From d9a7dc34c2686f8eca4b8850400942d7c30f4214 Mon Sep 17 00:00:00 2001 From: David Lord Date: Sun, 29 Dec 2024 14:43:50 -0800 Subject: [PATCH] some markdown formatting --- content/blog/jinja-2-10-1-released.md | 10 +++--- content/blog/werkzeug-0-15-0-released.md | 4 +-- content/blog/werkzeug-0-15-3-released.md | 2 +- content/blog/werkzeug-0-15-5-released.md | 2 +- content/donate.md | 9 +++--- content/ecosystem.md | 6 ++-- content/funding.md | 10 +++--- content/releases.md | 6 ++-- content/security.md | 39 ++++++++++++------------ content/versions.md | 32 +++++++++---------- 10 files changed, 61 insertions(+), 59 deletions(-) diff --git a/content/blog/jinja-2-10-1-released.md b/content/blog/jinja-2-10-1-released.md index 045281d..d8f8cec 100644 --- a/content/blog/jinja-2-10-1-released.md +++ b/content/blog/jinja-2-10-1-released.md @@ -6,13 +6,13 @@ tags = ["releases", "security"] ~~~~ Jinja 2.10.1 has been released and includes a security-related fix. If -you are using the Jinja [sandboxed environment][] you are encouraged to +you are using the Jinja [sandboxed environment] you are encouraged to upgrade. -MITRE has assigned [CVE-2019-10906][] to this issue. +MITRE has assigned [CVE-2019-10906] to this issue. -Thank you to [Brian Welch][] for responsibly reporting the issue, and to -[Armin Ronacher][] for writing the fix. +Thank you to [Brian Welch] for responsibly reporting the issue, and to +[Armin Ronacher] for writing the fix. The sandbox is used to restrict what code can be evaluated when rendering untrusted, user-provided templates. Due to the way string 
@@ -20,7 +20,7 @@ formatting works in Python, the `str.format_map` method could be used to escape the sandbox. This issue was previously addressed for the `str.format` method in -[Jinja 2.8.1][], which discusses the issue in detail. However, the +[Jinja 2.8.1], which discusses the issue in detail. However, the less-common `str.format_map` method was overlooked. This release applies the same sandboxing to both methods. diff --git a/content/blog/werkzeug-0-15-0-released.md b/content/blog/werkzeug-0-15-0-released.md index 066aa60..038e679 100644 --- a/content/blog/werkzeug-0-15-0-released.md +++ b/content/blog/werkzeug-0-15-0-released.md @@ -29,8 +29,8 @@ to understand what changes may affect your code when upgrading. URL is logged by the dev server rather than showing percent escapes. * Deprecation warnings have been added throughout the code in preparation for version 1.0. -* Werkzeug now uses [pre-commit][], [black][], [reorder-python-imports][], - and [flake8][] to provide consistent code formatting. The code also +* Werkzeug now uses [pre-commit], [black], [reorder-python-imports], + and [flake8] to provide consistent code formatting. The code also moved to a `src` directory layout. * And much more! diff --git a/content/blog/werkzeug-0-15-3-released.md b/content/blog/werkzeug-0-15-3-released.md index eea2e15..1315c2b 100644 --- a/content/blog/werkzeug-0-15-3-released.md +++ b/content/blog/werkzeug-0-15-3-released.md @@ -6,7 +6,7 @@ tags = ["releases", "security"] ~~~~ Werkzeug 0.15.3 has been released, followed closely by 0.15.4. Both fix -bugs and compatibility issues. The [changelog][] lists the changes in +bugs and compatibility issues. The [changelog] lists the changes in detail, which include: * The debugger pin is unique per Docker container. diff --git a/content/blog/werkzeug-0-15-5-released.md b/content/blog/werkzeug-0-15-5-released.md index b5ce2eb..83a56ab 100644 --- a/content/blog/werkzeug-0-15-5-released.md 
+++ b/content/blog/werkzeug-0-15-5-released.md @@ -6,7 +6,7 @@ tags = ["releases", "security"] ~~~~ Werkzeug 0.15.5 has been released, containing bug and security fixes. -The [changelog][] lists the changes in detail, which include: +The [changelog] lists the changes in detail, which include: * `SharedDataMiddleware` safely handles drive names in paths on Windows. * The reloader no longer causes an `Exec format error` in many common diff --git a/content/donate.md b/content/donate.md index acfd372..b16f337 100644 --- a/content/donate.md +++ b/content/donate.md @@ -8,10 +8,11 @@ managers can help us stay focused and productive. The Pallets teams does what they do because they love the frameworks and they love to code, and we are grateful to the community support that helps that continue. Thank you! -* Donate through GitHub Sponsors: -* Donate through the Python Software Foundation (PSF): -* Subscribe through thanks.dev: -* Subscribe through Tidelift: +- Donate through GitHub Sponsors: +- Donate through the Python Software Foundation (PSF): + +- Subscribe through thanks.dev: +- Subscribe through Tidelift: See the [Funding Sources](funding.md) page for details about all our funding sources. diff --git a/content/ecosystem.md b/content/ecosystem.md index 99a9097..d2849f5 100644 --- a/content/ecosystem.md +++ b/content/ecosystem.md @@ -1,6 +1,6 @@ # Pallets Community Ecosystem -The [Pallets-Eco][] organization is a collaborative community to share the +The [Pallets-Eco] organization is a collaborative community to share the responsibility of maintaining libraries that work with and extend Pallets libraries. 
@@ -19,7 +19,7 @@ everything themselves. ## Help Us Grow -The Pallets-Eco organization is based on the successful [JazzBand][] +The Pallets-Eco organization is based on the successful [JazzBand] organization. We're still in the early days of setting up the community, and still need to set up guidelines, automation, and other resources for contributors and maintainers. If you would like to help with that, please join @@ -40,7 +40,7 @@ A trusted user will invite you to the GitHub organization. If you maintain a well-known extension that of a Pallets library, and need assistance with that effort, you can transfer the project to Pallets-Eco. -After joining the organization, you can use [GitHub's transfer feature][] to +After joining the organization, you can use [GitHub's transfer feature] to transfer the repository to the Pallets-Eco organization. You'll retain access, and the other organization members will gain access. Only trusted users can make releases, so you don't have to worry about security issues. diff --git a/content/funding.md b/content/funding.md index 98319b5..1a6a031 100644 --- a/content/funding.md +++ b/content/funding.md @@ -1,7 +1,7 @@ # Funding Sources Pallets is an open source community organization. We are a part of the Python -Software Foundation (PSF) as a [fiscal sponsoree][], who help manage our funds +Software Foundation (PSF) as a [fiscal sponsoree], who help manage our funds and provide administrative assistance. [fiscal sponsoree]: https://www.python.org/psf/fiscal-sponsorees/ @@ -14,7 +14,7 @@ Donate to Pallets through GitHub Sponsors here: If you or your company already uses GitHub, the easiest way to donate to us may -be through [GitHub Sponsors][]. You may donate any amount, either one time or on +be through [GitHub Sponsors]. You may donate any amount, either one time or on a schedule. [GitHub Sponsors]: https://github.com/sponsors 
@@ -37,8 +37,8 @@ budget, and then distributes your donation to your dependencies. ## EthicalAds and Read the Docs -Our documentation is hosted by [Read the Docs][], which shows relevant and -non-intrusive ads through [EthicalAds][]. Both projects are run by trusted +Our documentation is hosted by [Read the Docs], which shows relevant and +non-intrusive ads through [EthicalAds]. Both projects are run by trusted members of the Python community. We receive a portion of advertising revenue on our documentation pages. @@ -50,7 +50,7 @@ Please consider disabling ad blocking for EthicalAds: ## Tidelift Enterprise Subscription -[Tidelift][] provides tools, data, and strategies that help organizations +[Tidelift] provides tools, data, and strategies that help organizations assess risk and improve the health, security, and resilience of the open source used in their applications. diff --git a/content/releases.md b/content/releases.md index a86dd90..b08c21d 100644 --- a/content/releases.md +++ b/content/releases.md @@ -9,7 +9,7 @@ See our [Version Support Policy](versions.md) as well. ## Notifications -PyPI provides an RSS feed of [release notifications][] for each project. You can +PyPI provides an RSS feed of [release notifications] for each project. You can find it at the top of the "Release history" tab on the project's page. [release notifications]: https://pypi.org/help/#project-release-notifications @@ -33,7 +33,7 @@ are being reported. ## Security Building and publishing releases is automated with GitHub workflows and PyPI's -[Trusted Publisher][] authentication. Team members on GitHub and PyPI are +[Trusted Publisher] authentication. Team members on GitHub and PyPI are required to have 2FA enabled. [Trusted Publisher]: https://docs.pypi.org/trusted-publishers/ 
@@ -48,6 +48,6 @@ The context of each build is recorded and signed as SLSA provenance. The provenance file can be found on the GitHub release page, usually called `multiple.intoto.jsonl`. Eventually, PyPI will support uploading and displaying verification for these files. For now, they can be verified manually using -[slsa-verifier][]. +[slsa-verifier]. [slsa-verifier]: https://github.com/slsa-framework/slsa-verifier diff --git a/content/security.md b/content/security.md index 848a53b..555378a 100644 --- a/content/security.md +++ b/content/security.md 
@@ -31,22 +31,23 @@ The following categories will generally not be considered security issues. You may still err on the side of caution and make a private report first, but we may close it or ask you to report a regular issue instead. -* The Werkzeug and Flask development server, debugger, and reloader. - Documentation and startup messages already clearly indicate that these are - intended for local development only. -* Use of Jinja and MarkupSafe HTML escaping in other contexts, such as JavaScript. -* Use of SHA-1 in ItsDangerous. SHA-1 is not vulnerable when used as an - intermediate step in HMAC, and ItsDangerous can be configured to use another - algorithm when needed. -* Insecure configuration or code in a project *using* our libraries. This should - be reported to the relevant project instead. -* Regular expression performance, often referred to as "ReDoS". Deployed - applications should use standard/recommended resource limits offered by their - server software and hosting service. You may report this as a regular - performance issue instead of a security issue. -* Automated reports from vulnerability scanners or "AI" tools. Please make it - clear that you understand what you are reporting and have put personal time - into crafting the report. -* Do not report something that has already been fixed and released; check the - project's change log. Getting a notification from your security scanner that - you need to update is not itself a new vulnerability to report. +- The Werkzeug and Flask development server, debugger, and reloader. + Documentation and startup messages already clearly indicate that these are + intended for local development only. +- Use of Jinja and MarkupSafe HTML escaping in other contexts, such as + JavaScript. +- Use of SHA-1 in ItsDangerous. SHA-1 is not vulnerable when used as an + intermediate step in HMAC, and ItsDangerous can be configured to use another + algorithm when needed. 
+- Insecure configuration or code in a project *using* our libraries. This + should be reported to the relevant project instead. +- Regular expression performance, often referred to as "ReDoS". Deployed + applications should use standard/recommended resource limits offered by + their server software and hosting service. You may report this as a regular + performance issue instead of a security issue. +- Automated reports from vulnerability scanners or "AI" tools. Please make it + clear that you understand what you are reporting and have put personal time + into crafting the report. +- Do not report something that has already been fixed and released; check the + project's change log. Getting a notification from your security scanner that + you need to update is not itself a new vulnerability to report. diff --git a/content/versions.md b/content/versions.md index 7abe218..9f2e72b 100644 --- a/content/versions.md +++ b/content/versions.md 
@@ -16,18 +16,18 @@ See our [Release Policy](releases.md) as well. ## Version Format -Each project uses versions that follow the [PEP 440][] format. Stable releases +Each project uses versions that follow the [PEP 440] format. Stable releases have three numbers, `A.B.C`. We follow a version scheme similar to Python itself. -* The `A` number is considered a "milestone" release. It increases rarely, and - indicates a significant change in the project's structure or capabilities. -* The `B` number is considered a "feature" release. Increasing this number - indicates adding new features, and may deprecate existing code or remove - previously deprecated code. -* The `C` number is considered a "fix" release. Increasing this number indicates - changes to fix bugs or security issues, and will not intentionally break - public APIs. +- The `A` number is considered a "milestone" release. It increases rarely, and + indicates a significant change in the project's structure or capabilities. +- The `B` number is considered a "feature" release. Increasing this number + indicates adding new features, and may deprecate existing code or remove + previously deprecated code. +- The `C` number is considered a "fix" release. Increasing this number + indicates changes to fix bugs or security issues, and will not intentionally + break public APIs. ## Public API, Deprecations, and Removals @@ -50,7 +50,7 @@ migrations. ## Pinning Versions and Constraints -When writing an application, you *must* use a tool like [pip-compile][] to pin +When writing an application, you *must* use a tool like [pip-compile] to pin your application's full dependency tree. This gives you reproducible deployments, allowing you to control when you get updates. @@ -75,11 +75,11 @@ versions as `major.major.patch` if you need to use SemVer in other contexts. Please see any of the following resources for more information: -* -* -* -* -* -* +- +- +- +- +- +- [PEP 440]: https://peps.python.org/pep-0440/
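Review bot: dropping the trailing `[]` from `[sandboxed environment][]`, `[CVE-2019-10906][]` and the other links in the `content/blog/jinja-2-10-1-released.md` hunk (and the same pattern in every other file in this patch) turns collapsed reference links into shortcut reference links, which render only if the matching `[label]: url` definition is still present in each file. None of those definitions are shown in these hunks, so confirm each file still defines every label it uses and that the site's Markdown renderer supports shortcut references; a missing definition degrades silently to literal bracketed text instead of an error, and for the advisory links in a security post that would be easy to miss.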
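Review bot: in the `content/donate.md` hunk, the blank line inserted between `- Donate through the Python Software Foundation (PSF):` and `- Subscribe through thanks.dev:` does not split the list in CommonMark; items separated by a blank line remain one list, which just becomes a loose list with each item wrapped in a paragraph. If the intent is two lists (donations versus subscriptions), put a short heading or sentence between them; otherwise drop the blank line so the rendering matches the other bullet lists changed in this patch.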
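Review bot: in the `content/ecosystem.md` hunk at `@@ -40,7 +40,7 @@`, the unchanged context line `If you maintain a well-known extension that of a Pallets library, and need` has a stray "that"; since the patch already touches this paragraph, fix it to "a well-known extension of a Pallets library".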
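Review bot: in the rewritten `content/funding.md` line `Software Foundation (PSF) as a [fiscal sponsoree], who help manage our funds`, "who help" does not agree with the singular PSF; "which helps manage our funds" reads correctly.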
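Review bot: the `content/releases.md` hunk at `@@ -48,6 +48,6 @@` leaves `For now, they can be verified manually using [slsa-verifier].` without saying what a reader should check the `multiple.intoto.jsonl` provenance against (the expected source repository and the released artifact it covers). Consider linking the tool's verification instructions and naming the expected source repository, so a reader can distinguish a passing verification from a provenance file that merely parses.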
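Review bot: in the `content/security.md` hunk, the last item `Do not report something that has already been fixed and released;` is an instruction rather than a category, yet the list is introduced as categories that will generally not be considered security issues; rephrase it as a category ("Issues already fixed in a released version; check the project's change log.") or move it into the paragraph above the list. The SHA-1 item could also be tightened while these lines are being rewrapped: "SHA-1 is not vulnerable when used as an intermediate step in HMAC" is more precisely "the known SHA-1 collision attacks do not apply to HMAC-SHA1, whose security does not rely on collision resistance", which is the actual reason such a report is closed.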