Armin Ronacher

Werkzeug 0.5.1 Released

written by Armin Ronacher, on Thursday, July 9, 2009 20:32.

I just released Version 0.5.1 of Werkzeug, the swiss army knife of Python web developers. Tons of bugfixes went into this release making it what 0.5 should have been: rock solid.

Grab it while it's hot from the python package index, read the changelog, or the documentation.

Comments

  1. Lovely!

    —  lericson on Thursday, July 9, 2009 21:16 #

  2. Thank you!

    —  Randy on Friday, July 10, 2009 1:25 #

  3. Thank you for your work. The most crucial part of my web-dev combo becomes better with every day. :)

    —  zgoda on Friday, July 10, 2009 7:00 #

  4. Hi,

    Could you please publish a .tar.gz package of it to pypi? It is much more convenient for packaging (in my case, in the OpenBSD ports system).

    -d

    PS. I hope there is a Zine release in the works too.

    —  djm on Sunday, July 12, 2009 8:48 #

  5. @4: I created the source dist from a windows machine where the zip file is the default. I will try to upload a .tar.gz as well.

    —  Armin Ronacher on Sunday, July 12, 2009 9:37 #

  6. Just to explain why: the .zip files do not seem to include file permissions, so some files default to being installed with mode 0666 - obviously not desirable.

    —  djm on Sunday, July 12, 2009 9:54 #

  7. @6: That will not change if I create tarballs. The core problem is that Windows uses ACLs instead of simple POSIX permissions and ACLs are not stored in Zip files.

    Not really sure how to fix that. Why do those archives include permissions at all?

    —  Armin Ronacher on Sunday, July 12, 2009 16:46 #

  8. @7 I don't know the answer to your question, but your .zip package of Werkzeug will unpack in such a way that the install will create files with mode 0666.

    I only noticed it because OpenBSD's packaging tools are paranoid to check for this case. Fortunately, none of the 0666 files are .py, so local privilege escalation by code execution doesn't seem possible but they could still be abused for other mischief (e.g. hiding from quota).

    Two ways to fix the problem would be to either build the package on a Unix system, or figure out how to get zip to not record permissions when it creates the archive - IIRC the Unix zip command has a -X option (or somesuch) that disables recording some extended information, maybe this is it?

    —  djm on Monday, July 13, 2009 13:05 #

  9. @8: I'll figure something out. Worst case is I'll release on my server or OS X notebook from now on.

    —  Armin Ronacher on Wednesday, July 15, 2009 8:22 #
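
The permission problem discussed in comments 6 to 9 can be checked on a source archive before it is uploaded. The following is an added example, not part of the original post, its comments, or Werkzeug's code; it generalizes to tarballs as well, and the function names and sample archives are constructed for illustration.

```python
import io
import stat
import tarfile
import zipfile


def audit_archive(data):
    """Map member name -> finding for entries an installer may create too loosely."""
    findings = {}
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # Unix-built zips keep st_mode in the high 16 bits of external_attr.
                mode = info.external_attr >> 16
                if mode == 0:
                    findings[info.filename] = "no POSIX mode recorded"
                elif mode & stat.S_IWOTH:
                    findings[info.filename] = "world-writable %04o" % (mode & 0o7777)
    else:
        with tarfile.open(fileobj=io.BytesIO(data)) as tf:
            for member in tf.getmembers():
                if member.mode & stat.S_IWOTH:
                    findings[member.name] = "world-writable %04o" % member.mode
    return findings


def sample_zip():
    """Constructed sample: one sane member, one 0666 member, one without a mode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, system, attr in (
            ("pkg/module.py", 3, (stat.S_IFREG | 0o644) << 16),
            ("pkg/data.txt", 3, (stat.S_IFREG | 0o666) << 16),
            ("pkg/README", 0, 0x20),  # DOS attribute byte only, no Unix mode
        ):
            info = zipfile.ZipInfo(name)
            info.create_system, info.external_attr = system, attr
            zf.writestr(info, "x\n")
    return buf.getvalue()


def sample_tar():
    """Constructed sample: a tarball carrying a single 0666 member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        info = tarfile.TarInfo("pkg/data.txt")
        info.mode, info.size = 0o666, 2
        tf.addfile(info, io.BytesIO(b"x\n"))
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("zip", sample_zip()), ("tar.gz", sample_tar())):
        print(label, audit_archive(blob))
```

Members reported as having no POSIX mode get whatever default the extracting tool applies, so they need the same review as members explicitly marked world-writable.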

  10. Armin, I have an idea/suggestion for Werkzeug.

    I'm using it as a debugging tool for my Django app and it works great, just like EvalException middleware I used in the past.

    Could you add an equivalent to Ian's PrintDebugMiddleware which intercepts print statements and then appends them to HTML served?

    —  Max Ischenko on Saturday, September 19, 2009 11:10 #

  11. @10: Already planned. The Debugger will be greatly improved and is moved into a separate package with the next release.

    —  Armin Ronacher on Wednesday, September 23, 2009 16:27 #
