|
1 | | -I'm proud to release version 1.5.0 of Roundup which has been possible |
2 | | -due to the help of several contributors. This release introduces some |
3 | | -new features, most notably modular web templating with Jinja2 as a |
4 | | -templating engine (the old templating engine is still the recommended |
5 | | -one) and, as usual, fixes some bugs: |
| 1 | +I'm proud to release version 1.5.1 of Roundup which has been possible |
| 2 | +due to the help of several contributors. This release contains |
| 3 | +important security enhancements, so make sure to read |
| 4 | +`doc/upgrading.txt <http://www.roundup-tracker.org/docs/upgrading.html>`_ |
| 5 | +to bring your tracker up to date. Other changes, as usual, include some |
| 6 | +new features and many bug fixes. |
| 7 | + |
6 | 8 |
|
7 | 9 | Features: |
8 | 10 |
|
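Review bot: The new opening paragraph (new lines 2-6) says the release contains "important security enhancements" but does not say which ones, so a reader has to scan the whole Fixed list to find them. Consider naming them here: the two entries marked "Security:" (restricted default user permissions, mime-type whitelist for attachments) and the issue2550817 XSS fix, with a word on which of them need action on an existing tracker. The link also goes to the top of upgrading.html; pointing at the section for this release would save readers a search.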
9 | | -- issue2550775 Added rel=nofollow to links in the journal linking to |
10 | | - attachments to allow the admin to delete attachment spam and prevent |
11 | | - search engines from increasing the rankings. (John Rouillard) |
12 | | -- issue2550808 Enhanced the boolean field template function. Now by |
13 | | - default the labels generated can be clicked on and select the |
14 | | - corresponding radio button. Also can create a trivalued radiobutton |
15 | | - (yes/no/unknown) as well as customize the labels for the |
16 | | - yes/no/unknown radio buttons. (John Rouillard) |
17 | | -- issue2550807 enhance classhelp method with ability to set html |
18 | | - properties on the generated link. (John Rouillard) |
19 | | -- Support for tx_Source property on database handle. Can be used by |
20 | | - detectors to find out the source of a change in an auditor to block |
21 | | - changes arriving by unauthenticated mechanisms (e.g. plain email |
22 | | - where headers can be faked). The property db.tx_Source has the |
23 | | - following values: |
24 | | - * None - Default value set to None. May be valid if it's a script |
25 | | - that is created by the user. Otherwise it's an error and indicates |
26 | | - that some code path is not properly setting the tx_Source property. |
27 | | - * "cli" - this string value is set when using roundup-admin and |
28 | | - supplied scripts. |
29 | | - * "web" - this string value is set when using any web based |
30 | | - technique: html interface, xmlrpc .... |
31 | | - * "email" - this string value is set when using an unauthenticated |
32 | | - email based technique. |
33 | | - * "email-sig-openpgp" - this string value is set when email with a |
34 | | - valid pgp signature is used. (*NOTE* the testing for this mode |
35 | | - is incomplete. If you have a pgp infrastructure you should test |
36 | | - and verify that this is properly set.) (John Rouillard) |
37 | | -- Introducing Template Loader API (anatoly techtonik) |
38 | | -- Experimental support for Jinja2, try 'jinja2' for template_engine |
39 | | - in config (anatoly techtonik) |
40 | | -- A new jinja2 template based on Classic schema and using Twitter |
41 | | - bootstrap for responsive behaviour. Run as - |
42 | | - python demo.py -t jinja2 nuke (Pradip P Caulagi) |
43 | | -- roundup_admin.py and other scripts can now be run directly from the |
44 | | - sources dir as roundup\scripts\roundup_admin.py (anatoly techtonik) |
45 | | -- Renamed old Templates classes to Loader classes to clarify sources |
46 | | - for alternative templating engines, updated docs (anatoly techtonik) |
47 | | -- Template selection code is moved from Loader classes into cgi.client |
48 | | - limiting the responsibility of Loaders to compilation and rendering. |
49 | | - Internally, templating.find_template is replaced with |
50 | | - client.selectTemplate (anatoly techtonik) |
51 | | -- Increased generated password length to 12 symbols to slow down GPGPU |
52 | | - attacks (anatoly techtonik) |
53 | | -- Implement XMLRPC MultiCall (including test), see |
54 | | - http://docs.python.org/2/library/xmlrpclib.html#xmlrpclib.MultiCall |
| 11 | +- The example local_replace.py has been updated to show how to link to |
| 12 | + modern revision systems using hex revision identifiers. |
| 13 | + This extension is used to expand shortcuts in msgs. (Bernhard Reiter) |
| 14 | +- Drop comment in user settings about numeric hour offsets instead of using |
| 15 | + pytz timezone names. Due to DST these are wrong half of the year, it is |
| 16 | + much better to use timezone names. (Thomas Arendsen Hein) |
| 17 | +- issue2550793: Wrap messages with very long lines in the web interface. |
| 18 | + (Thomas Arendsen Hein) |
| 19 | +- New Link / Multilink option "try_id_parsing": Sometimes the key of a |
| 20 | + class can be numeric -- in that case roundup will try to parse the |
| 21 | + value as an ID when evaluating form values -- not as a key. Specifying |
| 22 | + try_id_parsing='no' for these Link/Multilink will skip the ID step, |
| 23 | + default is 'yes'. (Ralf Schlatterbeck) |
| 24 | +- New configuration option 'isolation_level' in rdbms section. Currently |
| 25 | + supported for Postgres and mysql, sets the transaction isolation level. |
| 26 | + Wrong history entries for concurrent database updates observed in |
| 27 | + issue2550806 can be prevented by setting this to 'repeatable read' if |
| 28 | + you want to pay the performance penalty. We test this behaviour in the |
| 29 | + regression tests for Postgres but not currently for mysql. |
| 30 | + See http://www.postgresql.org/docs/9.1/static/transaction-iso.html |
| 31 | + (Ralf Schlatterbeck) |
| 32 | +- /xmlrpc endpoint now shows link to XML-RPC documentation if accessed |
| 33 | + through browser, without text/xml Content-Type (anatoly techtonik) |
| 34 | +- docs: New dedicated chapter for extensions in ``doc/customizing.txt`` |
| 35 | + (anatoly techtonik) |
| 36 | +- Increase default height of classhelp windows from 400 to 600. |
| 37 | + (Thomas Arendsen Hein) |
| 38 | +- Date properties now can specify (on input) an explicit timezone suffix |
| 39 | + (similar to RFC 2822), e.g. +0200 for CEST or -0500 for EST. This also |
| 40 | + works in the XMLRPC interface. For examples see roundup.date.Date. |
55 | 41 | (Ralf Schlatterbeck) |
| 42 | +- Add RejectRaw exception to allow unescaped HTML error messages to be |
| 43 | + displayed to the user (thanks Ezio Melotti for the initial patch) |
| 44 | + (John Kristensen) |
56 | 45 |
|
57 | 46 | Fixed: |
58 | 47 |
|
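Review bot: The RejectRaw entry (new lines 42-44) announces unescaped HTML in error messages without any caveat, while the issue2550817 entry in the same release stresses that error and ok messages are now escaped by default. Add a sentence saying that RejectRaw messages should be built only from trusted text, with any user-supplied value escaped before it is included, so that detector authors do not reintroduce the XSS the template change closes. The isolation_level entry (new lines 24-31) could also state what the default is, since it only says what 'repeatable read' prevents and that mysql is not covered by the regression tests.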
59 | | -- issue2550789: add documentation on how to initialise a tracker |
60 | | - without exposing the admin password. |
61 | | -- issue2550805: Postgres should search title attribute case insensitive |
62 | | - like sqlite. Reported and fixed by Tom Ekberg. (Bernhard Reiter) |
63 | | -- Removed some old left over "rlog" references in documentation and code. |
64 | | - Makes the debugging.txt advise for the database unit tests work again. |
65 | | -- Fixed OpenPGP support for modern versions of libgpgme. (Bernhard Reiter) |
66 | | -- Restored compatibility with old style trackers (anatoly techtonik) |
67 | | -- Make roundup play nice with setup tools (for using with virtualenv) |
68 | | - (Pradip Caulagi) |
69 | | -- [minor] Template responsive: make demo.py work out of the box with it, |
70 | | - by setting the static_files config.ini setting to "static". |
71 | | - Footer: link fixed and hardcoded last modified date removed. (Bernhard Reiter) |
72 | | -- demo.py print location of tracker home and fully erase its directory |
73 | | - when nuking (anatoly techtonik) |
74 | | -- demo.py changing hostname in config.ini actually changes the address |
75 | | - where demo.py listens. (John Rouillard) |
76 | | -- issue2550802: Fixed date so second fraction can't cause rounding to |
77 | | - 60.000 when serialising. Report and fix by Erik Hanspers. (Bernhard Reiter) |
78 | | -- issue2550595: Allow migrating from roundup 0.x to 1.4 (Thomas Arendsen Hein) |
79 | | -- issue2550634: New German orthography corrections (Thomas Arendsen Hein) |
| 48 | +- issue2550869 Duplicate mail headers (Reply-To, Message-ID, In-Reply-To) |
| 49 | + when sending out email. Reported with first fix by Mathias Behrle. |
| 50 | + (Bernhard Reiter) |
| 51 | +- issue2550830 An empty LinkHTMLProperty cannot be compared successfully. |
| 52 | + Improves the query editing page. Reported and fixed by R David Murray |
| 53 | + (Bernhard Reiter). |
| 54 | +- Fix Release-date of 1.5.0 in this file (thanks to Bernhard for |
| 55 | + discovery) (Ralf Schlatterbeck) |
| 56 | +- Pythons cgi form code can return a TypeError, we now guard for this |
| 57 | + condition. (Ralf Schlatterbeck) |
| 58 | +- Small bug-fix in SQL backends: A query (e.g. in a html menu) with a |
| 59 | + where-clause that always evaluates to false now will not raise a |
| 60 | + traceback. (Ralf Schlatterbeck) |
| 61 | +- Remove Python 2.3 compatibility code for i18n (anatoly techtonik) |
| 62 | +- If documentation 'sphinx-build' tool is not found in system PATH, |
| 63 | + 'setup.py build_doc' command now tries to detect it from PYTHONPATH |
| 64 | + (anatoly techtonik) |
| 65 | +- Read version and release for generated documentation from |
| 66 | + roundup/__init__.py. (Thomas Arendsen Hein) |
| 67 | +- Do not throw an internal error if a .mo file can not be read |
| 68 | + (Thomas Arendsen Hein) |
| 69 | +- issue2550673 Make the "Make a copy" link work by fixing copy_url to properly |
| 70 | + handle multilink properties. (John Rouillard) |
| 71 | +- issue2550583, issue2550635 Do not limit results with Xapian indexer |
| 72 | + (Thomas Arendsen Hein) |
| 73 | +- Allow using plain() on unsaved dates in HTML forms |
| 74 | + (Thomas Arendsen Hein) |
| 75 | +- setup.py now installs static files of the HTML documentation (stylesheets, |
| 76 | + images, etc.) (Thomas Arendsen Hein) |
| 77 | +- executable .py scripts need "#!/usr/bin/env python", add this to demo.py, |
| 78 | + remove exec bits from website/wiki/wiki/data/plugin/theme/roundup.py |
| 79 | + (Thomas Arendsen Hein) |
| 80 | +- issue2550822: Fix showing more than one additional property in class menu. |
| 81 | + Report and fix by James Mack (Thomas Arendsen Hein) |
| 82 | +- Fix String search with special SQL wildcard characters in LIKE/ILIKE |
| 83 | + clause and add testcase (Ralf Schlatterbeck) |
| 84 | +- Fix subtle bug when sorting by a Link that contains a Multilink from |
| 85 | + which we also search for an attribute. In that case the LEFT OUTER |
| 86 | + JOIN clause was missing in generated SQL. (Ralf Schlatterbeck) |
| 87 | +- Fix another XSS issue2550817. Note that the code that triggers that |
| 88 | + particular bug is no longer in roundup core. But the change to the |
| 89 | + templates we suggest is a *lot* safer as it by default escapes the |
| 90 | + error and ok messages now. Thanks to Thibault Fevry for the original |
| 91 | + bug-report. (Ralf Schlatterbeck) |
| 92 | +- issue2117897: Fixed two more places in date.py where seconds can be |
| 93 | + rounded to 60.0 and causing exceptions. Change them to 59.999 as was |
| 94 | + done in the fix for issue2550802. (Thomas Arendsen Hein) |
| 95 | +- Fix batch.propchanged for transitive id properties (would result in a |
| 96 | + backtrace when trying to group by property.id) (Ralf Schlatterbeck) |
| 97 | +- Fix issue2550835, the test checks for date-range queries with an |
| 98 | + interval that depends on the local time. Put the queried date a little |
| 99 | + later to avoid a race condition where the queried interval doesn't |
| 100 | + match the date because the clock has advanced. (Ralf Schlatterbeck) |
| 101 | +- Apply german translation fixes from Debian team in issue2550761, |
| 102 | + thanks to Kai Storbeck for taking the time to report these. |
| 103 | + (Ralf Schlatterbeck) |
| 104 | +- Fix issue2550843 Pass text of Unauthorised and Login exceptions instead |
| 105 | + of the exception instance to avoid traceback with string operations. |
| 106 | + (Thomas Arendsen Hein) |
| 107 | +- Fix issue2550841 roundup-demo templates not found in virtualenv (John |
| 108 | + Kristensen) |
| 109 | +- Security: Default user permissions should not include all user |
| 110 | + attributes. We now limit this to the username, realname and some |
| 111 | + further attributes depending on the schema. Note that we no longer |
| 112 | + include the email addresses, depending on your installation you may |
| 113 | + want to further restrict this or add some attributes like ``address`` |
| 114 | + and ``alternate_addresses``. (Ralf Schlatterbeck) |
| 115 | +- Correctly recreate the database directory when re-initialising a tracker |
| 116 | + instance. (John Kristensen) |
| 117 | +- In case of an error, date fields would lose the calendar help, fixed. |
| 118 | + (Ralf Schlatterbeck) |
| 119 | +- demo.py usage message improved: explains "nuke" now. (Bernhard Reiter) |
| 120 | +- Fix issue2550735 Missing doc for xmlrpc schema. Thanks to Cédric Krier |
| 121 | + for the patch. (anatoly techtonik) |
| 122 | +- Fix two line-break accidents in devel and responsive milestone.item.html |
| 123 | + (Thomas Arendsen Hein) |
| 124 | +- Fix broken images in legacy spec.html and original_overview.html, and |
| 125 | + restore web presence for "Roundup's Design Document" (anatoly techtonik) |
| 126 | +- Template jinja2: Updated URL to point to http://www.roundup-tracker.org/, |
| 127 | + fixed a typo. (Bernhard Reiter) |
| 128 | +- Security: Add mime-type whitelist for attachmens that can be safely |
| 129 | + rendered from Roundup without trigerring security bugs in browser |
| 130 | + plugins, XSS issues and spam. The option ``allow_html_file`` didn't |
| 131 | + provide protection for invalid content-type, in which case browser |
| 132 | + tried to guess the best one. Thanks to Kay Hayen for reporting and |
| 133 | + helping debug this. issue2550848 (Ralf Schlatterbeck, anatoly techtonik) |
| 134 | +- Documentation: configuration messages_to_author value "nosy" now documented |
| 135 | + in chapter "customizing". (Bernhard Reiter) |
| 136 | +- issue2550877 Failures in test_mailgw.py because of duplicated headers |
| 137 | + and more precise comparision. Writing headers with the email module will use |
| 138 | + continuation_ws = ' ' now for python 2.5 and 2.6. (Bernhard Reiter) |
| 139 | +- issue2550870 migrate use of 'rfc822' module to the 'email' module |
| 140 | + (Bernhard Reiter/John Kristensen) |
| 141 | +- Doctests for roundup.date.Date are now really executable and don't |
| 142 | + fail. Bug-Fixes in range properties, open intervals with 'to' didn't |
| 143 | + always work. (Ralf Schlatterbeck) |
| 144 | +- issue2550881 demo.py: Add pointer how to access demo from remote host. |
| 145 | + Suggested by Karl-Philipp Richter. (Bernhard Reiter) |
| 146 | +- issue2550884 roundup-mailgw --help text improved to explain the allowed |
| 147 | + parameters better. Suggested by by Karl-Philipp Richter. (Bernhard Reiter) |
| 148 | +- Fix form-parsing: If multiple new items are added to a multilink |
| 149 | + property, the old version would create the new items but only link |
| 150 | + one. (Ralf Schlatterbeck) |
| 151 | +- issue2550892 (translation error of priority in locale de) Thanks |
| 152 | + Martin Thomas Swaton for reporting. (Bernhard Reiter) |
| 153 | +- Help-Window now gets focus, this prevents the case that help doesn't |
| 154 | + work because an old help-window is below the main window. |
| 155 | + (Ralf Schlatterbeck) |
| 156 | +- issue2550811 20% fix: jinja2 template engine now has an example |
| 157 | + how to use non-ascii unicode contents with a custom filter ('|u'). |
| 158 | + See updates on http://www.roundup-tracker.org/cgi-bin/moin.cgi/Jinja2 |
| 159 | + (Bernhard Reiter) |
80 | 160 |
|
81 | 161 |
|
82 | 162 | If you're upgrading from an older version of Roundup you *must* follow |
|
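Review bot: The two "Security:" entries (new lines 109-114 and 128-133) and the issue2550817 XSS fix (new lines 87-91) sit in the middle of a long Fixed list, and none of them says what the administrator of an existing tracker has to do. Suggest listing them first or under their own heading, and stating for each whether it takes effect on upgrade or needs schema or template edits; "the change to the templates we suggest" should say where that suggestion is documented. The whitelist entry also does not say where the allowed mime-types are configured or how an attachment outside the whitelist is served. Typos in the added lines: "attachmens" (128), "trigerring" (129), "comparision" (137), "by by" (147).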