I'm proud to release version 2.5.0b1 of the Roundup issue
tracker.  This release is a bugfix and feature release, so
make sure to read `docs/upgrading.txt
<https://www.roundup-tracker.org/docs/upgrading.html>`_ to
bring your tracker up to date.

The 41 changes, as usual, include some new features and many
bug fixes.

Version 2.5.0b1 does not support Python 2.

Note that you should run ``roundup-admin ... migrate`` to
update the database schema version. Do this before you use
the web, command-line or mail interface and before any users
access the tracker.

You can install it with::

   pip install roundup

(preferably in a virtual environment). To download it, use::

   pip download roundup

then unpack and test/install from the tarball.

Among the notable improvements in 2.5.0 from the 2.4.0
release are:

* detect more errors in RPN search expressions. Return more
  useful error messages. Documented (advanced) RPN search expressions
  in the user guide.

* change default password hash method to PBKDF2 with SHA512. You
  may need to reset password_pbkdf2_default_rounds to a lower
  value. See upgrading doc.

* add filter function to Permission objects. This pushes some
  permission checks down to the SQL database and speeds up display of
  index pages.

* fix crash bug on windows with Python 3.13

* update doc on required REST headers. Also other docs updates.

* detect error condition early when we can't respond with requested
  REST format response (e.g. xml is requested).

* do not generate an error if a PUT REST request sets the user's
  address to the current value.

* make ``roundup-gettext`` extract translatable strings from detectors
  and extensions.

* improve security of session cookies by marking them with the magic
  ``__Secure__`` prefix.

* make the rest endpoint return raw message or file content data. Use
  the ``binary_content`` endpoint and a suitable ``Accept``` header in
  the request.

* add support for the ``defusedxml`` Python module to improve security when
  using XML.

* add templating function: ``utils.set_http_response(integer)`` to set
  HTTP return code from your template.

* add generation of native HTML date and number/integer inputs. See
  Upgrading for caveats this is disabled by default.

* re-enable support for GPG/PGP signed emails. Requires installing
  from the test PyPi repository.

* remove XHTML support simplifying the code base

The file CHANGES.txt has a detailed list of feature
additions and bug fixes for each release. The most recent
changes from there are at the end of this announcement. Also
see the information in doc/upgrading.txt.

If you find bugs, please report them to issues AT
roundup-tracker.org or create an account at
https://issues.roundup-tracker.org and open a new ticket. If
you have patches to fix the issues they can be attached to
the email or uploaded to the tracker.

Upgrading
=========

If you're upgrading from an older version of Roundup you
*must* follow all the "Software Upgrade" guidelines given in
the doc/upgrading.txt documentation.

Note that you should run ``roundup-admin ... migrate`` for
all your trackers to update the database schema version. Do
this before you use the web, command-line or mail interface
and before any users access the tracker.

Roundup requires Python 3 newer than or equal to version 3.7 for
correct operation. (Python 3.4 or 3.5, or 3.6 may work, but are not
tested.) Note that Roundup 2.4.0 was the last release to support
Python 2. You should deploy new trackers with Python 3 and plan on
upgrading older trackers from Python 2 to Python 3. See the upgrade
guide.

To give Roundup a try, just download (directions above),
unpack and run::

    python demo.py

then open the url printed by the demo app.

Release info and download page:

     https://pypi.org/project/roundup/

Source and documentation is available at the website:

     https://www.roundup-tracker.org/

Mailing lists - the place to ask questions:

     https://sourceforge.net/p/roundup/mailman/


About Roundup
=============

Roundup is a simple-to-use and install issue-tracking system
with command-line, web and e-mail interfaces. It is based on
the winning design from Ka-Ping Yee in the Software
Carpentry "Track" design competition.

Roundup manages a number of issues (with flexible properties
such as "description", "priority", and so on) and provides
the ability to:

(a) submit new issues,
(b) find and edit existing issues, and
(c) discuss issues with other participants.

