2.x release notes

This document contains release notes for the old 2.x release series.



  • Positive karma on stable updates no longer sends them back to batched (#1881).

  • Push to batched buttons now appear on pushed updates when appropriate (#1875).

Release contributors

The following developers contributed to Bodhi 2.12.2:

  • Randy Barlow



  • Use separate directories to clone the comps repositories (PR#1885).

Release contributors

The following developers contributed to Bodhi 2.12.1:

  • Patrick Uiterwijk

  • Randy Barlow



  • Bodhi now asks Pagure to expand group membership when Pagure is used for ACLs (#1810).

  • Bodhi now displays Atomic CI pipeline results (PR#1847).


  • Use generic superclass models where possible (#1793).

Release contributors

The following developers contributed to Bodhi 2.12.0:

  • Pierre-Yves Chibon

  • Randy Barlow



  • Bodhi now batches non-urgent updates together for less frequent churn. There is a new bodhi-dequeue-stable CLI that is intended be added to cron that looks for batched updates and moves them to stable (#1157).


  • Improved bugtracker linking in markdown input (#1406).

  • Don’t disable autopush when the update is already requested for stable (#1570).

  • There is now a timeout on fetching results from ResultsDB in the backend (#1597).

  • Critical path updates now have positive days_to_stable and will only comment about pushing to stable when appropriate (#1708).

Development improvements

  • More docblocks have been written.

Release contributors

The following developers contributed to Bodhi 2.11.0:

  • Caleigh Runge-Hottman

  • Ryan Lerch

  • Rimsha Khan

  • Randy Barlow


Bug fixes

  • Adjust the Greenwave subject query to include the original NVR of the builds (PR#1765).

Release contributors

The following developers contributed to Bodhi 2.10.1:

  • Ralph Bean


Compatibility changes

This release of Bodhi has a few changes that are technically backward incompatible in some senses, but it was determined that each of these changes are justified without raising Bodhi’s major version, often due to features not working at all or being unused. Justifications for each are given inline.

  • dnf and iniparse are now required dependencies for the Python bindings. Justification: Technically, these were needed before for some of the functionality, and the bindings would traceback if that functionality was used without these dependencies being present. With this change, the module will fail to import without them, and they are now formal dependencies.

  • Support for EL 5 has been removed in this release. Justification: EL 5 has become end of life.

  • The pkgtags feature has been removed. Justification: It did not work correctly and enabling it was devastating (#1634).

  • Some bindings code that could log into Koji with TLS certificates was removed. Justification: It was unused (b4474676).

  • Bodhi’s short-lived ci_gating feature has been removed, in favor of the new Greenwave integration feature. Thus, the ci.required and ci.url settings no longer function in Bodhi. The bodhi-babysit-ci utility has also been removed. Justification: The feature was never completed and thus no functionality is lost (PR#1733).


  • There are new search endpoints in the REST API that perform ilike queries to support case insensitive searching. Bodhi’s web interface now uses these endpoints (#997).

  • It is now possible to search by update alias in the web interface (#1258).

  • Exact matches are now sorted first in search results (#692).

  • The CLI now has a --mine flag when searching for updates or overrides (#811, #1382).

  • The CLI now has more search parameters when querying overrides (#1679).

  • The new case insensitive search is also used when hitting enter in the search box in the web UI (#870).

  • Bodhi is now able to query Pagure for FAS groups for ACL info (f9414601).

  • The Python bindings’ candidates() method now automatically initializes the username (6e8679b6).

  • CLI errors are now printed in red text (431b9078).

  • The graphs on the metrics page now have mouse hovers to indicate numerical values (#209).

  • Bodhi now has support for using Greenwave to gate updates based on test results. See the new test_gating.required, test_gating.url, and greenwave_api_url settings in production.ini for details on how to enable it. Note also that this feature introduces a new server CLI tool, bodhi-check-policies, which is intended to be run via cron on a regular interval. This CLI tool communicates with Greenwave to determine if updates are passing required tests or not (PR#1733).

Bug fixes

  • The autokarma check box’s value now persists when editing updates (#1692, #1482, and #1308).

