1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
|
ikiwiki-hosting (0.20180720) UNRELEASED; urgency=medium
* Avoid directly running init scripts, instead use the service command.
* Avoid running apache2ctl graceful which may restart apache, instead use
the service command.
-- Joey Hess <id@joeyh.name> Wed, 17 Apr 2019 11:03:52 -0400
ikiwiki-hosting (0.20180719) upstream; urgency=medium
[ Joey Hess ]
* ikisite: Deleting per-domain letsencrypt cert when a wildcard cert
exists was too dangerous and buggy, including sometimes deleting the
letsencrypt wildcard cert. Removed that behavior; any per-domain cert
will be used in preference to the wildcard cert.
* Further fix to IkiWiki::Hosting for syslog name change.
(Fixes ikidns)
* ikidns: Fix typo in letsencrypt command.
[ Simon McVittie ]
* debian: Pass dpkg-buildflags CFLAGS to make
* debian: Override dh_missing to detect any files that are installed by
dh_auto_install but not packaged
-- Joey Hess <id@joeyh.name> Thu, 19 Jul 2018 10:03:48 -0400
ikiwiki-hosting (0.20180610) upstream; urgency=medium
[ Joey Hess ]
* Renamed IkiWiki::Hosting::syslog to IkiWiki::Hosting::logger to avoid
conflict with Sys::Syslog::syslog.
* Prevent ikisite letsencrypt from unncessarily reloading apache when
there is no configuration change. ikisite maintaincerts runs it once
per site, and the resulting many reloads of apache close together
tended to cause apache to fall over, due to bug #873115.
* ikiwiki-hosting.conf: Removed wildcard_ssl_cert, wildcard_ssl_key,
wildcard_ssl_chain, and in its place added wildcard_ssl_cert_dir.
* ikidns: Added letsencrypt command, which generates wildcard certificates
for the domains listed in ikiwiki-hosting.conf, using DNS verification.
This needs the python3-certbot-dns-rfc2136 package to be installed,
and ikidns to have already been used to configure the dns server.
* ikisite letsencrypt: Avoid getting a per-domain cert when a usable
wildcard cert exists.
* ikisite letsencrypt: When a per-domain cert was already obtained,
and a wildcard cert now exists, the per-domain cert will be deleted,
and the wildcard cert used.
[ Simon McVittie ]
* build: Use `set -e` to trap failure in shell loops
* build: Add a `dist` target to the Makefile
* Move d/changelog to ./CHANGELOG
* Separate upstream releases from Debian packaging
* debian/control: Don't use autopkgtest-pkg-perl. Since 0.20160811 the
autogenerated test list is not used.
* ikiwiki-hosting-web: Depend on real package apache2-suexec-pristine
in preference to virtual apache2-suexec
* ikiwiki-hosting-web: Add missing dependency on lsb-base
* debian/control: Declare compliance with Debian Policy 4.1.4
-- Simon McVittie <smcv@debian.org> Sun, 10 Jun 2018 18:47:55 +0100
ikiwiki-hosting (0.20170622) unstable; urgency=medium
[ Joey Hess ]
* remove, letsnotencrypt: Remove Lets Encrypt renewal file, to avoid
the cron job trying to renew deleted sites.
* Fix deletion of sites that use https over the web interface.
* HTTP Strict Transport Security (HSTS) is enabled for all
sites that have redirect_to_https set in their configuration.
Thanks, Antoine Beaupré.
* Improve ikisite backup to lock the wiki for a much shorter period of time.
* Remove .ikiwiki/sessions.db from the ikisite backup, as the file can be
rather large, and losing it only means users have to log back in sooner
than would otherwise be the case.
* ikisite-wrapper: Allow ikisite enable to be run via the wrapper.
The CGI uses this to update the site config of an already enabled site
when enabling eg redirect_to_https or adding a DNS alias.
[ Simon McVittie ]
* debian/copyright: Use preferred https URL for Format
* debian/control: Declare compliance with Debian Policy 4.0.0
* debian: Update to debhelper compat level 10
-- Simon McVittie <smcv@debian.org> Thu, 22 Jun 2017 10:08:31 +0100
ikiwiki-hosting (0.20161219) unstable; urgency=medium
[ Joey Hess ]
* Initial support for Lets Encrypt.
