Merge pull request #31 from guardian/merge-0.14.0

Merge freedomofpress 0.14.0

.github/ISSUE_TEMPLATE/proposal.md

@@ -0,0 +1,39 @@
+---
+name: Technical proposal
+about: propose a major technical or architectural change
+
+---
+
+<!--Use this template to help kickstart discussions of specific technical and architectural proposals. It's OK to be unclear about who should be involved or even what to propose to solve the problem under discussion.-->
+
+## Proposal:
+
+### Affected components
+<!--Which system components are (probably) in scope? (list as many as make sense)
+    - SecureDrop Server
+    - SecureDrop Workstation
+    - SecureDrop Client
+    - Don't know
+    -->
+
+### People and roles
+<!--Tag people who should be involved in this proposal.-->
+
+### Problem Statement
+<!--Describe the problem that needs solving, or the architectural change that you'd like to see.-->
+
+### Solution impact
+<!--If we do solve this problem, what impact does it have, and for who?-->
+
+### Requirements and constraints
+<!--What requirements would a solution to the problem above have to satisfy? What existing technical constraints would affect potential solutions?-->
+
+### Exploration
+<!--Provide more context for the problem and potential solutions. (OK to leave blank if you want more group input.)-->
+
+### Initial proposal
+<!-- If you have one, propose a solution to the problem. (OK to leave blank, OK to duplicate this section in future edits with alternative proposals.) -->
+
+### Selected proposal
+<!--Leave blank for now - this section will record the agreed-upon solution to the problem.-->
+

.github/workflows/build.yml

@@ -7,7 +7,7 @@ on:
 # Only build for latest push/PR unless it's main or release/
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: ${{ github.ref != 'refs/heads/main' && !startsWith( github.ref, 'refs/heads/release/' ) }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' && !startsWith( github.ref, 'refs/heads/release/' ) && !startsWith( github.ref, 'refs/heads/gh-readonly-queue/' ) }}
 
 defaults:
   run:

.github/workflows/cargo-vet.yml

@@ -9,14 +9,14 @@ on:
 # Only build for latest push/PR unless it's main or release/
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: ${{ github.ref != 'refs/heads/main' && !startsWith( github.ref, 'refs/heads/release/' ) }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' && !startsWith( github.ref, 'refs/heads/release/' ) && !startsWith( github.ref, 'refs/heads/gh-readonly-queue/' ) }}
 
 jobs:
   cargo-vet:
     name: Vet Dependencies
     runs-on: ubuntu-latest
     # Keep version in sync with rust-toolchain.toml
-    container: rust:1.78.0
+    container: rust:1.81.0
     env:
       CARGO_VET_VERSION: 0.9.0
     steps:

.github/workflows/ci.yml

@@ -7,7 +7,7 @@ on:
 # Only build for latest push/PR unless it's main or release/
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: ${{ github.ref != 'refs/heads/main' && !startsWith( github.ref, 'refs/heads/release/' ) }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' && !startsWith( github.ref, 'refs/heads/release/' ) && !startsWith( github.ref, 'refs/heads/gh-readonly-queue/' ) }}
 
 defaults:
   run:
@@ -105,7 +105,7 @@ jobs:
   rust:
     runs-on: ubuntu-latest
     # Keep version in sync with rust-toolchain.toml
-    container: rust:1.78.0
+    container: rust:1.81.0
     steps:
       - uses: actions/checkout@v4
       - name: Configure Qubes repository

.github/workflows/sdk.yml

@@ -7,7 +7,7 @@ on:
 # Only build for latest push/PR unless it's main or release/
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: ${{ github.ref != 'refs/heads/main' && !startsWith( github.ref, 'refs/heads/release/' ) }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' && !startsWith( github.ref, 'refs/heads/release/' ) && !startsWith( github.ref, 'refs/heads/gh-readonly-queue/' ) }}
 
 defaults:
   run:

.github/workflows/security.yml

@@ -7,7 +7,7 @@ jobs:
   rust-audit:
     runs-on: ubuntu-latest
     # Keep version in sync with rust-toolchain.toml
-    container: rust:1.78.0
+    container: rust:1.81.0
     steps:
       - uses: actions/checkout@v4
       - name: Check Rust dependencies

.github/workflows/test.yml

@@ -7,7 +7,7 @@ on:
 # Only build for latest push/PR unless it's main or release/
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: ${{ github.ref != 'refs/heads/main' && !startsWith( github.ref, 'refs/heads/release/' ) }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' && !startsWith( github.ref, 'refs/heads/release/' ) && !startsWith( github.ref, 'refs/heads/gh-readonly-queue/' ) }}
 
 defaults:
   run:
@@ -43,7 +43,7 @@ jobs:
         if: ${{ matrix.component == 'proxy' }}
       - uses: actions/checkout@v4
       # Install Rust, keep in sync with rust-toolchain.toml
-      - uses: dtolnay/rust-toolchain@1.78.0
+      - uses: dtolnay/rust-toolchain@1.81.0
         if: ${{ matrix.component == 'proxy' }}
       - name: Install dependencies
         run: |

Makefile

@@ -48,6 +48,7 @@ safety:  ## Run safety dependency checks on build dependencies
 		--ignore 67895 \
 		--ignore 70612 \
 		--ignore 71591 \
+		--ignore 74735 \
  		-r
 
 .PHONY: shellcheck

changelog.md

@@ -1,5 +1,26 @@
 # Changelog
 
+## 0.14.0
+
+* Add support for selecting and deleting multiple sources (#2208, #2188, #2230, #2252, #2293, #2299, #2300)
+* Use builtin `venv` module instead of `virtualenv` (#2246)
+* Improve logging of API failures (#2245)
+* Improve client keyboard shortcuts handling (#2209)
+* Fix client crash when a source with an in-progress download is deleted (#2217)
+* Improve exception handling for download failures (#2275, #2276)
+* Add French language support (#2283)
+* Updated multiple dependencies (#2253, #2267, #2214, #2210, #2211)
+
+* Internal and development
+  * Switch securedrop-client package Architecture to "any" (#2178)
+  * Have `run.sh` automatically emit full debug logs (#2198)
+  * Have `make build-debs` print tag signature, if any (#2205)
+  * Upgrade Rust toolchain to 1.81.0 (#2215)
+  * Fixes to SD test cassettes (#2225)
+  * Re-enable `ruff` for files in proxy/ (#2234)
+  * Don't have CI cancel GitHub merge queue jobs (#2235)
+  * Updated multiple dependencies (#2280, #2181, #2183)
+
 ## 0.13.2
 
 * Don't let Range header persist into other requests (#2195)
@@ -12,7 +33,7 @@
 * Broaden printing support to all filetypes supported by LibreOffice (#2166)
 * Display an error message if user tries to print an unprintable file type (#2166)
 * Use single PrintDialog GUI element for all print actions (#2143)
-* Remove unused _from_string methods from SDK (#2144)
+* Remove unused `_from_string` methods from SDK (#2144)
 * Update build toolchain and `setuptools` for CVE-2024-6345 (#2136, [securedrop-builder#501](https://github.com/freedomofpress/securedrop-builder/pull/501))
 * Update `ruff` to 0.5.4 (#2138)
 

client/.semgrep/custom-rules.yml

@@ -180,3 +180,11 @@ rules:
     # Forbid any other use of assert
     - pattern-regex: |
         assert.*
+
+- id: enforce-setshortcut-style
+  patterns:
+    - pattern-not-regex: setShortcut\(Shortcuts\.(.*?)\)
+    - pattern-regex: setShortcut\((.*?)\)
+  message: "Use Shortcuts enum to register shortcuts"
+  languages: [python]
+  severity: WARNING

client/MANIFEST.in

@@ -29,5 +29,6 @@ prune securedrop_client/locale
 #     graft securedrop_client/locale/$LANG
 #
 # Please keep this list alphabetized.
+graft securedrop_client/locale/fr
 graft securedrop_client/locale/pt_PT
 graft securedrop_client/locale/zh_Hans