Any reason you don't use an arrow func here?

Module docstring

Can we not just use the one from hostingsvcs to avoid duplicate code?

"HTTP GET"

Should be indented.

Needs to be qualified.

Should be indented.

Needs to be qualified.

Needs to be qualified.

Needs to be qualified.

Should be indented.

Needs to be qualified.

Should be indented.

Module level docstring.

Don't we usually have these at top of funcs?

Django behaviour is to remove error'ed fields from cleaned_data.
Shouldn't this be a ValidationError(_(...)) since self.error_class is ErrorList ?
Same below.

Module level docstring.

Can we distribute these?

Rather, review requests that are attachment-only.

This isn't Review Bot.

Module level docstring.

No blank line here.

Blank line between these.

You still need to pop travis_custom_endpoint out of self._errors. Same below.

Small typo in the example generated configuration. The comma shouldn't be there after the DJANGO_VERSION=1.6.11.

Can we use travis-ci instead of travisci?

You can do:

$server.setVisible($endpoint.val() === 'E');

Maybe condense these to be two lines?

u = urlopen(URLRequest(...))
return json.loads(u.read())

dict?

reviewboard.reviews.models.review_request.ReviewRequest

Maybe we can use the existing list and perform a - [ReviewRequestRepositoryTypeChoice] (or whatever)?

and on the previous line.

We should probably use six.text_type(e) instead of e directly.
Same below.

Can simplify this a bit:

if warning['key']:
    ...

    message = ...
else:
    message = warning['message']

self._errors['travis_yml'] = self.error_class([message])

Can we log with request=self.request on all these logging statements, so we'll have user/Local Site context?

repository's
Let's also just use double quotes for this string instead of escaping the apostrophes.

Let's pull out the repository into a variable. It'll prevent the Review Bot complaint, since it should be able to wrap, and we access the repository further below anyway.

We can include this in the function.

Can these be:

notifications = travis_config.get('notifications') or {}


?

Can use += [ ... ]

We're going to need to check for IntegrityErrors, in case another process beat this one to the punch on creating the user.

*args

**kwargs

You can wrap after the . anywhere now.

This will crash if HTTP_SIGNATURE isn't present.

Should be bullet-proof this? Log an error if we get a KeyError?

Does this raise an exception if any part of this fails?

We should bullet-proof this as well.

You can pass the method in directory. There's no this being used.

We should guard against the request failing or the data not being parsable. (Proxy servers may get in the way and spit out garbage, for instance.)
What we do in GitHub and other places is we have a function that does the request and returns JSON data, and it checks everything. We should maybe have _make_request do that (optionally, if it's being used for non-JSON requests as well).

"GitHub"

Can you wrap these in parens so it's a little more visually clear what's happening?
Since this is Python 2.7, we can also use {...} instead of set([...]}.

Sine this line's too long, and we dig into cryptography.hazmat.primitives a bunch, let's just pull primitives out.

GitHub

Should this be marked for translation?

Do we want to limit the scope of this token?

Barring the UI issues below, this all looks good to me.

This help text should probs be aligned with the description above.

Alignment here is off.

We definitely should have a warning that they should omit secret environment variables, because people will be able to print out the environment in the log with a malicious patch.