
A simple-to-use and -install issue-tracking system with command-line, web and e-mail interfaces. Highly customisable.

Project description

I’m proud to release version 2.6.0b1 of the Roundup issue tracker. This release is a bugfix and feature release, so make sure to read docs/upgrading.txt to bring your tracker up to date.

The 48 changes, as usual, include some new features and many bug fixes.

Version 2.6.0 does not support Python 2. The minimum Python version is 3.10.

Note that you should run roundup-admin ... migrate to update the database schema version. Do this before you use the web, command-line or mail interface and before any users access the tracker.

You can install it with:

pip install roundup

(preferably in a virtual environment). To download it, use:

pip download roundup

then unpack and test/install from the tarball.

Among the significant enhancements in version 2.6.0 compared to the 2.5.0 release are:

  • Filter history entries where permissions are handled by check function

    When a property’s permission uses a check command, the history of changes for that property was shown. The permissions are now properly checked using the check function.

  • Fix old CSRF prevention for PATCH method

    The PATCH method was not covered by the old CSRF protection method.

  • Modern CSRF prevention method available

    This release implements CSRF protection using the method described in “Cross-Site Request Forgery” by Filippo Valsorda (https://words.filippo.io/csrf/). This is an effective method for CSRF protection and is much simpler as well. There are no configurable options, unlike the 8 options for the older method. You can opt into it using config.ini.

  • Require reauthentication when making changes to sensitive fields

    You can trigger a reauthentication when the user changes particular fields. For example, you can require a password be entered before the user changes their password.

  • Classic UI interface modernization.

    The classic tracker has basic responsive support for mobile. The table based layout was removed and HTML 5 landmarks (main, nav …) are used along with flex and grid layouts. The left hand menu now collapses to a grid layout in a single column when on a smaller display. This can be retrofitted to existing classic trackers.

    When you moved from one page to the next on an index, the query/search name was lost. This release now preserves the search name.

    Queries triggered from the query edit page now include the query name in the index view.

    The web UI now allows users to log in without a password. Previously the password field was required, which prevented completing the login action.

    The user.item.html template now generates valid javascript.

    The jinja2 template got an updated copy of bootstrap.
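The header-based check from the article linked in the "Modern CSRF prevention" item, written out as an added example (this is not Roundup's code; the function name `csrf_allowed`, the lowercase-keyed header dict and the sample hosts are assumptions made for illustration):

```python
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def csrf_allowed(method, headers, trusted_origins=()):
    """Return True if the request passes the header-based CSRF check.

    headers: request headers keyed by lowercase name (assumed shape).
    trusted_origins: exact Origin values allowed to send cross-origin writes.
    """
    # 1. Safe methods must not change state, so they are always allowed.
    if method.upper() in SAFE_METHODS:
        return True
    origin = headers.get("origin")
    # 2. An explicitly trusted origin is allowed.
    if origin is not None and origin in trusted_origins:
        return True
    # 3. Sec-Fetch-Site is set by the browser; page script cannot override it.
    site = headers.get("sec-fetch-site")
    if site is not None:
        return site in ("same-origin", "none")
    # 4. Neither header present: not a browser request (API client, curl).
    if origin is None:
        return True
    # 5. Older browsers: the Origin host[:port] must equal the Host header.
    host = headers.get("host")
    return bool(host) and urlsplit(origin).netloc == host

# Constructed sample requests against a tracker served at tracker.example.
SAMPLES = [
    ("GET", {"host": "tracker.example", "sec-fetch-site": "cross-site"}),
    ("PATCH", {"host": "tracker.example", "sec-fetch-site": "cross-site",
               "origin": "https://other.example"}),
    ("POST", {"host": "tracker.example", "sec-fetch-site": "same-origin",
              "origin": "https://tracker.example"}),
    ("POST", {"host": "tracker.example"}),
    ("POST", {"host": "tracker.example", "origin": "https://other.example"}),
    ("POST", {"host": "tracker.example", "origin": "null"}),
]

def run_samples():
    """Evaluate every constructed sample and return the list of decisions."""
    return [csrf_allowed(method, headers) for method, headers in SAMPLES]

if __name__ == "__main__":
    for (method, headers), ok in zip(SAMPLES, run_samples()):
        print("allow " if ok else "reject", method, headers)
```

PATCH, PUT and DELETE get the same treatment as POST here because only GET, HEAD and OPTIONS are exempt.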

Other miscellaneous fixes include:

  • Multiple internal cleanups:

      * remove some Python2 support code
      * reformat
      * refactor code replacing with faster/pythonic code
      * restructuring exception handling to stop ignoring important exceptions

  • Documentation wsgi updates replacing uwsgi (abandoned) with waitress (which also works on windows).

  • rest updates with a null value no longer cause update failures.

The file CHANGES.txt has a detailed list of feature additions and bug fixes for each release. The most recent changes from there are at the end of this announcement. Also see the information in doc/upgrading.txt.

If you find bugs, please report them to issues AT roundup-tracker.org or create an account at https://issues.roundup-tracker.org and open a new ticket. If you have patches to fix the issues they can be attached to the email or uploaded to the tracker.

Upgrading

If you’re upgrading from an older version of Roundup you must follow all the “Software Upgrade” guidelines given in the doc/upgrading.txt documentation.

Note that you should run roundup-admin ... migrate for all your trackers to update the database schema version. Do this before you use the web, command-line or mail interface and before any users access the tracker.

Roundup requires Python 3 newer than or equal to version 3.10 for correct operation. (Python 3.8 or 3.9 may work, but are not tested.) Note that Roundup 2.4.0 was the last release to support Python 2. You should deploy new trackers with Python 3 and plan on upgrading older trackers from Python 2 to Python 3. See the upgrade guide.

To give Roundup a try, just download (directions above), unpack and run:

python demo.py

then open the url printed by the demo app.

Release info and download page:

https://pypi.org/project/roundup/

Source and documentation is available at the website:

https://www.roundup-tracker.org/

Mailing lists - the place to ask questions:

https://sourceforge.net/p/roundup/mailman/

About Roundup

Roundup is a simple-to-use and install issue-tracking system with command-line, web and e-mail interfaces. It is based on the winning design from Ka-Ping Yee in the Software Carpentry “Track” design competition.

Roundup manages a number of issues (with flexible properties such as “description”, “priority”, and so on) and provides the ability to:

  1. submit new issues,

  2. find and edit existing issues, and

  3. discuss issues with other participants.

The system facilitates communication among the participants by managing discussions and notifying interested parties when issues are edited. One of the major design goals for Roundup is that it be simple to get going. Roundup is therefore usable “out of the box” with any Python 3.10+ installation. It doesn’t even need to be “installed” to be operational, though an install script is provided.

It comes with five basic issue tracker templates

  • a classic bug/feature tracker

  • a more extensive devel tracker for bug/features etc.

  • a responsive version of the devel tracker

  • a jinja2 version of the devel template (work in progress)

  • a minimal skeleton

and supports four database back-ends (anydbm, sqlite, mysql and postgresql).

Recent Changes

From 2.5.0 to 2.6.0

Fixed:

  • performance improvement to session_dbm.py:clean(). Also add warning log message if clean takes longer than 3 seconds. (John Rouillard)

  • move RateLimitExceeded exception from roundup.exceptions to roundup.cgi.exceptions. Also it now inherits from HTTPException rather than Exception since it is an HTTP exception. (John Rouillard)

  • cleaned up repo. Close obsolete branches and close a split head due to an identical merge in two different working copies. (John Rouillard)

  • in roundup-admin, using ‘pragma history_length’ interactively now sets readline history length. Using -P history_length=10 on the command line always worked. (John Rouillard)

  • enhanced error reporting for errors in ini style logging configuration. (John Rouillard)

  • fix bogus javascript emitted by user_src_input macro. (John Rouillard)

  • replaced hostname localhost with 127.0.0.1 in docker healthcheck script. Found/patch by Norbert Schlemmer. (John Rouillard)

  • change some internal classes to use __slots__ for hopefully a small performance improvement. (John Rouillard)

  • issue2551413 - Broken MultiLink columns in CSV export. CSV export of a multilink link “messages” that does not have a ‘name’ property causes a crash. (found/fix by cmeerw; commit and better handling of non-labeled multilink by John Rouillard)

  • in cgi/client.py, set self.language attribute when translator passed into Client(). (John Rouillard)

  • issue2551393 - Named searches lose their name in title when next page is selected. (John Rouillard)

  • code cleanup replace bare except: with except Exception:. (patch by Sense_wang (haosenwang1018) applied by John Rouillard)

  • handle “null” values in json objects sent to a rest endpoint by filtering them from the object before processing. A “null” value will not unset an attribute. The ‘remove’ action using the PATCH verb can unset the value. Before this change “null” values retrieved from the REST interface would cause errors when sent using POST or PUT verbs. Also guard against password being set to None. (John Rouillard)

  • change the html templates so that the password is not required if the login_empty_passwords setting is enabled in config.ini. Directions for your tracker are in upgrading.txt. (John Rouillard)

  • fix traceback displayed when roundup-admin install was used with invalid settings for config.ini. It now reports the error and provides the usage output. Also usage output starts with a newline to provide a blank line between the command and the output to improve readability. (John Rouillard)

  • fix bug in 2.5.0 where roundup-admin import (or importtable) fails to properly set the next available id for the class. (John Rouillard broke it and fixed it 8-))

  • refactor mime detection/handling in the rest interface. Better supports some mime types, adds default mime type for files without a mime type (e.g. message contents). Cleaner code. (John Rouillard)

  • run hexora and mitigate/fix some medium sev and above. (John Rouillard)

  • Return 400 if environment or header variables have values with characters outside of the printable ascii range (32-127). Applies to roundup-server and roundup-cgi. wsgi and Zope depend on the hosting server for sanitizing. See waitress wsgi server bug: https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4 (John Rouillard)

  • Cleanups/minor enhancements to roundup.cgi script. (John Rouillard)

  • fix back_anydbm::Class::get() method to properly return default value if requested property is set to None. This should fix missing text indexing for the anydbm backend. (John Rouillard)

  • ruff driven cleanups/refactor of indexer* files. (John Rouillard)

  • remove roundup.anypy.scandir_ which was needed for python 2 support. (John Rouillard)

  • roundup-server no longer logs connection aborted when a client disconnects and is using HTTP 1.1 or newer. (John Rouillard)

  • replace isinstance(..., type(X)) where X is an instance of a type (1, {}, [], '', u"") with the type itself (int, dict, list, str, str). This is a leftover construct from early Python 2. Replacing them speeds up code (e.g. type({}) vs dict). (John Rouillard)

  • issue2551405 - Missing locale .mo files create 500 error on uwsgi without further info. Added more specific ConnectionAbortedError and changed IOError handling. Case in issue now logs the exception for diagnosis. (Reported by Ralf Schlatterbeck; John Rouillard)

  • Make queries selected from query edit screen include the query name/display name. This makes it work the same as invoking a query from the main “Your Queries” menu. (John Rouillard)

  • Fix SearchAction to not clobber a saved search when a new search of the same name is created. Assume a search named “asearch” exists. Create a new search (not editing the existing “asearch”). Set new query params and name it “asearch”. Roundup will warn you that “asearch” already exists and you need to choose a new name. In the warning form, you rename it to “bsearch” and save/execute. Before this would overwrite “asearch” as it set the “@old-queryname” of the warning form to “asearch”. So it looked like you were trying to edit the existing query. This fix modifies the queryname before generating the error form. So when submitted it doesn’t overwrite “asearch”. (John Rouillard)

  • update the classic tracker’s page.html to remove table based layout. It now uses html5 landmarks like header, main, search, nav. It also uses flexbox and grid layouts and includes a viewport meta tag for use on mobile devices. It can be navigated with the keyboard. Parts of the page that are too wide for the viewport can be scrolled horizontally with the keyboard or touch. Some other CSS changes make it easier to use. This is a first step to making the classic template more responsive. (John Rouillard)

  • jinja2 template dependencies updated: bootstrap 4.4.1 -> 4.6.2. (John Rouillard)

  • issue2551377 - Disabled submit button UI issues. When the submit button is clicked (triggering submit_once) but client side validation blocks the submission, the submit button no longer submits the form. Clicking it says the form has been submitted please wait. This change allows the submit button to submit the form again after 5 seconds. (John Rouillard)

  • Fix developers.txt doc bug (discovered by Ross Boylan, change by John Rouillard)

  • Handle ConfigurationErrors in demo.py cleanly. Used to dump a full traceback. Now prints error and exits. (John Rouillard)

  • Do not display journal/history fields when user does not have access to the property being changed. (John Rouillard)
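For WSGI deployments, where the "Return 400" item above leaves sanitizing to the hosting server, the same range check can be placed in middleware. This is an added example and not Roundup code; the class name `PrintableAsciiGuard`, the helper names and the list of checked CGI variables are assumptions, and the 32-127 range is taken from the item as written:

```python
# CGI-style request variables checked besides HTTP_* headers (assumed list).
CGI_VARS = ("PATH_INFO", "QUERY_STRING", "CONTENT_TYPE", "REMOTE_USER",
            "SCRIPT_NAME")

def bad_variables(environ, low=32, high=127):
    """Return sorted names of checked variables with a char outside low..high."""
    bad = []
    for name, value in environ.items():
        if not (name.startswith("HTTP_") or name in CGI_VARS):
            continue  # skip wsgi.* objects and unrelated process environment
        if not isinstance(value, str):
            continue
        if any(not (low <= ord(ch) <= high) for ch in value):
            bad.append(name)
    return sorted(bad)

class PrintableAsciiGuard:
    """WSGI middleware: answer 400 before the wrapped app sees a bad value."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if bad_variables(environ):
            body = b"400 Bad Request\n"
            start_response("400 Bad Request",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)

def probe(environ):
    """Send a constructed environ through the guard; return the status line."""
    def app(env, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]
    seen = []
    list(PrintableAsciiGuard(app)(environ, lambda status, hdrs: seen.append(status)))
    return seen[0]

if __name__ == "__main__":
    # Constructed environs: one clean, one with a NUL byte in a header value.
    print(probe({"PATH_INFO": "/issue1", "HTTP_USER_AGENT": "demo/1.0"}))
    print(probe({"PATH_INFO": "/issue1", "HTTP_X_DEMO": "abc\x00def"}))
```

Tab characters (code 9) are rejected too, since they fall below 32.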

Features:

  • add support for authorized changes. User can be prompted to enter their password to authorize a change. If the user’s password is properly entered, the change is committed. (John Rouillard)

  • add support for dictConfig style logging configuration. Ini/File style configs will still be supported. (John Rouillard)

  • add ‘q’ as alias for quit in roundup-admin interactive mode. (John Rouillard)

  • add readline command to roundup-admin to list history, control input mode etc. Also support bang (!) commands to rerun commands in history or put them in the input buffer for editing. (John Rouillard)

  • add format to logging section in config.ini. Used to set default logging format. (John Rouillard)

  • the default logging format template includes an identifier unique for a request. This identifier (trace_id) can be used to identify logs for a specific transaction. Will use nanoid if installed, uses uuid.uuid4 otherwise. Logging also supports a trace_reason log token with the url for a web request. The logging format can be changed in config.ini. (John Rouillard)

  • issue2551152 - added basic PGP setup/use info to admin_guide. (John Rouillard)

  • add support for the ‘justhtml’ html 5 parser library for python >= 3.10. It is written in pure Python. Used to convert html emails into plain text. Faster than beautifulsoup4 and it passes the html 5 standard browser test suite. Beautifulsoup is still supported. (John Rouillard)

  • add a new detector: immutable_file_contents.py that prevents changes to file contents. By default, the permissions assigned to FileClass based classes (files, msgs) do not prevent editing of file contents. While the usual HTML templates don’t provide a way to modify files, the REST interface allows changing file contents without an audit trail. Manually driving the HTML interface (via curl for example) also allows content changes. The new detector prevents changes to file contents via Roundup even by a user with admin rights. (John Rouillard)

  • Added documentation on doing an in place database migration. This is faster for large databases. (John Rouillard)

  • Added installation.txt docs on setting up SCGI support with the althttpd web server. (John Rouillard)

  • add support for tokenless/nonceless CSRF prevention following https://words.filippo.io/csrf/. (John Rouillard)

  • standardize use of roundup.anypy.urllib_. Replace urlparse() with urlsplit() (recommended) for some speedup. (John Rouillard)

  • issue2551368 - version 2.0.0 of the pgp module was published by Bernhard Reiter. Updated documentation and tests. (Bernhard Reiter, John Rouillard)


Download files


Source Distribution

roundup-2.6.0b1.tar.gz (4.8 MB)

File details

Details for the file roundup-2.6.0b1.tar.gz.

File metadata

  • Download URL: roundup-2.6.0b1.tar.gz
  • Upload date:
  • Size: 4.8 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.1.1 CPython/3.10.12

File hashes

Hashes for roundup-2.6.0b1.tar.gz
Algorithm Hash digest
SHA256 d946e40f86153831c85980a03b71df72fe9e4d454a8b239da3f32b9fe3d4af62
MD5 69b84c7fdb09bd18a35004573026bd42
BLAKE2b-256 92c7eeb7104ca26734fcc2d58a5ead1f7f43aaded8eef65a480632ab119d8c21

