Upstream changes:
0.009 2018-03-24 14:12:47-07:00 America/Los_Angeles
- Built using current Dist::Zilla, so various things
are better, e.g. includes a LICENSE.
- A couple of things that are only used in xt tests
used to be test requirements; now they're develop
requirements.
- No longer includes explicit dependencies on a handful
of modules (e.g. indirect) that Moo's use of strictures
used to require.
- Now only includes a Makefile.PL.
- The build now includes a cpanfile in the repo.
- The minimum perl version is now consistent between the
Makefile.PL and the META.{yml,json} files.
* Fix some security bugs
Changelog:
0.26.3
This is a bugfix release. It includes the following non-exclusive list of
improvements, which have been backported from the master branch:
Fix cloning of the libgit2 project with git clone --recursive by removing an
invalid submodule from our testing data.
Fix endianness of the port in p_getaddrinfo().
Fix handling of negative gitignore rules with wildcards.
Fix handling of case-insensitive negative gitignore rules.
Fix resolving references to a tag if the reference is stored with its fully
resolved OID in the packed-refs file.
Fix checkout not treating worktree files as modified when only their mode has
changed.
Fix rename detection with GIT_DIFF_FIND_RENAMES_FROM_REWRITES.
Enable Windows 7 and earlier to use TLS 1.2.
0.26.2
This is a security release fixing memory handling issues when reading crafted
repository index files. The issues allow for possible denial of service due to
allocation of large memory and out-of-bound reads.
As the index is never transferred via the network, exploitation requires an
attacker to have access to the local repository.
0.26.1
This is a security release that includes an update to the bundled zlib
to update it to 1.2.11. Users who build the bundled zlib are vulnerable
to security issues in the prior version.
This does not affect you if you rely on a system-installed version of zlib.
All users of v0.26.0 who use the bundled zlib should upgrade to this release.
Mercurial 4.5.1 / 4.5.2 (2018-03-06)
(4.5.2 was released immediately after 4.5.1 to fix a release
oversight.)
This is a regularly-scheduled bugfix release.
1.1. Security Fixes
All versions of Mercurial prior to 4.5.2 have vulnerabilities in
the HTTP server that allow permissions bypass to:
Perform writes on repositories that should be read-only
Perform reads on repositories that shouldn't allow read access
The nature of the vulnerabilities is:
Wire protocol commands that didn't explicitly declare their
permissions had no permissions checking done. The web.{allow-pull,
allow-push, deny_read, etc} config options governing access
control were never consulted when running these commands. This
allowed permissions bypass for impacted commands.
The batch wire protocol command did not list its permission
requirements nor did it enforce permissions on individual
sub-commands.
The implication of these vulnerabilities is that no permissions
checking was performed on commands and this could lead to accessing
data that web.* config options were supposed to prevent access to
or modifying data (via wire protocol commands that can mutate data)
without authorization. A Mercurial HTTP server in its default
configuration is supposed to be read-only. However, a well-crafted
batch command could invoke commands that perform writes.
The batch write permissions bypass has been present since Mercurial
1.9. The flaw of not checking permissions for wire protocol commands
that don't declare their needed permissions has been present since
Mercurial 1.0.
Assuming you are running a server without any custom commands
provided by extensions, your exposure is unauthorized data access
(if relying on the web.* config options to limit access) and
unauthorized data mutation via the batch command.
Server operators can detect unauthorized use of the batch command
by looking for requests to URLs of the form repo?cmd=batch with
arguments containing pushkey or unbundle. This may produce false
positives. A more comprehensive check would decode the argument
string and verify that pushkey or unbundle are command names (not
values). The arguments specified via x-hgarg-<N> request headers
can span multiple headers, so an attacker can hide an exploit
attempt by splitting a pushkey or unbundle string across
multiple headers. The only reliable way to detect whether this
vulnerability is being exploited is therefore to decode these headers
the way Mercurial does. The format for specifying arguments is documented
at
https://www.mercurial-scm.org/repo/hg/file/4.5/mercurial/help/internals/wireprotocol.txt#l26.
Python code for decoding headers is at
https://www.mercurial-scm.org/repo/hg/file/4.5/mercurial/hgweb/protocol.py#l70.
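The check the advisory describes, as an added example that is not Mercurial's own code: reassemble the x-hgarg-<N> headers in numeric order, parse the result as a URL-encoded query string, split the batch "cmds" argument on ";" and read the command name before the first space of each entry. The header naming, the ";"/space/","/"=" structure of batch entries and the value escaping (":s", ":o", ":e", ":c") are taken from the wireprotocol documentation linked above; the request representation (a dict with "url" and "headers") and the sample requests are constructed for this example. Request bodies (the X-HgArgs-Post mechanism covered in the same document) are deliberately not handled.

```python
"""Detect write commands smuggled through Mercurial's 'batch' wire command.

Added example; not Mercurial code. Requests are modelled as
{"url": str, "headers": {name: value}} (an assumption of this example).
"""
from urllib.parse import parse_qs, urlsplit

# Write-capable commands a read-only server must never execute via batch.
WRITE_COMMANDS = {"pushkey", "unbundle"}


def reassemble_hgargs(headers):
    """Join X-HgArg-1, X-HgArg-2, ... in numeric order (case-insensitive).

    Stops at the first missing index, as a server that reads
    HTTP_X_HGARG_<i> for i = 1, 2, ... until one is absent would.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    chunks, i = [], 1
    while True:
        v = lower.get("x-hgarg-%d" % i)
        if v is None:
            break
        chunks.append(v)
        i += 1
    return "".join(chunks)


def wire_args(request):
    """Decoded wire-protocol arguments from query string plus headers.

    Both sources are application/x-www-form-urlencoded. Mercurial clients
    percent-encode ';' (%3B), so parse_qs never splits inside a batch entry.
    """
    args = parse_qs(urlsplit(request["url"]).query, keep_blank_values=True)
    blob = reassemble_hgargs(request["headers"])
    if blob:
        args.update(parse_qs(blob, keep_blank_values=True))
    return args


def batch_subcommands(cmds):
    """Command names inside a batch 'cmds' argument.

    Entries are ';'-separated and look like '<name> <arg>=<value>,...'.
    Values are escaped (';' -> ':s', ',' -> ':o', '=' -> ':e', ':' -> ':c'),
    so a literal ';' never terminates an entry early and the name is
    reliably everything before the first space.
    """
    return [e.split(" ", 1)[0] for e in cmds.split(";") if e]


def flag_batch_writes(request):
    """Write sub-commands carried by a batch request ([] if none)."""
    args = wire_args(request)
    if args.get("cmd", [None])[0] != "batch":
        return []
    found = []
    for cmds in args.get("cmds", []):
        found.extend(n for n in batch_subcommands(cmds) if n in WRITE_COMMANDS)
    return found


def naive_flag(request):
    """The per-header substring check the advisory warns about."""
    return any("pushkey" in v or "unbundle" in v
               for v in request["headers"].values())


# Constructed sample requests (not captured traffic).
# 1. 'pushkey' split across two headers: evades the naive check.
SPLIT_REQUEST = {
    "url": "/repo?cmd=batch",
    "headers": {
        "X-HgArg-1": "cmds=heads+%3Bpus",
        "X-HgArg-2": "hkey+namespace%3Dbookmarks%2Ckey%3Devil%2Cold%3D%2Cnew%3D00",
    },
}
# 2. 'pushkey' appears only as a value: naive check false-positives.
LOOKUP_REQUEST = {
    "url": "/repo?cmd=batch",
    "headers": {"X-HgArg-1": "cmds=lookup+key%3Dpushkey"},
}
# 3. Ordinary read-only batch with args in the query string.
QUERY_REQUEST = {
    "url": "/repo?cmd=batch&cmds=heads+%3Bknown+nodes%3D",
    "headers": {},
}

if __name__ == "__main__":
    for name, req in [("split", SPLIT_REQUEST), ("lookup", LOOKUP_REQUEST),
                      ("query", QUERY_REQUEST)]:
        print(name, "naive:", naive_flag(req), "decoded:", flag_batch_writes(req))
```

Run against real access logs, the header reassembly is the part that matters: a per-header grep misses the split request entirely and flags the lookup request, while decoding the way the server does yields exactly the sub-command names that were actually dispatched.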
Mercurial 4.5.2 fixes these vulnerabilities by:
Performing permissions checking on all wire protocol commands,
not just commands that list their permissions.
Checking permissions on sub-commands issued to the batch command.
Wire protocol commands not declaring wire protocol permissions will
be assumed to be read-write commands and a server in its default
configuration (which only allows read-only access), will refuse to
execute these commands.
For package maintainers needing to backport the fixes, the relevant
changesets from 4.5.2 are 2c647da851ed::2ecb0fc535b1. These can be
viewed online at e.g.
https://www.mercurial-scm.org/repo/hg/rev/2ecb0fc535b1. The author
of these commits has backports to 4.4 and 4.3 on a personal fork
at https://hg.mozilla.org/users/gszorc_mozilla.com/hg. The backports
for 4.4 are a4843835c835::7cf827e5f8af and for 4.3 are
db527ae12671::86f9a022ccb8. To obtain these changesets, run e.g.
hg pull -r 7cf827e5f8af https://hg.mozilla.org/users/gszorc_mozilla.com/hg.
1.2. Backwards Compatibility Changes
The "batch" wire protocol command now enforces permissions of
each invoked sub-command. Wire protocol commands must define
their operation type or the "batch" command will assume they
can write data and will prevent their execution on HTTP servers
unless the HTTP request method is POST, the server is configured
to allow pushes, and the (possibly authenticated) HTTP user is
authorized to perform a push.
Wire protocol commands not defining their operation type in
"wireproto.PERMISSIONS" are now assumed to be used for "push"
operations and access control to run those commands is now
enforced accordingly.
1.3. Bug Fixes
fileset: don't abort when running copied() on a revision with a removed file
date: fix parsing months
setup: only allow Python 3 from a source checkout (issue5804)
annotate: do not poorly split lines at CR (issue5798)
subrepo: don't attempt to share remote sources (issue5793)
subrepo: activate clone pooling to enable sharing with remote URLs
changegroup: do not delta lfs revisions
revlog: do not use delta for lfs revisions
revlog: resolve lfs rawtext to vanilla rawtext before applying delta
v1.17.0:
fix regression in git support - use a function to ensure it works in egg installed mode
actually fail if file finding fails in order to see broken setups instead of generating broken dists
v1.16.2:
fix regression in handling git export ignores
v1.16.1
fix regression in support for old setuptools versions
v1.16.0
drop support for eol python versions
fix misuse in surrogate-escape api
add the node-and-timestamp local version scheme
respect git export ignores
avoid shlex.split on windows
fix #218 - better handling of mercurial edge-cases with tag commits being considered as the tagged commit
fix #223 - remove the dependency on the internal SetuptoolsVersion as it was removed after long-standing deprecation
v2.9.1
Add itervalues() and iteritems() methods to SessionManager.
Allow unicode strings passed to redirect().
Fix handling of __future__ import statements in PTL.
v2.9
There was a packaging error for 2.8. It included files not intended
to be released which broke the 'ptl' package. This release repairs
that error and includes a small change to random session tokens.
Use 128-bit random tokens for session keys and form tokens.
Our previous 64-bit values should still be more than secure
for web applications but recommended best practice is currently
128-bit. We use URL-safe base64 encoding so the length of
the tokens is only a bit longer.
Use base64 instead of hex encoding for util.randbytes()
v2.8
Don't set duplicate ID attributes on radio inputs.
ptl_import recompiles ptl files
Since stat.st_mtime is a float in linux, _load_pyc will almost always
recompile the ptl files. Here's a patch to make the logic follow
compile.c in python.
Git v2.16.3 Release Notes
* "git status" after moving a path in the working tree (hence making
it appear "removed") and then adding with the -N option (hence
making that appear "added") detected it as a rename, but did not
report the old and new pathnames correctly.
* "git commit --fixup" did not allow "-m<message>" option to be used
at the same time; allow it to annotate resulting commit with more
text.
* When resetting the working tree files recursively, the working tree
of submodules are now also reset to match.
* Fix for a commented-out code to adjust it to a rather old API change
around object ID.
* When there are too many changed paths, "git diff" showed a warning
message but in the middle of a line.
* The http tracing code, often used to debug connection issues,
learned to redact potentially sensitive information from its output
so that it can be more safely sharable.
* Crash fix for a corner case where an error codepath tried to unlock
what it did not acquire lock on.
* The split-index mode had a few corner case bugs fixed.
* Assorted fixes to "git daemon".
* Completion of "git merge -s<strategy>" (in contrib/) did not work
well in non-C locale.
* Workaround for segfault with more recent versions of SVN.
* Recently introduced leaks in fsck have been plugged.
* Travis CI integration now builds the executable in 'script' phase
to follow the established practice, rather than during
'before_script' phase. This allows the CI categorize the failures
better ('failed' is project's fault, 'errored' is build
environment's).
9.0.3:
Fix an error where the vendored requests was not correctly containing itself to only the internal vendored prefix.
Restore compatibility with 2.6.
v39.0.1
Restore Unicode handling for Maintainer fields in metadata.
v39.0.0:
Setuptools now vendors its own direct dependencies, no longer relying on the dependencies as vendored by pkg_resources.
Removed long-deprecated support for iteration on Version objects as returned by pkg_resources.parse_version. Removed the SetuptoolsVersion and SetuptoolsLegacyVersion names as well. They should not have been used, but if they were, replace with Version and LegacyVersion from packaging.version.
v38.7.0:
Add support for maintainer in PKG-INFO.
This library is a goodie-bag of Unix shell and environment management tools for
automated tests. A summary of the available functions is below, look at the
source for the full listing.
Create a Python virtual environment in your test that cleans up on teardown.
The fixture has utility methods to install packages and list what's installed.
0.12.2 2016/08/10
* Better proxy support
0.12.3 2017/01/31
* XLIFF and tokens support
0.12.4 2017/02/07
* Fixes to XLIFF support
0.12.5 2017/11/02
* Support for Basic Authentication when using the client behind a proxy
* Support for sourceastranslation and onlyreviewed modes when pulling files
* Return non-zero exit codes on errors
* $ tx --version now includes information about the Python version and
architecture you're running
* Some updates and minor fixes in logging/error messages
0.13.0 2018/01/08
* Rename set command to config while maintaining backwards compatibility.
* --auto-local, --auto-remote options have become mapping and mapping-remote
subcommands. Backwards compatibility has been maintained and the options
(and subcommands) are supported both when using tx set and tx config
commands.
* Introduce mapping-bulk subcommand to tx config command. mapping-bulk is
similar to mapping but configures a whole directory of files and not a
single file.
* Support branch specific push / pull using the --branch option.
* Add interactive wizard for tx config command. Interactive wizard is
triggered by default after tx init if --skipsetup option is not passed and
by the tx config if called without any options or subcommands.
0.13.1 2018/02/09
* Fix some python 3 compatibility issues
* Fix CI for python 3
* Add Python 3.6 in the supported versions
Note: For Windows executables for more Python versions see:
https://ci.appveyor.com/project/transifex/transifex-client/build/1.0.445.
## 1.0.6 - 2017-12-05
### Improvements
* Added meta character support in package name.
[GitHub#8][Reported by Mamoru TASAKA]
### Fixes
* Removed needless ArchLinux fallback from PLD Linux.
[GitHub#7][Reported by Elan Ruusamäe]
### Thanks
* Elan Ruusamäe
* Mamoru TASAKA
## 1.0.5 - 2017-11-11
### Improvements
* Removed needless Packnga development dependency.
[GitHub#4][Patch by HIGUCHI Daisuke]
* Added PLD Linux support.
[GitHub#6][Patch by Elan Ruusamäe]
### Fixes
* Fixed a bug that `:redhat` package isn't used for Fedora platform.
[GitHub#5][Patch by HIGUCHI Daisuke]
### Thanks
* HIGUCHI Daisuke
* Elan Ruusamäe
1.4.0 (2018/03/20)
* Fix deprecation warning for assert_nil in ClassMethodTest (#308 & #309)
* Display file and line number in deprecation warning - thanks to @chrisarcand
(#310, #312 & #313)
* Rename mocha/mini_test.rb to mocha/minitest.rb - thanks to @grosser (#320 &
#322)
* Fix warning when delegating to mock in Ruby 2.4 - thanks to @tjvc (#321 &
#323)
* Updates to Travis CI configuration (73af600..9732726 & 0426e5e)
Version 1.2.15 - 2018-03-21
- made it build on Solaris again
- made it build on AIX
- bugfix: invalid handling of snprintf() return code
- bugfix: invalid assert predicate
- some code cleanup
- bugfix: error message on open error was truncated
1.4.2:
Use relative imports in pkginfo modules. Supports vendoring of the package into setuptools.
Add support for Provides-Extra and Description-Content-Type fields. Per https://packaging.python.org/specifications/. See: PEP 566.
Remove support for old setuptools leaving PKG-INFO in the root of the project directory.
3.5.0:
Deprecations and Removals
record_xml_property fixture is now deprecated in favor of the more generic record_property.
Defining pytest_plugins is now deprecated in non-top-level conftest.py files, because they “leak” to the entire directory tree.
Features
New --show-capture command-line option that allows to specify how to display captured output when tests fail: no, stdout, stderr, log or all
New --rootdir command-line option to override the rules for discovering the root directory. See customize in the documentation for details.
Fixtures are now instantiated based on their scopes, with higher-scoped fixtures
record_xml_property renamed to record_property and is now compatible with xdist, markers and any reporter. record_xml_property name is now deprecated.
New --nf, --new-first options: run new tests first followed by the rest of the tests, in both cases tests are also sorted by the file modified time, with more recent files coming first.
New --last-failed-no-failures command-line option that allows to specify the behavior of the cache plugin's --last-failed feature when no tests failed in the last run.
New --doctest-continue-on-failure command-line option to enable doctests to show multiple failures for each snippet, instead of stopping at the first failure.
Captured log messages are added to the <system-out> tag in the generated junit xml file if the junit_logging ini option is set to system-out. If the value of this ini option is system-err, the logs are written to <system-err>. The default value for junit_logging is no, meaning captured logs are not written to the output file.
Allow the logging plugin to handle pytest_runtest_logstart and pytest_runtest_logfinish hooks when live logs are enabled.
Passing --log-cli-level in the command-line now automatically activates live logging.
Add command line option --deselect to allow deselection of individual tests at collection time.
Captured logs are printed before entering pdb.
Deselected item count is now shown before tests are run, e.g. collected X items / Y deselected.
The builtin module platform is now available for use in expressions in pytest.mark.
The short test summary info section now is displayed after tracebacks and warnings in the terminal.
New --verbosity flag to set verbosity level explicitly.
pytest.approx now accepts comparing a numpy array with a scalar.
Bug Fixes
Suppress IOError when closing the temporary file used for capturing streams in Python 2.7.
Fixed clear() method on caplog fixture which cleared records, but not the text property.
During test collection, when stdin is not allowed to be read, the DontReadFromStdin object still allows itself to be iterable and resolves to an iterator without crashing.
Improved Documentation
Added a reference page to the docs.
Trivial/Internal Changes
Change minimum requirement of attrs to 17.4.0.
Renamed example directories so all tests pass when ran from the base directory.
Internal mark.py module has been turned into a package.
pytest now depends on the more_itertools package.
Added warning when [pytest] section is used in a .cfg file passed with -c
nodeids can now be passed explicitly to FSCollector and Node constructors.
Internal refactoring of FormattedExcinfo to use attrs facilities and remove old support code for legacy Python versions.
Refactoring to unify how verbosity is handled internally.
Internal refactoring to better integrate with argparse.
Fix a python example when calling a fixture in doc/en/usage.rst
3.50.2:
This has no user-visible changes except one slight formatting change to one docstring, to avoid a deprecation warning.
3.50.1:
This patch fixes an internal error introduced in 3.48.0, where a check for the Django test runner would expose import-time errors in Django configuration.
3.50.0:
This release improves validation of numeric bounds for some strategies.
=== 3.17.0 / 2018-03-17
* 2 minor enhancements:
* Added task check_key to see if your signing cert is expired or not.
* Bump rdoc dependency to range from 4.x to 5.x.
* 1 bug fix:
* Fixed ridocs rake task.
- v0.7.1 Tue Mar 20 21:46:05 CDT 2018
"git tag --list" fails on some systems.
Replace "--list" with "-l" and see if that helps.
- v0.7.0 Mon Mar 19 21:34:25 CDT 2018
More test code pushed into KwikHaks.
More boilerplate.
Replaced execution of dynamic file generation with generated
MANIFEST that has all of the dynamic content in it. This
passes "make test" here on an extracted copy of the tarball.
This leaves me with a 1000+ line MANIFEST but lacking output
from the original Makefile.PL execution there is no way to
tell what is killing the make-*-dir execution on about half
of the systems.
- v0.6.1 Mon Mar 19 12:50:30 CDT 2018
One-time-hak of selecting STDERR in order to see output in failing tests
in CPAN testers.
Replaced skips with BAIL_OUT in setup for tests; remaining skip is not
finding git installed, which dodges running the git-based dynamic tests.
- v0.6.0 Sun Mar 18 22:20:49 CDT 2018
Add output to Makefile.PL, try to figure out why version directory
is not being produced.
Added boilerplate to t/bin/make-* without add'l output. Someday
these might even work...
Dir.pm uses search_bin then search_cwd to locate version & Git
dir's. Order makes more sense since Makefile.PL will be usual spot
for execution.
Push a bit more code into Util for re-use, push searches into
range of $Bin .. cwd if bin is below cwd. Avoids searching up
large paths that aren't going to have anything useful in most
cases.
- v0.5.8
Replace /bin/env with /usr/bin/env as possibly the only thing with a
more-or-less stable path across systems... Thanks to Thomas Klausner
for checking this across systems for me.
Ditto replacing #!/bin/bash with #!/usr/bin/env bash
7.34 Mon Mar 19 10:21:12 GMT 2018
No changes since v7.33_03
7.33_03 Sat Feb 24 20:17:04 GMT 2018
Core fixes:
- Properly silence warnings under core
Darwin/NeXT fixes:
- Recognise -F as framework flag too
7.33_02 Sat Feb 24 13:17:01 GMT 2018
Core fixes:
- Skip xsstatic test on Darwin
7.33_01 Tue Feb 20 10:39:43 GMT 2018
Core fixes:
- Silence errant README.pod warning when in perl core