Fri, 12 Apr 2019 12:31:14 +0200 Use secure hash algorithm in WebConfiguration.sign_text
Laurent Peuch <cortex@worlddomination.be> [Fri, 12 Apr 2019 12:31:14 +0200] rev 12584
Use secure hash algorithm in WebConfiguration.sign_text Fix: PendingDeprecationWarning: HMAC() without an explicit digestmod argument is deprecated. The default hash algorithm used by hmac.new is md5. As of today, md5 is so weak that it's the equivalent of plaintext and can't be considered to be secured at all. Therefor, we switch to a secure hash algorithm. The rational for choosing sha3_512 is: * the recommended algorithm is at least sha_256 * the stronger, the more secured and sha3_512 is the stronger available * thinking about the future this should keep this part of the code safe long enough before people think about checking it again You can read more about choosing a secure hash algorithm in the NIST recommendations https://csrc.nist.gov/Projects/Hash-Functions/NIST-Policy-on-Hash-Functions This code modification should normally be transparent since check_text_sign is exactly this code 'self.sign_text(text) == signature' and that sign_text is only used in combination with it. The only impact is that the hash is going to move from 32 char to 128 which might make html page a bit bigger and that sha3_512 is slow to compute (which is a good thing for security)
Tue, 23 Apr 2019 09:33:52 +0200 [enh] don't catch all exceptions in notification hooks during tests
Laurent Peuch <cortex@worlddomination.be> [Tue, 23 Apr 2019 09:33:52 +0200] rev 12583
[enh] don't catch all exceptions in notification hooks during tests
Thu, 18 Apr 2019 15:09:36 +0200 [doc] add a reference to static-messages.pot usage
Noe Gaumont <ngaumont@logilab.fr> [Thu, 18 Apr 2019 15:09:36 +0200] rev 12582
[doc] add a reference to static-messages.pot usage
Thu, 18 Apr 2019 15:10:35 +0200 [doc] Clarify sentences
Noe Gaumont <ngaumont@logilab.fr> [Thu, 18 Apr 2019 15:10:35 +0200] rev 12581
[doc] Clarify sentences
Thu, 18 Apr 2019 15:05:13 +0200 [doc] Fix format and typo
Noe Gaumont <ngaumont@logilab.fr> [Thu, 18 Apr 2019 15:05:13 +0200] rev 12580
[doc] Fix format and typo
Thu, 18 Apr 2019 04:40:23 +0000 Fix DeprecationWarning: Using or importing the ABCs from 'collections' instead of from 'collections.abc' is deprecated
Nsukami Patrick <ndkpatt at gmail dot com> [Thu, 18 Apr 2019 04:40:23 +0000] rev 12579
Fix DeprecationWarning: Using or importing the ABCs from 'collections' instead of from 'collections.abc' is deprecated
Thu, 18 Apr 2019 04:34:34 +0000 Fix DeprecationWarning: invalid escape sequence
Nsukami Patrick <ndkpatt at gmail dot com> [Thu, 18 Apr 2019 04:34:34 +0000] rev 12578
Fix DeprecationWarning: invalid escape sequence
Tue, 16 Apr 2019 15:49:03 +0200 [devtools/testlib] avoid hidding AttributeError in create_user() 3.26
Philippe Pepiot <philippe.pepiot@logilab.fr> [Tue, 16 Apr 2019 15:49:03 +0200] rev 12577
[devtools/testlib] avoid hidding AttributeError in create_user() commit() might raise a AttributeError too. Use getattr(req, 'cnx', req) instead, which is a form already used to get the real cnx in some code: cubicweb/rset.py:577: cnx = getattr(self.req, 'cnx', self.req) cubicweb/schema.py:353: with getattr(_cw, 'cnx', _cw).security_enabled(read=False): We could use if hasattr(req, 'commit') here too but it lead to 3 additionals lines. Maybe we should have commit() and rollback() on cubicweb.web.request.ConnectionCubicWebRequestBase too ?
Wed, 10 Apr 2019 17:59:17 +0000 Fix DeprecationWarning: invalid escape sequence \
Nsukami Patrick <ndkpatt at gmail dot com> [Wed, 10 Apr 2019 17:59:17 +0000] rev 12576
Fix DeprecationWarning: invalid escape sequence \
Fri, 12 Apr 2019 11:56:13 +0200 DeprecationWarning: The 'warn' method is deprecated, use 'warning' instead
Laurent Peuch <cortex@worlddomination.be> [Fri, 12 Apr 2019 11:56:13 +0200] rev 12575
DeprecationWarning: The 'warn' method is deprecated, use 'warning' instead
Fri, 12 Apr 2019 13:52:17 +0200 [mod] remove backward compatible code for passlib and force modern version
Laurent Peuch <cortex@worlddomination.be> [Fri, 12 Apr 2019 13:52:17 +0200] rev 12574
[mod] remove backward compatible code for passlib and force modern version
Fri, 12 Apr 2019 11:54:42 +0200 DeprecationWarning: Please use assertEqual instead.
Laurent Peuch <cortex@worlddomination.be> [Fri, 12 Apr 2019 11:54:42 +0200] rev 12573
DeprecationWarning: Please use assertEqual instead.
Fri, 12 Apr 2019 17:25:40 +0200 DeprecationWarning: Please use assertRaisesRegex instead.
Laurent Peuch <cortex@worlddomination.be> [Fri, 12 Apr 2019 17:25:40 +0200] rev 12572
DeprecationWarning: Please use assertRaisesRegex instead.