  • The CLI now catches a variety of Exceptions and prints user readable errors instead of tracebacks (#1126, #1626).

  • The Python bindings’ get_releases() method now uses a GET request (#784).

  • The HTML sanitization code has been refactored, which fixed a couple of issues where Bodhi didn’t correctly escape things like e-mail addresses (#1656, #1721).

  • The bindings’ docstring for the comment() method was corrected to state that the email parameter is used to make anonymous comments, rather than to enable or disable sending of e-mails (#289).

  • The web interface now links directly to libravatar’s login page instead of POSTing to it (#1674).

  • The new/edit update form in the web interface now works with the new typeahead library (#1731).

Development improvements

  • Several more modules have been documented with PEP-257 compliant docblocks.

  • Several new tests have been added to cover various portions of the code base, and Bodhi now has 89% line test coverage. The goal is to reach 100% line coverage within the next 12 months, and then begin to work towards 100% branch coverage.

Release contributors

The following developers contributed to Bodhi 2.10.0:

  • Ryan Lerch

  • Matt Jia

  • Matt Prahl

  • Jeremy Cline

  • Ralph Bean

  • Caleigh Runge-Hottman

  • Randy Barlow


2.9.1 is a security release for CVE-2017-1002152.

Release contributors

Thanks to Marcel for reporting the issue. Randy Barlow wrote the fix.



  • It is now possible to set required Taskotron tests with the --requirements CLI flag (#1319).

  • The CLI now has tab completion in bash (#1188).

  • Updates that are pending testing now go straight to stable if they reach required karma (#632).

  • The automated tests tab now shows a count on info results (1de12f6a).

  • The UI now displays a spinner while a search is in progress (#436).

  • It is now possible to middle click on search results in the web UI (#461).

  • Pending releases are now displayed on the home page (#1619).

  • Links without an explicit scheme can now be detected as links (#1721).


  • Wiki test cases are no longer duplicated (#780).

  • The server bodhi-manage-releases script now uses the new Bodhi bindings (#1338).

  • The server bodhi-manage-releases script now supports the --url flag (0181a344).

  • The --help output from the Bodhi CLI is cleaner and more informative (#1457).

  • The CLI now provides more informative error messages when creating duplicate overrides (#1377).

  • E-mail subjects now include build versions again (#1635).

  • Taskotron results with the same scenario key are now all displayed (d5b0bfa3).

  • The front page UI elements now line up (#1659).

  • The UI now properly urlencodes search URLs to properly escape characters such as “+” (#1015).

  • e-mail addresses are now properly processed by the markdown system (#1656).

Development improvements

  • The bundled typeahead JavaScript library is rebased to version 1.1.1 from the maintained fork at https://github.com/corejavascript/typeahead.js . The main typeahead repo appears to be unmaintained and contained a bug that we were hitting: https://github.com/twitter/typeahead.js/issues/1381

  • Docblocks were written for several more modules.

  • Bodhi now hard depends on rpm instead of conditionally importing it (#1166).

  • Bodhi now has CI provided by CentOS that is able to test pull requests. Thanks to Brian Stinson and CentOS for providing this service to the Bodhi project!

  • Some ground work has been done in order to enable batched updates, so that medium and low priority updates can be pushed on a less frequent interval than high priority (security or urgent) updates.

  • Bodhi now uses py.test as the test runner instead of nose.

  • Tox is now used to run the style tests.

  • There is now a unified test base class that creates a single TestApp for the tests to use. The TestApp was the source of a significant memory leak in Bodhi’s tests. As a result of this refactor, Bodhi’s tests now consume about 450 MB instead of about 4.5 GB. As a result, the example Vagrantfile now uses 2 GB of RAM instead of 5 GB. It is likely possible to squeeze it down to 1 GB or so, if desired.

  • Bodhi now supports both the bleach 1 and bleach 2 APIs (#1718).

Release contributors

The following developers contributed to Bodhi 2.9.0:

  • Ryan Lerch

  • Jeremy Cline

  • Clement Verna

  • Caleigh Runge-Hottman

  • Kamil Páral

  • Brian Stinson

  • Martin Curlej

  • Trishna Guha

  • Brandon Gray

  • Randy Barlow



  • Restore defaults for three settings back to the values they had in Bodhi 2.7.0 ( PR#1633, PR#1640, and PR#1641).

