Release notes


Bodhi 2.4.0 is a feature and bugfix release.


  • The web interface now displays whether an update has autopush enabled (#999).
  • Autopush is now disabled on any update that receives authenticated negative karma (#1191).
  • Bodhi now links to Koji builds via TLS instead of plaintext (#1246).
  • Some usage examples have been added to the bodhi man page.
  • Bodhi’s server package has a new script called bodhi-clean-old-mashes that can recursively delete any folders with names that end in a dash followed by a string that can be interpreted as a float, sparing the newest 10 by lexigraphical sorting. This should help release engineers keep the Koji mashing folder clean.
  • There is now a bodhi.client.bindings module provided by the Bodhi client package. It contains Python bindings to Bodhi’s REST API.
  • The bodhi CLI now prints autokarma and thresholds when displaying updates.
  • bodhi-push now has a --version flag.
  • There are now man pages for bodhi-push and initialize_bodhi_db.


  • Users’ e-mail addresses will now be updated when they log in to Bodhi (#902).
  • The masher now tests for repomd.xml instead of the directory that contains it (#908).
  • Users can now only upvote an update once (#1018).
  • Only comment on non-autokarma updates when they meet testing requirements (#1009).
  • Autokarma can no longer be set to NULL (#1048).
  • Users can now be more fickle than ever about karma (#1064).
  • Critical path updates can now be free of past negative karma ghosts (#1065).
  • Bodhi now comments on non-autokarma updates after enough time has passed (#1094).
  • bodhi-push now does not crash when users abort a push (#1107).
  • bodhi-push now does not print updates when resuming a push (#1113).
  • Bodhi now says “Log in” and “Log out” instead of “Login” and “Logout” (#1146).
  • Bodhi now configures the Koji client to retry, which should help make the masher more reliable (#1201).
  • Bodhi is now compatible with Pillow-4.0.0 (#1262).
  • The bodhi cli no longer prints update JSON when setting the request (#1408195).
  • Bodhi’s signed handler now skips builds that were not assigned to a release.
  • The comps file is now cloned into an explicit path during mashing.
  • The buildsystem is now locked during login.

Development improvements

  • A great deal of tests were written for Bodhi. Test coverage is now up to 81% and is enforced by the test suite.
  • Bodhi’s server code is now PEP-8 compliant.
  • The docs now contain contribution guidelines.
  • The build system will now fail with a useful Exception if used without being set up.
  • The Vagrantfile is a good bit fancier, with hostname, dnf caching, unsafe but performant disk I/O, and more.
  • The docs now include a database schema image.
  • Bodhi is now run by systemd in the Vagrant guest.
  • The Vagrant environment now has several helpful shell aliases and a helpful MOTD to advertise them to developers.
  • The development environment now uses Fedora 25 by default.
  • The test suite is less chatty, as several unicode warnings have been fixed.

Dependency change

  • Bodhi server now depends on click for bodhi-push.

Release contributors

The following contributors submitted patches for Bodhi 2.4.0:

  • Trishna Guha
  • Patrick Uiterwijk
  • Jeremy Cline
  • Till Mass
  • Josef Sukdol
  • Clement Verna
  • andreas
  • Ankit Raj Ojha
  • Randy Barlow


Bodhi 2.3.3 converts koji auth to be done with krb5 and fixes one bug:

  • Use krb5 for koji (#1129).
  • Disable caching koji sessions during mashing process (#1134).

Thanks to Patrick Uiterwijk for contributing both of these commits!


Bodhi 2.3.2 is a bugfix release that addresses the following issues:

  • now defaults to the current releases (#1071).
  • Fixed a typo in the masher in sending an ostree compose message (#1072).
  • Fixed a typo in looking up an e-mail template (#1073).
  • The fedmsg name is now passed explicitly (#1079).
  • The man page was corrected to state that builds should be comma separated (#1095).
  • Fixed a race condition between robosignatory and the signed handler (#1111).
  • Fix querying the updates for resumption in (e7cb3f13).
  • now prompts for the username if not given (abeca57e).

Release contributors

The following contributors authored patches for 2.3.2:

  • Patrick Uiterwijk
  • Randy Barlow


Bodhi 2.3.1 fixes #1067, such that edited updates now tag new builds into the pending_signing_tag instead of the pending_testing_tag. This is needed for automatic signing gating to work.


Bodhi 2.3.0 is a feature and bug fix release.


