Initial Update

[pyup-bot]

This is my first visit to this fine repo so I have bundled all updates in a single pull request to make things easier for you to merge.

Close this pull request and delete the branch if you want me to start with single pull requests right away

Here's the executive summary:

Updates

Here's a list of all the updates bundled in this pull request. I've added some links to make it easier for you to find all the information you need.

gevent	1.1rc1	»	1.2.1	PyPI | Changelog | Homepage
gunicorn	19.4.1	»	19.7.1	PyPI | Changelog | Homepage
boto	2.38.0	»	2.46.1	PyPI | Changelog | Repo
django-storages-redux	1.3	»	1.3.2	PyPI | Changelog | Repo
django-mailgun	0.8.0	»	0.9.1	PyPI | Repo
wheel	0.26.0	»	0.29.0	PyPI | Changelog | Repo
django	1.9.5	»	1.10.6	PyPI | Changelog | Homepage
django-environ	0.4.0	»	0.4.1	PyPI | Repo
whitenoise	3.0	»	3.3.0	PyPI | Changelog | Homepage
django-braces	1.8.1	»	1.11.0	PyPI | Changelog | Repo
django-crispy-forms	1.6.0	»	1.6.1	PyPI | Changelog | Repo
django-floppyforms	1.6.1	»	1.7.0	PyPI | Changelog | Repo
django-model-utils	2.4	»	2.6.1	PyPI | Changelog | Repo
Pillow	3.2.0	»	4.0.0	PyPI | Changelog | Homepage
django-allauth	0.25.2	»	0.31.0	PyPI | Changelog | Repo
psycopg2	2.6.1	»	2.7.1	PyPI | Changelog | Homepage | Docs
pytz	2016.3	»	2016.10	PyPI | Homepage | Docs
django-redis	4.4.1	»	4.7.0	PyPI | Changelog | Repo
celery	3.1.23	»	4.0.2	PyPI | Changelog | Homepage | Docs
django-taggit	0.18.1	»	0.22.0	PyPI | Changelog | Repo
dropbox	6.1	»	7.2.1	PyPI | Homepage
django-filter	0.13.0	»	1.0.2	PyPI | Changelog | Repo
djangorestframework	3.3.3	»	3.6.2	PyPI | Changelog | Homepage
coverage	4.0.3	»	4.3.4	PyPI | Changelog | Docs
coverage	4.0.3	»	4.3.4	PyPI | Changelog | Docs
Sphinx	1.4.1	»	1.5.3	PyPI | Changelog | Homepage
django-extensions	1.6.1	»	1.7.7	PyPI | Changelog | Repo | Docs
Werkzeug	0.11.5	»	0.12.1	PyPI | Changelog | Homepage
django-test-plus	1.0.12	»	1.0.17	PyPI | Changelog | Repo
django-test-plus	1.0.12	»	1.0.17	PyPI | Changelog | Repo
factory-boy	2.6.1	»	2.8.1	PyPI | Repo
factory-boy	2.6.1	»	2.8.1	PyPI | Repo
django-debug-toolbar	1.4	»	1.7	PyPI | Changelog | Repo
ipdb	0.9.1	»	0.10.2	PyPI | Changelog | Repo
fabric	1.11.1	»	1.13.1	PyPI | Homepage
pytest	2.9.1	»	3.0.7	PyPI | Changelog | Homepage
pytest-pythonpath	0.7	»	0.7.1	PyPI | Repo
pytest-cov	2.2.1	»	2.4.0	PyPI | Changelog | Repo
pytest-django	2.9.1	»	3.1.2	PyPI | Changelog | Docs
django-coverage-plugin	1.3	»	1.5.0	PyPI | Repo
flake8	2.5.4	»	3.3.0	PyPI | Repo

Changelogs

gevent 1.1rc1 -> 1.2.1

1.2.1

==================

• CI services now test on 3.6.0.
• Windows: Provide socket.socketpair for all Python 3 versions.
  This was added to Python 3.5, but tests were only added in 3.6.
  (For versions older than 3.4 this is a gevent extension.) Previously
  this was not supported on any Python 3 version.
• Windows: List subprocess.STARTUPINFO in subprocess.__all__
  for 3.6 compatibility.
• The _DummyThread objects created by calling
  :func:threading.current_thread from inside a raw
  :class:greenlet.greenlet in a system with monkey-patched
  threading now clean up after themselves when the
  greenlet dies (:class:gevent.Greenlet-based _DummyThreads have
  always cleaned up). This requires the use of a :class:weakref.ref
  (and may not be timely on PyPy).
  Reported in :issue:918 by frozenoctobeer.
• Build OS X wheels with -D_DARWIN_FEATURE_CLOCK_GETTIME=0 for
  compatibility with OS X releases before 10.12 Sierra. Reported by
  Ned Batchelder in :issue:916.

1.2.0

==================

• The c-ares DNS resolver ignores bad flags to getnameinfo, like the
  system resolver does. Discovered when cleaning up the DNS resolver
  tests to produce more reliable results. See :issue:774.

1.2a2

===================

• Update libev to version 4.23.
• Allow the MAKE environment variable to specify the make command
  on non-Windows systems for ease of development on BSD systems where
  make is BSD make and gmake is GNU make (gevent requires GNU
  make). See :issue:888.
• Let :class:gevent.server.StreamServer accept an SSLContext on
  Python versions that support it. Added in :pr:904 by Arcadiy Ivanov.

1.2a1

====================

Incompatible Changes

• Support for Python 2.6 has been removed. See :pr:766.
• Remove module gevent.coros which was replaced by gevent.lock
  and has been deprecated since 1.0b2.
• The internal implementation modules gevent.corecext and
  gevent.corecffi have been moved. Please import from
  gevent.core instead; this has always been the only documented place to
  import from.

