Kallithea 0.7.0 released

We are pleased to announce Kallithea 0.7.0, with a potential security fix, improvements and fixes in many areas and some changes that might require configuration changes when upgrading.

Please note: this release of Kallithea fixes an issue that would be a security issue for Kallithea instances that have configured a specific list of allowed IP addresses. The issue is one of "automatic" trust in HTTP headers that only should be trusted in setups where a trusted proxy server is known to have set these headers.
This issue could not be fixed in a minor update without configuration changes. In Kallithea 0.7, these headers are now by default ignored. If necessary, Kallithea must be explicitly configured with the headers to use. Please refer to the security page for more details about the security implications, and the upgrade notes below for more details about the configuration aspect.

The installation instructions in the documentation have been improved and extended, for example in following areas:

  • Horizontal scaling and web/wsgi servers
  • Hooks
  • Overview of the various relevant locations in the file system
  • Apache mod_wsgi dispatch script and configuration
  • Configuration in combination with proxy servers

The API method get_pullrequest has been extended and a new API method edit_reviewers added.

In case Kallithea is placed behind another (proxy) server, you will need to configure two additional settings: url_scheme_header and remote_addr_header.

The https_fixup configuration setting has been removed and is to be replaced by a suitable value of url_scheme_header.

The extension system rcextensions has now been renamed to extensions. User-provided customizations are now expected in extensions.py rather than rcextensions/__init__.py. Compatibility with the old approach is still retained, but will be removed in a future major release.

A new create-pullrequest hook in this extension mechanism has been added, which makes it possible to e.g. trigger jobs in a CI server when pull requests are created. Such CI jobs could then use the comment_pullrequest API to post the result of the CI job as a comment.

Users of Git repositories can now add their own post-receive hooks by creating .git/hooks/post-receive-custom which will automatically be called by the Kallithea post-receive hook.

Autocompletion of users in pull requests and comments now also search for the combinations 'firstname lastname' and 'lastname firstname', which is interesting in cases where there are many users with the same firstname or lastname and where the autocomplete display limit would normally be reached. A specific example is with common Chinese surnames like 'Cheng' or 'Wang'. Additionally, user autocompletion based on email address has been added.

The rendering of diffs has been improved in several ways. For example, trailing tabs are now showed just like trailing spaces already were. It is now also possible to comment on 'meta' lines, e.g. chunk headers. In particular, this makes it possible to comment on empty added files.

MySQL/MariaDB handling has been improved to get full UTF-8 support. Note that this requires a change in your configuration file.

SSH keys of type ed448 are now supported.

Celery has been updated to version 5.

Support for Mercurial 5.8 has been added.

Support for hgsubversion has been removed. It was no longer working in Python 3 and seems no longer maintained upstream.

Please note: this version of Kallithea works with Python version up to (and including) 3.9.x, but will probably not work with 3.10.x.

See 'Changes' below for a more detailed list of changes most relevant to users.

Upgrading from 0.6.x

Please refer to the upgrade instructions in the documentation for detailed steps: https://kallithea.readthedocs.io/en/stable/upgrade.html. Below are just some specific notes.

As mentioned in the upgrade instructions, generate a new configuration file and apply the necessary changes to fit your installation. There have been changes in the configuration file; starting from the old one would be a source of errors or confusion. Specifically, pay attention to:

  • a number of changes in the celery settings

  • the charset value for the MySQL/MariaDB sqlalchemy.url setting

  • new settings remote_addr_variable and url_scheme_variable which you may need to modify in setups with other servers in front of Kallithea. See https://kallithea.readthedocs.io/en/stable/setup.html#proxy-setups.

  • the setting https_fixup has been removed. If you had this set to true in your configuration, you'll need to set url_scheme_variable correctly. See https://kallithea.readthedocs.io/en/stable/setup.html#proxy-setups.

  • if you are using the Paste Deploy Prefix Middleware (egg:PasteDeploy#prefix), make sure to set translate_forwarded_server = False in the same section.

There are also some minor database migration steps.

If you had a file rcextensions/__init__.py (at the same level as your configuration file), then move and rename it as extensions.py next to the configuration file (without subdirectory as before). So basically:

mv rcextensions/__init__.py extensions.py

The old file path rcextensions/__init__.py is currently still respected if no extensions.py file is found, but this compatibility will be removed in a future major release.

If you have git repositories, make sure to reinstall the hooks (refer to the upgrade documentation for instructions).

If you are using mod_wsgi, you may want to compare your WSGI dispatch script with the current example, which has been simplified. See https://kallithea.readthedocs.io/en/stable/setup.html#apache-with-mod-wsgi.


Below are the most relevant changes between 0.6.3 and 0.7.0. Note that it is not a complete list: many changes are purely internal refactoring. Please refer to the source repository if you are interested in full details.


