I'm proud to release version 2.5.0 of the Roundup issue
tracker.  This release is a bugfix and feature release, so
make sure to read `docs/upgrading.txt
<https://www.roundup-tracker.org/docs/upgrading.html>`_ to
bring your tracker up to date.

The 41 changes, as usual, include some new features and many
bug fixes.

Version 2.5.0 does not support Python 2. The minimum Python
version is 3.7.

Note that you should run ``roundup-admin ... migrate`` to
update the database schema version. Do this before you use
the web, command-line or mail interface and before any users
access the tracker.

You can install it with::

   pip install roundup

(preferably in a virtual environment). To download it, use::

   pip download roundup

then unpack and test/install from the tarball.

Among the significant enhancements in version 2.5.0 compared to
the 2.4.0 release are:

The property/field advanced search expression feature has been
enhanced. The RPN search expression format was previously
undocumented. Search expressions are usually built using the
expression editor on the search page. They can be built manually
by modifying the search URL. However errors in expressions could
return results that didn't match the user's intent. This release
documents the RPN expression syntax, adds expression error
detection, and improves error reporting.

To boost security, Roundup updated the default hash method for
password storage. Now, we're using PBKDF2 with SHA512. Because of
this change, you should change (lower) the value of
password_pbkdf2_default_rounds in your tracker's config.ini. Check
the upgrading documentation for more info. (Note this may cause
longer authentication times, the upgrade doc describes how to
downgrade the hash method.)

For better security, Roundup's session token is now prefixed with
the magic ``__Secure__`` tag when using HTTPS. This adds to the
existing ``Secure`` property that comes with the session cookie.

Roundup verifies the user's authorization for the data fetched
from the database.  A new optional ``filter`` argument has been
added to Permission objects. When the administrator supplies a
filter function, it can boosts performance with SQL server
databases. This function should provide selection criteria to
offload permission checks to the database. Consequently, less data
is retrieved from the database, leading to quicker display of
index pages with reduced CPU and network traffic.

Requsting binary data from a REST endpoint has been a
hassle. Since JSON can't handle binary data, images (and other
binary data) need to be encoded. This makes them significantly
larger. The workaround was to use a non-REST endpoint for fetching
non-text attachments. This update lets the REST endpoint return
raw message or file content data. You can utilize the
``binary_content`` endpoint along with an appropriate ``Accept``
header (e.g. ``image/jpeg``) in your request.

The ``roundup-gettext`` tool has been enhanced to extract
translatable strings from detectors and extensions. This will
simplify the process of translating your trackers.

Other miscellaneous fixes include:

* Fixed a crash bug on Windows with Python 3.13.

* Updated documentation on required REST headers, along with other
  documentation updates.

* Early detection of error conditions when we can't provide the
  requested REST format response (like when XML is requested).

* An error is not generated if a PUT REST request sets the user's address
  to its current value.

* Added support for the ``defusedxml`` Python module to enhance
  security when using XML.

* Introduced a templating function:
  ``utils.set_http_response(integer)`` to set the HTTP return code
  directly from your template.

* Added the ability to generate native HTML date and
  number/integer inputs. Check Upgrading for caveats, as this
  feature is disabled by default.

* Re-enabled support for GPG/PGP signed emails, which requires
  installation from the test PyPi repository.

* Removed XHTML support to simplify the code base.

The file CHANGES.txt has a detailed list of feature
additions and bug fixes for each release. The most recent
changes from there are at the end of this announcement. Also
see the information in doc/upgrading.txt.

If you find bugs, please report them to issues AT
roundup-tracker.org or create an account at
https://issues.roundup-tracker.org and open a new ticket. If
you have patches to fix the issues they can be attached to
the email or uploaded to the tracker.

Upgrading
=========

If you're upgrading from an older version of Roundup you
*must* follow all the "Software Upgrade" guidelines given in
the doc/upgrading.txt documentation.

Note that you should run ``roundup-admin ... migrate`` for
all your trackers to update the database schema version. Do
this before you use the web, command-line or mail interface
and before any users access the tracker.

Roundup requires Python 3 newer than or equal to version 3.7 for
correct operation. (Python 3.4 or 3.5, or 3.6 may work, but are not
tested.) Note that Roundup 2.4.0 was the last release to support
Python 2. You should deploy new trackers with Python 3 and plan on
upgrading older trackers from Python 2 to Python 3. See the upgrade
guide.

