File: VERSION

package info (click to toggle)
myproxy 6.2.20-1
links: PTS, VCS
area: main
in suites: forky, sid
size: 3,340 kB
sloc: ansic: 24,830; sh: 4,636; perl: 3,675; makefile: 272
file content (922 lines) | stat: -rw-r--r-- 42,712 bytes
parent folder | download | duplicates (3)
This is MyProxy v6.2.
This version should be protocol compatible with all versions since v0.2.
Binary compatibility of the C API is not guaranteed between releases.

Version History
---------------
v6.2.8
- Update default run directory from /var/run to /run

v6.2.7
- Exit with error if voms-proxy-init fails

v6.2.6
- Remove LICENSE.globus file
- Add BuildRequires perl-interpreter
- Add additional perl dependencies for tests

v6.2.5
- Drop obsolete configure option --with-gpt
- Drop obsolete configure option --with-flavor
- Drop globus_automake_pre and globus_automake_post
- Clean up old GPT references
- Install myproxy-get-trustroots man page

v6.2.4
- Remove usage statistics collection support

v6.2.3
- remove macro overquoting

v6.2.2
- Use 2048 bit CA key for myproxy tests

v6.2.1
- Fix -Werror=format-security errors

v6.2.0
- First Grid Community Toolkit release
- Remove support for openssl101e (RHEL5 is EOL)
- Disable usage statistics reporting by default
- Fix option parsing bug

v6.1.28
- Fix OpenSSL 1.1.0-related typo

v6.1.27
- Remove legacy SSLv3 support

v6.1.26
- Fix error check

v6.1.25
- Don't call ERR_GET_REASON twice #89

v6.1.24
- Fix crash in myproxy_bootstrap_trust() with OpenSSL 1.1.0c

v6.1.23
- Fixes for OpenSSL 1.1.0

v6.1.22
- Check for openssl 101e for epel5

v6.1.21
- Do not overwrite configuration flags

v6.1.20
- Updates for el.5 with openssl101e

v6.1.19
- update myproxy debug/error msgs for accepted_peer_names type change

v6.1.18
- Spelling

v6.1.17
- Handle error returns from OCSP_parse_url

v6.1.16
- Handle invalid proxy_req type

v6.1.15
- GT-616: Myproxy uses resolved IP address when importing names

v6.1.14
- improve rfc2818 name comparison handling

v6.1.13
- Fixed 2 instances of underallocation of memory.

v6.1.12
- Missing -module

v6.1.11
- Fix missing redirect in date detection autoconf

v6.1.10
- Fix version and date string macros

v6.1.9
- Myproxy systemd fix

v6.1.8
  - Properly extract MINOR_VERSION from a three digit PACKAGE_VERSION
  - Fix undefined symbols in myproxy-voms plugin
  - Don't install test wrapper
  - Comments are not allowed in tmpfile.d config files

v6.1.7
  - Allow TLS in myproxy-get-trustroots and myproxy-logon -T

v6.1.6
  - Make VOMS dependency optional

v6.1.5
  - Minor packaging fixes

v6.1.4
  - Stop patching myproxy.sysconfig

v6.1.3
  - Fix incorrect soname change

v6.1.2
  - Update arg parsing to Getopt::Long

v6.1.1
  - Increment library age

v6.1 Oct 2014
  - portability, man page, and build script fixes from Mattias Ellert
  - first release from https://github.com/globus/globus-toolkit sources

v6.0 Jul 2014
  - disable usage stats collection by default
  - make myproxy-server's credential repository storage directory
    optional and run in "CA only" mode if no valid storage directory
  - update default for certificate_issuer_hashalg from sha1 to sha256  
  - handle very long usernames (avoiding ENAMETOOLONG) by creating
    hashed filename in MyProxy repository when username or credname is
    longer than 80 characters - can be overridden by
    MYPROXY_CREDS_MAX_NAMELEN environment variable
    (https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7275)
  - use unbuffered I/O on stdin read of passwords
    (http://jira.globus.org/browse/GT-387)
  - create files in certificate_out_dir with 0600 mode
  - check for out of bounds lifetime values (integer overflows)
    (https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7263)
  - remove Pubcookie support in myproxy-server
  - update build scripts for GT6

v5.9 Jul 2012
  - fix a memory error in myproxy-logon --voms
    when more than 19 entries in vomses file
    (https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7261)

v5.8 Jun 2012
  - fixes for myproxy-server VOMS attribute support:
    API updates for libvomsapi, fixes for FQAN regex matching
  - fix for myproxy-server "Failed to load sub-CA certs from file"
    error when using certificate_issuer_subca_certfile
    (https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7259)
  - update $GLOBUS_LOCATION paths for GT 5.2 in etc.init.d.myproxy

v5.7 May 2012
  - add IPv6 support
    (https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7252)
  - update configure script for platforms where pidfile_open is
    defined in libbsd
  - support limited proxy certificates in myproxy-logon -voms by
    passing -limited option to voms-proxy-init as needed
    (https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7250)
  - add support for TLS 1.1 and TLS 1.2 using OpenSSL 1.0.1 and later