  • extend get_pullrequest data with created_on and updated_on fields cs
  • new method: edit_reviewers cs
  • fix repo creation when using Celery cs
  • fix repo creation inside repo groups when using Celery cs
  • fix repo group permission check for repo creation cs
  • fix update_repo check for permission to create top level repos cs


  • don't trust clients too much - only trust the last IP in the X-Forwarded-For header cs
  • only use X- headers instead of REMOTE_ADDR if explicitly told so in remote_addr_header cs
  • only use X- headers instead of wsgi.url_scheme if explicitly told so in url_scheme_header - drop https_fixup setting cs


  • drop pre-Celery 4 compatibility cs
  • upgrade to Celery 5.0 cs
  • celery-run should only initialize app and sqlalchemy after workers have been forked cs

Command-line interface (kallithea-cli)

  • db-create: introduce --reuse option cs
  • repo-scan: introduce options --install-git-hooks and --overwrite-git-hooks cs
  • repo-scan: log error and continue after failure creating a scanned repo cs

Configuration file (ini)

  • move archive_cache_dir to the data directory cs
  • celery: default to more than 1 task per worker cs
  • mysql: bump sqlalchemy.url for MariaDB/MySQL charset to utf8mb4 to get full UTF-8 support cs
  • suggest translate_forwarded_server = False when using Paste Deploy Prefix Middleware cs


  • better support for databases with "odd" characters in the name, such as - cs
  • mysql: bump charset to utf8mb4 to get full UTF-8 support cs
  • mysql: create database with explicit UTF-8 character set and collation cs


  • various improvements to the installation overview, setup and upgrade instructions
  • refer to EXTRA_MAPPINGS in extensions instead of hacking LANGUAGES_EXTENSIONS_MAP directly cs
  • describe, visualize, and verify internal code structure and layering cs

Email notifications

  • explicitly add author of pull request in invitation mail cs
  • add changeset author in subject of comment emails cs

Extensions (rcextensions)

  • drop unused (and thus misleading) return values cs
  • rename default hook stubs cs
  • rename rcextensions into extensions but provide compatibility cs


  • drop sentry support cs
  • drop unused appenlight integration cs

SSH repository access support

  • update authorized_keys after deleting a user with SSH keys cs
  • support ssh-ed448 keys cs
  • verify SSH keys haven't been truncated cs

User interface


  • fix crash on display of empty commit messages cs

User autocompletion

  • also query 'firstname lastname' and 'lastname firstname' combinations cs
  • also match on email address cs

Diff rendering

  • mark trailing tabs similar to trailing spaces cs cs2
  • fix per file display of "Raw diff" and others cs
  • consistently clarify in title text which icon links are for "this file" and not global cs
  • fix "Show inline comments" cs
  • drop per file "Ignore whitespace" and "Increase context lines" buttons - it didn't work and had conceptual issue (Issue #344) cs
  • allow commenting on meta lines (Issue #329) cs
  • slightly better error message for "diff not recognized as valid" cs
  • improved handling of Git diffs with " quoting cs
  • handle some escaped characters in Git diffs cs


  • fix comment bubble appearance upon zoom cs
  • mark failed comment submissions with red panel heading cs

Version control support


  • add extensible create-pullrequest hook cs
  • reserve .kallithea_ hooks namespace for internal use cs
  • drop UI display of internal hooks - these hooks are just an implementation detail cs
  • when overwriting non-Kallithea hooks, move the old hook to .bak cs
  • clarify in UI and documentation how the hook control essentially is Mercurial only cs
  • git: drop using Git pre-receive hooks - we don't need them cs
  • git: invoke hooks/post-receive-custom from hooks/post-receive cs
  • git: detect existing symlink hooks before overwriting - only update plain files cs
  • git: don't force exact mode on Git hooks when making them executable - use umask cs


  • support Mercurial 5.8 cs
  • restore make_ui reading of .hg/hgrc cs
  • read repo-specific .hg/hgrc file in more places cs cs2


  • drop it - hgsubversion doesn't support Python 3 and seems dead upstream cs

Other changes

  • setup: bump version numbers of external dependencies cs
  • setup: make chardet a mandatory dependency cs
  • i18n: update translations for French, German, Greek, Polish, Portuguese, Russian
  • introduce configuration for running pytype cs


We would like to thank everyone that contributed to the Kallithea repository (directly or by updating translations in Weblate) since release 0.6.3 (the numbers are the amount of commits)...

309 Mads Kiilerich
 45 Thomas De Schampheleire
  2 ssantos
  2 J. Lavoie
  2 fresh
  2 Michalis
  1 Tim Ooms
  1 Artem
  1 robertus
  1 Александр
  1 Private
  1 vs
  1 Eugenia Russell
  1 Étienne Gilli

... as well as everyone contributing in other ways, e.g. by testing, reporting issues, discussing via mail or IRC, etc.