Release contributors

The following contributors submitted patches for Bodhi 2.8.1:

  • Patrick Uiterwijk (the true 2.8.1 hero)

  • Randy Barlow


Special instructions

  • There is a new setting, ci.required that defaults to False. If you wish to use CI, you must add a cron task to call the new bodhi-babysit-ci CLI periodically.


The /search/packages API call has been deprecated.

New Dependencies

  • Bodhi now uses Bleach to sanitize markdown input from the user. python-bleach 1.x is a new dependency in this release of Bodhi.


  • The API, fedmsg messages, bindings, and CLI now support non-RPM content ( #1325, #1326, #1327, and #1328). Bodhi now knows about Fedora’s new module format, and is able to handle everything they need except publishing (which will appear in a later release). This release is also the first Bodhi release that is able to handle multiple content types.

  • Improved OpenQA support in the web UI (#1471).

  • The type icons are now aligned in the web UI (4b6b7597 and d0940323).

  • There is now a man page for bodhi-approve-testing (cf8d897f).

  • Bodhi can now automatically detect whether to use DDL table locks if BDR is present during migrations (059b5ab7).

  • Locked updates now grey out the edit buttons with a tooltip to make the lock more obvious to the user (#1492).

  • Users can now do multi-line literal code blocks in comments (#1509).

  • The web UI now has more descriptive placeholder text (1a7122cd).

  • All icons now have consistent width in the web UI (6dfe6ff3).

  • The front page has a new layout (6afb6b07).

  • Bodhi is now able to use Pagure and PDC as sources for ACL and package information (59551861).

  • Bodhi’s configuration loader now validates all values and centralizes defaults. Thus, it is now possible to comment most of Bodhi’s settings file and achieve sane defaults. Some settings are still required, see the default production.ini file for documentation of all settings and their defaults. A few unused settings were removed (#1488, #1489, and 263b7b7f).

  • The web UI now displays the content type of the update (#1329).

  • Bodhi now has a new ci.required setting that defaults to False. If enabled. updates will gate based on Continuous Integration test results and will not proceed to updates-testing unless the tests pass (0fcb73f8).

  • Update builds are now sorted by NVR (#1441).

  • The backend code is reworked to allow gating on resultsdb data and requirement validation performance is improved (#1550).

  • Bodhi is now able to map distgit commits to Builds, which helps map CI results to Builds. There is a new bodhi-babysit-ci CLI that must be run periodically in cron if ci.required is True (ae01e5d1).


  • A half-hidden button is now fully visible on mobile devices (#1467).

  • The signing status is again visible on the update page (#1469).

  • The edit update form will not be presented to users who are not auth’d (#1521).

  • The CLI --autokarma flag now works correctly (#1378).

  • E-mail subjects are now shortened like the web UI titles (#882).

  • The override editing form is no longer displayed unless the user is logged in (#1541).

Development improvements

  • Several more modules now pass pydocstyle PEP-257 tests.

  • The development environment has a new bshell alias that sets up a usable Python shell, initialized for Bodhi.

  • Lots of warnings from the unit tests have been fixed.

  • The dev environment cds to the source folder upon vagrant ssh.

  • There is now a bfedmsg development alias to see fedmsgs.

  • A new bresetdb development alias will reset the database to the same state as when vagrant up completed.

  • Some unused code was removed (afe5bd8c).

  • Test coverage was raised significantly, from 85% to 88%.

  • The development environment now has httpie by default.

  • The default Vagrant memory was raised (#1588).

  • Bodhi now has a Jenkins Job Builder template for use with CentOS CI.

  • A new bdiff-cover development alias helps compare test coverage in current branch to the develop branch, and will alert the developer if there are any lines missing coverage.

Release contributors

The following developers contributed to Bodhi 2.8.0:

  • Ryan Lerch

  • Ralph Bean

  • Pierre-Yves Chibon

  • Matt Prahl

  • Martin Curlej

  • Adam Williamson

  • Kamil Páral

  • Clement Verna

  • Jeremy Cline

  • Matthew Miller

  • Randy Barlow



  • The bodhi CLI now supports editing an override. (#1049).

