We are pleased to announce Kallithea 0.7.0, with a potential security fix, improvements and fixes in many areas and some changes that might require configuration changes when upgrading.
Please note: this release of Kallithea fixes an issue that would be a security
issue for Kallithea instances that have configured a specific list of allowed IP
addresses. The issue is one of "automatic" trust in HTTP headers that only
should be trusted in setups where a trusted proxy server is known to have set
This issue could not be fixed in a minor update without configuration changes. In Kallithea 0.7, these headers are now by default ignored. If necessary, Kallithea must be explicitly configured with the headers to use. Please refer to the security page for more details about the security implications, and the upgrade notes below for more details about the configuration aspect.
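As an added illustration (not Kallithea's code), the following contrasts automatic header trust with the explicit opt-in described above, applied to an IP allow list. It also applies the changelog's "only trust the last IP" rule. The function names, the `trusted_addr_key` parameter and the sample requests are constructed for this example, and it assumes a single trusted proxy that appends the peer address to X-Forwarded-For.

```python
import ipaddress

def naive_client_ip(environ):
    """Automatic header trust: whatever the client sent in X-Forwarded-For wins."""
    forwarded = environ.get("HTTP_X_FORWARDED_FOR")
    if forwarded:
        return forwarded.split(",")[0].strip()
    return environ["REMOTE_ADDR"]

def client_ip(environ, trusted_addr_key=None):
    """Headers are ignored unless the operator names the environ key a trusted proxy sets.

    trusted_addr_key is a hypothetical parameter for this example, e.g.
    "HTTP_X_FORWARDED_FOR"; None means "no proxy in front, use the TCP peer".
    """
    if trusted_addr_key is None:
        return environ["REMOTE_ADDR"]
    # A proxy appends the peer it saw to any list the client supplied, so only
    # the last entry is vouched for by the proxy; earlier ones are client data.
    return environ.get(trusted_addr_key, "").split(",")[-1].strip()

def ip_in_allow_list(addr_text, allowed_networks):
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return False  # missing or malformed address: fail closed
    return any(addr in ipaddress.ip_network(net) for net in allowed_networks)

# Constructed sample data (documentation address ranges, not from the page).
ALLOWED = ["10.0.0.0/8"]
XFF = "HTTP_X_FORWARDED_FOR"
direct_forged = {"REMOTE_ADDR": "203.0.113.7", XFF: "10.1.2.3"}
proxied_forged = {"REMOTE_ADDR": "127.0.0.1", XFF: "10.1.2.3, 203.0.113.7"}
proxied_internal = {"REMOTE_ADDR": "127.0.0.1", XFF: "10.1.2.3"}
proxied_no_header = {"REMOTE_ADDR": "127.0.0.1"}

def report():
    return {
        "naive, forged header": ip_in_allow_list(naive_client_ip(direct_forged), ALLOWED),
        "default, forged header": ip_in_allow_list(client_ip(direct_forged), ALLOWED),
        "proxy, forged first entry": ip_in_allow_list(client_ip(proxied_forged, XFF), ALLOWED),
        "proxy, internal client": ip_in_allow_list(client_ip(proxied_internal, XFF), ALLOWED),
        "proxy, header missing": ip_in_allow_list(client_ip(proxied_no_header, XFF), ALLOWED),
    }

if __name__ == "__main__":
    for case, allowed in report().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

Only the naive variant lets the directly connected client with a forged header through the allow list.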
The installation instructions in the documentation have been improved and extended, for example in the following areas:
- Horizontal scaling and web/wsgi servers
- Overview of the various relevant locations in the file system
- mod_wsgi dispatch script and configuration
- Configuration in combination with proxy servers
The API method get_pullrequest has been extended and a new API method
In case Kallithea is placed behind another (proxy) server, you will need to
configure two additional settings:
The https_fixup configuration setting has been removed and is to be replaced by a suitable value of
The extension system rcextensions has now been renamed to
User-provided customizations are now expected in extensions.py rather than rcextensions/__init__.py. Compatibility with the old approach is still retained, but will be removed in a future major release.
A create-pullrequest hook in this extension mechanism has been added, which makes it possible to e.g. trigger jobs in a CI server when pull requests are created. Such CI jobs could then use the comment_pullrequest API to post the result of the CI job as a comment.
Users of Git repositories can now add their own post-receive hooks by creating .git/hooks/post-receive-custom which will automatically be called by the
Autocompletion of users in pull requests and comments now also searches for the combinations 'firstname lastname' and 'lastname firstname', which is helpful in cases where there are many users with the same first name or last name and where the autocomplete display limit would normally be reached. A specific example is with common Chinese surnames like 'Cheng' or 'Wang'. Additionally, user autocompletion based on email address has been added.
The rendering of diffs has been improved in several ways. For example, trailing tabs are now shown just like trailing spaces already were. It is now also possible to comment on 'meta' lines, e.g. chunk headers. In particular, this makes it possible to comment on empty added files.
MySQL/MariaDB handling has been improved to get full UTF-8 support. Note that this requires a change in your configuration file.
SSH keys of type ed448 are now supported.
Celery has been updated to version 5.
Support for Mercurial 5.8 has been added.
hgsubversion has been removed. It was no longer working in Python 3 and seems no longer maintained upstream.
Please note: this version of Kallithea works with Python versions up to (and including) 3.9.x, but will probably not work with 3.10.x.
See 'Changes' below for a more detailed list of changes most relevant to users.
Upgrading from 0.6.x
Please refer to the upgrade instructions in the documentation for detailed steps: https://kallithea.readthedocs.io/en/stable/upgrade.html. Below are just some specific notes.
As mentioned in the upgrade instructions, generate a new configuration file and apply the necessary changes to fit your installation. There have been changes in the configuration file; starting from the old one would be a source of errors or confusion. Specifically, pay attention to:
- a number of changes in the celery settings
- charset value for the MySQL/MariaDB
- url_scheme_variable which you may need to modify in setups with other servers in front of Kallithea. See https://kallithea.readthedocs.io/en/stable/setup.html#proxy-setups.
- https_fixup has been removed. If you had this set to true in your configuration, you'll need to set url_scheme_variable correctly. See https://kallithea.readthedocs.io/en/stable/setup.html#proxy-setups.
- if you are using the Paste Deploy Prefix Middleware (egg:PasteDeploy#prefix), make sure to set translate_forwarded_server = False in the same section.
There are also some minor database migration steps.
If you had a file rcextensions/__init__.py (at the same level as your configuration file), then move and rename it as extensions.py next to the configuration file (without subdirectory as before). So basically:
mv rcextensions/__init__.py extensions.py
The old file path rcextensions/__init__.py is currently still respected if no extensions.py file is found, but this compatibility will be removed in a future major release.
If you have git repositories, make sure to reinstall the hooks (refer to the
If you are using mod_wsgi, you may want to compare your WSGI dispatch script with the current example, which has been simplified. See
Below are the most relevant changes between 0.6.3 and 0.7.0. Note that it is not a complete list: many changes are purely internal refactoring. Please refer to the source repository if you are interested in full details.
- new method:
- fix repo creation when using Celery cs
- fix repo creation inside repo groups when using Celery cs
- fix repo group permission check for repo creation cs
- update_repo check for permission to create top level repos cs
- don't trust clients too much - only trust the last IP in the
- only use X-headers instead of REMOTE_ADDR if explicitly told so in
- only use X-headers instead of wsgi.url_scheme if explicitly told so in
- drop pre-Celery 4 compatibility cs
- upgrade to Celery 5.0 cs
- celery-run should only initialize app and sqlalchemy after workers have been forked cs
Command-line interface (kallithea-cli)
- repo-scan: introduce options
- repo-scan: log error and continue after failure creating a scanned repo cs
Configuration file (ini)
- archive_cache_dir to the data directory cs
- celery: default to more than 1 task per worker cs
- sqlalchemy.url for MariaDB/MySQL charset to utf8mb4 to get full UTF-8 support cs
- translate_forwarded_server = False when using Paste Deploy Prefix Middleware cs
- better support for databases with "odd" characters in the name, such as
- mysql: bump charset to utf8mb4 to get full UTF-8 support cs
- mysql: create database with explicit UTF-8 character set and collation cs
- various improvements to the installation overview, setup and upgrade instructions
- refer to EXTRA_MAPPINGS in extensions instead of hacking
- describe, visualize, and verify internal code structure and layering cs
- explicitly add author of pull request in invitation mail cs
- add changeset author in subject of comment emails cs
- drop unused (and thus misleading) return values cs
- rename default hook stubs cs
- extensions but provide compatibility cs
SSH repository access support
- authorized_keys after deleting a user with SSH keys cs
- verify SSH keys haven't been truncated cs
- fix crash on display of empty commit messages cs
- also query 'firstname lastname' and 'lastname firstname' combinations cs
- also match on email address cs
- mark trailing tabs similar to trailing spaces cs cs2
- fix per file display of "Raw diff" and others cs
- consistently clarify in title text which icon links are for "this file" and not global cs
- fix "Show inline comments" cs
- drop per file "Ignore whitespace" and "Increase context lines" buttons - it didn't work and had conceptual issue (Issue #344) cs
- allow commenting on meta lines (Issue #329) cs
- slightly better error message for "diff not recognized as valid" cs
- improved handling of Git diffs with
- handle some escaped characters in Git diffs cs
- fix comment bubble appearance upon zoom cs
- mark failed comment submissions with red panel heading cs
Version control support
- add extensible .kallithea_hooks namespace for internal use cs
- drop UI display of internal hooks - these hooks are just an implementation detail cs
- when overwriting non-Kallithea hooks, move the old hook to
- clarify in UI and documentation how the hook control essentially is Mercurial only cs
- git: drop using Git pre-receive hooks - we don't need them cs
- git: invoke
- git: detect existing symlink hooks before overwriting - only update plain files cs
- git: don't force exact mode on Git hooks when making them executable - use umask cs
- support Mercurial 5.8 cs
- read repo-specific .hg/hgrc file in more places cs cs2
- drop it -
Python3 and seems dead upstream cs
- setup: bump version numbers of external dependencies cs
- setup: make chardet a mandatory dependency cs
- i18n: update translations for French, German, Greek, Polish, Portuguese, Russian
- introduce configuration for running pytype cs
We would like to thank everyone that contributed to the Kallithea repository (directly or by updating translations in Weblate) since release 0.6.3 (the numbers are the amount of commits)...
- 309 Mads Kiilerich
- 45 Thomas De Schampheleire
- 2 ssantos
- 2 J. Lavoie
- 2 fresh
- 2 Michalis
- 1 Tim Ooms
- 1 Artem
- 1 robertus
- 1 Александр
- 1 Private
- 1 vs
- 1 Eugenia Russell
- 1 Étienne Gilli
... as well as everyone contributing in other ways, e.g. by testing, reporting issues, discussing via mail or IRC, etc.