From 63ebcfebd8f10e650942ba4ed10a9104a3208254 Mon Sep 17 00:00:00 2001
From: Jonas Bardino
Date: Mon, 8 Jun 2026 12:29:23 +0200
Subject: [PATCH 1/3] Make pytest module installation optional and toggle it off unless using the development flavor as it has conflicts with TracTags and may or may not be affected by a medium severity local vulnerability (CVE-2025-71176) in the version pulled in during build.
---
 Dockerfile.rocky9 | 9 ++++++---
 development.env | 2 ++
 development_gdp.env | 2 ++
 doc/source/sections/configuration/variables.rst | 3 +++
 production.env | 2 ++
 5 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/Dockerfile.rocky9 b/Dockerfile.rocky9
index 9cf69caa..9cd3bd18 100755
--- a/Dockerfile.rocky9
+++ b/Dockerfile.rocky9
@@ -99,6 +99,7 @@ ARG ENABLE_JOBS=True
 ARG ENABLE_RESOURCES=True
 ARG ENABLE_EVENTS=True
 ARG ENABLE_GRAVATARS=True
+ARG ENABLE_PYTEST=False
 ARG ENABLE_SITESTATUS=True
 ARG STATUS_SYSTEM_MATCH="ANY"
 ARG ENABLE_FREEZE=False
@@ -834,9 +835,11 @@ RUN if [ "${WITH_PY3}" = "True" ]; then \
 pip3 install --no-cache-dir --prefix=$(python3-config --prefix) cracklib; \
 fi;
-# Module required to run pytests but conflicts with TracTags
-RUN if [ "${WITH_PY3}" = "True" ]; then \
- if [ -z "${TRAC_ADMIN_PATH}" ]; then \
+# Module for pytests but unwanted in production and conflicts with TracTags
+RUN if [ "${ENABLE_PYTEST}" = "True" ]; then \
+ if [ -n "${TRAC_ADMIN_PATH}" ]; then \
+ echo "*** TracTags is incompatible with pytest ***" ; exit 1; \
+ else \
 pip3 install --no-cache-dir pytest; \
 fi; \
 fi;
diff --git a/development.env b/development.env
index 88057770..09b1654b 100644
--- a/development.env
+++ b/development.env
@@ -111,6 +111,8 @@ ENABLE_EVENTS=True
 ENABLE_QUOTA=False
 ENABLE_ACCOUNTING=False
 ENABLE_GRAVATARS=True
+# Only enable pytest module in development
+ENABLE_PYTEST=True
 ENABLE_SITESTATUS=True
 STATUS_SYSTEM_MATCH=ANY
 ENABLE_FREEZE=True
diff --git a/development_gdp.env b/development_gdp.env
index bfc8f2a8..a83c33f3 100644
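Review bot: In the Dockerfile.rocky9 hunk at `@@ -834,9 +835,11 @@`, the kept line `pip3 install --no-cache-dir pytest; \` is still unpinned, so a development build installs whatever pytest release the index serves that day. Nothing in the Dockerfile then records whether that release falls under the CVE-2025-71176 concern named in the commit message. Consider pinning it, e.g. `pip3 install --no-cache-dir "pytest==${PYTEST_VERSION}"; \` with a new `ARG PYTEST_VERSION` (name constructed for this note) set to a release checked against the advisory. Separately, the rewritten outer test no longer checks `WITH_PY3`, so `ENABLE_PYTEST=True` reaches `pip3` regardless of that flag. If that combination is not meant to be supported, `RUN if [ "${ENABLE_PYTEST}" = "True" ] && [ "${WITH_PY3}" = "True" ]; then \` keeps the old guard.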
--- a/development_gdp.env
+++ b/development_gdp.env
@@ -111,6 +111,8 @@ ENABLE_EVENTS=False
 ENABLE_QUOTA=False
 ENABLE_ACCOUNTING=False
 ENABLE_GRAVATARS=False
+# Only enable pytest module in development
+ENABLE_PYTEST=True
 ENABLE_SITESTATUS=True
 STATUS_SYSTEM_MATCH=ANY
 ENABLE_FREEZE=False
diff --git a/doc/source/sections/configuration/variables.rst b/doc/source/sections/configuration/variables.rst
index 5f0e0a06..dccd863f 100644
--- a/doc/source/sections/configuration/variables.rst
+++ b/doc/source/sections/configuration/variables.rst
@@ -368,6 +368,9 @@ Variables
 * - ENABLE_GRAVATARS
 - True
 - Enables optional gravatar integration on user profiles of registered users
+ * - ENABLE_PYTEST
+ - False
+ - Enables optional pytest integration for self-test support e.g. during development
 * - ENABLE_SITESTATUS
 - True
 - Enable the built-in site status through the pop-up in the bottom right corner based on events authored in state/wwwpublic/status-events.json .
diff --git a/production.env b/production.env
index 3c8bfa3c..07932489 100644
--- a/production.env
+++ b/production.env
@@ -111,6 +111,8 @@ ENABLE_EVENTS=True
 ENABLE_QUOTA=False
 ENABLE_ACCOUNTING=False
 ENABLE_GRAVATARS=True
+# Only enable pytest module in development
+ENABLE_PYTEST=False
 ENABLE_SITESTATUS=True
 STATUS_SYSTEM_MATCH=ANY
 ENABLE_FREEZE=True
From c0979021ccd6a58752ac9e4c303bcc8c14460860 Mon Sep 17 00:00:00 2001
From: Jonas Bardino
Date: Mon, 8 Jun 2026 13:35:53 +0200
Subject: [PATCH 2/3] Add pytest to wordlist.
---
 .spellcheck-wordlist.txt | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.spellcheck-wordlist.txt b/.spellcheck-wordlist.txt
index b52232d2..5bf4e8a6 100644
--- a/.spellcheck-wordlist.txt
+++ b/.spellcheck-wordlist.txt
@@ -369,3 +369,5 @@ JupyterHub
 SSLProxyCACertificateFile
 ANTISLOWLORIS
 slowloris
+PYTEST
+pytest
From 58f11c1f5833c0fc3f3a30560dc77fa3140afbf9 Mon Sep 17 00:00:00 2001
From: Jonas Bardino
Date: Tue, 9 Jun 2026 16:28:49 +0200
Subject: [PATCH 3/3] Add missing exposure of ENABLE_PYTEST arg in section where it's used.
---
 Dockerfile.rocky9 | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Dockerfile.rocky9 b/Dockerfile.rocky9
index 9cd3bd18..245cf768 100755
--- a/Dockerfile.rocky9
+++ b/Dockerfile.rocky9
@@ -745,6 +745,7 @@ ARG WITH_PY3
 ARG MODERN_WSGIDAV
 ARG UPGRADE_PARAMIKO
 ARG ENABLE_CLOUD
+ARG ENABLE_PYTEST
 ARG OPENSTACKSDK_VERSION_OVERRIDE
 ARG TRAC_ADMIN_PATH