schleuder (3.3.0-4~bpo9+2) stretch-backports; urgency=medium
* debian/patches:
- Pull in upstream patch to strip HTML-part of
multipart/alternative-messages if it contains keywords. The keywords
aren't parsed, because Schleuder doesn't touch any HTML. In order to
prevent the keywords from being disclosed to third parties, for example
via resent messages, the HTML-part is completely dropped. This issue
should be considered privacy-sensitive.
-- Georg Faerber <georg@riseup.net> Tue, 12 Feb 2019 11:25:55 +0000
schleuder (3.3.0-4~bpo9+1) stretch-backports; urgency=medium
* Rebuild for stretch-backports.
-- Georg Faerber <georg@riseup.net> Tue, 09 Oct 2018 21:41:31 +0000
schleuder (3.3.0-4) unstable; urgency=medium
* debian/schleuder.postinst:
- Handle upgrade from schleuder < 3.0. (Closes: #867031)
* debian/rules:
- Make the build verbose.
* debian/.gitlab-ci.yml:
- Install and start haveged, drop linking /dev/random to /dev/urandom. A
recent change in the CI infrastructure of salsa.d.o made this necessary,
as the former solution failed due to "read-only file system".
-- Georg Faerber <georg@riseup.net> Thu, 04 Oct 2018 10:07:21 +0000
schleuder (3.3.0-3) unstable; urgency=medium
* debian/watch:
- Ensure that the version group starts with a digit. Otherwise, uscan
might try to pull in the schleuder-cli release tarball.
-- Georg Faerber <georg@riseup.net> Tue, 02 Oct 2018 09:07:06 +0000
schleuder (3.3.0-2) unstable; urgency=medium
* debian/schleuder.postinst:
- Fix permissions of the config which sets default values for new lists.
-- Georg Faerber <georg@riseup.net> Thu, 27 Sep 2018 22:52:57 +0000
schleuder (3.3.0-1) unstable; urgency=medium
* New upstream release.
* debian/changelog:
- Fix typos.
* debian/copyright:
- Use team@schleuder.org as upstream contact email.
- Use HTTPS in link to GPL version 3.
- Wrap and sort.
* debian/control:
- Bump Standards-Version to 4.2.1, no changes needed.
- Use schleuder.org as upstream homepage.
- Depend on ruby-factory-bot, instead of ruby-factory-girl, while
building.
- Require ruby-mail-gpg >= 0.3.3~. (Closes: #901168)
- Require default-mta or postfix or mail-transport-agent.
- Wrap and sort.
* debian/patches:
- Add patch to remove rack-test dependency, as we are not dealing with
ruby 2.1.
- Drop obsolete patch to fix paths, applied upstream.
- Drop obsolete patch to bump attempts to start SKS mock, fixed upstream.
- Refresh for new release.
* debian/schleuder.postinst:
- Run 'schleuder install' via 'runuser' as the schleuder user.
- Change ownership of the '/etc/schleuder' directory to the schleuder user,
to ensure TLS certificates can be written there.
- Drop obsolete parts which fixed permissions and ownership of the
SQLite database and the certificates. Instead, rely on 'schleuder
install' to do the right thing.
- Make configs writable by the root user, and readable by the schleuder
user.
- Drop 'find', introduced in the last release, in an useless attempt to
overcome the security issues related to recursive chmod or chown.
Instead, specific filenames and directories are used if invoking either
chmod or chown. Thanks a lot, dkg!
- Drop obsolete version check, which compared the to-be-installed version
against the already installed version.
- Finally, fix typos and intendation.
* debian/schleuder.preinst:
- Handle the backup directory exclusively via this file, if upgrading from
schleuder < 3.0. Before, permissions were fixed in the 'postinst' stage.
- Also, while at it, fix intendation.
* debian/ruby-tests.rake:
- Add environment variable to sleep in between SKS mock start attempts.
* debian/schleuder.dirs:
- Create the '/usr/local/lib/schleuder/filters' directory to enable users
to provide their own custom filters.
- Drop obsolete directories.
- Wrap and sort.
* debian/schleuder.install:
- Wrap and sort.
* debian/schleuder.manpages:
- Wrap and sort.
* debian/schleuder.schleuder-api-daemon.service:
- Point to documentation at schleuder.org.
* debian/watch:
- Use schleuder.org to check for new versions.
* debian/.gitlab-ci.yml:
- Introduce configuration to make use of continuous integration as
provided by salsa.debian.org.
-- Georg Faerber <georg@riseup.net> Thu, 27 Sep 2018 15:58:48 +0000
schleuder (3.2.2-1) unstable; urgency=medium
* New upstream release.
* debian/changelog: Remove trailing whitespaces.
* debian/compat: Bump debhelper compat level to 11.
* debian/control:
- Bump Standards-Version to 4.1.3, no changes needed.
- Use salsa.debian.org in Vcs-Browser and Vcs-Git fields, as
anonscm.debian.org is deprecated and accordingly, all repositories were
moved.
- Bump required debhelper version to 11~.
