python
diff --git a/‎apps/blogs/migrations/0004_normalize_blogentry_urls.py‎
Lines changed: 32 additions & 0 deletions b/‎apps/blogs/migrations/0004_normalize_blogentry_urls.py‎
Lines changed: 32 additions & 0 deletions
diff --git a/‎apps/blogs/parser.py‎
Lines changed: 15 additions & 1 deletion b/‎apps/blogs/parser.py‎
Lines changed: 15 additions & 1 deletion
diff --git a/‎apps/blogs/tests/test_parser.py‎
Lines changed: 25 additions & 1 deletion b/‎apps/blogs/tests/test_parser.py‎
Lines changed: 25 additions & 1 deletion
diff --git a/‎apps/boxes/templatetags/boxes.py‎
Lines changed: 1 addition & 1 deletion b/‎apps/boxes/templatetags/boxes.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎apps/companies/templatetags/companies.py‎
Lines changed: 5 additions & 5 deletions b/‎apps/companies/templatetags/companies.py‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎apps/downloads/migrations/0015_releasefile_python_dot_org_urls.py‎
Lines changed: 59 additions & 0 deletions b/‎apps/downloads/migrations/0015_releasefile_python_dot_org_urls.py‎
Lines changed: 59 additions & 0 deletions
diff --git a/‎apps/downloads/models.py‎
Lines changed: 23 additions & 0 deletions b/‎apps/downloads/models.py‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎apps/downloads/templatetags/download_tags.py‎
Lines changed: 5 additions & 6 deletions b/‎apps/downloads/templatetags/download_tags.py‎
Lines changed: 5 additions & 6 deletions
diff --git a/‎apps/downloads/tests/base.py‎
Lines changed: 5 additions & 5 deletions b/‎apps/downloads/tests/base.py‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎apps/downloads/tests/test_models.py‎
Lines changed: 29 additions & 7 deletions b/‎apps/downloads/tests/test_models.py‎
Lines changed: 29 additions & 7 deletions
@@ -0,0 +1,32 @@
+"""Rewrite legacy pythoninsider.blogspot.com URLs to blog.python.org.
+
+Blogger's RSS feed historically served entry links under the old
+pythoninsider.blogspot.com domain.  This one-time migration normalizes
+existing BlogEntry rows so that the parser's runtime normalization
+(added in the same changeset) doesn't create duplicates via
+update_or_create.
+"""
+
+from django.db import migrations
+from django.db.models import Value
+from django.db.models.functions import Replace
+
+
+def normalize_blogentry_urls(apps, schema_editor):
+    BlogEntry = apps.get_model("blogs", "BlogEntry")
+    BlogEntry.objects.filter(url__contains="pythoninsider.blogspot.com").update(
+        url=Replace("url", Value("pythoninsider.blogspot.com"), Value("blog.python.org")),
+    )
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("blogs", "0003_alter_relatedblog_creator_and_more"),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            normalize_blogentry_urls,
+            reverse_code=migrations.RunPython.noop,
+        ),
+    ]
@@ -1,6 +1,7 @@
 """RSS feed parsing and blog supernav rendering utilities."""
 
 import datetime
+from urllib.parse import urlparse, urlunparse
 
 import feedparser
 from django.conf import settings
@@ -9,6 +10,19 @@
 from apps.blogs.models import BlogEntry, Feed
 from apps.boxes.models import Box
 
+# Blogger serves RSS entry links with this legacy domain instead of
+# the canonical blog.python.org hostname.
+_BLOGGER_LEGACY_HOST = "pythoninsider.blogspot.com"
+
+
+def _normalize_blog_url(url):
+    """Rewrite legacy Blogger URLs to the canonical blog.python.org domain."""
+    parsed = urlparse(url)
+    if parsed.hostname == _BLOGGER_LEGACY_HOST:
+        canonical = urlparse(settings.PYTHON_BLOG_URL)
+        return urlunparse(parsed._replace(scheme=canonical.scheme, netloc=canonical.netloc))
+    return url
+
 
 def get_all_entries(feed_url):
     """Retrieve all entries from a feed URL."""
@@ -22,7 +36,7 @@ def get_all_entries(feed_url):
             "title": e["title"],
             "summary": e.get("summary", ""),
             "pub_date": published,
-            "url": e["link"],
+            "url": _normalize_blog_url(e["link"]),
         }
 
         entries.append(entry)
 