The system facilitates communication among the participants
by managing discussions and notifying interested parties
when issues are edited. One of the major design goals for
Roundup that it be simple to get going. Roundup is therefore
usable "out of the box" with any Python 3.7+
installation. It doesn't even need to be "installed" to be
operational, though an install script is provided.

It comes with five basic issue tracker templates

* a classic bug/feature tracker
* a more extensive devel tracker for bug/features etc.
* a responsive version of the devel tracker
* a jinja2 version of the devel template (work in progress)
* a minimal skeleton

and supports four database back-ends (anydbm, sqlite, mysql
and postgresql).

Recent Changes
==============

From 2.4.0 to 2.5.0

Fixed:

- issue2551343 - Remove support for PySQLite. It is unmaintained
  and sqlite3 is used which is the default for a Python
  distribution.  (John Rouillard)
- replace use of os.listdir with os.scandir. Performance
  improvement.  Using with Python 2 requires 'pip install
  scandir'. (John Rouillard)
- issue2551131 - Return accept-patch if patch body not accepted
  (415 code). Accept-Patch returned with acceptable values. (John
  Rouillard)
- issue2551074 - In "responsive" template: click on hide comment leads
  to a red error msg. (Report by Ludwig Reiter; fix John Rouillard)
- issue2550698 - added documentation on filtering using RPN property
  expressions. (John Rouillard)
- issue2551372 - Better document necessary headers for REST and fix
  logging to log missing Origin header (Ralf Schlatterbeck with
  suggestions on documentation by John Rouillard)
- issue2551289 - Invalid REST Accept header with post/put performs
  change before returning 406. Error before making any changes to the
  db if we can't respond with requested format. (John Rouillard)
- issue2551356 - Add etag header when If-Modified-Since GET request
  returns not-modified (304). Breaking change to function signature
  for client.py-Client::_serve_file(). (John Rouillard)
- issue2551381 - roundup-server parses URI's with multiple '?"
  incorrectly. (John Rouillard)
- issue2551382 - invalid @verbose, @page_* values in rest uri's
  generate 409 not 400 error. (John Rouillard)
- fix issues with rest doc and use of PUT on a property item. Response
  is similar to use of PUT on the item, not a GET on the
  item. Discovered while fuzz testing. (John Rouillard)
- issue2551383 - Setting same address via REST PUT command results in
  an error. Now the userauditor does not trigger an error if a user
  sets the primary address to the existing value. (John Rouillard)
- issue2551253 - Modify password PBKDF2 method to use SHA512. The
  default password hashing algorithm has been upgraded to
  PBKDF2-SHA512 from PBKDF2-SHA1. The default pbkdf2 rounds in the
  config file has been changed to 250000. The admin should change it
  manually if it is at 2 million. PBKDF2-SHA512 (PBKDF2S5) has been
  available since release 2.3, but it required a manual step to make
  it the default. (John Rouillard)
- fixed a crash with roundup-admin perftest password when rounds not set
  on command line. (John Rouillard)
- issue2551374 - Add error handling for filter expressions. Filter
  expression errors are now reported. (John Rouillard)
- issue2551384: Modify flow in client.py's REST handler to verify
  authorization earlier. The validation order for REST requests
  has been changed. Checking user authorization to use the REST
  interface is done before validating the Origin header. As a
  result, incorrectly formatted CORS preflight requests
  (e.g. missing Origin header) can now return HTTP status 403 as
  well as status 400. (John Rouillard)
- issue2551387 - TypeError: not indexable. Fix crash due to
  uninitialized list element on a (Mini)FieldStorage when unexpected
  input is posted via wsgi. (Reported and debugged by Christof
  Meerwald; fix John Rouillard)
- close http socket and send a 408 status when a timeout exception
  is handed in roundup-server. This prevents another exception
  caused by using a timed out socket. (John Rouillard)
- issue2551391, partial fix for issue1513369. input fields were
  not getting id's assigned. Fixed automatic id assignment to
  input fields. Thinko in the code. (John Rouillard)
- issue1895197 - translated help texts in admin.py not displayed
  correctly. (Initial patch tobias-herp, John Rouillard)
- issue2551238 - roundup-server should exit with error if -d
  <pidfile> is used without -l <logfile>. Added code to report
  the issue. Added issue with relative paths for log file whn
  using -L and -d with roundup-server. (John Rouillard)
- Allow the specification of a "form" parameter for Date fields to make
  the popup calendar work when the enclosing form has a name different
  from "itemSynopsis". (Ralf Schlatterbeck)
- issue2551376: Fix tracebacks in item templates (Ralf Schlatterbeck)
- issue2551396: Use of os.path.stat.ST_MTIME in python 3.13 crashes
  roundup on windows. Replaced with equivalent stat.ST_MTIME. (Randy
  on IRC, fix: John Rouillard and R. David Murray (bitdancer))
- issue2551323: remove functions used for XHTML template
  support. XHTML was deprecated in Roundup 2.3.0 and an invalid value
  in 2.4.0. (John Rouillard)
- issue2551406: 'Templating Error: too many values to unpack' crash
  fixed. (reported by and patch Christof Meerwald, commit/test John
  Rouillard)
- fix potential HTTP Response Splitting issue in
  roundup-server. Discovered by CodeQL in CI. (John Rouillard)