  • The Update model is now capable of being associated with different Build types (#1394).

  • The bodhi CLI now supports editing an update using the update alias. (#1409).

  • The web UI now uses Fedora 26 in its example text instead of Fedora 20 (ec0c619a).

  • The Build model is now polymorphic to support non-RPM content (#1393).


  • Correctly calculate days to stable for critical path updates (#1386).

  • Bodhi now logs some messages at info instead of error (#1412).

  • Only show openQA results since last update modification (#1435).

Development improvements

  • SQL queries are no longer logged by default.

  • fedmsgs are now viewable in the development environment.

  • There is a new test to ensure there is only one Alembic head.

  • There is a new bash alias, bteststyle, that runs the code style tests.

  • The BuildrootOverride model is now documented.

Release contributors

The following contributors submitted patches for Bodhi 2.7.0:

  • Clement Verna

  • Jeremy Cline

  • Bianca Nenciu

  • Caleigh Runge-Hottman

  • Adam Williamson

  • Robert Scheck

  • Ryan Lerch

  • Randy Barlow


This release focused on CLI authentication issues. One of the issues requires users to also update their python-fedora installation to at least 0.9.0.


  • The CLI is now able to appropriately handle expiring sessions (#1474).

  • The CLI now only prompts for a password when needed (PR#1500).

  • Don’t traceback if the user doesn’t use the --user flag (PR#1505).

Release contributors

The following contributors submitted patches for Bodhi 2.6.2:

  • Randy Barlow


This release fixes 4 issues with three commits.


  • Web requests now use the correct session for transactions (#1470, #1473).

  • fedmsgs are now converted to dictionaries before queuing (#1472).

  • Error messages are still logged if rolling back the transaction raises an Exception (#1475).

Release contributors

The following contributors submitted patches for Bodhi 2.6.1:

  • Jeremy Cline

  • Randy Barlow


Special instructions

  1. The database migrations have been trimmed in this release. To upgrade to this version of Bodhi from a version prior to 2.3, first upgrade to Bodhi 2.3, 2.4, or 2.5, run the database migrations, and then upgrade to this release.

  2. Bodhi cookies now expire, but cookies created before 2.6.0 will not automatically expire. To expire all existing cookies so that only expiring tickets exist, you will need to change authtkt.secret to a new value in your settings file.

Dependency adjustments

  • zope.sqlalchemy is no longer a required dependency (PR#1414).

  • WebOb is no longer a directly required dependency, though it is still indirectly required through pyramid.


  • The web UI footer has been restyled to fit better with the new theme (PR#1366).

  • A link to documentation has been added to the web UI footer (#1321).

  • The bodhi CLI now supports editing updates (#937).

  • The CLI’s USERNAME environment variable is now documented, and its --user flag is clarified (28dd380a).

  • The icons that we introduced in the new theme previously didn’t have titles. Consequently, a user might not have know what these icons meant. Now if a user hovers over these icons, they get a description of what they mean, for example: “This is a bugfix update” or “This update is in the critical path” (#1362).

  • Update pages with lots of updates look cleaner (#1351).

  • Update page titles are shorter now for large updates (#957).

  • Add support for alternate architectures to the MasherThread.wait_for_sync() (#1343).

  • Update lists now also include type icons next to the updates (5983d99c).

  • Testing updates use a consistent label color now (62330644).

  • openQA results are now displayed in the web ui (450dbafe).

  • Bodhi cookies now expire. There is a new authtkt.timeout setting that sets Bodhi’s session lifetime, defaulting to 1 day.


  • Comments that don’t carry karma don’t count as a user’s karma vote (#829).

  • The web UI now uses the update alias instead of the title so editors of large updates can click the edit button (#1161).

  • Initialize the bugtracker in main() instead of on import so that docs can be built without installing Bodhi (PR#1359).

  • Make the release graph easier to read when there are many datapoints (#1172).

  • Optimize the JavaScript that loads automated test results from ResultsDB (#983).

