Bodhi

Latest version: v5.7.5


5.6.1
=====
This is a bugfix release.


Bug fixes
=========
Fix two reflected XSS vulnerabilities - CVE: CVE-2020-15855


Contributors
============

The following developers contributed to this release of Bodhi:

* Patrick Uiterwijk

5.6
===
This is a feature release.


Dependency changes
==================

* Drop support for bleach 1.0 api (:pr:`3875`).
* Markdown >= 3.0 is now required (:pr:`4134`).

Server upgrade instructions
===========================

This release contains database migrations. To apply them, run::

    $ sudo -u apache /usr/bin/alembic -c /etc/bodhi/alembic.ini upgrade head


Features
========

* Added a `from_side_tag` bool search parameter for Updates and allow searching
  for that and for gating status from WebUI (:pr:`4119`).
* Allow overriding `critpath.stable_after_days_without_negative_karma` based on
  release status (:pr:`4135`).
* Users who own a side-tag can now create updates from that side-tag even if
  it contains builds for which they don't have commit access (:issue:`4014`).

Bug fixes
=========

* Fix encoding of package and user names in search results (:pr:`4104`).
* Fix autotime display on update page (:pr:`4110`).
* Set update.stable_days to 0 for Releases not composed by Bodhi itself
  (:pr:`4111`).
* Ignore builds in Unpushed updates when checking for duplicate builds
  (:issue:`1809`).
* Make automatic updates obsolete older updates stuck in testing due to failing
  gating tests (:issue:`3916`).
* Fix 404 pages for bot users with nonstandard characters in usernames
  (:issue:`3993`).
* Fixed documentation build with Sphinx3 (:issue:`4020`).
* Serve the documentation directly from the WSGI application using WhiteNoise
  (:issue:`4066`).
* Updates from side-tag for non-rawhide releases were not pushed to testing
  (:issue:`4087`).
* Side-tag updates builds were not editable in the WebUI (:issue:`4122`).
* Fixed "re-trigger tests" button not shown on update page (:issue:`4144`).
* Fixed a crash in automatic_updates handler due to `get_changelog()` returning
  an unhandled exception (:issue:`4146`).
* Fixed a crash in automatic_updates handler due to trying to access
  update.alias after the session was closed (:issue:`4147`).
* Some comments orphaned from their update were causing internal server
  errors. We now enforce a not null check so that a comment cannot be created
  without associating it to an update. The orphaned comments are removed from
  the database by the migration script (:issue:`4155`).
* Dockerfile for pip CI tests has been fixed (:issue:`4158`).

Development improvements
========================

* Rename `Release.get_testing_side_tag()` to `get_pending_testing_side_tag()`
  to avoid confusion (:pr:`4109`).
* Added F33 to tests pipeline (:pr:`4132`).

Contributors
============

The following developers contributed to this release of Bodhi:

* Adam Saleh
* Clement Verna
* Justin Caratzas
* Jonathan Wakely
* Karma Dolkar
* Mattia Verga
* Pierre-Yves Chibon
* Rayan Das
* Sebastian Wojciechowski

5.6.0

5.5
===

Not secure

This is a bugfix release.

Features
========

* Added metrics endpoint for scraping by Prometheus.
* Allowed querying releases and updates using graphql endpoint.

Bug fixes
=========

* Disable manual creation of updates for releases not composed by Bodhi and add
  some bits in the docs on how to handle automatic updates not being created
  (:issue:`4058`).
* Fix TestCase validation upon feedback submission (:issue:`4088`).
* Do not let update through when bodhi fails to talk to greenwave
  (:issue:`4089`).
* Fix package name encoding in URLs (:issue:`4095`).
* bodhi can't be installed from pypi (:issue:`3919`).

Contributors
============

The following developers contributed to this release of Bodhi:

* Adam Saleh
* Clement Verna
* Karma Dolkar
* Mattia Verga
* Pierre-Yves Chibon

5.5.0

5.4.0
=====

Not secure

This is a minor release.


Server upgrade instructions
===========================

This release contains database migrations. To apply them, run::

    $ sudo -u apache /usr/bin/alembic -c /etc/bodhi/alembic.ini upgrade head


Summary of the migrations:

* Migrate relationship between TestCase and Package to TestCase and Build. The migration script will take care of migrating existing data to the new relation.
* The user_id column in comments table has been set to be not nullable.
* The notes column in buildroot_overrides table has been converted to UnicodeText (from Unicode).

Bug fixes
=========

* Associate TestCase to Build instead of Package, allowing old testcases to be
  removed from updates (:issue:`1794`).
* Replace koji krb_login with gssapi_login (:issue:`4029`).
* Making sure that builds of side tag update for normal releases are marked as
  signed (:issue:`4032`).
* Handle Cornice 5.0 JSON error handling (:issue:`4033`).
* Cap buildroot overrides notes to a maximum of 2k characters and convert the
  database field to UnicodeText (:issue:`4044`).

Development improvements
========================

* The user_id field in the comments table has been made not nullable. Some
  database joins have been tweaked to get better performance (:pr:`4046`).
* Always use koji.multiCall for untag/unpush to better handle updates with a
  lot of builds (:pr:`4052`).

Contributors
============


The following developers contributed to this release of Bodhi:

* Clement Verna
* Karma Dolkar
* Mattia Verga
* Miro Hrončok
* Sebastian Wojciechowski