Thu, 11 Apr 2019 20:15:09 +0200 DeprecationWarning: inspect.getargspec() is deprecated since Python 3.0, use inspect.signature() or inspect.getfullargspec()
Laurent Peuch <cortex@worlddomination.be> [Thu, 11 Apr 2019 20:15:09 +0200] rev 12571
DeprecationWarning: inspect.getargspec() is deprecated since Python 3.0, use inspect.signature() or inspect.getfullargspec()
Thu, 11 Apr 2019 16:47:27 +0200 [README] add testing instructions
Laurent Peuch <cortex@worlddomination.be> [Thu, 11 Apr 2019 16:47:27 +0200] rev 12570
[README] add testing instructions
Fri, 05 Apr 2019 12:19:03 +0200 Add pytest-subtests to dev requirements
Denis Laxalde <denis.laxalde@logilab.fr> [Fri, 05 Apr 2019 12:19:03 +0200] rev 12569
Add pytest-subtests to dev requirements This pytest plugin adds support for unittest's TestCase.subTest (for Python >= 3.4). Since we we now only support python3 and since we use a fair amount of these, let's benefit of better reporting by using this plugin.
Tue, 26 Mar 2019 16:22:31 +0100 [test] use unittest.mock instead of mock library
Denis Laxalde <denis.laxalde@logilab.fr> [Tue, 26 Mar 2019 16:22:31 +0100] rev 12568
[test] use unittest.mock instead of mock library Now that we use Python 3 only, this is possible.
Fri, 05 Apr 2019 17:58:19 +0200 Drop python2 support
Denis Laxalde <denis.laxalde@logilab.fr> [Fri, 05 Apr 2019 17:58:19 +0200] rev 12567
Drop python2 support This mostly consists in removing the dependency on "six" and updating the code to use only Python3 idioms. Notice that we previously used TemporaryDirectory from cubicweb.devtools.testlib for compatibility with Python2. We now directly import it from tempfile.
Fri, 05 Apr 2019 17:21:14 +0200 Merge with 3.26
Denis Laxalde <denis.laxalde@logilab.fr> [Fri, 05 Apr 2019 17:21:14 +0200] rev 12566
Merge with 3.26
Fri, 05 Apr 2019 17:40:02 +0200 Remove unused imports in cubicweb.pyramid.config 3.26
Denis Laxalde <denis.laxalde@logilab.fr> [Fri, 05 Apr 2019 17:40:02 +0200] rev 12565
Remove unused imports in cubicweb.pyramid.config
Fri, 05 Apr 2019 17:20:01 +0200 Added tag 3.26.9 for changeset 4d6909de765a 3.26
Denis Laxalde <denis.laxalde@logilab.fr> [Fri, 05 Apr 2019 17:20:01 +0200] rev 12564
Added tag 3.26.9 for changeset 4d6909de765a
Fri, 05 Apr 2019 17:19:56 +0200 [pkg] Version 3.26.9 3.26 3.26.9
Denis Laxalde <denis.laxalde@logilab.fr> [Fri, 05 Apr 2019 17:19:56 +0200] rev 12563
[pkg] Version 3.26.9
Tue, 12 Feb 2019 17:00:55 +0100 [pyramid/security] use cryptographically secure random generator 3.26
Laurent Peuch <cortex@worlddomination.be> [Tue, 12 Feb 2019 17:00:55 +0100] rev 12562
[pyramid/security] use cryptographically secure random generator Based on django source code in case SystemRandom is not available. According to python documentation: https://docs.python.org/2/library/random.html > Warning > The pseudo-random generators of this module should not be used for security > purposes. Use os.urandom() or SystemRandom if you require a cryptographically > secure pseudo-random number generator.
Thu, 04 Apr 2019 14:11:40 +0200 Reclosing branch after merge tls-sprint
Arthur Lutz <arthur.lutz@logilab.fr> [Thu, 04 Apr 2019 14:11:40 +0200] rev 12561
Reclosing branch after merge
Thu, 04 Apr 2019 13:49:34 +0200 Merging heads of old, closed branch tls-sprint
Arthur Lutz <arthur.lutz@logilab.fr> [Thu, 04 Apr 2019 13:49:34 +0200] rev 12560
Merging heads of old, closed branch
Thu, 04 Apr 2019 14:08:10 +0200 Reclosing branch after merge 3.0
Arthur Lutz <arthur.lutz@logilab.fr> [Thu, 04 Apr 2019 14:08:10 +0200] rev 12559
Reclosing branch after merge
Thu, 04 Apr 2019 13:45:23 +0200 Merging heads of old, closed branch 3.0
Arthur Lutz <arthur.lutz@logilab.fr> [Thu, 04 Apr 2019 13:45:23 +0200] rev 12558
Merging heads of old, closed branch
Thu, 28 Mar 2019 11:15:28 +0100 [doc/changes] document that legacy cube support has been dropped
Philippe Pepiot <philippe.pepiot@logilab.fr> [Thu, 28 Mar 2019 11:15:28 +0100] rev 12557
[doc/changes] document that legacy cube support has been dropped
Thu, 28 Mar 2019 11:13:12 +0100 [doc] replace legacy import to new style cube import in various places
Philippe Pepiot <philippe.pepiot@logilab.fr> [Thu, 28 Mar 2019 11:13:12 +0100] rev 12556
[doc] replace legacy import to new style cube import in various places
Thu, 28 Mar 2019 11:09:29 +0100 [web/views] drop deprecated module cubicweb.web.views.timeline
Philippe Pepiot <philippe.pepiot@logilab.fr> [Thu, 28 Mar 2019 11:09:29 +0100] rev 12555
[web/views] drop deprecated module cubicweb.web.views.timeline
(0) -10000 -3000 -1000 -300 -100 -50 -30 +30 +50 +100 +300 tip