Libraries and Installation

• Update libev to version 4.22 (was 4.20).
• Update tblib to 1.3.0.
• Update Cython to 0.25 (was 0.23.5).
• Update c-ares to version 1.12.0 (was 1.10.0) (release notes <https://c-ares.haxx.se/changelog.html>_).
• For the benefit of downstream package maintainers, gevent is now
  tested with c-ares and libev linked dynamically and not embedded
  (i.e., using the system libraries). However, only the versions
  shipped with gevent are tested and known to work.
• The repository directory layout has been changed to make it easier
  to include third-party dependencies. Likewise, the setup.py script
  has been split to make it easier to build third-party dependencies.
• PyPy/CFFI: The corecffi native extension is now only built at
  installation time. Previously, if it wasn't available, a build was
  attempted at every import. This could lead to scattered "gevent"
  directories and undependable results.
• setuptools is now required at build time on all platforms.
  Previously it was only required for Windows and PyPy.
• POSIX: Don't hardcode /bin/sh into the configuration command
  line, instead relying on sh being on the PATH, as
  recommended by the standard <http://pubs.opengroup.org/onlinepubs/9699919799/utilities/sh.html>_.
  Fixed in :pr:809 by Fredrix Fornwall.

Security

• :mod:gevent.pywsgi now checks that the values passed to
  start_response do not contain a carriage return or newline in
  order to prevent HTTP response splitting (header injection), raising
  a :exc:ValueError if they do. See :issue:775.
• Incoming headers containing an underscore are no longer placed in
  the WSGI environ. See :issue:819.
• Errors logged by :class:~gevent.pywsgi.WSGIHandler no
  longer print the entire WSGI environment by default. This avoids
  possible information disclosure vulnerabilities. Applications can
  also opt-in to a higher security level for the WSGI environment if they
  choose and their frameworks support it. Originally reported
  in :pr:779 by sean-peters-au and changed in :pr:781.

Platforms

• As mentioned above, Python 2.6 is no longer supported.
• Python 3.6 is now tested on POSIX platforms. This includes a few
  notable changes:

• SSLContext.wrap_socket accepts the session parameter, though
  this parameter isn't useful prior to 3.6.
• SSLSocket.recv(0) or read(0) returns an empty byte string. This is
  a fix for Python bug 23804 <http://bugs.python.org/issue23804>_
  which has also been merged into Python 2.7 and Python 3.5.

• PyPy3 5.5.0 alpha (supporting Python 3.3.5) is now tested and passes the
  test suite. Thanks to btegs for :issue:866, and Fabio Utzig for :pr:826.
  Note that PyPy3 is not optimized for performance either by the PyPy
  developers or under gevent, so it may be significantly slower than PyPy2.

Stdlib Compatibility

• The modules :mod:gevent.os, :mod:gevent.signal and
  :mod:gevent.select export all the attributes from their
  corresponding standard library counterpart.
• Python 2: reload(site) no longer fails with a TypeError if
  gevent has been imported. Reported in :issue:805 by Jake Hilton.
• Python 2: sendall on a non-blocking socket could spuriously fail
  with a timeout.

select/poll

• If :func:gevent.select.select is given a negative timeout
  argument, raise an exception like the standard library does.
• If :func:gevent.select.select is given closed or invalid
  file descriptors in any of its lists, raise the appropriate
  EBADF exception like the standard library does. Previously,
  libev would tend to return the descriptor as ready. In the worst
  case, this adds an extra system call, but may also reduce latency if
  descriptors are ready at the time of entry.
• :class:selectors.SelectSelector is properly monkey-patched
  regardless of the order of imports. Reported in :issue:835 by
  Przemysław Węgrzyn.
• :meth:gevent.select.poll.unregister raises an exception if fd is not
  registered, like the standard library.
• :meth:gevent.select.poll.poll returns an event with
  POLLNVAL for registered fds that are invalid. Previously it
  would tend to report both read and write events.

File objects

• FileObjectPosix exposes the read1 method when in read mode,
  and generally only exposes methods appropriate to the mode it is in.
• FileObjectPosix supports a bufsize of 0 in binary write modes.
  Reported in :issue:840 by Mike Lang.
• Python 3: :meth:gevent.socket.connect_ex was letting
  BlockingIOError (and possibly others) get raised instead of
  returning the errno due to the refactoring of the exception
  hierarchy in Python 3.3. Now the errno is returned. Reported in
  :issue:841 by Dana Powers.

Other Changes

• :class:~.Group and :class:~.Pool now return whether
  :meth:~.Group.join returned with an empty group. Suggested by Filippo Sironi in
  :pr:503.
• Unhandled exception reports that kill a greenlet now include a
  timestamp. See :issue:137.
• :class:~.PriorityQueue now ensures that an initial items list is a
  valid heap. Fixed in :pr:793 by X.C.Dong.
• :class:gevent.hub.signal (aka :func:gevent.signal) now verifies
  that its handler argument is callable, raising a :exc:TypeError
  if it isn't. Reported in :issue:818 by Peter Renström.
• If sys.stderr has been monkey-patched (not recommended),
  exceptions that the hub reports aren't lost and can still be caught.
  Reported in :issue:825 by Jelle Smet.
• The :func:gevent.os.waitpid function is cooperative in more
  circumstances. Reported in :issue:878 by Heungsub Lee.
• The various FileObject implementations are more consistent with
  each other. Note: Writing to the io property of a FileObject should be
  considered deprecated.
• Timeout exceptions (and other asynchronous exceptions) could cause
  the BackdoorServer to fail to properly manage the
  stdout/stderr/stdin values. Reported with a patch in :pr:874 by
  stefanmh.
• The BackDoorServer now tracks spawned greenlets (connections) and
  kills them in its stop method.

Servers

- Default to AF_INET6 when binding to all addresses (e.g.,
 ""). This supports both IPv4 and IPv6 connections (except on
 Windows). Original change in :pr:`495` by Felix Kaiser.
- pywsgi/performance: Chunks of data the application returns are no longer copied
 before being sent to the socket when the transfer-encoding is
 chunked, potentially reducing overhead for large responses.

Threads

- Add :class:`gevent.threadpool.ThreadPoolExecutor` (a
 :class:`concurrent.futures.ThreadPoolExecutor` variant that always
 uses native threads even when the system has been monkey-patched)
 on platforms that have ``concurrent.futures``
 available (Python 3 and Python 2 with the ``futures`` backport
 installed). This is helpful for, e.g., grpc. Reported in
 :issue:`786` by Markus Padourek.
- Native threads created before monkey-patching threading can now be
 joined. Previously on Python < 3.4, doing so would raise a
 ``LoopExit`` error. Reported in :issue:`747` by Sergey Vasilyev.

