Files @ 57a733313e4f
Branch filter:

Location: kallithea/scripts/make-release

57a733313e4f 2.4 KiB text/plain Show Annotation Show as Raw Download as Raw
Mads Kiilerich
repos: introduce low level slug check of repo and group names

The high level web forms already slug-ify repo and repo group names. It might
thus not create the exact repo that was created, but the name will be "safe".

For API, we would rather have it fail than not doing exactly what was requested.

Thus, always verify at low level that the provided name wouldn't be modified by
slugification. This makes sure the API provide allow the same actual names as
the web UI.

This will only influence creation and renaming of repositories and repo groups.
Existing repositories will continue working as before.

This is a slight API change, but it makes the system more stable and can
prevent some security issues - especially XSS attacks.

This issue was found and reported by
Kacper Szurek
https://security.szurek.pl/
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
#!/bin/bash
set -e
set -x

echo "Install/verify tools needed for building and uploading stuff"
pip install --upgrade -e .
pip install --upgrade -r dev_requirements.txt Sphinx Sphinx-PyPI-upload

echo "Cleanup and update copyrights ... and clean checkout"
scripts/run-all-cleanup
scripts/update-copyrights.py
hg up -cr .

echo "Make release build from clean checkout in build/"
rm -rf build dist
hg archive build
cd build

echo "Check MANIFEST.in"
sed -e 's/[^ ]*[ ]*\([^ ]*\).*/\1/g' MANIFEST.in | grep -v '^node_modules/bootstrap\|^kallithea/public/css/style.css' | xargs ls -lad

echo "Build dist"
python2 setup.py compile_catalog
python2 setup.py sdist

echo "Verify VERSION from kallithea/__init__.py"
namerel=$(cd dist && echo Kallithea-*.tar.gz)
namerel=${namerel%.tar.gz}
version=${namerel#Kallithea-}
ls -l $(pwd)/dist/$namerel.tar.gz
echo "Releasing Kallithea $version in directory $namerel"

echo "Verify dist file content"
diff -u <((hg mani | grep -v '^\.hg') | LANG=C sort) <(tar tf dist/Kallithea-$version.tar.gz | sed "s|^$namerel/||" | grep . | grep -v '^kallithea/i18n/.*/LC_MESSAGES/kallithea.mo$\|^Kallithea.egg-info/\|^PKG-INFO$\|/$' | LANG=C sort)
! tar tf dist/Kallithea-$version.tar.gz | grep "$namerel/node_modules/bootstrap/\$"

echo "Verify docs build"
python2 setup.py build_sphinx # not used yet ... but we want to make sure it builds

cat - << EOT

Now, make sure
* the copyright and contributor lists have been updated
* all tests are passing
* release note is ready
* announcement is ready
* source has been pushed to https://kallithea-scm.org/repos/kallithea

EOT

echo "Verify current revision is tagged for $version"
hg log -r "'$version'&." | grep .

echo -n "Enter \"pypi\" to upload Kallithea $version to pypi: "
read answer
[ "$answer" = "pypi" ]

echo "Upload docs to pypi"
# See https://wiki.python.org/moin/PyPiDocumentationHosting
python2 setup.py build_sphinx upload_sphinx
xdg-open https://pythonhosted.org/Kallithea/
xdg-open http://packages.python.org/Kallithea/installation.html

echo "Rebuild readthedocs for docs.kallithea-scm.org"
xdg-open https://readthedocs.org/projects/kallithea/
curl -X POST http://readthedocs.org/build/kallithea
xdg-open https://readthedocs.org/builds/kallithea/
xdg-open http://docs.kallithea-scm.org/en/latest/ # or whatever the branch is

extraargs=${EMAIL:+--identity=$EMAIL}
python2 setup.py sdist upload --sign $extraargs
xdg-open https://pypi.python.org/pypi/Kallithea
This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3.