v5.6 20 Feb 2012
  - in myproxy-logon --voms, use voms-proxy-init -valid H:M rather
    than voms-proxy-init -hours H so proxy lifetime matches assertion
    lifetime
    (https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7244)
  - on myproxy-server daemon startup, don't exit original process
    until daemon child has completed initialization
    (https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7240)
  - improve myproxy-server pidfile creation: when root, write pidfile
    by default to /var/run/myproxy.pid; write pidfile on startup
    before detaching from parent process; lock pidfile to avoid
    collisions; remove pidfile on SIGTERM shutdown
    [LICENSE.pidfile added for pidfile.c from FreeBSD's libutil.]
    (https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7240)
  - allow escaping of '.' in regular expressions
    (https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7213)
  - when converting to POSIX extended regular expressions for DN
    matching, wrap the expression inside '^(' and ')$' instead of just
    '^' and '$' to ensure matching the entire DN using proper operator
    precedence
    (https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7215)
  - add liblber to link line when using --with-openldap
    (https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7217)
  - fix section number in myproxy-admin-query man page
    (https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7219)
  - in myproxy-admin-load-credential, handle the case of running as
    root but /var/lib/myproxy owned by non-root by switching to the
    non-root user before writing the credential files
    (https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=7234)

v5.5 5 Sep 2011
  - undo escaping of POSIX extended regular expression meta-characters
    in myproxy-server authorization policies (introduced in v5.1)
    to enable full use of POSIX ERE capabilities. For literal matching
    of parentheses and brackets, the characters must again be
    explicitly escaped (i.e., '\(' and '\)'). Non-POSIX handling of
    wildcard characters ('*' and '?') is maintained for backward
    compatibility, so these characters must be escaped if POSIX ERE
    behavior is desired.
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7211)
  - in MyProxy CA, ensure that any domainComponent or emailAddress
    components in the certificate subject are type IA5String per RFC 5280
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7201)
  - add myproxy-logon --certreq option, to accept an externally
    generated certificate request rather than generating private key
    and request internally
    (http://bugzilla.ncsa.uiuc.edu/show_bug.cgi?id=347)
  - in myproxy-server, fix abort when processing INFO response when
    the user has stored credentials both with and without a credential
    name; bug was introduced in myproxy-server v4.9
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7209)
  - use /var/lib/myproxy as first choice default storage directory,
    for Filesystem Hierarchy Standard compliance; still fallback to
    /var/myproxy and $GLOBUS_LOCATION/var/myproxy for alternatives
  - fix erroneous error message when no VOMS attributes found
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7207)

v5.4 22 Apr 2011
  - support disabling reverse DNS lookup of server hostname in MyProxy clients
    by setting the environment variable GLOBUS_GSSAPI_NAME_COMPATIBILITY
    to STRICT_RFC2818
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6789)
  - prefer to link with libvomsapi instead of libvomsc
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7133)
  - fix double-free in myproxy_install_trusted_cert_files() on write error
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7135)
  - add myproxy-test -generatecerts option and remove dependency on $HOME
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7139)
  - myproxy-server trustroots security improvements:
    - cert_dir no longer defaults to /etc/grid-security/certificates.
    - Server will ignore requests for trustroots if cert_dir is not
      defined.
    - Server will refuse to start if the trustroots directory set using
      cert_dir contains any regular files that are not world-readable.
    - Once started, the server will skip (i.e. will not return to client)
      any regular files found later to NOT have world-readable permissions.
  - fix GPT dependency on globus_proxy_utils package
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7151)
  - Allow empty SASL responses. Needed for Moonshot GS2.
    (http://www.project-moonshot.org/devwiki//testing/myproxy/)

v5.3 17 Jan 2011
  - fix myproxy-logon bug in versions 5.0-5.2 that disabled
    myproxy-server identity verification
    (http://grid.ncsa.illinois.edu/myproxy/security/myproxy-adv-2011-01.txt)
  - if myproxy-logon GSI mutual authentication with the myproxy-server
    fails, try again with client-side anonymous authentication,
    in case the client-side GSI credentials are unacceptable to the
    myproxy-server (for example, signed by an untrusted CA), but the
    myproxy-server would accept an anonymous client
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7103)
  - fix configure checks for globus_usage_stats_send,
    globus_usage_stats_send_array, and
    globus_gsi_proxy_handle_set_extensions when installing without
    existing Globus libraries in LD_LIBRARY_PATH
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7098)
  - in myproxy-server-setup, look in /sbin and /usr/sbin for chkconfig
    or update-rc.d in case they're not in PATH
  - add certificate_issuer_subca_certfile option in myproxy-server.config 
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7119)
  - make all Globus Usage library errors non-fatal
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7111)
  - add myproxy-logon support for requesting certificates containing
    VOMS assertions from myproxy-servers that have
    "allow_voms_attribute_requests true" in myproxy-server.config; if
    the myproxy-server does not add the requested VOMS assertion,
    myproxy-logon tries to add it by running voms-proxy-init as before