SSL

- On Python 2.7.9 and above (more generally, when the SSL backport is
 present in Python 2), :func:`gevent.ssl.get_server_certificate`
 would raise a :exc:`ValueError` if the system wasn't monkey-patched.
 Reported in :issue:`801` by Gleb Dubovik.
- On Python 2.7.9 and Python 3, closing an SSL socket in one greenlet
 while it's being read from or written to in a different greenlet is
 less likely to raise a :exc:`TypeError` instead of a
 :exc:`ValueError`. Reported in :issue:`800` by Kevin Chen.

subprocess module

• Setting SIGCHLD to SIG_IGN or SIG_DFL after :mod:gevent.subprocess
  had been used previously could not be reversed, causing
  Popen.wait and other calls to hang. Now, if SIGCHLD has been
  ignored, the next time :mod:gevent.subprocess is used this will be
  detected and corrected automatically. (This potentially leads to
  issues with :func:os.popen on Python 2, but the signal can always
  be reset again. Mixing the low-level process handling calls,
  low-level signal management and high-level use of
  :mod:gevent.subprocess is tricky.) Reported in :issue:857 by
  Chris Utz.
• Popen.kill and send_signal no longer attempt to send signals
  to processes that are known to be exited.

Several backwards compatible updates to the subprocess module have
been backported from Python 3 to Python 2, making
:mod:gevent.subprocess smaller, easier to maintain and in some cases
safer.

• Popen objects can be used as context managers even on Python 2. The
  high-level API functions (call, etc) use this for added safety.
• The :mod:gevent.subprocess module now provides the
  :func:gevent.subprocess.run function in a cooperative way even
  when the system is not monkey patched, on all supported versions of
  Python. (It was added officially in Python 3.5.)
• Popen objects save their args attribute even on Python 2.
• :exc:gevent.subprocess.TimeoutExpired is defined even on Python 2,
  where it is a subclass of the :exc:gevent.timeout.Timeout
  exception; all instances where a Timeout exception would
  previously be thrown under Python 2 will now throw a
  TimeoutExpired exception.
• :func:gevent.subprocess.call (and check_call) accepts the
  timeout keyword argument on Python 2. This is standard on Python
  3, but a gevent extension on Python 2.
• :func:gevent.subprocess.check_output accepts the timeout and
  input arguments on Python 2. This is standard on Python 3, but a
  gevent extension on Python 2.

1.1.2

====================

• Python 2: sendall on a non-blocking socket could spuriously fail
  with a timeout.
• If sys.stderr has been monkey-patched (not recommended),
  exceptions that the hub reports aren't lost and can still be caught.
  Reported in :issue:825 by Jelle Smet.
• :class:selectors.SelectSelector is properly monkey-patched
  regardless of the order of imports. Reported in :issue:835 by
  Przemysław Węgrzyn.
• Python 2: reload(site) no longer fails with a TypeError if
  gevent has been imported. Reported in :issue:805 by Jake Hilton.

1.1.1

===================

• Nested callbacks that set and clear an Event no longer cause
  wait to return prematurely. Reported in :issue:771 by Sergey
  Vasilyev.
• Fix build on Solaris 10. Reported in :issue:777 by wiggin15.
• The ref parameter to :func:gevent.os.fork_and_watch was being ignored.
• Python 3: :class:gevent.queue.Channel is now correctly iterable, instead of
  raising a :exc:TypeError.
• Python 3: Add support for :meth:socket.socket.sendmsg,
  :meth:socket.socket.recvmsg and :meth:socket.socket.recvmsg_into
  on platforms where they are defined. Initial :pr:773 by Jakub
  Klama.

1.1.0

===================

• Python 3: A monkey-patched :class:threading.RLock now properly
  blocks (or deadlocks) in acquire if the default value for
  timeout of -1 is used (which differs from gevent's default of
  None). The acquire method also raises the same :exc:ValueError
  exceptions that the standard library does for invalid parameters.
  Reported in :issue:750 by Joy Zheng.
• Fix a race condition in :class:~gevent.event.Event that made it
  return False when the event was set and cleared by the same
  greenlet before allowing a switch to already waiting greenlets. (Found
  by the 3.4 and 3.5 standard library test suites; the same as Python
  bug 13502_. Note that the Python 2 standard library still has this
  race condition.)
• :class:~gevent.event.Event and :class:~.AsyncResult now wake
  waiting greenlets in the same (unspecified) order. Previously,
  AsyncResult tended to use a FIFO order, but this was never
  guaranteed. Both classes also use less per-instance memory.
• Using a :class:~logging.Logger as a :mod:pywsgi error or request
  log stream no longer produces extra newlines. Reported in
  :issue:756 by ael-code.
• Windows: Installing from an sdist (.tar.gz) on PyPI no longer
  requires having Cython installed first. (Note that the binary installation
  formats (wheels, exes, msis) are preferred on Windows.) Reported in
  :issue:757 by Ned Batchelder.
• Issue a warning when :func:~gevent.monkey.patch_all is called with
  os set to False (not the default) but signal is still True
  (the default). This combination of parameters will cause signal
  handlers for SIGCHLD to not get called. In the future this might
  raise an error. Reported by Josh Zuech.
• Issue a warning when :func:~gevent.monkey.patch_all is called more
  than once with different arguments. That causes the cumulative set of all True
  arguments to be patched, which may cause unexpected results.
• Fix returning the original values of certain threading
  attributes from :func:gevent.monkey.get_original.

.. _bug 13502: http://bugs.python.org/issue13502

1.1rc5

=====================

• SSL: Attempting to send empty data using the
  :meth:~socket.socket.sendall method of a gevent SSL socket that has
  a timeout now returns immediately (like the standard library does),
  instead of incorrectly raising :exc:ssl.SSLEOFError. (Note that
  sending empty data with the :meth:~socket.socket.send
  method does raise SSLEOFError in
  both gevent and the standard library.) Reported in :issue:719 by
  Mustafa Atik and Tymur Maryokhin, with a reproducible test case
  provided by Timo Savola.