* The use_letsencrypt setting can be set for a site by running
ikisite letsencrypt domain, and it will attempt to get the certificate
for it using certbot.
* ikisite domains: Update certificate using certbot when set of domains
changes.
* Added ikisite maintaincerts to request/renew Lets Encrypt certs as needed,
and added it to the daily cron job.
* The files /etc/ikiwiki-hosting/config/$username/domain.{crt,key,chain}
are used, when they exist, in preference to the files
/etc/ikiwiki-hosting/config/$username/ssl.{key,crt}. This allows
a site with multiple domains to have different certificates
for them. The Lets Encrypt support uses this.
-- Simon McVittie <smcv@debian.org> Mon, 19 Dec 2016 20:34:25 +0000
ikiwiki-hosting (0.20160811) unstable; urgency=medium
* Explicitly remove current working directory from Perl's library
search path, mitigating CVE-2016-1238 (see #588017)
* Add a simple autopkgtest for creating and deleting a site
* Standards-Version: 3.9.8 (no changes required)
* debian/rules: enable compiler hardening
-- Simon McVittie <smcv@debian.org> Thu, 11 Aug 2016 10:47:22 +0100
ikiwiki-hosting (0.20160123) unstable; urgency=medium
* Fix the escaping of { in HostingAutomator by also escaping the },
fixing a regression that broke `ikisite create`
-- Simon McVittie <smcv@debian.org> Sat, 23 Jan 2016 18:36:45 +0000
ikiwiki-hosting (0.20160121) unstable; urgency=medium
[ Joey Hess ]
* Fix looping redirection when redirect_to_https is set.
Thanks, Antoine Beaupré.
* controlpanel: Display unfocused site buttons with low opacity, but still
display them. This is an accessability fix; the old hiding method broken
caret browsing and screenreaders.
[ Simon McVittie ]
* d/control: use https for Homepage
* d/control: use pkg-perl autopkgtest setup
* Fix "unescaped left brace in regex is deprecated" with Perl 5.22
* Normalize packaging through `wrap-and-sort -abst`
* Depend on libimage-magick-perl in preference to transitional
perlmagick package, similar to #789221 in ikiwiki
-- Simon McVittie <smcv@debian.org> Thu, 21 Jan 2016 22:46:57 +0000
ikiwiki-hosting (0.20150614) unstable; urgency=medium
[ Joey Hess ]
* Debian maintainer changed to Simon McVittie.
* Added support for emailauth.
* Add libcgi-pm-perl to depends.
* When creating a new site using makesite plugin, the adminemail
is not set to the user's email address, since that would make
emailauth messages come from that email address, which
might not work due to eg, SPF.
* Add libcoy-perl to depends, for ikiwiki's haiku plugin.
[ Simon McVittie ]
* Ask recent ikiwiki to run in deterministic mode
* Set Vcs-Browser
* debian/source/format: set to 3.0 (native)
* Standards-Version: 3.9.6 (no changes)
-- Simon McVittie <smcv@debian.org> Sun, 14 Jun 2015 21:03:02 +0100
ikiwiki-hosting (0.20140613) unstable; urgency=medium
* Deal with savelog not supporting a count < 2.
-- Joey Hess <joeyh@debian.org> Fri, 13 Jun 2014 12:03:31 -0400
ikiwiki-hosting (0.20140419) unstable; urgency=medium
* When branching a site, do not copy over the database
files including the session database and the list of email
subscriptions.
* Fix bug causing it to sometimes wrong username prefix if only one
domain is configured. (smcv)
* Fix failures when run in a directory others cannot read (such as a
protected /root). (anarcat, smcv)
* Several changes to SSL handling (smcv)
- Add per-site SSL and source configuration files,
apache-ssl.conf.tmpl and apache-source.conf.tmpl in addition
to the already used apache.conf.tmpl.
- ikiwikihosting ikiwiki plugin now has a redirect_to_https
setting, so users can choose whether their site should force users
to access it via https.
