Kallithea 0.3 released

Since 0.2, we have had two stable releases fixing important security and stability issues. This release, 0.3, brings more changes, new functionality, improvements and bugfixes. Thanks to our translators, we've made significant progress in localisation Kallithea, and our French-speaking users can enjoy the complete French translation. The process of transition from YUI to jQuery continues, less and less code depends on the no longer supported YUI toolkit. We have cleaned up our dependencies and bumped the required Mercurial version to 3.5 and Pylons to 1.0.2. The support for IE 8 and hacks for older browsers have been removed, as keeping them proved not worth the effort.

This release also brings numerous security-related changes, including a fix for CVE-2015-5285, an issue reported by Gjoko Krstic of Zero Science Lab. As always, all of our security notices are available on our dedicated Security Notices page.

One more thing that's got significantly improved is our documentation, available at docs.kallithea-scm.org.

The summary of the changes since 0.2 release is below.


(something is added, new functionality, major change with high risk of breakage)


  • Secure password reset based on verification of token sent to the registered email address.


  • Added date tooltip to changelog, just as it is on the short changelog on the summary page.

  • Improved UI for selection of ranges.

    Show an extra checkbox next to the first selected checkbox to be able to specify single revision ranges (which is different from the start of an open range).

    When two revisions are selected, hide all other checkboxes to make it impossible to select more. Changesets outside the selected range are shown as semi-opaque.


  • Better display of status changes. Don't create an automatic 'No comments' comment, but make it clear that it is an empty comment when showing it.

  • Following URLs to specific inline comments will no longer show the comment at the very top of the screen, but instead include some diff context above.

  • Links to previous and next comment are now updated as soon as the comment is submitted.

  • More JavaScript has been migrated from YUI to jQuery.


  • Documentation for setup with puppet.

  • Documentation of email configuration settings in text and .ini file comments.

  • General copy-editing of documentation, improving spelling, grammar, content and typography.

  • Improve documentation of beaker session configuration.

  • New installation overview section.

  • Update list of contributors and copyright holders from repository history.

  • use example.com for tests and examples

    example.com is explicitly reserved for this purpose. Using that means we won't accidentally hammer a real server or real email address if an example value escapes into the wild, e.g. in an automated test.

    The domain "kallithea.example.com" has been used throughout to refer to the example Kallithea server.


  • Better logging of email configuration issues and better logging of email handling when debug logging is enabled.

  • Send email notifications of comments and pull requests with a From header of: "Author's Name" (no-reply) <kallithea-noreply@example.com>.


  • In select2 filters (primarily used for branch names), show lines matching from the beginning of the line before lines matching inside the line.


  • Add option for forcing overwrite of Git hooks when remapping and rescanning the repositories. (Issue #153)

  • Allow server side cloning and pulling from git:// URLs.


  • Full French translation.

  • Translation updates for several languages.


  • Add .ini file comments with improved explanations, default values and some examples.

  • Consistent formatting of generated .ini files.


  • Consistent logging of Flash messages shown to users when debug is enabled.


  • Always issue secure cookies when the user is connecting over a secure connection.


  • Cleanup of menu naming. Get rid of confusing 'Default Permissions', 'Repository Defaults', and 'Delegated Admin'.

Pull Requests

  • Make it possible to make a "pull request" for an arbitrary range by selecting two changesets in the changelog. Such "pull requests" will have the ancestor as target. This can be used for reviews of graft candidates.

  • Make it possible to override the internal nice_id method to create custom pull request naming schemes.

  • Show semi-stable "line numbers" on pull request changesets to clarify the order and give a simple unambiguous reference when discussing the pull request.


  • Show the path to the current .ini file in Settings > System Info.


  • Support Mercurial 3.5.

  • Support Pylons 1.0.2.


  • Add tox.ini for automating tests with tox 1.8+.

  • Support testing with the pytest framework.


(not backward compatible change, something is dropped, might require changes and education, high risk of breakage)


  • Editable user profile fields are only editable if self registration is enabled. If an admin created the account, the admin probably wants to keep control.

  • Let the editable user profile fields depend on which authentication module is used. For example, password change is only possible for local users.


  • Show merges as semi-opaque — they are usually not interesting.


  • Set review status to "rejected" if any reviewer rejected.


  • Previous/next comment links have been reworked and will now link between comment threads and allow for easier navigation through the whole document.

  • Show status changes as a part of the comment but with special layout to make it clear that this is a very important part of what the user said.

  • The inline comment handling has been rewritten and might have differently in some corner cases.


  • Add NOT NULL constraint to repositories created_on and updated_on. (Issue #134)

  • Constraints for status changes having a comment.

  • More consistently set primary keys to be unique, not nullable and without default.


  • Show function name in hg diffs, like diff --show-function.


  • Don't include the originating user in the subject of emails — it is now in the From header instead.

