diff --git a/AUTHORS b/AUTHORS index da210692ae..b7eb1b8853 100644 --- a/AUTHORS +++ b/AUTHORS @@ -30,6 +30,7 @@ Active contributors: * Jiri Kuncar * Jocelyne Jerdelet * Joe MacMahon +* Jochen Klein * Johnny Mariéthoz * Kenneth Hole * Kirsten Sachs @@ -41,7 +42,7 @@ Active contributors: * Marios Kogias * Mateusz Susik * Miguel Martín -* Mike Sullivan +* Nicolas Harraudeau * Nikolaos Kasioumis * Øystein Blixhavn * Pedro Gaudencio @@ -140,6 +141,7 @@ Past contributors: * Mikael Karlsson * Mikael Vik * Mike Marino +* Mike Sullivan * Minn Soe * Nicholas Robinson * Nikola Yolov diff --git a/MANIFEST.in b/MANIFEST.in index 6c3dc9e604..9ade313429 100644 --- a/MANIFEST.in +++ b/MANIFEST.in @@ -65,5 +65,7 @@ recursive-include invenio/modules/*/translations *.mo *.po *.pot recursive-include invenio/testsuite * +recursive-include scripts *.sh + recursive-exclude * *.py[co] recursive-exclude * *.php diff --git a/NEWS b/NEWS index 08cef5be08..de0f9b029b 100644 --- a/NEWS +++ b/NEWS 
@@ -6,6 +6,85 @@ releases. For more information about the current release, please consult RELEASE-NOTES. For more information about changes, please consult ChangeLog. +Invenio v2.0.3 -- released 2015-05-15 +------------------------------------- + +Security fixes +~~~~~~~~~~~~~~ + ++ script: + + - Switches from insecure standard random number generator to secure + OS-driven entropy source (/dev/urandom on linux) for secret key + generation. + +New features +~~~~~~~~~~~~ + ++ formatter: + + - Adds html_class and link_label attributes to bfe_edit_record. + (#3020) + ++ script: + + - Adds `SERVER_BIND_ADDRESS` and `SERVER_BIND_PORT` to overwrite + bind address and port independently from the public URL. This + gives control over the used network interface as well as the + ability to bind Invenio to a protected port and use a reverse + proxy for access. Priority of the config is (1) runserver command + arguments, (2) `SERVER_BIND_ADDRESS` and `SERVER_BIND_PORT` + configuration, (3) data from `CFG_SITE_URL`, (4) defaults + (`127.0.0.1:80`). + +Improved features +~~~~~~~~~~~~~~~~~ + ++ docker: + + - Slims down docker image by building on top of less bloated base + image and only install what is really required. Also purges + unneeded packages, flushes caches and clean temporary files. All + these parts should not be in a production image and are also not + required by developers. You can still install components when + extending the Invenio base image. + ++ docs: + + - Adds missing 'libffi' library and howto start redis server. + Causing an exception when running `pip install --process- + dependency-links -e .[development]`: 'ffi.h' file not found and + 'sudo: service: command not found' when starting redis server (OS + X Yosemite, 10.10). + + - Adds a step describing how to install MySQL on CentOS 7 because it + does not have 'mysql-server' package by default. 
+ +Bug fixes +~~~~~~~~~ + ++ email: + + - Fixes 'send_email' to expect an 'EmailMessage' object from the + 'forge_email' method rather than a string-like object. (#3076) + + - Fixes reference to CFG_SITE_ADMIN_EMAIL (not a global). + ++ legacy: + + - Makes lazy loading of `stopwords_kb` variable to avoid file + parsing during script loading. (#1462) + ++ logging: + + - Fixes Sentry proxy definition pointing to a wrong application + attribute. + ++ matcher: + + - Fixes Unicode conversion required to use the levenshtein_distance + function. (#3047) + Invenio v2.0.2 -- released 2015-04-17 ------------------------------------- diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 153a926144..3035198951 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -1,8 +1,8 @@ ============================ - Invenio v2.0.2 is released + Invenio v2.0.3 is released ============================ -Invenio v2.0.2 was released on April 17, 2015. +Invenio v2.0.3 was released on May 15, 2015. About ----- 
@@ -13,190 +13,78 @@ digital library or document repository on the web. Security fixes -------------- -+ celery: ++ script: - - Forces Celery to only accept msgpack content when using standard - configuration. This disallows pickle messages which can be used - for remote code execution. (#3003) - -+ global: - - - Disables all attempts to serve directory listings for directories - found under static root. - -Incompatible changes --------------------- - -+ celery: - - - If you use any Celery serializer other than msgpack, you must - update configuration variable CELERY_ACCEPT_CONTENT to include - that serializer. - -+ pidstore: - - - Refactors DataCite provider to use the new external DataCite API - client. - - - Removes DataCite API client from Invenio. + - Switches from insecure standard random number generator to secure + OS-driven entropy source (/dev/urandom on linux) for secret key + generation. New features ------------ -+ docs: - - - Adds "Code of Conduct" to the "Community" documentation. - - - Adds new fast track deprecation policy. - - - Documents commit message labels used by developers (such as NEW, - SECURITY, FIX, etc.) used in automatic generation of structured - release notes. (#2856) ++ formatter: -+ global: + - Adds html_class and link_label attributes to bfe_edit_record. + (#3020) - - Adds a `inveniomanage config locate` command to request the - location of the instance config file. ++ script: - - Adds new configurable variable `INVENIO_APP_CONFIG_ENVS` that can - be set both from `invenio.cfg` and OS environment. Application - factory iterates over comma separated list of configuration - variable names and updates application config with equivalent OS - environment value. (#2858) - -+ template: - - - Adds 'u' filter that converts str to unicode in Jinja2 templates - since support for str has been deprecated. Example: `{{ mystr|u - }}`. 
(#2862) + - Adds `SERVER_BIND_ADDRESS` and `SERVER_BIND_PORT` to overwrite + bind address and port independently from the public URL. This + gives control over the used network interface as well as the + ability to bind Invenio to a protected port and use a reverse + proxy for access. Priority of the config is (1) runserver command + arguments, (2) `SERVER_BIND_ADDRESS` and `SERVER_BIND_PORT` + configuration, (3) data from `CFG_SITE_URL`, (4) defaults + (`127.0.0.1:80`). Improved features ----------------- -+ docs: - - - Adds example of how to deprecate a feature and includes - deprecation policy in documentation. - -+ global: - - - Moves datacite API wrapper to external package. ++ docker: - - Escapes all unicode characters in Jinja2 templates. + - Slims down docker image by building on top of less bloated base + image and only install what is really required. Also purges + unneeded packages, flushes caches and clean temporary files. All + these parts should not be in a production image and are also not + required by developers. You can still install components when + extending the Invenio base image. -+ installation: - - - Apache virtual environments are now created with appropriate - `WSGIDaemonProcess` user value, taken from the configuration - variable `CFG_BIBSCHED_PROCESS_USER`, provided it is set. This - change makes it easier to run Invenio under non-Apache user - identity. - - - Apache virtual environments are now created with appropriate - `WSGIPythonHome` directive so that it would be easier to run - Invenio from within Python virtual environments. ++ docs: -+ jsonalchemy: + - Adds missing 'libffi' library and howto start redis server. + Causing an exception when running `pip install --process- + dependency-links -e .[development]`: 'ffi.h' file not found and + 'sudo: service: command not found' when starting redis server (OS + X Yosemite, 10.10). - - Introduces support for accepting MARC fields having any - indicator. 
(#1722 #2075) + - Adds a step describing how to install MySQL on CentOS 7 because it + does not have 'mysql-server' package by default. Bug fixes --------- -+ admin: - - - Adds `admin.js` bundle that loads `select2.js` library on `/admin` - pages. (#2690 #2781) - -+ assets: - - - Implements `__deepcopy__` method for `webassets.filter.option` in - order to fix unexpected behavior of the `option` class contructor. - (#2777 #2864 #2921) - -+ documents: - - - Flask-Login import in field definition. (#2905) - - - Safer upgrade recipe for migrations from the old document storage - model (used in v1.1) to the new document storage model (used in - v1.2). - -+ global: - - - Drops support for serving directories in Apache site configuration - to avoid problems with loading '/admin' url without trailing slash - that attempts to serve the static directory of the same - name. (#2470 #2943) - -+ installation: - - - Adds Babel as setup requirements for installing compile_catalog - command. - -+ jsonalchemy: - - - Fixes the definition of time_and_place_of_event_note, - series_statement and source_of_description fields. - -+ oairepository: - - - Switches keys in CFG_OAI_METADATA_FORMATS configuration mapping. - (#2962) - - - Amends bfe_oai_marcxml element since get_preformatted_record does - not return a tuple anymore. - -+ search: - - - Fixes portalbox text overflow and and syntax error in CSS. - (#3023) - - - Collection names containing slashes are now supported again. - However we recommend not to use slashes in collection names; if - slashes were wanted for aesthetic reasons, they can be added in - visible collection translations. (#2902) - -+ sorter: - - - Comparison function of record tags uses space concatened string - from list of all tags values. (#2750) - -Notes ------ - -+ assets: - - - Adds deprecation warning when LESS_RUN_IN_DEBUG is used. (#2923) - -+ global: - - - Deprecates use of invenio.utils.datacite:DataCite (to be removed - in Invenio 2.2). 
++ email: - - External authentication methods are being deprecated. Please use - `invenio.modules.oauthclient` or Flask-SSO instead. (#1083) + - Fixes 'send_email' to expect an 'EmailMessage' object from the + 'forge_email' method rather than a string-like object. (#3076) - - Recreate Apache site configurations using new template. Run - following command: `inveniomanage apache create-config`. + - Fixes reference to CFG_SITE_ADMIN_EMAIL (not a global). - - Deprecates custom remote debuggers. Please use native Werkzeug - debugger or other (*)pdb equivalents. (#2945) ++ legacy: - - Adds deprecation warning for `invenio.ext.jinja2hacks` and all - detected non-ascii strings usage in templates mainly coming from - legacy (1.x) modules. (#2862) + - Makes lazy loading of `stopwords_kb` variable to avoid file + parsing during script loading. (#1462) -+ installation: ++ logging: - - Limits version of SQLAlchemy<=1.0 and SQLAlchemy-Utils<=0.30. + - Fixes Sentry proxy definition pointing to a wrong application + attribute. -+ oairepository: ++ matcher: - - Changes current behavior of OAI-PMH server for logged in users to - take into account all records a user can view and not only public - records. + - Fixes Unicode conversion required to use the levenshtein_distance + function. (#3047) Installation ------------ @@ -206,7 +94,7 @@ Installation Documentation ------------- - http://invenio.readthedocs.org/en/v2.0.2 + http://invenio.readthedocs.org/en/v2.0.3 Homepage -------- diff --git a/RELEASE-NOTES.rst b/RELEASE-NOTES.rst index 153a926144..3035198951 100644 --- a/RELEASE-NOTES.rst +++ b/RELEASE-NOTES.rst @@ -1,8 +1,8 @@ ============================ - Invenio v2.0.2 is released + Invenio v2.0.3 is released ============================ -Invenio v2.0.2 was released on April 17, 2015. +Invenio v2.0.3 was released on May 15, 2015. About ----- 
@@ -13,190 +13,78 @@ digital library or document repository on the web. Security fixes -------------- -+ celery: ++ script: - - Forces Celery to only accept msgpack content when using standard - configuration. This disallows pickle messages which can be used - for remote code execution. (#3003) - -+ global: - - - Disables all attempts to serve directory listings for directories - found under static root. - -Incompatible changes --------------------- - -+ celery: - - - If you use any Celery serializer other than msgpack, you must - update configuration variable CELERY_ACCEPT_CONTENT to include - that serializer. - -+ pidstore: - - - Refactors DataCite provider to use the new external DataCite API - client. - - - Removes DataCite API client from Invenio. + - Switches from insecure standard random number generator to secure + OS-driven entropy source (/dev/urandom on linux) for secret key + generation. New features ------------ -+ docs: - - - Adds "Code of Conduct" to the "Community" documentation. - - - Adds new fast track deprecation policy. - - - Documents commit message labels used by developers (such as NEW, - SECURITY, FIX, etc.) used in automatic generation of structured - release notes. (#2856) ++ formatter: -+ global: + - Adds html_class and link_label attributes to bfe_edit_record. + (#3020) - - Adds a `inveniomanage config locate` command to request the - location of the instance config file. ++ script: - - Adds new configurable variable `INVENIO_APP_CONFIG_ENVS` that can - be set both from `invenio.cfg` and OS environment. Application - factory iterates over comma separated list of configuration - variable names and updates application config with equivalent OS - environment value. (#2858) - -+ template: - - - Adds 'u' filter that converts str to unicode in Jinja2 templates - since support for str has been deprecated. Example: `{{ mystr|u - }}`. 
(#2862) + - Adds `SERVER_BIND_ADDRESS` and `SERVER_BIND_PORT` to overwrite + bind address and port independently from the public URL. This + gives control over the used network interface as well as the + ability to bind Invenio to a protected port and use a reverse + proxy for access. Priority of the config is (1) runserver command + arguments, (2) `SERVER_BIND_ADDRESS` and `SERVER_BIND_PORT` + configuration, (3) data from `CFG_SITE_URL`, (4) defaults + (`127.0.0.1:80`). Improved features ----------------- -+ docs: - - - Adds example of how to deprecate a feature and includes - deprecation policy in documentation. - -+ global: - - - Moves datacite API wrapper to external package. ++ docker: - - Escapes all unicode characters in Jinja2 templates. + - Slims down docker image by building on top of less bloated base + image and only install what is really required. Also purges + unneeded packages, flushes caches and clean temporary files. All + these parts should not be in a production image and are also not + required by developers. You can still install components when + extending the Invenio base image. -+ installation: - - - Apache virtual environments are now created with appropriate - `WSGIDaemonProcess` user value, taken from the configuration - variable `CFG_BIBSCHED_PROCESS_USER`, provided it is set. This - change makes it easier to run Invenio under non-Apache user - identity. - - - Apache virtual environments are now created with appropriate - `WSGIPythonHome` directive so that it would be easier to run - Invenio from within Python virtual environments. ++ docs: -+ jsonalchemy: + - Adds missing 'libffi' library and howto start redis server. + Causing an exception when running `pip install --process- + dependency-links -e .[development]`: 'ffi.h' file not found and + 'sudo: service: command not found' when starting redis server (OS + X Yosemite, 10.10). - - Introduces support for accepting MARC fields having any - indicator. 
(#1722 #2075) + - Adds a step describing how to install MySQL on CentOS 7 because it + does not have 'mysql-server' package by default. Bug fixes --------- -+ admin: - - - Adds `admin.js` bundle that loads `select2.js` library on `/admin` - pages. (#2690 #2781) - -+ assets: - - - Implements `__deepcopy__` method for `webassets.filter.option` in - order to fix unexpected behavior of the `option` class contructor. - (#2777 #2864 #2921) - -+ documents: - - - Flask-Login import in field definition. (#2905) - - - Safer upgrade recipe for migrations from the old document storage - model (used in v1.1) to the new document storage model (used in - v1.2). - -+ global: - - - Drops support for serving directories in Apache site configuration - to avoid problems with loading '/admin' url without trailing slash - that attempts to serve the static directory of the same - name. (#2470 #2943) - -+ installation: - - - Adds Babel as setup requirements for installing compile_catalog - command. - -+ jsonalchemy: - - - Fixes the definition of time_and_place_of_event_note, - series_statement and source_of_description fields. - -+ oairepository: - - - Switches keys in CFG_OAI_METADATA_FORMATS configuration mapping. - (#2962) - - - Amends bfe_oai_marcxml element since get_preformatted_record does - not return a tuple anymore. - -+ search: - - - Fixes portalbox text overflow and and syntax error in CSS. - (#3023) - - - Collection names containing slashes are now supported again. - However we recommend not to use slashes in collection names; if - slashes were wanted for aesthetic reasons, they can be added in - visible collection translations. (#2902) - -+ sorter: - - - Comparison function of record tags uses space concatened string - from list of all tags values. (#2750) - -Notes ------ - -+ assets: - - - Adds deprecation warning when LESS_RUN_IN_DEBUG is used. (#2923) - -+ global: - - - Deprecates use of invenio.utils.datacite:DataCite (to be removed - in Invenio 2.2). 
++ email: - - External authentication methods are being deprecated. Please use - `invenio.modules.oauthclient` or Flask-SSO instead. (#1083) + - Fixes 'send_email' to expect an 'EmailMessage' object from the + 'forge_email' method rather than a string-like object. (#3076) - - Recreate Apache site configurations using new template. Run - following command: `inveniomanage apache create-config`. + - Fixes reference to CFG_SITE_ADMIN_EMAIL (not a global). - - Deprecates custom remote debuggers. Please use native Werkzeug - debugger or other (*)pdb equivalents. (#2945) ++ legacy: - - Adds deprecation warning for `invenio.ext.jinja2hacks` and all - detected non-ascii strings usage in templates mainly coming from - legacy (1.x) modules. (#2862) + - Makes lazy loading of `stopwords_kb` variable to avoid file + parsing during script loading. (#1462) -+ installation: ++ logging: - - Limits version of SQLAlchemy<=1.0 and SQLAlchemy-Utils<=0.30. + - Fixes Sentry proxy definition pointing to a wrong application + attribute. -+ oairepository: ++ matcher: - - Changes current behavior of OAI-PMH server for logged in users to - take into account all records a user can view and not only public - records. + - Fixes Unicode conversion required to use the levenshtein_distance + function. (#3047) Installation ------------ @@ -206,7 +94,7 @@ Installation Documentation ------------- - http://invenio.readthedocs.org/en/v2.0.2 + http://invenio.readthedocs.org/en/v2.0.3 Homepage -------- diff --git a/invenio/version.py b/invenio/version.py index dc42bdc40b..bc9fbd15d6 100644 --- a/invenio/version.py +++ b/invenio/version.py @@ -30,7 +30,7 @@ # - revision can be set if you want to override the date coming from git. # # See the doctest below. -version = (2, 0, 3, 'dev', 20150417) +version = (2, 0, 3) def build_version(*args):
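Review bot: In the first AUTHORS hunk, `* Jochen Klein` is added after `* Joe MacMahon`, which breaks the first-name alphabetical order the list otherwise keeps. It belongs between `* Jocelyne Jerdelet` and `* Joe MacMahon`.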
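Review bot: In the NEWS hunk, the "Security fixes" entry under `+ script:` has no upgrade guidance for instances whose secret key was generated by an earlier release. Since the entry itself calls the old generator insecure, suggest adding a sentence that tells operators to regenerate the secret key after upgrading. The entry also lacks an issue reference of the kind other entries carry (for example `(#3020)`), which makes the fix hard to trace. Minor: capitalise "Linux" in `/dev/urandom on linux`.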
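Review bot: In the RELEASE-NOTES hunk, the `+ docs:` entry wraps the command as `pip install --process-` / `dependency-links -e .[development]`, so the option is split at its hyphen and cannot be copied as written. Keep the command on one line or break before `--process-dependency-links`. The second sentence of that entry ("Causing an exception when running ...") is a fragment and should be joined to the first. In the `+ script:` entry, "overwrite bind address and port" should read "override", and "protected port" should say what is meant, since the stated default is `127.0.0.1:80`. The same text appears in the NEWS hunk and needs the same fixes.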
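Review bot: The RELEASE-NOTES.rst hunk is a byte-for-byte copy of the RELEASE-NOTES hunk (both show `index 153a926144..3035198951`), so every release edits the same text twice and the two files can drift apart. Suggest keeping one source file and generating or linking the other.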
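Review bot: In invenio/version.py, `version = (2, 0, 3)` drops the `'dev'` and date elements that the previous tuple `(2, 0, 3, 'dev', 20150417)` carried, and the context comment points at "the doctest below". Please confirm that the doctest for `build_version` covers a three-element tuple, and note in the commit message that a follow-up commit restores a dev tuple after tagging so later builds are not reported as the 2.0.3 release.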