1.1rc4

=====================

• Python 2: Using the blocking API at import time when multiple
  greenlets are also importing should not lead to LoopExit.
  Reported in :issue:728 by Garrett Heel.
• Python 2: Don't raise :exc:OverflowError when using the readline
  method of the WSGI input stream without a size hint or with a large
  size hint when the client is uploading a large amount of data. (This
  only impacted CPython 2; PyPy and Python 3 already handled this.)
  Reported in :issue:289 by ggjjlldd, with contributions by Nathan
  Hoad.
• :class:~gevent.baseserver.BaseServer and its subclasses like
  :class:~gevent.pywsgi.WSGIServer avoid allocating a new closure for
  each request, reducing overhead.
• Python 2: Under 2.7.9 and above (or when the PEP 466 SSL interfaces
  are available), perform the same hostname validation that the
  standard library does; previously this was skipped. Also,
  reading, writing, or handshaking a closed
  :class:~ssl.SSLSocket now raises the same :exc:ValueError
  the standard library does, instead of an :exc:AttributeError.
  Found by updating gevent's copy of the standard library test cases.
  Initially reported in :issue:735 by Dmitrij D. Czarkoff.
• Python 3: Fix :meth:~ssl.SSLSocket.unwrap and SNI callbacks.
  Also raise the correct exceptions for unconnected SSL sockets and
  properly validate SSL hostnames. Found via updated standard library
  tests.
• Python 3: Add missing support for :meth:socket.socket.sendfile. Found via updated
  standard library tests.
• Python 3.4+: Add missing support for
  :meth:socket.socket.get_inheritable and
  :meth:~socket.socket.set_inheritable. Found via updated standard
  library tests.

1.1rc3

=====================

• Python 2: Support the new PEP 466 :mod:ssl interfaces on any Python 2
  version that supplies them, not just on the versions it officially
  shipped with. Some Linux distributions, including RedHat/CentOS and
  Amazon have backported the changes to older versions. Reported in
  :issue:702.
• PyPy: An interaction between Cython compiled code and the garbage
  collector caused PyPy to crash when a previously-allocated Semaphore
  was used in a __del__ method, something done in the popular
  libraries requests and urllib3. Due to this and other Cython
  related issues, the Semaphore class is no longer compiled by Cython
  on PyPy. This means that it is now traceable and not exactly as
  atomic as the Cython version, though the overall semantics should
  remain the same. Reported in :issue:704 by Shaun Crampton.
• PyPy: Optimize the CFFI backend to use less memory (two pointers per
  watcher).
• Python 3: The WSGI PATH_INFO entry is decoded from URL escapes
  using latin-1, not UTF-8. This improves compliance with PEP 3333 and
  compatibility with some frameworks like Django. Fixed in :pr:712
  by Ruben De Visscher.

1.1rc2

=====================

• Exceptions raised by gevent's SSL sockets are more consistent with
  the standard library (e.g., gevent's Python 3 SSL sockets raise
  :exc:socket.timeout instead of :exc:ssl.SSLError, a change
  introduced in Python 3.2).
• Python 2: gevent's socket's sendall method could completely ignore timeouts
  in some cases. The timeout now refers to the total time taken by
  sendall.
• gevent's SSL socket's sendall method should no longer raise SSL3_WRITE_PENDING
  in rare cases when sending large buffers. Reported in :issue:317.
• :func:gevent.signal.signal now allows resetting (SIG_DFL) and ignoring (SIG_IGN) the
  SIGCHLD signal at the process level (although this may allow race
  conditions with libev child watchers). Reported in :issue:696 by
  Adam Ning.
• :func:gevent.spawn_raw now accepts keyword arguments, as
  previously (incorrectly) documented. Reported in :issue:680 by Ron
  Rothman.
• PyPy: PyPy 2.6.1 or later is now required (4.0.1 or later is
  recommended).
• The CFFI backend is now built and usable on CPython implementations
  (except on Windows) if cffi is installed before gevent is
  installed. To use the CFFI backend, set the environment variable
  GEVENT_CORE_CFFI_ONLY before starting Python. This can aid
  debugging in some cases and helps ensure parity across all
  combinations of supported platforms.
• The CFFI backend now calls the callback of a watcher whose args attribute is
  set to None, just like the Cython backend does. It also only
  allows args to be a tuple or None, again matching the Cython backend.
• PyPy/CFFI: Fix a potential crash when using stat watchers.
• PyPy/CFFI: Encode unicode paths for stat watchers using
  :meth:sys.getfilesystemencoding like the Cython backend.
• The internal implementation modules gevent._fileobject2,
  gevent._fileobject3, and gevent._util were removed. These
  haven't been used or tested since 1.1b1.

gunicorn 19.4.1 -> 19.7.1

19.7.1

===================

• fix: continue if SO_REUSEPORT seems to be available but fails (:issue:1480)
• fix: support non-decimal values for the umask command line option (:issue:1325)

19.7.0

===================

• The previously deprecated gunicorn_django command has been removed.
  Use the :ref:gunicorn-cmd command-line interface instead.
• The previously deprecated django_settings setting has been removed.
  Use the :ref:raw-env setting instead.
• The default value of :ref:ssl-version has been changed from
  ssl.PROTOCOL_TLSv1 to ssl.PROTOCOL_SSLv23.
• fix: initialize the group access list when initgroups is set (:issue:1297)
• add environment variables to gunicorn access log format (:issue:1291)
• add --paste-global-conf option (:issue:1304)
• fix: print access logs to STDOUT (:issue:1184)
• remove upper limit on max header size config (:issue:1313)
• fix: print original exception on AppImportError (:issue:1334)
• use SO_REUSEPORT if available (:issue:1344)
• fix leak <https://github.com/benoitc/gunicorn/commit/b4c41481e2d5ef127199a4601417a6819053c3fd>_ of duplicate file descriptor for bound sockets.
• add --reload-engine option, support inotify and other backends (:issue:1368, :issue:1459)
• fix: reject request with invalid HTTP versions
• add child_exit callback (:issue:1394)
• add support for eventlets _AlreadyHandled object (:issue:1406)
• format boot tracebacks properly with reloader (:issue:1408)
• refactor socket activation and fd inheritance for better support of SystemD (:issue:1310)
• fix: o fds are given by default in gunicorn (:issue:1423)
• add ability to pass settings to GUNICORN_CMD_ARGS environment variable which helps in container world (:issue:1385)
• fix: catch access denied to pid file (:issue:1091)
• many additions and improvements to the documentation