v5.2 22 Jun 2010
  - allow specification of port numbers in MYPROXY_SERVER list
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7039)
  - support PKCS8 encoded private keys in myproxy-retrieve,
    myproxy-store, and myproxy-admin-load-credential
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7033)
  - add work-around for Globus libraries blocking signals (SIGTERM,
    SIGCHLD, SIGHUP, etc.) when myproxy-server is built with pthr
    flavor (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=7048)
  - increase default RSA key sizes from 1024 bits to 2048 bits per
    NIST SP 800-57 and add MYPROXY_KEYBITS environment variable for
    setting custom RSA key sizes
  - fix configure check for facilitynames structure on Linux to
    support myproxy-server.config syslog_facility option mapping of
    names to numeric values
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6983)
  - add myproxy-admin-adduser -v (verbose) option
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6963)
  - bug fix for possible truncation of ca_ldap_connect_passphrase
    value from myproxy-server.config

v5.1 9 Mar 2010
  - fix configure script check for non-flavored globus_usage and
    globus_gsi_proxy_core libraries for Fedora/EPEL RPM compatibility
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6897)
  - fix myproxy-logon -T segfault after "removed bad CRL file" message
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6909)
  - add server-side support for including VOMS attributes in
    retrieved credentials (from the repository); requires setting
    "allow_voms_attribute_requests true" in myproxy-server.config
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6882)
  - add support for LDAP StartTLS
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6957)
  - fix myproxy-test behavior when -startserver is not given
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6959)
  - fix parsing of certificate_issuer_hashalg (broken since v4.8)
  - treat trustroot file contents as binary data rather than text
    in myproxy-logon -T / myproxy-get-trustroots
  - fix escaping of POSIX extended regular expression meta-characters
    in myproxy-server authorization policies
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6903)
  - added support for GT 4.0.8 metrics library, for backward
    compatibility, and require linking with globus_usage library;
    usage collection can be disabled by setting
    "GLOBUS_USAGE_OPTOUT=1" in the environment of the myproxy-server
  - fix myproxy.h header dependencies
  - changes for compatibility with OpenSSL 1.0.0-beta5

v5.0 4 Dec 2009
  - add Globus Usage Metrics to the myproxy-server
  - in myproxy-server, atomically update credential files and avoid
    unnecessary file copies; NOTE API CHANGE: myproxy_creds_store()
    now moves file to the repository, rather than copying it
  - add myproxy-server.config request_size_limit parameter to control
    myproxy-server network limits, and fix network limit handling to
    apply only to myproxy-server (not clients), so clients can handle
    large X509_CERT_DIR contents
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6889)
  - include extendedKeyUsage=clientAuth in EECs by default per GFD.125
  - add myproxy-logon/myproxy-get-trustroots -b option to allow
    bootstrapping CA trust even when X509_CERT_DIR exists
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6886)
  - myproxy-logon -T / myproxy-get-trustroots fixes/improvements:
    - when cleaning bad CRLs, also remove any CRLs we can't parse
    - when recovering from CRL errors, allow anonymous authentication
      on second attempt, just like first attempt
    - when bootstrapping, restrict CA trust to only the one
      certificate subject needed, rather than a wildcard

v4.9 2 Nov 2009
  - fix support for "check_multiple_credentials true" in
    myproxy-server.config, disabled since v4.4
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6878);
    changes include:
    - limit check_multiple_credentials functionality to GET requests
      (myproxy-logon) only
    - in authorization failures, give underlying error message rather
      than check_multiple_credentials unique error message
    - add myproxy-test cases for check_multiple_credentials and
      myproxy-admin-query

v4.8 10 Sep 2009
  - add myproxy-server.config proxy_extfile and proxy_extapp options
    for including custom certificate extensions in proxy certificates
    issued from the MyProxy repository (analogous to
    certificate_extfile and certificate_extapp for the CA module);
    requires GT 4.2.0 libraries (or later)
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6786)
  - look for VOMS header files in include/voms directory for
    compatibility with Fedora's VOMS package
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6847)
  - exit with an error message when --voms and -o - are used together
    in myproxy-logon
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6807)
  - fix a memory error in myproxy-info/myproxy-destroy error handling
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6849)
  - check myproxy-server.config lines for correct number of arguments
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6852)

