INN 2.7.0 release candidate

Julien ÉLIE julien at trigofacile.com
Mon May 16 19:23:07 UTC 2022


Hi all,

A release candidate for INN 2.7.0 can be downloaded at:

    https://ftp.isc.org/isc/inn/testing/inn-2.7.0rc1.tar.gz

Its MD5 checksum is d4f5c47ea7c47bc94de61af5991c9019.


Feel free to report any issue you may encounter.


The final release is scheduled next month (late June) if there aren't
any reported issues.

Feedback is greatly appreciated as for the release notes, and notably
the upgrade instructions.  Hopefully they are clear enough.



Upgrading from 2.6 to 2.7

     The following changes require your full attention because a manual
     intervention may be needed:

     * The *require_ssl* parameter in readers.conf has been renamed to
       *require_encryption* as it applies to any kind of encryption layers,
       including TLS and SASL security layers.  As innupgrade only takes care
       of the change in the file named readers.conf, you will have to
       manually rename that parameter in configuration files for nnrpd with
       an alternate name.

     * The innreport.conf file in *pathetc* has been split into a general
       configuration file (innreport.conf itself) and a display configuration
       file (innreport-display.conf in *pathlib*).  If you made local changes
       in sections other than the *default* section in innreport.conf, and
       wish to keep them, then you need renaming the new
       innreport-display.conf file to another name in *pathlib*, setting this
       local file name in the new *display_conf_file* option in
       innreport.conf, and re-applying your local changes to that local
       display configuration file.

       As a matter of fact, the default display configuration file would
       otherwise be overwritten each time INN is updated.  Bug fixes or
       enhancements are made from time to time to the display configuration
       of innreport, and couldn't be automatically be merged in
       innreport.conf on update.  This new separate configuration file to
       parameter the display will now permit an automatic update (if of
       course you use the default display configuration file).

     * A new inn-secrets.conf configuration file has been added in *pathetc*.
       The intent is that, from now on, new secrets used by INN are added to
       that file, and that all secrets currently stored in several other
       configuration files eventually move to that file.  Make sure it is
       properly created during the upgrade, and not world-readable.  It
       currently only stores the secrets used for the new Cancel-Lock
       functionality.

     * The -C flag given to innd to disable the execution of cancels has been
       deprecated and is no longer taken into account (an error message will
       be present in your logs if innd is started with it).  Instead, a new
       parameter has been added in inn.conf to tune the types of cancels innd
       should process.  If *docancels* is set to "require-auth", which is the
       default if INN has Cancel-Lock support, only articles originally
       protected by the Cancel-Lock authentication mechanism can be withdrawn
       by a valid authenticated cancel article or a valid authenticated
       supersede request.  Withdrawals of articles not originally protected
       by Cancel-Lock will not be executed.  See inn.conf(5) for more details
       about the different values of the new *docancels* parameter, and make
       sure to parameter it according to your needs.

     * The *refusecybercancels* and *verifycancels* parameters have been
       removed from inn.conf.  The first was performing an inefficient and
       inexact check (that should be done, if wanted, in the special "ME"
       entry in newsfeeds, or even better, ask your peers not to feed you
       articles with "cyberspam" in the Path header field body); the second
       check performed on the newsgroups present in cancel articles was not
       useful in innd (it is relevant to posting agents).

       The related lines in inn.conf will be commented by innupgrade during
       the upgrade.

     * The XBATCH command is no longer enabled by default in innd.  You'll
       have to explicitly enable that capability by setting the new *xbatch*
       parameter to true in incoming.conf for the peers sending you such
       compressed batches.

     * The *nolist* and *noresendid* parameters in incoming.conf have been
       respectively renamed to *list* and *resendid* (and the meaning of
       their related boolean values is now the opposite).  Besides, the
       unused *comment* and *email* parameters in incoming.conf have been
       removed.  innupgrade will take care of the changes (inverting the
       boolean values, and commenting the lines with removed parameters).