- Add the propcs package as a build dependency, as some specs use
'pgrep'.
* debian/copyright: Bump years to include 2018 and use HTTPS in link to
copyright format specification.
* debian/patches:
- Refresh for release 3.2.2-1.
- Add patch to remove the spec which tests and expects the install to
fail, if a shell-process fails, as it fails itself, currently. The
discussion with upstream how to solve this in a sane way is ongoing.
- Add patch to increase attempts to start the SKS mock keyserver which is
used for running the specs, and the time to sleep between each attempt.
Sometimes, the SKS mock keyserver didn't start within the given time,
leading to failed specs. This will be fixed upstream and included in the
next release.
- Add patch to disable Tor and to enforce the use of the so called
"standard resolver" for DNS resolution in dirmngr. It seems, dirmngr
still sometimes has problems to connect to a keyserver if invoked in a
chroot, leading to failed specs. This patch only affects the dirmngr
configuration related to running the specs.
* debian/Rakefile: Add new alias for database setup as used by upstream.
* debian/{rules,s-a-d.service}: In debhelper compat level 11, the systemd
sequence for dh was removed, and the dh_systemd_{enable,start,stop}
helpers as well. Accordingly, drop the obsolete helpers and make use of
the new dh_installsystemd helper.
Moreover, if specifying '--name' for dh_installsystemd, debhelper now
expects the systemd service file to be installed to be named as
$package-name.$service-name.service. Accordingly, rename the service file
of the API daemon.
* debian/schleuder.postinst: Fix permissions of files and directories. A
user reported upstream, that the files inside '/etc/schleuder' had the
executable bit set.
At the same time it was reported in bugs #889060 and #889488, that doing
recursive chmod or chown might lead to root escalation on systems with
'fs.protected_hardlinks=0'.
This change fixes both problems via using 'find'. Additionally, the
permissions are made more strict, to ensure that the directories and
files are only accessible by the schleuder user. Before, the schleuder
group was allowed access, too.
* debian/watch: Update for new upstream release download location.
-- Georg Faerber <georg@riseup.net> Tue, 13 Feb 2018 03:24:52 +0100
schleuder (3.2.1-1) unstable; urgency=medium
* New upstream release.
* debian/control:
- Drop unnecessary dependency on init-system-helpers, as this is an
essential package.
- Explicitly depend on ruby-gpgme >= 2.0.13~: Up until 2.0.12, ruby-gpgme
suffered from a bug which lead to false constructed key capabilities. In
2013, the bug was found and a patch was written, but it took three more
years for the patch to be included in a release.
- Relax required rake version. This helps with backporting schleuder to
stretch, and ensures a minimal delta between buster and stretch.
* debian/NEWS: Add note about how to rely on the Debian keyserver defaults.
* debian/patches:
- Add patch to rely on the Debian keyserver defaults in the schleuder
config. (Closes: #852710)
- Drop patch to disable bundler, integrated upstream.
- Refresh for release 3.2.1-1.
* debian/ruby-tests.rake:
- Disable bundler and test coverage check.
- Don't kill gpg-agent before and after running the tests, integrated
upstream.
- Use random path for database and lists directory to prevent known
tmpfile attacks.
* debian/tests:
- Explain why we aren't using haveged anymore, and instead, why we link
/dev/random to /dev/urandom. Please, don't do this in production!
- Accordingly, drop obsolete dependency on haveged.
- Checking the status of the API is now possible without authentication.
Therefore, update the expected response if querying the API status
during autopkgtest.
-- Georg Faerber <georg@riseup.net> Fri, 27 Oct 2017 18:42:56 +0200
schleuder (3.1.2-3) unstable; urgency=medium
* debian/tests/upstream-tests: Drop starting haveged manually, because
this doesn't work anymore, if invoked in a container. Instead, link
/dev/random to /dev/urandom.
* debian/ruby-tests.rake: Kill gpg-agent before and after running tests.
This might help with making schleuder build reproducibly.
-- Georg Faerber <georg@riseup.net> Sat, 30 Sep 2017 14:21:38 +0200
schleuder (3.1.2-2) unstable; urgency=medium
* debian/control:
- Bump Standards-Version to 4.1.1.0, no changes needed.
- Drop obsolete build dependency on 'dh-systemd'.
- Drop obsolete 'Testsuite', this is added automatically by dpkg-source
since dpkg 1.17.1, if a debian/tests/control file exists.
-- Georg Faerber <georg@riseup.net> Sat, 30 Sep 2017 09:05:32 +0200
schleuder (3.1.2-1) unstable; urgency=medium
* New upstream release.
* debian/copyright:
- Bump years to include 2017.
- Fix upstream source location.
* debian/control: Bump required rake version to >= 12~.
* debian/schleuder.preinst:
- Check for existing schleuder < 3.0 data first, before doing the backup.
(Closes: #867031)
- Don't use 'echo' to inform the user about the data migration process,
but instead via a proper NEWS file.
* debian/NEWS: Add said file with notes on how to migrate schleuder < 3.0
data.