  • Bodhi’s testing approval comment now respects the karma reset event (#1310).

  • pop and copy now lazily load the configuration (#1423).

Development improvements

  • A new automated PEP-257 test has been introduced to enforce docblocks across the codebase. Converting the code will take some time, but the code will be expanded to fully support PEP-257 eventually. A few modules have now been documented.

  • Test coverage is now 84%.

  • The Vagrant environment now has vim with a simple vim config to make sure spaces are used instead of tabs (PR#1372).

  • The Package database model has been converted into a single-table inheritance model, which will aid in adding multi-type support to Bodhi. A new RpmPackage model has been added. (PR#1392).

  • The database initialization code is unified (e9a26042).

  • The base model class now has a helpful query property (8167f262).

  • .pyc files are now removed when running the tests in the dev environment (9e9adb61).

  • An unused inherited column has been dropped from the builds table (e8a95b12).

Release contributors

The following contributors submitted patches for Bodhi 2.6.0:

  • Jeremy Cline

  • Ryan Lerch

  • Clement Verna

  • Caleigh Runge-Hottman

  • Bianca Nenciu

  • Adam Williamson

  • Ankit Raj Ojha

  • Jason Taylor

  • Randy Barlow


Bodhi 2.5.0 is a feature and bugfix release.


  • The web interface now uses the Fedora Bootstrap theme. The layout of the update page has also been revamped to display the information about an update in a clearer manner. (#1313).

  • The bodhi CLI now has a --url flag that can be used to switch which Bodhi server it communicates with. The BODHI_URL environment can also be used to configure this flag.

  • The documentation has been reorganized.

  • The Python bindings are now documented.

  • Bodhi will now announce that karma has been reset to 0 when builds are added or removed from updates (6d6de4bc).

  • Bodhi will now announce that autokarma has been disabled when an update received negative karma (d3ccc579).

  • The docs theme is now Alabaster (57a80f42).

  • The Bodhi documentation now has a description of Bodhi on the landing page (#1322).

  • The REST API is now documented (#1323).

  • The client Python bindings can now accept a base_url that doesn’t end in a slash (1087939b).


  • The position of the Add Comment button is now the bottom right. (#902).

  • An unusuable --request flag has been removed from a CLI command (#1187).

  • The cursor is now a pointer when hovering over Releases button (#1296).

  • The number of days to stable is now correctly calculated on updates (#1305).

  • Fix a query regular expression so that Fedora update ids work (d5bec3fa).

  • Karma thresholds can now be set when autopush is disabled (#1033).

Development improvements

  • The Vagrant development environment automatically configures the BODHI_URL environment variable so that the client talks to the local server instead of production or staging.

  • Test coverage is up another percentage to 82%.

  • Bodhi is now PEP-8 compliant.

  • The development environment now displays all Python warnings once.

Release contributors

The following developers contributed to Bodhi 2.5.0:

  • Ryan Lerch

  • Trishna Guha

  • Jeremy Cline

  • Ankit Raj Ojha

  • Ariel O. Barria

  • Randy Barlow


Bodhi 2.4.0 is a feature and bugfix release.


  • The web interface now displays whether an update has autopush enabled (#999).

  • Autopush is now disabled on any update that receives authenticated negative karma (#1191).

  • Bodhi now links to Koji builds via TLS instead of plaintext (#1246).

  • Some usage examples have been added to the bodhi man page.

  • Bodhi’s server package has a new script called bodhi-clean-old-mashes that can recursively delete any folders with names that end in a dash followed by a string that can be interpreted as a float, sparing the newest 10 by lexigraphical sorting. This should help release engineers keep the Koji mashing folder clean.

  • There is now a bodhi.client.bindings module provided by the Bodhi client package. It contains Python bindings to Bodhi’s REST API.

  • The bodhi CLI now prints autokarma and thresholds when displaying updates.

  • bodhi-push now has a --version flag.

  • There are now man pages for bodhi-push and initialize_bodhi_db.


  • Users’ e-mail addresses will now be updated when they log in to Bodhi (#902).

  • The masher now tests for repomd.xml instead of the directory that contains it (#908).

