I released devpi-server 4.2.0.
This is a security and functional update. Please read the full changelog below for details. The following changes are the most important:
Before devpi-server 4.2.0 passwords were hashed with a very weak algorithm. It is strongly recommended to change any passwords created before 4.2.0 after upgrading! The password salts and hashes are exposed via the /+changelog URL used for replication, so anyone able to read that URL could attempt offline guessing against the old hashes. If you use replication you should use client-side certificates or https with basic authentication to secure /+changelog.

Starting with devpi-server 4.2.0 the replication protocol is disabled by default to prevent accidental information leaks, like password hashes. To enable the replication protocol, you have to pass --role master when starting the master devpi-server instance.

If you need support, training, adjustments wrt packaging and professional testing you may contact us through http://merlinux.eu.

Regards,
Florian Schulze

Changelog for devpi-server 4.2.0:

- fix issue378: the replication protocol is now disabled by default.
- fix push to PyPI by skipping the failing “register” step and adding additional fields to the POST data on “file_upload”.
- fix issue372: correctly set isolation_level for sqlite3 connections. This also fixes Python 3.6 compatibility.
- fix issue334: the event handler for the simple page cache failed when an index was deleted and a new replica tried to run the event hooks.
- fix issue314: fetch external files on a replica from the original source if the master is down.
- fix issue363: replace weak password hashing with argon2 using passlib. Existing logins will be migrated on login.
- fix issue377: add a new --init option, required to initialize a server directory. This prevents accidental use of a wrong or empty --serverdir.
- fix issue285: require waitress >= 1.0.1 to enable IPv6 support.
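The password-hash migration described above (a weak hash replaced by argon2 via passlib, with existing logins migrated at login time) follows a general verify-then-rehash pattern. The following is an added example and is not devpi-server's own code: it uses hashlib.scrypt from the Python standard library as a stand-in for argon2 so that it runs without passlib or argon2 installed, and its "legacy" scheme is a constructed salted SHA-256, not the actual pre-4.2.0 algorithm (which the announcement does not name). The scheme tags, the scrypt parameters and the UserStore class are this example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

LEGACY = "legacy"   # constructed weak scheme, not devpi's real pre-4.2.0 format
STRONG = "scrypt"   # stand-in for argon2: memory-hard and deliberately slow
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # about 16 MiB of memory per guess


def legacy_hash(password: str, salt: Optional[bytes] = None) -> str:
    """One salted SHA-256.  The salt defeats rainbow tables, but each guess
    costs one hash, so a leaked record (e.g. one read from /+changelog) can
    be attacked offline at billions of guesses per second."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"{LEGACY}${salt.hex()}${digest}"


def _scrypt(password: str, salt: bytes, n: int, r: int, p: int) -> str:
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"{STRONG}${n}${r}${p}${salt.hex()}${digest.hex()}"


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Hash with the current parameters.  The parameters travel with the
    record so they can be raised later without a flag day."""
    salt = os.urandom(16) if salt is None else salt
    return _scrypt(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)


def verify(password: str, stored: str) -> bool:
    """Recompute under whichever scheme the record was written with."""
    scheme, rest = stored.split("$", 1)
    if scheme == LEGACY:
        salt_hex = rest.split("$")[0]
        candidate = legacy_hash(password, bytes.fromhex(salt_hex))
    elif scheme == STRONG:
        n, r, p, salt_hex = rest.split("$")[:4]
        candidate = _scrypt(password, bytes.fromhex(salt_hex), int(n), int(r), int(p))
    else:
        raise ValueError(f"unknown password scheme: {scheme!r}")
    return hmac.compare_digest(candidate, stored)


def needs_rehash(stored: str) -> bool:
    """A record is stale if it is legacy or uses weaker-than-current parameters."""
    parts = stored.split("$")
    if parts[0] != STRONG:
        return True
    return tuple(int(x) for x in parts[1:4]) != (SCRYPT_N, SCRYPT_R, SCRYPT_P)


def verify_and_update(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Returns (ok, replacement).  The plaintext only exists at login time,
    so that is the one moment a server can migrate a hash without a reset."""
    if not verify(password, stored):
        return False, None
    return True, (strong_hash(password) if needs_rehash(stored) else None)


class UserStore:
    """Minimal in-memory user database with migrate-on-login (assumed helper)."""

    def __init__(self, records):
        self.records = dict(records)

    def login(self, user: str, password: str) -> bool:
        stored = self.records.get(user)
        if stored is None:
            strong_hash(password)   # burn comparable time so timing does not reveal valid usernames
            return False
        ok, replacement = verify_and_update(password, stored)
        if ok and replacement is not None:
            self.records[user] = replacement   # rewrite only after a successful check
        return ok


if __name__ == "__main__":
    # constructed sample: alice's record predates the upgrade
    store = UserStore({"alice": legacy_hash("correct horse battery staple")})
    print("before:", store.records["alice"][:24])
    print("wrong password accepted:", store.login("alice", "guess"))
    print("right password accepted:", store.login("alice", "correct horse battery staple"))
    print("after: ", store.records["alice"][:24])
```

Two points the code makes explicit: the record is rewritten only after a successful check, so a failed login attempt never touches the stored hash, and migration can only happen when the user actually logs in. Accounts that never log in after the upgrade keep their weak hash indefinitely, which is why the announcement still asks for old passwords to be changed rather than relying on the automatic migration alone.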