v4.7 6 May 2009
  - in myproxy-get-trustroots and myproxy-logon -T, update files
    atomically (using rename) rather than overwriting
  - add myproxy-get-trustroots.cron example for keeping
    /etc/grid-security/certificates up-to-date
  - support linking against flavored VOMS libraries
  - fix "self-authorization" check for CA requests
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6713)
  - check certificate requests and issued certificates in the CA:
    (http://bugzilla.globus.org/globus/show_bug.cgi?id=6648)
    - add certificate_request_checker and certificate_issuer_checker
      options in myproxy-server.config for specifying call-outs
      before and after the MyProxy CA signs certificates
    - example myproxy-cert-checker and myproxy-certreq-checker
      call-outs are installed in $GLOBUS_LOCATION/share/myproxy
    - only accept RSA keys in certificate requests
    - don't allow RSA exponents < 65537
    - add min_keylen option in myproxy-server.config for specifying a
      minimum allowed RSA key length
  - add syslog_facility option in myproxy-server.config to configure
    the myproxy-server to log to the specified syslog facility; the
    default is the "daemon" facility
    (http://bugzilla.globus.org/globus/show_bug.cgi?id=6717)
  - added an example in myproxy-accepted-credentials-mapapp
    of how to ban users
    (http://grid.ncsa.illinois.edu/myproxy/blacklist.html)
  - added myproxy-admin-query -o option to query by owner DN
  - replace fixed-length buffer in read_data_file() (credential
    repository file parser) with dynamically-sized buffer to support
    credentials with policies longer than 511 characters
    (http://bugzilla.globus.org/globus/show_bug.cgi?id=6723)
  - added certificate_serial_skip in myproxy-server.config to support
    staggered serial numbers across multiple CA instances
  - added certificate_issuer_hashalg in myproxy-server.config to
    configure the MyProxy CA to issue certificates using SHA-2 hash
    algorithms (SHA-224, SHA-256, SHA-384, SHA-512) rather than SHA-1
    (the default). Requires OpenSSL 0.9.8 or later.

v4.6 25 Mar 2009
  - add myproxy-get-trustroots command to download trusted CA
    certificates without client-side authentication
    (http://bugzilla.globus.org/globus/show_bug.cgi?id=5899)
  - add sasl_mech, sasl_serverFQDN, and sasl_user_realm
    options to myproxy-server.config
  - include certificate subject in myproxy-admin-adduser output
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6324)
  - handle error response message from myproxy-server during delegation
    (http://bugzilla.ncsa.uiuc.edu/show_bug.cgi?id=359)

v4.5 12 Feb 2009
  - in myproxy-server, disallow release of a credential based only on
    authentication with a client credential of the same subject (i.e.,
    self-renewal) unless "allow_self_authorization true" is specified
    in myproxy-server.config
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6630)
  - fix myproxy-logon --voms interaction with --out option
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6612)
  - implement stricter checks on myproxy-server storage directory
    security using Safefile's safe_is_path_trusted_r()
    (http://pages.cs.wisc.edu/~kupsch/safefile/); for now, these
    checks result in WARNING messages rather than errors
  - added myproxy-server --portfile option, useful when binding to a
    random available port via myproxy-server --port 0
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6623)

v4.4 12 Dec 2008
  - allow $MYPROXY_SERVER and -s command-line options to be a
    comma-separated list of hostnames to try to connect to
  - in myproxy-server, fail on startup or reconfig with an "unsafe
    policy" error if a policy of trusted_retrievers "*" is specified
    without also specifying a restrictive default_trusted_retrievers
    policy, to avoid an unsafe policy that could release credentials
    to any client without additional authentication.
  - in myproxy-server, log info for the received client request before
    the authorization check, so we have the request info for
    troubleshooting purposes even if the request is denied.
  - in myproxy-server, fail on startup if PAM, SASL, or OCSP is
    configured in myproxy-server.config but the needed libraries are
    not linked in
  - fix problem with OpenSSL engine (for HSM support) being shutdown
    on child process failures
  - fix bug when issuing certificates with subject containing "//"
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6488)
  - add support for multiple --voms options to myproxy-init/logon
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6436)
  - added myproxy-info --credname option
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6561)
  - for myproxy-logon -T, bootstrap the trusted certificates directory
    atomically (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6432)
  - for myproxy-logon --voms, request the correct proxy type from
    voms-proxy-init
  - added example myproxy-revoke and myproxy-crl.cron scripts for
    revoking certificates issued by the MyProxy CA and generating CRLs
  - added max_cred_lifetime option in myproxy-server.config to limit
    the lifetime of credentials stored in the repository