- Previously, when ssl was enabled, alias urls always redirected
to the http site. Now, this is only done when
redirect_to_https is set.
* Deal with apache 2.4 upgrade, including making sites-available files
with the .conf extension. Remains compatible with apache 2.2.
(smcv) Closes: #744789
* Improved method of disabling mod_userdir. (smcv)
-- Joey Hess <joeyh@debian.org> Sat, 19 Apr 2014 15:20:07 -0400
ikiwiki-hosting (0.20140227) unstable; urgency=medium
* Fix length @array perl bug.
-- Joey Hess <joeyh@debian.org> Thu, 27 Feb 2014 12:01:43 -0400
ikiwiki-hosting (0.20131025) unstable; urgency=high
* Exclude the site from showing up as a referrer in the analog report.
* Fix XSS in site creation interface. Thanks, Gopal Bisht.
CVE-2013-6047
-- Joey Hess <joeyh@debian.org> Fri, 25 Oct 2013 18:17:44 -0400
ikiwiki-hosting (0.20130926) unstable; urgency=low
* ikisite now contains its own /etc/ikiwiki/wikilist update subcommands,
avoiding the need for ikiwiki-update-wikilist to be made suid in
order to keep ikiwiki-mass-rebuild working.
* https can be enabled for a site by dropping a SSL key and
certificate into /etc/ikiwiki-hosting/config/$username/ssl.{key,crt}
and running ikisite enable.
* Also, a wildcard SSL certificate can be configured to be used by
sites that do not have their own DNS.
-- Joey Hess <joeyh@debian.org> Mon, 26 Aug 2013 01:18:52 -0400
ikiwiki-hosting (0.20130504) unstable; urgency=low
* One word of the comment at the end of ssh keys is now preserved.
* ikisite logs: New command that can tail or dump the apache access.log.
Designed to be run remotely.
* iki-git-shell: Allow the remote user to specify a command of "logview"
or "logdump", to tail or dump the access.log.
* Site admins can now view analog reports, if allow_analog_reports is
set in ikiwiki-hosting.conf.
* ikisite-calendar is not run for sites that do no have archivebase
configured, allowing use of the calendar plugin without archive page
generation when desired.
-- Joey Hess <joeyh@debian.org> Sat, 04 May 2013 23:51:34 -0400
ikiwiki-hosting (0.20120527) unstable; urgency=low
* Add cron.d job to run ikiwiki aggregation every 5 minutes
for sites that need it. I thought I had merged this from
Branchable's tweaks earlier.
* Add welcome banner support after making a new site,
enabled by uncommenting the welcome_redir setting.
-- Joey Hess <joeyh@debian.org> Sun, 27 May 2012 17:23:40 -0400
ikiwiki-hosting (0.20120526) unstable; urgency=low
* makesite.tmpl: Typo fix.
* Conflict with the parallel package, which diverts away the
moreutils parallel and would break the RSS/Atom aggregation cron job.
-- Joey Hess <joeyh@debian.org> Sat, 26 May 2012 15:14:17 -0400
ikiwiki-hosting (0.20120425) unstable; urgency=low
* Add the ability to hardcode the site's IP address in ikiwiki-hosting.conf,
rather than looking at interfaces. Thanks, Antoine Beaupré.
* Enable gitweb blame feature.
* Add libgravatar-url-perl to depends.
* Move removal code for /etc/ikiwiki-hosting/keys/dns/ from
ikiwiki-hosting-web to ikiwiki-hosting-common, which creates it.
Closes: #670432
-- Joey Hess <joeyh@debian.org> Wed, 25 Apr 2012 12:22:12 -0400
ikiwiki-hosting (0.20120131) unstable; urgency=low
* Fix quoting issue in use of which to determine if package is installed.
Closes: #658063
-- Joey Hess <joeyh@debian.org> Tue, 31 Jan 2012 15:53:19 -0400
ikiwiki-hosting (0.20120125) unstable; urgency=low
* Add the adduser_basedir configuration file setting, which can be used
to create sites someplace other than /home. Thanks, Philip Hands.