Breaking Change
+++++++++++++++

• Python 2.6.0 is the last supported version

19.6.0

===================

Core & Logging
++++++++++++++

• improvement of the binary upgrade behaviour using USR2: remove file locking (:issue:1270)
• add the --capture-output setting to capture stdout/stderr tot the log
  file (:issue:1271)
• Allow disabling sendfile() via the SENDFILE environment variable
  (:issue:1252)
• fix reload under pycharm (:issue:1129)

Workers
+++++++

• fix: make sure to remove the signal from the worker pipe (:issue:1269)
• fix: gthread worker, handle removed socket in the select loop
  (:issue:1258)

19.5.0

===================

Core
++++

• fix: Ensure response to HEAD request won't have message body
• fix: lock domain socket and remove on last arbiter exit (:issue:1220)
• improvement: use EnvironmentError instead of socket.error (:issue:939)
• add: new FORWARDDED_ALLOW_IPS environment variable (:issue:1205)
• fix: infinite recursion when destroying sockets (:issue:1219)
• fix: close sockets on shutdown (:issue:922)
• fix: clean up sys.exc_info calls to drop circular refs (:issue:1228)
• fix: do post_worker_init after load_wsgi (:issue:1248)

Workers
+++++++

• fix access logging in gaiohttp worker (:issue:1193)
• eventlet: handle QUIT in a new coroutine (:issue:1217)
• gevent: remove obsolete exception clauses in run (:issue:1218)
• tornado: fix extra "Server" response header (:issue:1246)
• fix: unblock the wait loop under python 3.5 in sync worker (:issue:1256)

Logging
+++++++

• fix: log message for listener reloading (:issue:1181)
• Let logging module handle traceback printing (:issue:1201)
• improvement: Allow configuring logger_class with statsd_host (:issue:1188)
• fix: traceback formatting (:issue:1235)
• fix: print error logs on stderr and access logs on stdout (:issue:1184)

Documentation
+++++++++++++

• Simplify installation instructions in gunicorn.org (:issue:1072)
• Fix URL and default worker type in example_config (:issue:1209)
• update django doc url to 1.8 lts (:issue:1213)
• fix: miscellaneous wording corrections (:issue:1216)
• Add PSF License Agreement of selectors.py to NOTICE (:issue: 1226)
• document LOGGING overriding (:issue:1051)
• put a note that error logs are only errors from Gunicorn (:issue:1124)
• add a note about the requirements of the threads workers under python 2.x (:issue:1200)
• add access_log_format to config example (:issue:1251)

Tests
+++++

• Use more pytest.raises() in test_http.py

19.4.5

===================

• fix: NameError fileno in gunicorn.http.wsgi (:issue:1178)

19.4.4

===================

• fix: check if a fileobject can be used with sendfile(2) (:issue:1174)
• doc: be more descriptive in errorlog option (:issue:1173)

================
Changelog - 2017

.. note::

Please see :doc:news for the latest changes

19.4.3

===================

• fix: don't check if a file is writable using os.stat with SELINUX (:issue:1171)

19.4.2

===================

Core
++++

• improvement: handle HaltServer in manage_workers (:issue:1095)
• fix: Do not rely on sendfile sending requested count (:issue:1155)
• fix: claridy --no-sendfile default (:issue:1156)
• fix: LoggingCatch sendfile failure from no file descriptor (:issue:1160)

Logging
+++++++

• fix: Always send access log to syslog if syslog is on
• fix: check auth before trying to own a file (:issue:1157)

Documentation
+++++++++++++

• fix: Fix Slowloris broken link. (:issue:1142)
• Tweak markup in faq.rst

Testing
+++++++

• fix: gaiohttp test (:issue:1164)

boto 2.38.0 -> 2.46.1

2.46.1

============

📅 2017/02/20

Fixes a bug where a recently added module was not added to setup.py

Changes

• Add boto.vendored.regions to setup.py (:issue:3682, :sha:43e796d1)

2.45.0

============

📅 2016/12/14

Add support for eu-west-2 region.

Changes

• Add support for eu-west-2 (:issue:3654, :sha:40c68db)

2.44.0

============

📅 2016/12/08

Adds support for ca-central-1 region and gs object-level storage class.

Changes

• Update endpoints (:issue:3649, :sha:a1eae11)
• Add gs support for object-level storage class features. (:issue:3635, :sha:dc4bf34)

2.43.0

============

📅 2016/10/17

Adds support for us-east-2 endpoint.

Changes

• Add support for us-east-2 endpoint (:sha:262ed00)
• Account for metadata update propagation delay (:issue:3615, :sha:592dae3)
• boto.dynamodb2.table.Tablebatch_get() fails to paginate results if provisioned throughput is exceeded (:issue:3574, :sha:abb3847)

2.42.0

============

📅 2016/07/19

Updates the Mechanical Turk API and fixes some bugs.

Changes

• Respect is_secure parameter in generate_url_sigv4 (:sha:59ba28d)
• Update MTurk API (:issue:3563, :sha:250d891)

2.41.0

============

📅 2016/06/27

Update documentation and endpoints file.

Changes

• Update endpoints.json (:issue:3564, :sha:5e786b4)
• Remove the broken link to PDF's (:issue:3562, :sha:46ffb0c)

2.40.0

===========

📅 2016/04/28

Fixes several bugs.

Changes

• ryansydnor-s3: Allow s3 bucket lifecycle policies with multiple transitions (:sha:c6d5af3)
• Fixes upload parts for glacier (:issue:3524, :sha:d1973a4)
• pslawski-unicode-parse-qs: Move utility functions over to compat Add S3 integ test for non-ascii keys with sigv4 Fix quoting of tilde in S3 canonical_uri for sigv4 Parse unicode query string properly in Python 2 (:issue:2844, :sha:5092c6d)
• ninchat-config-fix: Add setstate to fix pickling test fail Add unit tests for config parsing Don't access parser through dict Config: Catch specific exceptions when wrapping ConfigParser methods Config: Don't inherit from ConfigParser (:issue:3474, :sha:c21aa54)

2.39.0

============

📅 2016/01/18

Add support for ap-northeast-2, update documentation, and fix several bugs.