v4.3 2 Sep 2008
  - improve MyProxy CA error message on incorrect passphrase.
    specifically, in myproxy-server, if passphrase in the request is
    non-empty, fail immediately if it can't be verified, rather than
    trying other methods; this forces other authentication methods
    (SASL, renewal) to send an empty passphrase (which current clients
    do by default), but it results in a better error message in the
    common case when an incorrect passphrase is given.  also stop
    appending "invalid pass phrase" to the more specific error
    message from PAM or OpenSSL.
  - fix -m command-line option for myproxy-init and myproxy-logon
  - fix myproxy-init --voms with GT_PROXY_MODE="old"
  - in myproxy-init --voms, use voms-proxy-init -vomslife so VOMS AC
    lifetime matches proxy lifetime
  - if myproxy-init --local_proxy and --voms options are used
    together, only call voms-proxy-init once, and use that proxy to
    create the local proxy (via grid-proxy-init)
  - add a default timeout of 120 seconds for myproxy-server child
    processes to service requests before aborting, customizable via
    the myproxy-server.config request_timeout parameter
  - in myproxy-server, read incoming messages up to 1MB maximum to
    avoid memory exhaustion under heavy load
  - on myproxy-server startup, perform more sanity checks before fork
    to become daemon so exit status of original process is set to 1 on
    errors (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6325)
  - in myproxy-server, don't re-read config file automatically on
    changes (i.e., undo change in v4.2); instead, re-read on SIGHUP
    (http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=5627)
  - add reconfig method to etc.init.d.myproxy
  - make myproxy-admin-adduser less verbose by only showing the output
    of grid-cert-request on errors
  - added myproxy-admin-adduser -p option for specifying the CA
    private key password using openssl format (see the PASS PHRASE
    ARGUMENTS section in the openssl(1) man page)
  - associate "Connection from xxx.xxx.xxx.xxx" syslog message with
    child pid so it matches up with other syslog messages for that
    client

v4.2 10 Jan 2008
  - add support for $GT_PROXY_MODE="rfc" in myproxy-init
  - in the myproxy-server, no longer default to issuing a "legacy
    globus proxy" from an end-entity certificate; instead, issue
    the default proxy type according to the GSI library version
  - drop support for $GT_PROXY_MODE="old" in myproxy-logon;
    however, myproxy-init still supports $GT_PROXY_MODE="old"
  - in myproxy-server, re-read config file automatically on changes
  - fixes for newer OpenSSL versions used in GT 4.2
  - fixes for MIT Kerberos 1.6 support (via SASL)

v4.1 10 Sep 2007
  - in myproxy-server, listen on $MYPROXY_SERVER_PORT if defined
  - for myproxy-logon/myproxy-retrieve -T, fix handling of zero length
    files and process only regular files (not subdirectories)

v4.0 11 Jul 2007
  - add myproxy-server-setup script for simple server install
  - fix myproxy-logon/myproxy-retrieve -T bug that caused trust
    bootstrap to fail when no certificates directory exists
  - add myproxy-admin-load-credential --retrieve_key and
    --retrievable_by_cert options
  - add myproxy-admin-addservice for distributing host/service
    credentials

v3.9 12 Jun 2007
  - update myproxy-logon/myproxy-retrieve -T behavior:
    - if no certificates directory exists, install the
      myproxy-server's CA certificate to bootstrap trust
    - if authentication to the myproxy-server fails due to a CRL
      error, remove problematic CRL file(s) and retry
    - if running as root, store trust roots in
      /etc/grid-security/certificates rather than
      ~root/.globus/certificates and credentials in
      /etc/grid-security/hostcert.pem/hostkey.pem
  - add --voms options to myproxy-init and myproxy-logon to add VOMS
    attributes, analogous to voms-proxy-init -voms; requires
    voms-proxy-init to be installed and configured
  - add myproxy-admin-query --config option

v3.8 13 Apr 2007
  - drop support for Globus Toolkit versions 3.0 and 2.4
  - fix myproxy-replicate errors for credentials with usernames or
    crednames containing spaces
  - fix server-side problem when linking against globus_gssapi_gsi
    version 4.12 and later that causes "no shared cipher" errors
  - return more concise error messages to clients for common errors,
    with additional diagnostics written to the server log
  - fix configure check for OCSP functions in OpenSSL for enabling
    OCSP support
  - for --help, --usage, and --version options, exit with status 0
    after printing help/usage/version information
  - add OpenSSL Engine support in the MyProxy CA to enable the use of
    hardware tokens via new myproxy-server.config
    certificate_openssl_engine options
  - check if client authenticates with a limited proxy, and if so,
    only allow the client to obtain another limited proxy, unless
    ignore_globus_limited_proxy_flag is set in myproxy-server.config
  - optionally store all certificates issued by the MyProxy CA in a
    directory via the certificate_out_dir myproxy-server.config option

v3.7 12 Dec 2006
  - fix handling of usernames containing '/', '-', and '.' characters;
    note this required a change to the myproxy-server repository
    format, so credential data files written by a new myproxy-server
    won't be readable by an older myproxy-server
  - verify that credentials in the myproxy-server repository are still
    valid (i.e., not revoked) before performing delegation
  - added myproxy-admin-query --invalid option for listing, locking,
    or removing invalid credentials from repository
  - optionally check OCSP status of stored credentials before
    performing delegation via myproxy-server.config ocsp settings;
    requires GT 3.2 (OpenSSL 0.9.7) or later
  - update etc.init.d.myproxy script to use pidfile to locate server
    to stop (rather than searching ps output), include a restart
    option, and exit with error if $GLOBUS_LOCATION isn't set
  - if the myproxy-server hostname given by $MYPROXY_SERVER or the -s
    option resolves to multiple IP addresses, clients will connect to
    each address until a connection is established or all fail
  - added accepted_credentials_mapapp call-out version of
    accepted_credentials_mapfile in myproxy-server.config
  - support unencrypted, although still signed, Pubcookie granting
    cookies as passwords
  - added myproxy-server.config syslog_ident option
  - improved MyProxy CA logging
  - added myproxy-server --listen to specify host/ip to bind to