  • Users can now only upvote an update once (#1018).

  • Only comment on non-autokarma updates when they meet testing requirements (#1009).

  • Autokarma can no longer be set to NULL (#1048).

  • Users can now be more fickle than ever about karma (#1064).

  • Critical path updates can now be free of past negative karma ghosts (#1065).

  • Bodhi now comments on non-autokarma updates after enough time has passed (#1094).

  • bodhi-push now does not crash when users abort a push (#1107).

  • bodhi-push now does not print updates when resuming a push (#1113).

  • Bodhi now says “Log in” and “Log out” instead of “Login” and “Logout” (#1146).

  • Bodhi now configures the Koji client to retry, which should help make the masher more reliable (#1201).

  • Bodhi is now compatible with Pillow-4.0.0 (#1262).

  • The bodhi cli no longer prints update JSON when setting the request (#1408195).

  • Bodhi’s signed handler now skips builds that were not assigned to a release.

  • The comps file is now cloned into an explicit path during mashing.

  • The buildsystem is now locked during login.

Development improvements

  • A great deal of tests were written for Bodhi. Test coverage is now up to 81% and is enforced by the test suite.

  • Bodhi’s server code is now PEP-8 compliant.

  • The docs now contain contribution guidelines.

  • The build system will now fail with a useful Exception if used without being set up.

  • The Vagrantfile is a good bit fancier, with hostname, dnf caching, unsafe but performant disk I/O, and more.

  • The docs now include a database schema image.

  • Bodhi is now run by systemd in the Vagrant guest.

  • The Vagrant environment now has several helpful shell aliases and a helpful MOTD to advertise them to developers.

  • The development environment now uses Fedora 25 by default.

  • The test suite is less chatty, as several unicode warnings have been fixed.

Dependency change

  • Bodhi server now depends on click for bodhi-push.

Release contributors

The following contributors submitted patches for Bodhi 2.4.0:

  • Trishna Guha

  • Patrick Uiterwijk

  • Jeremy Cline

  • Till Mass

  • Josef Sukdol

  • Clement Verna

  • andreas

  • Ankit Raj Ojha

  • Randy Barlow


Bodhi 2.3.3 converts koji auth to be done with krb5 and fixes one bug:

  • Use krb5 for koji (PR#1129).

  • Disable caching koji sessions during mashing process (PR#1134).

Thanks to Patrick Uiterwijk for contributing both of these commits!


Bodhi 2.3.2 is a bugfix release that addresses the following issues:

  • push.py now defaults to the current releases (#1071).

  • Fixed a typo in the masher in sending an ostree compose message (PR#1072).

  • Fixed a typo in looking up an e-mail template (#1073).

  • The fedmsg name is now passed explicitly (PR#1079).

  • The man page was corrected to state that builds should be comma separated (PR#1095).

  • Fixed a race condition between robosignatory and the signed handler (#1111).

  • Fix querying the updates for resumption in push.py (e7cb3f13).

  • push.py now prompts for the username if not given (abeca57e).

Release contributors

The following contributors authored patches for 2.3.2:

  • Patrick Uiterwijk

  • Randy Barlow


Bodhi 2.3.1 fixes #1067, such that edited updates now tag new builds into the pending_signing_tag instead of the pending_testing_tag. This is needed for automatic signing gating to work.


Bodhi 2.3.0 is a feature and bug fix release.


  • The package input field is now autofocused when creating new updates (PR#876).

  • Releases now have a pending_signing_tag (3fe3e219).

  • fedmsg notifications are now sent during ostree compositions (b972cad0).

  • Critical path updates will have autopush disabled if they receive negative karma (b1f71006).

  • The e-mail templates reference dnf for Fedora and yum for Enterprise Linux (1c1f2ab7).

  • Updates are now obsoleted if they reach the unstable threshold while pending (f033c74c).

  • Bodhi now gates Updates based on whether they are signed yet or not (PR#1011).


  • Candidate builds and bugs are no longer duplicated while searching (#897).

  • The Bugzilla connection is only initialized when needed (950eee2c).