* debian/patches/0003-bin-fix-require.patch: Refresh for 3.1.2-1.
-- Georg Faerber <georg@riseup.net> Thu, 13 Jul 2017 13:40:47 +0200
schleuder (3.1.1-1) unstable; urgency=medium
* New upstream release.
* debian/patches/0001-lib-fix-paths.patch: Refresh for new release.
-- Georg Faerber <georg@riseup.net> Sun, 25 Jun 2017 14:58:01 +0200
schleuder (3.1.0-3) unstable; urgency=medium
* debian/rules:
- Install SysV init script.
- Drop unneeded debhelper '--no-start' overrides; debhelper should
enable and start the Schleuder API daemon.
* debian/control:
- Depend on lsb-base package for init-functions.
- Fix (Build-)Depends: formatting.
- Bump Standards-Version to 4.0.0.
* debian/schleuder-api-daemon.init: Rework SysVinit script: Fix formatting
and styling, add required and recommend commands status, reload,
force-reload by Lintian.
* debian/schleuder.cron.weekly: Refresh keys first, ignore errors and don't
exit early. (Closes: #853836)
* debian/schleuder.preinst: If upgrading from schleuder 2, move data to
separate backup dir and inform the user. (Closes: #853841)
* debian/schleuder.postinst:
- Remove obsolete deb-systemd-helper calls, this is handled by debhelper
now.
- Ensure sane permissions of backup dir. (Closes: #853841)
* debian/schleuder.postrm: Remove the backup dir if purging the package.
(Closes: #853841)
* debian/README.Debian: Add notes to migrate lists from schleuder 2 to 3.
(Closes: #853841)
* debian/patches: As data is now moved to a separate backup dir if upgrading
from schleuder 2, drop the obsolete patching of 'schleuder install', which
disabled the check for existing data. (Closes: #853841)
-- Georg Faerber <georg@riseup.net> Tue, 20 Jun 2017 13:17:00 +0200
schleuder (3.1.0-2) unstable; urgency=medium
* debian/tests/upstream-tests: Ensure haveged is running before executing
the upstream provided tests, which rely heavily on entropy.
* debian/tests/control: Add 'needs-root' restriction to actually be able to
start haveged manually. The provided init script disables the automatic
start in containerized environments.
-- Georg Faerber <georg@riseup.net> Tue, 13 Jun 2017 00:28:23 +0200
schleuder (3.1.0-1) unstable; urgency=medium
* New upstream release.
* debian/gbp.conf: Removed, not needed anymore.
* debian/watch: Fixed, broken due to Gitlab upgrade.
-- Georg Faerber <georg@riseup.net> Sat, 10 Jun 2017 19:37:40 +0200
schleuder (3.0.1-1) unstable; urgency=medium
* New upstream release.
* debian/schleuder.cron.weekly: Refresh keys from the keyservers.
* debian/schleuder.{dirs,install}: Ship Postfix config file.
* debian/patches/: Refresh for Debian schleuder release 3.0.1-1.
* debian/control: Add dirmngr to {Build-}Depends:.
* debian/tests/check-status: Rework check against installed API daemon. This
is needed because of the recent upstream changes which made TLS and API
keys mandatory.
-- Georg Faerber <georg@riseup.net> Thu, 26 Jan 2017 12:33:06 +0100
schleuder (3.0.0~beta17-2) unstable; urgency=medium
* debian/control: Depend on cron or cron-daemon. (Closes: #851732)
* debian/schleuder.postinst: Don't 'touch' database; fixed upstream.
* debian/tests/control: Install haveged to help with entropy.
* debian/watch: Watch 0xacab.org; the upstream repository moved.
* debian/ruby-tests.rake: Fix and call cleanup task.
-- Georg Faerber <georg@riseup.net> Wed, 25 Jan 2017 15:27:28 +0100
schleuder (3.0.0~beta17-1) unstable; urgency=medium
[ Georg Faerber ]
* New upstream release. (Closes: #850545)
* debian/schleuder-api-daemon.init: Add sysvinit script.
* debian/patches: Refresh for Debian schleuder release 3.0.0~beta17-1.
* debian/ruby-tests.rake:
- Cover all upstream tests.
- Remove test database to make the build reproducible.
[ Sebastien Badia ]
* debian/control:
- Wrap and sort.
- Add ruby-factory-girl as Build-Depends.
* debian/compat: Bump debhelper compat to 10.
-- Georg Faerber <georg@riseup.net> Thu, 12 Jan 2017 19:52:43 +0100
schleuder (3.0.0~beta11-2) unstable; urgency=medium
* debian/schleuder.postinst: Restart the API daemon by default
* debian/ruby-tests.rake: Load correct Rakefile and ensure clean
environment
-- Georg Faerber <georg@riseup.net> Tue, 13 Dec 2016 18:56:32 +0100
schleuder (3.0.0~beta11-1) unstable; urgency=medium
* Initial release (Closes: #845636)
-- Georg Faerber <georg@riseup.net> Mon, 12 Dec 2016 16:20:50 +0100