comparison doc/announcement.txt @ 6137:eb9d00db0923

Forgot to check in changed doc files for 2.0.0beta0
author John Rouillard <rouilj@ieee.org>
date Mon, 06 Apr 2020 10:06:08 -0400
parents d7ff9cb70f34
children 043a8ffd79ad
6136:4006c6e5e7ef 6137:eb9d00db0923
1 I'm proud to release version 2.0.0alpha0 of the Roundup issue tracker 1 I'm proud to release version 2.0.0beta0 of the Roundup issue tracker
2 which has been possible due to the help of several contributors. This 2 which has been possible due to the help of several contributors. This
3 release contains some major changes, so make sure to read 3 release contains some major changes, so make sure to read
4 `docs/upgrading.txt 4 `docs/upgrading.txt
5 <http://www.roundup-tracker.org/dev-docs/upgrading.html>`_ to bring 5 <http://www.roundup-tracker.org/dev-docs/upgrading.html>`_ to bring
6 your tracker up to date. The changes, as usual, include some new 6 your tracker up to date. The changes, as usual, include some new
7 features and many bug fixes. 7 features and many bug fixes.
8 8
9 You can download it with: 9 You can download it with:
10 10
11 pip download roundup==2.0.0alpha0 11 pip download roundup==2.0.0beta0
12 12
13 then unpack and test/install the tarball. 13 then unpack and test/install the tarball.
14 14
15 Among the notable improvements are: 15 Among the notable improvements from the 1.6.1 release are:
16 16
17 Roundup is multilingual and will run under either Python 3 or 17 Roundup is multilingual and will run under either Python 3 or
18 Python 2. If you want to use Python 3, you *must read* the Python 3 18 Python 2. If you want to use Python 3, you *must read* the Python 3
19 Support section in the upgrading doc. Depending on the database 19 Support section in the upgrading doc. Depending on the database
20 backend you may have to export/import the tracker. Also you will 20 backend you may have to export/import the tracker. Also you will
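Review bot: the upgrading-guide path is inconsistent within this file: intro lines 4-5 reference `docs/upgrading.txt`, while lines 43-44 ("Also see the information in doc/upgrading.txt.") and the repository layout (this file is doc/announcement.txt) use `doc/`. Both columns carry the typo, so fix it here to `doc/upgrading.txt`; the URL `<http://www.roundup-tracker.org/dev-docs/upgrading.html>` is fine as is. The version bump to 2.0.0beta0 in the intro and in `pip download roundup==2.0.0beta0` is consistent, and "from the 1.6.1 release" usefully fixes the baseline for the improvements list.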
30 obsolete pyme library. Thanks to Christof Meerwald. 30 obsolete pyme library. Thanks to Christof Meerwald.
31 31
32 Use of mod_python is deprecated. Apache mod_wsgi documentation 32 Use of mod_python is deprecated. Apache mod_wsgi documentation
33 has been updated along with gunicorn and uwsgi and is the 33 has been updated along with gunicorn and uwsgi and is the
34 preferred mechanism. 34 preferred mechanism.
35 35
36 jinja templates updated to bootstrap 4.4.1. Templates use
37 autoescape and translation library. Support for messages
38 written in markdown added. SimpleMDE used as markdown editor to
39 provide preview features. Thanks to Christof Meerwald.
40
36 The file CHANGES.txt has a detailed list of feature additions and bug 41 The file CHANGES.txt has a detailed list of feature additions and bug
37 fixes. The most recent changes from there are at the end of this 42 fixes for each release. The most recent changes from there are at the
38 announcement. Also see the information in doc/upgrading.txt. 43 end of this announcement. Also see the information in
44 doc/upgrading.txt.
39 45
40 How You Can Help 46 How You Can Help
41 ================ 47 ================
42 48
43 We are looking for one or two front end developers to kick the tires 49 We are looking for one or two front end developers to kick the tires
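Review bot: the inserted paragraph at new lines 36-39 omits two things an upgrading admin needs. The markdown support it announces depends on an external renderer (the Features entry at new line 181 lists markdown, markdown2 or mistune), so say which package has to be installed; and "Templates use autoescape" is a rendering change for trackers that customised the jinja2 template, so add the same "see upgrading.txt" pointer the intro already gives for Python 3. Style: spell "jinja2" consistently (this paragraph says "jinja templates", the Fixed list says "jinja2 template") and turn the fragments into sentences, e.g. "The jinja2 templates have been updated to Bootstrap 4.4.1 and now use autoescape and the translation library."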
128 Recent Changes 134 Recent Changes
129 ============== 135 ==============
130 136
131 Features: 137 Features:
132 138
133 - issue2550901: add search page to jinja2 template (Christof Meerwald) 139 - Allow to pass additional headers to nosymessage, nice if a message
134 - issue2550982: use PBKDF2 in Python's hashlib, if available (Python 140 needs to be marked as urgent or similar, e.g., Outlook uses an
135 2.7.8+), to improve performance over bundled pure Python 141 "Importance" header, when set to "high" it highlights the message.
136 version. Note that acceleration via m2crypto is no longer supported 142 (Ralf Schlatterbeck)
137 (Christof Meerwald) 143 - issue2550926 - Original author adding a second message shouldn't set
138 - issue2550989: PGP encryption is now done using the gpg module 144 status to 'chatting'. See upgrading.txt for details. (John Rouillard)
139 instead of pyme. (Christof Meerwald) 145 - issue2550919 - Anti-bot signup using 4 second delay. New config.ini
140 - issue2550987: Use updated MySQL client module that supports Python 146 param [web] registration_delay must be set to 0 if template
141 3. (Christof Meerwald) 147 user.register.html is not modified. See upgrading.txt for details.
142 - issue2550967: the jinja2 loader has been extended to look for .xml 148 - Reimplement -u <login>[:<password>]. This opens the database as the
143 files as well as .html files similar to the TAL loader. (Christof 149 user and applies expected permissions. It also creates history
144 Meerwald) 150 entries for the user. Note that the password is unused, no mention
145 - Support for Python 3 (3.4 and later). See doc/upgrading.txt for 151 of it is in the spec that I can find, so not sure what it was
146 details of what is required to move an existing tracker from Python 152 supposed to be used for as the CLI has full access to the files so a
147 2 to Python 3 (Joseph Myers, Christof Meerwald) 153 password check is not useful. An edge case is when the login has a :
148 - Merge the Google Summer of Code Project of 2015, the implementation of 154 in it. In this case it may not work as expected. So don't do that.
149 a REST-API for Roundup. This was implemented by Chau Nguyen under the 155 - Implement Cache-Control headers for static files. Allows tracker
150 supervision of Ezio Melotti. Some additions were made, most notably we 156 admin to control caching for css, js and other static files. See
151 never destroy an object in the database but retire them with the 157 customizing.html. The use is documented in the section describing
152 DELETE method. We also don't allow to DELETE a whole class. Python3 158 how to use interfaces.py.
153 support was also fixed and we have cherry-picked two patches from the 159 - issue2551071 Update jinja template to bootstrap 4. Updated to 4.4.1.
154 bugs.python.org branch in the files affected by the REST-API changes. 160 The pull request has been around for a while. (Patch: Paul Spooren;
155 - Patch to client.py and roundup-server needed by REST-API 161 templates merged and additional changes by Christof Meerwald; other
156 code. Support OPTIONS verb and prevent hangs when processing a verb 162 merged by John Rouillard)
157 other than GET that doesn't have a payload. E.G. DELETE, PATCH or 163 - Add config option 'http_auth_convert_realm_to_lowercase'
158 OPTIONS. Verbs like PUT and POST usually have payloads, so this 164 If usernames consist of a name and a domain/realm part of the form
159 patch doesn't touch processing of these methods. (John Rouillard) 165 user@realm and we're using REMOTE_USER for authentication (e.g. via
160 - Patches to new rest code: 166 Kerberos), convert the realm part of the incoming REMOTE_USER to
161 - Generated links in responses should use the base url specified 167 lowercase before matching against the roundup username. This allows
162 in config.ini. 168 roundup usernames to be lowercase (including the realm) and still
163 - allow user (e.g. in browser) to override response type/Accept 169 follow the Kerberos convention of using an uppercase realm. In
164 header using extension in url. E.G. .../issues.json. This fixes 170 addition this is compatible with Active Directory which stores the
165 the existing code so it works. 171 username with realm as UserPrincipalName in lowercase.
166 - fix SECURITY issue. Retrieving the item of a class 172 - Cleaned up the WSGI interface implementation by separating the
167 (e.g. /rest/data/user/2) would display properties the user wasn't 173 request handler from the request displatcher. Also allow
168 allowed to access. Note that unlike the web interface, passwords 174 customisation of tracker instance creation via an overridable
169 and roles for users are still retreivable if the user has access 175 "get_tracker" context manager.
170 rights to the properties. 176 - Allow transitive properties in @fields in REST API. These transitive
171 - ETags are sent by GET operations and required for DELETE, PUT and 177 properties may not cross Multilinks, e.g., when querying 'issue' the
172 PATCH operations. ETag can be supplied by HTTP header or in the 178 property 'messages.author' is not allowed (because 'messages' is a
173 payload by adding the field @etag to the form with the value of 179 multilink). A multilink at the end (e.g. messages in the example) is
174 the etag. 180 fine.
175 - If dict2xml.py is installed, the rest interface can produce an XML 181 - Added markdown rendering using markdown, markdown2 or mistune; use
176 format response if the accept header is set to text/xml. 182 SimpleMDE markdown editor in jinja2 template (Christof Meerwald)
177 (See: https://pypi.org/project/dict2xml/) 183 - Allow filtering by multiple date ranges or empty date. Date ranges are
178 - When retrieving collection move list of collection elements to 184 separated by comma, an empty date is represented by '-'
179 collection property. Add @links property with self, next and prev 185 - issue2551083 - Replace BaseException and Exception as base classes
180 links (where needed). Add @total_size with size of entire 186 with new RoundupException (inheriting from Exception) for most
181 collection (unpaginated). Pagination index starts at 1 not 0. 187 roundup exceptions. (John Rouillard and Ralf Schlatterbeck on
182 - accept content-type application/json payload for PUT, PATCH, POST 188 request from Robert Klonner.)
183 requests in addition to application/x-www-form-urlencoded.
184 (John Rouillard)
185 - issue2550833: the export_csv web action now returns labels/names
186 rather than id's. Replace calls to export_csv with the export_csv_id
187 action to return the same data as the old export_csv action. (Tom
188 Ekberg (tekberg), Andreas (anrounham14) edited/applied and tests
189 created by John Rouillard)
190 - issue2551018: Add new note_filter parameter to nosymessage. The
191 function supplied by this parameter can rewrite the body of the
192 nosymessage before it gets sent. See issue:
193 https://issues.roundup-tracker.org/issue2551018 for example
194 nosyreaction and generated email. (Tom Ekberg (tekberg))
195 - issue2550949: Rate limit password guesses/login attempts. Rate
196 limit mechanism added for web page logins. Default is 3 login
197 attempts/minute for a user. After which one login attempt every 20
198 seconds can be done. (John Rouillard)
199 - issue2551043: Add X-Roundup-issue-id email header. Add a new header
200 to make it easier to filter notification emails without having to
201 parse the subject line. (John Rouillard)
202 - The database filter method now can also do an exact string search.
203 - The database filter method now has limit and offset parameters that
204 map to the corresponding parameters of SQL.
205 - issue2551061: Add rudimentary experimental support for JSON Web
206 Tokens (jwt) to allow delegation of limited access rights to third
207 parties. See doc/rest.txt for details and intent. (John Rouillard)
208 - issue2551058: Add new permissions: 'Rest Access' and 'Xmlrpc Access'
209 to allow per-user access control to rest and xmlrpc interfaces using
210 roles. (John Rouillard)
211 - issue2551059: added new values for tx_Source to indicate when /rest
212 or /xmlrpc endpoint is being used rather than the normal web
213 endpoints. (John Rouillard)
214 - issue2551062: roundup-admin security now validates all properties in
215 permissions. It reports invalid properties. (John Rouillard)
216 - issue2551065: Reorder html entities generated by submit button so that
217 styles can be applied. Thanks to Garth Jensen for the patch against
218 release 1.6 that was ported to upcoming 2.0 release (Ralf
219 Schlatterbeck).
220 189
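Review bot: the `-u <login>[:<password>]` entry at new lines 148-154 carries developer-notebook speculation ("no mention of it is in the spec that I can find, so not sure what it was supposed to be used for") that does not belong in a release announcement; state the behaviour plainly, e.g. "The password part is accepted but ignored, since the CLI already has full access to the tracker files", and keep the warning that a login containing ":" is not supported. The `registration_delay` entry at new lines 145-147 describes a change that requires action on every tracker whose user.register.html has not been updated (the value must be set to 0), so it deserves a mention in the intro alongside the Python 3 note, and it is the only entry in this list without an author credit. The `http_auth_convert_realm_to_lowercase` entry at new lines 163-171 does not say which config.ini section the option lives in, whereas the registration_delay entry gives "[web]"; add the section. Minor: "request displatcher" at new line 173 should read "dispatcher".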
221 Fixed: 190 Fixed:
222 191
223 - issue2550811: work around Unicode encoding issues in jinja2 template 192 - issue2550996 - Give better error message when running with -c
224 by explicitly converting data to Unicode; also fixed pagination and 193 (install as windows service) and pywin32 is not importable. Could use
225 selecting columns to display in the issues list (Christof Meerwald) 194 better testing on a windows box. (John Rouillard)
226 - issue2550988: fixed fallback to pseudo random number generator in 195 - issue2550921 - Can create login name with , in it. Confuses nosy
227 case SystemRandom isn't available, prefer use of secrets module if 196 list editing. Also can embed html tags. Updated userauditor.py
228 available (Python 3.6+) (Christof Meerwald) 197 to prevent this. See updating.txt. (John Rouillard)
229 - issue2550993: fixed edit CSV action to update restored items to the 198 - issue1344046 - Search for "All text" can't find some Unicode words
230 new value instead of restoring with the previous value (Christof 199 (John Rouillard, Ezio Melotti)
231 Meerwald) 200 - issue1195739 - search in russian does not work (John Rouillard, Ezio
232 - issue2550994: avoid breakage caused by use of backports of Python 3 201 Melotti)
233 configparser module to Python 2. (Joseph Myers) 202 - issue2550920 - Registration with confirmation detects duplcate name
234 - Make non-existent items in history not cause a traceback (Ralf 203 when using validation. Added option to allow detection of duplicate
235 Schlatterbeck) 204 username when the user tries to register. Previously user was
236 - issue2550722: avoid errors from selecting "no selection" on 205 rejected when confirming registration. (John Rouillard)
237 multilink. (Joseph Myers) 206 - French translation gave errors with Python 3 because of ISO-8859-1
238 - issue2550992: avoid errors from invalid Authorization 207 character in .mo file header. (Joseph Myers)
239 headers. (Joseph Myers) 208 - Fix representation of boolean html attributes to be 'required'
240 - issue2551022: support non-ASCII prefixes in instance config for 209 rather than the xhtml form of 'required="required"'. Specify
241 finding static files. (Cedric Krier) 210 (reverted attribute value same as attribute name or) attribute
242 - issue2551023: Fix CSRF headers for use with wsgi and cgi. The 211 value of None, to output attribute as boolean. (John Rouillard)
243 env variable array used - separators rather than _. Compare: 212 Reverted (part of) this change. It breaks rendering of non-boolean
244 HTTP_X-REQUESTED-WITH to HTTP_X_REQUESTED_WITH. The last is 213 attributes (like name="name"). So only value of None renders
245 correct. Also fix roundup-server to produce the latter form. (Patch 214 attribute properly as boolean. (Ralf Schlatterbeck)
246 by Cedric Krier, reviewed/applied John Rouillard.) 215 - issue2551076 - in responsive template, default searches for bugs and
247 - issue2551035 - fix XSS issue in wsgi and cgi when handing url not 216 tasks sets status=new default should be "don't care". (Report:
248 found/404. Reported by hannob at 217 Ludwig Reiter; Fix: John Rouillard)
249 https://github.com/python/bugs.python.org/issues/34, issue opened by 218 - issue2551077 - In "jinja2" template: cannot login if German language
250 JulienPalard. 219 is used. Fixed three places where the value of a hidden @action
251 - issue2551026: template variable not defined even though it is. 220 input field was translated. (Reported by Ludwig Reiter. John
252 Fix issue where variables defined in TAL expression are not 221 Rouillard)
253 available in the scope of the definition. (Tom Ekberg (tekberg)) 222 - Document security issues in xmlrpc interface in doc/xmlrpc.txt.
254 - Make all links created with rel=nofollow include noopener. Deals 223 - Enable autoescape in the jinja2 template and use the i18n extension
255 with possible hijack of original page due to malicious link target. 224 for translations. (Report: John Rouillard; Fix: Christof Meerwald)
256 https://mathiasbynens.github.io/rel-noopener/ (John Rouillard) 225 - Cleanup code by linting using flake8. (John Rouillard)
257 - Fix bug where some protected properties were not identified as such 226 - Cleanup code by security linting using bandit. (John Rouillard)
258 when using the anydbm backend (John Rouillard) 227 - issue2550912 - fixed missing query string in __came_from for jinja2
259 - issue2551041 - change permission check from "Create User" to "Register 228 template. (Christof Meerwald)
260 User" in page.html for the responsive and devel templates. (reporter 229 - issue2551019 - handle character set conversions for CSV export
261 Cedric Krier, John Rouillard) 230 action in Python 3. (Christof Meerwald)
262 - issue2550144 - fix use of undefined icing macro in devel 231 - issue2551051: Return a 403 on non-existing or non-searchable
263 template. Replace with frame macro. (Cedric Krier) 232 transitive properties when queried via REST-API (same behavior for
264 - handle UnicodeDecodeError in file class when file contents are 233 sorting and searching).
265 not text (e.g. jpg). (John Rouillard) 234 - Fixed ReStructuredText encoding with Python 3.
266 - issue2551033: prevent reverse engineering hidden data by using etags
267 as an oracle to identify when the right data has been
268 guessed. (Joseph Myers, John Rouillard)
269 - issue2551029: Jinja2 template install error. Update configuration
270 code to make sure valid backend database is set. Remove config.ini
271 from templates to make sure that roundup-admin install writes a new
272 default config.ini based on configuration.py.
273 - issue2551040: New release of psycopg2 drops support for psycopg1 -
274 need to rewrite. Now uses psycopg2 throughout. (John Rouillard)
275 - issue2551009: Flint not supported error during reindex. Upgrading
276 doc updates to discuss this when reindexing. (Reported by Gabi,
277 Change by John Rouillard)
278 - issue2551030: Roundup fails to start if pytz to access Olson
279 timezone database not installed. (John Rouillard)
280 - issue2551029: Jinja2 template install error. Handle issue with
281 template's config.ini not getting updated. Provide an alternate
282 file: config_ini.ini for required config settings that are merged
283 into the default values producing an up to date config.ini on
284 install.
285 - issue2551008: fix incorrect encoding handling in mailgw.py
286 (Ezio Melotti, John Rouillard)
287 - issue2551053: the routing dictionary in rest.py used compiled regular
288 expressions as dictionary keys. This worked most of the time because
289 the regex lib uses a cache but resulted in duplicate keys in the
290 dictionary in some cases where a single key should have been used.
291 Thanks to Robert Klonner for discovering the problem, debugging the
292 root cause and providing a first proposed fix.
293 - Make searching with a multiselect work for Link/Multilink properties
294 that may contain numeric *key* values. For these a menu would render
295 options with IDs and later look up the IDs as *key* of the
296 Link/Multilink. Now numeric IDs take precedence -- like they already
297 do in the menu method of Link and Multilink.
298 - issue2551013: Reversed sorting in hyperdb property wrapper object's
299 sorted() method. Patch by David Sowder, application and doc change
300 by John Rouillard.
301 - issue2550821 - patches for depricated mod_python apache.py interface
302 (John Rouillard)
303 - issue2551005 - deprecation of mod_python (John Rouillard)
304 - issue2551066: IMAP mail handling wasn't working and produced a
305 traceback.
306 - issue2550925 if deployed as CGI and client sends an http PROXY
307 header, the tainted HTTP_PROXY environment variable is created. It
308 can affect calls using requests package or curl. A roundup admin
309 would have to write detectors/extensions that use these mechanisms.
310 Not exploitable in default config. (John Rouillard)
311 - Add config option to keep/delete previous logging config. Needed to
312 make gunicorn --access-logfile work as it uses python logfile module
313 too.
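Review bot: the issue2550921 entry at new lines 195-197 sends readers to "updating.txt", but the file referenced everywhere else in this announcement is upgrading.txt (new lines 43-44, 144, 147); correct the name, since this entry documents a security fix (login names containing "," or html tags) that admins must apply to their own userauditor.py. The boolean-attribute entry at new lines 208-214 narrates the change and its partial revert in place ("Reverted (part of) this change. It breaks rendering of non-boolean attributes"); collapse it to the final behaviour, that only an attribute value of None renders a bare boolean attribute such as "required", and credit both authors. Minor: "duplcate" at new line 202 should be "duplicate", and the entries at new lines 222, 231-233 and 234 (xmlrpc security documentation, the 403 for non-searchable transitive properties, the ReStructuredText encoding fix) carry no author credit while the rest of the list does.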

Roundup Issue Tracker: http://roundup-tracker.org/