillard)
222 - issue2551128 - Impossible to validate a user with unknown timezone
223 Raise KeyError when an unrecognized timezones is passed to
224 pytz. (patch Cedric Krier, test John Rouillard)
225 - issue2551129 - Template not found return 500
226 Handle traceback caused when requested @template is not found.
227 Return 400 error in this condition. (patch Cedric Krier,
228 additional change and test John Rouillard)
229 - issue2551062: roundup-admin security now exits status 1 when
230 it finds an invalid property. It no longer tries to print the rest
231 of the security properties. (John Rouillard)
232 - issue2551078 - Fix traceback caused when putting two id's into a
233 Link html field. A ValueError is raised. Handle exception and return
234 value. hyperdb.py now reports 'you may only enter ID values for
235 property ...' to the user. (John Rouillard)
236 - issue2551120 - The sorted method of MultilinkHTMLProperty crashes,
237 if the given property is unset for an element of the list. Crash
238 fixed. New feature NoneFirst added to method to make unset values
239 sort at start or end of sorted list. (John Rouillard)
240 - issue2550648 - keyword boolean search. Issue has multiple problems.
241 Fix issue where saving the keyword boolean search would remove the
242 link to open the editor. (John Rouillard)
243 - issue2551136 - timezone extention crash on Python 3.8. cgi.escape
244 is used in some template to provide a select box of timezones. It
245 uses cgi.escape that is deprecated and removed from 3.8 and newer.
246 Use html.escape with fallback to cgi.escape. (Cedric Krier)
247 - roundup-server can act as an SSL server. Usually SSL is provided by
248 a front-end server like nginx, hiawatha, apache. The SSL parameters
249 have been upgraded to TLS 1.1. Cert is RSA 2048 bytes with SHA512
250 signature. Without these upgrades, ssl mode won't start. Note this
251 exposes other issue with roundup-server operating as an SSL
252 endpoint. See issue2551138 and issue2551137. (John Rouillard)
253 - issue2551122 - sorted method of MultilinkHTMLProperty does a string
254 sort even if the property is an integer. Fixed so that the orderprop
255 for the linked class is used. (John Rouillard, reported by Nagy Gabor)
256 - issue2550964 - History can (temporarily) show incorrect value when a
257 change is rejected. Fix history function to always use the database
258 values and ignore the current setting in the form. (John Rouillard)
259 - Fix find() with anydbm. Using protected properties raised KeyError.
260 Add shortcut fast return. Both changes come from rdbms_common.py's
261 find(). (John Rouillard)
262 - Fix traceback caused by calling history() with arguments in a
263 non-item context. (John Rouillard)
264 - issue2551141 - roundup-admin returns no such class when restoring
265 item with duplicate key. Fix incorrect error message when using
266 roundup-admin to restore a user when the username is already in use.
267 (John Rouillard) 252 (John Rouillard)
268 - issue2551142 - Import of retired node with username after active 253 - issue1596345 - filtering user list (need
269 node is imported raises unique constraint failure. (Reported by Ganesh 254 user.search.hml). Incorporate user search features from
270 Sittampalam/Heffalump on irc. John Rouillard) 255 issues.roundup-tracker.org into classic template. Devel and
271 - *** Must run roundup-admin migrate *** 256 responsive templates already have this feature.
272 Increment rdbms version from 5 to 6. Mysql rdbms classes were 257 - issue2550917 - Add a: "Welcome user, you have logged in" ok_message
273 missing unique key constraint. Found during fix for issue2551142. 258 on login. (Ashley Burke)
274 See upgrading.txt. (John Rouillard) 259 - enable HTTP/1.1 for roundup-server. This enables keep-alive for
275 - ignore blank lines in CSV class editing. (John Rouillard) 260 faster response/loading. Also eliminates stalls when the front end web
276 - issue2551122 - fixing order by a link/multilink broke other props 261 server uses http 1.1 but the roundup-server uses 1.0. New option
277 should be final change for that ticket. (John Rouillard) 262 "-V HTTP/1.0" can turn it off. (John Rouillard)
278 263 - issue2551163 - add scripts/Docker/Dockerfile to provide basic support for
279 Features: 264 containerization. See installation.txt for details. (John Rouillard)
280 265 - issue2551163 - add scripts/Docker/docker-compose.yml to get a
281 - issue2550522 - Add 'filter' command to command-line 266 mysql/roundup deployment. (Norbert Schlemmer, modified by John
282 interface. Filter command was actually added in 2.0.0, but this 267 Rouilard)
283 issue requested transitive searching. So that:: 268 - REST add openapi_doc decorator to add openapi_doc to
284 269 endpoints. Decorate a couple of examples. (John Rouillard)
285 roundup-admin -i . filter issue assignedto.username=Admin 270 - REST when incorrect method is used, report allowed methods in error
286 271 message as well as in an Allow header. (John Rouillard)
287 will work. This also fixes a bug. If assignedto.username had no 272 - REST change response to invalid attribute specified in path. Return
288 matches, all issues would be returned. This is also fixed. 273 400 code not 405 code for this case and improve error. (John
289 (John Rouillard) 274 Rouillard)
290 - issue2550716 - Email address displayed after password reset request. 275 - REST correct values for some Access-Control-Allow-Methods and
291 This fix actually made it into 1.6 release. However this release 276 Access-Control-Allow-Headers headers. (John Rouillard)
292 documents how password reset works in user_guide.txt. (John Rouillard) 277 - issue2550991 - define default cache control settings for javascript
293 - issue2551094 - add new markdown config.ini setting to allow embedded 278 and css assets. (John Rouillard)
294 newlines to cause a linebreak same as GitHub Flavored Markdown. 279 - issue2551181 - fragments can be appended to designators. So
295 (Patch: Cedric Krier; Doc change/checkin John Rouillard) 280 issue23#msg24 could jump to the element with id msg24 in issue 23.
296 - issue2551096 - enable markdown autolink for email and bare url's. 281 Before this patch you would have two links issue23 and msg24
297 Modify raw markdown adding appropriate link markers on the fly. 282 separated by # (John Rouillard).
298 (Cedric Krier) 283 - added small utility script to dump dbm based tracker databases
299 - issue2551098 - add rel="nofollow" for links generated by markdown2 284 (e.g. db/sessions). (John Rouillard)
300 backend and rel="nofollow noopener" for mistune and markdown 285 - issue2551182 - Enhance configuration module to allow loading values
301 backends. Prevents link spam. noopener prevents security issue when 286 from an external file. Secrets (passwords, secrets) can specify
302 available. (John Rouillard) 287 file using file:// or file:///. The first line of the file is used
303 - Added explanation for modifying Fileclass content files to 288 as the secret. This allows committing config.ini to a VCS. (John
304 customizing.txt. Result of mailing list question. (John Rouillard) 289 Rouillard)
305 - issue2551109 - Improve keyword editing in jinja2 template. (Cedric Krier) 290 - Added xapian indexer to Docker container. (John Rouillard)
306 - issue2551117 - Add example systemd config 291 - Add support for indexer type native-fts to use FTS5 for sqlite
307 - Allow admin to configure language used for stemming in xapian 292 databases. (John Rouillard)
308 indexer. (John Rouillard request by Nagy Gabor) 293 - Add support for indexer type native-fts to use PostreSQL's full text
309 - Move memorydb from test to roundup/test to allow regression-testing in 294 search. (John Rouillard)
310 tracker instances without copying code. Also move the test-detectors in 295 - Add better error display to the user. Needed to expose errors in fts5
311 tx_Source_detector.py to roundup/test for two reasons: It's used in the 296 search syntax to the user while also displaying the template page
312 memorydb convenience functions and it may be useful in other tests. Make 297 structure. (John Rouillard)
313 the prefix a parameter of the convenience functions to be usable in other 298 - issue2551189 - increase size of words in full text index.
314 tests. (Ralf Schlatterbeck) 299 Many terms (like exception names or symbolic constants) are larger
315 - pytest suite now starts the server under wsgi and loads the home 300 than 25. Also German words are long. Since there is little chance of
316 page. This test is skipped if the requests module is not installed. 301 fixing German to shorten their words, change indexer maxlength to 50.
317 - extract translatable strings from devel and responsive templates. Merge 302 (Thomas Arendsen Hein provided patch; patch reworked John Rouillard)
318 translations from https://sourceforge.net/p/roundup/code/merge-requests/3/ 303 - issue2551184 - add an i18n object to the roundupdb. This makes it
319 (John Rouillard. DE translations by Tobias Herp.) 304 possible to translate error messages in detectors (or actions). The
320 - send_message now allows setting authid to set source of email. 305 i18n object is now also correctly set for the mail interface:
321 (John Rouillard) 306 previously the 'language' setting in the [mailgw] section seems to
322 - issue2550837 - New option for web auth (also http header passing). 307 have been ignored. Thanks to Marcus Priesch for the patch.
323 Allow admin to configure authentication header replacing the default
324 REMOTE_USER. Also allow arbitrary headers to be passed to the
325 tracker when using roundup-server behind a proxy. This code is
326 experimental see upgrading.txt admin_guide.txt. (John Rouillard)
327 - add image/svg-xml as valid mime type to serve. Was being served as
328 octet-stream. (John Rouillard)
329 - improve customizing.txt documentation on use of Special Form
330 Variables. Added example html inputs to illustrate the doc.
331 Fix position of designator in doc example. It occurs before
332 @link@ or other edit command. (John Rouillard)
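Review bot: The TLS entry at new lines 159-163 says roundup-server will "only accept TLS v1.2", which reads as if TLS 1.3 clients are refused; if 1.2 is the minimum, say "TLS v1.2 or newer", and if it is pinned to exactly 1.2, say so explicitly, since that matters to anyone exposing roundup-server directly. Several added lines carry typos worth fixing before release: "--old-and-unmangable" (new line 207; the setuptools option is --old-and-unmanageable, and users will copy this), "mailgy.py" (211), "afect" (198), "satified" (223), "unauthenticted" (241), "Rouilard" (267), "user.search.hml" (254) and "PostreSQL" (293). The login_empty_passwords entry (new lines 235-237) sits under Fixed without an issue number or author, unlike its neighbours.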

Roundup Issue Tracker: http://roundup-tracker.org/