Debian Patches
Status for pagure/5.14.1+dfsg-8
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| 0027-dont-strip-None.patch | Check for None before using string methods, not after (wtforms now returns None instead of an empty string for no input). 83ad40b6 2889d1e9 dcb9b6a9 | Michal Konečný, Dominik Wombacher | not-needed | upstream d269390c 77a3fbf5 7832b71a 4351d921 dbb90e2c | ||
| 0039-merge-pattern-seconds.patch | Accept merge message with seconds count. See 5.14.1+dfsg-3 build log for failure examples | Rebecca N. Palmer <rebecca_palmer@zoho.com> | no | |||
| 0040-path-special-characters.patch | Allow building in paths with version-number characters. werkzeug.secure_filename (called from add_attachment) strips out most special characters, including some allowed in Debian version numbers | Rebecca N. Palmer <rebecca_palmer@zoho.com> | no | |||
| 0009-security.patch | Fix (probably minor) security issues. (1) Quote non-escaping in HTML: highlightjs/highlight.js#1475, highlightjs/highlight.js#2235. Only quotes, not other characters, were left unescaped. (2) JavaScript prototype pollution: lodash/lodash#4336 = CVE-2019-10744, lodash CVE-2018-16487, chartjs/Chart.js#7920, chartjs/Chart.js#7918. These are probably not exploitable from pagure, as the vulnerable merge functions are used for merging configuration objects with their defaults, and pagure only calls chartjs (from static/issues_stats.js) and diff2html (from templates/commit.html) with fixed configs, not configs depending on content supplied by other users (e.g. the commit or pull request being viewed). (3) Leaks existence/metadata of files outside the repository: Zip archiving a repository containing symlinks uses the metadata of the pointed-to file (which may be outside the repository), not the symlink itself, and fails if that file does not exist. (It used to include the file's content as well, CVE-2024-47515, but that has already been fixed by upstream.) | Kirill Efimov, John-David Dalton, Jukka Kurkela, Evert Timberg, Josh Goebel, Ivan Sagalaev, Rebecca N. Palmer <rebecca_palmer@zoho.com> | yes | mostly upstreams of these JavaScript libraries | ||
| 0003-Adjust-path-of-aclchecker.py.patch | Adjust path of aclchecker.py. Pagure's default_config.py file contains a hardcoded path for the aclchecker.py script which doesn't work for us (/usr/libexec, Fedora-specific). This patch adjusts the path to where we actually install the script (/usr/share/pagure). pagure-ev/pagure_ev.service is not similarly patched because we don't install that (we use our pagure-ev-server.service instead) | Sergio Durigan Junior <sergiodj@sergiodj.net> | not-needed | |||
| 0004-Adjust-flask_app.py-to-locate-template-static-and-th.patch | Adjust flask_app.py to locate template, static and theme files. On Debian, we install template, static and theme files under /usr/share/pagure (instead of /usr/lib/python3/dist-packages/pagure, which is upstream's default). For that reason, we have to adjust flask_app.py in order to make it properly locate these files. | Sergio Durigan Junior <sergiodj@debian.org> | not-needed | |||
| 0018-optional-test-depends.patch | Skip tests with dependencies we don't have | Rebecca N. Palmer <rebecca_palmer@zoho.com> | no | |||
| 0038-remove-mock.patch | Replace mock with unittest.mock. Generated by: `shopt -s globstar; dpkg-source --before-build .; for f0 in pagure/**/*.py tests/**/*.py dev-data.py ; do sed -i -E -e 's/import mock$/import unittest.mock as mock/g' -e 's/from mock import/from unittest.mock import/g' ${f0} ; done` | Rebecca N. Palmer <rebecca_palmer@zoho.com> | no | debian | ||
| 0002-Fix-Python-shebang-for-various-scripts.patch | Fix Python shebang for various scripts. Pagure ships with the "/usr/bin/env python" shebang, which doesn't work on Debian because "python" refers to Python 2. This patch replaces every occurrence of this by "/usr/bin/python3". | Sergio Durigan Junior <sergiodj@sergiodj.net> | invalid | |||