     * filechan is no longer shipped with INN; it was just a simple version
       of buffchan.  All calls to "filechan" will be changed to "buffchan -u"
       (for its unbuffered mode) in newsfeeds by innupgrade.  If you have
       local scripts running filechan, you will have to manually take care of
       the change.

     * send-nntp is no longer shipped with INN.  If you have local scripts
       running it, you will have to manually adjust them to use nntpsend
       which basically does the same thing, better.  Or, even greater, use
       innfeed if that is possible.

     * Wrappers around old Perl and Python authentication and access hooks,
       pre-dating INN 2.4.0 and identifiable by the *nnrpperlauth* and
       *nnrppythonauth* parameters in inn.conf, are no longer shipped as
       samples in INN releases.  If not already done, you should either
       replace old hooks with new modern hooks or use the possibilities
       readers.conf and regular authenticator and resolver programs offer.

     * The libauth.h header file and the libstorage library have been renamed
       to libinnauth.h and libinnstorage to homogenize their name with
       existing libinnhist library.  External programs building or linking
       against them need a manual change.

     If you are upgrading from a version prior to INN 2.6, see also
     "Upgrading from 2.5 to 2.6".


Changes from 2.6.5 to 2.7.0

     * Upgrading to a major release is a good time to ensure that your
       configuration files, that are usually kept untouched during normal
       updates, are up-to-date: notably control.ctl (with your local changes
       in a separate control.ctl.local file), new better default values in
       inn.conf and innfeed.conf, improvements in innreport.conf (along with
       innreport-display.conf) and innreport.css, fixes in innwatch.ctl,
       updated moderators and nocem.ctl files.

       You may also want to check that the PGP keys used to verify the
       signature of control articles and NoCeM notices are still up-to-date
       and working.  The keys of a few hierarchies and NoCeM issuers have
       recently changed.

     * Bo Lindbergh has implemented a new overview storage method based on
       SQLite, known for its long-term stability and compatibility.  Robust
       and faster at reading ranges of overview data, but somewhat slower at
       writing, this new SQLite-based method is a perfect choice to store
       overview data.

       To select it as your overview method, set the *ovmethod* parameter in
       inn.conf to "ovsqlite".  Details about ovsqlite, the ovsqlite.conf
       configuration file and how to switch to that new modern overview
       storage method can be found in the ovsqlite(5) and makehistory(8) man
       pages.

     * Julien Elie has implemented Cancel-Lock support in innd and nnrpd,
       based on RFC 8315 and libcanlock.  A new inn-secrets.conf
       configuration file has been added in *pathetc* wherein you can set the
       secrets to use for Cancel-Lock.  See the inn-secrets.conf(5) man page
       for more details.

       A new -F flag is recognized by innconfval to get the values of that
       new configuration file (run "innconfval -F inn-secrets.conf").
       Another new flag, -f, permits specifying a file different than the
       default one.

       The *addcanlockuser* parameter has been added in readers.conf to
       deactivate the generation of user-specific hashes when several
       different posters have the same identity in an access group.

     * Added a new tool, gencancel, to help the news administrator generate
       authenticated cancel control messages, with the expected admin
       Cancel-Key hashes.  See the gencancel(1) man page for more details.

     * A new *docancels* parameter has been added in inn.conf to define which
       types of cancels innd should process.  The -C flag given to innd is
       deprecated in favour of that new parameter (you'll see in your logs
       the message "innd -C flag has been deprecated and has no effect; use
       docancels in inn.conf" in case you're passing that flag to innd).

     * Andreas Kempe has implemented blacklistd support in nnrpd.  This
       daemon, available notably in FreeBSD and NetBSD, can be used to
       prevent brute force attacks by blocking attackers after a number of
       failed login attempts.  When nnrpd is run with the new -B flag, and
       INN has been configured with the new --with-blacklist option, it will
       report login attempts to the blacklistd daemon for potential blocking.

     * Building INN with TLS support using LibreSSL is now supported (only
       OpenSSL was previously officially supported and tested).

