Koji 1.17.0 Release notes

Migrating from Koji 1.16

For details on migrating see :doc:`../migrations/migrating_to_1.17`

Security Fixes

**CVE-2018-1002161 - SQL injection in multiple remote calls**

| PR: https://pagure.io/koji/pull-request/1274

This release includes the fix for :doc:`../CVEs/CVE-2018-1002161`

Client Changes

**Volume id option for livemedia and livecd tasks**

| PR: https://pagure.io/koji/pull-request/1227

The ``spin-livecd`` and ``spin-livemedia`` commands now accept a ``--volid``
argument to specify the volume id for the media. If unspecified, the
volume id is chosen via the same heuristic as before.

Volume ids must be 32 characters or less.

**Build order preserved by clone-tag**

| PR: https://pagure.io/koji/pull-request/1014

This is an improvement to the ``clone-tag`` command. Previously, when the
command was used without the ``--latest-only`` option, it could get the
ordering of builds wrong in the destination tag. Now, the order will
match the source tag.

**Configurable authentication timeout**

| PR: https://pagure.io/koji/pull-request/1172

Previously, the network timeout during authentication was hard coded to
60 seconds. It is now configurable via the ``auth_timeout`` configuration

**Additional information from list-channels command**

| PR: https://pagure.io/koji/pull-request/940

The ``list-channels`` command now shows three separate host counts for
each channel:

- the number of enabled hosts in the channel
- the number of ready hosts in the channel
- the number of disabled hosts in the channel

**The free-task command requires at least one task-id**

| PR: https://pagure.io/koji/pull-request/1045

Previously this command was a no-op when given no arguments. Now it will return an

Library Changes

**Drop encode_int function**

| PR: https://pagure.io/koji/pull-request/852

This is a follow up to the large integer support that we added in version 1.14

See also: :doc:`release_notes_1.14`

The ``encode_int`` function is no longer used
and has been dropped from the library.

Because we no longer call ``encode_int``, the hub will now always use i8 tags
when returning large integers, rather than returning them as strings in some

**Use custom Kerberos context with krb_login**

| PR: https://pagure.io/koji/pull-request/1187

Clients can now pass in their own Kerberos context to
``ClientSession.krb_login()`` using
the ``ctx`` parameter. This is intended for multi-threaded clients.

**Custom keyboard interrupt handling in watch_tasks**

| PR: https://pagure.io/koji/pull-request/981

The new ``ki_handler`` option for the ``koji_cli.lib.watch_tasks()`` function
allows other cli tools to set their own handler for keyboard interrupts.
If specified, the value should be callable and will be called when a
keyboard interrupt is encountered.
If unspecified, the original behavior is retained.

**_unique_path() -> unique_path**

| PR: https://pagure.io/koji/pull-request/980

The ``_unique_path`` function is deprecated. It has been replaced
by ``unique_path``.

Web UI Changes

**Additional info on builders in channelinfo page**

| PR: https://pagure.io/koji/pull-request/989

The channelinfo page now shows enabled/ready status for each host and a count
for each.

Builder Changes

**Builder task_avail_delay check**

| PR: https://pagure.io/koji/pull-request/1176

This delay works around a deficiency in task scheduling. The default
delay is 300 seconds and can be adjusted with the ``task_avail_delay``
option to kojid. However, it is unlikely that admins will need to
adjust this setting.

Despite the name, this does not introduce any new delay compared to the
old behavior. The setting controls how long a host will wait before taking
a task in a given channel-arch "bin" when that host has an available
capacity lower than the median for that bin. Previously, such hosts
could wait forever.

System Changes

**Python 3 Support**

| PR: https://pagure.io/koji/pull-request/1117
| PR: https://pagure.io/koji/pull-request/891
| PR: https://pagure.io/koji/pull-request/921
| PR: https://pagure.io/koji/pull-request/1184
| PR: https://pagure.io/koji/pull-request/1019
| PR: https://pagure.io/koji/pull-request/685
| ...and many fixes

Support for Python 3 has been extended to all components of Koji. Including:

- Hub
- Builder
- Web UI
- Utils

**No more messagebus plugin**

| PR: https://pagure.io/koji/pull-request/1043

The messagebus plugin has been dropped. The protonmsg plugin is still

**Simple mode for mergerepos**

| PR: https://pagure.io/koji/pull-request/1066

External repos now have a ``merge_mode`` option. Valid values are
either ``koji`` (the old way) or ``simple`` (a new alternative). This
option can be set with the ``--mode`` option to the ``add-external-repo``
or ``edit-external-repo`` commands.

When an external repo is merged with simple mode, a number of the complex
filters that Koji normally applies are skipped. This mode still honors
the block list from Koji and ignores duplicate NVRAs, but otherwise
it simply merges the repo in.

Multiple merge modes cannot be combined in a single tag. If a tag
has two external repos with different modes, then the repo will
fail to generate.

**Avoid "unknown task" errors in Kojira**

| PR: https://pagure.io/koji/pull-request/1175

This is a bug fix for a minor race condition in Kojira that could cause
errors in the log and redundant repo regens.

**Full filename display for kojifiles directory indexes**

| PR: https://pagure.io/koji/pull-request/1156

This is simply a change to the default httpd configuration for serving
/mnt/koji. It adds ``NameWidth=*`` to ``IndexOptions`` so that long filenames
are fully displayed.

**Broader support for target/source/scratch tests in channel policy**

| PR: https://pagure.io/koji/pull-request/962

It is now possible to write channel policy rules based on
build target, source, and scratch options for task types other
than ``build``.

**Longer Build Target names**

| PR: https://pagure.io/koji/pull-request/925

Build target names can now be up to 256 characters, the same length
restriction as for tag names.