Roundup 1.4.20 released

Ralf Schlatterbeck rsc at
Tue May 15 12:55:49 CEST 2012

I'm proud to release version 1.4.20 of Roundup which can be seen as a
security release. We've fixed several security issues, in particular
some XSS issues. We've also dropped support for python 2.4 with this
release. This release also introduces some minor features and, as usual,
fixes some bugs:


- Experimental support for the new Chameleon templating engine.
  We now have two configurable templating engines, the old Zope TAL
  templates (called zopetal in the config) and the new Chameleon (called
  chameleon in the config). A new config-option "template_engine" under
  [main] can take these config-options, the default is zopetal.
  Thanks to Cheer Xiao for the idea of making this configurable *and*
  for the actual implementation! (Ralf)
  WARNING: Chameleon support is highly experimental and *not* recommended for
  production use. It has known performance issues and i18n is not yet
  functioning. It's still under active development. Only use this feature if
  you want to experiment with Chameleon and/or help with Roundup
  development. If you find a bug in Chameleon support, please report it after
  testing against the latest Roundup source from the Mercurial repository.
- issue2550678: Allow pagesize=-1 which returns all results.
  Suggested and implemented by John Kristensen.
  Tested by Satchidanand Haridas. (Bernhard)
- Allow turning off translation of generated html options in the menu method
  of LinkHTMLProperty and MultilinkHTMLProperty -- the default is still
  to translate, as it used to be (Ralf)
- Sending of OpenPGP encrypted mail to all users or selected users (via
  roles) is now working. (Ralf)
- Add config-option "nosy" to messages_to_author setting in [nosy]
  section of config: This will send a message to the author only
  in the case where the author is on the nosy-list (either added
  earlier or via the add_author setting). Current config-options
  for this setting will send / not send to author without considering
  the nosy list. (Ralf)


- issue2550730: FAQ has broken link to Zope book. Reported and fixed by
  John Rouillard. (Bernhard)
- issue2550728: remove buggy parentheses in TAL/
  Reported and fixed by Ralf Hemmecke. (Bernhard)
- issue2550715: IndexError when requesting non-existing file via http.
  Reported and fixed by Cedric Krier. (Bernhard)
- issue2550712: exportcsvaction errors poorly when given invalid columns.
  Reported by Will Kahn-Greene, fixed by Cedric Krier. (Bernhard)
- issue2550695: 'No sort or group' settings not retained when editing queries.
  Reported and fixed by John Kristensen. Tested by Satchidanand Haridas.
- Fix matching of incoming email addresses to the alternate_addresses
  field of a user -- this would match substrings, e.g. if the user has
  discuss-support at as an alternate email and an incoming mail
  is addressed to support at this would (wrongly) match. (Ralf)
- issue2550729: Fix password history display for anydbm backend, thanks
  to Ralf Hemmecke for reporting. (Ralf)
- OpenPGP support is again working (the pyme API has changed significantly) and
  we now have a regression test. We now take care that bounce-messages
  for incoming encrypted mails, or for mails where the policy dictates that
  outgoing traffic should be encrypted, are actually OpenPGP encrypted. (Ralf)
- Ignore confirm set() fields by themselves in the absence of non-"confirm"
  values; otherwise a bare confirm field can be used to change a
  password. Reported by Cam Blackwood. (Ralf)
- Updated version of the simplified Chinese message file by Cheer Xiao:
  Corrected some mistakes, added a few more items and did some
  formatting. (Ralf)
- Fix xmlrpc URL parsing so that passwords may contain a ':' character
- Be more tolerant when parsing RFC2047 encoded mail headers. Use a
  backported version of my proposed changes to
  email.header.decode_header in
- issue2550684 Fix XSS vulnerability when username contains HTML code,
  thanks to Thomas Arendsen Hein for reporting and patch. (Ralf)
- issue2550711 Fix XSS vulnerability in @action parameter,
  thanks to "om" for reporting. (Ralf)
- issue2550535 In some cases even when keep_quoted_text=yes is
  configured we would strip quoted sections. This hit the python
  bug-tracker especially for python interpreter examples with leading
  '>>>' strings. The fix is slightly different compared to the proposal
  as this broke keep_quoted_text=no in certain cases. We also fix a bug
  where keep_quoted_text=no would drop the last line of a non-quoted
  section if there wasn't an empty line between the next quotes. (Ralf)
- issue2431638: Fix wrong registration link in bounce mail for non-registered
  users, reported *years* ago by anonymous. (Ralf)
- Fix doc/upgrading.txt which produces errors with latest docutils about
  wrong block structure. Fix .gitignore in doc directory. Thanks to
  Cheer Xiao for the patches. (Ralf)
- Fix wrong execute permissions on some files, thanks to Cheer Xiao for
  the patch. (Ralf)
- Fix override of TemplatingUtils in, thanks to Cheer Xiao
  for the patch. (Ralf)
- Fix another XSS with the "otk" parameter, thanks to Jesse Ruderman for
  reporting. (Ralf)
- Mark cookies HttpOnly and -- if https is used -- secure. Fixes
  issue2550689, but it is untested whether this really works in browsers.
  Thanks to Joseph Myers for reporting. (Ralf)
- Fix another XSS with the ok- and error message, see issue2550724. We
  solve this differently from the proposals in the bug-report by not
  allowing *any* html-tags in ok/error messages anymore. Thanks to
  David Benjamin for the bug-report and to Ezio Melotti for several
  proposed fixes. (Ralf)
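
The alternate_addresses fix listed above (mail for support@ wrongly matching a
user whose alternate address is discuss-support@), as an added example that is
not Roundup's own code. It assumes alternate_addresses is a newline-separated
text field, one address per line; the sample users are constructed.

```python
"""Matching an incoming mail address against a user's alternate_addresses.

Added example, not Roundup's own code. Assumes alternate_addresses is a
newline-separated text field, one address per line.
"""

# Constructed sample users: alice owns discuss-support@ as an alternate address.
USERS = {
    "alice": {"alternate_addresses": "discuss-support@example.org\nhelp@example.org"},
    "bob": {"alternate_addresses": ""},
}


def find_by_alternate_substring(incoming, users=USERS):
    """Pre-1.4.20 behaviour described in the release notes: a plain substring
    test, so mail for support@example.org is attributed to alice because the
    string is contained in 'discuss-support@example.org'."""
    if not incoming:
        return None
    for name, user in users.items():
        if incoming in user["alternate_addresses"]:
            return name
    return None


def find_by_alternate_exact(incoming, users=USERS):
    """Fixed behaviour: split the field into whole addresses and require a
    full, case-insensitive match against one of them."""
    target = incoming.strip().lower()
    if not target:
        return None
    for name, user in users.items():
        for line in user["alternate_addresses"].splitlines():
            if line.strip().lower() == target:
                return name
    return None


if __name__ == "__main__":
    for addr in ("support@example.org", "discuss-support@example.org"):
        print(addr, find_by_alternate_substring(addr), find_by_alternate_exact(addr))
```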

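The bare confirm-field fix listed above (a lone confirm field being able to set a
password), as an added example that is not Roundup's own code. It assumes the
template convention of a confirmation input named ':confirm:<property>' next to
each password input; the form dictionaries are constructed.

```python
"""Handling of password/confirm form fields.

Added example, not Roundup's own code. Assumes a confirmation input named
':confirm:<property>' accompanies each password input (naming is an assumption).
"""

CONFIRM_PREFIX = ":confirm:"


def password_changes(form, ignore_bare_confirm=True):
    """Return (changes, errors): the {property: value} pairs to apply and a
    list of confirmation mismatches.

    ignore_bare_confirm=False reproduces the pre-1.4.20 defect: a lone
    ':confirm:password' field with no 'password' field is taken as the new
    value. With the default (fixed) behaviour such a field is ignored,
    because there is nothing for it to confirm.
    """
    changes = {}
    errors = []
    confirms = {k[len(CONFIRM_PREFIX):]: v
                for k, v in form.items() if k.startswith(CONFIRM_PREFIX)}
    values = {k: v for k, v in form.items() if not k.startswith(CONFIRM_PREFIX)}

    for prop, value in values.items():
        # Normal case: a real value, which must agree with its confirmation.
        if prop in confirms and confirms[prop] != value:
            errors.append("confirmation does not match for %r" % prop)
            continue
        changes[prop] = value

    for prop, value in confirms.items():
        if prop in values:
            continue  # already handled above
        if ignore_bare_confirm:
            continue  # fixed: a bare confirm field contributes nothing
        changes[prop] = value  # defect: confirm value becomes the password

    return changes, errors


if __name__ == "__main__":
    bare = {":confirm:password": "attacker-chosen"}
    print("buggy:", password_changes(bare, ignore_bare_confirm=False))
    print("fixed:", password_changes(bare))
```
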
If you're upgrading from an older version of Roundup you *must* follow
the "Software Upgrade" guidelines given in the maintenance documentation.

Roundup requires python 2.5 or later (but not 3+) for correct operation.

To give Roundup a try, just download (see below), unpack and run::


Release info and download page:
Source and documentation are available at the website:
Mailing lists - the place to ask questions:

About Roundup

Roundup is a simple-to-use and -install issue-tracking system with
command-line, web and e-mail interfaces. It is based on the winning design
from Ka-Ping Yee in the Software Carpentry "Track" design competition.

Note: Ping is not responsible for this project. The contact for this
project is richard at

Roundup manages a number of issues (with flexible properties such as
"description", "priority", and so on) and provides the ability to:

(a) submit new issues,
(b) find and edit existing issues, and
(c) discuss issues with other participants.

The system will facilitate communication among the participants by managing
discussions and notifying interested parties when issues are edited. One of
the major design goals for Roundup is that it be simple to get going. Roundup
is therefore usable "out of the box" with any python 2.5+ (but not 3+)
installation. It doesn't even need to be "installed" to be operational,
though an install script is provided.

It comes with two issue tracker templates (a classic bug/feature tracker and
a minimal skeleton) and four database back-ends (anydbm, sqlite, mysql
and postgresql).

Dr. Ralf Schlatterbeck                  Tel:   +43/2243/26465-16
Open Source Consulting                  www:
Reichergasse 131, A-3411 Weidling       email: office at
osAlliance member                       email: rsc at