SUSE-SU-2024:2961-1

Source
https://www.suse.com/support/update/announcement/2024/suse-su-20242961-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2024:2961-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/SUSE-SU-2024:2961-1
Published
2024-08-19T12:06:41Z
Modified
2024-08-19T12:06:41Z
Summary
Security update for osc
Details

This update for osc fixes the following issues:

  • 1.9.0

    • Security:
      • Fix possibility to overwrite special files in .osc (CVE-2024-22034 bsc#1225911). Source files are now stored in the 'sources' subdirectory, which prevents name collisions with the control files kept in '.osc'. This requires changing the version of the '.osc' store to 2.0.
    • Command-line:
      • Introduce build --checks parameter
    • Library:
      • OscConfigParser: Remove automatic name option
  • 1.8.3

    • Command-line:
      • Change 'repairwc' command to always run all repair steps
    • Library:
      • Make most of the fields in KeyinfoPubkey and KeyinfoSslcert models optional
      • Fix colorize() to avoid wrapping empty string into color escape sequences
      • Provide default values for kwargs.get/pop in get_results() function
  • 1.8.2

    • Library:
      • Change 'repairwc' command to fix missing .osc/_osclib_version
      • Make error message in check_store_version() more generic to work for both projects and packages
      • Fix check_store_version() in project store
  • 1.8.1

    • Command-line:
      • Fix 'linkpac' command crash when used with '--disable-build' or '--disable-publish' option
  • 1.8.0

    • Command-line:
      • Improve 'submitrequest' command to inherit description from superseded request
      • Fix 'mv' command when renaming a file multiple times
      • Improve 'info' command to support projects
      • Improve 'getbinaries' command by accepting '-M' / '--multibuild-package' option outside checkouts
      • Add architecture filtering to 'release' command
      • Change 'results' command so the normal and multibuild packages have the same output
      • Change 'results' command to use csv writer instead of formatting csv as string
      • Add couple mutually exclusive options errors to 'results' command
      • Set a default value for 'results --format' only for the csv output
      • Add support for 'results --format' for the default text mode
      • Update help text for '--format' option in 'results' command
      • Add 'results --fail-on-error/-F' flag
      • Redirect venv warnings from stderr to debug output
    • Configuration:
      • Fix config parser to throw an exception on duplicate sections or options
      • Modify conf.get_config() to print permissions warning to stderr rather than stdout
    • Library:
      • Run check_store_version() in obs_scm.Store and fix related code in Project and Package
      • Forbid extracting files with absolute path from 'cpio' archives (bsc#1122683)
      • Forbid extracting files with absolute path from 'ar' archives (bsc#1122683)
      • Remove no longer valid warning from core.unpacksrcrpm()
      • Make obs_api.KeyinfoSslcert keyid and fingerprint fields optional
      • Fix return value in build.create_build_descr_data()
      • Fix core.get_package_results() to obey 'multibuild_packages' argument
    • Tests:
      • Fix tests so they don't modify fixtures
  • 1.7.0

    • Command-line:
      • Add 'person search' command
      • Add 'person register' command
      • Add '-M/--multibuild-package' option to '[what]dependson' commands
      • Update '-U/--user' option in 'maintainer' command to accept also an email address
      • Fix 'branch' command to allow using '--new-package' option on packages that do not exist
      • Fix 'buildinfo' command to include obs:cli_debug_packages by default
      • Fix 'buildinfo' command to send complete local build environment as the 'build' command does
      • Fix 'maintainer --devel-project' to raise an error if running outside a working copy without any arguments
      • Fix handling arguments in 'service remoterun prj/pac'
      • Fix 'rebuild' command so the '--all' option conflicts with the 'package' argument
      • Fix crash when removing 'scmsync' element from dst package meta in 'linkpac' command
      • Fix crash when reading dst package meta in 'linkpac' command
      • Allow osc rpmlint to infer prj/pkg from CWD
      • Propagate exit code from the run() and do_() commandline methods
      • Give a hint where a scmsync git is hosted
      • Fix crash in 'updatepacmetafromspec' command when working with an incomplete spec
      • Improve 'updatepacmetafromspec' command to expand rpm spec macros by calling rpmspec to query the data
      • Improve 'build' and 'buildinfo' commands by uploading *.inc files to OBS for parsing BuildRequires (bsc#1221340)
      • Improve 'service' command by printing names of running services
      • Improve 'getbinaries' command by ignoring source and debuginfo filters when a binary name is specified
      • Change 'build' command to pass '--jobs' option to 'build' tool only if 'buildjobs' > 0
      • Clarify in the 'list' command's help that listing binaries doesn't contain md5 checksums
      • Improve 'log' command: produce proper CSV and XML outputs, add -p/--patch option for the text output
      • Allow setlinkrev to set a specific vrev
      • Document '--buildtool-opt=--noclean' example in 'build' command's help
      • Fix handling the default package argument on the command-line
    • Configuration:
      • Document loading configuration from env variables
    • Connection:
      • Don't retry on error 400
      • Remove now unused 'retryon400' httprequest() option from XmlModel
      • Revert 'Don't retry on 400 HTTP status code in core.serverdiff()'
      • Revert 'connection: Allow disabling retry on 400 HTTP status code'
    • Authentication:
      • Update SignatureAuthHandler to support specifying ssh key by its fingerprint
      • Use ssh key from ssh agent that contains comment 'obs=<apiurl-hostname>'
      • Use strings instead of bytes in SignatureAuthHandler
      • Cache password from SecretService to avoid spamming user with an accept dialog
      • Never ask for credentials when displaying help
      • Remove unused SignatureAuthHandler.get_fingerprint()
    • Library:
      • Add rootless build support for 'qemu' VM type
      • Support package linking of packages from scmsync projects
      • Fix do_createrequest() function to return None instead of request id
      • Replace invalid 'if' with 'elif' in BaseModel.dict()
      • Fix crash when no preferred packages are defined
      • Add XmlModel class that encapsulates manipulation with XML
      • Add obs_api.Person.cmd_register() for registering new users
      • Fix conf.get_config() to ignore file type bits when comparing oscrc perms
      • Fix conf.get_config() to correctly handle overrides when env variables are set
      • Fix output.tty.IS_INTERACTIVE when os.isatty() throws OSError
      • Improve cmdln.HelpFormatter to obey newline characters
      • Update list of color codes in 'output.tty' module
      • Remove core.setDevelProject() in favor of core.set_devel_project()
      • Move removing control characters to output.sanitize_text()
      • Improve sanitize_text() to keep selected CSI escape sequences
      • Add output.pipe_to_pager() that pipes lines to a pager without creating an intermediate temporary file
      • Fix output.safe_write() in connection with NamedTemporaryFile
      • Modernize output.run_pager()
      • Extend output.print_msg() to accept 'error' and 'warning' values of 'toprint' argument
      • Add XPathQuery class for translating keyword arguments to an xpath query
      • Add obs_api.Keyinfo class
      • Add obs_api.Package class
      • Add Package.get_revision_list() for listing commit log
      • Add obs_api.PackageSources class for handling OBS SCM sources
      • Add obs_api.Person class
      • Add obs_api.Project class
      • Add obs_api.Request class
      • Add obs_api.Token class
      • Allow storing apiurl in the XmlModel instances
      • Allow retrieving default field value from top-level model
      • Fix BaseModel to convert dictionaries to objects on retrieving a model list
      • Fix BaseModel to always deepcopy mutable defaults on first use
      • Implement do_snapshot() and has_changed() methods to determine changes in BaseModel
      • Implement total ordering on BaseModel
      • Add comments with available attributes/elements to edited XML
    • Refactoring:
      • Migrate repo {list,add,remove} commands to obs_api.Project
      • Migrate core.show_package_disabled_repos() to obs_api.Package
      • Migrate core.Package.update_package_meta() to obs_api.Package
      • Migrate core.get_repos_of_project() to obs_api.Project
      • Migrate core.get_repositories_of_project() to obs_api.Project
      • Migrate core.show_scmsync() to obs_api.{Package,Project}
      • Migrate core.set_devel_project() to obs_api.Package
      • Migrate core.show_devel_project() to obs_api.Package
      • Migrate Fetcher.run() to obs_api.Keyinfo
      • Migrate core.create_submit_request() to obs_api.Request
      • Migrate 'token' command to obs_api.Token
      • Migrate 'whois/user' command to obs_api.Person
      • Migrate 'signkey' command to obs_api.Keyinfo
      • Move print_msg() to the 'osc.output' module
      • Move run_pager() and get_default_pager() from 'core' to 'output' module
      • Move core.Package to obs_scm.Package
      • Move core.Project to obs_scm.Project
      • Move functions manipulating store from core to obs_scm.store
      • Move store.Store to obs_scm.Store
      • Move core.Linkinfo to obs_scm.Linkinfo
      • Move core.Serviceinfo to obs_scm.Serviceinfo
      • Move core.File to obs_scm.File
      • Merge _private.project.ProjectMeta into obs_api.Project
    • Spec:
      • Remove dependency on /usr/bin/python3 using %python3_fix_shebang macro (bsc#1212476)
  • 1.6.2

    • Command-line:
      • Fix 'branch' command to allow using '--new-package' option on packages that do not exist
      • Fix 'buildinfo' command to include obs:cli_debug_packages by default
      • Fix 'buildinfo' command to send complete local build environment as the 'build' command does
      • Allow osc rpmlint to infer prj/pkg from CWD
      • Propagate exit code from the run() and do_() commandline methods
      • Give a hint where a scmsync git is hosted
      • Fix crash in 'updatepacmetafromspec' command when working with an incomplete spec
    • Authentication:
      • Cache password from SecretService to avoid spamming user with an accept dialog
      • Never ask for credentials when displaying help
    • Library:
      • Support package linking of packages from scmsync projects
      • Fix do_createrequest() function to return None instead of request id
      • Replace invalid 'if' with 'elif' in BaseModel.dict()
      • Fix crash when no preferred packages are defined
  • 1.6.1

    • Command-line:
      • Use busybox compatible commands for completion
      • Change 'wipe' command to use the new get_user_input() function
      • Fix error 500 in running 'meta attribute <prj>'
    • Configuration:
      • Fix resolving config symlink to the actual config file
      • Honor XDG_CONFIG_HOME and XDG_CACHE_HOME env vars
      • Warn about ignoring XDG_CONFIG_HOME and ~/.config/osc/oscrc if ~/.oscrc exists
    • Library:
      • Error out when branching a scmsync package
      • New get_user_input() function for consistent handling of user input
      • Move xmlindent, xmlquote and xmlunquote to osc.util.xml module
      • Refactor makeurl(), deprecate query taking string or list arguments, drop oscurlencode()
      • Remove all path quoting, rely on makeurl()
      • Always use dict query in makeurl()
      • Fix core.slash_split() to strip both leading and trailing slashes
  • 1.6.0

    • Command-line:
      • The 'token --trigger' command no longer sets '--operation=runservice' by default.
      • Change 'token --create' command to require '--operation'
      • Fix 'linkdiff' command error 400: prj/pac/md5 not in repository
      • Update 'build' command to support building 'productcompose' build type with updateinfo.xml data
      • Don't show meter in terminals that are not interactive
      • Fix traceback when running osc from an arbitrary git repo that fails to map branch to a project (bsc#1218170)
    • Configuration:
      • Implement reading credentials from environment variables
      • Allow starting with an empty config if --configfile is either empty or points to /dev/null
      • Implement 'quiet' conf option
      • Password can be an empty string (commonly used with ssh auth)
    • Connection:
      • Allow -X HEAD on osc api requests as well
    • Library:
      • Fix credentials managers to consistently return Password
      • Fix Password.encode() on python < 3.8
      • Refactor 'meter' module, use config settings to pick the right class
      • Convert to using f-strings
      • Use Field.get_callback to handle quiet/verbose and http_debug/http_full_debug options
      • Implement get_callback that allows modifying returned value to the Field class
      • Add support for List[BaseModel] type to Field class
      • Report class name when reporting an error during instantiating BaseModel object
      • Fix exporting an empty model field in BaseModel.dict()
      • Fix initializing a sub-model instance from a dictionary
      • Implement 'Enum' support in models
      • Fix Field.origin_type for Optional types
      • Drop unused 'exclude_unset' argument from BaseModel.dict() method
      • Store cached model defaults in self.defaults, avoid sharing references to mutable defaults
      • Limit model attributes to predefined fields by forbidding creating new attributes on fly
      • Store model values in self._values dict instead of private attributes
    • Spec:
      • Recommend openssh-clients for ssh-add that is required during ssh auth
      • Add 0%{?amzn} macro that wasn't upstreamed
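The 1.9.0 security fix (CVE-2024-22034: a source file name could overwrite a special file in '.osc', solved by moving sources into the 'sources' subdirectory with store version 2.0) and the 1.8.0 archive hardening (bsc#1122683: refuse absolute paths in cpio and ar members) are both about where an untrusted file name is allowed to land. The following is an added example, not osc's own code: it models the flat pre-2.0 store against the 2.0 layout with a hypothetical source_store_path() and adds a member-name check check_archive_member(). The control-file list, the store version strings '1.0' and '2.0', and the sample source names are assumptions constructed for illustration; rejecting '..' components goes beyond what the changelog states for the archive fix.

```python
"""Added example: where an untrusted file name may land in an osc working copy.

Not osc's own code. Models the pre-2.0 flat '.osc' layout against the 2.0
'sources' subdirectory, plus a member-name check like the 1.8.0 cpio/ar fix.
"""
from pathlib import PurePosixPath
from typing import Iterable, List

# Control files osc keeps directly under .osc/ (assumed subset, for illustration).
STORE_CONTROL_FILES = frozenset(
    {"_apiurl", "_files", "_meta", "_osclib_version", "_package", "_project"}
)
OLD_STORE, NEW_STORE = "1.0", "2.0"  # assumed contents of .osc/_osclib_version


def check_archive_member(name: str) -> str:
    """Reject archive member names an extractor must never honour.

    Absolute paths are what the 1.8.0 cpio/ar fix forbids; parent-directory
    components are rejected here as well, which is stricter than the page states.
    """
    path = PurePosixPath(name)
    if name == "" or path.is_absolute():
        raise ValueError(f"refusing archive member with absolute or empty path: {name!r}")
    if ".." in path.parts:
        raise ValueError(f"refusing archive member escaping its directory: {name!r}")
    return name


def source_store_path(filename: str, store_version: str) -> PurePosixPath:
    """Map a source file name to its location inside the .osc store."""
    base = PurePosixPath(filename).name
    if base != filename or base in ("", ".", ".."):
        raise ValueError(f"refusing source file name with directory parts: {filename!r}")
    if store_version == OLD_STORE:
        # Flat layout: sources share one namespace with the control files.
        return PurePosixPath(".osc") / base
    if store_version == NEW_STORE:
        # 2.0 layout: sources live in their own subdirectory, so no collision.
        return PurePosixPath(".osc") / "sources" / base
    raise ValueError(f"unknown store version {store_version!r}")


def find_collisions(filenames: Iterable[str], store_version: str) -> List[str]:
    """Return the source file names that would overwrite a .osc control file."""
    hits = []
    for name in filenames:
        path = source_store_path(name, store_version)
        if path.parent == PurePosixPath(".osc") and path.name in STORE_CONTROL_FILES:
            hits.append(name)
    return hits


# Constructed sample: a package whose sources are named like osc control files.
SAMPLE_SOURCES = ["osc.spec", "osc-1.9.0.tar.gz", "_meta", "_files"]

if __name__ == "__main__":
    print("store 1.0 collisions:", find_collisions(SAMPLE_SOURCES, OLD_STORE))
    print("store 2.0 collisions:", find_collisions(SAMPLE_SOURCES, NEW_STORE))
    for member in ("usr/share/osc/osc.spec", "/etc/passwd", "../../.oscrc"):
        try:
            print("ok     ", check_archive_member(member))
        except ValueError as exc:
            print("reject ", exc)
```

Under the flat layout a checkout of a package that ships a source named '_meta' or '_files' lands on the control file of the same name; under the 2.0 layout the same names resolve to '.osc/sources/_meta' and '.osc/sources/_files' and collide with nothing. The member check is deliberately separate, because it guards a different boundary (archive extraction) from the store layout.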

Affected packages

SUSE:Linux Enterprise Module for Development Tools 15 SP5 / osc

Package

Name
osc
Purl
pkg:rpm/suse/osc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.9.0-150400.10.6.1

Ecosystem specific

{
    "binaries": [
        {
            "osc": "1.9.0-150400.10.6.1"
        }
    ]
}

SUSE:Linux Enterprise Module for Development Tools 15 SP6 / osc

Package

Name
osc
Purl
pkg:rpm/suse/osc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.9.0-150400.10.6.1

Ecosystem specific

{
    "binaries": [
        {
            "osc": "1.9.0-150400.10.6.1"
        }
    ]
}

openSUSE:Leap 15.5 / osc

Package

Name
osc
Purl
pkg:rpm/opensuse/osc&distro=openSUSE%20Leap%2015.5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.9.0-150400.10.6.1

Ecosystem specific

{
    "binaries": [
        {
            "osc": "1.9.0-150400.10.6.1"
        }
    ]
}

openSUSE:Leap 15.6 / osc

Package

Name
osc
Purl
pkg:rpm/opensuse/osc&distro=openSUSE%20Leap%2015.6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.9.0-150400.10.6.1

Ecosystem specific

{
    "binaries": [
        {
            "osc": "1.9.0-150400.10.6.1"
        }
    ]
}
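All four products above list the same fixed build, 1.9.0-150400.10.6.1, with no lower bound, so the practical check is whether the installed osc RPM is at or above that build. The following is an added example, not SUSE's or rpm's code: rpm_vercmp() is a simplified re-implementation of rpm's label comparison (digit runs compare numerically, letter runs lexically, a numeric segment outranks an alphabetic one, the longer label wins on a tie; tilde and caret handling is omitted), so treat it as an approximation of what rpm and zypper do. The input format assumed is what `rpm -q --queryformat '%{VERSION}-%{RELEASE}\n' osc` prints; the sample EVRs other than the fixed one are constructed.

```python
"""Added example: decide whether an installed osc RPM carries this fix.

Not SUSE's or rpm's code. rpm_vercmp() is a simplified re-implementation of
rpm's label comparison without tilde/caret handling.
"""
import re
from typing import Tuple

# The fixed build listed in the advisory for all four products.
FIXED_EVR = "1.9.0-150400.10.6.1"
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpm_vercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing two version or release labels rpm-style."""
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            # A numeric segment is considered newer than an alphabetic one.
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(seg_a) != len(seg_b):
        # All shared segments equal: the label with segments left over wins.
        return -1 if len(seg_a) < len(seg_b) else 1
    return 0


def split_evr(evr: str) -> Tuple[int, str, str]:
    """Split '[epoch:]version-release' into its three parts."""
    epoch = 0
    if ":" in evr:
        epoch_str, evr = evr.split(":", 1)
        epoch = int(epoch_str)
    if "-" not in evr:
        raise ValueError(f"missing release in {evr!r}")
    version, release = evr.rsplit("-", 1)
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    epoch_a, ver_a, rel_a = split_evr(a)
    epoch_b, ver_b, rel_b = split_evr(b)
    if epoch_a != epoch_b:
        return -1 if epoch_a < epoch_b else 1
    return rpm_vercmp(ver_a, ver_b) or rpm_vercmp(rel_a, rel_b)


def is_fixed(installed_evr: str, fixed_evr: str = FIXED_EVR) -> bool:
    """True when the installed osc build is at or above the fixed build."""
    return evr_cmp(installed_evr, fixed_evr) >= 0


# Constructed sample EVRs; only FIXED_EVR comes from the advisory.
SAMPLE_EVRS = (
    "1.8.3-150400.10.3.1",
    FIXED_EVR,
    "1.9.0-150400.10.9.1",
    "1.10.0-150400.11.1.1",
)

if __name__ == "__main__":
    for evr in SAMPLE_EVRS:
        print(f"{evr:24} fixed={is_fixed(evr)}")
```

Feed it the output of `rpm -q --queryformat '%{VERSION}-%{RELEASE}\n' osc` on the host; anything below 1.9.0-150400.10.6.1 is still in the affected range, and a newer build from a later update also counts as fixed. The release string matters: 1.9.0 with a release older than 150400.10.6.1 would not be this build.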