devpi-server 4.2.0 released
Hi!

I released devpi-server 4.2.0. This is a security and functional update. Please read the full changelog below for details. The following changes are the most important:

- We use different password hashing.
- By default the replication protocol is now disabled.
- Pushing releases to PyPI has been fixed for the recent changes made to the upload API.
- Server state is now only created when using the new --init option.
- We now support IPv6 by using waitress >= 1.0.1.

If you need support, training, adjustments wrt packaging and professional testing you may contact us through http://merlinux.eu.

Regards,
Florian Schulze

Full changelog:

SECURITY NOTE: Before devpi-server 4.2.0 passwords were hashed with a very weak algorithm. It's strongly recommended to change any passwords created before 4.2.0 after upgrading! The password salt and hashes are exposed via the /+changelog URL used for replication. If you use replication you should use client side certificates or https with basic authentication to secure /+changelog.

UPGRADE NOTE: Starting with devpi-server 4.2.0 the replication protocol is disabled by default to prevent accidental information leaks, like password hashes. To enable the replication protocol, you have to use --role master when starting the master devpi-server instance.

- fix issue378: the replication protocol is now disabled by default.
- fix push to PyPI by skipping failing "register" step and adding additional fields in POST data on "file_upload".
- fix issue372: correctly set isolation_level for sqlite3 connections. This also fixes Python 3.6 compatibility.
- fix issue334: The event handler for the simple page cache failed when an index was deleted and a new replica tried to run the event hooks.
- fix issue314: Fetch external file on replica from original source if master is down.
- fix issue363: Replace weak password hashing with argon2 using passlib. Existing logins will be migrated on login.
- fix issue377: Add new --init option required to initialize a server directory. This prevents accidental use of wrong or empty --serverdir.
- fix issue285: require waitress >= 1.0.1 to enable IPv6 support.
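The "migrated on login" step from the issue363 entry, as an added illustration that is not devpi-server's own code: devpi uses passlib with argon2, whereas this stand-alone example substitutes standard-library PBKDF2-SHA256 for argon2 and a constructed single-round salted SHA-256 as the assumed legacy scheme, so it runs without extra packages. The scheme tag stored in front of each hash is what lets a successful login detect and replace an old hash.

```python
import hashlib
import hmac
import os

# Scheme tags stored with each hash so a login can tell legacy from current.
LEGACY_SCHEME = "legacy-sha256"   # constructed stand-in for the pre-4.2.0 weak hash
CURRENT_SCHEME = "pbkdf2-sha256"  # stand-in for argon2 (stdlib only, runs offline)
PBKDF2_ROUNDS = 200_000


def hash_legacy(password, salt):
    """Weak single-round salted SHA-256 (assumed shape of the old scheme)."""
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return "%s$%s$%s" % (LEGACY_SCHEME, salt.hex(), digest)


def hash_current(password, salt=None):
    """Slow, salted hash in the role argon2 plays in devpi-server 4.2.0."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()
    return "%s$%d$%s$%s" % (CURRENT_SCHEME, PBKDF2_ROUNDS, salt.hex(), digest)


def verify(password, stored):
    """Recompute the hash under whichever scheme the stored value is tagged with."""
    scheme, *rest = stored.split("$")
    if scheme == LEGACY_SCHEME:
        salt_hex, _ = rest
        candidate = hash_legacy(password, bytes.fromhex(salt_hex))
    elif scheme == CURRENT_SCHEME:
        rounds, salt_hex, _ = rest
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(rounds)).hex()
        candidate = "%s$%s$%s$%s" % (CURRENT_SCHEME, rounds, salt_hex, digest)
    else:
        return False  # unknown scheme: never accept
    return hmac.compare_digest(candidate, stored)


def login(users, name, password):
    """Verify the password; on success with a legacy hash, rehash and overwrite."""
    stored = users.get(name)
    if stored is None or not verify(password, stored):
        return False
    if stored.split("$", 1)[0] != CURRENT_SCHEME:
        users[name] = hash_current(password)  # migrate on login
    return True
```

A wrong password must never trigger the rehash, which is why the migration sits after verification succeeds.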