     * Fixed the parsing of *hosts* and *localaddress* parameters in
       readers.conf; exclusion patterns (beginning with "!") have not been
       working since INN 2.5.0.

     * Improved the robustness of innxmit when receiving 500 or 501 response
       codes from peers, indicating they do not understand the NNTP command
       or (wrongly) think there is a syntax error.  Richard Kettlewell added
       a proper handling of these responses, making innxmit dropping the
       refused article instead of keeping sending it over and over (and thus
       receiving each time the same error in response codes).

     * innreport now collects statistics from innxbatch and generates a
       section for them in its reports.

     * The innreport.conf file in *pathetc*, previously containing almost
       2500 lines, has been split into a general configuration file
       (innreport.conf itself, still in *pathetc*, with about 60 lines) and a
       display configuration file (innreport-display.conf, a new separate
       file in *pathlib*).  The name of this display configuration file can
       be parametered in the new *display_conf_file* option in
       innreport.conf.

     * The -m flag given to mailpost now sets a List-ID header field instead
       of a Mailing-List header field.

     * rc.news, used to start and stop INN daemons, now checks whether it is
       run as the news user.  It will exit if not the case, to ensure not to
       tamper with the ownership of files INN manipulates.

     * filechan has been removed; it was just a simple version of buffchan,
       which should now be used.

     * send-nntp has been removed; it was just a simple version of nntpsend,
       which should now be used (or, even better, innfeed).

     * The *refusecybercancels* and *verifycancels* parameters have been
       removed from inn.conf.  Besides, inews no longer checks if the From or
       Sender header fields of a cancel or supersede request match the ones
       of the original article being withdrawn.  All of these were either
       inefficient or inexact checks.

     * The *xbatch* parameter has been added in incoming.conf to enable the
       XBATCH command in innd for specific remote peers.  The default is to
       disable the capability.

     * The *nolist* and *noresendid* parameters in incoming.conf have been
       respectively renamed to *list* and *resendid* (and the meaning of
       their related boolean values is now the opposite).  Besides, the
       unused *comment* and *email* parameters in incoming.conf have been
       removed.

     * inews no longer adds a Sender header field nor overwrites an existing
       one in articles it processes if the new -P flag is used.  The Path
       header field, if unset, no longer systematically contains the path
       identity of the local news server (you may want to add it manually
       with the -x flag, if needed).  Finally, inews also no longer adds the
       obsolescent Lines header field.

     * A new -E flag can now be given to inews to silently discard empty
       articles, instead of bailing out with an error.  Another new -m flag
       permits setting the Message-ID instead of letting inews generate one.
       And a third new flag, -Y, forces inews to authenticate to the remote
       news server even if not asked to.

     * signcontrol has been removed as it embeds per-site configuration which
       is overwritten each time INN is updated to a newer version, and it is
       unlikely you ever need it.  Nonetheless, if you need to issue
       PGP-signed control messages, you can still download it from
       <https://ftp.isc.org/pub/pgpcontrol/>.

     * Support in controlchan for obsolete *sendsys*, *senduuname* and
       *version* control messages has been removed.  These control messages,
       long been deprecated, should no longer be sent nor honoured nowadays.
       Besides, the "doifarg" keyword in control.ctl is no longer recognized
       (it was only used for these three kinds of control messages).

     * The *require_ssl* parameter in readers.conf has been renamed to
       *require_encryption*, which is a better name as it applies to any kind
       of encryption layers, including TLS and SASL security layers.

     * Fixed the use of a deprecated API in Kerberos V5.  INN now requires
       version 1.6.1 or higher of MIT Kerberos v5 to build.

     * The libauth.h header file and the libstorage library have been renamed
       to libinnauth.h and libinnstorage to homogenize their name with
       existing libinnhist library.

     * All of the applicable bug fixes from the INN 2.6 STABLE series are
       also included in INN 2.7.


-- 
Julien ÉLIE

« – C'est une bonne situation ça, scribe ?
   – Oh, c'est une situation assise. » (Astérix)


More information about the inn-workers mailing list