v3.6 10 Aug 2006
  - support credential renewal via the MyProxy CA using
    myproxy-server.config authorized_renewers/default_renewers options
  - provide an access control list for storing credentials via the
    myproxy-server.config accepted_credentials_mapfile option
  - fix insecure temporary file handling in myproxy-admin-adduser
  - fix insecure input handling in myproxy-get-delegation.cgi example
  - support VOMS attributes in myproxy-server.config policies
  - in CA, issue certificates valid starting 5 minutes in the past to
    account for possible clock skew between hosts
  - add check_multiple_credentials option in myproxy-server.config
    to allow clients to retrieve a credential for a given username
    even if the associated "credential name" isn't provided (via
    myproxy-logon --credname)

v3.5 14 Mar 2006
  - dropped support for certificate_issuer option in
    myproxy-server.config; use certificate_issuer_cert instead
  - added myproxy_accept_delegation_ex() to retrieve credentials to a
    buffer rather than a file
  - in myproxy-logon, added support for writing credential to standard
    output via '-o -' option; also added --quiet option
  - added myproxy-logon --no_credentials option to authenticate
    without retrieving credentials
  - added certificate_mapapp call-out for mapping usernames to
    certificate subject distinguished names for the CA module
  - added certificate_extfile and certificate_extapp (call-out) for
    setting extensions in certificates issued by CA module
  - do not indicate in info command error output whether credentials
    owned by someone else exist, to avoid giving potentially useful
    information to an attacker
  - delegate credentials with minimum lifetime of 5 minutes to avoid
    problems with clock skew
  - fixed build problem with GT 2.4/3.0 introduced in v3.4:
    EVP_MD_CTX_cleanup() wasn't in OpenSSL 0.9.6

v3.4 19 Dec 2005
  - added myproxy-test -valgrind option for detecting memory errors
  - fixed memory errors found with myproxy-test -valgrind
  - fixed handling of lifetime=0 requests in myproxy-server

v3.3 2 Dec 2005
  - API changes: new trusted_retrievers member for
    struct myproxy_creds and struct myproxy_request_t
  - generate 1024 bit keys instead of 512 bit keys
  - add support for certificate-only authentication to the
    myproxy-server via myproxy-init -Z and myproxy-server.config
    trusted_retrievers options
  - add support for CA username to DN resolution via LDAP using
    myproxy-server.config ca_ldap options
  - add myproxy-server authentication support for Pubcookie
    (http://www.pubcookie.org/) granting cookie via
    pubcookie_granting_cert and pubcookie_app_server_key
    myproxy-server.config options
  - add myproxy-init --local_proxy option to create a local proxy
    credential after storing a credential on the myproxy-server
  - add myproxy-init --keyfile/--certfile options
  - fix segmentation fault on reverse lookup in client
  - fix SASL build problems on Darwin
  - fix client-side memory leak in GSI_SOCKET_authentication_init()
  - in CA, use SHA1 instead of MD5 digest algorithm, set CA:FALSE in
    X509v3 Basic Constraints, include X509v3 Subject Key Identifier,
    and optionally set email X509v3 Subject Alternative Name using
    certificate_issuer_email_domain in myproxy-server.config
  - support alternate syntax "min max" for GLOBUS_TCP_PORT_RANGE and
    improve error handling and documentation for this environment
    variable

v3.2 11 Oct 2005
  - fix fd_set compiler error introduced in v3.1

v3.1 11 Oct 2005
  - fix compilation problem on platforms without setenv()

v3.0 28 Sep 2005
  - add ability for myproxy-server to act as a CA by setting
    certificate_issuer options in myproxy-server.config
  - fix for static builds using 'gpt-build -static'
  - fixes for SASL support
  - increased myproxy-server's listen(2) backlog for improved
    scalability
  - modify myproxy-test to use "$LOGNAME.myproxy-test" for a username
    to avoid overwriting any existing credentials
  - include configured trusted certificate directory in debug/verbose
    output
  - install example myproxy-server.config to
    $GLOBUS_LOCATION/share/myproxy instead of potentially overwriting
    existing version in $GLOBUS_LOCATION/etc
  - warn on unknown directives in myproxy-server.config

v2.3 28 Jul 2005
  - fix AIX compliation problems in PAM module

v2.2 14 Jul 2005
  - fix TRU64 compilation problem
  - for --dn_as_username option, get DN from user proxy if available
    rather than requiring access to user certificate

