+ngIRCd 27 (2024-04-26)
+
+ - Update ChangeLog, NEWS, AUTHORS.md & doc/Platforms.txt for ngIRCd 27.
+ - Clarify in the sample configuration file and the ngircd.conf(5) manual
+ page that the "CAFile" option is unset by default.
+ - Fix channel symbol returned in the RPL_NAMREPLY(353) numeric of NAMES
+ commands for secret (mode +s) channels: this should be "@", not "=".
+ Thanks Val Lorentz <progval+git@progval.net> for the patch!
+ Closes #313.
+ - Add an example filter file for "Fail2Ban": contrib/ngircd-fail2ban.conf.
+ - Don't abort startup when setgid/setuid() fails with EINVAL: Both setgid(2)
+ as well as setuid(2) can fail with EINVAL in addition to EPERM, their
+ manual pages state "EINVAL: The user/group ID specified in uid/gid is not
+ valid in this user namespace ". So not only treat EPERM as an "acceptable
+ error" and continue with logging the error, but do the same for EINVAL.
+ This was triggered by the Void Linux xbps-uunshare(1) tool used for
+ building "XBPS source packages" and reported by luca in #ngircd. Thanks!
+ - Test suite: Don't use "pgrep -u" when LOGNAME and USER are not set
+ Thanks for reporting this on IRC, luca!
+
+ ngIRCd 27~rc1 (2024-04-13)
+ - Validate certificates on server links. Up to now, ngIRCd optionally used
+ SSL/TLS encrypted server-server links but never checked and validated any
+ certificates. Now ngIRCd validates SSL/TLS certificates on outgoing
+ server-server links by default and drops(!) connections when the remote
+ certificate is invalid (for example self-signed, expired, not matching the
+ host name, ...). Therefore you have to make sure that all relevant
+ *certificates are valid* (or to disable certificate validation on this
+ connection using the new `SSLVerify = false` setting in the affected
+ `[Server]` block, where the remote certificate is not valid and you can not
+ fix this issue).
+ The original patch for OpenSSL dates back to 2009 and was written by Florian
+ Westphal and was extended for GnuTLS in 2014 by Christoph Biedl. But it took
+ us another 10 years to bring it to life ... oh my! Many thanks to both
+ Florian and Christoph!
+ Closes #120.
+ - Add support for the "sd_notify" protocol of systemd(8): Periodically
+ "ping" the service manager (every 3 seconds) and set a status message
+ showing current connection statistics which then is included in "systemctl
+ status ngircd.service" output. In addition, this enables using the
+ systemd(8) watchdog functionality ("WatchdogSec") for the "ngircd.service"
+ unit and allows it to use the "notify" service type, which results in
+ better status tracking by the service manager.
+ - Try to set file descriptor limit to its maximum and show info on startup:
+ The number of possible parallel connections is limited by the file
+ descriptor limit of the process (among other things). Therefore try to
+ upgrade the current "soft" limit to its "hard" maximum (but limited to
+ 100000 instead of "infinite"), and show an information or even warning when
+ the limit is still less than the configured "MaxConnections" setting. Please
+ note that ngIRCd and its linked libraries (like PAM) need file descriptors
+ not only for incoming and outgoing IRC connections, but for reading files
+ and inter-process communication, too! Therefore the actual connection limit
+ is less(!) than the file descriptor limit!
+ - Update and fix the logcheck(8) rules file.
+ - METADATA: Fix unsetting the "cloakhost" hostname, which did not result in
+ the original hostname being restored, but actually resulted in an empty
+ string being used as the client hostname -- which is a protocol violation.
+ - Update the "rpm" make target to use the rpmbuild(8) command.
+ - Add a "Docker file" (contrib/Dockerfile) and corresponding documentation
+ (doc/Container.md) to the project. The resulting container is based on the
+ latest Debian "stable-slim" container and built using a "build container".
+ - Remove outdated, unsupported and broken support for splint(1).
+ - Don't show the default config file name on config errors: The configuration
+ can be set in drop-in files in the include directory, too, so it is not
+ clear in which file it is actually missing.
+ - No longer use a default built-in value for the "IncludeDir" directive when
+ a configuration file was explicitly specified on the command line using
+ "--config"/"-f": This way no default include directory is scanned when a
+ possibly non-default configuration file is used which (intentionally) did
+ not specify an "IncludeDir" directive. So now you can use "-f /dev/null"
+ for checking all built-in defaults, regardless of any local configuration
+ files in the default drop-in directory (which would have been read in
+ until this change).
+ - No longer log channel keys ("passwords") for predefined channels.
+ - The server "Name" in the "[Global]" section of the configuration file no
+ longer needs to be set: When not set (or empty), ngIRCd now tries to
+ deduce a valid IRC server name from the local host name ("node name"),
+ possibly adding a ".host" extension when the host name does not contain a
+ dot (".") which is required in an IRC server name ("ID").
+ This new behavior, with all configuration parameters now being optional,
+ allows running ngIRCd without any configuration file at all.
+ - Silence some compiler warnings.
+ - autogen.sh: Prefer automake 1.11 over other releases because this is the
+ last release supporting "de-ANSI-fication" using the included ansi2knr tool.
+ And because we _want_ to support old K&R platforms, we try hard to use this
+ release of automake when available to generate our build system.
+ Note: This is only relevant for you if you are building from Git sources.
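Review bot: The "Validate certificates on server links" entry under 27~rc1 does not say which trust anchors are used for the new default validation, while the ngIRCd 27 section above states that "CAFile" is unset by default. Read together, an operator cannot tell from this text whether a link with a valid, CA-issued certificate will still be dropped until "CAFile" is configured. Suggest adding one sentence to that entry naming the option(s) that must be set for validation to succeed and pointing to ngircd.conf(5). The entry also only covers outgoing server-server links; it would help to state explicitly that incoming links are not validated, if that is the case, so nobody assumes mutual verification. Since `SSLVerify = false` is offered as the workaround, consider noting that it disables validation for that `[Server]` block only and leaves the link encrypted but unauthenticated. Smaller style points: the "Test suite: Don't use "pgrep -u" when LOGNAME and USER are not set" line lacks terminating punctuation before "Thanks for reporting ..."; there is a stray space before the closing quote in `in this user namespace ".`; and the "ngIRCd 27~rc1 (2024-04-13)" heading is not followed by a blank line the way the "ngIRCd 27 (2024-04-26)" heading is.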