diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
new file mode 100644
index 0000000..cdc605e
--- /dev/null
+++ b/.github/workflows/scorecard.yml
@@ -0,0 +1,60 @@
+name: Scorecard supply-chain security
+on:
+ # For Branch-Protection check. Only the default branch is supported. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+ branch_protection_rule:
+ # To guarantee Maintained check is occasionally updated. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+ schedule:
+ - cron: '37 3 * * 4'
+ push:
+ branches: [ "master" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check without using the new GitHub Repos(which are public by default): https://github.blog/2023-07-24-github-repository-rules-are-now-generally-available/
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results.
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+ with:
+ sarif_file: results.sarif
diff --git a/HISTORY.rst b/HISTORY.rst
index 28516d3..eea8a70 100644
--- a/HISTORY.rst
+++ b/HISTORY.rst
@@ -3,12 +3,23 @@
 History
 -------
-3.5 (XXXX-XX-XX)
+3.6 (2023-11-25)
 ++++++++++++++++
-- String codec name is now 'idna2008' as overriding the system
- codec 'idna' was not working.
+
+- Fix regression to include tests in source distribution.
+
+3.5 (2023-11-24)
+++++++++++++++++
+
+- Update to Unicode 15.1.0
+- String codec name is now "idna2008" as overriding the system codec
+ "idna" was not working.
 - Fix typing error for codec encoding
-- Remove 'setup.py' to complete migration to pyproject.toml
+- "setup.cfg" has been added for this release due to some downstream
+ lack of adherence to PEP 517. Should be removed in a future release
+ so please prepare accordingly.
+- Removed reliance on a symlink for the "idna-data" tool to comport
+ with PEP 517 and the Python Packaging User Guide for sdist archives.
 - Added security reporting protocol for project
 Thanks Jon Ribbens, Diogo Teles Sant'Anna, Wu Tingfeng for contributions
diff --git a/LICENSE.md b/LICENSE.md
index cc7d6ba..ce36701 100644
--- a/LICENSE.md
+++ b/LICENSE.md
@@ -1,6 +1,6 @@
 BSD 3-Clause License
-Copyright (c) 2013-2022, Kim Davies and contributors.
+Copyright (c) 2013-2023, Kim Davies and contributors.
 All rights reserved.
 Redistribution and use in source and binary forms, with or without
diff --git a/README.rst b/README.rst
index 82c0eff..a4f1f71 100644
--- a/README.rst
+++ b/README.rst
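Review bot: The four `uses:` lines in this workflow are pinned to full commit SHAs, which is the right posture, but the change adds nothing that keeps those pins current: `actions/checkout` and `actions/upload-artifact` are pinned at v3.1.0 and `github/codeql-action/upload-sarif` at v2.2.4, and the v3 line of the first two runs on Node 16, a runtime GitHub has deprecated. Unless a Dependabot or Renovate configuration already exists outside this diff, add a `.github/dependabot.yml` entry for the `github-actions` ecosystem so the SHAs and their trailing `# vX.Y.Z` comments are bumped together rather than drifting apart. The `push` trigger is limited to `branches: [ "master" ]`, and the comment on `branch_protection_rule` notes that Scorecard only evaluates the default branch, so it is worth recording that assumption next to the trigger, e.g. `# "master" is this repository's default branch; Scorecard only reports on the default branch`. The `repo_token` comment block also reads as a list with a single bullet and is missing a space before the parenthesis in `Repos(which`; tidy it when the file is next touched.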
@@ -112,7 +112,7 @@ IDNA specification this conversion is not performed.
 >>> idna.encode('Königsgäßchen', uts46=True, transitional=True)
 'xn--knigsgsschen-lcb0w'
-Implementors should use transitional processing with caution, only in
+Implementers should use transitional processing with caution, only in
 rare cases where conversion from legacy labels to current labels must
 be performed (i.e. IDNA implementations that pre-date 2008). For typical
 applications that just need to convert labels, transitional processing
@@ -155,8 +155,8 @@ and perform the required calculations to identify eligibility. There are
 three main modes:
 * ``idna-data make-libdata``. Generates ``idnadata.py`` and
- ``uts46data.py``, the pre-calculated lookup tables using for IDNA and
- UTS 46 conversions. Implementors who wish to track this library against
+ ``uts46data.py``, the pre-calculated lookup tables used for IDNA and
+ UTS 46 conversions. Implementers who wish to track this library against
 a different Unicode version may use this tool to manually generate
 a different version of the ``idnadata.py`` and ``uts46data.py`` files.
@@ -172,7 +172,7 @@ three main modes:
 The tool accepts a number of arguments, described using ``idna-data -h``.
 Most notably, the ``--version`` argument allows the specification
-of the version of Unicode to use in computing the table data. For
+of the version of Unicode to be used in computing the table data. For
 example, ``idna-data --version 9.0.0 make-libdata`` will generate
 library data against Unicode 9.0.0.
@@ -186,7 +186,7 @@ Additional Notes
 * **Version support**. This library supports Python 3.5 and higher. As
 this library serves as a low-level toolkit for a variety of applications,
 many of which strive for broad compatibility with older
- Python versions, there is no rush to remove older intepreter support.
+ Python versions, there is no rush to remove older interpreter support.
 Removing support for older versions should be well justified in that
 the maintenance burden has become too high.
diff --git a/SECURITY.md b/SECURITY.md
index 3d53a4a..9009ae9 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,11 +1,19 @@
 # Security Policy
 ## Supported Versions
+
 Security updates are applied only to the latest release.
 ## Reporting a Vulnerability
-If you have discovered a security vulnerability in this project, please report it privately. **Do not disclose it as a public issue.** This gives us time to work with you to fix the issue before public exposure, reducing the chance that the exploit will be used before a patch is released.
-Please disclose it at our [security advisory](https://github.com/kjd/idna/security/advisories/new).
+If you have discovered a security vulnerability in this project, please
+report it privately. **Do not disclose it as a public issue.** This gives
+us time to work with you to fix the issue before public exposure, reducing
+the chance that the exploit will be used before a patch is released.
+
+Please disclose your issue through Github's
+[security advisory facility](https://github.com/kjd/idna/security/advisories/new).
-This project is maintained by a team of volunteers on a reasonable-effort basis. As such, vulnerabilities will be disclosed in a best effort base.
+We will endeavor to prioritize review, remediation and disclosure of
+vulnerabilites. However, be mindful that this project is maintained by a
+team of volunteers who work on a best effort basis.
\ No newline at end of file
diff --git a/idna/package_data.py b/idna/package_data.py
index 8501893..c5b7220 100644
--- a/idna/package_data.py
+++ b/idna/package_data.py
@@ -1,2 +1,2 @@
-__version__ = '3.4'
+__version__ = '3.6'
diff --git a/pyproject.toml b/pyproject.toml
index 5082f47..53d89af 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -43,3 +43,4 @@ dynamic = ["version"]
 [tool.flit.sdist]
 exclude = [".gitignore", ".github/"]
+include = ["tests", "tools", "HISTORY.rst"]
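Review bot: `include = ["tests", "tools", "HISTORY.rst"]` carries no comment saying why these paths must ship in the sdist, even though HISTORY.rst in this same commit describes the missing tests as a regression, so the next tidy-up of `[tool.flit.sdist]` can silently reintroduce it; add `# ship tests/ and tools/ in the sdist so downstream packagers can run the suite (see HISTORY.rst 3.6)` above the line. Since a bare directory name in flit's `include` pulls in everything beneath it, it is also worth confirming that `tools` holds only the `idna-data` generator that HISTORY.rst refers to and no scratch files or credentials before a release is cut from this configuration. The hunk has no trailing context, so this line appears to be the last line of the file and the `[tool.flit.sdist]` table closes with it.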