CHANGES updated for ASF release 1.17.0

CHANGES

@@ -1,3 +1,83 @@
+Version 1.17.0  (June 2024)
+
+Upgrade Instructions
+
+  Run: `paster ensure_index development.ini` in Allura dir
+
+  To install updated dependencies, run:
+    pip install -r requirements.txt --no-deps --upgrade --upgrade-strategy=only-if-needed
+
+  If using docker, rebuild the allura image and restart containers.
+
+  To enable OAuth 2 with an existing .ini file, add: auth.oauth2.enabled = true
+
+  To switch to the new session cookie handling:
+    - add `session.jwt_secret_keys` to your .ini file, with a value generated by `python -c 'import secrets; print(secrets.token_hex());'`
+    - `session.type = cookie` is no longer used
+    - optionally `session.read_original_format = true` and rename `session.validate_key` to `session.original_format_validate_key` for backwards compatibility. Remove after a transition period
+    - optionally `session.write_original_format = true` if it takes a while to deploy all your code to multiple hosts/procs. Then remove once all processes have new code.
+
+Breaking Changes
+ * [#8556] deprecate has_access(..)() syntax.  Custom extensions using this syntax will need to remove the second ()
+
+Major Changes
+ * [#7272] Support for OAuth 2.0
+
+Security Improvements
+ * [#8526] improved session cookie handling security
+ * [#8536] improve |safe and Markup usage
+ * improve JS syntax and escaping
+ * [#8555] check blocked users better
+ * Python Package Upgrades
+
+SEO
+ * [#8527] discussion app display thread subject in header
+
+Code Repositories
+ * [#8529] support unicode in repo branch names
+
+Wiki
+ * [#8540] fix wiki page 'recent' sort
+
+Tickets
+ * [#8559] tickets API: better type handling
+ * fix username hover on ticket search results
+ * ticket's app titles should display current summary content
+
+General
+ * [#8533] switch python email 'policy' for better line length handling
+ * [#8537] a few JS performance improvements
+ * [#8558] user email changes not getting into solr
+ * keep flash messages more visible
+ * Hide activitystream entries whose corresponding object has been deleted
+ * fully delete history snapshots when deleting artifacts (incl remove from solr)
+ * in password reset, also try lowercasing the email to see if that matches
+
+Admin
+ * support overlapping admin urls, if a tool is installed with "groups" mount point
+ * make active notifications easier to see in the list
+
+Performance
+ * use $regex instead of re.compile in mongo queries, so it uses indexes properly.  Maybe fixed in current mongo versions https://jira.mongodb.org/browse/SERVER-26991
+ * add user_id index to oauth collections
+
+For Developers
+ * [#8528] improve allura.command_init
+ * [#8532] [#8539] improve ruff checks
+ * [#8534] set up github codeql
+ * [#8538] Slight tweak to timeline helper methods
+ * code cleanup using autopep8
+ * Ignore .vscode settings folder
+ * make it easier to change order of sidebar items w/ the AdminExtension
+ * make ldap_conn() be a context manager, so unbind_s can be run automatically
+ * add conftest.py that mocks out tg context
+ * restore c.project.notifications_disabled after a task (can matter in tests)
+ * remove some old six.PY3 checks
+ * update RAT config to work with 0.16
+ * better --profile behavior for scripts, add option for outputfile
+ * remove i18n, only was used a tiny bit in templates
+
+
 Version 1.16.0  (November 2023)
 
 Upgrade Instructions