Changes

• Autodetect sigv4 for ap-northeast-2 (:issue:3461, :sha:c2a17ce)
• Added support for ap-northeast-2 (:issue:3454, :sha:c3c1ddd)
• Remove VeriSign Class 3 CA from trusted certs (:issue:3450, :sha:8a025df)
• Add note about boto3 on all pages of boto docs (:sha:9bd904c)
• Fix for listing EMR steps based on cluster_states filter (:issue:3399, :sha:0f92f35)
• Fixed param name in set_contents_from_string docstring (:issue:3420, :sha:e30297b)
• Closes 3441 Remove py3 test whitelist Update rds to pass on py3 Update mturk to pass tests on py3 Update cloudsearchdomain tests to work with py3 (:issue:3441, :sha:5b2f552)
• Run tests against py35 (:sha:7d039d0)
• Fix Glacier test failure in python 3.5 due to MagicMock (:issue:3412, :sha:d042f07)
• Undo log message change BF(PY3): use except ... as syntax instead of except ..., (:sha:607cad7)
• Fix travis CI builds for PY3 (:issue:3439, :sha:22ab610)
• Spelling fixes (:issue:3425, :sha:f43bbbd)
• Fixed docs (:issue:3401, :sha:4f66311)
• Add deprecation notice to emr methods (:issue:3422, :sha:cee6159)
• Add some GovCloud endpoints (:issue:3421, :sha:5afc068)

django-storages-redux 1.3 -> 1.3.2

1.3.2

---

• Fix memory leak from not closing underlying temp file in s3boto backend (106_) thanks kmmbvnr
• Allow easily specifying a custom expiry time when generating a url for S3BotoStorage (96_) thanks mattbriancon
• Check for bucket existence when the empty path ('') is passed to storage.exists in S3BotoStorage -
  this prevents a crash when running collecstatic -c on Django 1.9.1 (112) fixed in 116 thanks xblitz

.. _106: jschneier/django-storages#106
.. _96: jschneier/django-storages#96
.. _112: jschneier/django-storages#112
.. _116: jschneier/django-storages#116

1.3.1

---

• A few Azure Storage fixes [pass the content-type to Azure, handle chunked content, fix url] (45__) thanks erlingbo
• Add support for a Dropbox (dropbox) storage backend, thanks ZuluPro (76_)
• Various fixes to the apache_libcloud backend [return the number of bytes asked for by .read, make .name non-private, don't
  initialize to an empty BytesIO object] thanks kaedroho (55_)
• Fix multi-part uploads in s3boto backend not respecting AWS_S3_ENCRYPTION (94_) thanks andersontep
• Automatically gzip svg files thanks comandrei (100_)

.. __: jschneier/django-storages#45
.. _76: jschneier/django-storages#76
.. _55: jschneier/django-storages#55
.. _94: jschneier/django-storages#94
.. _100: jschneier/django-storages#100

wheel 0.26.0 -> 0.29.0

0.29.0

======

• Fix compression type of files in archive (Issue 155, Pull Request 62,
  thanks Xavier Fernandez)

0.28.0

======

• Fix file modes in archive (Issue 154)

0.27.0

======

• Support forcing a platform tag using --plat-name on pure-Python wheels, as
  well as nonstandard platform tags on non-pure wheels (Pull Request 60, Issue
  144, thanks Andrés Díaz)
• Add SOABI tags to platform-specific wheels built for Python 2.X (Pull Request
  55, Issue 63, Issue 101)
• Support reproducible wheel files, wheels that can be rebuilt and will hash to
  the same values as previous builds (Pull Request 52, Issue 143, thanks
  Barry Warsaw)
• Support for changes in keyring >= 8.0 (Pull Request 61, thanks Jason R.
  Coombs)
• Use the file context manager when checking if dependency_links.txt is empty,
  fixes problems building wheels under PyPy on Windows (Issue 150, thanks
  Cosimo Lupo)
• Don't attempt to (recursively) create a build directory ending with ..
  (invalid on all platforms, but code was only executed on Windows) (Issue 91)
• Added the PyPA Code of Conduct (Pull Request 56)

django 1.9.5 -> 1.10.6

1.10.6

===========================

March 1, 2017

Django 1.10.6 fixes several bugs in 1.10.5.

Bugfixes

• Fixed ClearableFileInput’s "Clear" checkbox on model form fields where
  the model field has a default (:ticket:27805).

• Fixed RequestDataTooBig and TooManyFieldsSent exceptions crashing
  rather than generating a bad request response (:ticket:27820).

• Fixed a crash on Oracle and PostgreSQL when subtracting DurationField
  or IntegerField from DateField (:ticket:27828).

• Fixed query expression date subtraction accuracy on PostgreSQL for
  differences larger than a month (:ticket:27856).

• Fixed a GDALException raised by GDALClose on GDAL ≥ 2.0
  (:ticket:27479).

===========================

1.10.5

===========================

January 4, 2017

Django 1.10.5 fixes several bugs in 1.10.4.

Bugfixes

• Fixed a crash in the debug view if request.user can't be retrieved, such
  as if the database is unavailable (:ticket:27567).

• Fixed occasional missing plural forms in JavaScriptCatalog
  (:ticket:27418).

• Fixed a regression in the timesince and timeuntil filters that caused
  incorrect results for dates in a leap year (:ticket:27637).

• Fixed a regression where collectstatic overwrote newer files in remote
  storages (:ticket:27658).

===========================

1.10.4

===========================

December 1, 2016

Django 1.10.4 fixes several bugs in 1.10.3.

Bugfixes

• Quoted the Oracle test user's password in queries to fix the "ORA-00922:
  missing or invalid option" error when the password starts with a number or
  special character (:ticket:27420).

• Fixed incorrect app_label / model_name arguments for
  allow_migrate() in makemigrations migration consistency checks
  (:ticket:27461).

• Made Model.delete(keep_parents=True) preserve parent reverse
  relationships in multi-table inheritance (:ticket:27407).

• Fixed a QuerySet.update() crash on SQLite when updating a
  DateTimeField with an F() expression and a timedelta
  (:ticket:27544).

• Prevented LocaleMiddleware from redirecting on URLs that should return
  404 when using prefix_default_language=False (:ticket:27402).

• Prevented an unnecessary index from being created on an InnoDB ForeignKey
  when the field was added after the model was created (:ticket:27558).

===========================

1.10.3

===========================

November 1, 2016

Django 1.10.3 fixes two security issues and several bugs in 1.10.2.

User with hardcoded password created when running tests on Oracle

When running tests with an Oracle database, Django creates a temporary database
user. In older versions, if a password isn't manually specified in the database
settings TEST dictionary, a hardcoded password is used. This could allow
an attacker with network access to the database server to connect.

