merge in default branch to see if ti clears a travis-ci build error o…

…n 2.7 python; default branch builds fine

.github/workflows/anchore.yml

@@ -37,7 +37,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout the code
-      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
     - name: Build the Docker image
       run: docker pull python:3-alpine; docker build . --file scripts/Docker/Dockerfile --tag localbuild/testimage:latest
     - name: List the Docker image

.github/workflows/ci-test.yml

@@ -32,10 +32,6 @@ jobs:
   test:
     name: CI build test
 
-    # run the finalizer for coveralls even if one or more
-    # experimental matrix runs fail.
-    # continue-on-error: ${{ matrix.experimental }}
-
     #runs-on: ubuntu-latest
     # use below if running on multiple OS's.
     runs-on: ${{ matrix.os }}
@@ -61,13 +57,14 @@ jobs:
         os: [ubuntu-latest, ubuntu-20.04]
 
         # if the ones above fail. fail the build
-        experimental: [false]
+        experimental: [ false ]
 
         include:
             # example: if 3.12 fails the jobs still succeeds
-            - python-version: 3.12
+            - python-version: 3.12 
               os: ubuntu-22.04
-              experimental: [true]
+              experimental: true
+
             # 3.6 not available on new 22.04 runners, so run on 20.04 ubuntu
             - python-version: 3.6
               os: ubuntu-20.04
@@ -76,6 +73,12 @@ jobs:
             # skip all python versions on 20.04 except explicitly included
             - os: ubuntu-20.04
 
+    # run the finalizer for coveralls even if one or more
+    # experimental matrix runs fail.
+    # moving it above strategy produces unexpected value false
+    # moving it below (here) produces unexpected value ''.
+    # continue-on-error: ${{ matrix.experimental }}
+
     env:
       # get colorized pytest output even without a controlling tty
       PYTEST_ADDOPTS: "--color=yes"
@@ -90,11 +93,11 @@ jobs:
         # if: {{ false }}
           # continue running if step fails
         # continue-on-error: true
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
 
       # Setup version of Python to use
       - name: Set Up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1
+        uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
         with:
           python-version: ${{ matrix.python-version }}
           allow-prereleases: true
@@ -254,7 +257,7 @@ jobs:
       - name: Upload coverage to Coveralls
         # python 2.7 and 3.6 versions of coverage can't produce lcov files.
         if: matrix.python-version != '2.7' && matrix.python-version != '3.6'
-        uses: coverallsapp/github-action@c7885c00cb7ec0b8f9f5ff3f53cddb980f7a4412 # master
+        uses: coverallsapp/github-action@3dfc5567390f6fa9267c0ee9c251e4c8c3f18949 # master
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           path-to-lcov: coverage.lcov
@@ -290,7 +293,7 @@ jobs:
 
     steps:
       - name: Coveralls Finished
-        uses: coverallsapp/github-action@c7885c00cb7ec0b8f9f5ff3f53cddb980f7a4412 # master
+        uses: coverallsapp/github-action@3dfc5567390f6fa9267c0ee9c251e4c8c3f18949 # master
         with:
           github-token: ${{ secrets.github_token }}
           parallel-finished: true

.github/workflows/codeql-analysis.yml

@@ -49,7 +49,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v2.6.0
+      uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v2.6.0
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/ossf-scorecard.yml

@@ -35,7 +35,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.1.0
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v3.1.0
         with:
           persist-credentials: false
 
@@ -62,7 +62,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: SARIF file
           path: results.sarif

.hgtags

@@ -142,3 +142,4 @@ c90104abe508e3886917243e4acd069c8ef7a1a4 2.2.0
 0000000000000000000000000000000000000000 2.2.0
 239d9542b02062c56f88fd1de8b87c4d88d700ad 2.2.0
 51fc06fabcee043db116e2fbdcdcf5e86b67ed3d 2.3.0b2
+913a73b9fab58e9c7e43e1fad379b68cae6ee3ae 2.3.0

CHANGES.txt

@@ -12,7 +12,55 @@ v2.7.2 or later are required to run newer releases of Roundup.
 Roundup 2.0 supports Python 3.4 and later. Roundup 2.1.0 supports
 python 3.6 or newer (3.4/3.5 might work, but they are not tested).
 