  • The package input field is now autofocused when creating new updates (#876).
  • Releases now have a pending_signing_tag (3fe3e219).
  • fedmsg notifications are now sent during ostree compositions (b972cad0).
  • Critical path updates will have autopush disabled if they receive negative karma (b1f71006).
  • The e-mail templates reference dnf for Fedora and yum for Enterprise Linux (1c1f2ab7).
  • Updates are now obsoleted if they reach the unstable threshold while pending (f033c74c).
  • Bodhi now gates Updates based on whether they are signed yet or not (#1011).


  • Candidate builds and bugs are no longer duplicated while searching (#897).
  • The Bugzilla connection is only initialized when needed (950eee2c).
  • A sorting issue was fixed on the metrics page so the data is presented correctly (487acaaf).
  • The Copyright date in the footer of the web interface is updated (1447b6c7).
  • Bodhi will comment with the required time instead of the elapsed time on updates (#1017).
  • Bodhi will only comment once to say that non-autopush updates have reached the threshold (#1009).
  • /masher/ is now allowed in addition to /masher for GET requests (cdb621ba).


Bodhi now depends on fedmsg-atomic-composer >= 2016.3, which addresses a few issues during mashing.

Development improvements

Bodhi 2.3.0 also has a few improvements to the development environment that make it easier to contribute to Bodhi or improve Bodhi’s automated tests:

  • Documentation was added to describe how to connect development Bodhi to staging Koji (7f3b5fa2).
  • An unused locked_date_for_update() method was removed (b87a6395).
  • The development.ini.example base_address was changed to localhost so requests would be allowed (0fd5901d).
  • The file has more complete metadata, making it more suitable for submission to PyPI (5c201ac2).
  • The #bodhi and #fedora-apps channels are now documented in the readme file (52093069).
  • A new test has been added to enforce PEP-8 style and a few modules have been converted to conform (bbafc9e6).

Release contributors

The following contributors authored patches for 2.3.0:

  • Josef Sukdol
  • Julio Faracco
  • Patrick Uiterwijk
  • Randy Barlow
  • Richard Fearn
  • Trishna Guha


This release fixes two issues:

  • #989, where Karma on non-autopush updates would reset the request to None.
  • #994, allowing Bodhi to be built on setuptools-28.


This release fixes #951, which prevented updates with large numbers of packages to be viewable in web browsers.


This is another in a series of bug fix releases for Bodhi this week. In this release, we’ve fixed the following issues:

  • Disallow comment text to be set to the NULL value in the database (#949).
  • Fix autopush on updates that predate the 2.2.0 release (#950).
  • Don’t wait on mashes when there aren’t any (68de510c).


Bodhi 2.2.1 is a bug fix release, primarily focusing on mashing issues:

  • Register date locked during mashing (#952).
  • UTF-8 encode the updateinfo before writing it to disk (#955).
  • Improved logging during updateinfo generation (#956).
  • Removed some unused code (07ff664f).
  • Fix some incorrect imports (9dd5bdbc and b1cc12ad).
  • Rely on self.skip_mash to detect when it is ok to skip a mash (ad65362e).


Bodhi 2.2.0 is a security and feature release, with a few bug fixes as well.


This update addresses CVE-2016-1000008 by disallowing the re-use of solved captchas. Additionally, the captcha is warped to make it more difficult to solve through automation. Thanks to Patrick Uiterwijk for discovering and reporting this issue.


  • Bodhi’s script will now comment on updates when they have reached a stable karma threshold (5b0d1c7c).
  • The web interface now displays a push to stable button when the karma reaches the right level when autokarma is disabled (#772 and #796).
  • Masher messages now have an “agent”, so it is possible to tell which user ran the mash (45e4fc9f).
  • Locked updates now list the time they were locked (#831).
  • Bugs are closed and commented on in the same Bugzilla POST (#404).
  • Karma values equal to 0 are no longer displayed with a green background to better distinguish them from positive karma reports (#799).
  • Updates display a link to the feedback guidelines (#865).
  • The new CLI now has a man page (95574831).
  • The CLI now has a --version flag (#895).


  • Locked updates that aren’t part of a current push will now be pushed and warnings will be logged (bf4bdeef). This should help us to fix #838.
  • Don’t show users an option to push to stable on obsoleted updates (#848).
  • taskotron updates are shown per build, rather than per update (ce2394c6, 8e199668).
  • The Sphinx documentation now builds again (b3f80b1b).
  • Validator messages are now more useful and helpful (#630).
  • The Bodhi CLI no longer depends on the server code to function (#900).
  • Private bugs will no longer prevent the updates consumer from continuing (#905).
  • bootstrap is now included in the setuptools manifest for the server package (#919).

Commit log

The above lists are the highlights of what changed. For a full list of the changes since 2.1.8, please see the changelog.