@@ -1,7 +1,7 @@
 import datetime
 import unittest
 
-from apps.blogs.parser import get_all_entries
+from apps.blogs.parser import _normalize_blog_url, get_all_entries
 from apps.blogs.tests.utils import get_test_rss_path
 
 
@@ -24,3 +24,27 @@ def test_entries(self):
             self.entries[0]["url"],
             "http://feedproxy.google.com/~r/PythonInsider/~3/tGNCqyOiun4/introducing-electronic-contributor.html",
         )
+
+
+class NormalizeBlogUrlTest(unittest.TestCase):
+    def test_rewrites_pythoninsider_blogspot(self):
+        url = "https://pythoninsider.blogspot.com/2026/02/join-the-python-security-response-team.html"
+        self.assertEqual(
+            _normalize_blog_url(url),
+            "https://blog.python.org/2026/02/join-the-python-security-response-team.html",
+        )
+
+    def test_rewrites_http_to_canonical_scheme(self):
+        url = "http://pythoninsider.blogspot.com/2026/01/some-post.html"
+        self.assertEqual(
+            _normalize_blog_url(url),
+            "https://blog.python.org/2026/01/some-post.html",
+        )
+
+    def test_preserves_non_blogspot_urls(self):
+        url = "http://feedproxy.google.com/~r/PythonInsider/~3/abc/some-post.html"
+        self.assertEqual(_normalize_blog_url(url), url)
+
+    def test_preserves_blog_python_org_urls(self):
+        url = "https://blog.python.org/2026/02/some-post.html"
+        self.assertEqual(_normalize_blog_url(url), url)
@@ -15,7 +15,7 @@
 def box(label):
     """Render the content of a Box identified by its label slug."""
     try:
-        return mark_safe(Box.objects.only("content").get(label=label).content.rendered)
+        return mark_safe(Box.objects.only("content").get(label=label).content.rendered)  # noqa: S308
     except Box.DoesNotExist:
         log.warning("WARNING: box not found: label=%s", label)
         return ""
@@ -2,12 +2,12 @@
 
 from django import template
 from django.template.defaultfilters import stringfilter
-from django.utils.html import format_html
+from django.utils.html import format_html_join, mark_safe
 
 register = template.Library()
 
 
-@register.filter(is_safe=True)
+@register.filter()
 @stringfilter
 def render_email(value):
     """Render an email address with obfuscated dots and at-sign using spans."""
@@ -16,8 +16,8 @@ def render_email(value):
         mailbox_tokens = mailbox.split(".")
         domain_tokens = domain.split(".")
 
-        mailbox = "<span>.</span>".join(mailbox_tokens)
-        domain = "<span>.</span>".join(domain_tokens)
+        mailbox = format_html_join(mark_safe("<span>.</span>"), "{}", [(token,) for token in mailbox_tokens])
+        domain = format_html_join(mark_safe("<span>.</span>"), "{}", [(token,) for token in domain_tokens])
 
-        return format_html(f"{mailbox}<span>@</span>{domain}")
+        return mailbox + mark_safe("<span>@</span>") + domain
     return None
@@ -0,0 +1,59 @@
+# Generated by Django 5.2.11 on 2026-02-25 14:13
+
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("downloads", "0014_releasefile_sha256_sum"),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.AddConstraint(
+            model_name="releasefile",
+            constraint=models.CheckConstraint(
+                condition=models.Q(
+                    models.Q(
+                        ("url__exact", ""),
+                        ("url__startswith", "https://www.python.org/"),
+                        ("url__startswith", "http://www.python.org/"),
+                        _connector="OR",
+                    ),
+                    models.Q(
+                        ("gpg_signature_file__exact", ""),
+                        ("gpg_signature_file__startswith", "https://www.python.org/"),
+                        ("gpg_signature_file__startswith", "http://www.python.org/"),
+                        _connector="OR",
+                    ),
+                    models.Q(
+                        ("sigstore_signature_file__exact", ""),
+                        ("sigstore_signature_file__startswith", "https://www.python.org/"),
+                        ("sigstore_signature_file__startswith", "http://www.python.org/"),
+                        _connector="OR",
+                    ),
+                    models.Q(
+                        ("sigstore_cert_file__exact", ""),
+                        ("sigstore_cert_file__startswith", "https://www.python.org/"),
+                        ("sigstore_cert_file__startswith", "http://www.python.org/"),
+                        _connector="OR",
+                    ),
+                    models.Q(
+                        ("sigstore_bundle_file__exact", ""),
+                        ("sigstore_bundle_file__startswith", "https://www.python.org/"),
+                        ("sigstore_bundle_file__startswith", "http://www.python.org/"),
+                        _connector="OR",
+                    ),
+                    models.Q(
+                        ("sbom_spdx2_file__exact", ""),
+                        ("sbom_spdx2_file__startswith", "https://www.python.org/"),
+                        ("sbom_spdx2_file__startswith", "http://www.python.org/"),
+                        _connector="OR",
+                    ),
+                ),
+                name="only_python_dot_org_urls",
+                violation_error_message="All file URLs must begin with 'https://www.python.org/'",
+            ),
+        ),
+    ]
@@ -357,6 +357,17 @@ def update_boxes_on_release_file_delete(sender, instance, **kwargs):
     _update_boxes_for_release_file(instance)
 