To give Roundup a try, just download (directions above),
unpack and run::

    python demo.py

then open the url printed by the demo app.

Release info and download page:

     https://pypi.org/project/roundup/

Source and documentation is available at the website:

     https://www.roundup-tracker.org/

Mailing lists - the place to ask questions:

     https://sourceforge.net/p/roundup/mailman/


About Roundup
=============

Roundup is a simple-to-use and install issue-tracking system
with command-line, web and e-mail interfaces. It is based on
the winning design from Ka-Ping Yee in the Software
Carpentry "Track" design competition.

Roundup manages a number of issues (with flexible properties
such as "description", "priority", and so on) and provides
the ability to:

(a) submit new issues,
(b) find and edit existing issues, and
(c) discuss issues with other participants.

The system facilitates communication among the participants
by managing discussions and notifying interested parties
when issues are edited. One of the major design goals for
Roundup that it be simple to get going. Roundup is therefore
usable "out of the box" with any Python 3.7+
installation. It doesn't even need to be "installed" to be
operational, though an install script is provided.

It comes with five basic issue tracker templates

* a classic bug/feature tracker
* a more extensive devel tracker for bug/features etc.
* a responsive version of the devel tracker
* a jinja2 version of the devel template (work in progress)
* a minimal skeleton

and supports four database back-ends (anydbm, sqlite, mysql
and postgresql).

Recent Changes
==============

From 2.4.0 to 2.5.0

Fixed:

- issue2551343 - Remove support for PySQLite. It is unmaintained
  and sqlite3 is used which is the default for a Python
  distribution.  (John Rouillard)
- replace use of os.listdir with os.scandir. Performance
  improvement.  Using with Python 2 requires 'pip install
  scandir'. (John Rouillard)
- issue2551131 - Return accept-patch if patch body not accepted
  (415 code). Accept-Patch returned with acceptable values. (John
  Rouillard)
- issue2551074 - In "responsive" template: click on hide comment leads
  to a red error msg. (Report by Ludwig Reiter; fix John Rouillard)
- issue2550698 - added documentation on filtering using RPN property
  expressions. (John Rouillard)
- issue2551372 - Better document necessary headers for REST and fix
  logging to log missing Origin header (Ralf Schlatterbeck with
  suggestions on documentation by John Rouillard)
- issue2551289 - Invalid REST Accept header with post/put performs
  change before returning 406. Error before making any changes to the
  db if we can't respond with requested format. (John Rouillard)
- issue2551356 - Add etag header when If-Modified-Since GET request
  returns not-modified (304). Breaking change to function signature
  for client.py-Client::_serve_file(). (John Rouillard)
- issue2551381 - roundup-server parses URI's with multiple '?"
  incorrectly. (John Rouillard)
- issue2551382 - invalid @verbose, @page_* values in rest uri's
  generate 409 not 400 error. (John Rouillard)
- fix issues with rest doc and use of PUT on a property item. Response
  is similar to use of PUT on the item, not a GET on the
  item. Discovered while fuzz testing. (John Rouillard)
- issue2551383 - Setting same address via REST PUT command results in
  an error. Now the userauditor does not trigger an error if a user
  sets the primary address to the existing value. (John Rouillard)
- issue2551253 - Modify password PBKDF2 method to use SHA512. The
  default password hashing algorithm has been upgraded to
  PBKDF2-SHA512 from PBKDF2-SHA1. The default pbkdf2 rounds in the
  config file has been changed to 250000. The admin should change it
  manually if it is at 2 million. PBKDF2-SHA512 (PBKDF2S5) has been
  available since release 2.3, but it required a manual step to make
  it the default. (John Rouillard)
- fixed a crash with roundup-admin perftest password when rounds not set
  on command line. (John Rouillard)
- issue2551374 - Add error handling for filter expressions. Filter
  expression errors are now reported. (John Rouillard)
- issue2551384: Modify flow in client.py's REST handler to verify
  authorization earlier. The validation order for REST requests
  has been changed. Checking user authorization to use the REST
  interface is done before validating the Origin header. As a
  result, incorrectly formatted CORS preflight requests
  (e.g. missing Origin header) can now return HTTP status 403 as
  well as status 400. (John Rouillard)
- issue2551387 - TypeError: not indexable. Fix crash due to
  uninitialized list element on a (Mini)FieldStorage when unexpected
  input is posted via wsgi. (Reported and debugged by Christof
  Meerwald; fix John Rouillard)
- close http socket and send a 408 status when a timeout exception
  is handed in roundup-server. This prevents another exception
  caused by using a timed out socket. (John Rouillard)
- issue2551391, partial fix for issue1513369. input fields were
  not getting id's assigned. Fixed automatic id assignment to
  input fields. Thinko in the code. (John Rouillard)
- issue1895197 - translated help texts in admin.py not displayed
  correctly. (Initial patch tobias-herp, John Rouillard)
- issue2551238 - roundup-server should exit with error if -d
  <pidfile> is used without -l <logfile>. Added code to report
  the issue. Added issue with relative paths for log file whn
  using -L and -d with roundup-server. (John Rouillard)
- Allow the specification of a "form" parameter for Date fields to make
  the popup calendar work when the enclosing form has a name different
  from "itemSynopsis". (Ralf Schlatterbeck)
- issue2551376: Fix tracebacks in item templates (Ralf Schlatterbeck)
- issue2551396: Use of os.path.stat.ST_MTIME in python 3.13 crashes
  roundup on windows. Replaced with equivalent stat.ST_MTIME. (Randy
  on IRC, fix: John Rouillard and R. David Murray (bitdancer))
- issue2551323: remove functions used for XHTML template
  support. XHTML was deprecated in Roundup 2.3.0 and an invalid value
  in 2.4.0. (John Rouillard)
- issue2551406: 'Templating Error: too many values to unpack' crash
  fixed. (reported by and patch Christof Meerwald, commit/test John
  Rouillard)
- fix potential HTTP Response Splitting issue in
  roundup-server. Discovered by CodeQL in CI. (John Rouillard)

