From e004fd2773fe316cacd666c34e7299a709f3583f Mon Sep 17 00:00:00 2001 From: Kim Davies Date: Wed, 22 Nov 2023 19:40:48 -0800 Subject: [PATCH 1/9] Improve security text grammar; wrap text --- SECURITY.md | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 3d53a4a..9009ae9 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,11 +1,19 @@ # Security Policy ## Supported Versions + Security updates are applied only to the latest release. ## Reporting a Vulnerability -If you have discovered a security vulnerability in this project, please report it privately. **Do not disclose it as a public issue.** This gives us time to work with you to fix the issue before public exposure, reducing the chance that the exploit will be used before a patch is released. -Please disclose it at our [security advisory](https://github.com/kjd/idna/security/advisories/new). +If you have discovered a security vulnerability in this project, please +report it privately. **Do not disclose it as a public issue.** This gives +us time to work with you to fix the issue before public exposure, reducing +the chance that the exploit will be used before a patch is released. + +Please disclose your issue through Github's +[security advisory facility](https://github.com/kjd/idna/security/advisories/new). -This project is maintained by a team of volunteers on a reasonable-effort basis. As such, vulnerabilities will be disclosed in a best effort base. +We will endeavor to prioritize review, remediation and disclosure of +vulnerabilites. However, be mindful that this project is maintained by a +team of volunteers who work on a best effort basis. \ No newline at end of file From aa97abe1d9f0d3601ef340f4e66758e23d72a958 Mon Sep 17 00:00:00 2001 From: Kim Davies Date: Wed, 22 Nov 2023 20:02:56 -0800 Subject: [PATCH 2/9] Update history for 3.5 changes --- HISTORY.rst | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) 
diff --git a/HISTORY.rst b/HISTORY.rst index 28516d3..e3fabfc 100644 --- a/HISTORY.rst +++ b/HISTORY.rst @@ -3,12 +3,17 @@ History ------- -3.5 (XXXX-XX-XX) +3.5 (2023-11-XX) ++++++++++++++++ -- String codec name is now 'idna2008' as overriding the system - codec 'idna' was not working. + +- String codec name is now "idna2008" as overriding the system codec + "idna" was not working. - Fix typing error for codec encoding -- Remove 'setup.py' to complete migration to pyproject.toml +- "setup.py" has been restored for this release due to some downstream + lack of adherence to PEP 517. Should be removed in a future release + so please prepare accordingly. +- Removed reliance on a symlink for the "idna-data" tool to comport + with PEP 517 and the Python Packaging User Guide for sdist archives. - Added security reporting protocol for project Thanks Jon Ribbens, Diogo Teles Sant'Anna, Wu Tingfeng for contributions From 0166089a2e4ef3c4d26c9eff08f48d5276afd798 Mon Sep 17 00:00:00 2001 From: Kim Davies Date: Wed, 22 Nov 2023 20:04:40 -0800 Subject: [PATCH 3/9] Reflect Unicode 15.1 in history --- HISTORY.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/HISTORY.rst b/HISTORY.rst index e3fabfc..bde07fe 100644 --- a/HISTORY.rst +++ b/HISTORY.rst @@ -6,6 +6,7 @@ History 3.5 (2023-11-XX) ++++++++++++++++ +- Update to Unicode 15.1.0 - String codec name is now "idna2008" as overriding the system codec "idna" was not working. - Fix typing error for codec encoding From 354a41241b3b8dc80a36a5ffad34c54fd19e1307 Mon Sep 17 00:00:00 2001 From: Diogo Teles Sant'Anna Date: Thu, 23 Nov 2023 14:45:47 -0300 Subject: [PATCH 4/9] Add Scorecard GitHub Action --- .github/workflows/scorecard.yml | 60 +++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 .github/workflows/scorecard.yml diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 0000000..cdc605e --- /dev/null +++ b/.github/workflows/scorecard.yml 
@@ -0,0 +1,60 @@ +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '37 3 * * 4' + push: + branches: [ "master" ] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + + steps: + - name: "Checkout code" + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check without using the new GitHub Repos(which are public by default): https://github.blog/2023-07-24-github-repository-rules-are-now-generally-available/ + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. + # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. 
+ - name: "Upload artifact" + uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4 + with: + sarif_file: results.sarif From adca101fdc4a3a1f2a4b40091756b0accc40f6c2 Mon Sep 17 00:00:00 2001 From: Christian Clauss Date: Fri, 24 Nov 2023 13:15:09 +0100 Subject: [PATCH 5/9] README.rst: Fix typos --- README.rst | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.rst b/README.rst index 82c0eff..a4f1f71 100644 --- a/README.rst +++ b/README.rst @@ -112,7 +112,7 @@ IDNA specification this conversion is not performed. >>> idna.encode('Königsgäßchen', uts46=True, transitional=True) 'xn--knigsgsschen-lcb0w' -Implementors should use transitional processing with caution, only in +Implementers should use transitional processing with caution, only in rare cases where conversion from legacy labels to current labels must be performed (i.e. IDNA implementations that pre-date 2008). For typical applications that just need to convert labels, transitional processing @@ -155,8 +155,8 @@ and perform the required calculations to identify eligibility. There are three main modes: * ``idna-data make-libdata``. Generates ``idnadata.py`` and - ``uts46data.py``, the pre-calculated lookup tables using for IDNA and - UTS 46 conversions. Implementors who wish to track this library against + ``uts46data.py``, the pre-calculated lookup tables used for IDNA and + UTS 46 conversions. Implementers who wish to track this library against a different Unicode version may use this tool to manually generate a different version of the ``idnadata.py`` and ``uts46data.py`` files. 
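Review bot: The `push` trigger is hard-coded to `branches: [ "master" ]`, while the Branch-Protection check and `publish_results: true` only apply to the repository's default branch, so if the default branch is ever renamed the workflow would silently fall back to the weekly cron run alone; a comment such as `# Must match the repository's default branch; Scorecard only evaluates that branch.` above the `branches:` line would record the coupling. The `analysis` job escalates from the workflow-level `permissions: read-all` to `security-events: write` and `id-token: write` and runs three SHA-pinned third-party actions, yet carries no `timeout-minutes:`; adding e.g. `timeout-minutes: 15` under `runs-on:` bounds how long a hung or misbehaving action can hold that elevated-permission runner. The pins carry version comments (`# v3.1.0`, `# v2.1.2`, `# v2.2.4`) but nothing in this series adds Dependabot or similar automation to keep them current, so it is worth stating in the workflow header who refreshes them and that a refresh should move only to a reviewed release tag.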
@@ -172,7 +172,7 @@ three main modes: The tool accepts a number of arguments, described using ``idna-data -h``. Most notably, the ``--version`` argument allows the specification -of the version of Unicode to use in computing the table data. For +of the version of Unicode to be used in computing the table data. For example, ``idna-data --version 9.0.0 make-libdata`` will generate library data against Unicode 9.0.0. @@ -186,7 +186,7 @@ Additional Notes * **Version support**. This library supports Python 3.5 and higher. As this library serves as a low-level toolkit for a variety of applications, many of which strive for broad compatibility with older - Python versions, there is no rush to remove older intepreter support. + Python versions, there is no rush to remove older interpreter support. Removing support for older versions should be well justified in that the maintenance burden has become too high. From 89cd0612146a50a720e5aef8f040ca8ed4c6274b Mon Sep 17 00:00:00 2001 From: Kim Davies Date: Fri, 24 Nov 2023 09:39:45 -0800 Subject: [PATCH 6/9] Release v3.5 --- HISTORY.rst | 2 +- LICENSE.md | 2 +- idna/package_data.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/HISTORY.rst b/HISTORY.rst index bde07fe..9888aa6 100644 --- a/HISTORY.rst +++ b/HISTORY.rst @@ -3,7 +3,7 @@ History ------- -3.5 (2023-11-XX) +3.5 (2023-11-24) ++++++++++++++++ - Update to Unicode 15.1.0 diff --git a/LICENSE.md b/LICENSE.md index cc7d6ba..ce36701 100644 --- a/LICENSE.md +++ b/LICENSE.md @@ -1,6 +1,6 @@ BSD 3-Clause License -Copyright (c) 2013-2022, Kim Davies and contributors. +Copyright (c) 2013-2023, Kim Davies and contributors. All rights reserved. Redistribution and use in source and binary forms, with or without diff --git a/idna/package_data.py b/idna/package_data.py index 8501893..2d2d651 100644 --- a/idna/package_data.py +++ b/idna/package_data.py @@ -1,2 +1,2 @@ -__version__ = '3.4' +__version__ = '3.5' 
From c5ba76a772c4d3ef749dcd28b858396c4b9bbc2e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= Date: Sat, 25 Nov 2023 07:11:01 +0100 Subject: [PATCH 7/9] Include tests in sdist Explicitly include tests in sdist archives, as they are used by packagers to test the package. Tests disappeared in the 3.5 release. --- pyproject.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/pyproject.toml b/pyproject.toml index 5082f47..c38756a 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -43,3 +43,4 @@ dynamic = ["version"] [tool.flit.sdist] exclude = [".gitignore", ".github/"] +include = ["tests"] From 4ae74cf4b9c8a947185b5e93769dcf3fa1dee47f Mon Sep 17 00:00:00 2001 From: Kim Davies Date: Sat, 25 Nov 2023 07:39:14 -0800 Subject: [PATCH 8/9] Release v3.6 --- HISTORY.rst | 7 ++++++- idna/package_data.py | 2 +- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/HISTORY.rst b/HISTORY.rst index 9888aa6..eea8a70 100644 --- a/HISTORY.rst +++ b/HISTORY.rst @@ -3,6 +3,11 @@ History ------- +3.6 (2023-11-25) +++++++++++++++++ + +- Fix regression to include tests in source distribution. + 3.5 (2023-11-24) ++++++++++++++++ @@ -10,7 +15,7 @@ History - String codec name is now "idna2008" as overriding the system codec "idna" was not working. - Fix typing error for codec encoding -- "setup.py" has been restored for this release due to some downstream +- "setup.cfg" has been added for this release due to some downstream lack of adherence to PEP 517. Should be removed in a future release so please prepare accordingly. - Removed reliance on a symlink for the "idna-data" tool to comport diff --git a/idna/package_data.py b/idna/package_data.py index 2d2d651..c5b7220 100644 --- a/idna/package_data.py +++ b/idna/package_data.py @@ -1,2 +1,2 @@ -__version__ = '3.5' +__version__ = '3.6' From e96ba044f67ebad7eece627beb145f6adcf53993 Mon Sep 17 00:00:00 2001 
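Review bot: The `include = ["tests"]` list under `[tool.flit.sdist]` is maintained by hand and nothing in this series verifies what the built sdist actually contains; the commit message says tests already disappeared in the 3.5 release, and patch 9/9 on this same file has to add `tools` and `HISTORY.rst` after a further omission (#166). A CI step that builds the sdist and asserts the expected top-level entries (tests, tools, HISTORY.rst) are present would catch the next regression before a release ships. Recording the intent inline would also help, e.g. `# Paths downstream packagers rely on; keep in sync with the sdist content check.` above the `include` line. The same point applies to the `pyproject.toml` hunk of patch 9/9.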
From: Kim Davies Date: Mon, 27 Nov 2023 17:56:42 -0800 Subject: [PATCH 9/9] Restore tools/ and HISTORY.rst to sdist (fixes #166) --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index c38756a..53d89af 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -43,4 +43,4 @@ dynamic = ["version"] [tool.flit.sdist] exclude = [".gitignore", ".github/"] -include = ["tests"] +include = ["tests", "tools", "HISTORY.rst"]