 
+def condition_url_is_blank_or_python_dot_org(column: str):
+    """Conditions for a URLField column to force 'http[s]://python.org'."""
+    return (
+        models.Q(**{f"{column}__exact": ""})
+        | models.Q(**{f"{column}__startswith": "https://www.python.org/"})
+        # Older releases allowed 'http://'. 'https://' is required at
+        # the API level, so shouldn't show up in newer releases.
+        | models.Q(**{f"{column}__startswith": "http://www.python.org/"})
+    )
+
+
 class ReleaseFile(ContentManageable, NameSlugModel):
     """Individual files in a release.
 
@@ -406,4 +417,16 @@ class Meta:
                 condition=models.Q(download_button=True),
                 name="only_one_download_per_os_per_release",
             ),
+            models.CheckConstraint(
+                condition=(
+                    condition_url_is_blank_or_python_dot_org("url")
+                    & condition_url_is_blank_or_python_dot_org("gpg_signature_file")
+                    & condition_url_is_blank_or_python_dot_org("sigstore_signature_file")
+                    & condition_url_is_blank_or_python_dot_org("sigstore_cert_file")
+                    & condition_url_is_blank_or_python_dot_org("sigstore_bundle_file")
+                    & condition_url_is_blank_or_python_dot_org("sbom_spdx2_file")
+                ),
+                name="only_python_dot_org_urls",
+                violation_error_message="All file URLs must begin with 'https://www.python.org/'",
+            ),
         ]
@@ -6,8 +6,7 @@
 import requests
 from django import template
 from django.core.cache import cache
-from django.utils.html import format_html
-from django.utils.safestring import mark_safe
+from django.utils.html import format_html, format_html_join, mark_safe
 
 from apps.downloads.models import Release
 
@@ -111,11 +110,11 @@ def wbr_wrap(value: str | None) -> str:
 
     # Split into two halves, each half has internal <wbr> breaks
     midpoint = len(chunks) // 2
-    first_half = "<wbr>".join(chunks[:midpoint])
-    second_half = "<wbr>".join(chunks[midpoint:])
+    first_half = format_html_join(mark_safe("<wbr>"), "{}", [(chunk,) for chunk in chunks[:midpoint]])
+    second_half = format_html_join(mark_safe("<wbr>"), "{}", [(chunk,) for chunk in chunks[midpoint:]])
 
-    return mark_safe(
-        f'<span class="checksum-half">{first_half}</span><wbr><span class="checksum-half">{second_half}</span>'
+    return format_html(
+        '<span class="checksum-half">{}</span><wbr><span class="checksum-half">{}</span>', first_half, second_half
     )
 
 
 
@@ -36,22 +36,22 @@ def setUp(self):
             release=self.release_275,
             name="Windows x86 MSI Installer (2.7.5)",
             description="Windows binary -- does not include source",
-            url="ftp/python/2.7.5/python-2.7.5.msi",
+            url="https://www.python.org/ftp/python/2.7.5/python-2.7.5.msi",
         )
         self.release_275_windows_64bit = ReleaseFile.objects.create(
             os=self.windows,
             release=self.release_275,
             name="Windows X86-64 MSI Installer (2.7.5)",
             description="Windows AMD64 / Intel 64 / X86-64 binary -- does not include source",
-            url="ftp/python/2.7.5/python-2.7.5.amd64.msi",
+            url="https://www.python.org/ftp/python/2.7.5/python-2.7.5.amd64.msi",
         )
 
         self.release_275_osx = ReleaseFile.objects.create(
             os=self.osx,
             release=self.release_275,
             name="Mac OSX 64-bit/32-bit",
             description="Mac OS X 10.6 and later",
-            url="ftp/python/2.7.5/python-2.7.5-macosx10.6.dmg",
+            url="https://www.python.org/ftp/python/2.7.5/python-2.7.5-macosx10.6.dmg",
         )
 
         self.release_275_linux = ReleaseFile.objects.create(
@@ -60,7 +60,7 @@ def setUp(self):
             release=self.release_275,
             is_source=True,
             description="Gzipped source",
-            url="ftp/python/2.7.5/Python-2.7.5.tgz",
+            url="https://www.python.org/ftp/python/2.7.5/Python-2.7.5.tgz",
             filesize=12345678,
         )
 