Features:

- issue2551287 - Enhance roundup_gettext.py to extract strings from
  detectors/extensions. If the polib module is available,
  roundup-gettext will extract translatable strings from the tracker's
  Python code. If polib is missing, it will print a warning. (Patch
  Marcus Priesch, cleanup to remove python 2 issues, John Rouillard.)
- issue2551315 - Document use of
  RestfulInstance.max_response_row_size to limit data returned
  from rest request. (John Rouillard)
- issue2551330 - Add an optional 'filter' function to the Permission
  objects and the addPermission method. This is used to optimize search
  performance by not checking items returned from a database query
  one-by-one (using the check function) but instead offload the
  permission checks to the database. For SQL backends this performs the
  filtering in the database.  (Ralf Schlatterbeck)
- issue2551370 - mark roundup session cookie with __Secure-
  prefix. (John Rouillard)
- add -P flag to roundup-server to log client address from
  X-Forwarded-For reverse proxy header rather than connecting
  address. This logs the actual client address when
  roundup-server is run behind a reverse proxy. It also appends a
  + sign to the logged address/name. (John Rouillard)
- issue2551068 - Provide way to retrieve file/msg data via rest
  endpoint. Raw file/msg data can be retrieved using the
  /binary_content attribute and an Accept header to select the mime
  type for the data (e.g. image/png for a png file). The existing html
  interface method still works and is supported, but is legacy. (John
  Rouillard) 
- added fuzz testing for some code. Found issue2551382 and
  others. (John Rouillard)
- issue2551116 - Replace xmlrpclib (xmlrpc.client) with defusedxml.
  Added support for defusedxml to better secure the xmlrpc
  endpoint. (John Rouillard)
- Added new instance.registerUtilMethod() method to make using complex
  templating easier as it provides a default Client instance to the
  templating method. (John Rouillard)
- Added new templating utils.set_http_response(integer) method to
  allow reporting an error to the user from a template. (John
  Rouillard)
- issue2551390 - Replace text input/calendar popup with native
  date input. Also add double-click and exit keyboard handlers to
  allow copy/paste/editing the text version of the date. Configurable
  via the use_browser_date_input setting in the [web] section of
  config.ini. By default browser native dates are turned off.
  (John Rouillard, Ralf Schlatterbeck)
- Use native number type input for Number() and Integer()
  properties. Integer() uses step=1 as well. Configurable via the
  use_browser_number_input setting in the [web] section of config.ini.
  Set off by default. See
  https://issues.roundup-tracker.org/issue2551398 for discussion of
  issues with native number inputs.  (John Rouillard, Ralf
  Schlatterbeck)
- issue2551231 - template.py-HTMLClass::classhelp doesn't merge
  user defined classes. It now merges them in. (John Rouillard)
- re-enable support for GPG/PGP encrypted emails using new python gpg
  package on the test pypi instance. (Paul Schwabauer)