ikiwiki-hosting (0.20170622) unstable; urgency=medium

  [ Joey Hess ]
  * remove, letsnotencrypt: Remove Let's Encrypt renewal file, to avoid
    the cron job trying to renew deleted sites.
  * Fix deletion of sites that use https over the web interface.
  * HTTP Strict Transport Security (HSTS) is enabled for all sites that
    have redirect_to_https set in their configuration.
    Thanks, Antoine Beaupré.
  * Improve ikisite backup to lock the wiki for a much shorter period
    of time.
  * Remove .ikiwiki/sessions.db from the ikisite backup, as the file can
    be rather large, and losing it only means users have to log back in
    sooner than would otherwise be the case.
  * ikisite-wrapper: Allow ikisite enable to be run via the wrapper.
    The CGI uses this to update the site config of an already enabled
    site when enabling eg redirect_to_https or adding a DNS alias.

  [ Simon McVittie ]
  * debian/copyright: Use preferred https URL for Format
  * debian/control: Declare compliance with Debian Policy 4.0.0
  * debian: Update to debhelper compat level 10

 -- Simon McVittie  Thu, 22 Jun 2017 10:08:31 +0100

ikiwiki-hosting (0.20161219) unstable; urgency=medium

  [ Joey Hess ]
  * Initial support for Let's Encrypt.
  * The use_letsencrypt setting can be set for a site by running
    ikisite letsencrypt domain, and it will attempt to get the
    certificate for it using certbot.
  * ikisite domains: Update certificate using certbot when set of
    domains changes.
  * Added ikisite maintaincerts to request/renew Let's Encrypt certs as
    needed, and added it to the daily cron job.
  * The files /etc/ikiwiki-hosting/config/$username/domain.{crt,key,chain}
    are used, when they exist, in preference to the files
    /etc/ikiwiki-hosting/config/$username/ssl.{key,crt}. This allows a
    site with multiple domains to have different certificates for them.
    The Let's Encrypt support uses this.

 -- Simon McVittie  Mon, 19 Dec 2016 20:34:25 +0000

ikiwiki-hosting (0.20160811) unstable; urgency=medium

  * Explicitly remove current working directory from Perl's library
    search path, mitigating CVE-2016-1238 (see #588017)
  * Add a simple autopkgtest for creating and deleting a site
  * Standards-Version: 3.9.8 (no changes required)
  * debian/rules: enable compiler hardening

 -- Simon McVittie  Thu, 11 Aug 2016 10:47:22 +0100

ikiwiki-hosting (0.20160123) unstable; urgency=medium

  * Fix the escaping of { in HostingAutomator by also escaping the },
    fixing a regression that broke `ikisite create`

 -- Simon McVittie  Sat, 23 Jan 2016 18:36:45 +0000

ikiwiki-hosting (0.20160121) unstable; urgency=medium

  [ Joey Hess ]
  * Fix looping redirection when redirect_to_https is set.
    Thanks, Antoine Beaupré.
  * controlpanel: Display unfocused site buttons with low opacity, but
    still display them. This is an accessibility fix; the old hiding
    method broke caret browsing and screenreaders.

  [ Simon McVittie ]
  * d/control: use https for Homepage
  * d/control: use pkg-perl autopkgtest setup
  * Fix "unescaped left brace in regex is deprecated" with Perl 5.22
  * Normalize packaging through `wrap-and-sort -abst`
  * Depend on libimage-magick-perl in preference to transitional
    perlmagick package, similar to #789221 in ikiwiki

 -- Simon McVittie  Thu, 21 Jan 2016 22:46:57 +0000

ikiwiki-hosting (0.20150614) unstable; urgency=medium

  [ Joey Hess ]
  * Debian maintainer changed to Simon McVittie.
  * Added support for emailauth.
  * Add libcgi-pm-perl to depends.
  * When creating a new site using makesite plugin, the adminemail is
    not set to the user's email address, since that would make emailauth
    messages come from that email address, which might not work due to
    eg, SPF.
  * Add libcoy-perl to depends, for ikiwiki's haiku plugin.

  [ Simon McVittie ]
  * Ask recent ikiwiki to run in deterministic mode
  * Set Vcs-Browser
  * debian/source/format: set to 3.0 (native)
  * Standards-Version: 3.9.6 (no changes)

 -- Simon McVittie  Sun, 14 Jun 2015 21:03:02 +0100

ikiwiki-hosting (0.20140613) unstable; urgency=medium

  * Deal with savelog not supporting a count < 2.