* Don't use savelog -C, it spews an ls error message.
* ikisite checksetup: Bugfix, when plugins are added or removed and there
are no other changes, the site was not updated.
* Use invoke-rc.d. Closes: #657336
-- Joey Hess <joeyh@debian.org> Wed, 25 Jan 2012 15:00:37 -0400
ikiwiki-hosting (0.20111005) unstable; urgency=low
* ikisite-wrapper: Allow getsetup subcommand to access the branchable
and adminuser values, which are needed when branching.
-- Joey Hess <joeyh@debian.org> Wed, 05 Oct 2011 13:32:12 -0400
ikiwiki-hosting (0.20110926) unstable; urgency=low
* Further hardening: Use setsid when running code as a site user.
* Add libtext-multimarkdown-perl to depends, needed for multimarkdown
support (see #630705).
* Fix disablesshkey.
-- Joey Hess <joeyh@debian.org> Mon, 26 Sep 2011 14:01:06 -0400
ikiwiki-hosting (0.20110608) unstable; urgency=low
* Set timezone to GMT in auto setup files, to avoid random system timezimes
from leaking out to existing sites when changesetup or upgrade is run.
* gitpush: Push non-master branches too.
* Configure git-daemon to know about external domain names of sites.
* missingsite: Stop providing an index.cgi, just use apache.conf.tmpl
for the missingsite to DirectoryIndex index.html ikiwiki.cgi
* More portable environment clearing.
* ikisite analog: Output to stdout, not stderr.
* ikisite logview: Tails logs.
-- Joey Hess <joeyh@debian.org> Wed, 08 Jun 2011 10:29:25 -0400
ikiwiki-hosting (0.20110515) unstable; urgency=low
* Improve security robustness, blocking escalation from site users to
httpd user, by moving apache log directory out of users home directory
to /var/log/ikiwiki-hosting/, and using suexec with cgi programs moved
to /var/www.
Thanks, Simon McVittie
* Lock down permissions of ikiwiki.setup, .git, .gitconfig, .gitignore,
public_html/, source/, apache/.
* Lock down source.git, unless branchability is enabled.
* The apache.conf.tmpl files are no longer read from the user's home
directory, but instead from /etc/ikiwiki-hosting/config/$username/.
* Note that previously created sites will continue using
the old locations and permissions. Using "ikisite upgrade"
to upgrade them is highly recommended.
* Added support for anonymous git push.
It will only work if the home directory of a site is on a
filesystem that supports POSIX ACLs, otherwise git-daemon
won't be able to write to the source.git directory.
* Anonymous git push enabled by default for new wikis,
not for blogs or existing sites.
* Support ipv6-only operation.
* Add gitpush plugin, which can be used to push changes to a site on
to other git repositories.
* Remove dns key directory on purge. Closes: #625817
* Don't run cron jobs once removed. Closes: #625815
-- Joey Hess <joeyh@debian.org> Sun, 15 May 2011 16:23:42 -0400
ikiwiki-hosting (0.20110424) unstable; urgency=low
* Remove unused dependency on libdigest-sha1-perl. Closes: #623957
-- Joey Hess <joeyh@debian.org> Sun, 24 Apr 2011 16:02:16 -0400
ikiwiki-hosting (0.20110420) unstable; urgency=low
* ikisite sudo: Use SHELL if set; /bin/sh as dash is a horrible interactive
shell.
* better handling of www special case when making a site
* ikiwiki-hosting-web-backup: Fix removal of morgued sites from primary
backup.
* ikisite checklock renamed to checksite, and can check that a requested
nonce has been created, to notice if site creation crashed part way
through.
* Include copy of entire AGPL in debian/copyright due to absurd policy
requirements that it not be in a separate file, despite all common
licenses being shipped in separate files in Debian.
-- Joey Hess <joeyh@debian.org> Wed, 20 Apr 2011 15:52:38 -0400
ikiwiki-hosting (0.20110401) unstable; urgency=low
* Initial release to Debian.
-- Joey Hess <joeyh@debian.org> Fri, 01 Apr 2011 20:41:11 -0400
|
