Skip to main content

A simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Highly customisable.

Project description

I’m proud to release version 1.4.20 of Roundup which can be seen as a security release. We’ve fixed several security issues, in particular some XSS issues. We’ve also dropped support for python 2.4 with this release. This release also introduces some minor features and, as usual, fixes some bugs:


  • Experimental support for the new Chameleon templating engine. We now have two configurable templating engines, the old Zope TAL templates (called zopetal in the config) and the new Chameleon (called chameleon in the config). A new config-option “template_engine” under [main] can take these config-options, the default is zopetal. Thanks to Cheer Xiao for the idea of making this configurable and for the actual implementation! (Ralf) WARNING: Chameleon support is highly experimental and not recommended for production use. It has known performance issues and i18n is not yet functioning. It’s still under active development. Only use this feature if you want to experiment with Chameleon and/or help with Roundup developement. If you found a bug in Chameleon support, please report after testing against latest Roundup source from the Mercurial repository.

  • issue2550678: Allow pagesize=-1 which returns all results. Suggested and implemented by John Kristensen. Tested by Satchidanand Haridas. (Bernhard)

  • Allow to turn off translation of generated html options in menu method of LinkHTMLProperty and MultilinkHTMLProperty – default is translation as it used to be (Ralf)

  • Sending of OpenPGP encrypted mail to all users or selected users (via roles) is now working. (Ralf)

  • Add config-option “nosy” to messages_to_author setting in [nosy] section of config: This will send a message to the author only in the case where the author is on the nosy-list (either added earlier or via the add_author setting). Current config-options for this setting will send / not send to author without considering the nosy list. (Ralf)


  • issue2550730: FAQ has broken link to Zope book. Reported and fixed by John Rouillard.(Bernhard)

  • issue2550728: remove buggy parentheses in TAL/ Reported and fixed by Ralf Hemmecke. (Bernhard)

  • issue2550715: IndexError when requesting non-existing file via http. Reported and fixed by Cedric Krier. (Bernhard)

  • issue2550712: exportcsvaction errors poorly when given invalid columns. Reported by Will Kahn-Greene, fixed by Cedric Krier. (Bernhard)

  • issue2550695: ‘No sort or group’ settings not retained when editing queries. Reported and fixed by John Kristensen. Tested by Satchidanand Haridas. (Bernhard)

  • Fix matching of incoming email addresses to the alternate_addresses field of a user – this would match substrings, e.g. if the user has as an alternate email and an incoming mail is addressed to this would (wrongly) match. (Ralf)

  • issue2550729: Fix password history display for anydbm backend, thanks to Ralf Hemmecke for reporting. (Ralf)

  • OpenPGP support is again working (pyme API has changed significantly) and we now have a regression test. We now take care that bounce-messages for incoming encrypted mails or mails where the policy dictates that outgoing traffic should be encrypted is actually OpenPGP encrypted. (Ralf)

  • Ignore confirm set() fields by themselves in the absence of non-“confirm” values; otherwise a bare confirm field can be used to change the a password. Reported by Cam Blackwood. (Ralf)

  • Updated version of simplified Chinese message file by Cheer Xiao: Corrected some mistakes, added a few more items and did some formating. (Ralf)

  • Fix xmlrpc URL parsing so that passwords may contain a ‘:’ character (Ralf)

  • Be more tolerant when parsing RFC2047 encoded mail headers. Use backported version of my proposed changes to email.header.decode_header in (Ralf)

  • issue2550684 Fix XSS vulnerability when username contains HTML code, thanks to Thomas Arendsen Hein for reporting and patch. (Ralf)

  • issue2550711 Fix XSS vulnerability in @action parameter, thanks to “om” for reporting. (Ralf)

  • issue2550535 In some cases even when keep_quoted_text=yes is configured we would strip quoted sections. This hit the python bug-tracker especially for python interpreter examples with leading ‘>>>’ strings. The fix is slightly different compared to the proposal as this broke keep_quoted_text=no in certain cases. We also fix a bug where keep_quoted_text=no would drop the last line of a non-quoted section if there wasn’t an empty line between the next quotes. (Ralf)

  • issue2431638 wrong registration link in bounce mail for non-registered users reported years ago by anonymous (Ralf)

  • Fix doc/upgrading.txt which produces errors with latest docutils about wrong block structure. Fix .gitignore in doc directory. Thanks to Cheer Xiao for the patches. (Ralf)

  • Fix wrong execute permissions on some files, thanks to Cheer Xiao for the patch. (Ralf)

  • Fix override of TemplatingUtils in, thanks to Cheer Xiao for the patch. (Ralf)

  • Fix another XSS with the “otk” parameter, thanks to Jesse Ruderman for reporting. (Ralf)

  • Mark cookies HttpOnly and – if https is used – secure. Fixes issue2550689, but is untested if this really works in browsers. Thanks to Joseph Myers for reporting. (Ralf)

  • Fix another XSS with the ok- and error message, see issue2550724. We solve this differently from the proposals in the bug-report by not allowing any html-tags in ok/error messages anymore. Thanks to David Benjamin for the bug-report and to Ezio Melotti for several proposed fixes. (Ralf)

If you’re upgrading from an older version of Roundup you must follow the “Software Upgrade” guidelines given in the maintenance documentation.

Roundup requires python 2.5 or later (but not 3+) for correct operation.

To give Roundup a try, just download (see below), unpack and run:

Release info and download page:

Source and documentation is available at the website:

Mailing lists - the place to ask questions:

About Roundup

Roundup is a simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. It is based on the winning design from Ka-Ping Yee in the Software Carpentry “Track” design competition.

Note: Ping is not responsible for this project. The contact for this project is

Roundup manages a number of issues (with flexible properties such as “description”, “priority”, and so on) and provides the ability to:

  1. submit new issues,

  2. find and edit existing issues, and

  3. discuss issues with other participants.

The system will facilitate communication among the participants by managing discussions and notifying interested parties when issues are edited. One of the major design goals for Roundup that it be simple to get going. Roundup is therefore usable “out of the box” with any python 2.5+ (but not 3+) installation. It doesn’t even need to be “installed” to be operational, though an install script is provided.

It comes with two issue tracker templates (a classic bug/feature tracker and a minimal skeleton) and four database back-ends (anydbm, sqlite, mysql and postgresql).

Project details

Release history Release notifications | RSS feed

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

roundup-1.4.20.tar.gz (2.1 MB view hashes)

Uploaded Source

Built Distribution

roundup-1.4.20.win32.exe (1.2 MB view hashes)

Uploaded Source

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page