 -- Joey Hess  Fri, 13 Jun 2014 12:03:31 -0400

ikiwiki-hosting (0.20140419) unstable; urgency=medium

  * When branching a site, do not copy over the database files including
    the session database and the list of email subscriptions.
  * Fix bug causing it to sometimes wrong username prefix if only one
    domain is configured. (smcv)
  * Fix failures when run in a directory others cannot read (such as a
    protected /root). (anarcat, smcv)
  * Several changes to SSL handling (smcv)
    - Add per-site SSL and source configuration files,
      apache-ssl.conf.tmpl and apache-source.conf.tmpl in addition to
      the already used apache.conf.tmpl.
    - ikiwikihosting ikiwiki plugin now has a redirect_to_https setting,
      so users can choose whether their site should force users to
      access it via https.
    - Previously, when ssl was enabled, alias urls always redirected to
      the http site. Now, this is only done when redirect_to_https is
      set.
  * Deal with apache 2.4 upgrade, including making sites-available files
    with the .conf extension. Remains compatible with apache 2.2. (smcv)
    Closes: #744789
  * Improved method of disabling mod_userdir. (smcv)

 -- Joey Hess  Sat, 19 Apr 2014 15:20:07 -0400

ikiwiki-hosting (0.20140227) unstable; urgency=medium

  * Fix length @array perl bug.

 -- Joey Hess  Thu, 27 Feb 2014 12:01:43 -0400

ikiwiki-hosting (0.20131025) unstable; urgency=high

  * Exclude the site from showing up as a referrer in the analog report.
  * Fix XSS in site creation interface. Thanks, Gopal Bisht.
    CVE-2013-6047

 -- Joey Hess  Fri, 25 Oct 2013 18:17:44 -0400

ikiwiki-hosting (0.20130926) unstable; urgency=low

  * ikisite now contains its own /etc/ikiwiki/wikilist update
    subcommands, avoiding the need for ikiwiki-update-wikilist to be
    made suid in order to keep ikiwiki-mass-rebuild working.
  * https can be enabled for a site by dropping a SSL key and
    certificate into /etc/ikiwiki-hosting/config/$username/ssl.{key,crt}
    and running ikisite enable.
  * Also, a wildcard SSL certificate can be configured to be used by
    sites that do not have their own DNS.

 -- Joey Hess  Mon, 26 Aug 2013 01:18:52 -0400

ikiwiki-hosting (0.20130504) unstable; urgency=low

  * One word of the comment at the end of ssh keys is now preserved.
  * ikisite logs: New command that can tail or dump the apache
    access.log. Designed to be run remotely.
  * iki-git-shell: Allow the remote user to specify a command of
    "logview" or "logdump", to tail or dump the access.log.
  * Site admins can now view analog reports, if allow_analog_reports is
    set in ikiwiki-hosting.conf.
  * ikisite-calendar is not run for sites that do not have archivebase
    configured, allowing use of the calendar plugin without archive page
    generation when desired.

 -- Joey Hess  Sat, 04 May 2013 23:51:34 -0400

ikiwiki-hosting (0.20120527) unstable; urgency=low

  * Add cron.d job to run ikiwiki aggregation every 5 minutes for sites
    that need it. I thought I had merged this from Branchable's tweaks
    earlier.
  * Add welcome banner support after making a new site, enabled by
    uncommenting the welcome_redir setting.

 -- Joey Hess  Sun, 27 May 2012 17:23:40 -0400

ikiwiki-hosting (0.20120526) unstable; urgency=low

  * makesite.tmpl: Typo fix.
  * Conflict with the parallel package, which diverts away the moreutils
    parallel and would break the RSS/Atom aggregation cron job.

 -- Joey Hess  Sat, 26 May 2012 15:14:17 -0400

ikiwiki-hosting (0.20120425) unstable; urgency=low

  * Add the ability to hardcode the site's IP address in
    ikiwiki-hosting.conf, rather than looking at interfaces.
    Thanks, Antoine Beaupré.
  * Enable gitweb blame feature.
  * Add libgravatar-url-perl to depends.
  * Move removal code for /etc/ikiwiki-hosting/keys/dns/ from
    ikiwiki-hosting-web to ikiwiki-hosting-common, which creates it.
    Closes: #670432