This user is usually dropped after the test suite completes, but not when using
the manage.py test --keepdb option or if the user has an active session
(such as an attacker's connection).

A randomly generated password is now used for each test run.

DNS rebinding vulnerability when DEBUG=True

Older versions of Django don't validate the Host header against
settings.ALLOWED_HOSTS when settings.DEBUG=True. This makes them
vulnerable to a DNS rebinding attack <http://benmmurphy.github.io/blog/2016/07/11/rails-webconsole-dns-rebinding/>_.

While Django doesn't ship a module that allows remote code execution, this is
at least a cross-site scripting vector, which could be quite serious if
developers load a copy of the production database in development or connect to
some production services for which there's no development instance, for
example. If a project uses a package like the django-debug-toolbar, then
the attacker could execute arbitrary SQL, which could be especially bad if the
developers connect to the database with a superuser account.

settings.ALLOWED_HOSTS is now validated regardless of DEBUG. For
convenience, if ALLOWED_HOSTS is empty and DEBUG=True, the following
variations of localhost are allowed ['localhost', '127.0.0.1', '::1']. If
your local settings file has your production ALLOWED_HOSTS value, you must
now omit it to get those fallback values.

Bugfixes

• Allowed User.is_authenticated and User.is_anonymous properties to be
  tested for set membership (:ticket:27309).

• Fixed a performance regression when running migrate in projects
  with RenameModel operations (:ticket:27279).

• Added model_name to the allow_migrate() calls in makemigrations
  (:ticket:27200).

• Made the JavaScriptCatalog view respect the packages argument;
  previously it was ignored (:ticket:27374).

• Fixed QuerySet.bulk_create() on PostgreSQL when the number of objects is
  a multiple plus one of batch_size (:ticket:27385).

• Prevented i18n_patterns() from using too much of the URL as the language
  to fix a use case for prefix_default_language=False (:ticket:27063).

• Replaced a possibly incorrect redirect from SessionMiddleware when a
  session is destroyed in a concurrent request with a SuspiciousOperation
  to indicate that the request can't be completed (:ticket:27363).

===========================

1.10.2

===========================

October 1, 2016

Django 1.10.2 fixes several bugs in 1.10.1.

Bugfixes

• Fixed a crash in MySQL database validation where SELECT sql_mode
  doesn't return a result (:ticket:27180).

• Allowed combining contrib.postgres.search.SearchQuery with more than one
  & or | operators (:ticket:27143).

• Disabled system check for URL patterns beginning with a '/' when
  APPEND_SLASH=False (:ticket:27238).

• Fixed model form default fallback for CheckboxSelectMultiple,
  MultiWidget, FileInput, SplitDateTimeWidget, SelectDateWidget,
  and SplitArrayWidget (:ticket:27186). Custom widgets affected by this
  issue should implement :meth:~django.forms.Widget.value_omitted_from_data.

• Fixed a crash in runserver logging during a "Broken pipe" error
  (:ticket:27271).

• Fixed a regression where unchanged localized date/time fields were listed as
  changed in the admin's model history messages (:ticket:27302).

===========================

1.10.1

===========================

September 1, 2016

Django 1.10.1 fixes several bugs in 1.10.

Bugfixes

• Fixed a crash in MySQL connections where SELECT SQL_AUTO_IS_NULL
  doesn't return a result (:ticket:26991).

• Allowed User.is_authenticated and User.is_anonymous properties to be
  compared using ==, !=, and | (:ticket:26988, 🎫27154).

• Removed the broken BaseCommand.usage() method which was for
  optparse support (:ticket:27000).

• Fixed a checks framework crash with an empty Meta.default_permissions
  (:ticket:26997).

• Fixed a regression in the number of queries when using RadioSelect with a
  ModelChoiceField form field (:ticket:27001).

• Fixed a crash if request.META['CONTENT_LENGTH'] is an empty string
  (:ticket:27005).

• Fixed the isnull lookup on a ForeignKey with its to_field
  pointing to a CharField or pointing to a CharField defined with
  primary_key=True (:ticket:26983).

• Prevented the migrate command from raising
  InconsistentMigrationHistory in the presence of unapplied squashed
  migrations (:ticket:27004).

• Fixed a regression in Client.force_login() which required specifying a
  backend rather than automatically using the first one if multiple
  backends are configured (:ticket:27027).

• Made QuerySet.bulk_create() properly initialize model instances on
  backends, such as PostgreSQL, that support returning the IDs of the created
  records so that many-to-many relationships can be used on the new objects
  (:ticket:27026).

• Fixed crash of django.views.static.serve() with show_indexes enabled
  (:ticket:26973).

• Fixed ClearableFileInput to avoid the required HTML attribute when
  initial data exists (:ticket:27037).

• Fixed annotations with database functions when combined with lookups on
  PostGIS (:ticket:27014).

• Reallowed the {% for %} tag to unpack any iterable (:ticket:27058).

• Made makemigrations skip inconsistent history checks on non-default
  databases if database routers aren't in use or if no apps can be migrated
  to the database (:ticket:27054, 🎫27110, 🎫27142).

• Removed duplicated managers in Model._meta.managers (:ticket:27073).

• Fixed contrib.admindocs crash when a view is in a class, such as some of
  the admin views (:ticket:27018).

• Reverted a few admin checks that checked field.many_to_many back to
  isinstance(field, models.ManyToManyField) since it turned out the checks
  weren't suitable to be generalized like that (:ticket:26998).

• Added the database alias to the InconsistentMigrationHistory message
  raised by makemigrations and migrate (:ticket:27089).

• Fixed the creation of ContentType and Permission objects for models
  of applications without migrations when calling the migrate command with
  no migrations to apply (:ticket:27044).

• Included the already applied migration state changes in the Apps instance
  provided to the pre_migrate signal receivers to allow ContentType
  renaming to be performed on model rename (:ticket:27100).

• Reallowed subclassing UserCreationForm without USERNAME_FIELD in
  Meta.fields (:ticket:27111).

• Fixed a regression in model forms where model fields with a default that
  didn't appear in POST data no longer used the default (:ticket:27039).

=========================

1.10

=========================

August 1, 2016

Welcome to Django 1.10!