-2023-xx-yy 2.3.0
+2024-XX-YY 2.4.0
+
+Fixed:
+
+- issue2551063 - Rest/Xmlrpc interfaces needs failed login protection.
+  Failed API login rate limiting with expiring lockout added. (John
+  Rouillard)
+- issue2551184 - improve i18n handling. Patch to test to make sure it
+  uses the test tracker's locale files and not other locale
+  files. (Marcus Priesch)
+- issue2551283 - fail if version 2.4.9 of markdown2 is used, it broke
+  [issue1](issue1) style links. Support markdown2 2.4.8 and earlier
+  and 2.4.10 with its new schema filtering method. (John Rouillard)
+- multiple flake8 fixes (John Rouillard)
+- rename loop variable in 'for sendto in sendto:' (John Rouillard)
+- issue2551193 - Fix roundup for removal of cgi and cgitb standard
+  python modules (and FieldStorage/MiniFieldStorage). Replaced imports
+  from cgi to use roundup.anypy.cgi_ which will load the system cgi
+  unless it is missing. Then it will load roundup.anypy.vendored.cgi
+  and make *FieldStroage symbols available. Roundp uses its own
+  cgitb.py and not the system cgitb.py. It looks like it's the
+  precursor to the system cgitb.py. (John Rouillard)
+- issue2551278 - datetime.datetime.utcnow deprecation. Replace
+  calls with equivalent that produces timezone aware dates rather than
+  naive dates. (John Rouillard)
+- when using "roundup-admin display" indent the listing only if
+  headers or protected fields are requested. This makes the output
+  look like it did previously to 2.3.0 if the new features aren't
+  used.  Roundup-admin output was never meant to be machine parsed, but
+  don't break it unless required. (John Rouillard)
+- issue2551290 - pip install roundup Hangs on Windows 10
+  The install under windows goes into an infinite loop using pip or
+  source install. (John Rouillard)
+- Document use of pyreadline3 to allow roundup-admin to have CLI editing
+  on windows. (John Rouillard)
+
+Features:
+
+- issue2551103 - add pragma 'display_protected' to roundup-admin. If
+  true, print protected attributes like id, activity, actor...
+  when using display or specification subcommands. (John Rouillard)
+- add -P pragma=value command line option to roundup-admin. Allows
+  setting pragmas when using non-interactive mode. (John Rouillard)
+- issue685275 - add pragma show_retired to control display of retired
+  items when using list/table. Add pragma display_header to print
+  headers for display command. Header displays designator and
+  retired/active status.
+
+2023-07-13 2.3.0
 
 Fixed:
 

COPYING.txt

@@ -113,3 +113,59 @@ accompanying credits file.
 
