- SEC: mitigate potential CRLF injection attacks from malicious URLs (thanks @samwcyo, #237)
- FIX: bcrypt is now installed into the Docker image, which allows passlib to work like it should (thanks @Diftraku, #224)
- MAINT: integration tests with twine have been updated to use the command-line interface rather than the internal API, which should make them more resilient over time (#226)
- FIX: the command to download new versions of available packages now works with pip >= 10.0 (thanks @elboerto, #215)
- MAINT: Remove broken downloads badge (thanks @hugovk, #209)
- ENH: Improved Dockerfile and docker-compose example, docs for using the docker image, automatic docker builds
- FIX: update fallback URL to https://pypi.org/simple since pypi.python.org has shut down
- FIX: updated tests to use Popen rather than pip.main() given its removal in pip version 10.0
- DOC: scrubbed docs of links to pypi.python.org
- DEPRECATION: Drop support for Python 3.3 (thanks @hugovk, #198)
- FIX propagation of certain pypiserver settings via a paste.ini config file (thanks @luismsgomes, #156)
- FIX update default fallback URL to be https for compliance with PyPI (thanks @uSpike, #182)
- FIX resolved a regression preventing spinning up multiple pypiservers via a paste config (thanks @bertjwregeer, #173)
- FIX cmdline parsing of stray comparison consuming many flags (e.g. --help), and docs about auther (thanks to @sakurai-youhei, #162).
- Travis CI testing for Python 3.6 and pypy3 (#183)
- Several documentation improvements (thanks @tescalada, #166, #161, #172 and @axnsan12, #190)
"Brexit": Normalize and stop legacy support.
- Less rigorous support for python-2 < 2.7 and python-3 < 3.3.
- Package normalizations and PEP 503 updates:
  - Package names are normalized: convert all characters to lower-case and replace any of [-_.] with a dash ('-').
  - The simple index only lists normalized package names.
  - Any request for a non-normalized package name is redirected to the normalized name.
  - URLs are redirected unless they end in '/' (except packages themselves).
  - (thanks to @dpkp, #38, #139, #140)
- Added pip search support. (thanks to @blade2005, #80, #114)
- FIX startup regressions for other WSGI-servers, introduced by previous v1.1.10. (thanks to @virtuald, @Oneplus, @michaelkuty, @harcher81, @8u1a, #117, #122, #124/#127/#128)
- FIX over-writing of packages even without the --overwrite flag. (thanks to @blade2005, #113)
- Fixes for paste, gunicorn and other WSGI servers. (thanks to @corywright, @virtuald, @montefra, #112, #118, #119)
- Updates and fixes needed due to changes in dependent libraries. (thanks @dpkp, #120/#121, #129, #141/#142)
- Add cache for speeding up GPG signatures. (thanks to @virtuald, #116)
- Other minor fixes and improvements. (thanks to @bibby, @Oneplus, @8u1a, #129, #131)
- TravisCI-test against python-3.5. (#107, #108, #110)
- docs:
  - Provide samples for Automated Startup (systemd & hypervisor). (thanks to @ssbarnea, #137, #146)
  - Add usage instructions for related project pypi-uploader. (thanks to @ssbarnea & @bibby, #147)
  - doc: Provide sample-code to authenticate using /etc/passwds file via pam modules in Unix. (thanks to @blade2005, #149, #151-#153)
  - Improved API usage instructions.
- Detailed changes recorded in Github's milestone 1.2.0.
Serve 1000s of packages, PGP-Sigs, skip versions starting with 'v'.
- #101: Speed-up server by (optionally) using the watchdog package to cache results, serve packages directly from proxying-server (Apache, nginx), and pre-compile regexes (thanks @virtuald).
- #106: Support uploading PGP-signatures (thanks @mplanchard).
- Package-versions parsing modifications:
  - #104: Stopped parsing invalid package-versions prefixed with v; they are invalid according to PEP 0440 (thanks @virtuald & @stevejefferiesIDBS).
  - Support versions with epochs separated by ! like package-1!1.1.0.
- #102: FIX regression on uploading packages with + char in their version caused by recent bottle-upgrade.
- #103: Minor doc fixes (thanks @MichaelSchneeberger).
"Ssss-elections" bug-fix & maintenance release.
- Upgrade bottle 1.11.6-->1.13-dev.
- Fixes MAX_PARAM limiting dependencies (#82)
- Rework main startup and standalone:
  - New standalone generation based on ZIPed wheel archive.
  - Replace all sys.module mechanics with relative imports.
  - Fix gevent monkeypatching (#49).
  - Simplify definition of config-options on startup.
  - TODO: Move startup-options validations out of main() and into pypiserver.core package, to validate also start-up from API-clients.
- #53: Like PyPI, HREF-links now contain package's md5-hashes in their fragment. Add --hash_algo cmd-line option to turn-off or specify other hashlib message-digest algorithms (e.g. sha256 is a safer choice, set it to off to avoid any performance penalty if hosting a lot of packages).