These release notes cover the :ref:new features <whats-new-1.10>, as well as
some :ref:backwards incompatible changes <backwards-incompatible-1.10> you'll
want to be aware of when upgrading from Django 1.9 or older versions. We've
:ref:dropped some features <removed-features-1.10> that have reached the end
of their deprecation cycle, and we've :ref:begun the deprecation process for some features <deprecated-features-1.10>.

See the :doc:/howto/upgrade-version guide if you're updating an existing
project.

Python compatibility

Like Django 1.9, Django 1.10 requires Python 2.7, 3.4, or 3.5. We highly
recommend and only officially support the latest release of each series.

.. _whats-new-1.10:

What's new in Django 1.10

Full text search for PostgreSQL

django.contrib.postgres now includes a :doc:collection of database functions </ref/contrib/postgres/search> to allow the use of the full text
search engine. You can search across multiple fields in your relational
database, combine the searches with other lookups, use different language
configurations and weightings, and rank the results by relevance.

It also now includes trigram support, using the :lookup:trigram_similar
lookup, and the :class:~django.contrib.postgres.search.TrigramSimilarity and
:class:~django.contrib.postgres.search.TrigramDistance expressions.

New-style middleware

:doc:A new style of middleware is introduced </topics/http/middleware> to
solve the lack of strict request/response layering of the old-style of
middleware described in DEP 0005 <https://github.com/django/deps/blob/master/final/0005-improved-middleware.rst>_.
You'll need to :ref:adapt old, custom middleware <upgrading-middleware> and
switch from the MIDDLEWARE_CLASSES setting to the new :setting:MIDDLEWARE
setting to take advantage of the improvements.

Official support for Unicode usernames

The :class:~django.contrib.auth.models.User model in django.contrib.auth
originally only accepted ASCII letters in usernames. Although it wasn't a
deliberate choice, Unicode characters have always been accepted when using
Python 3.

The username validator now explicitly accepts Unicode letters by
default on Python 3 only. This default behavior can be overridden by changing
the :attr:~django.contrib.auth.models.User.username_validator attribute of
the User model, or to any proxy of that model, using either
:class:~django.contrib.auth.validators.ASCIIUsernameValidator or
:class:~django.contrib.auth.validators.UnicodeUsernameValidator. Custom user
models may also use those validators.

Minor features

:mod:django.contrib.admin

• For sites running on a subpath, the default :attr:URL for the "View site" link <django.contrib.admin.AdminSite.site_url> at the top of each admin page
  will now point to request.META['SCRIPT_NAME'] if set, instead of /.

• The success message that appears after adding or editing an object now
  contains a link to the object's change form.

• All inline JavaScript is removed so you can enable the
  Content-Security-Policy HTTP header if you wish.

• The new :attr:InlineModelAdmin.classes <django.contrib.admin.InlineModelAdmin.classes> attribute allows specifying
  classes on inline fieldsets. Inlines with a collapse class will be
  initially collapsed and their header will have a small "show" link.

• If a user doesn't have the add permission, the object-tools block on a
  model's changelist will now be rendered (without the add button, of course).
  This makes it easier to add custom tools in this case.

• The :class:~django.contrib.admin.models.LogEntry model now stores change
  messages in a JSON structure so that the message can be dynamically translated
  using the current active language. A new LogEntry.get_change_message()
  method is now the preferred way of retrieving the change message.

• Selected objects for fields in ModelAdmin.raw_id_fields now have a link
  to object's change form.

• Added "No date" and "Has date" choices for DateFieldListFilter if the
  field is nullable.

• The jQuery library embedded in the admin is upgraded from version 2.1.4 to
  2.2.3.

:mod:django.contrib.auth

• Added support for the :ref:Argon2 password hash <argon2_usage>. It's
  recommended over PBKDF2, however, it's not the default as it requires a
  third-party library.

• The default iteration count for the PBKDF2 password hasher has been increased
  by 25%. This backwards compatible change will not affect users who have
  subclassed django.contrib.auth.hashers.PBKDF2PasswordHasher to change the
  default value.

• The :func:~django.contrib.auth.views.logout view sends "no-cache" headers
  to prevent an issue where Safari caches redirects and prevents a user from
  being able to log out.

• Added the optional backend argument to :func:~django.contrib.auth.login
  to allow using it without credentials.

• The new :setting:LOGOUT_REDIRECT_URL setting controls the redirect of the
  :func:~django.contrib.auth.views.logout view, if the view doesn't get a
  next_page argument.

• The new redirect_authenticated_user parameter for the
  :func:~django.contrib.auth.views.login view allows redirecting
  authenticated users visiting the login page.

• The new :class:~django.contrib.auth.backends.AllowAllUsersModelBackend and
  :class:~django.contrib.auth.backends.AllowAllUsersRemoteUserBackend ignore
  the value of User.is_active, while
  :class:~django.contrib.auth.backends.ModelBackend and
  :class:~django.contrib.auth.backends.RemoteUserBackend now reject inactive
  users.

:mod:django.contrib.gis

• :ref:Distance lookups <distance-lookups> now accept expressions as the
  distance value parameter.

• The new :attr:GEOSGeometry.unary_union <django.contrib.gis.geos.GEOSGeometry.unary_union> property computes the
  union of all the elements of this geometry.

• Added the :meth:GEOSGeometry.covers() <django.contrib.gis.geos.GEOSGeometry.covers> binary predicate.

• Added the :meth:GDALBand.statistics() <django.contrib.gis.gdal.GDALBand.statistics> method and
  :attr:~django.contrib.gis.gdal.GDALBand.mean
  and :attr:~django.contrib.gis.gdal.GDALBand.std attributes.

• Added support for the :class:~django.contrib.gis.db.models.MakeLine
  aggregate and :class:~django.contrib.gis.db.models.functions.GeoHash
  function on SpatiaLite.

• Added support for the
  :class:~django.contrib.gis.db.models.functions.Difference,
  :class:~django.contrib.gis.db.models.functions.Intersection, and
  :class:~django.contrib.gis.db.models.functions.SymDifference
  functions on MySQL.

• Added support for instantiating empty GEOS geometries.

• The new :attr:~django.contrib.gis.geos.WKTWriter.trim and
  :attr:~django.contrib.gis.geos.WKTWriter.precision properties
  of :class:~django.contrib.gis.geos.WKTWriter allow controlling
  output of the fractional part of the coordinates in WKT.