| 0017-spelling.patch | Fix typos and grammar | Rebecca N. Palmer <rebecca_palmer@zoho.com> | no | |||
| 0022-pygit2-git_obj_commit-removed.patch | Stop trying to use (removed) pygit2.GIT_OBJ_COMMIT | Rebecca N. Palmer <rebecca_palmer@zoho.com> | yes | |||
| 0025-no-markdown-etree.patch | Be compatible with newer markdown | Michal Konečný, Dominik Wombacher | no | part of upstream ee9713375e857f054664dc82e14fa86bbd2fe1e6 | ||
| 0030-arrow-timestamp.patch | arrow 'timestamp' property removed in >=v1.0.0 | Dominik Wombacher, Michal Konečný, Rebecca N. Palmer <rebecca_palmer@zoho.com> | yes | based on 39b99cc5 + febbf04e + ce28af0f + 5a73e49e | ||
| investigate_test_failures.patch | debug output | Rebecca N. Palmer <rebecca_palmer@zoho.com> | not-needed | |||
| 0031-chardet-encoding-list.patch | expect newer chardet output | Dominik Wombacher | not-needed | upstream 50c49a5f + 86a42ecd | ||
| 0006-use-markupsafe-escape.patch | 'jinja2.escape' is deprecated and will be removed in Jinja 3.1. Import 'markupsafe.escape' instead. | Klaus Koder | not-needed | |||
| 0021-bleach-now-frozenset.patch | can't add list to frozenset | Rebecca N. Palmer <rebecca_palmer@zoho.com> | not-needed | |||
| 0044-missing-Location-header.patch | Allow missing Location header | Rebecca N. Palmer <rebecca_palmer@zoho.com> | no | |||
| 0045-flask-3p1p2.patch | Avoid view_file crash in Flask 3.1.2 | Rebecca N. Palmer <rebecca_palmer@zoho.com> based on Flask | no | debian upstream | ||
| 0042-plugins-flaskwtfcompat.patch | Avoid CSRF errors on plugins. "csrf_enabled" is deprecated since flask-wtf v0.14, removed in v1.0, replaced by "meta={'csrf': }" | Dominik Wombacher | not-needed | upstream 34faff4927b2427aae6a4b2efd06d87bd642209e | ||
| 0015-sqlalchemy-relation-renamed.patch | use new name | Dominik Wombacher, Rebecca N. Palmer <rebecca_palmer@zoho.com> | not-needed | upstream | ||
| 0016-use-markupsafe-markup.patch | flask.Markup no longer exists | Dominik Wombacher, Rebecca N. Palmer <rebecca_palmer@zoho.com> | not-needed | upstream | ||
| 0019-create_remote-removed.patch | stop using pygit2 Repository.create_remote. Does not exist in 1.14+, replaced by Repository.remotes.create | Dominik Wombacher | not-needed | upstream 1cf9ec5a298e04acc738f343b29c26b36ba273a3 | ||
| 0023-celery-no-empty-id.patch | Don't pass empty task_id to Celery. Fails in celery 5.3.0+ | Klaus Koder | not-needed | upstream | ||
| 0024-unittest-renames.patch | 'assertEquals' removed, replaced by 'assertEqual' | Dominik Wombacher | not-needed | upstream 8c301083 + d7803cdd | ||
| 0026-error-messages.patch | expect new spelling/format of error messages. 19d2b27b + f9185cd0 + 061d07ec + 2dfe6da4 + a2b3d943 | Dominik Wombacher, Michal Konečný | not-needed | upstream 349fe5a9 + efc12ec5 + 1a5c449c + | ||
| 0035-avoid-415-emptyjson.patch | Don't require JSON to be marked as such (in particular, this allows requests where having *any* body data is optional) | Dominik Wombacher | not-needed | upstream 7235ae9ab0adcbe9def07fe4b6397a8edebb5393 | ||
| 0028-alembic-no3suffix.patch | Rename 'alembic-3' to 'alembic' in unit tests | Dominik Wombacher | not-needed | upstream 49be21253ea7ce2e48019a492c44d3f2ff804ccc | ||
| 0037-emptystr-vs-None.patch | None is not the empty string | Dominik Wombacher | not-needed | upstream e830f17a + c719bf09 | ||
| 0005-update-wtform-validator-call.patch | Fix wtforms issue. The Required validator is no longer available. This will use DataRequired instead of Required. | zlopez, Michal Konečný | not-needed | |||
| 0007-cgi-escape-removed.patch | Python 3.13 removes cgi | Matthieu Moy, Rebecca N. Palmer <rebecca_palmer@zoho.com> | yes | debian | based on git-multimail ddc9a1c | |
