Changelog.md
Diaspora* now uses TOML for the configuration file. We recommend that you migrate to this new format, as with the next major release (1.0) diaspora* will no longer read the YAML-based configuration file at config/diaspora.yml. To do so, please copy config/diaspora.toml.example to config/diaspora.toml and migrate your configuration.
With the release of diaspora* Version 0.9, we now officially support building applications on top of the diaspora* API! Please check out the official API documentation for instructions, and please do file bugs if you notice something that could be improved!
We are looking forward to seeing many creative applications!
After a discussion with our community on Discourse, we decided to remove the pieces of XMPP chat integration that were put in place a while ago. When we first added the chat support, we merged the implementation in an unfinished state in the hopes that the open issues will be addressed eventually, and the implementation would end up more polished. This ended up not being the case. After careful consideration and discussion, we did not manage to come up with clear reasons why we need a chat implementation, so we decided that the best way forward would be to remove it.
Although the chat was never enabled per default and was marked as experimental, some production pods did set up the integration and offered an XMPP service to their users. After this release, diaspora* will no longer contain a chat applet, so users will no longer be able to use the webchat inside diaspora*. The existing module that is used to enable users to authenticate to Prosody using their diaspora* credentials will continue to work, but contact list synchronization might not work without further changes to the Prosody module, which is developed independently from this project.
With this release, we switched from unicorn to puma to run our applications. For podmins running the default setup, this should significantly reduce memory usage, with similar or even better frontend performance! However, as great as this change is, some configuration changes are required.
single_process_mode and embed_sidekiq_worker configurations have been removed. This mode was never truly a "single-process" mode, as it just spawned the Background Workers inside the runserver. If you're using script/server to start your pod, this change does not impact you, but if you're running diaspora* using other means, and you relied on this "single"-process mode, please ensure that Sidekiq workers get started.
listen configuration has changed. If you have not set that field in your configuration, you can skip this. Otherwise, make sure to adjust your configuration accordingly:
unix:tmp/diaspora.sock into unix://tmp/diaspora.sock.
unix:/run/diaspora/diaspora.sock to unix:///run/diaspora/diaspora.sock.
127.0.0.1:3000 to tcp://127.0.0.1:3000.
PORT environment variable and the -p parameter to script/server have been removed. If you used that to run diaspora* on a non-standard port, please use the listen configuration.
unicorn_worker configuration has been dropped. With Puma, there should not be a need to increase the number of workers above a single worker in any pod of any size.
unicorn_timeout configuration has been renamed to web_timeout.
script/server, you have to update your setup. If you previously called bin/bundle exec unicorn -c config/unicorn.rb to run diaspora*, you now have to run bin/puma -C config/puma.rb! Please update your systemd-Units or similar accordingly.
We use yarn to install the frontend dependencies now, so you need to have that installed. See here for how to install it: https://yarnpkg.com/en/docs/install
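The listen format change above, as an added Ruby example (not diaspora* code): it rewrites old-style values into the new URI form and reports whether each one binds a Unix socket, a loopback address, or an address reachable from the network such as the 0.0.0.0:3000 that older production setups listened on. The helper names migrate_listen and bind_scope and the sample values are assumptions made for this illustration.

```ruby
# Added example, not diaspora* code. migrate_listen and bind_scope are
# hypothetical helper names; only IPv4 addresses and hostnames are handled.
require "ipaddr"

# Convert an old-style listen value to the new URI format.
def migrate_listen(value)
  v = value.to_s.strip
  # Values that already carry a scheme are in the new format.
  return v if v.start_with?("unix://", "tcp://")

  # Old Unix socket syntax was "unix:" + path. Putting "unix://" in front of
  # the path covers both cases from the changelog:
  #   unix:tmp/diaspora.sock           -> unix://tmp/diaspora.sock
  #   unix:/run/diaspora/diaspora.sock -> unix:///run/diaspora/diaspora.sock
  if v.start_with?("unix:")
    path = v.delete_prefix("unix:")
    raise ArgumentError, "empty socket path in #{value.inspect}" if path.empty?
    return "unix://#{path}"
  end

  # Old TCP syntax was a bare host:port pair.
  m = v.match(/\A(?<host>[^:\s]+):(?<port>\d{1,5})\z/)
  if m && m[:port].to_i.between?(1, 65_535)
    return "tcp://#{m[:host]}:#{m[:port]}"
  end

  raise ArgumentError, "unrecognised listen value: #{value.inspect}"
end

# Classify what a new-format value binds to, so a pod behind a reverse proxy
# can spot an application server that is reachable from other hosts.
def bind_scope(listen_uri)
  return :unix_socket if listen_uri.start_with?("unix://")

  m = listen_uri.match(%r{\Atcp://(?<host>[^:/\s]+):\d+\z})
  return :unknown unless m

  IPAddr.new(m[:host]).loopback? ? :loopback : :network
rescue IPAddr::InvalidAddressError
  :hostname # not resolved here; check what the name resolves to on the pod
end

# Constructed sample values: the three old forms from the changelog plus
# 0.0.0.0:3000, the address older production setups listened on.
SAMPLES = [
  "unix:tmp/diaspora.sock",
  "unix:/run/diaspora/diaspora.sock",
  "127.0.0.1:3000",
  "0.0.0.0:3000"
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |old|
    converted = migrate_listen(old)
    puts format("%-34s -> %-38s %s", old, converted, bind_scope(converted))
  end
end
```

A :network result means the application server accepts connections on a non-loopback address, which bypasses the reverse proxy unless a firewall blocks the port.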
We recommend setting up new pods using Ruby 3.3, and updating existing pods to this version as well. Ruby 2.7 is EOL and no longer supported.
If you're currently running your production pod with ./script/server in a tmux or something similar, please be careful. We made some internal changes that result in the script no longer automatically restarting the server if it crashes - instead, it will just shut down. We strongly recommend running your pod using your system's unit manager, for example with this systemd unit.
factory_girl with factory_bot #8218
diaspora_federation, remove support for old federation protocol #8368
therubyracer #8337
unicorn with puma #8392
strip_exif flag and always remove exif data from uploaded images #8417
apparition with cuprite #8418
i18n-inflector-rails for translations #8420
lower(name) index on tags to speed up ActsAsTaggableOn #8206
To avoid potential security issues, diaspora* now makes sure that ImageMagick image processing always runs with a restricted policy.xml, regardless of the global system settings.
assets:precompile a lot #8362
rvm install 2.7. #8366
/.well-known/host-meta, check for /.well-known/nodeinfo instead #8377
chat_enabled flag from archive export #8265
AccountMigration if receiving message to a migrated account #8288
http:// links in the UI with their https:// counterparts #8207
Photo#ownserhip_of_status_message validation #8214
rvm install 2.6. #7929
web+diaspora:// links to link to a profile with only the diaspora ID #8000
web+diaspora:// handler description #7909
Fixes a potential cross-site scripting issue with maliciously crafted OpenGraph metadata on the mobile interface.
statistic.json #7867
database.yml.example to fields that may contain special characters #7875
script/configure_bundler #7830
web+diaspora:// link handler #7826
poll_id and author_id #7798
Fixes a possible cross-site scripting issue with maliciously crafted OpenGraph metadata.
Re-updating the German translations to fix some UX issues that were introduced by recent translation efforts.
Fixes notifications when people remove their birthday date #7691
diaspora:// links #7652
Fixes an issue with installing and running diaspora* with bundler v1.16.0, released today.
There were some issues causing account deletions to not be performed properly in some cases, see #7631 and #7639.
To ensure these are re-executed properly, please run RAILS_ENV=production bin/rake migrations:run_account_deletions after you've upgraded.
rails_admin_histories table #7597
diaspora:// links #7625
Update nokogiri to fix multiple libxml2 vulnerabilities.
This release recommends using Ruby 2.4, while retaining Ruby 2.3 as an officially supported version. Ruby 2.1 is no longer officially supported.
Before upgrading, please check if your public/ folder contains a hidden .well-known/ folder.
If so, please delete it since it will prevent the federation from working properly.
report_only and no report_uri is set #7367
Fixes a possible Remote Code Execution (CVE-2016-4658) and a possible DoS (CVE-2016-5131) by updating Nokogiri, which in turn updates libxml2.
bundle in script/server #7281
Note: Although this is a minor release, the configuration file changed because the old Mapbox implementation is no longer valid, and the current implementation requires additional fields. Chances are high that if you're using the old integration, it will be broken anyway. If you do use Mapbox, please check out the diaspora.yml.example for new parameters.
Content-Security-Policy header #7128
Fixes an issue with installing and running diaspora*, caused by a recent bundler update that fixes a bundler bug on which we depended.
This diaspora* release comes with a few database cleanup migrations, and they could possibly take a while. While you should always do that, it is especially important this time to make sure you run the migrations inside a detachable environment like screen or tmux. An interrupted SSH session could possibly harm your database. Also, please make a backup.
With Bundler 1.10 supporting optional groups, we removed the DB environment variable. When updating to this release, please update bundler and select the database support you want:
gem install bundler
bundle install --with mysql # For MySQL and MariaDB
bundle install --with postgresql # For PostgreSQL
For production setups we now additionally recommend adding the --deployment flag.
If you set the DB environment variable anywhere, that's no longer necessary.
This release recommends using Ruby 2.3, while retaining Ruby 2.1 as an officially supported version. Ruby 2.0 is no longer officially supported.
Please note that the default listen parameter for production setups got
changed. diaspora* will no longer listen on 0.0.0.0:3000 as it will now
bind to a UNIX socket at unix:tmp/diaspora.sock. Please change your local
diaspora.yml if necessary.
We dropped support for Redis namespaces in this release. If you previously set
a custom namespace, please note that diaspora* will no longer use the
configured value. By default, Redis supports up to 8 databases which can be
selected via the Redis URL in diaspora.yml. Please check the examples
provided in our configuration example file.
With the port to Bootstrap 3, app/views/terms/default.haml has a new structure. If you have created a customised app/views/terms/terms.haml or app/views/terms/terms.erb file, you will need to edit those files to base your customisations on the new default.haml file.
This release makes diaspora* an OpenID Connect provider. This means you can authenticate to third parties with your diaspora* account and let them act as your diaspora* account on your behalf. This feature is still considered to be in early development; we still expect edge cases and advanced features of the specification to not be handled correctly or be missing. But we expect a basic OpenID Connect compliant client to work. Please submit issues! We will also most likely still change the authorization scopes we offer and started with a very minimal set. Most work still required is on documentation as well as designing and implementing the data API for all of Diaspora's functionality. Contributions are very welcome, the hard work is done!
Due to many issues with Vines, we decided to remove Vines and offer a Prosody example configuration instead. Check the wiki for more information on how to migrate to Prosody if you've been using Vines before.
We've decreased the amount of sidekiq queues from 13 to 5 in PR #6950. The new queues are organized according to priority for the jobs they will process. When upgrading please make sure to empty the sidekiq queues before shutting down the server for an update.
If you run your sidekiq with a custom queue configuration, please make sure to update that for the new queues.
The new queues are: urgent, high, medium, low, default.
When you upgrade to the new version, some jobs may persist in the old queues. To move them to the default queue, so they're processed, run:
bin/rake migrations:legacy_queues
Note that this will retry all dead jobs; if you want to prevent that, empty the dead queue first.
The command will report queues that still have jobs and launch a sidekiq process for those queues.
parent_author_signature from relayables #6586
REDISTOGO_URL environment variable #6863
StatusMessage#raw_message #6921
script/server #6693
Update to Rails 4.2.7.1 which fixes CVE-2016-6316 and CVE-2016-6317.
We made a mistake and removed mysql2 from the Gemfile.lock in a recent gem update. Since this could cause some issues for some installations, we decided to release a hotfix.
Update Nokogiri to 1.6.8, which in turn updates libxml2 to 2.9.4 and libxslt to 1.1.29, addressing a range of security issues. See https://groups.google.com/forum/#!topic/ruby-security-ann/RCHyF5K9Lbc for more details.
This security release disables post fetching for relayables. Due to an insecure implementation, fetching of root posts for relayables could allow an attacker to distribute malicious/spoofed/modified posts for any person.
Disabling the fetching will make the current federation a bit less reliable, but for a hotfix, this is the best solution. We will re-enable the fetching in 0.6.0.0, when we have moved the federation out into its own library and are able to implement further validation during fetches.
suppress_annoying_errors eating too many errors #6653
Fix evil regression caused by Active Model no longer exposing include_root_in_json in instances.
Fix a leak of potentially private profile data to unauthorized users who were sharing with the person and on a pod that received that data.
diaspora_federation-rails gem #6151
let instead of before blocks #6199
diaspora* versions prior to 0.5.1.2 leaked potentially private profile data (namely the bio, birthday, gender and location fields) to unauthorized users. While the frontend properly hid them, the backend missed a check to not include them in responses. Thanks to @cmrd-senya for finding and reporting the issue.
Update rails to 4.2.2, rack to 1.6.2 and jquery-rails to 4.0.4. This fixes
hasPhotos and hasText functions #5969
og:urls #5926
Use the correct setting for captcha length instead of defaulting to 1 always.
This release includes a major upgrade of the background processing system Sidekiq. To upgrade cleanly:
RAILS_ENV=production bundle exec sidekiq and wait 5-10 minutes, then stop it again (hit CTRL+C)
Please edit config/initializers/secret_token.rb, replacing secret_token with secret_key_base.
# Old
Rails.application.config.secret_token = '***********...'
# New
Diaspora::Application.config.secret_key_base = '*************...'
You also need to take care to set RAILS_ENV and to clear the cache while precompiling assets: RAILS_ENV=production bundle exec rake tmp:cache:clear assets:precompile
This release drops official support for the Ruby 1.9 series. This means we will no longer test against this Ruby version or take care to choose libraries that work with it. However that doesn't mean we won't accept patches that improve running diaspora* on it.
At the same time we adopt support for the Ruby 2.1 series and recommend running on the latest Ruby version of that branch. We continue to support the Ruby 2.0 series and run our comprehensive test suite against it.
The default for including jQuery from a CDN has changed. If you want to continue to include it from a CDN, please explicitly set the jquery_cdn setting to true in diaspora.yml.
For MySQL databases, replace charset: utf8 with encoding: utf8mb4 and change collation from utf8_bin to utf8mb4_bin in the file config/database.yml.
This enables full UTF-8 support (4-byte characters), including standard emoji characters.
See database.yml.example for reference.
Please make sure to stop Diaspora prior to running this migration!
This release adds experimental integration with XMPP for real-time chat. Please see our wiki for further information.
The way services are shown in the statistics.json route is changing. The keys relating to showing whether services are enabled or not are moving to their own container as "services": {....}, instead of having them all in the root level of the JSON.
The keys will still be available in the root level within the 0.5 release. The old keys will be removed in the 0.6 release.
Removing of old inactive users can now be done automatically by background processing. The amount of inactivity is set by after_days. A warning email will be sent to the user and after an additional warn_days, the account will be automatically closed.
This maintenance is not enabled by default. Podmins can enable it by for example copying over the new settings under settings.maintenance to their diaspora.yml file and setting it enabled. The default setting is to expire accounts that have been inactive for 2 years (no login).
It is now possible to enable an automatic proxying of external assets, for example images embedded via Markdown or OpenGraph thumbnails loaded from insecure third party servers through a Camo proxy.
This is disabled by default since it requires the installation of additional packages and might cause some traffic. Check the wiki page for more information and detailed installation instructions.
Podmins can now set the currency for donations, and use an unhosted button if they can't use a hosted one. Note: you need to copy the new settings from diaspora.yml.example to your diaspora.yml file. The existing settings from 0.4.x and before will not work any more.
diaspora* no longer adds a div.container to wrap custom splash pages. This adds the ability for podmins to write home pages using Bootstrap's fluid design. Podmins who added a custom splash page in app/views/home/_show.{html,mobile}.haml need to wrap the contents into a div.container to keep the old design. You will find updated examples in our wiki.
opengraph_parser with open_graph_reader #5462
more link on mobile stream pages #5400
This release brings a new ToS feature that allows pods to easily display to users the terms of service they are operating on. This feature is not enabled by default. If you want to enable it, please add under settings in config/diaspora.yml the following and restart diaspora. If in doubt see config/diaspora.yml.example:
terms:
  enable: true
When enabled, the footer and sidebar will have a link to terms page, and sign up will have a disclaimer indicating that creating an account means the user accepts the terms of use.
While the project itself doesn't restrict what kind of terms pods run on, we realize not all podmins want to spend time writing them from scratch. Thus there is a basic ToS template included that will be used unless a custom one is available.
To modify (or completely rewrite) the terms template, create a file called app/views/terms/terms.haml or app/views/terms/terms.erb and it will automatically replace the default template, which you can find at app/views/terms/default.haml.
There are also two configuration settings to customize the terms (when using the default template). These are optional.
settings.terms.jurisdiction - indicate here in which country or state any legal disputes are handled.
settings.terms.minimum_age - indicate here if you want to show a minimum required age for creating an account.
There is a new Rake task podmin:admin_mail available to allow podmins to easily send news and notices to users. The rake task triggers emails via the normal diaspora mailer mechanism (so they are embedded in the standard template) and takes the following parameters:
all - all users in the database (except deleted)
active_yearly - users logged in within the last year
active_monthly - users logged in within the last month
active_halfyear - users logged in within the last 6 months
Example shell command (depending on your environment):
RAILS_ENV=production bundle exec rake podmin:admin_mail['active_monthly','./message.html','Important message from pod']
Read more about specifying arguments to Rake tasks.
A regression caused account deletions to not be performed properly in some cases, see #4792.
To ensure these are re-executed properly, please run RAILS_ENV=production bundle exec rake accounts:run_deletions after you've upgraded.
This version will break federation to pods running on versions prior to 0.1.1.0.
A new feature has been added to allow pods to report extra statistics. Automatically after this code change, the route /statistics.json contains some basic data that was also available before via page headers (pod name, version, status of signups). But also, optionally podmins can enable user and post counts in the diaspora.yml configuration file. The counts are by default switched off, so if you want to report the total user, active user and local post counts, please edit your diaspora.yml configuration with the example values in diaspora.yml.example and uncomment the required lines as indicated.
We now recommend using Ruby 2.0 with Diaspora. If you're using RVM make sure to run:
rvm get stable
rvm install 2.0.0
cd ~/diaspora
git pull
cd - && cd ..
For more details see https://wiki.diasporafoundation.org/Updating
Added:
Removed:
Updated:
Attention: This release includes a potentially long running migration! However it should be safe to run this while keeping your application servers on.
to field blank when sending a private message causes a server error #4227
We replaced our queue system with Sidekiq. You might know that Resque needs Redis. Sidekiq does too, so don't remove it, it's still required. Sidekiq uses a threaded model so you'll need far fewer processes than with Resque to do the same amount of work.
To update do the following:
Before updating (even before the git pull!) stop your application
server (Unicorn by default, started through Foreman).
In case you did already run git pull checkout v0.0.3.4:
git fetch origin
git checkout v0.0.3.4
bundle
Start Resque web (you'll need temporary access to port 5678, check your Firewall if needed!):
bundle exec resque-web
In case you need it you can adjust the port with the -p flag.
One last time, start a Resque worker:
RAILS_ENV=production QUEUE=* bundle exec rake resque:work
Visit Resque web via http://your_host:5678, wait until all queues but the failed one are empty (show 0 jobs).
Kill the Resque worker by hitting Ctrl+C. Kill Resque web with:
bundle exec resque-web -k
Don't forget to close the port on the Firewall again, if you had to open it.
In case you needed to do step 2., run:
git checkout master
bundle
Proceed with the update as normal (migrate database, precompile assets).
Before starting Diaspora again ensure that you reviewed the new
environment.sidekiq section in config/diaspora.yml.example and,
if wanted, transferred it to your config/diaspora.yml and made any
needed changes. In particular increase the environment.sidekiq.concurrency
setting on any medium sized pod. If you do change that value, edit
your config/database.yml and add a matching pool: n to your database
configuration. n should be equal to or higher than the number of
threads per Sidekiq worker. This sets how many concurrent
connections to the database ActiveRecord allows.
If you aren't using script/server but for example passenger, you no
longer need to start a Resque worker, but a Sidekiq worker now. The
command for that is:
bundle exec sidekiq
The only gotcha for Heroku single gear setups is that the setting name to spawn a background worker from the unicorn process changed. Run
heroku config:remove SERVER_EMBED_RESQUE_WORKER
heroku config:set SERVER_EMBED_SIDEKIQ_WORKER=true
We're automatically adjusting the ActiveRecord connection pool size for you.
Larger Heroku setups should have enough expertise to figure out what to do by themselves.
The Capistrano deployment scripts were removed from the main source code repository, since they were no longer working. They will be moved into their own repository with a new maintainer, you'll be able to find them under the Diaspora* Github organization once everything is set up.
/a/b/c/config/boot.rb/../../Gemfile to require and open things, create a proper path instead.
public/default.html #3811
server.db to server.database to match the example configuration.
debugger since it was causing bundle problems, and is not necessary given 1.9.3 has a built-in debugger.
script/get_config.rb
config/script_server.yml is removed and replaced by the server section in config/diaspora.yml
Have a look at the updated example!
RAILS_ENV and DB are now preferred over those set in config/diaspora.yml
ENVIRONMENT_UNICORN_EMBED_RESQUE_WORKER got renamed to SERVER_EMBED_RESQUE_WORKER
follow_diasporahq has now to be set to true to enable following the DiasporaHQ account. Was false
And their dependencies.
Fix exception when the root of a reshare of a reshare got deleted #3546
Copy over config/diaspora.yml.example to config/diaspora.yml and migrate your settings! An updated Heroku guide including basic hints on how to migrate is here.
The new configuration system allows all possible settings to be overridden by environment variables. This makes it possible to deploy to Heroku without checking any credentials into git. Read the top of config/diaspora.yml.example for an explanation on how to convert the setting names to environment variables.
The following gems and their related files were removed as they aren't widely enough used to justify maintenance for them by the core developers. If you use them please maintain them in your fork.
The following gems were removed because they are either not used in daily development or are just CLI tools that aren't required to be loaded from the code:
Refactoring of the JavaScript code; it is now completely rewritten to make use of Backbone.js. This paves the way for future improvements such as post preview or edit toolbar/help.
The feature-flag on users and all the code in connection with experimental UX changes got removed/reverted. Those are the parts that became Makr.io. The single-post view will also be revamped/reverted, but that didn't make it into this release.