From metatracker at psf.upfronthosting.co.za Tue Dec 3 07:25:52 2013
From: metatracker at psf.upfronthosting.co.za (Florian Pilz)
Date: Tue, 03 Dec 2013 06:25:52 +0000
Subject: [Tracker-discuss] [issue458] editing "homepage" field is not possible
In-Reply-To: <1334485569.34.0.217371137544.issue458@psf.upfronthosting.co.za>
Message-ID: <1386051952.07.0.0904555500927.issue458@psf.upfronthosting.co.za>

Florian Pilz added the comment:

This bug is here for over a year now and still not fixed. Requires some more attention.

----------
assignedto: loewis ->
nosy: +florianpilz
status: unread -> chatting

_______________________________________________________
PSF Meta Tracker
_______________________________________________________

From metatracker at psf.upfronthosting.co.za Wed Dec 11 22:10:48 2013
From: metatracker at psf.upfronthosting.co.za (Ned Deily)
Date: Wed, 11 Dec 2013 21:10:48 +0000
Subject: [Tracker-discuss] [issue532] Remove 2.6 from list of versions
Message-ID: <1386796248.8.0.813249162753.issue532@psf.upfronthosting.co.za>

New submission from Ned Deily:

With the transition of Python 2.6 to retired state, we should remove 2.6 from the versions list available on tracker issues.

----------
messages: 2804
nosy: ned.deily
priority: bug
status: unread
title: Remove 2.6 from list of versions

_______________________________________________________
PSF Meta Tracker
_______________________________________________________

From metatracker at psf.upfronthosting.co.za Thu Dec 12 07:22:20 2013
From: metatracker at psf.upfronthosting.co.za (Stephen Turnbull)
Date: Thu, 12 Dec 2013 06:22:20 +0000
Subject: [Tracker-discuss] [issue532] Remove 2.6 from list of versions
In-Reply-To: <1386796248.8.0.813249162753.issue532@psf.upfronthosting.co.za>
Message-ID: <87k3fa1td5.fsf@uwakimon.sk.tsukuba.ac.jp>

Stephen Turnbull added the comment:

Ned Deily writes:
>
> New submission from Ned Deily:
>
> With the transition of Python 2.6 to retired state, we should
> remove 2.6 from the versions list available on tracker issues.

Urk. Most of the Macs within arm's reach have a default Python of 2.6. I'm sure it's in common use "out there," and where else can people go to research issues for old versions?

How about a reactor that automatically closes issues that only apply to retired versions, and returns a page notifying the submitter of that fact? Optionally, change "2.6" to "retired" in the UI versions list?

Unfortunately, I can't volunteer to look into creating such a reactor and documenting it for at least 8 weeks (it's been well over a year since I've looked at roundup, it's not going to be a one-day project for me), so I won't take it amiss if this suggestion is summarily dismissed.

----------
nosy: +stephen
status: unread -> chatting

_______________________________________________________
PSF Meta Tracker
_______________________________________________________

From metatracker at psf.upfronthosting.co.za Thu Dec 12 08:37:13 2013
From: metatracker at psf.upfronthosting.co.za (Ned Deily)
Date: Thu, 12 Dec 2013 07:37:13 +0000
Subject: [Tracker-discuss] [issue532] Remove 2.6 from list of versions
In-Reply-To: <1386796248.8.0.813249162753.issue532@psf.upfronthosting.co.za>
Message-ID: <1386833833.66.0.201370332381.issue532@psf.upfronthosting.co.za>

Ned Deily added the comment:

You could make similar arguments about 2.5 or earlier releases (or 3.0), all of which have already been removed. More importantly, python-dev uses the version field to indicate "the known versions of Python that the issue affects and should be fixed for" (http://docs.python.org/devguide/triaging.html#versions), not all versions (supported or otherwise) that might be affected by the issue. Since at least the time 2.6 entered security-fix mode, we have routinely deselected 2.6 from those issues where it was set, so, even if we didn't remove 2.6 from the version list, you could not depend on searching the version field for 2.6.

_______________________________________________________
PSF Meta Tracker
_______________________________________________________

From metatracker at psf.upfronthosting.co.za Thu Dec 12 11:31:14 2013
From: metatracker at psf.upfronthosting.co.za (Stephen Turnbull)
Date: Thu, 12 Dec 2013 10:31:14 +0000
Subject: [Tracker-discuss] [issue532] Remove 2.6 from list of versions
In-Reply-To: <1386833833.66.0.201370332381.issue532@psf.upfronthosting.co.za>
Message-ID: <87fvpy1hua.fsf@uwakimon.sk.tsukuba.ac.jp>

Stephen Turnbull added the comment:

Ned Deily writes:

> You could make similar arguments about 2.5 or earlier releases (or
> 3.0), all of which have already been removed.

Indeed, I would.

> Since at least the time 2.6 entered security-fix mode, we have
> routinely deselected 2.6 from those issues where it was set, so,
> even if we didn't remove 2.6 from the version list, you could not
> depend on searching the version field for 2.6.

That kinda sucks, but it's certainly not worth fixing. I withdraw the suggestion.

_______________________________________________________
PSF Meta Tracker
_______________________________________________________

From metatracker at psf.upfronthosting.co.za Thu Dec 12 15:53:29 2013
From: metatracker at psf.upfronthosting.co.za (R David Murray)
Date: Thu, 12 Dec 2013 14:53:29 +0000
Subject: [Tracker-discuss] [issue532] Remove 2.6 from list of versions
In-Reply-To: <1386796248.8.0.813249162753.issue532@psf.upfronthosting.co.za>
Message-ID: <1386860009.69.0.405376209109.issue532@psf.upfronthosting.co.za>

R David Murray added the comment:

Technically it is possible to search for retired version, and the search form could even be changed to support it. I'm not sure that it is worth it, though...I don't know what purpose would be served by searching based on version as opposed to searching for a particular problem.

So it sounds like your real issue is the fact that we don't really accept bug reports for non-supported versions...which I think is just a fact of life in a community with limited resources. We're OK with people posting patches "if you want to fix this yourself", but those you would discover by searching for the problem, rather than the version.

----------
nosy: +r.david.murray

_______________________________________________________
PSF Meta Tracker
_______________________________________________________

From metatracker at psf.upfronthosting.co.za Thu Dec 12 15:56:45 2013
From: metatracker at psf.upfronthosting.co.za (Barry Warsaw)
Date: Thu, 12 Dec 2013 14:56:45 +0000
Subject: [Tracker-discuss] [issue532] Remove 2.6 from list of versions
In-Reply-To: <1386860009.69.0.405376209109.issue532@psf.upfronthosting.co.za>
Message-ID: <20131212095643.2105978e@anarchist.wooz.org>

Barry Warsaw added the comment:

I have no problem keeping 2.6 (or any other retired version) as an explicit version in the tracker. It will never get fixed officially, but that doesn't mean it's not helpful for 3rd parties to still discuss bugs and share patches.

----------
nosy: +barry

_______________________________________________________
PSF Meta Tracker
_______________________________________________________

From metatracker at psf.upfronthosting.co.za Thu Dec 12 16:12:31 2013
From: metatracker at psf.upfronthosting.co.za (R David Murray)
Date: Thu, 12 Dec 2013 15:12:31 +0000
Subject: [Tracker-discuss] [issue532] Remove 2.6 from list of versions
In-Reply-To: <1386796248.8.0.813249162753.issue532@psf.upfronthosting.co.za>
Message-ID: <1386861151.89.0.176565317479.issue532@psf.upfronthosting.co.za>

R David Murray added the comment:

Before I saw Barry's message, I removed 2.6 from the list of versions via the web interface (which retires it). It can be re-added (un-retired) though, if we have consensus on that. (It is id '1', which someone will need to know if they do this.) But, our past policy has been to retire the version when it leaves security maintenance mode.

_______________________________________________________
PSF Meta Tracker
_______________________________________________________

From metatracker at psf.upfronthosting.co.za Fri Dec 13 12:18:02 2013
From: metatracker at psf.upfronthosting.co.za (Martin v. Löwis)
Date: Fri, 13 Dec 2013 11:18:02 +0000
Subject: [Tracker-discuss] [issue532] Remove 2.6 from list of versions
In-Reply-To: <1386796248.8.0.813249162753.issue532@psf.upfronthosting.co.za>
Message-ID: <1386933482.99.0.765731773723.issue532@psf.upfronthosting.co.za>

Martin v. Löwis added the comment:

I think that the version should stay retired. If it was available, people would continue to report issues specifically against this version, and it would take maintenance time to clarify that the issues will not get fixed. I believe this avoidable overhead outweighs any advantages that simpler access to issues of retired versions might have.

----------
nosy: +loewis

_______________________________________________________
PSF Meta Tracker
_______________________________________________________

From metatracker at psf.upfronthosting.co.za Fri Dec 20 18:40:23 2013
From: metatracker at psf.upfronthosting.co.za (Ralf Schlatterbeck)
Date: Fri, 20 Dec 2013 17:40:23 +0000
Subject: [Tracker-discuss] [issue519] XSS issues
In-Reply-To: <1373832538.8.0.202892203202.issue519@psf.upfronthosting.co.za>
Message-ID: <1387561223.67.0.961679383749.issue519@psf.upfronthosting.co.za>

Ralf Schlatterbeck added the comment:

I've finally fixed this in roundup core, changeset is 24b8011cd2dc

Note that the bug as reported doesn't currently occur in roundup (even before my fix) as we currently don't issue error messages for non-existing properties used in sort/group clauses (they're simply ignored as we have search permissions for some time so it can always occur that a user may not search for a certain property in which case this property is ignored in sort/group and filter clauses).

On the other hand it *is* asking for trouble to not escape error/ok messages so I've changed this in the templates and reworked the core code to not escape messages. This *needs* a change to the template. So if you apply only the patch to roundup core you're *more vulnerable than before*. Be sure to apply the patch to the template, see doc/upgrading.txt.

I've committed the necessary changes to roundup's own tracker but didn't dare to upgrade the whole install at bugs.python.org (although I do have access). I certainly am willing to help when someone else takes this job and needs/wants help.

See roundup's bug-report for this issue:
http://issues.roundup-tracker.org/issue2550817

Ralf

----------
nosy: +runtux

_______________________________________________________
PSF Meta Tracker
_______________________________________________________

From metatracker at psf.upfronthosting.co.za Thu Dec 26 14:44:52 2013
From: metatracker at psf.upfronthosting.co.za (Martin v. Löwis)
Date: Thu, 26 Dec 2013 13:44:52 +0000
Subject: [Tracker-discuss] [issue527] HTTPS / SSL / Secure access
In-Reply-To: <1380348162.36.0.964046648568.issue527@psf.upfronthosting.co.za>
Message-ID: <1388065492.14.0.933701509399.issue527@psf.upfronthosting.co.za>

Martin v. Löwis added the comment:

I have now installed a CACert certificate, so https is available for bugs.python.org

_______________________________________________________
PSF Meta Tracker
_______________________________________________________

From benjamin at python.org Fri Dec 20 18:04:05 2013
From: benjamin at python.org (Benjamin Peterson)
Date: Fri, 20 Dec 2013 17:04:05 -0000
Subject: [Tracker-discuss] Fwd: [PSRT] Cross-Site Scripting(XSS) vulnerability found on your website
In-Reply-To:
References:
Message-ID:

Not sure if this is interesting.

---------- Forwarded message ----------
From: Gaurav Mishra
Date: 2013/12/19
Subject: [PSRT] Cross-Site Scripting(XSS) vulnerability found on your website
To: security at python.org

Hello Sir,

I have found a vulnerability in your http://bugs.python.org/ domain. And the type of vulnerability found is called Cross-Site Scripting (XSS).

Mentioned below is the URL of the page where the bug has been found:
http://bugs.python.org/issue?%40columns=status&message_count=&%40action=search

Parameters Impacted: message_count

Following are the steps used in finding this vulnerability (PoC):

1. I posted the following script : on the message_count parameter.
2. As soon as we submit the crafted URL, we get an alert box saying XSS.

URL: http://bugs.python.org/issue?%40columns=status&message_count=">
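
Added example, not part of the archived thread and not roundup's own code: a simplified model of the upgrade hazard described in the issue519 comment above, where escaping of error/ok messages moves from the core to the templates. The function names, the message text and the harmless marker string are constructed for illustration; the "old core escapes, old template inserts raw" split is an assumption drawn from that comment.

```python
import html

# Constructed, harmless marker standing in for attacker-controlled markup
# that a request parameter reflects into an error message.
PAYLOAD = '"><em>injected</em>'


def core_message(text, core_escapes):
    """Model of the core handing an error message to the page context.

    Assumption: the old core escaped here, the reworked core does not.
    """
    return html.escape(text, quote=True) if core_escapes else text


def template_render(message, template_escapes):
    """Model of the template writing the message into the HTML page.

    Assumption: old templates insert the value raw, upgraded ones escape it.
    """
    body = html.escape(message, quote=True) if template_escapes else message
    return '<p class="error-message">%s</p>' % body


def classify(rendered, payload=PAYLOAD):
    """Return 'vulnerable', 'double-escaped', 'ok' or 'unknown'."""
    once = html.escape(payload, quote=True)
    twice = html.escape(once, quote=True)
    if payload in rendered:
        return "vulnerable"        # raw markup reached the page
    if twice in rendered:
        return "double-escaped"    # safe, but users see literal entities
    if once in rendered:
        return "ok"                # escaped exactly once
    return "unknown"


def upgrade_matrix():
    """Classify all four core/template combinations."""
    result = {}
    for core_escapes in (True, False):
        for template_escapes in (False, True):
            msg = core_message("Invalid value: " + PAYLOAD, core_escapes)
            page = template_render(msg, template_escapes)
            key = ("old core" if core_escapes else "new core",
                   "new template" if template_escapes else "old template")
            result[key] = classify(page)
    return result


if __name__ == "__main__":
    for combo, verdict in upgrade_matrix().items():
        print("%s + %s: %s" % (combo + (verdict,)))
```

Only the "new core" with "old template" combination lets the marker through unescaped, which is the half-applied upgrade the comment warns about; a deployment check along these lines can run against a staging tracker before the core patch goes live.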