  • A sorting issue was fixed on the metrics page so the data is presented correctly (487acaaf).

  • The Copyright date in the footer of the web interface is updated (1447b6c7).

  • Bodhi will comment with the required time instead of the elapsed time on updates (#1017).

  • Bodhi will only comment once to say that non-autopush updates have reached the threshold (#1009).

  • /masher/ is now allowed in addition to /masher for GET requests (cdb621ba).


Bodhi now depends on fedmsg-atomic-composer >= 2016.3, which addresses a few issues during mashing.

Development improvements

Bodhi 2.3.0 also has a few improvements to the development environment that make it easier to contribute to Bodhi or improve Bodhi’s automated tests:

  • Documentation was added to describe how to connect development Bodhi to staging Koji (7f3b5fa2).

  • An unused locked_date_for_update() method was removed (b87a6395).

  • The development.ini.example base_address was changed to localhost so requests would be allowed (0fd5901d).

  • The setup.py file has more complete metadata, making it more suitable for submission to PyPI (5c201ac2).

  • The #bodhi and #fedora-apps channels are now documented in the readme file (52093069).

  • A new test has been added to enforce PEP-8 style and a few modules have been converted to conform (bbafc9e6).

Release contributors

The following contributors authored patches for 2.3.0:

  • Josef Sukdol

  • Julio Faracco

  • Patrick Uiterwijk

  • Randy Barlow

  • Richard Fearn

  • Trishna Guha


This release fixes two issues:

  • #989, where Karma on non-autopush updates would reset the request to None.

  • #994, allowing Bodhi to be built on setuptools-28.


This release fixes #951, which prevented updates with large numbers of packages to be viewable in web browsers.


This is another in a series of bug fix releases for Bodhi this week. In this release, we’ve fixed the following issues:

  • Disallow comment text to be set to the NULL value in the database (#949).

  • Fix autopush on updates that predate the 2.2.0 release (#950).

  • Don’t wait on mashes when there aren’t any (68de510c).


Bodhi 2.2.1 is a bug fix release, primarily focusing on mashing issues:

  • Register date locked during mashing (#952).

  • UTF-8 encode the updateinfo before writing it to disk (#955).

  • Improved logging during updateinfo generation (#956).

  • Removed some unused code (07ff664f).

  • Fix some incorrect imports (9dd5bdbc and b1cc12ad).

  • Rely on self.skip_mash to detect when it is ok to skip a mash (ad65362e).


Bodhi 2.2.0 is a security and feature release, with a few bug fixes as well.


This update addresses CVE-2016-1000008 by disallowing the re-use of solved captchas. Additionally, the captcha is warped to make it more difficult to solve through automation. Thanks to Patrick Uiterwijk for discovering and reporting this issue.


  • Bodhi’s approve_testing.py script will now comment on updates when they have reached a stable karma threshold (5b0d1c7c).

  • The web interface now displays a push to stable button when the karma reaches the right level when autokarma is disabled (#772 and #796).

  • Masher messages now have an “agent”, so it is possible to tell which user ran the mash (45e4fc9f).

  • Locked updates now list the time they were locked (#831).

  • Bugs are closed and commented on in the same Bugzilla POST (#404).

  • Karma values equal to 0 are no longer displayed with a green background to better distinguish them from positive karma reports (#799).

  • Updates display a link to the feedback guidelines (#865).

  • The new CLI now has a man page (95574831).

  • The CLI now has a --version flag (#895).


  • Locked updates that aren’t part of a current push will now be pushed and warnings will be logged (bf4bdeef). This should help us to fix #838.

  • Don’t show users an option to push to stable on obsoleted updates (#848).

  • taskotron updates are shown per build, rather than per update (ce2394c6, 8e199668).

  • The Sphinx documentation now builds again (b3f80b1b).

  • Validator messages are now more useful and helpful (#630).

  • The Bodhi CLI no longer depends on the server code to function (#900).

  • Private bugs will no longer prevent the updates consumer from continuing (#905).

  • bootstrap is now included in the setuptools manifest for the server package (#919).

Commit log

The above lists are the highlights of what changed. For a full list of the changes since 2.1.8, please see the changelog.