 
 Note link for http://www.zope.com/Marks is dead.
+
+Vendored cgi.py module
+----------------------
+
+This module is licensed under the Python Software Foundation License
+Version 2 as it was extracted from the 3.12 Python distribution.
+
+PYTHON SOFTWARE FOUNDATION LICENSE VERSION 2
+--------------------------------------------
+
+1. This LICENSE AGREEMENT is between the Python Software Foundation
+   ("PSF"), and the Individual or Organization ("Licensee") accessing
+   and otherwise using this software ("Python") in source or binary
+   form and its associated documentation.
+
+2. Subject to the terms and conditions of this License Agreement, PSF
+   hereby grants Licensee a nonexclusive, royalty-free, world-wide
+   license to reproduce, analyze, test, perform and/or display
+   publicly, prepare derivative works, distribute, and otherwise use
+   Python alone or in any derivative version, provided, however, that
+   PSF's License Agreement and PSF's notice of copyright, i.e.,
+   "Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008,
+   2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019,
+   2020, 2021, 2022 Python Software Foundation; All Rights Reserved"
+   are retained in Python alone or in any derivative version prepared
+   by Licensee.
+
+3. In the event Licensee prepares a derivative work that is based on
+   or incorporates Python or any part thereof, and wants to make the
+   derivative work available to others as provided herein, then
+   Licensee hereby agrees to include in any such work a brief summary
+   of the changes made to Python.
+
+4. PSF is making Python available to Licensee on an "AS IS" basis.
+   PSF MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED.  BY
+   WAY OF EXAMPLE, BUT NOT LIMITATION, PSF MAKES NO AND DISCLAIMS ANY
+   REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY
+   PARTICULAR PURPOSE OR THAT THE USE OF PYTHON WILL NOT INFRINGE ANY
+   THIRD PARTY RIGHTS.
+
+5. PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON
+   FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A
+   RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON, OR
+   ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
+
+6. This License Agreement will automatically terminate upon a material
+   breach of its terms and conditions.
+
+7. Nothing in this License Agreement shall be deemed to create any
+   relationship of agency, partnership, or joint venture between PSF
+   and Licensee.  This License Agreement does not grant permission to
+   use PSF trademarks or trade name in a trademark sense to endorse or
+   promote products or services of Licensee, or any third party.
+
+8. By copying, installing or otherwise using Python, Licensee agrees
+   to be bound by the terms and conditions of this License Agreement.

RELEASE.txt

@@ -33,8 +33,10 @@ Roundup release checklist:
       CHANGES.txt (set date for version as well) 
       roundup/__init__.py
       website/www/index.txt (current stable version, release highlights)
-      website/www/conf.py  (update copyright, version from __init__.py)
-      scripts/Docker/Docker update value of org.opencontainers.image.version
+      website/www/conf.py  (update copyright, version auto-set from
+          roundup/__init__.py)
+      scripts/Docker/Dockerfile update value of
+          org.opencontainers.image.version
 3a. Update license end date in COPYING.txt
 3b. Update doc/acknowledgements.txt (add section for
     release, churn contributers etc.). (Use hg churn -c -r ####..####)
@@ -101,7 +103,7 @@ Roundup release checklist:
     added and removed files. Last release e.g. 1.5.1 where tip is what would
     become 1.6) E.G.
 
-      hg status --rev 2.0.0:tip | sed -ne 's/^A //p' | while read i ; \
+      hg status --rev 2.2.0:tip | sed -ne 's/^A //p' | while read i ; \
       do echo $i; grep "$i" roundup.egg-info/SOURCES.txt; done | \
       uniq -c | sort -rn
 
@@ -112,7 +114,7 @@ Roundup release checklist:
     (Note: files under website/ shouldn't be in the manifest.)
 10a: Check for removed files still in manifest:
 
-      hg status --rev 2.0.0:tip | sed -ne 's/^R //p' | while read i ; \
+      hg status --rev 2.2.0:tip | sed -ne 's/^R //p' | while read i ; \
       do echo $i; grep "$i" roundup.egg-info/SOURCES.txt; done | \
       uniq -c | sort -n
 
@@ -128,6 +130,26 @@ Roundup release checklist:
     with all available Python versions.
 11a. (TBD how to test wheel binary distribution before uploading.)
 
+11b. Generate GPG signature file
+
+       cd dist
+       gpg --detach-sign --armor -u 1F2DD0CB756A76D8 <filename>.tar.gz
+
+     you should be prompted to use the roundup release key. If not you
+     can add  [email protected].
+     This will create a file by the name <filename>.tar.gz.asc.
+
+     Move file to website/www/signature directory
+
+       mv <filename>.tar.gz.asc ../webite/www/signatures/.
+       hg add ../website/www/signature/<filename>.tar.gz.asc
+       # commiting the file will be done in step 12
+       cd ..
+
+    Add a link to the signature to doc/security.txt. Add a new link
+    to the start of the signature list in doc/security.txt (look for
+    the word multicol).
+
 12. Assuming all is well commit and tag the release in the version-control
     system.
       a) hg commit ... # commit any edits from steps 1-5
@@ -137,32 +159,11 @@ Roundup release checklist:
 