 -- Joey Hess  Wed, 25 Apr 2012 12:22:12 -0400

ikiwiki-hosting (0.20120131) unstable; urgency=low

  * Fix quoting issue in use of which to determine if package is
    installed. Closes: #658063

 -- Joey Hess  Tue, 31 Jan 2012 15:53:19 -0400

ikiwiki-hosting (0.20120125) unstable; urgency=low

  * Add the adduser_basedir configuration file setting, which can be
    used to create sites someplace other than /home.
    Thanks, Philip Hands.
  * Don't use savelog -C, it spews an ls error message.
  * ikisite checksetup: Bugfix, when plugins are added or removed and
    there are no other changes, the site was not updated.
  * Use invoke-rc.d. Closes: #657336

 -- Joey Hess  Wed, 25 Jan 2012 15:00:37 -0400

ikiwiki-hosting (0.20111005) unstable; urgency=low

  * ikisite-wrapper: Allow getsetup subcommand to access the branchable
    and adminuser values, which are needed when branching.

 -- Joey Hess  Wed, 05 Oct 2011 13:32:12 -0400

ikiwiki-hosting (0.20110926) unstable; urgency=low

  * Further hardening: Use setsid when running code as a site user.
  * Add libtext-multimarkdown-perl to depends, needed for multimarkdown
    support (see #630705).
  * Fix disablesshkey.

 -- Joey Hess  Mon, 26 Sep 2011 14:01:06 -0400

ikiwiki-hosting (0.20110608) unstable; urgency=low

  * Set timezone to GMT in auto setup files, to avoid random system
    timezones from leaking out to existing sites when changesetup or
    upgrade is run.
  * gitpush: Push non-master branches too.
  * Configure git-daemon to know about external domain names of sites.
  * missingsite: Stop providing an index.cgi, just use apache.conf.tmpl
    for the missingsite to DirectoryIndex index.html ikiwiki.cgi
  * More portable environment clearing.
  * ikisite analog: Output to stdout, not stderr.
  * ikisite logview: Tails logs.

 -- Joey Hess  Wed, 08 Jun 2011 10:29:25 -0400

ikiwiki-hosting (0.20110515) unstable; urgency=low

  * Improve security robustness, blocking escalation from site users to
    httpd user, by moving apache log directory out of users home
    directory to /var/log/ikiwiki-hosting/, and using suexec with cgi
    programs moved to /var/www. Thanks, Simon McVittie
  * Lock down permissions of ikiwiki.setup, .git, .gitconfig,
    .gitignore, public_html/, source/, apache/.
  * Lock down source.git, unless branchability is enabled.
  * The apache.conf.tmpl files are no longer read from the user's home
    directory, but instead from /etc/ikiwiki-hosting/config/$username/.
  * Note that previously created sites will continue using the old
    locations and permissions. Using "ikisite upgrade" to upgrade them
    is highly recommended.
  * Added support for anonymous git push. It will only work if the home
    directory of a site is on a filesystem that supports POSIX ACLs,
    otherwise git-daemon won't be able to write to the source.git
    directory.
  * Anonymous git push enabled by default for new wikis, not for blogs
    or existing sites.
  * Support ipv6-only operation.
  * Add gitpush plugin, which can be used to push changes to a site on
    to other git repositories.
  * Remove dns key directory on purge. Closes: #625817
  * Don't run cron jobs once removed. Closes: #625815

 -- Joey Hess  Sun, 15 May 2011 16:23:42 -0400

ikiwiki-hosting (0.20110424) unstable; urgency=low

  * Remove unused dependency on libdigest-sha1-perl. Closes: #623957

 -- Joey Hess  Sun, 24 Apr 2011 16:02:16 -0400

ikiwiki-hosting (0.20110420) unstable; urgency=low

  * ikisite sudo: Use SHELL if set; /bin/sh as dash is a horrible
    interactive shell.
  * better handling of www special case when making a site
  * ikiwiki-hosting-web-backup: Fix removal of morgued sites from
    primary backup.
  * ikisite checklock renamed to checksite, and can check that a
    requested nonce has been created, to notice if site creation crashed
    part way through.
  * Include copy of entire AGPL in debian/copyright due to absurd policy
    requirements that it not be in a separate file, despite all common
    licenses being shipped in separate files in Debian.

 -- Joey Hess  Wed, 20 Apr 2011 15:52:38 -0400

ikiwiki-hosting (0.20110401) unstable; urgency=low

  * Initial release to Debian.

 -- Joey Hess  Fri, 01 Apr 2011 20:41:11 -0400