v2.1 6 Jul 2005
  - fix compilation problem for ISO C89 compilers
  - fix myproxy-init compatibility with Java CoG grid-proxy-init in
    PATH (use grid-proxy-init -hours instead of -valid)
  - improve PAM error messages
  - fix error message on server-side authorized_renewers check
  - perform reverse lookup on server IP address for authorization
    consistency with other GSI clients
  - removed myproxy_resolve_hostname() from API

v2.0 8 Jun 2005
  - unified versioning with GPT packaging
  - added native PAM support (not requiring SASL)
  - added support for managing trusted CA certificates using
    myproxy-logon/myproxy-retrieve -T option
  - added the myproxy-replicate utility for managing multiple
    myproxy-server repository replicas for high availability
  - added myproxy_version() and myproxy_check_version() functions
    to verify headers match the shared library in use
  - fixed bug in previous version that caused myproxy-get-delegation
    not to be included in binary GPT installs
  - use system getopt_long() if available; otherwise, use included
    getopt_long from NetBSD instead of GNU version as previous
  - fixed server side bug where the default_key_retrievers policy was
    always applied even if the credential had a key retriever policy
  - fixed myproxy-test GT 2.4 compatibility problem in v0.6.5
  - fixed myproxy_get_delegation() signature, erroneously changed in
    v0.6.2, to maintain API-level compatibility
  - added dynamic buffer management for improved handling of large
    messages

v0.6.5 8 Apr 2005 (GPT package version 1.17)
  - added support for RFC 3820 proxy certificate format
  - renamed myproxy-get-delegation to myproxy-logon;
    kept myproxy-get-delegation symlink for backward compatibility
  - added myproxy-store and myproxy-retrieve commands for storing and
    retrieving credentials directly to/from the repository;
    note myproxy-retrieve support must be explicitly enabled by
    setting authorized_key_retrievers in myproxy-server.config
  - write temp proxy to /tmp/myproxy-proxy.<uid>.<pid> instead of
    /tmp/myproxy-proxy.<uid> so we can run more than one myproxy-init
    in an account at a time
  - added myproxy-test -performance option for performance testing
  - fixed potential logging race condition when running myproxy-server
    in verbose mode
  - fixed potential network race condition in myproxy-init
  - for myproxy-admin-change-pass, only prompt for existing password
    if existing credential is encrypted
  - check for invalid options passed to myproxy commands
  - fixed a myproxy-admin-change-pass segmentation fault when the
    storage directory is invalid
  - improve error messages for too-short passphrases (6 character minimum)

v0.6.4 4 Jan 2005 (GPT package version 1.16)
  - fixed file permission bug in myproxy-admin-load-credential

v0.6.3 22 Nov 2004 (GPT package version 1.15)
  - updated GPT packaging for compatibility with GT 3.9.3
    (globus_gssapi_gsi-4.0)
  - added support for $GT_PROXY_MODE="old" in myproxy-get-delegation,
    to retrieve a "legacy globus proxy" from an end-entity certificate
    stored in the MyProxy repository.
  - modified client tools to attempt connecting to the server first,
    before prompting for user input, to catch server problems early.
  - added initial experimental support for Kerberos authentication via
    the SASL/GSSAPI mechanism.
  - removed dependency on perl Expect package in myproxy-test
  - added myproxy-test -startserver option
  - added myproxy-server --pidfile option to ease myproxy-server
    shutdown

v0.6.2 21 Jun 2004 (GPT package version 1.14)
  - added initial experimental support for PAM authentication via
    the SASL/PLAIN mechanism.
  - changed myproxy-admin-change-pass so an empty pass phrase
    can be used for unencrypted keys (for example, for renewal keys)
  - fixed myproxy-admin-adduser to not depend on nonexistent
    myproxy-admin-adduser-config command
  - removed pass phrase functions from myproxy-admin-load-credential,
    so the existing pass phrase on the source key is kept as is.
    Use myproxy-admin-change-pass to change the pass phrase of a
    credential after loading.
  - fixed GT 2.2 and Java CoG incompatibility introduced in v0.6.1.
    Note: if repository contains end-entity credentials, Java CoG
    will retrieve old-style (legacy) proxies because the Java CoG
    certificate request doesn't specify the proxy type.
  - changed signature of myproxy_get_delegation() method.
    original signature is restored in v2.0.

v0.6.1 30 Mar 2004 (GPT package version 1.13)
  Fixed a bug where the myproxy-server would always delegate new-style
  proxy credentials from end-entity credentials in repository.  The
  myproxy-server now respects proxy type in the certificate request
  when end-entity credentials are stored in repository.  However, if
  the repository contains proxy credentials, the server will delegate
  a proxy of the same type as stored in the repository irrespective of
  the certificate request, because new-style and old-style proxies
  can't be mixed.  This bug fix resulted in an incompatibility with GT
  2.2 and Java CoG clients, fixed in v0.6.2.

