diff --git a/CHANGELOG.md b/CHANGELOG.md index 4c18d2690..da42b927a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,16 +16,16 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ## 2025.03 -## Added +### Added - Oban (worker) dashboard at `/akkoma/oban` -## Fixed +### Fixed - fixed some holes in SigningKey verification potentially allowing they key-user mapping to be poisoned - frontend ZIP files can no longer traverse to paths outside their install dir - fixed user updates trying but failing to renew signing key information - fixed signing key refresh on key rotation -## Changed +### Changed - Dropped obsolete `ap_enabled` indicator from user table and associated buggy logic - The remote user count in prometheus metrics is now an estimate instead of an exact number since the latter proved unreasonably costly to obtain for a merely nice-to-have statistic @@ -39,12 +39,12 @@ Hotfix: Federation could break if a null value found its way into `should_federa ## 2025.01 -## Added +### Added - New config option `:instance, :cleanup_attachments_delay` - It is now possible to display custom source URLs in akkoma-fe; the settings are part of the frontend configuration -## Fixed +### Fixed - Media proxy no longer attempts to proxy embedded images - Fix significant uneccessary overhead of attachment cleanup; it no longer attempts to cleanup attachments of deleted remote posts 
@@ -53,24 +53,24 @@ Hotfix: Federation could break if a null value found its way into `should_federa - ObjectAge policy no longer leaks belated DMs and follower-only posts - the NodeINfo endpoint now uses the correct content type -## Changed +### Changed - Anonymous objects now federate completely without an id adopting a proposed AP spec errata and restoring federation with e.g. IceShrimp.NET and fedify-based implementations ## 3.13.3 -## BREAKING +### BREAKING - Minimum PostgreSQL version is raised to 12 - Swagger UI moved from `/akkoma/swaggerui/` to `/pleroma/swaggerui/` -## Added +### Added - Implement [FEP-67ff](https://codeberg.org/fediverse/fep/src/branch/main/fep/67ff/fep-67ff.md) (federation documentation) - Meilisearch: it is now possible to use separate keys for search and admin actions - New standalone `prune_orphaned_activities` mix task with configurable batch limit - The `prune_objects` mix task now accepts a `--limit` parameter for initial object pruning -## Fixed +### Fixed - Meilisearch: order of results returned from our REST API now actually matches how Meilisearch ranks results - Emoji are now federated as anonymous objects, fixing issues with some strict servers e.g. rejecting e.g. remote emoji reactions 
@@ -78,25 +78,25 @@ Hotfix: Federation could break if a null value found its way into `should_federa - Single-selection polls no longer expose the voter_count; MastoAPI demands it be null and this confused some clients leading to vote distributions >100% -## Changed +### Changed - Refactored Rich Media to cache the content in the database. Fetching operations that could block status rendering have been eliminated. ## 2024.04.1 (Security) -## Fixed +### Fixed - Issue allowing non-owners to use media objects in posts - Issue allowing use of non-media objects as attachments and crashing timeline rendering - Issue allowing webfinger spoofing in certain situations ## 2024.04 -## Added +### Added - Support for [FEP-fffd](https://codeberg.org/fediverse/fep/src/branch/main/fep/fffd/fep-fffd.md) (proxy objects) - Verified support for elixir 1.16 - Uploadfilter `Pleroma.Upload.Filter.Exiftool.ReadDescription` returns description values to the FE so they can pre fill the image description field NOTE: this filter MUST be placed before `Exiftool.StripMetadata` to work -## Changed +### Changed - Inbound pipeline error handing was modified somewhat, which should lead to less incomprehensible log spam. Hopefully. - Uploadfilter `Pleroma.Upload.Filter.Exiftool` was replaced by `Pleroma.Upload.Filter.Exiftool.StripMetadata`; the latter strips all non-essential metadata by default but can be configured. @@ -105,7 +105,7 @@ Hotfix: Federation could break if a null value found its way into `should_federa - MRF.InlineQuotePolicy now prefers to insert display URLs instead of ActivityPub IDs - Old accounts are no longer listed in WebFinger as aliases; this was breaking spec -## Fixed +### Fixed - Issue preventing fetching anything from IPv6-only instances - Issue allowing post content to leak via opengraph tags despite :estrict\_unauthenticated being set - Move activities no longer operate on stale user data 
@@ -121,17 +121,17 @@ Hotfix: Federation could break if a null value found its way into `should_federa JSON-LD-compacted forms of public scope; affected e.g. federation with bovine - Ratelimits encountered when fetching objects are now respected; 429 responses will cause a backoff when we get one. -## Removed +### Removed - ActivityPub Client-To-Server write API endpoints have been disabled; read endpoints are planned to be removed next release unless a clear need is demonstrated ## 2024.03 -## Added +### Added - CLI tasks best-effort checking for past abuse of the recent spoofing exploit - new `:mrf_steal_emoji, :download_unknown_size` option; defaults to `false` -## Changed +### Changed - `Pleroma.Upload, :base_url` now MUST be configured explicitly if used; use of the same domain as the instance is **strongly** discouraged - `:media_proxy, :base_url` now MUST be configured explicitly if used; @@ -147,7 +147,7 @@ Hotfix: Federation could break if a null value found its way into `should_federa - Uploads, emoji and media proxy now restrict Content-Type headers to a safe subset - Akkoma will no longer fetch and parse objects hosted on the same domain -## Fixed +### Fixed - Critical security issue allowing Akkoma to be used as a vector for (depending on configuration) impersonation of other users or creation of bogus users and posts on the upload domain @@ -160,7 +160,7 @@ Hotfix: Federation could break if a null value found its way into `should_federa - our litepub JSON-LD schema is now served with the correct content type - remote APNG attachments are now recognised as images -## Upgrade Notes +### Upgrade Notes - As mentioned in "Changed", `Pleroma.Upload, :base_url` **MUST** be configured. Uploads will fail without it. - Akkoma will refuse to start if this is not set. 
@@ -168,20 +168,20 @@ Hotfix: Federation could break if a null value found its way into `should_federa ## 2024.02 -## Added +### Added - Full compatibility with Erlang OTP26 - handling of GET /api/v1/preferences - Akkoma API is now documented - ability to auto-approve follow requests from users you are already following - The SimplePolicy MRF can now strip user backgrounds from selected remote hosts -## Changed +### Changed - OTP builds are now built on erlang OTP26 - The base Phoenix framework is now updated to 1.7 - An `outbox` field has been added to actor profiles to comply with AP spec - User profile backgrounds do now federate with other Akkoma instances and Sharkey -## Fixed +### Fixed - Documentation issue in which a non-existing nginx file was referenced - Issue where a bad inbox URL could break federation - Issue where hashtag rel values would be scrubbed @@ -189,7 +189,7 @@ Hotfix: Federation could break if a null value found its way into `should_federa ## 2023.08 -## Added +### Added - Added a new configuration option to the MediaProxy feature that allows the blocking of specific domains from using the media proxy or being explicitly allowed by the Content-Security-Policy. - Please make sure instances you wanted to block media from are not in the MediaProxy `whitelist`, and instead use `blocklist`. @@ -202,7 +202,7 @@ Hotfix: Federation could break if a null value found its way into `should_federa - OTP26 is currently "unsupported". It will probably work, but due to the way it handles map ordering, the test suite will not pass for it as yet. -## Changed +### Changed - Alpine OTP builds are now from alpine 3.18, which is OpenSSLv3 compatible. If you use alpine OTP builds you will have to update your local system. 
@@ -213,19 +213,19 @@ Hotfix: Federation could break if a null value found its way into `should_federa - Blocks/Mutes now return from max ID to min ID, in line with mastodon. - The AnonymizeFilename filter is now enabled by default. -## Fixed +### Fixed - Deactivated users can no longer show up in the emoji reaction list - Embedded posts can no longer bypass `:restrict\_unauthenticated` - GET/HEAD requests will now work when requesting AWS-based instances. -## Security +### Security - Add `no_new_privs` hardening to OpenRC and systemd service files - XML parsers cannot load any entities (thanks @Mae@is.badat.dev!) - Reduced permissions of config files and directories, distros requiring greater permissions like group-read need to pre-create the directories -## Removed +### Removed - Builds for debian oldstable (bullseye) - If you are on oldstable you should NOT attempt to update OTP builds without @@ -233,7 +233,7 @@ Hotfix: Federation could break if a null value found its way into `should_federa ## 2023.05 -## Added +### Added - Custom options for users to accept/reject private messages - options: everybody, nobody, people\_i\_follow - MRF to reject notes from accounts newer than a given age @@ -241,16 +241,16 @@ Hotfix: Federation could break if a null value found its way into `should_federa post gets boosted outside of your local bubble and people your instance does not know about reply to it. -## Fixed +### Fixed - Support for `streams` public key URIs - Bookmarks are cleaned up on DB prune now -## Security +### Security - Fixed mediaproxy being a bit of a silly billy ## 2023.04 -## Added +### Added - Nodeinfo keys for unauthenticated timeline visibility - Option to disable federated timeline - Option to make the bubble timeline publicly accessible @@ -264,7 +264,7 @@ Hotfix: Federation could break if a null value found its way into `should_federa ## 2023.03 -## Fixed +### Fixed - Allowed contentMap to be updated on edit - Filter creation now accepts expires\_at 
@@ -324,7 +324,7 @@ Hotfix: Federation could break if a null value found its way into `should_federa ## 2022.12 -## Added +### Added - Config: HTTP timeout options, :pool\_timeout and :receive\_timeout - Added statistic gathering about instances which do/don't have signed fetches when they request from us - Ability to set a default post expiry time, after which the post will be deleted. If used in concert with ActivityExpiration MRF, the expiry which comes _sooner_ will be applied. @@ -334,7 +334,7 @@ Hotfix: Federation could break if a null value found its way into `should_federa - Option to extend `reject` in MRF-Simple to apply to entire threads, where the originating instance is rejected - Extra information to failed HTTP requests -## Changed +### Changed - MastoAPI: Accept BooleanLike input on `/api/v1/accounts/:id/follow` (fixes follows with mastodon.py) - Relays from akkoma are now off by default - NormalizeMarkup MRF is now on by default 
@@ -343,30 +343,30 @@ Hotfix: Federation could break if a null value found its way into `should_federa - Overhauled static-fe view for logged-out users - Blocked instances will now not be sent _any_ requests, even fetch ones that would get rejected by MRF anyhow -## Removed +### Removed - FollowBotPolicy - Passing of undo/block into MRF -## Upgrade Notes +### Upgrade Notes - If you have an old instance, you will probably want to run `mix pleroma.database prune_task` in the foreground to catch it up with the history of your instance. ## 2022.11 -## Added +### Added - Officially supported docker release - Ability to remove followers unilaterally without a block - Scraping of nodeinfo from remote instances to display instance info - `requested_by` in relationships when the user has requested to follow you -## Changed +### Changed - Follows no longer override domain blocks, a domain block is final - Deletes are now the lowest priority to publish and will be handled after creates - Domain blocks are now subdomain-matches by default -## Fixed +### Fixed - Registrations via ldap are now compatible with the latest OTP24 -## Update notes +### Update notes - If you use LDAP and run from source, please update your elixir/erlang to the latest. The changes in OTP24.3 are breaking. - You can now remove the leading `*.` from domain blocks, but you do not have to. @@ -1686,7 +1686,7 @@ curl -Lo ./bin/pleroma_ctl 'https://git.pleroma.social/pleroma/pleroma/raw/devel - User-Agent is now sent correctly for all HTTP requests. - MRF: Simple policy now properly delists imported or relayed statuses -## Removed +### Removed - Configuration: `config :pleroma, :fe` in favor of the more flexible `config :pleroma, :frontend_configurations` ## [0.9.99999] - 2019-05-31
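Review bot: In the 2025.03 section (first hunk), the SigningKey verification fix and the frontend ZIP path traversal fix stay under the generic `### Fixed` heading, while 2023.08 and 2023.05 already use a dedicated `### Security` subsection and 2024.04.1 is tagged "(Security)" in its release heading. Since this change is normalizing the subsection headings anyway, consider moving those two entries under `### Security` so admins scanning the changelog can tell the release carries security fixes. The same entry also has a typo in its context line: "allowing they key-user mapping" should read "the".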
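Review bot: In the hunk at -343,30 the 2022.11 section ends up with `### Update notes`, while 2022.12 and 2024.03 use `### Upgrade Notes`. The line is being touched here anyway, so pick one wording and capitalization and use it for all three. Separately, `### BREAKING` in 3.13.3 is the only all-caps subsection name in the visible hunks; if that is intentional emphasis it is fine, otherwise it could be folded into `### Changed` with the breaking items marked inline.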
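Review bot: The hunks jump from around line 372 straight to line 1686, where a single `## Removed` is demoted just above `## [0.9.99999] - 2019-05-31`. Please confirm that no other second-level `## Added`, `## Changed`, `## Fixed`, `## Removed` or `## Security` subsection headings remain in the untouched ranges (also between lines 270 and 324), otherwise the file keeps mixed heading levels and anything that parses release sections by `##` will still split on them. A quick search of the file for those heading names at the start of a line would settle it.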