- #97: Add --auther non cmd-line startup-option to allow for alternative authentication methods (non HtPasswdFile-based one) to be defined by API-clients (thanks @Tythos).
- #91: Attempt to fix register http failures (thanks to @Tythos and @petri).
- Test actual clients (ie pip, Twine, setuptools).
- Test spurious setuptools failures.
- NOT FIXED! Still getting spurious failures.
- Various other fixes:
  - #96: Fix program's requirement (i.e. add passlib as extra-requirement). Provide requirements files also for developers.
  - logging: Send also bottle _stderr to logger; fix logger names.
  - #95: Add missing loop-terminators in bottle-templates (thanks to @bmflynn).
"Finikounda" release.
- Allow un-authenticated uploads (no htpasswd file) (#55).
- Fixes on package-name handling (#85 and #88, #89).
- Respect logging cmd-line options (#81).
- Add TCs for standalone script and other build-issues (#92)
- See milestone:M1.1.8 on github for all fixes included.
1st release under cooperative ownership:
- #65, #66: Improve Auth for private repos by supporting password protected package listings and downloads, in addition to uploads (use the -a, --authenticate option to specify which to protect).
- #67: Add cache-control http-header, required by pip.
- #56, #70: Ignore non-packages when serving.
- #58, #62: Log all http-requests.
- #61: Possible to change welcome-msg.
- #77, #78: Avoid XSS by generating web-content with SimpleTemplate instead of python's string-substs.
- #38, #79: Instruct to use --extra-index-url for misspelled dependencies to work, reorganize README instructions.
- remove --index-url cli parameter introduced in 1.1.5
- only list devpi-server and proxypypi as alternatives
- fix wheel file handling for certain wheels
- serve wheel files as application/octet-stream
- make pypiserver executable from wheel file
- build universal wheel
- remove scripts subdirectory
- add --index-url cli parameter
- make pypiserver compatible with pip 1.5 (pypiserver#42)
- make guessing of package name and version more robust
- fix "pypi-server -U" stable/unstable detection, i.e. do not accidentally update to unstable packages
- add 'overwrite' option to allow overwriting existing package files (default: false)
- show names with hyphens instead of underscores on the "/simple" listing
- make the standalone version work with jython 2.5.3
- upgrade waitress to 0.8.5 in the standalone version
- workaround broken xmlrpc api on pypi.python.org by using HTTPS
- implement multi-root support (one can now specify multiple package roots)
- normalize pkgnames, handle underscore like minus
- sort files by their version, not alphabetically
- upgrade embedded bottle to 0.11.6
- upgrade waitress to 0.8.2 in the standalone script
- merge vsajip's support for verify, doc_upload and remove_pkg
- make 'pypi-server -Ux' work on windows ('module' object has no attribute 'spawnlp', pypiserver#26)
- use absolute paths in hrefs for root view (pypiserver#25)
- add description of uploads to the documentation
- make the test suite work on python 3
- make pypi-server-standalone work with python 2.5
- add passlib and waitress to pypi-server-standalone
- upgrade bottle to 0.11.3
- Update scripts/opensuse/pypiserver.init
- Refuse to re-upload existing file
- Add 'console_scripts' section to 'entry_points', so 'pypi-server.exe' will be created on Windows.
- paste_app_factory now uses the password_file option to create the app. Without this the package upload was not working.
- Add --fallback-url argument to pypi-server script to make it configurable.
- make 'python setup.py register' work
- added init scripts to start pypiserver on ubuntu/opensuse
- make pypiserver work with pip on windows
- add support for password protected uploads
- make pypiserver work with non-root paths
- make pypiserver 'paste compatible'
- allow to serve multiple package directories using paste
- provide a way to get the WSGI app
- improved package name and version guessing
- use case insensitive matching when removing archive suffixes
- fix pytz issue #6
- make 'pypi-server -U' compatible with pip 1.1
- make setup.py install without calling 2to3 by changing source code to be compatible with both python 2 and python 3. We now ship a slightly patched version of bottle. The upcoming bottle 0.11 also contains these changes.
- make the single-file pypi-server-standalone.py work with python 3
- upgrade bottle to 0.9.7, fixes possible installation issues with python 3
- remove dependency on pkg_resources module when running 'pypi-server -U'
- add functionality to manage package updates
- updated documentation
- python 3 support has been added
- pypiserver now scans the given root directory and its subdirectories recursively for packages. Files and directories starting with a dot are now ignored.
- /favicon.ico now returns a "404 Not Found" error
- pypiserver now contains some unit tests to be run with tox
- better matching of package names (i.e. don't install package if only a prefix matches)
- redirect to the real pypi.python.org server if a package is not found.
- add some documentation about configuring easy_install/pip
- provide single file script pypi-server-standalone.py
- better documentation
- prefix comparison is now case insensitive
- added usage message
- show minimal information for root url
- don't require external dependencies
- initial release