 13. Upload source distribution to PyPI - requires you sign up for a
     pypi account and be added as a maintainer to roundup. Ask existing
-    maintainer for access. You can do this two ways:
-
-      python3 setup.py sdist upload --repository pypi
+    maintainer for access. Do this using twine (pip install twine).
 
-    which rebuilds the source distribution tarball and uploads it.
-    This means that you have uploaded something that is not tested,
-    also it does not have a gpg signature. It should be the same as
-    the tarball you tested but....
-
-    A better way to do this is to use twine (pip install twine).
-    You need to sign the tarball. This can be done with:
-
-      cd dist
-      gpg --detach-sign --armor -u 1F2DD0CB756A76D8 <filename>.tgz
-
-    you should be prompted to use the roundup release key. If not you
-    can add  [email protected].
-    This will create a file by the name <filename>.tgz.asc.
     The original directions used twine to upload the tarball and the
     signature, but as of May 2023, PyPI no longer accepts signature
-    files.
-
-    So we publish the signature as part of the website. Move the file
-    to the website/www/signatures directory. Commit the .asc signature
-    file to mercurial. Add a new list item at the start of the
-    signature list in doc/security.txt (look for the word multicol).
+    files. So we publish the signature as part of the website.
 
     Use twine to upload the distribution tarball. E.G.
 
@@ -178,6 +179,15 @@ Roundup release checklist:
     the gpg asc files and place the .whl.asc in the signature
     directory.
 
+    Another way to upload is to use:
+
+      python3 setup.py sdist upload --repository pypi
+
+    BUT this rebuilds the source distribution tarball and uploads it.
+    This means that you have uploaded something that is not tested.
+    Also the metadata in the file changes and will not match the GPG
+    signature you commited in step 12. So use twine.
+
 14. Refresh website.
       website/README.txt
       https://www.roundup-tracker.org/ should state that the stable
@@ -205,9 +215,10 @@ Roundup release checklist:
 17a. install docker
 17b. run: (issues, how to release a version e.g. to update alpine for
            security issues. Currently thinking that release tag is
-	   rounduptracker/roundup:2.2.0-1, -2 etc? Then add a tag
+	   rounduptracker/roundup:2.2.0-1, -2 etc. Then add a tag
 	   rounduptracker/roundup:2.2.0 that moves to always tag
-	   the latest -N release??)
+	   the latest -N release. Also roundup:latest points to the
+	   newest -N for the newest roundup version.)
 
         docker build -t rounduptracker/roundup:2.2.0 \
            --build-arg="source=pypi" -f scripts/Docker/Dockerfile .
@@ -303,13 +314,14 @@ $ gpg --edit-key 411E354B5D1AF26125D621221F2DD0CB756A76D8
   > save
   [ saves both keys, will need the private key and passphrase ]
 
-EXPORT NEW KEY
-==============
+EXPORT NEW PUBLIC KEY
+=====================
 
 $ gpg --export -a [email protected] >> \
    tools/roundup.public.pgp.key
 
-then edit roundup.public.pgp.key keeping only the last key stat starts
+then edit roundup.public.pgp.key keeping only the last key that starts
 with: -----BEGIN PGP PUBLIC KEY BLOCK-----
 
-Commmit new key to mercurial.
+and add back the preamble that describes where to find doc for
+it. Commmit new key to mercurial.

doc/acknowledgements.txt

@@ -28,7 +28,7 @@ Release Manager: John Rouillard
 
 Developer activity by changesets::
 
-  [email protected]    636 *****************************************************
+  [email protected]    722 ****************************************************
   [email protected]      14 *
 
 Other contributers