@@ -77,7 +77,7 @@ def setUp(self):
             release=self.draft_release,
             is_source=True,
             description="Gzipped source",
-            url="ftp/python/9.7.2/Python-9.7.2.tgz",
+            url="https://www.python.org/ftp/python/9.7.2/Python-9.7.2.tgz",
         )
 
         self.hidden_release = Release.objects.create(
 
@@ -1,7 +1,10 @@
 import datetime as dt
 from unittest.mock import patch
 
-from apps.downloads.models import Release, ReleaseFile
+from django.db import IntegrityError, transaction
+from django.db.models import URLField
+
+from apps.downloads.models import OS, Release, ReleaseFile
 from apps.downloads.tests.base import BaseDownloadTests
 
 
@@ -160,7 +163,7 @@ def test_update_supernav(self):
                 release=self.python_3,
                 slug=slug,
                 name="Python 3.10",
-                url=f"/ftp/python/{slug}.zip",
+                url=f"https://www.python.org/ftp/python/{slug}.zip",
                 download_button=True,
             )
 
@@ -179,7 +182,7 @@ def test_update_supernav(self):
             os=self.windows,
             release=release,
             name="MSIX",
-            url="/ftp/python/pymanager/pymanager-25.0.msix",
+            url="https://www.python.org/ftp/python/pymanager/pymanager-25.0.msix",
             download_button=True,
         )
 
@@ -199,7 +202,7 @@ def test_update_supernav_skips_os_without_files(self):
         """
         # Arrange
         from apps.boxes.models import Box
-        from apps.downloads.models import OS, update_supernav
+        from apps.downloads.models import update_supernav
 
         # Create an OS without any release files
         OS.objects.create(name="Android", slug="android")
@@ -215,7 +218,7 @@ def test_update_supernav_skips_os_without_files(self):
                 release=self.python_3,
                 slug=slug,
                 name="Python 3.10",
-                url=f"/ftp/python/{slug}.zip",
+                url=f"https://www.python.org/ftp/python/{slug}.zip",
                 download_button=True,
             )
 
@@ -247,7 +250,7 @@ def test_release_file_save_triggers_box_updates(self, mock_home, mock_sources, m
             os=self.windows,
             release=self.python_3,
             name="Windows installer",
-            url="/ftp/python/3.10.19/python-3.10.19.exe",
+            url="https://www.python.org/ftp/python/3.10.19/python-3.10.19.exe",
             download_button=True,
         )
 
@@ -268,7 +271,7 @@ def test_release_file_save_skips_unpublished_release(self, mock_home, mock_sourc
             os=self.windows,
             release=self.draft_release,
             name="Windows installer draft",
-            url="/ftp/python/9.7.2/python-9.7.2.exe",
+            url="https://www.python.org/ftp/python/9.7.2/python-9.7.2.exe",
         )
 
         mock_supernav.assert_not_called()
@@ -289,3 +292,22 @@ def test_release_file_delete_triggers_box_updates(self, mock_home, mock_sources,
         mock_supernav.assert_called()
         mock_sources.assert_called()
         mock_home.assert_called()
+
+    def test_release_file_urls_not_python_dot_org(self):
+        for field in ReleaseFile._meta.get_fields():  # noqa: SLF001
+            if not isinstance(field, URLField):
+                continue
+            with self.subTest(field.name), transaction.atomic():
+                kwargs = {
+                    "url": "https://www.python.org/ftp/python/9.7.2/python-9.7.2.exe",
+                    # field.name may be 'url', but will replace the default value.
+                    field.name: "https://notpython.com/python-9.7.2.txt",
+                }
+
+                with self.assertRaises(IntegrityError):
+                    ReleaseFile.objects.create(
+                        os=self.windows,
+                        release=self.draft_release,
+                        name="Windows installer draft",
+                        **kwargs,
+                    )