  • Use mail subjects that gmail will thread in an almost useful way; the varying part is in [...] at the beginning of the subject so the rest is static and can be used to designate a thread.


  • Remove slow and point-less mime type column from file browser. (Issue #51)

Front End

  • Drop autocomplete="off" from password fields — these days it is ignored by browsers anyway.

  • Drop old hacks for supporting IE 8. IE 9 and later should still work.

  • Prefer Lucida Console font over Consolas.

  • Remove "gravatar" alt text from Gravatar images.

  • Remove old browser compatibility hacks — none of them should be necessary or important for any relevant browsers.


  • Drop the production.ini sample — everybody should create their own with unique and random secret keys using paster make-config or kallithea-config.


  • Include ';' in automatic mark-up of URLs.

Pull Requests

  • Change wording so pull requests no longer have an 'author' but an 'owner'.

  • Don't show '(Reviewer)' after each reviewer — the owner is however still tagged '(Owner)'.

  • Don't show the reviewer list during pull request creation; it will be shown later so the author is encouraged to make a self review before adding the relevant reviewers for the change.

  • In pull request overviews, drop the useless 'latest vote' column.

  • Make the pull request owner field editable so pull request ownership can be transferred to others.

  • Require extra confirmation before deleting a pull request with comments — it is usually valuable information but sometimes it is worthless and it is better to delete.

  • Show 100 pull requests when showing pull requests for a repository.


  • Simplify clone_uri admin interface.


  • Make sure a repository only can be forked to a repository group where the user has write permission if write_on_repogroup is enabled.


  • Don't show the the email settings from the .ini file in Settings > System Info.


  • Require Mercurial 2.9+.


  • Cleanup of handling of the extern_type and extern_name fields in html forms.

    Note: There is some controller support for editing extern_type and extern_name but no UI.

  • Generally show usernames as 'Firstname Lastname (username)'.

  • When editing user permissions, default to only show repositories and groups with access.


(bugfix, something now works as intended, users can (or can have to) drop workarounds, probably minor risk)


  • Disable password changing when not using internal authentication.

  • Fix auth setting validation after disabling an auth plugin — don't validate options for disabled plugins.

  • When using container authentication, make it work on all pages without visiting the login page.


  • Preserve just the right URL parameters when changing the changelog page size.


  • Fix status computation if no reviewers have review yet.


  • Make CodeMirror work when using a proxy prefix — set modeURL correctly. (Issue #160)


  • More efficient comment bubble handling, avoiding 'Maximum call stack size exceeded' when loading a huge diff in Chrome.

  • Only show the comment bubble in places where a comment actually can be added. (Issue #84)


  • Clean whitespace before using revision numbers entered by the user.

  • Fix errors caused by "undefined" showing up as compare parameter — a cache did not handle ref types correctly.


  • Fix diff markup interfering with whitespace markup.


  • Fix crash when sending error mails to admins without any email_to configured.

Front End

  • Fix autocompletion of repository owner.

  • Fix missing variable declaration which caused crashes when processing multi line selects for linking.

  • Fix statistics page so the graph fits on the page.


  • Ensure consistent and correct quoting when launching external git commands. (Issue #135)

  • Fix reposcan failure when encountering Git repositories on read-only filesystems.

  • Ignore invalid Git lock files when they are encountered while scanning for repos.


  • Hide graph canvas during load — avoid Chrome making it big and hiding everything while page was loading.


  • Fix fallback for LDAP configuration with the email field left empty.


  • Hide "Log out" link when not logged in through normal "Log in".

  • Preserve GET arguments throughout login redirection. (Issue #104)


  • Fix incorrect (double) html escaping in tool tips.


  • Fix page navigation links after "Mark All Read" has reloaded the notification list.

Pull Requests

  • Avoid unnecessary scroll bar in Chrome when showing short lists of available updates.

  • Don't silently ignore attempts at changing status without permission; report a real error.

  • Make it possible to make pull requests from the null revision or between unrelated branches. (Issue #149)

  • Show all comments for a pull request — filtering on repository will miss some slightly inconsistent repositories.

  • Use the actual user info instead of the pull request owner when sending notifications for an admin adding reviewers to other peoples pull requests.

  • Validate pull request reviewers — avoid garbage in the database.


  • Consistently refer to "remote repository" and "clone" in templates.


  • After creating a repository group, redirect to it.


  • Apply CSRF check to all non-GET requests — more safe than the previous POST protection.

  • Don't reveal the reason a login failed — that information could help an attacker.

  • Fix gist editing — it did not send the CSRF token and POSTs were thus rejected.


  • Update scripts and documentation to explicitly use python2 — don't assume the global Python is Python 2.


  • Show status description as full text — for example 'Under Review' instead of under_review.


  • Fix crash in user update error handling.


  • Fix failing cache invalidation — delay the invalidation to after a push really has finished.