Features:

- issue2551287 - Enhance roundup_gettext.py to extract strings from
  detectors/extensions. If the polib module is available,
  roundup-gettext will extract translatable strings from the tracker's
  Python code. If polib is missing, it will print a warning. (Patch
  Marcus Priesch, cleanup to remove python 2 issues, John Rouillard.)
- issue2551315 - Document use of
  RestfulInstance.max_response_row_size to limit data returned
  from rest request. (John Rouillard)
- issue2551330 - Add an optional 'filter' function to the Permission
  objects and the addPermission method. This is used to optimize search
  performance by not checking items returned from a database query
  one-by-one (using the check function) but instead offload the
  permission checks to the database. For SQL backends this performs the
  filtering in the database.  (Ralf Schlatterbeck)
- issue2551370 - mark roundup session cookie with __Secure-
  prefix. (John Rouillard)
- add -P flag to roundup-server to log client address from
  X-Forwarded-For reverse proxy header rather than connecting
  address. This logs the actual client address when
  roundup-server is run behind a reverse proxy. It also appends a
  + sign to the logged address/name. (John Rouillard)
- issue2551068 - Provide way to retrieve file/msg data via rest
  endpoint. Raw file/msg data can be retrieved using the
  /binary_content attribute and an Accept header to select the mime
  type for the data (e.g. image/png for a png file). The existing html
  interface method still works and is supported, but is legacy. (John
  Rouillard) 
- added fuzz testing for some code. Found issue2551382 and
  others. (John Rouillard)
- issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
  Added support for defusedxml to better secure the xmlrpc
  endpoint. (John Rouillard)
- Added new instance.registerUtilMethod() method to make using complex
  templating easier as it provides a default Client instance to the
  templating method. (John Rouillard)
- Added new templating utils.set_http_response(integer) method to
  allow reporting an error to the user from a template. (John
  Rouillard)
- issue2551390 - Replace text input/calendar popup with native
  date input. Also add double-click and exit keyboard handlers to
  allow copy/paste/editing the text version of the date. Configurable
  via the use_browser_date_input setting in the [web] section of
  config.ini. By default browser native dates are turned off.
  (John Rouillard, Ralf Schlatterbeck)
- Use native number type input for Number() and Integer()
  properties. Integer() uses step=1 as well. Configurable via the
  use_browser_number_input setting in the [web] section of config.ini.
  Set off by default. See
  https://issues.roundup-tracker.org/issue2551398 for discussion of
  issues with native number inputs.  (John Rouillard, Ralf
  Schlatterbeck)
- issue2551231 - template.py-HTMLClass::classhelp doesn't merge
  user defined classes. It now merges them in. (John Rouillard)
- re-enable support for GPG/PGP encrypted emails using new python gpg
  package on the test pypi instance. (Paul Schwabauer)