v0.6.0 22 Mar 2004 (GPT package version 1.12)
  - added max_proxy_lifetime server configuration option for limiting
    the lifetime of retrieved credentials

v0.5.9 28 Jan 2004 (GPT package version 1.11)
  - removed requirement for /dev/urandom and instead let OpenSSL seed
    its random number generator itself using its standard methods
  - added myproxy-admin-change-pass command
  - changed myproxy-get-delegation -d option to have effect even when
    -a option is not given
  - added support for OpenSSL 0.9.7

v0.5.8 23 Sep 2003 (GPT package version 1.10)
  - fixed networking problem with v0.5.7 on some platforms

v0.5.7 25 Aug 2003 (GPT package version 1.9)
  - fixed additional problems with handling large credentials
  - bugfix: myproxy-admin-load-credential fails to prompt for
    passphrase of source credential in versions 0.5.4-0.5.6.

v0.5.6 31 Jul 2003 (GPT package version 1.8)
  - added support for Globus Toolkit 3.0 libraries
  - added support for new GSI proxy certificate format
  - fixed 'myproxy-info -d'
  - fixed credential problem when using Globus Toolkit 2.4 libraries
  - removed buffer length restriction in credential renewal protocol

v0.5.5 30 May 2003 (GPT package version 1.7)
  - added support for Globus Toolkit 2.4 libraries
  - added support for external passphrase quality enforcement with
    passphrase_policy_program command in myproxy-server.config
  - added support for locking credentials via myproxy-admin-query
  - included example myproxy.cron script for removing expired credentials
  - fixed problems with installed headers
  - added MYPROXY_SERVER_PORT environment variable

v0.5.4 2 May 2003 (GPT package version 1.6)
  - myproxy-admin-adduser command added
  - default lifetime of delegated proxies changed to 12 hours instead of 2
  - --passphrase option added to myproxy-admin-load-credential
  - new options (including remove option) added to myproxy-admin-query
  - compatibility problem with v0.2 (introduced in v0.5.0) fixed
  - OSX build problem fixed
  - support for delegating proxies with maximum lifetime added

v0.5.3 19 Mar 2003 (GPT package version 1.5)
  This version fixes a build problem on AIX.

v0.5.2 10 Mar 2003 (GPT package version 1.4)
  This version adds the myproxy-admin-query and
  myproxy-admin-load-credential commands and adds support for running
  the myproxy-server with a /CN=myproxy/fqhn credential.

v0.5.1 12 Feb 2003 (GPT package version 1.3)
  This release fixes a bug where the X509_USER_CERT and X509_USER_KEY
  environment variables would confuse myproxy-init.

v0.5.0 15 Nov 2002 (GPT package version 1.2)
  This is the first version for Globus Toolkit 2.2.  It adds support
  for storing multiple credentials per username, stores private keys
  encrypted with the credential's passphrase (if set), and adds the
  myproxy-change-pass-phrase command.  It is also the first version to
  be released unter the NCSA Open Source license.  Note that due to
  version incompatibilities with Globus Toolkit 2.2 libraries and the
  Java CoG (not specific to MyProxy), this and future versions of
  MyProxy are not compatible with Java CoG versions before 1.0.

v0.4.6 3 Sep 2002 (GPT package version 1.1)
  This version adds sample init.d and xinetd entries in the GPT
  package.

v0.4.5 28 Aug 2002 (GPT package version 1.0)
  This is the first version packaged with GPT.  In addition to changes
  for GPT compatibility, it contains minor changes to some MyProxy
  debug messages.

v0.4.4 22 Mar 2002
  This version adds the myproxy-info command.

v0.4.3 6 Mar 2002
  This version adds support for per-credential authorization.  Users
  can specify retrieval/renewal policies for a credential on upload
  using myproxy-init.

v0.4.2 4 Feb 2002
  This version includes the GSI distinguished name matching logic that
  was removed in v0.4.0, so for example host/fqhn will now match fqhn
  again.  It also adds support for restricting the TCP port ranges of
  the clients.

v0.4.1 4 Dec 2001
  This version adds support for Globus 2.0 and optionally using the
  distinguished name from the proxy certificate as the default myproxy
  username.

v0.4.0 20 Nov 2001
  This version adds support for anonymous X.509 client authentication,
  to allow users to retrieve a credential using their myproxy
  passphrase when they don't already have a credential.  The myproxy
  server configuration file can enable or disable anonymous and
  certificate-based (from v0.3) authentication.

v0.3 5 Oct 2001
  This version adds support for certificate-based authentication in
  addition to passphrase based authentication, to enable credential
  renewal.  It was developed by Daniel Kouril and Miroslav Ruda for
  the European DataGrid project.

v0.2alpha3 11 Oct 2000
  This version was used by many grid portals.

v0.2alpha1 27 Sep 2000

v0.2 20 Sep 2000

v0.1b3 30 June 2000

v0.1b2 08 May 2000

v0.1b1 05 May 2000

v0.1 03 Apr 2000