diff doc/announcement.txt @ 8328:3bf6ad421347 2.5.0b1

chore: update files for release 2.5.0b1.
author John Rouillard <rouilj@ieee.org>
date Wed, 11 Jun 2025 17:04:51 -0400
parents 3614cd64f4c4
children 2ed6fb7081c6
--- a/doc/announcement.txt	Wed Jun 11 16:19:00 2025 -0400
+++ b/doc/announcement.txt	Wed Jun 11 17:04:51 2025 -0400
@@ -1,15 +1,13 @@
-I'm proud to release version 2.4.0 of the Roundup issue
+I'm proud to release version 2.5.0b1 of the Roundup issue
 tracker.  This release is a bugfix and feature release, so
 make sure to read `docs/upgrading.txt
 <https://www.roundup-tracker.org/docs/upgrading.html>`_ to
 bring your tracker up to date.
 
-The 79 changes, as usual, include some new features and many
+The 41 changes, as usual, include some new features and many
 bug fixes.
 
-Version 2.4.0 will be the last release to support Python
-2. The next minor release, planned for mid 2025, will occur
-5 years after Roundup started supporting Python 3.
+Version 2.5.0b1 does not support Python 2.
 
 Note that you should run ``roundup-admin ... migrate`` to
 update the database schema version. Do this before you use
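Review bot: the unchanged context line "This release is a bugfix and feature release" now sits under a version carrying a b1 suffix, and nothing in the opening paragraph tells the reader whether 2.5.0b1 is a pre-release. If it is, say so in the first sentence so nobody deploys it to a production tracker on the strength of the "bugfix and feature release" wording. The replacement line "Version 2.5.0b1 does not support Python 2." would also be more useful with the minimum supported Python 3 version or a pointer to upgrading.txt, since the three removed lines were the only transition guidance.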
@@ -26,73 +24,54 @@
 
 then unpack and test/install from the tarball.
 
-Among the notable improvements in 2.4.0 from the 2.3.0
+Among the notable improvements in 2.5.0 from the 2.4.0
 release are:
 
-* three CVE's have been fixed. One requires changes to your
-  tracker's home directory. The other two are fixed by
-  installing 2.4.0.  See
-  https://www.roundup-tracker.org/docs/security.html for
-  details and instructions on how to fix these in 2.4.0 and
-  earlier releases.
+* detect more errors in RPN search expressions. Return more
+  useful error messages. Documented (advanced) RPN search expressions
+  in the user guide.
 
-* new classhelper component thanks to a team of students
-  from CS682 at U-Mass Boston. This fixes many issues with
-  the old classhelper. It is implemented as a web-component
-  and needs REST interface access. It will fall back to the
-  classic classhelper if REST is not available or if the
-  browser does not support web-components.
+* change default password hash method to PBKDF2 with SHA512. You
+  may need to reset password_pbkdf2_default_rounds to a lower
+  value. See upgrading doc.
 
-* fix Windows Python installation using pip. It used to go
-  into an infinite loop during install or download. Also fix
-  installation of shared files (templates) so roundup-admin
-  can find them.
+* add filter function to Permission objects. This pushes some
+  permission checks down to the SQL database and speeds up display of
+  index pages.
+
+* fix crash bug on windows with Python 3.13
 
-* using ``@current_user`` as a value in a search URL for a
-  user property will use the current logged in user. Now you
-  can share searches like: "My issues" as "my" will become
-  the current logged in user.
+* update doc on required REST headers. Also other docs updates.
 
-* login failures to the REST/XML-RPC interfaces are now rate
-  limited to limit password guessing attacks.
+* detect error condition early when we can't respond with requested
+  REST format response (e.g. xml is requested).
 
-* utf8mb4 is the default charset for MySQL. This requires
-  migrating your database using the mysql client. You can
-  choose to keep the older character set in config.ini.
+* do not generate an error if a PUT REST request sets the user's
+  address to the current value.
 
-* PostgreSQL services defined in pg_service.conf can be
-  used.  PostgreSQL schemas are supported to eliminate the
-  need for the roundup user to have database
-  creation/deletion privileges.
-
-* fix out of memory issue when importing larger trackers
-  into PostgreSQL.
+* make ``roundup-gettext`` extract translatable strings from detectors
+  and extensions.
 
-* multiple roundup-admin improvements: display protected
-  properties (like creation date), better formatting of
-  output, command history. Also on windows, pyreadline3 is
-  supported to provide an editable interactive command line.
+* improve security of session cookies by marking them with the magic
+  ``__Secure__`` prefix.
 
-* an experimental wsgi performance improvement in 2.3.0 is
-  now now the default and is opt-out.
+* make the rest endpoint return raw message or file content data. Use
+  the ``binary_content`` endpoint and a suitable ``Accept``` header in
+  the request.
 
-* new template functions: utils.readfile and
-  utils.expandfile. Javascript that is included in the
-  Python core will be moved to external files and be able to
-  have values from Roundup substituted in the Javascript.
+* add support for the ``defusedxml`` Python module to improve security when
+  using XML.
 
-* allow content-type of a template to be set from inside the
-  template.  This allows returning json or xml from a
-  template without a .json or .xml extention.
+* add templating function: ``utils.set_http_response(integer)`` to set
+  HTTP return code from your template.
 
-* fix import/export on windows to use Unix style line
-  endings fixing export/import on Windows and making exports
-  portable across platforms.
+* add generation of native HTML date and number/integer inputs. See
+  Upgrading for caveats this is disabled by default.
 
-* various other Windows platform fixes including test suite
-  fixes.
+* re-enable support for GPG/PGP signed emails. Requires installing
+  from the test PyPi repository.
 
-* sqlite version 1 and StructuredText support removed.
+* remove XHTML support simplifying the code base
 
 The file CHANGES.txt has a detailed list of feature
 additions and bug fixes for each release. The most recent
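Review bot: the session cookie bullet writes the prefix as ``__Secure__``, while the Features entry for issue2551370 later in this patch writes it as __Secure- ; the hyphenated form is the cookie prefix browsers recognise, so the bullet should read ``__Secure-``. In the same list, ``Accept``` has three closing backticks and will not render as a reStructuredText inline literal. "See Upgrading for caveats this is disabled by default." is a run-on and needs a full stop or "; this" after "caveats". The GPG/PGP bullet says "signed emails" where the changelog entry says "encrypted emails", so one of them needs correcting or both need listing. The PBKDF2 bullet tells admins they "may need to reset password_pbkdf2_default_rounds to a lower value" without saying when; the changelog entry's figures (new default 250000, change manually if set to 2 million) would fit in one clause here.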
@@ -182,270 +161,146 @@
 Recent Changes
 ==============
 
-From 2.3.0 to 2.4.0
+From 2.4.0 to 2.5.0
 
 Fixed:
 
-- CVE-2024-39124 - The classhelpers (_generic.help.html) are
-  vulnerable to an XSS attack. A specially crafted URL that used
-  that endpoint would result in running a script embedded in the
-  URL. (Found/reported by Alec Romano (4rdr), fix/tests John
-  Rouillard)
-- CVE-2024-39125 - If the Referer header is set to a script tag,
-  it will be executed when the error in the Referer header is
-  reported. (Found/reported by Alec Romano (4rdr), fix/tests John
-  Rouillard)
-- CVE-2024-39126 - PDF, XML and SVG files attached to an issue can contain
-  embedded JavaScript. This JavaScript was executed when the file was
-  accessed. PDF files are now downloaded and not displayed in the
-  browser. A content security policy is added for all download files
-  which prevents code execution in SVG files.  (Found/reported by Alec
-  Romano (4rdr), fix/tests John Rouillard)
-- issue2551282 - MySQL utf8mb4 issues and
-  issue2551115 - Use utf8mb4 as a default for MySQL instead of utf8
-  The default database type and collations have been set to:
-  utf8mb4, utf8mb4_unicode_ci and utf8mb4_0900_bin. They are (sadly)
-  configurable from config.ini. Require directions on upgrading the
-  MySQL db have been documented in upgrading.txt.
-- issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
-  Failed API login rate limiting with expiring lockout added. (John
-  Rouillard)
-- issue2551184 - improve i18n handling. Patch to test to make sure it
-  uses the test tracker's locale files and not other locale
-  files. (Marcus Priesch)
-- issue2551283 - fail if version 2.4.9 of markdown2 is used, it broke
-  [issue1](issue1) style links. Support markdown2 2.4.8 and earlier
-  and 2.4.10 with its new schema filtering method. (John Rouillard)
-- multiple flake8 fixes (John Rouillard)
-- rename loop variable in 'for sendto in sendto:' (John Rouillard)
-- issue2551193 - Fix roundup for removal of cgi and cgitb standard
-  python modules (and FieldStorage/MiniFieldStorage). Replaced imports
-  from cgi to use roundup.anypy.cgi\_ which will load the system cgi
-  unless it is missing. Then it will load roundup.anypy.vendored.cgi
-  and make \*FieldStorage symbols available. Roundup uses its own
-  cgitb.py and not the system cgitb.py. It looks like it's the
-  precursor to the system cgitb.py. (John Rouillard)
-- issue2551278 - datetime.datetime.utcnow deprecation. Replace
-  calls with equivalent that produces timezone aware dates rather than
-  naive dates. (John Rouillard)
-- when using "roundup-admin display" indent the listing only if
-  headers or protected fields are requested. This makes the output
-  look like it did previously to 2.3.0 if the new features aren't
-  used.  Roundup-admin output was never meant to be machine parsed, but
-  don't break it unless required. (John Rouillard)
-- issue2551290 - pip install roundup Hangs on Windows 10
-  The install under windows goes into an infinite loop using pip or
-  source install. (John Rouillard)
-- Document use of pyreadline3 to allow roundup-admin to have CLI editing
-  on windows. (John Rouillard)
-- issue2551293 - remove schema_hook from Tracker instance. Looks like
-  it was an obsolete hook used for testing. Never documented and not
-  accessible from schema.py.
-- Fix roundup-admin security command. Lowercase its optional
-  argument. Roles are indexed by lower case role name. So 'security
-  User' and 'security user' should generate the same output. (John
-  Rouillard from issue on mailing list by Chuck Cunningham)
-- make roundup-server exit more quickly on ^C. This seems to be
-  limited to windows. (John Rouillard)
-- Fix error handling so failure during import of a non-user item
-  doesn't cause a second traceback. (Found by Norbert Schlemmer, fix
-  John Rouillard)
-- Handle out of memory error when importing large trackers in
-  PostgreSQL. (Found by Norbert Schlemmer, extensive testing by
-  Norbert, fix John Rouillard)
-- use unittest.mock rather than mock for
-  test/test_hyperdbvals.py. (found by Ralf Schlatterbeck. Fix John
-  Rouillard)
-- disable proxy with wget in roundup_healthcheck. (Norbert Schlemmer
-  Noschvie on github.com)
-- support dicttoxml2.py for Roundup running on 3.7 and
-  newer. dicttoxml uses a type alias: collection.Iterator that is
-  dropped in Python 3.10. (found by Norbert Schlemmer, fix John
+- issue2551343 - Remove support for PySQLite. It is unmaintained
+  and sqlite3 is used which is the default for a Python
+  distribution.  (John Rouillard)
+- replace use of os.listdir with os.scandir. Performance
+  improvement.  Using with Python 2 requires 'pip install
+  scandir'. (John Rouillard)
+- issue2551131 - Return accept-patch if patch body not accepted
+  (415 code). Accept-Patch returned with acceptable values. (John
   Rouillard)
-- fix duplicate html id 'password' in user.item.html in all templates except
-  jinja2. (John Rouillard)
-- fix unclosed file when saving index in indexer_dbm.py. (John Rouillard)
-- fix task index in devel tracker so it doesn't cause a crash if all
-  fields are selected. (John Rouillard)
-- fix windows install. When using pip share directory is installed in
-  a directory tree under the lib directory. Fix it so that Lib/share
-  is used to install the share tree. The lets Roundup find tracker
-  templates and translation files. (Found by Simon Eigeldinger, fix
-  John Rouillard)
-- fix roundup-demo, interactive mode would nuke an existing tracker.
-  (Found Tonu Mikk, fix John Rouillard)
-- fix detection/reporting when using a SQLite3 library without FTS5
-  support. Install docs updated to state that FTS5 support is required
-  when using SQLite for back end. (Found Tonu Mikk, fix John
+- issue2551074 - In "responsive" template: click on hide comment leads
+  to a red error msg. (Report by Ludwig Reiter; fix John Rouillard)
+- issue2550698 - added documentation on filtering using RPN property
+  expressions. (John Rouillard)
+- issue2551372 - Better document necessary headers for REST and fix
+  logging to log missing Origin header (Ralf Schlatterbeck with
+  suggestions on documentation by John Rouillard)
+- issue2551289 - Invalid REST Accept header with post/put performs
+  change before returning 406. Error before making any changes to the
+  db if we can't respond with requested format. (John Rouillard)
+- issue2551356 - Add etag header when If-Modified-Since GET request
+  returns not-modified (304). Breaking change to function signature
+  for client.py-Client::_serve_file(). (John Rouillard)
+- issue2551381 - roundup-server parses URI's with multiple '?"
+  incorrectly. (John Rouillard)
+- issue2551382 - invalid @verbose, @page_* values in rest uri's
+  generate 409 not 400 error. (John Rouillard)
+- fix issues with rest doc and use of PUT on a property item. Response
+  is similar to use of PUT on the item, not a GET on the
+  item. Discovered while fuzz testing. (John Rouillard)
+- issue2551383 - Setting same address via REST PUT command results in
+  an error. Now the userauditor does not trigger an error if a user
+  sets the primary address to the existing value. (John Rouillard)
+- issue2551253 - Modify password PBKDF2 method to use SHA512. The
+  default password hashing algorithm has been upgraded to
+  PBKDF2-SHA512 from PBKDF2-SHA1. The default pbkdf2 rounds in the
+  config file has been changed to 250000. The admin should change it
+  manually if it is at 2 million. PBKDF2-SHA512 (PBKDF2S5) has been
+  available since release 2.3, but it required a manual step to make
+  it the default. (John Rouillard)
+- fixed a crash with roundup-admin perftest password when rounds not set
+  on command line. (John Rouillard)
+- issue2551374 - Add error handling for filter expressions. Filter
+  expression errors are now reported. (John Rouillard)
+- issue2551384: Modify flow in client.py's REST handler to verify
+  authorization earlier. The validation order for REST requests
+  has been changed. Checking user authorization to use the REST
+  interface is done before validating the Origin header. As a
+  result, incorrectly formatted CORS preflight requests
+  (e.g. missing Origin header) can now return HTTP status 403 as
+  well as status 400. (John Rouillard)
+- issue2551387 - TypeError: not indexable. Fix crash due to
+  uninitialized list element on a (Mini)FieldStorage when unexpected
+  input is posted via wsgi. (Reported and debugged by Christof
+  Meerwald; fix John Rouillard)
+- close http socket and send a 408 status when a timeout exception
+  is handed in roundup-server. This prevents another exception
+  caused by using a timed out socket. (John Rouillard)
+- issue2551391, partial fix for issue1513369. input fields were
+  not getting id's assigned. Fixed automatic id assignment to
+  input fields. Thinko in the code. (John Rouillard)
+- issue1895197 - translated help texts in admin.py not displayed
+  correctly. (Initial patch tobias-herp, John Rouillard)
+- issue2551238 - roundup-server should exit with error if -d
+  <pidfile> is used without -l <logfile>. Added code to report
+  the issue. Added issue with relative paths for log file whn
+  using -L and -d with roundup-server. (John Rouillard)
+- Allow the specification of a "form" parameter for Date fields to make
+  the popup calendar work when the enclosing form has a name different
+  from "itemSynopsis". (Ralf Schlatterbeck)
+- issue2551376: Fix tracebacks in item templates (Ralf Schlatterbeck)
+- issue2551396: Use of os.path.stat.ST_MTIME in python 3.13 crashes
+  roundup on windows. Replaced with equivalent stat.ST_MTIME. (Randy
+  on IRC, fix: John Rouillard and R. David Murray (bitdancer))
+- issue2551323: remove functions used for XHTML template
+  support. XHTML was deprecated in Roundup 2.3.0 and an invalid value
+  in 2.4.0. (John Rouillard)
+- issue2551406: 'Templating Error: too many values to unpack' crash
+  fixed. (reported by and patch Christof Meerwald, commit/test John
   Rouillard)
-- issue2551320: user.help-search.html doesn't respect
-  properties. Setting url parameter properties when using the
-  classhelp for users now shows the requested properties. (Found by
-  Patel Malav and Nikunj Thakkar of the UMass-Boston CS682 Spring
-  2024 class; fix John Rouillard)
-- use ast.eval_literal() rather than eval() to turn CSV exported
-  string values into Python object/values.
-- use template's guess at Content-Type in headers only if Content-Type
-  is not already set. This allows a template to set its own content
-  type. For example: _generic.translate can set content type (via
-  request.client.additional_headers) to application/json and return
-  json from the template. This json could access the 1i18n functions
-  for a javascript helper. (John Rouillard)
-- when template processing raises an exception the line number is
-  sometimes missing. This causes cgitb to raise a second exception
-  which clobbers the info about the template issue. As a stop-gap set
-  the line number to -1 so the original traceback can be seen. This
-  could be a bug in ZopeTAL. (John Rouillard)
-- issue2551328 - REST results show next link if number of results is a
-  multiple of page size. There should be no next link. (Found by Patel
-  Malav and Bharath Kanama of the UMass-Boston CS682 Spring 2024
-  class; fix John Rouillard)
-- issue2551264 - REST X-Total-Count header and @total_size count
-  incorrect when paginated - correct values are now returned.
-  (John Rouillard)
-- issue2551331 - Fix repeat first/last methods. (John Rouillard)
-- Fix import/export on windows. Use unix line terminating characters.
-  (John Rouillard)
-- Fix anydbm session/otks clear() method on windows when backed by
-  dumbdbm. Also make anydbm detect the initialized database when
-  using dumbdbm. (John Rouillard)
-- Use of '-' directory in static_files config option under windows
-  Python fixed. (John Rouillard)
-- issue2551334 - number of test bugs that prevented test suite from
-  running under Windows Python are fixed. WIP. (John Rouillard)
-- issue2551302 - Remove support for sqlite version 1 from
-  back_sqlite.py. We have been using sqlite3 for over a decade. (John
-  Rouillard)
-- issue2551285 - Remove StructuredText support. reStructuredText is
-  still supported. (John Rouillard)
-- Use roundup-demo -p option to set listening port. Was ignored
-  before. (John Rouillard)
-- issue2551346 - Classic tracker's statusauditor raises error if
-  detectors/config.ini missing
-  STATUSAUDITOR_CHATTING_REQUIRES_TWO_USERS.  The statusauditor.py for
-  jinja2 and classic templates has been changed to assume that this
-  option is off when the setting is missing from
-  detectors/config.ini. Other templates do not implement this option.
-  (John Rouillard)
-- issue2551350 - Python changes for 3.12 with roundup 2.3.0. Fixes for
-  cgitb.py crash due to pydoc.html.header() signature change. (Patch
-  by Andrew (kragacles), applied John Rouillard)
-- issue2551350 - Python changes for 3.12 with roundup 2.3.0. Fixes for
-  mailer.py crash due to change in starttls signature change. (Patch
-  by Andrew (kragacles), modified and applied John Rouillard)
-- make classhelper link open in a new window by setting
-  target="_blank". This prevents overwriting of current page with the
-  classhelper if javascript is disabled. (John Rouillard)
-- issue2551341 - if @columns missing from an index url, the
-  group headers colspan property = 0. Add "or 100" in
-  stanza's so headers span all rows (up to 100).
-- fix roundup-server response requiring a 301 redirect. Did
-  not set content length leading to hang/error. (John
-  Rouillard)
-- report basename of filename when template file is invalid
-  rather than reporting a TypeError. (John Rouillard)
-- Make Last-Modified header use GMT not -0000 timezone. Fix error
-  reported by redbot testing. (John Rouillard)
-- Send Vary: Accept-Encoding on any file that could be compressed
-  even if the file is not encoded/compressed. Found by Redbot
-  testing. (John Rouillard)
-- make If-None-Match work for static file (@@file) case. Found by
-  Redbot testing (John Rouillard)
-- Send vary: accept-encoding for if-modified-since conditional
-  requests where the file is not modified. (John Rouillard)
-- Update JWT example in rest.py to use replacement for
-  datetime.datetime.utcnow(). (John Rouillard)
-- issue2551219 - document requirements of PEM file when using
-  roundup-server in SSL/TLS mode. Report better error messages
-  when PEM file is missing certificate or private key. (John
-  Rouillard)
-- Cleanup tracker index generation by roundup-server. Send
-  correct Content-Length headers so HTTP/1.1 connections don't
-  hang. (John Rouillard)
-- Fix delay when using csv export actions. The CSV file is written
-  incrementally, so we can't determine the Content-Length. When using
-  HTTP/1.1, this causes a delay while the browser waits for a timeout.
-  Forcing the connection to close after the CSV file is written
-  removes the delay. (John Rouillard)
+- fix potential HTTP Response Splitting issue in
+  roundup-server. Discovered by CodeQL in CI. (John Rouillard)
 
 Features:
 
-- issue2551323 - Remove XHTML support. Disabled option to set
-  html_version to xhtml. Running roundup commands with html_version
-  set to xhtml will result in an "Invalid value for HTML_VERSION:
-  'xhtml'" error. (John Rouillard)
-- issue2551103 - add pragma 'display_protected' to roundup-admin. If
-  true, print protected attributes like id, activity, actor...
-  when using display or specification subcommands. (John Rouillard)
-- add -P pragma=value command line option to roundup-admin. Allows
-  setting pragmas when using non-interactive mode. (John Rouillard)
-- issue685275 - add pragma show_retired to control display of retired
-  items when using list/table. Add pragma display_header to print
-  headers for display command. Header displays designator and
-  retired/active status. (John Rouillard)
-- issue2551299 - support config.ini rdbms option 'service'. Allow use
-  of a PostgreSQL connection service file (pg_service.conf) for
-  configuring database on a per-tracker basis. Also replaces use of
-  PGSERVICE env variable for single instance trackers. (From ML
-  question by ivanov. John Rouillard)
-- issue2550852 - support for specifying a PostgreSQL schema to use for
-  the Roundup database. (Patch by Stuart McGraw; slight modifications,
-  tests, docs: John Rouillard).
-- issue2551274: add configurable logging for REST API when something
-  fails, we now log status code and error message.
-  (Ralf Schlatterbeck)
-- issue2551317 - add some Jinja2 examples to customizing.txt
-  document. (John Rouillard)
-- multiple scripts/... updates - Python3, linting, enhancements:
-  weekly-report,schema-dump.py, roundup-reminder, copy-user.py,
-  dump_dbm_sessions_db.py, contributors.py (John Rouillard)
-- roundup/msgfile.py can now be called as 'python msgfmt.py de.po de.mo'
-  or 'python msgfmt.py -o de.mo de.po' to compile a translation file if
-  GNU msgfmt is missing. (John Rouillard)
-- save roundup-admin history between sessions. Load
-  ~/.roundup_admin_rlrc file to set history-size persistently. Add
-  pragma history_length to override for a session. (John Rouillard)
-- the roundup-admin history command now dumps the journal entries
-  in a more human readable format. Use the raw option to get the older
-  machine parsible output. (John Rouillard)
-- Multiple JWT secrets are supported to allow key rotation. See
-  an updated config.ini for details. (John Rouillard)
-- issue2551212 - wsgi performance improvement feature added in 2.2.0
-  is active by default. Can be turned off if needed. See upgrading.txt
-  for info. (John Rouillard)
-- issue2551270 - Better templating support for JavaScript. Add
-  utils.readfile(file, optional=False) and utils.expandfile(file,
-  token_dict=None, optional=False). Allows reading an external file
-  (e.g. JavaScript) and inserting it using tal:contents or equivalent
-  jinja function. expandfile allows setting a dictionary and tokens in
-  the file of the form "%(token_name)s" will be replaced in the file
-  with the values from the dict. (John Rouillard)
-- add @group to rest interface collection queries. Useful when using
-  optgroup in select elements. (John Rouillard)
-- roundup-demo can set the hostname in the URL using the -H
-  parameter. So you can start a demo tracker that is available from
-  your network using 'roundup-demo ... -B hostname -H hostname'. (John
+- issue2551287 - Enhance roundup_gettext.py to extract strings from
+  detectors/extensions. If the polib module is available,
+  roundup-gettext will extract translatable strings from the tracker's
+  Python code. If polib is missing, it will print a warning. (Patch
+  Marcus Priesch, cleanup to remove python 2 issues, John Rouillard.)
+- issue2551315 - Document use of
+  RestfulInstance.max_response_row_size to limit data returned
+  from rest request. (John Rouillard)
+- issue2551330 - Add an optional 'filter' function to the Permission
+  objects and the addPermission method. This is used to optimize search
+  performance by not checking items returned from a database query
+  one-by-one (using the check function) but instead offload the
+  permission checks to the database. For SQL backends this performs the
+  filtering in the database.  (Ralf Schlatterbeck)
+- issue2551370 - mark roundup session cookie with __Secure-
+  prefix. (John Rouillard)
+- add -P flag to roundup-server to log client address from
+  X-Forwarded-For reverse proxy header rather than connecting
+  address. This logs the actual client address when
+  roundup-server is run behind a reverse proxy. It also appends a
+  + sign to the logged address/name. (John Rouillard)
+- issue2551068 - Provide way to retrieve file/msg data via rest
+  endpoint. Raw file/msg data can be retrieved using the
+  /binary_content attribute and an Accept header to select the mime
+  type for the data (e.g. image/png for a png file). The existing html
+  interface method still works and is supported, but is legacy. (John
+  Rouillard) 
+- added fuzz testing for some code. Found issue2551382 and
+  others. (John Rouillard)
+- issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
+  Added support for defusedxml to better secure the xmlrpc
+  endpoint. (John Rouillard)
+- Added new instance.registerUtilMethod() method to make using complex
+  templating easier as it provides a default Client instance to the
+  templating method. (John Rouillard)
+- Added new templating utils.set_http_response(integer) method to
+  allow reporting an error to the user from a template. (John
   Rouillard)
-- issue2551347 - make _generic.help.html work without property
-  settings. THis applies to classic or minimal trackers. It allows use
-  of classhelp without the property seting for informtion only
-  (e.g. description of what a priority or status means) without being
-  able to select the property in the classhelper.  Good for adding help
-  for Link properties. (John Rouilllard)
-- issue1525113 - notation to filter by logged-in user. Use
-  @current_user with properties that are a Link to the 'user' class to
-  match the currently logged in user. Allows sharing of queries like
-  "Issues I created" or "Issues I am assigned to" by removing the
-  hard coded user id number and replacing it with the current user's
-  id. Tracker templates updated to use it. (John Rouillard from a
-  patch by Jon C. Thomason)
-- Add a /rest/data/user/roles REST endpoint. (John Rouillard)
-- issue2551353 - Add roundup-classhelper for 2.4.0
-  release. Integrate new classhelper web component to wrap
-  existing classhelper link. This fixes a number of
-  outstanding bugs against the current classhelper using
-  current web features. (Patel Malav, Nikunj Thakkar,
-  Bharath Kanama with integration by John Rouillard)
-- disable spellcheck on all password fields to try to prevent
-  browser from exposing passwords to external servers. (John
-  Rouillard)
+- issue2551390 - Replace text input/calendar popup with native
+  date input. Also add double-click and exit keyboard handlers to
+  allow copy/paste/editing the text version of the date. Configurable
+  via the use_browser_date_input setting in the [web] section of
+  config.ini. By default browser native dates are turned off.
+  (John Rouillard, Ralf Schlatterbeck)
+- Use native number type input for Number() and Integer()
+  properties. Integer() uses step=1 as well. Configurable via the
+  use_browser_number_input setting in the [web] section of config.ini.
+  Set off by default. See
+  https://issues.roundup-tracker.org/issue2551398 for discussion of
+  issues with native number inputs.  (John Rouillard, Ralf
+  Schlatterbeck)
+- issue2551231 - template.py-HTMLClass::classhelp doesn't merge
+  user defined classes. It now merges them in. (John Rouillard)
+- re-enable support for GPG/PGP encrypted emails using new python gpg
+  package on the test pypi instance. (Paul Schwabauer)
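Review bot: the "fix potential HTTP Response Splitting issue in roundup-server" entry is the last item under Fixed, has no issue number, and has no counterpart in the notable improvements list at the top of the announcement. The removed 2.4.0 text led the Fixed list with its security entries; do the same here and add a bullet to the highlights so operators running roundup-server can see there is a security-relevant reason to upgrade. Separately, the os.scandir entry says "Using with Python 2 requires 'pip install scandir'", which contradicts "Version 2.5.0b1 does not support Python 2." earlier in this file, so drop that sentence. Small text fixes in added lines: "multiple '?"" has mismatched quotes, "timeout exception is handed" looks like it should be "handled", "whn" should be "when", there is trailing whitespace after "Rouillard)" in the issue2551068 entry, and the issue separators mix " - " and ":" (for example "issue2551384:" against "issue2551383 -").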

Roundup Issue Tracker: http://roundup-tracker.org/