| 0008-fix-warning-1085764.patch | Avoid invalid escape SyntaxWarning | Ville Skyttä | yes | debian | git-multimail eb590c3 | |
| 0020-pygit2-hex-oid-removed.patch | Stop using pygit2 .oid and .hex (they no longer exist). This generates approximately this patch (but isn't exactly what was used as some bugs were fixed afterwards) but needs some manual fixup: shopt -s globstar dpkg-source --before-build . # the first one is where we can easily tell where the str( goes - note that ([ not ]) in (1) is intentional, (3) matches either nothing or one of [0], [-1], () # the __str__() form is used where we can't easily tell where the str( goes, and may be manually fixed up afterwards, or in jinja templates (where the builtins aren't available but method calls are) # ($|[^a-z]) is to avoid matching longer names that start with .oid or .hex # peel() is an object, .target and .tree_id are oids # assume the rest are objects (this way round as calling .id on already-an-oid will *immediately* fail) and see what complains for f0 in pagure/templates/**/*.html ; do sed -i -E -e 's/\.(oid|target|tree_id)\.hex($|[^a-z])/.\1.__str__()\2/g' -e 's/\.oid($|[^a-z])/.id\1/g' -e 's/\.hex($|[^a-z])/.id.__str__()\1/g' ${f0} ; done for f0 in pagure/**/*.py tests/**/*.py dev-data.py ; do sed -i -E -e 's/([ =\[\(\{])([0-9a-zA-Z_.]+?)(\[0\]|\[-1\]|\(\)|)\.(oid|target|tree_id)\.hex/\1str(\2\3.\4)/g' -e 's/\.(oid|target|tree_id)\.hex($|[^a-z])/.\1.__str__()\2/g' -e 's/\.oid($|[^a-z])/.id\1/g' -e 's/([ =\[\(\{])([0-9a-zA-Z_.]+?)(\[0\]|\[-1\]|\(\)|)\.hex($|[^a-z])/\1str(\2\3.id)\4/g' -e 's/\.hex($|[^a-z])/.id.__str__()\1/g' ${f0} ; done # this file uses uuid hex, undo whatever we did to that # other places that do were fixed manually git diff pagure/lib/query.py | patch -p1 -R grep -rniE -e "\.oid|\.hex" --exclude-dir=.pc --exclude-dir=debian . dpkg-source --commit . 0020-pygit2-hex-oid-removed.patch | Rebecca N. Palmer <rebecca_palmer@zoho.com> | yes | |||
| 0029-tests-gitolite-path.patch | Don't try to write somewhere that doesn't exist | Rebecca N. Palmer <rebecca_palmer@zoho.com> | not-needed | |||
| 0032-plugin-name-in-error.patch | actually use the name argument. Not using it raises an exception | Rebecca N. Palmer <rebecca_palmer@zoho.com> | yes | |||
| 0033-error-messages2.patch | Accept new error messages | Rebecca N. Palmer <rebecca_palmer@zoho.com> | yes | |||
| 0012-chardet5.patch | Accept chardet 5 | Dominik Wombacher | not-needed | upstream eeb9acdc | ||
| 0014-imp-pygit2remote-renamed.patch | they are now called importlib and pygit2.remotes | Dominik Wombacher, Rebecca N. Palmer <rebecca_palmer@zoho.com> | not-needed | upstream | ||
| 0010-dont-crash-on-nameless-test.patch | Don't crash the test suite when _testMethodDoc is None | Rebecca N. Palmer <rebecca_palmer@zoho.com> | invalid | |||
| 0036-dont-assume-gitrepo.patch | Don't assume we're building from a git repo. read_output used git rev-list on the pagure repo (not a small test repo) as an example of a large output | Rebecca N. Palmer <rebecca_palmer@zoho.com> | invalid | |||
| 0034-error-messages3.patch | Accept either werkzeug error. __version__ is removed in werkzeug 3.1 | Rebecca N. Palmer <rebecca_palmer@zoho.com> | yes | |||
| 0041-tokentest-timezone.patch | Don't fail if run in non-UTC or over midnight. The default token expiration is set when pagure.forms is loaded, not when the token is created (this is plausibly a bug, but given the risk of introducing other bugs while trying to fix it, I'm leaving it alone for now). It is also today() (local time) not utcnow(). | Rebecca N. Palmer <rebecca_palmer@zoho.com> | no | |||
| 0043-pygit2-1p17.patch | parentless commits no longer allowed in nonempty repos | Rebecca N. Palmer <rebecca_palmer@zoho.com> | no |
All known versions for source package 'pagure'
- 5.14.1+dfsg-8 (sid)
- 5.14.1+dfsg-7 (trixie)
