Added a new groupexactcount parameter in readers.conf to force nnrpd to report the exact number of still existing articles in newsgroups instead of an estimated count. When the estimated number of articles is strictly below groupexactcount (set to 5 by default), nnrpd now recounts them and reports the actual value (articles that have been cancelled or overwritten in self-expiring CNFS buffers may otherwise still be counted in the estimate). News clients will then be directly aware of empty newsgroups; they would otherwise have tried to retrieve possible articles, to finally not show anything to the user.
Programs sending mails now include, when appropriate, an Auto-Submitted header field in the message headers (either set to auto-generated or auto-replied, following the recommendation in RFC 3834). Thanks to Harald Dunkel for this suggestion which will for instance help to avoid unnecessary vacation replies.
Added a new -a option to innmail to specify additional header fields to add in the headers of messages. This is notably used to internally support the addition of the Auto-Submitted header field in outgoing mails.
Added new ovsqlite-util program to perform some basic consistency checks and dump operations on an overview database using the ovsqlite method. More checks and features will be added in future releases. You'll need the DBI Perl module with the DBD::SQLite driver installed on your system to use this program.
Added TLS support in pullnews for connections to upstream servers configured in pullnews.marks, and to the downstream server in the existing -s flag. A port can now also be specified for connections to upstream servers (it was already possible for the downstream server only).
Added a new -L option to pullnews to specify the largest wanted article size in bytes. Articles whose size exceeds that value will no longer be downloaded by pullnews.
pullnews now detects a socket timeout while downloading articles from a remote peer. The download gracefully stops, and another attempt can be automatically made according to the setting given with the -t flag. Thanks to Jesse Rehmer for the bug report.
Fixed the generation and the handling of storage tokens on wrapped CNFS buffers, thanks to bug reports from Kamil Jonca:
Duplicate entries were returned by makehistory on fully wrapped cyclic buffers (the first article of the cyclic buffer appeared twice in the output).
The first article of a fully wrapped cyclic buffer was removed too soon from history (expire wrongly thought its storage token was no longer existing after a wrap).
The first article of the previous cycle number of a cyclic buffer containing articles from two different cycle numbers was wrongly considered by makehistory to belong to the current cycle number.
innd no longer dies when a newsfeeds entry has an unexpected trailing whitespace.
The size of duplicated articles was counted twice in totals, average article sizes and graphs by innreport, when parsing innd checkpoints. Thanks to Hauke Lampe for the patch to count it only once.
Customizing the domain part of Message-IDs generated by nnrpd and the server name indicated in Injection-Info header fields is now easier: the domain parameter in the access blocks of readers.conf can be directly used (without needing to set virtualhost, as was previously the case).
If the domain parameter is set in inn.conf or in a readers.conf access block, and has invalid characters, or if the fully qualified domain name (FQDN) of the news server has invalid characters when domain is unset, a fatal error is now reported at startup. It is a basic configuration error which otherwise leads to the generation of invalid article Message-IDs.
Improved the speed of article searches with HDR, LAST, NEXT, and XPAT commands when there is a (huge) gap in article numbers. On newsgroups with several millions of consecutive missing articles (which is a rare situation), these commands could take several seconds to run.
Incoming articles in newsgroups that have exceeded the maximum number of articles they can contain (2^31-1) are now correctly rejected. INN was otherwise happily accepting them but either numbers returned in NNTP responses were not right, or some news clients choked when receiving unexpected large article numbers. (The current version of the NNTP protocol only allows article numbers up to 2^31-1.)
Fixed the renumbering of reported low water marks for empty newsgroups in active after overview expiration, when using the ovsqlite method. They were set to 1 for empty newsgroups whereas they were not supposed to decrease. (These reported low water marks regained their expected values during the next overview expiration, provided that the newsgroup was no longer empty.)
The reported high water mark of empty newsgroups is now correctly set to one less than the reported low water mark in overview data. (Previously, the reported low water mark was set to one more than the reported high water mark.)
Fixed the output of the ctlinnd feedinfo '' command that was returning information only for the first site, and the output of the ctlinnd name channel command that was returning partial information for the requested channel.
The build of external programs which include inn/storage.h was failing because of the unexpected inclusion of config.h in one of the included headers. Also, a few Autoconf results were not correctly made available to external programs. This is now fixed.
Fixed the build on systems whose default shell does not completely meet the POSIX standard. A few build scripts were run with the default shell instead of the one found by Autoconf and afterwards used for INN.
Use standard daemon(3) C function, when available, to daemonize innd, nnrpd, ovdb_server and ovsqlite-server instead of an INN-specific function.
The following changes require your full attention because a manual intervention may be needed:
The require_ssl parameter in readers.conf has been renamed to require_encryption as it applies to any kind of encryption layers, including TLS and SASL security layers. Since innupgrade only takes care of the change in the file named readers.conf, you will have to manually rename that parameter in configuration files for nnrpd with an alternate name.
The innreport.conf file in pathetc has been split into a general configuration file (innreport.conf itself) and a display configuration file (innreport-display.conf in pathlib). If you made local changes in sections other than the default section in innreport.conf, and wish to keep them, then you need to rename the new innreport-display.conf file to another name in pathlib, set this local file name in the new display_conf_file option in innreport.conf, and re-apply your local changes to that local display configuration file.
As a matter of fact, the default display configuration file would otherwise be overwritten each time INN is updated. Bug fixes or enhancements are made from time to time to the display configuration of innreport, and previously couldn't be automatically merged in innreport.conf on update. This new separate configuration file to parameterize the display will now permit an automatic update (if of course you use the default display configuration file).
A new inn-secrets.conf configuration file has been added in pathetc. The intent is that, from now on, new secrets used by INN are added to that file, and that all secrets currently stored in several other configuration files eventually move to that file. Make sure it is properly created during the upgrade, and not world-readable. It currently only stores the secrets used for the new Cancel-Lock functionality.
The -C flag given to innd to disable the execution of cancels has been deprecated and is no longer taken into account (an error message will be present in your logs if innd is started with it). Instead, a new parameter has been added in inn.conf to tune the types of cancels innd should process. If docancels is set to require-auth, which is the default if INN has Cancel-Lock support, only articles originally protected by the Cancel-Lock authentication mechanism can be withdrawn by a valid authenticated cancel article or a valid authenticated supersede request. Withdrawals of articles not originally protected by Cancel-Lock will not be executed. See inn.conf(5) for more details about the different values of the new docancels parameter, and make sure to parameterize it according to your needs.
The refusecybercancels and verifycancels parameters have been removed from inn.conf. The first was performing an inefficient and inexact check (that should be done, if wanted, in the special ME entry in newsfeeds, or even better, ask your peers not to feed you articles with cyberspam in the Path header field body); the second check performed on the newsgroups present in cancel articles was not useful in innd (this check is relevant to posting agents).
The related lines in inn.conf will be commented by innupgrade during the upgrade.
The XBATCH command is no longer enabled by default in innd. You'll have to explicitly enable that capability by setting the new xbatch parameter to true in incoming.conf for the peers sending you such compressed batches.
The nolist and noresendid parameters in incoming.conf have been respectively renamed to list and resendid (and the meaning of their related boolean values is now the opposite). Besides, the unused comment and email parameters in incoming.conf have been removed. innupgrade will take care of the changes (inverting the boolean values, and commenting the lines with removed parameters).
filechan is no longer shipped with INN; it was just a simple version of buffchan. All calls to filechan will be changed to buffchan -u (for its unbuffered mode) in newsfeeds by innupgrade. If you have local scripts running filechan, you will have to manually take care of the change.
send-nntp is no longer shipped with INN. If you have local scripts running it, you will have to manually adjust them to use nntpsend which basically does the same thing, better. Or, even better, use innfeed if that is possible.
Wrappers around old Perl and Python authentication and access hooks, pre-dating INN 2.4.0 and identifiable by the nnrpperlauth and nnrppythonauth parameters in inn.conf, are no longer shipped as samples in INN releases. If not already done, you should either replace old hooks with new modern hooks or use the possibilities that readers.conf and regular authenticator and resolver programs offer.
The libauth.h header file and the libstorage library have been renamed to libinnauth.h and libinnstorage to homogenize their name with existing libinnhist library. External programs building or linking against them need a manual change.
If you are upgrading from a version prior to INN 2.6, see also Upgrading from 2.5 to 2.6.
Upgrading to a major release is a good time to ensure that your configuration files, that are usually kept untouched during normal updates, are up-to-date: notably control.ctl (with your local changes in a separate control.ctl.local file), new better default values in inn.conf and innfeed.conf, improvements in innreport.conf (along with innreport-display.conf) and innreport.css, fixes in innwatch.ctl, updated moderators and nocem.ctl files.
You may also want to check that the PGP keys used to verify the signature of control articles and NoCeM notices are still up-to-date and working. The keys of a few hierarchies and NoCeM issuers have recently changed.
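The manual-intervention items above can be checked mechanically before restarting the upgraded server. The script below is an added example, not part of INN or of these release notes: it scans a configuration directory for parameters the notes list as renamed or removed, for remaining calls to filechan and send-nntp, and verifies that inn-secrets.conf exists and is not world-readable. The function names, output labels and the sample files it builds when run without an argument are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not INN code: audit a configuration directory against the
# manual-intervention items of the INN 2.7 upgrade notes.

# Parameters renamed or removed in 2.7 (names taken from the notes above).
STALE_PARAMS='require_ssl|refusecybercancels|verifycancels|nolist|noresendid|nnrpperlauth|nnrppythonauth'

# Print "file:line:text" for each uncommented use of a stale parameter in any
# file under $1. Every file is scanned because innupgrade only rewrites the
# standard file names, not alternate-named nnrpd configuration files.
stale_params() {
    find "$1" -type f -exec \
        grep -En "^[[:space:]]*(${STALE_PARAMS})[[:space:]]*:" /dev/null {} + \
        || true
}

# Print "file:line:text" for lines under $1 that still call filechan or
# send-nntp, which are no longer shipped. Comment lines are skipped.
removed_programs() {
    find "$1" -type f -exec \
        grep -Ewn 'filechan|send-nntp' /dev/null {} + \
        | grep -Ev '^[^:]*:[0-9]+:[[:space:]]*#' || true
}

# Print the state of $1/inn-secrets.conf: missing, world-readable or ok.
secrets_state() {
    f="$1/inn-secrets.conf"
    if [ ! -f "$f" ]; then
        echo missing
    elif [ -n "$(find "$f" -prune -perm -004 -print)" ]; then
        echo world-readable
    else
        echo ok
    fi
}

# Run all checks on directory $1 and print one labelled line per finding.
audit_inn27() {
    stale_params "$1" | sed 's/^/STALE-PARAM /'
    removed_programs "$1" | sed 's/^/REMOVED-PROGRAM /'
    state=$(secrets_state "$1")
    [ "$state" = ok ] || echo "SECRETS $1/inn-secrets.conf is $state"
    return 0
}

# Build a small constructed configuration tree in $1 for demonstration.
# File names, contents and paths are made up for this example.
make_sample() {
    mkdir -p "$1"
    cat > "$1/readers-tls.conf" <<'EOF'
auth "tls" {
    hosts: "*"
    require_ssl: true
}
EOF
    cat > "$1/inn.conf" <<'EOF'
#refusecybercancels: false
verifycancels: false
EOF
    cat > "$1/newsfeeds" <<'EOF'
# old: filechan
archive:*:Tc,WnR:/usr/lib/news/bin/filechan
EOF
    : > "$1/inn-secrets.conf"
    chmod 644 "$1/inn-secrets.conf"
}

# With a directory argument, audit it; without one, audit constructed samples.
if [ "$#" -gt 0 ]; then
    audit_inn27 "$1"
else
    demo=$(mktemp -d) && make_sample "$demo" && audit_inn27 "$demo"
    rm -rf "$demo"
fi
```

Lines already commented out by innupgrade are not reported, so a clean run on the standard files is expected after the upgrade; findings typically come from alternate-named files and local scripts.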
Bo Lindbergh has implemented a new overview storage method based on SQLite, known for its long-term stability and compatibility. Robust and faster at reading ranges of overview data, but somewhat slower at writing, this new SQLite-based method is a perfect choice to store overview data.
To select it as your overview method, set the ovmethod parameter in inn.conf to ovsqlite. Details about ovsqlite, the ovsqlite.conf configuration file and how to switch to that new modern overview storage method can be found in the ovsqlite(5) and makehistory(8) man pages.
Julien Elie has implemented Cancel-Lock support in innd and nnrpd, based on RFC 8315 and libcanlock. A new inn-secrets.conf configuration file has been added in pathetc wherein you can set the secrets to use for Cancel-Lock. See the inn-secrets.conf(5) man page for more details.
A new -F flag is recognized by innconfval to indicate the type of file to parse (by default, inn.conf); just run innconfval -F inn-secrets.conf to get the values of that new configuration file. Another new flag, -f, permits specifying another file name to parse than the standard one.
The addcanlockuser parameter has been added in readers.conf to deactivate the generation of user-specific hashes when several different posters have the same identity in an access group. This parameter also permits setting whether the hash, when generated, is based on the username or the (static) IP of the connection.
Added a new tool, gencancel, to help the news administrator generate authenticated cancel control messages, with the expected admin Cancel-Key hashes. See the gencancel(1) man page for more details.
A new docancels parameter has been added in inn.conf to define which types of cancels innd should process. The -C flag given to innd is deprecated in favour of that new parameter (you'll see in your logs the message "innd -C flag has been deprecated and has no effect; use docancels in inn.conf" in case you're passing that flag to innd).
Andreas Kempe has implemented blacklistd support in nnrpd. This daemon, available notably in FreeBSD and NetBSD, can be used to prevent brute force attacks by blocking attackers after a number of failed login attempts. When nnrpd is run with the new -B flag, and INN has been configured with the new --with-blacklist option, it will report login attempts to the blacklistd daemon for potential blocking.
Building INN with TLS support using LibreSSL is now supported (only OpenSSL was previously officially supported and tested).
Fixed the parsing of hosts and localaddress parameters in readers.conf; exclusion patterns (beginning with !) have not been working since INN 2.5.0.
Improved the robustness of innxmit when receiving 500 or 501 response codes from peers, indicating they do not understand the NNTP command or (wrongly) think there is a syntax error. Richard Kettlewell added a proper handling of these responses, making innxmit drop the refused article instead of sending it over and over (and thus receiving each time the same error in response codes).
innreport now collects statistics from innxbatch and generates a section for them in its reports.
The innreport.conf file in pathetc, previously containing almost 2500 lines, has been split into a general configuration file (innreport.conf itself, still in pathetc, with about 60 lines) and a display configuration file (innreport-display.conf, a new separate file in pathlib). The name of this display configuration file can be parameterized in the new display_conf_file option in innreport.conf.
The -m flag given to mailpost now sets a List-ID header field instead of a Mailing-List header field.
rc.news, used to start and stop INN daemons, now checks whether it is run as the news user. It will exit if not the case, to ensure not to tamper with the ownership of files INN manipulates.
filechan has been removed; it was just a simple version of buffchan, which should now be used.
send-nntp has been removed; it was just a simple version of nntpsend, which should now be used (or, even better, innfeed).
The refusecybercancels and verifycancels parameters have been removed from inn.conf. Besides, inews no longer checks if the From or Sender header fields of a cancel or supersede request match the ones of the original article being withdrawn. All of these were either inefficient or inexact checks.
The xbatch parameter has been added in incoming.conf to enable the XBATCH command in innd for specific remote peers. The default is to disable the capability.
The nolist and noresendid parameters in incoming.conf have been respectively renamed to list and resendid (and the meaning of their related boolean values is now the opposite). Besides, the unused comment and email parameters in incoming.conf have been removed.
inews no longer adds a Sender header field nor overwrites an existing one in articles it processes if the new -P flag is used. The Path header field, if unset, no longer systematically contains the path identity of the local news server (you may want to add it manually with the -x flag, if needed). Finally, inews also no longer adds the obsolescent Lines header field.
A new -E flag can now be given to inews to silently discard empty articles, instead of bailing out with an error. Another new -m flag permits setting the Message-ID instead of letting inews generate one. And a third new flag, -Y, forces inews to authenticate to the remote news server even if not asked to.
signcontrol has been removed as it embeds per-site configuration which is overwritten each time INN is updated to a newer version, and it is unlikely you ever need it. Nonetheless, if you need to issue PGP-signed control messages, you can still download it from <https://ftp.isc.org/pub/pgpcontrol/>.
Support in controlchan for obsolete sendsys, senduuname and version control messages has been removed. These control messages, long deprecated, should no longer be sent nor honoured nowadays. Besides, the doifarg keyword in control.ctl is no longer recognized (it was only used for these three kinds of control messages).
The require_ssl parameter in readers.conf has been renamed to require_encryption, which is a better name as it applies to any kind of encryption layers, including TLS and SASL security layers.
Fixed the use of a deprecated API in Kerberos V5. INN now requires version 1.6.1 or higher of MIT Kerberos v5 to build.
The libauth.h header file and the libstorage library have been renamed to libinnauth.h and libinnstorage to homogenize their name with existing libinnhist library.
All of the applicable bug fixes from the INN 2.6 STABLE series are also included in INN 2.7.
A new step in INN development has been achieved with the migration of the INN project to GitHub. We now make use of the features GitHub provides: issue tracker, pull requests, continuous integration, a user-friendly interface to browse the code, etc. Our Subversion repository has therefore been migrated to Git, and our Trac tickets to the GitHub issue tracker.
An up-to-date nocem.ctl file is provided with this release. You should manually update your nocem.ctl file with the new information recorded about NoCeM issuers, and make sure the right PGP keys are present on your system.
Up-to-date control.ctl and moderators files are provided with this release. You should manually update them (notably for the fido7.* hierarchy).
Added a stricter validation of article numbers given in NNTP commands so that numbers greater than 2^31 are correctly considered invalid. Thanks to Richard Kettlewell for the patch.
Added a check in rc.news for the existence of the pathrun directory. INN won't start until this directory is writable. Previously, it bailed out quickly after starting, without clear logs about why it failed.
Fixed parallel builds using make -j. Thanks to Richard Kettlewell for the patch.
nnrpd now properly gathers timer statistics when a compression layer is active.
nnrpd now properly discards data received from a news client after a timeout when a TLS layer is active. It previously tried to read incoming data before closing the socket, leading to decoding errors from an underlying compression or SASL layer.
innfeed and ovdb_stat now generate status reports in valid HTML syntax.
Fixed a bug in the buffindexed overview that prevented it from working on several systems, amongst them FreeBSD. Unsupported, and useless, permission bits were given to semaphores.
Fixed the detection of library paths at configure time: multilib directories (lib32 or lib64) are now also used if they exist, even if the system does not use multilib. It will notably fix the detection of the OpenSSL 3.0.0 library.
The tlscertfile parameter in inn.conf now permits the use of a complete certificate chain, instead of necessarily having to use tlscafile for additional certificates.
Added support for the new OpenSSL 3.0.0 API, which deprecated a few functions.
The inn.conf default value for tlsprotocols no longer contains TLS versions 1.0 and 1.1, which have been deprecated by RFC 8996.
A new inn.conf parameter has been added to tune the length of the queue of pending connections to innd, nnrpd and the ovdb overview storage method: the maxlisten parameter now permits configuring their listen backlog, whose previously hard-coded values were 128 for nnrpd and 25 for the others, which was not high enough for some uses. The default value is now 128 for all of them, and configurable in inn.conf. Thanks to Kevin Bowling for the patch.
The name of seven man pages for routines built in libinn(3) are now prefixed with libinn_ so as not to consume namespace and conflict with other packages (notably, the list(3) and uwildmat(3) man pages are now named libinn_list(3) and libinn_uwildmat(3)).
Other minor bug fixes and documentation improvements, notably a revised installation checklist and a section summarizing the most used configuration at the beginning of a few complex man pages.
Added support for systemd notifications and socket activation. Use of more features provided by systemd, including more notifications, will come in future releases. Thanks to Marco d'Itri for this first systemd integration into INN.
nnrpd now adapts the length of the DH parameter used during a DHE key exchange so as to comply with the security level OpenSSL 1.1.0 or later expects. Thanks to Michael Baeuerle for the bug report.
cnfsstat now also returns information about retired CNFS buffers: buffers mentioned in cycbuff.conf as a cycbuff but not declared in a metacycbuff.
Switch default innreport behaviour to the common practice of externalizing CSS into a separate file. Its name can be configured with the html_css_url parameter in innreport.conf. If this parameter is unset, the default innreport.css file name will be used and innreport will generate this CSS file for you. Previously generated reports are kept untouched, though, and will still contain inline CSS if you had not already set the html_css_url parameter in previous INN versions. Thanks to Richard Kettlewell for the patch.
sm can now read and store any number of articles given in wire format on its standard input when both -s and -R are used. Only native format was previously possible. Thanks to Bo Lindbergh for the patch.
Added new -a flag to rnews to disallow, if needed, the use of additional unpackers from the rnews.libexec sub-directory of pathbin (as set in inn.conf); only rnews and cunbatch will then be recognized as valid batch commands.
Added new -b flag to rnews to save rejected articles in the bad sub-directory of pathincoming (as set in inn.conf). Otherwise, rnews just logs and discards any articles that are rejected or cannot be parsed for some reason.
Added new -d flag to rnews to log via syslog the Message-ID and the Path header body of each article rejected as a duplicate.
Added new --enable-hardening-flags configure-time option, enabled by default, to use hardening build flags like -fPIE and -fstack-protector-strong. This option can easily be disabled if the compiler or the platform does not support them well. More hardening build flags will eventually be added in future releases.
Fixed the selection of the elliptic curve to use with OpenSSL 1.1.0 or later; NIST P-256 was enforced instead of using the most secure curve.
A new inn.conf parameter has been added to fine-tune the cipher suites to use with TLS 1.3: the tlsciphers13 parameter now permits configuring them. A separate cipher suite configuration parameter is needed for TLS 1.3 because TLS 1.3 cipher suites are not compatible with TLS 1.2, and vice-versa. In order to avoid issues where a legacy TLS 1.2 cipher suite configuration set in the tlsciphers parameter would inadvertently disable all TLS 1.3 cipher suites, the inn.conf configuration has been separated out.
Fixed a regression since INN 2.6.1 that prevented articles with internationalized header fields (that is to say encoded in UTF-8) from being posted.
Support for Python 3 has been added to INN. Embedded Python filtering and authentication hooks for innd and nnrpd can now use version 3.3.0 or later of the Python interpreter. In the 2.x series, version 2.3.0 or later is still supported.
When configuring INN with the --with-python flag, the PYTHON environment variable, when set, is used to select the interpreter to embed. Otherwise, it is searched in standard paths.
In case you change the Python interpreter to embed, make sure that the Python scripts you use are written in the expected syntax for that version of the Python interpreter. Notably, buffer objects have been replaced with memoryview objects in Python 3, and UTF-8 encoding now really matters for string literals (Python 3 uses bytes and Unicode objects).
INN documentation and samples of Python hooks have been updated to provide more examples.
When a Python or Perl filter hook rejects an article, innd now mentions the reason in response to CHECK and TAKETHIS commands. Previously, the reason was given only for the IHAVE command.
nnrpd now properly logs the hostname of clients whose connection failed owing to an issue during the negotiation of a TLS session or high load average.
A new syntaxchecks parameter has been added in inn.conf. It permits controlling the level of checks performed by innd and nnrpd. Up to now, only one check can be enabled/disabled: when laxmid is mentioned in the values of this new parameter, INN accepts Message-IDs that contain .. in the left part, as well as Message-IDs with two @ (such Message-IDs would otherwise be considered as syntactically invalid). See the inn.conf(5) man page for more details.
The check is disabled by default (no-laxmid), which corresponds to the legacy behaviour of INN 2.6.1 and earlier.
Use of the ovdb_server helper server is now the default when using the ovdb overview method, that is to say the default value for the readserver parameter in ovdb.conf is now set to true. It improves stability and avoids deadlocks, timing issues and corrupted ovdb databases.
mailpost now removes empty header fields before attempting to post articles, and keeps trace of them in the newly generated X-Mailpost-Empty-Hdrs header field body. Also, mailpost now sanitizes header fields with regards to empty continuation header lines. Thanks to Kamil Jonca for these bug reports.
A new -z parameter has been added to mailpost to mention a list of header fields to remove from the gated message. Thanks to Dieter Stussy for the patch.
Fixed a bug in inews that was rejecting articles containing header fields whose length exceeded 998 bytes. This limitation is for the length of a single line of a header field (and not for the length of the whole header field, as it was wrongly the case).
Added support for GnuPG's gpg binary (in addition to gpgv) in pgpverify. Indeed, gpg still validates signatures made with weak digest algorithms like MD5 whereas gpgv no longer does. Thanks to Thomas Hochstein for the patch, which permits validating control articles for hierarchies that are still using old PGP keys.
Added similar support for GnuPG's gpg binary in perl-nocem to validate NoCeM notices from issuers who are still using old PGP keys.
A few commands listed in the "Control commands to INND" section in daily Usenet reports were appearing as a mere letter; all of them are now properly converted to meaningful words.
The tlsprotocols parameter in inn.conf now recognizes the TLSv1.3 value (for OpenSSL versions implementing TLS 1.3, that is to say starting from OpenSSL 1.1.1).
The buffindexed overview method will now hopefully work properly on systems with a native page size larger than 16KB.
Other minor bug fixes and documentation improvements.
nnrpd now uses -0000 as the time zone for Date and Injection-Date header fields it generates. It was previously using +0000, wrongly systematically indicating a local time zone at Universal Time when localtime is set to false (which is the default) in readers.conf. The +0000 time zone will now be used only if localtime is set to true and UTC is really the local time zone of the server.
Julien Elie has implemented in nnrpd the new COMPRESS command described in the draft-murchison-nntp-compress Internet-Draft that extends the NNTP protocol to allow a connection to be effectively and efficiently compressed. News clients that also support that extension will be able to benefit from that bandwidth optimization and improvement in speed. Moreover, using COMPRESS is more secure than TLS-level compression, as far as authentication credentials are concerned.
The default value for the tlscompression parameter in inn.conf has changed. TLS-level compression is now disabled by default, to comply with the best current practices for a secure use of TLS in application protocols like NNTP. Using the new COMPRESS command is recommended.
The tlscompression parameter in inn.conf now also permits disabling TLS-level compression with OpenSSL 0.9.8. It previously had an effect only when OpenSSL 1.0.0 or later was used.
rnews no longer segfaults at startup when started setuid news. Thanks to Marcus Jodorf for the bug report.
Fixed slow nnrpd responses for a few NNTP commands. The TCP_NODELAY option was unconditionally set whereas only BSD/OS systems needed it. Thanks to Christian Mock for having discovered that.
Articles containing a Received or a Posted header field are no longer rejected by nnrpd at injection time.
Articles containing control characters or whitespace-only content lines in their headers are now rejected by nnrpd at injection time.
OpenSSL 1.1.0 support has been added to INN.
When an encryption layer is negotiated during a successful use of the STARTTLS command, or after a successful authentication using an SASL mechanism that negotiates an encryption layer, nnrpd now updates the permissions of the news client according to the new secure state of its connection (that is to say auth blocks in readers.conf using the require_ssl parameter are taken into account). Previously, only connections on a dedicated port (usually 563) were benefiting from that parameter. Thanks to Steve Crook for the bug report.
When a data integrity layer was negotiated during a successful SASL authentication, nnrpd was wrongly resetting any knowledge obtained from the client, such as the current newsgroup and article number. This behaviour now applies only when an encryption layer is negotiated.
nntpsend now correctly waits until all of the child innxmit processes exit before it does. It was causing nntpsend to fail to work properly on systems that use systemd, because when it exits prematurely, systemd kills all of the processes it launched, including the innxmit processes. Thanks to Jonathan Kamens for the patch.
Update from GNU Libtool 2.4.2 to 2.4.6.
Other minor bug fixes and documentation improvements.
The following changes require your full attention because a manual intervention may be needed:
The name and location of the pullnews configuration file have changed. It is now pullnews.marks, located in pathdb when pullnews is run as the news user, or otherwise in the running user's home directory. This file was previously stored in .pullnews in the running user's home directory (even for the news user). If you use pullnews, you need to manually move and rename the configuration file; otherwise, it will no longer work. Note that the -c flag passed to pullnews allows specifying another configuration file, if need be.
The default location of the mailpost database directory has changed from pathtmp to pathdb. If you use mailpost without an explicitly specified database directory (using the -b flag), then you should manually move your current database files mailpost-msgid.dir and mailpost-msgid.pag from pathtmp to pathdb.
If you have been using TLS/SSL with nnrpd before, be aware that the default values of a few inn.conf parameters have changed: the server now decides the preferred cipher (instead of the client), and only TLS protocols are allowed (using the flawed SSLv2 and SSLv3 protocols is now disabled). If you want to change these settings, the respective tlspreferserverciphers and tlsprotocols parameters can be tuned to your needs.
The --with-kerberos configure flag used to add Kerberos v5 support has been renamed to --with-krb5.
The --with-berkeleydb configure flag used to add Berkeley DB support has been renamed to --with-bdb.
The --enable-ipv6 configure flag no longer exists. IPv6 is now unconditionally enabled, if available.
$HOME is no longer exported as an environment variable by innshellvars, innshellvars.tcl and the Perl module INN::Config. It was previously overriding the default user home directory with pathnews. If you use these scripts in your own scripts, you will have to take care of that change.
Owing to the implementation of RFC 4643 (AUTHINFO USER/PASS) in innd, if remote peers have to authenticate in order to feed articles, they now have to send a username (which was previously wrongly optional), before sending their password. The mandatory username, though currently unused by innd, can be whatever the remote peer wishes. In previous versions of INN, inncheck was already complaining when passwd.nntp contained an empty username associated with a password.
A manual review of authenticated feeds should then be done so as to ensure that they are properly working.
The Injection-Date and Injection-Info header fields are now generated by nnrpd at injection time instead of the NNTP-Posting-Date, NNTP-Posting-Host, X-Complaints-To and X-Trace header fields. Local scripts that were using (for authentication, privacy, etc.) these now deprecated header fields should be updated. Also note that the Path header field of locally posted articles can also contain the contents of the deprecated NNTP-Posting-Host header field.
The two addnntppostingdate and addnntppostinghost parameters in inn.conf have been respectively renamed to addinjectiondate and addinjectionpostinghost. innupgrade takes care of the modification only for inn.conf; a manual change will therefore be needed for readers.conf, if these parameters are overridden in this file.
The default values of a few inn.conf parameters have changed to make use of the vastly expanded storage and RAM commonly available today: datamovethreshold (from 8192 to 16384), msgidcachesize (from 16000 to 64000), overcachesize (from 64 to 128), and wireformat (now enabled by default).
The generation of status reports and performance timings is now also enabled by default: logstatus and nnrpdoverstats parameters, with a frequency of 10 minutes (status and timer parameters).
The default value of max-queue-size has changed from 5 to 20, and use-mmap now defaults to true for innfeed.conf.
If you are upgrading from a version prior to INN 2.5, see also Upgrading from 2.4 to 2.5.
The NNTP protocol requires a username to be sent before a password when authentication is used. innd was wrongly allowing only a password to be sent by authenticated peers. See the note above for more details.
The Lines header field is no longer generated by nnrpd at injection time.
The Injection-Date header field is now generated by nnrpd at injection time instead of the deprecated NNTP-Posting-Date header field, when addinjectiondate is set to true. Note that addnntppostingdate has been renamed to addinjectiondate in inn.conf.
The Injection-Info header field is now generated by nnrpd at injection time instead of the deprecated NNTP-Posting-Host (when addinjectionpostinghost is set to true), X-Complaints-To and X-Trace header fields. Note that addnntppostinghost has been renamed to addinjectionpostinghost in inn.conf. The Path header field of locally posted articles now also contains the contents of the NNTP-Posting-Host header field.
A new addinjectionpostingaccount parameter has been added in inn.conf. When set to true, the Injection-Info header field contains an additional posting-account attribute that mentions the username assigned to the user at connection time or after authentication. The default value for this parameter is false.
A few header fields are now considered as obsolete by nnrpd at injection time: NNTP-Posting-Date, NNTP-Posting-Host, X-Complaints-To, X-Trace, Also-Control, Article-Names, Article-Updates, and See-Also header fields.
Besides, nnrpd will similarly reject obsolete sendsys, senduuname and version control messages.
The presence of a Subject header field beginning with cmsg no longer causes an article to be interpreted as a control message by nnrpd at injection time.
nnrpd no longer differentiates IHAVE from POST. Articles injected with IHAVE are now treated as though they were injected with POST. It means that if the previous behaviour of IHAVE was expected, innd itself should handle the connection instead of nnrpd.
The name of the pullnews configuration file is now pullnews.marks located in pathdb when pullnews is run as the news user, or otherwise in the running user's home directory. It was previously stored in .pullnews in the running user's home directory (even for the news user).
Fixed a leak of semaphores when using buffindexed. Thanks to Richard Kettlewell for having fixed the issue.
Building with Libtool is no longer optional. The --enable-libtool option to configure has been removed.
DESTDIR and non-root installs are now properly supported and documented in INSTALL. The make install, make update and make cert steps properly obey DESTDIR. Besides, it is no longer a requirement that the installation step be done by the superuser, as long as the user executing the install has supplied a DESTDIR value that points to a writable directory, and the person or process performing the install corrects the file ownerships when INN is installed on the system on which it's going to run. Thanks to James Ralston for this support.
When building INN with Berkeley DB, Cyrus SASL, Kerberos v5, OpenSSL, or zlib support, no longer add standard locations to compiler and linker include flags. Such default paths are now added only if explicitly given to one or more of the --with-bdb, --with-bdb-include, --with-bdb-lib, --with-sasl, --with-sasl-include, --with-sasl-lib, --with-krb5, --with-krb5-include, --with-krb5-lib, --with-openssl, --with-openssl-include, --with-openssl-lib, --with-zlib, --with-zlib-include, or --with-zlib-lib configure flags (the flags ending with -include and -lib are new in INN 2.6.0).
If the Berkeley DB, Cyrus SASL, Kerberos v5, or OpenSSL SSL and crypto libraries are found at configure time, INN will now be built with support for them unless respectively the --without-bdb, --without-sasl, --without-krb5, or --without-openssl flags are explicitly passed to configure.
Note that it was already the default behaviour for zlib support when Berkeley DB support was also enabled.
The configure flag --enable-reduced-depends has been added to request that library probes assume shared libraries are in use and dependencies of libraries should not be probed. It therefore tries to minimize the shared library dependencies of the resulting binaries on platforms with proper shared library dependencies. This is not enabled by default, and is of interest primarily to people building packages for distributions.
Building INN with Python support now requires the use of Python 2.2.0 or later as the distutils.sysconfig module used was introduced with Python 2.2.0.
The INN test suite driver is now fully synchronized with the upstream version of the C TAP Harness package maintained by Russ Allbery. Keeping the INN test suite driver up-to-date will be possible thanks to a new getc-tap-harness script in the support directory that automatically fetches the latest upstream changes.
Similarly, the new getrra-c-util script permits keeping most of the utility and portability functions synchronized with the upstream version of the rra-c-util package maintained by Russ Allbery.
Other minor bug fixes and documentation improvements.
All of the applicable bug fixes from the INN 2.5 STABLE series are also included in INN 2.6.
New inn.conf parameters used by nnrpd to fine-tune the TLS/SSL configuration have been added: tlsciphers, tlscompression, tlseccurve, tlspreferserverciphers, and tlsprotocols. Many thanks to Christian Mock for his contribution that permits tightening the level of security provided by TLS/SSL.
innwatch no longer creates a child process only for sleeping and then waits on that process. The forked-off process only died after it had finished sleeping, which caused the INN service to drop into maintenance state when, for instance, running under SMF on illumos/Solaris (since not all processes die within the timeout). Thanks to Lauri Tirkkonen for the patch.
innd no longer crashes if a channel is supposed to sleep but does not define a waker callback function. Also, the highest file descriptor of sleeping channels is now properly updated. Thanks to Petr Novopashenniy for the bug report.
Add new -i flag to both cnfsstat and innwatch to specify how many seconds they should sleep at startup. It will especially be useful in rc.news so that these scripts are actually started and then sleep by themselves, instead of being started a minute after innd and therefore not being properly stopped if rc.news stop is invoked during that minute.
Add new -f flag to innwatch to specify the configuration file to use, in case it is not the default innwatch.ctl file.
Add new -t flag to mailpost to change, if needed, the default directory to use to temporarily store error messages that are sent to the newsmaster. Two paths are now tried by default: pathtmp as set in inn.conf, and then /var/tmp if pathtmp is not writable.
When the creation of a newsgroup needed expanding the tradindexed group index, an already-running nnrpd was not automatically noticing newly created newsgroups. Richard Kettlewell fixed that issue.
Fixed flushing of CNFS buffers when using NFS storage.
Fixed how innupgrade is executed during an update of an INN installation; on a few systems like AIX, it fails to run because its taint mode was improperly declared.
Several improvements have been contributed to pullnews by Geraint Edwards: the new -a flag adds the Diablo-compatible hashfeed ability, the new -B flag triggers header-only feeding, the -m flag now permits removing header fields matching (or not) a given regexp, and rnews reporting is improved.
innreport now properly takes into account the time nnrpd spends writing when using SASL.
scanlogs now only shows the first 50 lines from error log files. Otherwise, all of them were present verbatim in the daily report, and the resulting e-mail could bounce owing to its length. Thanks to Jeffrey M. Vinocur for the bug report.
Fixed the use of the legacy AUTHINFO GENERIC command, which had been broken since INN 2.4.0 (therefore proving readers probably no longer use that method to authenticate). Thanks to Richard Kettlewell for having noticed it nonetheless, and for contributing to tightening the security of the replies to this command.
Add the nnrp.access2readers.conf contribution script written by Jeffrey M. Vinocur to convert old-style nnrp.access file to readers.conf.
An up-to-date control.ctl file is provided with this release. You should manually update your control.ctl file with the new information recorded about Usenet hierarchies.
A test has been improved in innwatch.ctl so that innwatch no longer throttles innd when no overview directory exists. You should manually update your innwatch.ctl file to get this improvement.
Fixed a long-standing limitation on how controlchan and pgpverify were checking the signer of control messages. They now properly handle the case of several UIDs being defined on a single PGP key, as well as the presence of spaces in UIDs. In previous versions of INN, a few valid control messages got ignored because of that limitation (fido.ger.* and grisbi.* were for instance impacted).
As the name of the radius.conf configuration file shipped with INN for the nnrpd authenticator against a RADIUS server conflicts with the libradius package, this file is renamed to inn-radius.conf (innupgrade takes care of the rename during the update).
The attributes hash is now accessible to nnrpd Perl posting filter. As a result, filter_nnrpd.pl can make use of it. Only authentication and access Perl hooks could previously use the attributes hash. Thanks to Steve Crook for this addition.
INN now builds properly with Flex 2.5.36 (this version introduced a change of type for a variable used by INN).
When using funnel feeds, innfeed log files were open forever, which resulted in empty log files, once rotated by scanlogs. innfeed now reopens its log files upon receiving a HUP signal; this signal is in particular sent by scanlogs during log rotation. Thanks to Florian Schlichting for the patch.
Exploder and process channels are now reopened when ctlinnd flushlogs is used. Otherwise, they could hold open an already deleted errlog file. The issue affected in particular controlchan or ninpaths, running as such channels.
Fixed a buffer overflow when using imapfeed with more than a million commands during the same IMAP session. Thanks to David Binderman for the bug report.
Fixed a segfault occurring in innd on systems where time_t is a 64-bit integer. Thanks to S.P. Zeidler for the patch.
Fixed a segfault occurring in nnrpd when a res block was used in readers.conf without the program key.
Fixed an issue where users were denied posting because of an overlapping buffer copy in a check nnrpd was doing. Thanks to Florian Schlichting for the patch.
Fixed a regression that occurred in INN 2.5.3 regarding the path used by default by pullnews for its configuration file. Instead of looking in the running user's home directory, it was looking in the pathnews directory set in inn.conf. Thanks to Tony Evans for the bug report.
When neither wget nor ncftpget nor ncftp was found at configure time, the path to the simpleftp substitution program shipped with INN was not properly set in innshellvars, innshellvars.pl, and the INN::Config Perl module. Thanks to Christian Garbs for the bug report.
ckpasswd no longer tries to use the ndbm compatibility layer provided by Berkeley DB if Berkeley DB has been built without ndbm support. Also add support for gdbm libraries in ckpasswd.
Fixed a Perl warning in inncheck; using defined(@array) has been deprecated since Perl 5.16.
Fixed the occurrence of an unexpected cant select error generated by innd. Thanks to Paul Tomblin for having caught that long-standing issue.
When building INN with Berkeley DB support, no longer add -L/usr/lib to the linker include flags; unconditionally adding it may break the build on systems using lib32 and lib64 directories.
On a fresh INN install, motd.innd and motd.nnrpd are no longer installed by default. Instead, samples for these files are provided in pathetc, named differently so that their default contents are not displayed to news clients before they get customized.
Other minor bug fixes and documentation improvements (like the addition in the readers.conf man page of the log and program parameters in res blocks, and the include directive).
Please note that the HTML_STATUS compile-time option has been replaced with the htmlstatus parameter in inn.conf. If you used HTML_STATUS, you should set htmlstatus accordingly.
A confusion in the name of a key in innfeed.conf existed in the source code. Make sure that the misspelled, undocumented backlog-limit-high key is *not* used in your innfeed.conf file; its real name is backlog-limit-highwater. You should rename the key in case it is present in your configuration file. Otherwise, it will not be taken into account. You can run inncheck to verify that the syntax of this file is correct.
It is generally recommended to run inncheck after any changes done to configuration files, especially with the new improved version of this script shipped with INN 2.5.3, thanks to the hard work of Florian Schlichting who added support for the syntax of incoming.conf, innfeed.conf, readers.conf and storage.conf.
An up-to-date control.ctl file is provided with this release. You should manually update your control.ctl file with the new information recorded about Usenet hierarchies.
When HDR/XHDR/XPAT were used on a new article coming into a newsgroup, requesting a header field not present in the overview database, the first subsequent OVER/XOVER command did not show that article. A remap of the overview data file was missing in nnrpd. Thanks to Sam Varshavchik for the bug report.
When a header field appeared more than once in an article, it was missing from the overview data. OVER/XOVER, as well as HDR/XHDR/XPAT using the overview, were therefore returning an empty field. The content of the first occurrence is now returned, in accordance with RFC 3977.
Perl and Python filters for innd now also properly initialize their header field variables with the first occurrence of header fields. (It is still the last occurrence for the Perl filter for nnrpd.)
Fixed a possible plaintext command injection during the negotiation of a TLS layer. The vulnerability detailed in CVE-2011-0411 (and CVE-2012-3523, specifically for INN) affects the STARTTLS and AUTHINFO SASL commands. nnrpd now resets its read buffer upon a successful negotiation of a TLS layer. It prevents malicious commands, sent unencrypted, from being executed in the new encrypted state of the session.
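The buffer handling behind this fix, as an added example (not code from INN): a toy line-oriented session in which one plaintext segment carries STARTTLS followed by a further command, run once with the leftover bytes kept and once with the read buffer reset at the moment the TLS layer comes up. The struct, the function names and the sample segment are constructed for illustration, and the TLS handshake itself is not modelled.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define RBUF_SIZE 1024

/* Toy model of a line-oriented server session (hypothetical, not nnrpd's structures). */
struct session {
    char   rbuf[RBUF_SIZE]; /* bytes already read from the socket, not yet parsed */
    size_t used;            /* number of valid bytes in rbuf */
    int    tls_active;      /* set once the TLS layer has been negotiated */
};

/* Case-insensitive comparison; NNTP keywords are not case-sensitive. */
static int ieq(const char *a, const char *b)
{
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) {
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Pop one CRLF-terminated line from the read buffer. Returns 1 if a line was available. */
static int pop_line(struct session *s, char *line, size_t cap)
{
    for (size_t i = 0; i + 1 < s->used; i++) {
        if (s->rbuf[i] == '\r' && s->rbuf[i + 1] == '\n') {
            size_t n = i < cap - 1 ? i : cap - 1;
            memcpy(line, s->rbuf, n);
            line[n] = '\0';
            memmove(s->rbuf, s->rbuf + i + 2, s->used - (i + 2));
            s->used -= i + 2;
            return 1;
        }
    }
    return 0;
}

/*
 * Process one segment that was received entirely in cleartext.
 * Returns how many commands were read before the TLS layer existed but
 * executed after it was in place; the last such command is copied to last_cmd.
 * reset_on_tls = 0 models the old behaviour, 1 models the fix.
 */
int run_session(const char *segment, int reset_on_tls, char *last_cmd, size_t cap)
{
    struct session s;
    char line[128];
    int leaked = 0;
    size_t len = strlen(segment);

    memset(&s, 0, sizeof s);
    if (len > RBUF_SIZE)
        len = RBUF_SIZE;
    memcpy(s.rbuf, segment, len);   /* a single read() pulls in the whole segment */
    s.used = len;

    while (pop_line(&s, line, sizeof line)) {
        if (!s.tls_active && ieq(line, "STARTTLS")) {
            s.tls_active = 1;       /* handshake would complete here */
            if (reset_on_tls)
                s.used = 0;         /* the fix: drop everything read before the handshake */
            continue;
        }
        if (s.tls_active) {
            /* Cleartext bytes being executed in the encrypted state. */
            leaked++;
            snprintf(last_cmd, cap, "%s", line);
        }
    }
    return leaked;
}

int main(void)
{
    /* Constructed sample: a command appended in cleartext after STARTTLS. */
    const char *segment = "STARTTLS\r\nGROUP example.test\r\n";
    char cmd[64] = "";

    printf("buffer kept:  %d leaked\n", run_session(segment, 0, cmd, sizeof cmd));
    printf("buffer reset: %d leaked\n", run_session(segment, 1, cmd, sizeof cmd));
    return 0;
}
```

The same reset is needed wherever a security layer starts mid-session, which is why the entry above names AUTHINFO SASL alongside STARTTLS.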
Fixed a regression that occurred in INN 2.5.0 when leading whitespace characters were made significant in header field bodies. It could lead INN to drop articles and throttle itself when running as a slave because Xref header fields generated by other news servers, or even INN 2.4.6, could contain (valid) leading whitespace. Thanks to Matija Nalis for having caught this bug.
Fixed an invalid 431 response to CHECK commands when innd is paused: the Message-ID of the article to defer was missing. Also fixed another issue in the messages innd replied; when an error occurred during a write on a channel, a trailing extra junk byte was added to the reply. Thanks to River Tarnell for these bug reports.
It is now possible to properly generate daily statistics with sendinpaths thanks to the new -k and -r flags that permit controlling the interval of days for processing dump files. The new -c flag permits sending a copy of the generated e-mail to the newsmaster.
Also fixed an issue with statistics that could be missing or duplicated for a couple of days when sent monthly.
The documentation has been updated and mentions a preferred daily run of sendinpaths. This script is a complete rewrite in Perl, and is based on Mohan Kokal's initial work.
cnfsheadconf now properly recognizes continuation lines in cycbuff.conf, that is to say lines ending with a backslash (\). Thanks to John F. Morse for the bug report.
The order of CNFS buffers in a metacycbuff is now properly read and written by cnfsheadconf. There previously was a confusion between hexadecimal and decimal values. Thanks again to John F. Morse.
When the -l flag is given to cnfsstat, the cycbuff.conf and storage.conf files are now reloaded if they have been modified since the previous output of cnfsstat.
A single header field line is limited to 998 bytes, per RFC 5536. innd was previously accepting, and also generating Xref header field lines, up to 1022 bytes. Now, nnrpd (acting as an injecting agent) rejects articles which contain header field lines whose length exceeds 998 bytes. And innd (acting as a relaying or serving agent) no longer checks that.
nnrpd advertises the COUNTS, DISTRIBUTIONS, MODERATORS, MOTD and SUBSCRIPTIONS variants of the LIST command in response to CAPABILITIES. These commands already existed in nnrpd but RFC 6048 had not yet been published.
Add support for LIST MOTD in innd. Consequently, the motd.news configuration file which was previously used only by nnrpd is renamed to motd.nnrpd (innupgrade takes care of the rename). innd uses the new motd.innd file in pathetc for its message of the day.
Fixed an issue at configure time that made INN wrongly assume that OpenBSD (4.6) didn't support Unix-domain sockets. Thanks to Wim Lewis for the patch.
Fixed an issue on systems which do not have a working flock(2) function (Solaris, for instance). mailpost and pullnews are reported not to be usable on such systems. Many thanks to Dennis Davis for the bug report.
A wrapper around shlock is now called in Perl scripts. The INN::Utils::Shlock module has been added for that use.
Fixed an issue in the Python access hook for nnrpd: it has not been working since Python 2.5 on 64-bit platforms, owing to a change to Python's C API, using a new Py_ssize_t type definition instead of int. Thanks to Raphael Barrois for the patch.
Improve the stability of the Perl filters for innd and nnrpd: properly save and restore the stack pointer when needed.
The Injection-Date header field, when present, is now used by innd and makehistory to determine the posting date of an article. Otherwise, the Date header field is used.
controlchan now imposes a date cutoff on processing control articles. The artcutoff parameter set in inn.conf is used. Otherwise, without that cutoff, old control articles could be maliciously reinjected into Usenet, and replayed. (An unsigned Injection-Date header field could be added to an article that only had a Date header field.) A new -c flag has been added to controlchan to disable the cutoff check, if needed (usually when manually invoking the program).
nnrpd no longer adds or updates the Path header field when an article is forwarded to a moderator. It could otherwise lead to rejects at injection time when the article was approved by the moderator.
The X-Trace header field was not properly generated when an article was locally posted. The field mentioning the IP address was skipped, resulting in a wrong syntax for this header field. The local 127.0.0.1 IP address is now used. Besides, localhost is now mentioned instead of an obscure stdin in injection header fields.
Fixed a bug in how frequently innfeed logs its status: too many useless lines were written to news.notice. Thanks to Florian Schlichting for the fix.
When unset in innfeed.conf, the dynamic-method parameter now properly defaults to 3 (instead of 0) and use-mmap to false (instead of true). These two values were already the recommended ones in the documentation and the sample file. Note that use-mmap is only used when innfeed is given file names to send instead of storage API tokens, which is a fairly rare use case.
innfeed no longer generates an error message (logged in news.err) when a parameter is not defined in innfeed.conf. All the parameters have a default value, so there is no need to warn the user if they are not present in innfeed.conf. Thanks to Dieter Stussy for having reported this problem.
Implement an upper limit to the number of file descriptors innd can handle. At most (FD_SETSIZE-1) file descriptors can be used. This upper limit now overrides any superior number set with rlimitnofile in inn.conf. Thanks to Steve Crook for the bug report.
A default timeout on outgoing sockets (using NNTPconnect) has been added by Florian Schlichting. For a long time, there have been occasional problems with actsync (and probably other programs) that would hang until manually killed or restarted.
The flag -S has been added to innd by Florian Schlichting. When used, innd reports the errors found in incoming.conf and exits.
pullnews no longer stops processing newsgroups when an error occurs during its run (for instance when a newsgroup mentioned in the configuration file is removed from an upstream server). Besides, it can now use authentication when posting to the downstream server.
A few other minor bugs have been fixed in the way pullnews counts articles.
Fixed the way innreport handles leap years. It now properly generates HTML reports; dates were assumed to be relative to the current year, which may break their computation during, for instance, the whole 2012 leap year. Please note that no HTML reports have been lost, and that they will appear when INN is updated to this new version.
A new parameter has been added to inn.conf to determine whether the status file that innd can write out (depending on the value of the status parameter) is plain text or wrapped in HTML. It was previously only a compile-time option, set to true by default. Florian Schlichting added the htmlstatus parameter to provide a configurable behaviour.
It is now possible to run a script at the end of the execution of innshellvars scripts. If a file named innshellvars.local, innshellvars.pl.local or innshellvars.tcl.local is present and executable in pathetc, then it will be executed by the corresponding innshellvars script (respectively shell, INN::Config Perl module, and Tcl). A typical use is to add or override variables.
Add support for wire-formatted articles in scanspool.
A lot of work on cleaning old perl4-style code has been done by Florian Schlichting.
inncheck now generates a proper non-zero exit value when errors are found, and allows quiet mode with the -q flag. Florian Schlichting has greatly improved this script in many regards, especially with a config-syntax parser for incoming.conf, innfeed.conf, readers.conf and storage.conf.
inncheck now properly finds the boundaries of substituted variables in newsfeeds thanks to Alexander Bartolich.
docheckgroups no longer uses AWK. On a few systems, the script was failing because of the presence of an old version of AWK that has a limit in the size of the input it can handle. Processing large newsgroups files was consequently impossible. docheckgroups now uses Perl instead of AWK, which solves the issue reported by John F. Morse.
Other minor bug fixes and documentation improvements. In particular, the debug-shrinking, fast-exit and initial-sleep keys in innfeed.conf are now documented. The function filter_end(), called when Perl filtering is turned off, is also documented for the innd and nnrpd Perl filters.
The way checkpoints are handled by innreport for innd and innfeed has totally changed to provide more accurate daily statistics. The first Usenet report after an upgrade to INN 2.5.2 will probably contain incorrect statistics for incoming and outgoing articles because the beginning of the log files that will be used was generated by a previous version of INN.
A new version of innreport.conf is shipped with INN 2.5.2 but, in order to preserve any local changes, will not be automatically installed with make update. The changes are minor and not mandatory for the upgrade.
Julien Elie has implemented in innd the new version of the NNTP protocol described in RFC 3977, RFC 4643 and RFC 4644, and innd now recognizes the CAPABILITIES command. Despite these standards, three commands (IHAVE, CHECK and TAKETHIS) will continue, for interoperability reasons, to return a reject code (respectively 435, 438, and 439) when the command contains a syntax error instead of 501. The mandatory username argument for authenticated peers is not enforced in INN 2.5.2 but will be enforced by INN 2.6.0 when it is released.
Major improvements are:
innd now has a decent parser for NNTP commands. The parser is more correct (commands like IHAVE<mid>, without a space between the command and its argument, are no longer valid) and allows leading and trailing whitespaces in commands. innd also now checks the length of the NNTP command sent by the client. If the command contains more than 512 bytes (or 497 bytes for an argument), an error is returned and the command is discarded. After ten unrecognized commands, innd closes the connection with the appropriate code (400 instead of 500).
The output of the HELP command specifies the arguments expected by NNTP commands, similar to nnrpd's HELP command.
LIST ACTIVE, LIST ACTIVE.TIMES and LIST NEWSGROUPS now allow an optional wildmat argument to restrict the results of those commands to specific newsgroups.
When using HEAD or STAT with an article number or a range, 412 (no group selected) is now returned instead of 501 (syntax error).
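The command-parser rules listed above (whitespace trimming, the mandatory separator after the keyword, the 512-byte and 497-byte limits, the cut-off after ten unrecognized commands), as an added sketch that is not innd's parser. The verdict names, the struct and the keyword table are hypothetical. Two assumptions are made: the CRLF is counted in the 512 bytes, as RFC 3977 does, and the bad-command counter is never reset, since the page does not say whether it is.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_LINE_LEN 512 /* whole command line, CRLF included (RFC 3977) */
#define MAX_ARG_LEN  497 /* argument part only */
#define MAX_BAD_CMDS 10  /* unrecognized commands before the connection is closed */

/* V_UNKNOWN maps to a 500 reply, V_CLOSE to a 400 reply followed by a close. */
enum verdict { V_OK, V_EMPTY, V_TOO_LONG, V_UNKNOWN, V_CLOSE };

struct conn { int bad_cmds; };

/* A few of the keywords named on this page; a real server knows more. */
static const char *const known[] = {
    "CAPABILITIES", "CHECK", "HEAD", "HELP", "IHAVE", "LIST", "STAT", "TAKETHIS"
};

static int is_space(char c) { return c == ' ' || c == '\t'; }

/* Case-insensitive lookup of a keyword that is not NUL-terminated. */
static int is_known(const char *kw, size_t len)
{
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++) {
        size_t j = 0;
        if (strlen(known[i]) != len)
            continue;
        while (j < len && toupper((unsigned char)kw[j]) == known[i][j])
            j++;
        if (j == len)
            return 1;
    }
    return 0;
}

/*
 * line is one command without its CRLF. On V_OK, *arg points into line at
 * the start of the argument (not NUL-terminated at arg_len if whitespace
 * was trimmed) and *arg_len holds its length.
 */
enum verdict parse_command(struct conn *c, const char *line,
                           const char **arg, size_t *arg_len)
{
    size_t len = strlen(line);
    const char *p = line, *end = line + len, *kw;

    *arg = NULL;
    *arg_len = 0;
    if (len + 2 > MAX_LINE_LEN)            /* +2 for the stripped CRLF */
        return V_TOO_LONG;

    while (p < end && is_space(*p))        /* leading whitespace is allowed */
        p++;
    while (end > p && is_space(end[-1]))   /* so is trailing whitespace */
        end--;
    if (p == end)
        return V_EMPTY;                    /* empty command: discard silently */

    kw = p;                                /* keyword runs up to the first whitespace */
    while (p < end && !is_space(*p))
        p++;
    if (!is_known(kw, (size_t)(p - kw)))   /* "IHAVE<mid>" ends up here */
        return ++c->bad_cmds >= MAX_BAD_CMDS ? V_CLOSE : V_UNKNOWN;

    while (p < end && is_space(*p))
        p++;
    if ((size_t)(end - p) > MAX_ARG_LEN)
        return V_TOO_LONG;
    *arg = p;
    *arg_len = (size_t)(end - p);
    return V_OK;
}

int main(void)
{
    struct conn c = { 0 };
    const char *arg;
    size_t n;

    /* Constructed inputs: the first is accepted, the second lacks the separator. */
    printf("%d\n", parse_command(&c, "  ihave <a@b.example>  ", &arg, &n));
    printf("%d\n", parse_command(&c, "IHAVE<a@b.example>", &arg, &n));
    return 0;
}
```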
Jeffrey M. Vinocur has implemented support in both innd and nnrpd for whitespace in usernames/passwords provided with AUTHINFO USER/PASS. They were previously treated as invalid arguments or incorrectly parsed. innd and nnrpd now treat everything after the first whitespace character following AUTHINFO USER/PASS, up to, but not including, the final CRLF, as the username/password, in conformity with RFC 4643.
The syntax of Message-IDs is now based on RFC 5536 (USEFOR) instead of RFC 1036. The major change is that quoted-pairs have been removed from the syntax.
The Perl and Python filters for innd now check the Message-ID of articles arriving through TAKETHIS. Only CHECK and IHAVE commands previously used them.
Case-insensitive matches are now used for distributions, path identities, IMAP commands, header field names, and control commands. (Newsgroups are still matched case-sensitively.) Message-IDs are case-sensitively matched, except for history hashes.
The new Archive, Archive-At, Comments, and Summary header fields
defined in RFC 5064 and RFC 5536 can be used in innd filters.
nnrpd now checks at injection time that an article does not contain an Injection-Info header field, that an Injection-Date header field (if provided) is valid, and that the Path header field body does not contain .POSTED. Note that INN does not yet generate these two injection fields or include the new .POSTED keyword in Path header fields. These new features will be in the next major release of INN.
LIST SUBSCRIPTIONS now accepts an optional wildmat argument to restrict the results of this command to specific newsgroups.
nnrpd now supports a new LIST variant named COUNTS. LIST COUNTS is a combination of LIST ACTIVE and GROUP. It returns the same result as LIST ACTIVE except that the number of articles in a newsgroup is inserted before its status.
A new flag has been added to newsfeeds entries: Aj, when present, says to feed articles accepted and filed in junk (due to wanttrash) to peers based on their newsfeeds feed patterns applied to the Newsgroups header field as though the article were accepted and all those groups were locally carried. This is useful if you want to run INN with a minimal active file and propagate all posts. Thanks to Andrew Gierth for the patch.
A new parameter has been added to inn.conf: logtrash defines whether a line for articles posted to groups not locally carried by the news server should be added in the news log file to report unwanted newsgroups. The default is true but it can be useful to set it to false (especially when wanttrash is also used).
The procbatchdir keyword has been added to news.daily to specify the backlog directory of innfeed. This is useful when several instances of innfeed are running or when its configuration file is not the default one.
sm now supports a new flag, -c, which shows a decoded form of the storage API token. This was previously done by the contrib showtoken script developed by Olaf Titz and Marco d'Itri.
The O flag in newsfeeds now relies on the contents of the Injection-Info header field if it is present to determine the origin of an article. It falls back on X-Trace if there is no Injection-Info header field.
A new "unsigned long" type has been added to the configuration parser. It will properly warn the news administrator when a variable supposed to be positive contains a negative integer. It will prevent INN from crashing due to misconfiguration at several places where it did not expect negative values.
innxbatch and innxmit now recognize the new 403 code introduced by RFC 3977 for a problem preventing the requested action from being taken.
HDR and OVER commands now return the correct 423 code (instead of 420) when the current article number is used but the article no longer exists.
actsync, inews, innxbatch, innxmit, nntpget and rnews can now authenticate to news servers which only expect a username, without password, conforming to RFC 4643.
The keyword generation code now generates a Keywords header field only if the original article does not already have one. The generated Keywords header field no longer begins with a comma. If keyword generation is set to true in inn.conf but the Keywords header field is not stored in the overview, the news administrator is warned and keyword generation deactivated, since it exists only to populate the overview data.
Two segfaults in keyword generation were fixed. The first occurred when an article already had a Keywords header field longer than the keylimit parameter. The second was caused by a possible invalid pointer beyond the newly allocated Keywords header field.
Fixed innd handling of empty lines. innd was not properly discarding an empty command and was closing the connection when it received only whitespace in a command.
Fixed a bug in how innd responded to reader commands when readers were not allowed. A superfluous blank line was sent in its response.
Fixed a bug in innd's response to TAKETHIS when authentication is required. Previously, the 480 code was returned immediately without accepting the multi-line data block first, which broke synchronization in the NNTP protocol.
Fixed a bug in recognizing the article terminator when empty articles were fed to innd via IHAVE or TAKETHIS, leading to treating subsequent NNTP commands as part of the article.
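The two TAKETHIS entries above (480 sent before the data block is read, and the terminator of an empty article) can be reproduced with a small model of a server read loop. The following Python code is an added example, not INN code; the function names, the constructed sample stream and the choice to answer an empty article with 439 are assumptions made for illustration.

```python
"""Model of an NNTP read loop handling pipelined TAKETHIS (illustrative only)."""

CRLF = b"\r\n"

# Constructed sample input: one normal article, one empty article, then QUIT.
STREAM = (
    b"TAKETHIS <a@example.invalid>\r\n"
    b"Path: news.example.invalid!not-for-mail\r\n"
    b"Message-ID: <a@example.invalid>\r\n"
    b"\r\n"
    b"body line\r\n"
    b".\r\n"
    b"TAKETHIS <b@example.invalid>\r\n"
    b".\r\n"
    b"QUIT\r\n"
)


def naive_block_end(buf: bytes, start: int) -> int:
    """Terminator search that only knows CRLF "." CRLF after the block start.

    It misses an empty article, whose terminator is a bare "." CRLF because
    the preceding CRLF belongs to the command line.
    """
    pos = buf.find(CRLF + b"." + CRLF, start)
    return -1 if pos < 0 else pos + 5


def block_end(buf: bytes, start: int) -> int:
    """Offset just past the data block starting at `start`, or -1 if incomplete."""
    # A body line consisting of "." would have been dot-stuffed to "..",
    # so "." CRLF at the very start can only be the terminator.
    if buf.startswith(b"." + CRLF, start):
        return start + 3
    return naive_block_end(buf, start)


def serve(stream: bytes, authenticated: bool, consume_before_480: bool = True):
    """Return the list of replies the modelled server sends for `stream`.

    consume_before_480=False models the old behaviour: 480 is sent as soon as
    the TAKETHIS command line is seen and the article is left in the input.
    """
    replies, pos = [], 0
    while pos < len(stream):
        eol = stream.find(CRLF, pos)
        if eol < 0:
            break  # incomplete command line, wait for more input
        line = stream[pos:eol].decode("ascii", "replace")
        pos = eol + 2
        if not line.strip():
            continue  # empty or whitespace-only command: discard, keep the connection
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "TAKETHIS":
            empty = False
            if authenticated or consume_before_480:
                end = block_end(stream, pos)
                if end < 0:
                    break  # data block not complete yet
                empty = end == pos + 3
                pos = end  # the whole article is consumed before replying
            if not authenticated:
                replies.append("480")
            else:
                # Assumption of this model: an empty article is rejected.
                replies.append(("439 " if empty else "239 ") + arg)
        elif verb == "QUIT":
            replies.append("205")
            break
        else:
            replies.append("500")
    return replies


if __name__ == "__main__":
    print("block read first :", serve(STREAM, authenticated=False))
    print("480 sent at once :", serve(STREAM, False, consume_before_480=False))
    print("authenticated    :", serve(STREAM, authenticated=True))
```

With the block consumed first, three pipelined commands yield three replies; with the early 480, every article line is parsed as a command and the peer receives eight replies for three commands.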
When innd could not provide information for LIST ACTIVE.TIMES and LIST NEWSGROUPS, it was returning an invalid error message without a response code. The proper 503 answer code is now returned.
When an unauthenticated user tried to post an article, nnrpd replied 440 (posting not allowed) instead of the correct 480 (authentication required) response if the user might be able to post after authentication. Thanks to Daniel Weber for the bug report.
Fixed a bug in both innd and nnrpd answers to LIST commands where the output was not checked for valid dot stuffing.
Fixed a bug leading to junked non-control articles being sent to control-only feeds, and also fixed handling of poisoned control groups. Thanks to Andrew Gierth for the patch.
Fixed a bug in innreport leading to incorrect summing of innd stats when hostname was set to an IPv6 address instead of a fully qualified domain name. Thanks to Petr Novopashenniy for the bug report.
Changed how innreport uses innd and innfeed checkpoint messages. Previously, connections held open for multiple days led to skewed and incorrect statistics on how many articles had been received or sent. The count is now more accurate and, for each connection of a feed, only depends on incominglogfrequency in inn.conf and stats-period in innfeed.conf.
Fixed a bug in nnrpd Perl filter: a header field whose name begins with the name of a standardized header field was not properly handled.
Fixed a bug in how innd was parsing Message-ID and Supersedes header field bodies which contained trailing whitespace. The article was corrupted by an unexpected \r in the middle of the header field body.
nnrpd now checks the syntax of the Message-ID header field, if present.
Fixed various bugs in how leading whitespace was treated in header fields. The HDR, XHDR and XPAT commands were not properly showing leading whitespace in header field bodies. Lone \n and \r characters are now changed into spaces and \r\n is just removed. archive, makehistory, and tdx-util now keep leading whitespace in header field bodies when generating overview data, and archive now changes \n (when not preceded by \r) into a space when generating overview data.
Fixed a bug in the generation of overview data which may corrupt previously generated overview data when a pseudo Xref header field is injected in an extra overview field.
Fixed a bug in the parsing of the ovgrouppat wildmat in inn.conf that prevented overview data from being generated when poisoned groups were specified but a later sub-pattern matched the group. A uwildmat expression is now correctly handled, and a potential segfault has been fixed. Thanks to Dieter Stussy for the bug report.
Fixed a bug when HDR, XHDR and XPAT were used when virtualhost was set to true in readers.conf. The Xref header field of articles posted to only one newsgroup appeared empty.
Fixed a bug in tdx-util in parsing empty overview fields when called with -A or -F.
Fixed a bug in cvtbatch, which was returning only the size of the headers of an article when the b parameter was used with the -w flag. It now correctly returns the size of the whole article, which is what b was documented to do. cvtbatch also has a new t parameter, which can be used with the -w flag to retrieve the arrival time of an article.
Fixed a bug in how mailpost handles the cross-posting feature. It was not properly detaching from sendmail. Thanks to Harald Dunkel for the patch.
Fixed a bug in the newsfeeds C flag: the count of followup groups was one less than the real number. When the value of the Followup-To header field is poster, it is no longer considered to be a followup. Thanks to Dieter Stussy for the patch.
When using tradindexed, the overview data for a cancelled article is now immediately removed from the overview. Thanks to Lars Magne Ingebrigtsen for the patch.
batcher has not supported the retrieval of an article with its file name for a long time. The -S flag has therefore been removed.
inews no longer rejects articles that contain more than 50 header fields. Thanks to Torsten Jerzembeck for the bug report.
news.daily no longer sends superfluous mails when the nomail keyword is given. Mail is only sent when there is real output. Previously, there would always be headings and empty lines left over from the structuring of the full report, which are now omitted. Also, the output of programs executed with postexec is now included in the regular mail. Thanks to Florian Schlichting for the patch.
innconfval no longer maps NULL string or list values to an empty string or list and instead maps them to undefined values. This fixes an issue reported by Kamil Jonca: nnrpd was inserting an empty Organization header field when the organization parameter in inn.conf was unset.
Other minor bug fixes and documentation improvements.
Fixed a segfault in imap_connection which could occur when SASL was used.
Fixed a segfault in the keyword generation code which was assuming that an article was nul-terminated. Fixed another segfault in the keyword generation code when an article already contained a Keywords header field. Thanks to Nix for the bug reports.
Owing to the US-CERT vulnerability note VU#238019, Cyrus SASL library has slightly changed. imap_connection and nnrpd now handle that change. Otherwise, some answers are too long to be properly computed during SASL exchanges.
Fixed a memory allocation problem which caused nnrpd to die when retrieving via HDR/XHDR/XPAT the contents of an extra overview field absent from the headers of an article. The NEWNEWS command was also affected in very rare cases. Thanks to Tim Woodall for the bug report.
HDR/XHDR/XPAT answers are now robust when the overview database is inconsistent. When the overview schema was modified without the overview database being rebuilt, wrong results could be returned for extra fields (especially a random portion of some other header field). The desired header field name is now explicitly searched for in the overview information.
Fixed the source which is logged to the news log file for local postings when the local server is not listed in incoming.conf. A wrong name was used, taken amongst known peers. The source is now logged as localhost.
Fixed a bug in the timecaf storage method: only the first 65535 articles could be retrieved in a CAF, though everything was properly stored. (A Crunched Article File contains all the articles that arrive at the news server during 256 seconds.)
The storage token now uses 4 bytes to store the article sequence number for timecaf, instead of only 2 bytes. Thanks to Kamil Jonca for the bug report and also the patch.
Fixed a bug in both timecaf and timehash which prevented them from working on systems where short ints were not 16-bit integers.
When there is not enough space to write an entire CAF header, the timecaf storage manager now uses a larger blocksize. On 32-bit systems, the CAF header is about 300 bytes, leaving about 200 bytes for the free bitmap index (the remainder of a 512-byte blocksize). On 64-bit systems, the size of the CAF header could exceed 512 bytes, thus leaving no room for the free bitmap index. A 1 KB blocksize is then used, or a larger size if need be.
A new CNFS version has been introduced by Miquel van Smoorenburg in the CNFS header. CNFSv4 uses 4 KB blocks instead of 512 bytes, which notably makes writes faster. CNFSv4 supports files/partitions up to 16 TB with a 4 KB blocksize.
Existing CNFS buffers are kept unchanged; only new CNFS buffers are initialized with that new version.
grephistory -l now returns the contents of the expires history field as well as the hash of the Message-ID. Besides, when the storage API token does not exist, grephistory -v now also returns the hash of the requested Message-ID.
The check on cancel messages when verifycancels is set to true in inn.conf has been changed to verify that at least one newsgroup in the cancel message can be found in the article to be cancelled. This new feature is from Christopher Biedl.
The previous behaviour was to check whether the cancel message is from the same person as the original post, which is extremely easy to spoof; besides, RFC 5537 (USEPRO) mentions that "cancel control messages are not required to contain From and Sender header fields matching the target message. This requirement only encouraged cancel issuers to conceal their identity and provided no security".
The way the /remember/ line in expire.ctl works has changed. History retention for an article was done according to its original arrival time; it is now according to its original posting date. Otherwise, unnecessary data may be kept too long in the history file.
To achieve that, the HISremember() function in history API now expects a fourth parameter: the article posting time.
Note that article expiration has not changed and is still based on arrival time, unless the -p flag is passed to expire or expireover, in which case posting time is used.
The default value for /remember/ has changed from 10 to 11 because it should be one more than the artcutoff parameter in inn.conf, so that articles posted one day into the future are properly retained in history.
auth_krb5 has been rewritten by Russ Allbery to use modern Kerberos APIs. Note that using ckpasswd with PAM support and a Kerberos PAM module instead of this authenticator is still recommended.
A new -L flag has been added by Jonathan Kamens to makehistory so as to specify a load average limit. If the system load average exceeds the specified limit, makehistory sleeps until it goes below the limit.
As UTF-8 is the default character set in RFC 3977, ctlinnd pause, ctlinnd readers, ctlinnd reject, ctlinnd reserve, ctlinnd throttle and nnrpd -r commands now require the given reason to be encoded in UTF-8, so that it can be properly sent to news readers. The creator's name given to ctlinnd newgroup is also expected to be encoded in UTF-8.
The output of consistency checks for article storage and the history file no longer appears by default when cnfsstat -a is used. A new -v flag has been added to cnfsstat so as to see it.
The default path for TLS certificates has changed from pathnews/lib to pathetc. It only affects new INN installations or generations of certificates with make cert. Besides, a default value has been added to tlscapath because it is required by nnrpd when TLS is used.
gzip(1) is now the default UUCP batcher in send-uucp instead of compress(1) because gzip is more widely available than compress, due to old patent issues. Note that there is no impact on decompression as it is handled by rnews.
cnfsheadconf now uses the Perl core module Math::BigInt rather than the deprecated bigint.pl library. When used without specifying a CNFS buffer, it now properly displays the status of all CNFS buffers.
The following changes require your full attention because a manual intervention may be needed:
In order to process control messages, controlchan now needs the MIME::Parser module. Packages are available from most distributions, or you can install the module directly from CPAN (MIME-tools in modules/by-module/MIME/, for instance on ftp.perl.org).
Perl 5.8.0 or later is recommended for INN. If you are using an earlier version, you will also need the Encode module for correct processing of control messages. (It is included with Perl itself in 5.8.0 and later.)
Checkgroups control messages are now differently handled by controlchan: all matching lines in control.ctl will be used for a given checkgroups and a doit action will really be executed (adding, removing and changing the status of newsgroups). You should make sure that your local configuration does not rely on the previous behaviour of only mailing changes, without actually performing them.
You should use the new control.ctl.local file shipped with INN in pathetc and, at the same time, update your control.ctl and moderators files. Also make sure that your active.times, distrib.pats and newsgroups files are properly encoded in UTF-8, as it is strongly recommended by RFC 3977.
The overview.fmt file is no longer used by INN. Two new parameters have been added to inn.conf: extraoverviewadvertised and extraoverviewhidden. Although innupgrade takes care of the change during make update, you should make sure that your overview database is consistent with all the fields declared in overview.fmt because they will all be advertised, and Xref:full forced as the eighth overview field. See the inn.conf(5) man page for more information about these parameters.
The innreport configuration file has slightly changed. The new innreport.conf file shipped with INN should be used and your possible changes backported to this new version.
The $SPOOLBASE variable has been renamed to $SPOOLDIR in innshellvars in order to be more consistent. It impacts shell scripts only. If you import innshellvars and use that variable in your scripts, you will have to rename it.
gpgverify is no longer included in INN; pgpverify now has better support for GnuPG and should be used instead.
The auth_smb authenticator program to check passwords with an SMB authentication is no longer included in INN. It was a stripped-down version of pam_smbpass(5), wasn't maintained, and likely had security problems. To authenticate to an SMB server such as Samba, use PAM and ckpasswd's PAM support instead.
The parameters used by nnrpd to provide TLS support are now tlscafile, tlscapath, tlscertfile and tlskeyfile in inn.conf. The sasl.conf file used for that in previous versions of INN is obsolete. innupgrade takes care of the change during make update.
The nntpactsync parameter has been renamed to incominglogfrequency in inn.conf; innupgrade handles this renaming during the update.
In newsfeeds, innfeed should be run directly rather than through startinnfeed. innupgrade will attempt to take care of this modification during make update.
When starting innd by hand, innd can just be run directly rather than using inndstart. If you get error messages about resetting the file descriptor limits, you may need to increase the file descriptor limits. See the sample init script in contrib for an example of how to do this.
If you are upgrading from a version prior to INN 2.4, see also Upgrading from 2.3 to 2.4.
Ken Murchison has contributed SASL authentication support for nnrpd, implementing the AUTHINFO SASL section of RFC 4643. If the --with-sasl option is given to configure, nnrpd will be able to authenticate clients via secure SASL mechanisms.
Julien Elie has implemented in nnrpd the new version of the NNTP protocol described in RFC 3977, RFC 4642 and RFC 4643. Consequently, nnrpd now recognizes the CAPABILITIES command, the HDR and LIST HEADERS commands, the second optional argument to specify a range of articles to LISTGROUP, the OVER command, as well as the :bytes and :lines metadata items.
Heath Kehoe has added the ability to compress overview data before it is stored in ovdb. It significantly improves the performance of this storage method and reduces the time spent by expireover. See the new --with-zlib option to configure and the ovdb(5) man page.
Alexander Bartolich has greatly improved innreport and especially its XHTML output (an XSL transformation is also provided, if needed, in innreport-filter.xslt, in the contrib directory).
inndstart and startinnfeed are no longer part of INN and are no longer used. Instead, a separate setuid root helper program written by Russ Allbery is used to bind to the news ports (and does only that), and is run by innd and nnrpd when necessary. This means that INN may not be able to increase file descriptor limits for itself the way that it could before. If you get error messages about resetting the file descriptor limits, you may need to increase the file descriptor limits as root before running rc.news as the news user. See the sample init script in contrib for an example of how to do this. More information on file descriptor limits can be found in INSTALL.
INN's IPv6 support was largely rewritten by Russ Allbery. IPv4 and IPv6 are now handled through the same code wherever possible, the new IPv6-aware APIs are used everywhere possible, and replacement functions are provided for systems that don't have them yet. The network code is now much more centralized, eliminating lots of duplicate code and adding better IPv6 support to some utilities.
INN now uses Autoconf 2.61 or later for configuration. As a result, some configure options have changed slightly and more of the standard --*dir options should be supported in lieu of the old INN-specific options. See configure --help for the available options.
Thanks to Kirill Berezin, the buffindexed overview method now supports buffers larger than 2 GB. It is not necessary to compile INN with large file support to use such large buffers with buffindexed. Buffindexed is now also more robust with mmaped files and uses more optimized data placement.
tinyleaf, a miniature IHAVE-only leaf server written by Russ Allbery, is now included. See the tinyleaf(8) man page for more information.
controlchan recognizes the new application/news-groupinfo entity described in USEPRO and can handle character set conversions of newsgroup descriptions. The MIME::Parser and Encode modules are used.
Processing control messages has been greatly improved, especially checkgroups: the active and newsgroups files are now properly updated when they are processed, and all matching lines in control.ctl for a given checkgroups are honoured (which for instance allows using both drop and doit actions for the same checkgroups message).
A new control.ctl.local file has also been added in pathetc. Rules set in that file override rules in control.ctl, allowing administrators to specify local rules for some control messages without modifying the control.ctl configuration file that comes with INN. It also specifies encodings to use for the newsgroups file. By default, UTF-8 will be used for newsgroup descriptions, as strongly recommended by RFC 3977.
The Perl and Python filter_mode hooks are now called when innd is shutting down via either ctlinnd shutdown or ctlinnd xexec with a new mode value of shutdown. This will allow the Perl hooks to save filter data across innd restarts without requiring that the news administrator throttle the server first. (Python already had a separate close hook that is also called.)
The legacy innshellvars.pl script has been replaced with a real INN Perl module INN::Config for Perl programs. The location of Perl modules can be set with the --with-libperl-dir option to configure. All Perl scripts shipped with INN have been converted to use that module. You may want to consider using INN::Config in your Perl scripts, though innshellvars.pl is still provided with INN.
Support for embedded Tcl filters in innd has been removed. It hasn't worked for some time and causes innd crashes if compiled in (even if not used). If someone wants to step forward and maintain it, we recommend starting from scratch and emulating the Perl and Python filters.
If strippath is set in readers.conf, the whole user-supplied Path header field will now be stripped. Previously, the final component of the user-supplied Path header field body would still be retained.
news2mail can now set the envelope-from address of the mails it sends. A third optional part in news2mail.cf entries has been added by D. Stussy to achieve that.
The -g option to nnrpd is no longer supported. If you are verifying passwords against the system password database, see the ckpasswd(8) man page, and in particular the -s option. (A much better idea would be to just use PAM, which ckpasswd supports.)
Fixed a bug in ctlinnd renumber which was resetting the low and high water marks of empty newsgroups in the active file. This command now makes the low water mark one more than the real high water mark. The answers to LIST ACTIVE, GROUP and LISTGROUP have also been fixed to do that.
Support for bzip2-compressed batches (with bunbatch) has been added.
news.daily now processes innfeed dropped files during daily maintenance, running procbatch.
Support for runasuser and runasgroup parameters in inn.conf allows setting the news user and the news group under which the news server runs. Thanks to Ivan Shmakov for this feature.
Other new options have been added to configuration files: ignore in incoming.conf, logstatus, nnrpdflags and verifygroups in inn.conf, and log-time-format in innfeed.conf.
The --with-http-dir option has also been added to configure to set pathhttp in inn.conf.
The nntpactsync parameter has been renamed to incominglogfrequency in inn.conf.
The sasl.conf file has been removed in favour of new parameters in inn.conf to deal with TLS support: tlscafile, tlscapath, tlscertfile and tlskeyfile.
The overview.fmt file has been removed in favour of new parameters in inn.conf to deal with transition periods to accommodate overview reconfigurations. It is now possible to specify on the one hand the fields that should be advertised by nnrpd in response to LIST OVERVIEW.FMT and used for HDR, XHDR and XPAT requests (see the new extraoverviewadvertised parameter) and on the other hand the additional fields that should be silently generated (see the new extraoverviewhidden parameter).
Support for Berkeley DB versions prior to 4.3 has been dropped. You will have to use at least Berkeley DB 4.4; the recommended version is 4.7.
INN now builds entirely free of warnings from GCC with fairly aggressive warning options enabled. This involved lots of cleanup of const strings, signed versus unsigned type handling, correcting printf formats, and other changes that fixed obscure bugs and made INN's code more robust. Russ Allbery has also done considerable cleanup work on some of INN's internals, simplifying, refactoring, and removing duplicate code.
INN's test suite is now much more comprehensive and tests some high-level functions as well as more of the portability and utility function layer.
A lot of work has been done on documentation: improvements of existing documents, new documentation, and proof-reading. Sample configuration files are also more detailed.
All of the applicable bug fixes from the INN 2.4 STABLE series are also included in INN 2.5.
Fixed the segfault of the radius authenticator when none of the radius servers respond. Thanks to Matija Nalis for this patch.
Fixed a lost initialization in buffindexed, which resolves a potential segfault, thanks to a patch by Kirill Berezin.
INN now properly supports Perl 5.10.0 (and also 5.8.9); Perl filters were causing innd to segfault on a few systems like FreeBSD.
Fixed a long-standing bug which affected Perl hooks for innd: the variable containing the body of an article was not properly created, which caused regular expressions matching new lines to fail. It especially affected filters like Cleanfeed which sometimes failed to detect unwanted articles.
To fix that issue, Julien Elie added the use of a shared string, available since Perl 5.7.2, with a fallback to a slower but reliable copy of such bodies in case the function is not available. Using a Perl version later than 5.7.2 is therefore recommended.
Fixed two bugs which could prevent nnrpd from being run as a daemon in FreeBSD. Thanks to Johan van Selst for having identified the problem and to Kai Gallasch for having provided a testing FreeBSD server. The listening address was not initialized to ::0 or 0.0.0.0 when the -b flag was not used and an incorrect size was given when IPv6 was enabled and the binding done using IPv4.
Some annoying assertion failures occurring in innfeed have been fixed by Russ Allbery and Julien Elie.
Fixed a bug in mod-active for aliased newsgroups. Only = was written to the active file. Thanks to D. Stussy for this patch.
Fixed a bug which caused innd not to honour the Ad flag in newsfeeds.
Fixed a bug in the IP address displayed for localhost in innd's status file. It was not correctly initialized.
Fixed a permission issue: XHDR and XPAT were not checking the rights the user had to read articles when accessing them by their Message-ID.
Fixed a bug in the replies of XHDR, XOVER and XPAT when the newsgroup is empty. Two initial replies were sent instead of one: the right 420 code followed by a wrong 224 code.
When no newsgroup is selected, LISTGROUP now returns the right 412 code (instead of 481).
inncheck now uses a range of permissions to see whether the file modes are correctly set. Therefore, different configurations depending on the security the user wants to enforce on his system are possible.
A new improved version of docheckgroups is shipped with INN. The -u flag permits updating automatically the newsgroups file (with a proper number of tabulations and an alphabetical sort), removing obsolete descriptions and adding new ones. A second command-line argument permits specifying which newsgroups should not be checked.
An email= keyword has been added by James Ralston to news.daily in order to supply another mail address than the one set at configure time for Usenet daily reports.
An updated moderators file with information about the aioe.*, perl.* and si.* hierarchies is provided.
An updated control.ctl file is provided.
INN supports Berkeley DB 4.7, which is the recommended version to use owing to various bugs affecting previous versions of Berkeley DB.
Other minor bugs have also been fixed.
Fixed the "alarm signal" around SSL_read in nnrpd: it allows a proper disconnection of news clients which were previously hanging when posting an article through an SSL connection. Moreover, the clienttimeout parameter now works on SSL connections. Thanks to Matija Nalis for the patch.
SO_KEEPALIVE is now implemented for SSL TCP connections on systems which support it, allowing system detection and closing the dead TCP SSL connections automatically after system-specified time. Thanks to Matija Nalis for the patch.
Fixed a segmentation fault that occurred when an article larger than the space remaining on the stack was retrieved via SSL. Thanks to Chris Caputo for this patch.
Fixed a few segfaults and bugs which affected both Python innd and nnrpd hooks. They no longer check the existence of methods not used by the hooked script. An issue with Python exception handling was also fixed, as well as a segfault fixed by Russ Allbery which happened whenever one closes and then reopens Python in the same process. Julien Elie also fixed a bug when reloading Python filters (they were not always correctly reloaded) and a segfault when generating access groups with embedded Python filters for nnrpd. Many thanks to David Hlacik for his bug reports.
The nnrpd.py stub file in order to test Python nnrpd hooks, as mentioned in their documentation, is now installed; only INN.py was previously installed in pathfilter.
Fixed a bug in INN.py and added missing methods to it.
Fixed a long-standing bug in innreport which prevented it from correctly reporting nnrpd and innfeed log messages.
Fixed a hang in Perl hooks on (at least) HP/PA since Perl 5.10.
Fixed a compilation problem on some platforms because of AF_INET6 which was not inside a HAVE_INET6 block in innfeed.
Fixed a bug in innfeed, which listed the same IP addresses three times for each peer; it unnecessarily slowed the peer IP rotation for innfeed. Thanks, D. Stussy, for having seen that. Miquel van Smoorenburg provided the patch.
A new heavily improved version of pullnews is shipped with this INN release. This new version is provided by Geraint Edwards. He added no more than 16 flags, fixed some bugs and integrated the backupfeed contrib script by Kai Henningsen, adding again 6 other flags. A long-standing but very minor bug in the -g option was especially fixed and items from the to-do list implemented. Many thanks again to Geraint Edwards.
New header fields are accessible through Perl and Python innd filtering hooks. You will find the exact list in the INN Python Filtering and Authentication Hooks documentation (doc/hook-python) and in Python samples. Thanks to Matija Nalis for this addition of new useful header fields.
New samples for Python nnrpd hooks are shipped with INN: nnrpd_access.py for access control and nnrpd_dynamic.py for dynamic access control. The nnrpd_auth.py script is now only used for authorization control. See the readers.conf man page for more information (especially the python_auth, python_access and python_dynamic parameters). The documentation about INN Python Filtering and Authentication Hooks has also been improved by Julien Elie.
Fixed incomplete checking of packet sizes in the ctlinnd interface in the no-Unix-domain-sockets case. This is a potential buffer overflow in dead code since basically all systems INN builds on support Unix domain sockets these days. Also track the buffer size more correctly in the client side of this interface for the Unix domain socket case.
Group blocks in incoming.conf are now correctly parsed and no longer cause segfaults when loading this file.
Fixed a problem with innfeed continuously segfaulting on amd64 hardware (and possibly on lots of 64-bit platforms). Many thanks to Ollivier Robert for his patch and also to Kai Gallasch for having reported the problem and provided the FreeBSD server to debug it.
scanlogs now rotates innfeed's log file, which prevents innfeed from silently dying when its log file reaches 2 GB.
Perl 5.10 support has been added to INN thanks to Jakub Bogusz.
Some news clients hang when posting an article through an SSL connection: it seems that nnrpd's SSL routines make it wrongly wait for data completion. In order to fix the problem, the select() wait is now just bypassed. However, the idle timer stat is currently not collected for such connections. Thanks to Kachun Lee for this workaround.
Fixed a bug in the display of the used compressor (cunbatch was used if arguments were passed to gzip or bzip2).
Fixed a bug in mailpost and pullnews which prevented useful error messages from being seen. Also added the -x flag to pullnews in order to insert Xref header fields in articles which lack one.
If compiling with Berkeley DB, use its ndbm compatibility layer for ckpasswd in preference to searching for a traditional dbm library. INN also supports Berkeley DB 4.4, 4.5 and 4.6 thanks to Marco d'Itri.
ovdb_init now properly closes stdin/out/err when it becomes a daemon. The issue was reported by Viktor Pilpenok and fixed by Marco d'Itri.
Added support for Diablo quickhash and hashfeed algorithms. It allows distributing the messages among several peers (new Q flag for newsfeeds). Thanks to Miquel van Smoorenburg for this implementation in INN.
innd now listens on separate sockets for IPv4 and IPv6 connections if the IPV6_V6ONLY socket option is available. There might also be operating systems that still have separate IPv4 and IPv6 TCP implementations, and advanced features like TCP SACK might not be available on v6 sockets. Thanks to Miquel van Smoorenburg for this patch.
The two configuration options bindaddress and bindaddress6 can now be set on a per-peer basis for innfeed. Setting bindaddress6 to none tells innfeed to never attempt an IPv6 connection to that host. Thanks to Miquel van Smoorenburg for this patch.
Added an nnrpdflags parameter to inn.conf (modelled on the concept of innflags) to permit passing of command line arguments to instances of nnrpd spawned from innd.
A new inn.conf parameter called pathcluster has been added: it allows appending a common name to the Path header field body on all incoming articles. pathhost and pathalias (if set) are still appended to the path as usual, but pathcluster is always appended as the last element (i.e. on the leftmost side of the Path header field body). Thanks to Miquel van Smoorenburg for this feature.
simpleftp has been rewritten to use Net::FTP. Indeed, ftp.pl is no longer shipped with Perl 5 and the script did not work.
perl-nocem will now check for a timeout and re-open the socket if required. Additionally, perl-nocem will switch to cancel_ctlinnd in case cancel_nntp fails after sending the Message-ID. Thanks to Christoph Biedl for the patch. A more detailed documentation has also been written for perl-nocem(8).
The RADIUS configuration is now wrapped in a server {} block in radius.conf.
Checkgroups when there is nothing to change no longer result in sending a blank mail to administrators. Besides, no mail is sent by controlchan for the creation of a newsgroup when the action is no change.
Checkgroups are now properly propagated even though the news server does not carry the groups they are posted to.
controlchan and docheckgroups now handle wire format messages so that articles from the spool can be directly fed to them.
Newgroup control messages for existing groups now change their description. If a mail is sent to administrators, it reminds them to update their newsgroups file. It also warns when there are missing or obsolete descriptions. Furthermore, the newsgroups file is now formatted more neatly (from one to three tabulations between the name of the group and its short description) and to.* groups cannot be created.
The sample control.ctl file has been extensively updated.
Fixed empty LISTGROUP replies which were not terminated. Thanks to David Canzi for the patch.
In response to a LIST [file] command, if the file does not exist, we assume it is not maintained and return 503 instead of 215 and an empty file. Moreover, the capability for LIST ACTIVE.TIMES to take a wildmat pattern as its third argument has been added in order to select wanted newsgroups.
inews now tries to authenticate if it does not receive a 200 return code after MODE READER. Indeed, it might be able to post even with a 201 return code and also with other codes like 440 or 480.
If creating a new history file, set the ownership and mode appropriately. inncheck also expects fewer things to be private to the news user. Most of the configuration files will never contain private information like passwords.
Other minor bug fixes and documentation improvements.
Previous versions of INN had an optimization for handling XHDR Newsgroups
that used the Xref header field from overview. While this does make
the command much faster, it doesn't produce accurate results and breaks
the NNTP protocol, so this optimization has been removed.
Fixed a bug in innd that allowed it to accept articles with duplicated header fields if the header field occurred an odd number of times. Modified the programs for rebuilding overview to use the last Xref header field if there are multiple ones to avoid problems with spools that contain such invalid articles.
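The check below is an added example, not INN's code: it counts every occurrence of a header field, so a field repeated an odd number of times is flagged like any other duplicate, and it returns the last Xref field, the choice the overview rebuild programs now make. The watched field list, the function names and the sample article are assumptions constructed for this illustration.

```python
from collections import Counter

# Fields watched for duplication. This set is an assumption of the example
# (the six fields this page lists as required on injected articles, plus
# Xref); it is not INN's own list.
WATCHED = ("date", "from", "message-id", "newsgroups", "path", "subject", "xref")


def parse_header_fields(raw: bytes):
    """Return ([(name, body), ...], [malformed lines]) for an article's headers.

    Accepts wire format (CRLF) or native (LF) line endings, stops at the
    first blank line, and unfolds continuation lines by joining them to the
    previous field without adding or removing whitespace.
    """
    text = raw.decode("utf-8", "replace").replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]
    fields, malformed = [], []
    for line in head.split("\n"):
        if not line:
            continue
        if line[0] in " \t":
            # Continuation of the previous field; invalid if nothing precedes it.
            if fields:
                name, body = fields[-1]
                fields[-1] = (name, body + line)
            else:
                malformed.append(line)
            continue
        name, sep, body = line.partition(":")
        if not sep or not name or " " in name:
            malformed.append(line)
            continue
        fields.append((name, body.lstrip(" ")))
    return fields, malformed


def duplicated_fields(fields, watched=WATCHED):
    """Map lower-cased field name -> occurrence count for watched duplicates.

    Every occurrence is counted, so 2, 3 or 5 copies are all reported; there
    is no state that a further copy could flip back to "seen once".
    """
    counts = Counter(name.lower() for name, _ in fields)
    return {name: n for name, n in counts.items() if n > 1 and name in watched}


def last_field(fields, wanted):
    """Return the body of the last field named `wanted`, or None if absent."""
    wanted = wanted.lower()
    for name, body in reversed(fields):
        if name.lower() == wanted:
            return body
    return None


# Constructed sample article in wire format: Subject appears three times
# (an odd count, one of them folded) and Xref appears twice.
SAMPLE_ARTICLE = (
    b"Path: news.example.org!not-for-mail\r\n"
    b"From: poster@example.org\r\n"
    b"Newsgroups: misc.test\r\n"
    b"Subject: first\r\n"
    b"Subject: second\r\n"
    b"Subject: third,\r\n"
    b"\tfolded\r\n"
    b"Message-ID: <constructed-1@example.org>\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 +0000\r\n"
    b"Xref: news.example.org misc.test:42\r\n"
    b"Xref: news.example.org misc.test:43\r\n"
    b"\r\n"
    b"Body line with Subject: not a header\r\n"
)

if __name__ == "__main__":
    parsed, bad = parse_header_fields(SAMPLE_ARTICLE)
    print("duplicates:", duplicated_fields(parsed))
    print("Xref used for overview:", last_field(parsed, "Xref"))
    print("malformed lines:", bad)
```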
Fixed yet another problem with verifying that a user has permissions to approve posts to a moderated group. Thanks, Jens Schlegel.
Increase the send and receive buffer on the Unix domain socket used by ctlinnd. This should allow longer replies (particularly for innstat) on platforms with very low default Unix domain socket buffer sizes.
rnews's handling of articles with null characters, NNTP errors, header problems, and deferrals has been significantly improved.
Thomas Parmelan added support to send-uucp for specifying the funnel or exploder site to flush for feeds managed through one and fixed a problem with picking up old stranded work files.
Many other more minor bug fixes, optimization improvements, and documentation fixes.
INN is now licensed under a less restrictive license (about as minimally restrictive as possible shy of public domain), and the clause similar to the old BSD advertising clause has been dropped.
make install and make update now always install the newly built binaries, rather than only installing them if the modification times are newer. This is the behavior that people expect. make install now also automatically builds a new (empty) history database if one doesn't already exist.
The embedded Tcl filter code has been disabled (and will be removed entirely in the next major release of INN). It hasn't worked for some time and causes innd crashes if compiled in (even if not used). If someone wants to step forward and maintain it, I recommend starting from scratch and emulating the Perl and Python filters.
ctlinnd should now successfully handle messages from INN up to the maximum allowable packet size in the protocol, fixing problems sites with many active peers were having with innstat output.
Overview generation has been fixed in both makehistory and innd to follow the rules in the latest NNTP draft rather than just replacing special characters with spaces. This means that the unfolding of folded header fields will not introduce additional, incorrect whitespace in the overview data.
nnrpd now uniformly responds with a 480 or 502 status code to attempts to read a newsgroup to which the user does not have access, depending on whether the user has authenticated. Previously, it returned a 411 status code, claiming the group didn't exist, which confuses the reactive authentication capability of news readers.
If a user is not authorized to approve articles (using the A access control in readers.conf), articles that include an Approved header field will be rejected even if posted to unmoderated groups. Some other site may consider that group to be moderated.
The configuration parser used for readers.conf and others now correctly handles # inside quoted strings and is more robust against unmatched double quotes.
Messages mailed to moderators had two spaces after the colons in the header fields, rather than one. This bug has been fixed.
A bug that could cause heap corruption and random crashes in innd if INN were compiled with Python support has been fixed.
Some problems with innd's tracking of article size and enforcement of the configured maximum article size have been fixed.
pgpverify will now correctly verify signatures generated by GnuPG and better supports GnuPG as the PGP implementation.
INN's code should now be more 64-bit clean in its handling of size_t, pointer differences, and casting of pointers, correcting problems that showed up on 64-bit platforms like AMD64.
Improved the error reporting in the history database code, in inews, in controlchan, and in expire.
Many other, more minor bugs have also been fixed.
SECURITY: Handle the special filing of control messages into per-type newsgroups more robustly. This closes a potentially exploitable buffer overflow. Thanks to Dan Riley for his excellent bug report.
Fixed article handling in innd so that articles without a Path header field (arising from peers sending incorrectly formatted articles or injecting incorrectly formatted articles through rnews) would not cause innd to crash. (This was not exploitable.)
Fixed a serious bug in XPAT handling, thanks to Tommy van Leeuwen.
configure now looks for sendmail only in /usr/sbin and /usr/lib, not on the user's path. This should reduce the need for --with-sendmail if your preferred sendmail is in a standard location.
The robustness of the tradindexed overview method has been further increased, handling more edge cases arising from corrupted databases and oddly-named newsgroups.
innd now never decreases the high water mark of a newsgroup when renumbering, which should help ameliorate overview and active file synchronization problems.
Do not close and reopen the history file on ctlinnd reload when the server is paused or throttled. This was breaking ctlinnd reload all during a server pause.
Various minor portability and compilation issues fixed. Substantial numbers of compiler warnings have been cleaned up, thanks largely to work by Ilya Kovalenko.
Multiple other more minor bugs have been fixed.
Documentation and man pages have been clarified and updated.
The inn.conf parser has changed between INN 2.3 and 2.4. Due to that change, options in inn.conf that contain whitespace or a few other special characters must be quoted with double quotes, and empty parameters (parameters with no value) are not allowed. INN 2.4 comes with a script, innupgrade, run automatically during make update, that will attempt to fix any problems that it finds with your inn.conf file, saving the original as inn.conf.OLD.
This change is the beginning of standardization of parsing and syntax across all of INN's configuration files.
The history subsystem now has a standard API that allows other backends to be used. Because of this, you now need to specify the history method in inn.conf. Adding:
hismethod: hisv6
will tell INN to use the same history backend as was used in previous versions. innupgrade should take care of this for you.
ovdb is known to have some locking and timing issues related to how nnrpd shuts down (or fails to shut down) the overview databases. If you have stability problems with ovdb, try setting readserver to true in ovdb.conf. This will funnel all ovdb reads through a single process with a cleaner interface to the underlying Berkeley DB database.
If you use Perl authentication for nnrpd (if nnrpdperlauth in inn.conf is true), there have been major changes. See "Changes to Perl Authentication Support for nnrpd" in doc/hook-perl for details.
Similarly, if you use Python authentication for nnrpd (if nnrpdpythonauth in inn.conf is true), there have been major changes. See "Changes to Python Authentication and Access Control Support for nnrpd" in doc/hook-python for details.
If you use send-uucp, it has been completely rewritten and now takes a configuration file to specify its behavior. See its man page for more information. If you use sendbatch, it is no longer included in INN since the new send-uucp can handle all of the same functionality.
The wildmat API has been renamed (to uwildmat and friends; see uwildmat(3) for the interfaces) to distinguish it from Rich $alz's original version, since it now supports UTF-8. This may require changes in other software packages that link against INN's libraries.
If you are upgrading from a version prior to INN 2.3, see Upgrading from 2.2 to 2.3.
IPv6 support has been added, disabled by default. If you have IPv6 connectivity, build with --enable-ipv6 to try it. There are no known bugs, but please report any problems you find (or even successes, if you use an unusual platform). There are a few changes of interest; further information is available in doc/IPv6-info.
The tradindexed overview method has been completely rewritten and should be considerably more robust in the face of system crashes. A new utility, tdx-util, is provided to examine the contents of the overview database, repair inconsistencies, and rebuild the overview for particular groups from a tradspool news spool. See tdx-util(8) for more details.
The Perl and Python authentication hooks for readers have been extensively overhauled and integrated better with readers.conf. See the Changes sections in doc/hook-perl and doc/hook-python for more details.
nnrpd now optionally supports article injection via IHAVE, see readers.conf(5). Any articles injected this way must have Date, From, Message-ID, Newsgroups, Path, and Subject header fields. X-Trace and X-Complaints-To header fields will be added if the appropriate options are set in readers.conf, but other header fields will not be modified/inserted (e.g. NNTP-Posting-Host, NNTP-Posting-Date, Organization, Lines, Cc, Bcc, and To header fields).
nnrpd now handles arbitrarily long lines in POST and IHAVE; administrators who want to limit the length of lines in locally posted articles will need to add this to their local filters instead.
nnrpd no longer handles the poorly-specified RFC 977 optional fourth argument to the NEWGROUPS command specifying the "distributions" that the command was supposed to apply to.
Clients that use that argument will break. There are not believed to be any such clients, and it's easy enough to just filter the returned list of newsgroups (which is generally fairly short) to achieve the same results.
nnrpd no longer accepts UTC as a synonym for GMT for NEWGROUPS or NEWNEWS. This usage was never portable, and was rejected by the NNTP working group. It is being removed now in the hope that it will be caught before anyone starts to rely on it.
innfeed supports a new peer parameter, backlog-feed-first, that if set to true feeds any backlog to a peer before new articles, see innfeed.conf(5). When used in combination with max-connections set to 1, this can be used to enforce in-order delivery of messages to a peer that is doing Xref slaving, avoiding cases where a higher-numbered message is received before a lower-numbered message in the same group.
Several other, more minor protocol issues have been fixed: connections rejected due to the connection rate limiting in innd receive 400 replies instead of 504 or 505, and ARTICLE without an argument will always either retrieve the current article or return a 423 error, never advance the current article number to the next valid article.
See doc/compliance-nntp for all of the known issues with INN's compliance with the current NNTP draft.
All accesses to the history file for all parts of INN now go through a generic API like the storage and overview subsystems do. This will eventually allow new history implementations to be dropped in without affecting the rest of INN, and will significantly improve the encapsulation of the history subsystem. See the libinnhist(3) man page for the details of the interface.
INN now uses a new parser for the inn.conf file. This means that parameters containing whitespace or other special characters must now be quoted; see inn.conf(5). It fixes the long-standing bug that certain values must be included in inn.conf even if using the defaults for the use of shell or Perl scripts, and it will serve as the basis for standardizing and cleaning up the configuration file parsing in other parts of INN. innupgrade is run during make update and should convert an existing inn.conf file for you.
send-uucp has been replaced by a completely rewritten version from Marco d'Itri, Edvard Tuinder, and Miquel van Smoorenburg, which uses a configuration file that specifies batch sizes, compression methods, and hours during which batches should be generated. The old sendbatch script has been retired, since send-uucp can now handle everything that it did.
Two configure options have changed names: --with-tmp-path is now --with-tmp-dir, and --with-largefiles is now --enable-largefiles, to improve consistency and better match the autoconf option guidelines.
Variables can now be used in the newsfeeds file to make it easier to specify many similar feeds or feed patterns. See the newsfeeds(5) man page for details.
Local connections to INN support a new special mode, MODE CANCEL, that allows efficient batch cancellation of messages. This is intended to be the preferred interface for external spam and abuse filters like NoCeM. See "CANCEL FEEDS" in innd(8) for details.
Two new options, nfsreader and nfswriter, have been added to inn.conf to aid in building NFS based shared reader/writer platforms. On the writer server, configure nfswriter to true and on all of the readers, configure nfsreader to true; these options add calls to force data out to the NFS server and force it to be read directly from the NFS server at the appropriate moments. Note that it has only been tested on Solaris 8, using CNFS as the storage mechanism and tradindexed as the overview method.
A new option, tradindexedmmap, has been added to inn.conf. If set to true (the default), then the tradindexed overview method will use mmap() to access its overview data (in 2.3 you couldn't control this; it always used mmap).
Thanks to code contributed by CMU, innfeed can now feed an IMAP server as well as other NNTP servers. See the man page for innfeed(8) for more information.
An authenticator, auth_smb, that checks a username and password against a remote Samba server is now included. See auth_smb(8) for details.
The wildmat functions in INN now support UTF-8, in a way that should allow them to still work with most simple 8-bit character sets in widespread use. As part of this change, some additional wildmat interfaces are now available and the names have changed (to uwildmat, where u is for Unicode). See uwildmat(3) for the details.
The interface between external authenticators and nnrpd is now properly documented, in doc/external-auth. A library implementing this interface in C is provided, which should make it easier to write additional authenticators and resolvers. See libauth(3) for details, and any of the existing programs in authprogs/ for examples.
INN now checks to ensure that the configured temporary directory is not world-writeable. Additionally, most (if not all) of the temporary file creation in INN now uses functions that create temporary files properly and safely.
All of the applicable bug fixes from the INN 2.3 STABLE series are also included in INN 2.4.
Clients using POST are no longer permitted to provide an Injector-Info header field.
Fixed a bug causing posts with a Followup-To header field set to a moderated group to be rejected if the posting user didn't have permission to approve postings.
Fixed bugs in inncheck with setuid rnews or setgid inews, in
innconfval with inn.conf parameters containing shell metacharacters
but no spaces, and in parsedate.y with some versions of yacc.
Fixed a variety of size-related printf format warnings (e.g., %d vs. %ld) thanks to the work of Winfried Szukalski.
LIST ACTIVE no longer returns data when given a single group argument if the client is not authorized to read that group.
XHDR and XPAT weren't correctly parsing article header fields, resulting in searches for the header field name "newsgroup" matching the header field name "newsgroups".
Made CNFS more robust against crashes by actually syncing the cycbuff headers to disk as was originally intended.
Fixed a memory leak in the tradspool code.
Two bugs in pgpverify when using GnuPG were fixed: it now correctly checks for gpgv (rather than pgp) when told to use GnuPG and expects the keyring to be pubring.gpg (not pubring.pgp).
Substantial updates to the sample provided control.ctl file.
Compilation fixes with Perl 5.8.0, Berkeley DB 4.x, current versions of Linux (including with large file support), and Tru64. inndf fixes for ReiserFS.
Various bugs in the header handling in nnrpd have been fixed, including hangs when using virtual domains and improper processing of folded header fields under certain circumstances.
Other minor bug fixes and documentation improvements.
pgpverify now supports using GnuPG to check signatures (rather than PGP) without the pgpgpg wrapper. GnuPG can check both old-style RSA signatures and new OpenPGP signatures and is recommended over PGP 2.6. If you have GnuPG installed, pgpverify will use it rather than PGP, which means that you may have to create a new key ring for GnuPG to use to verify signatures if you were previously using PGP.
Users can no longer post articles containing Approved header fields to moderated groups by default; they must be specifically given that permission with the access parameter in readers.conf. See the man page for more details.
Two bugs in repacking overview index files and a reliability bug with writing overview data were all fixed in the tradindexed overview method, hopefully making it somewhat more reliable, particularly for makehistory.
If rc.news.local exists in the INN binary directory, it will be run with the start or stop argument whenever rc.news is run. This is available as a hook for local startup and shutdown code.
The default history table hash sizes were increased because a too-small value can cause serious performance problems (whereas a too-large hash just wastes a bit of disk space).
The sample control.ctl file has been extensively updated.
Wildmat exclusions (@ and !) should now work properly in storage.conf newsgroup patterns.
The implementation of the -w flag for expireover was fixed; previously, the value given to -w to change expireover's notion of the current time was scaled by too much.
Various other more minor bug fixes, standards compliance fixes, and documentation improvements.
innxmit can again handle regular filenames as input as well as storage API tokens (allowing it to be used to import an old traditional spool).
Several problems with tagged-hash history files have been fixed thanks to the debugging efforts of Andrew Gierth and Sang-yong Suh.
A very long-standing (since INN 1.0!) NNTP protocol bug in nnrpd was fixed. The response to an ARTICLE command retrieving a message by Message-ID should have the Message-ID as the third word of the response, not the fourth. Fixing this is reported to possibly cause problems with some Netscape browsers, but other news servers correctly follow the protocol.
Some serious performance problems with expiration of tradspool should now be at least somewhat alleviated. tradspool and timehash now know how to output file names for removal rather than tokens, and fastrm's ability to remove regular files has been restored. This should bring expiration times for tradspool back to within a factor of two of pre-storage-API expiration times.
Added a sample subscriptions file and documentation for it and innmail.
Various other bug fixes and documentation updates.
inews no longer downloads the active file, no longer tries to send postings to moderated groups to the moderator directly, and in general duplicates less of the functionality of nnrpd, instead letting nnrpd handle it. This fixes the problem of inews not working properly for users other than news without being setgid.
Added a man page for ckpasswd.
A serious bug in the embedded Perl authentication hooks was fixed, thanks to Jan Rychter.
The annoying compilation problem with embedded Perl filtering on Linux systems without libgdbm installed should be fixed.
INN now complains loudly at configure time if the configured path for temporary files is world-writeable, since this configuration can be a security hole.
Many other varied bug fixes and documentation fixes of all sorts.
Simply doing a make update is not sufficient to upgrade; the history and overview information will also have to be regenerated, since the formats of both files have changed between 2.2 and 2.3. Regardless of whether you were using the storage API or traditional spool under 2.2, you'll need to rebuild your overview and history files. You will also need to add a storage.conf file, if you weren't using the storage API under INN 2.2. A good default storage.conf file for 2.2 users would be:
method tradspool {
    newsgroups: *
    class: 0
}
Create this storage.conf file before rebuilding history or overview.
If you want to allow readers, or if you want to expire based on newsgroup name, you need to tell INN to generate overview data and pick an overview method by setting ovmethod in inn.conf. See INSTALL and inn.conf(5) for more details.
The code that generates the dbz index files has been split into a separate program, makedbz. makehistory still generates the base history file and the overview information, but some of its options have been changed. To rebuild the history and overview files, use something like:
makehistory -b -f history.n -O -T /usr/local/news/tmp -l 600000
(change the /usr/local/news/tmp path to some directory that has plenty of temporary space, and leave off -O if you're running a transit-only server and don't intend to expire based on group name, and therefore don't need overview.) Or if your overview is buffindexed, use:
makehistory -b -f history.n -O -F
Both will generate a new history file as history.n and rebuild overview at the same time. If you want to preserve a record of expired Message-IDs in the history file, run:
awk 'NF==2 { print; }' < history >> history.n
to append them to the new history file you created above. Look over the new history file and make sure it looks right, then generate the new index files and move them into place:
makedbz -s `wc -l < history.n` -f history.n
mv history.n history
mv history.n.dir history.dir
mv history.n.hash history.hash
mv history.n.index history.index
(Rather than .hash and .index files, you may have a .pag file if you're using tagged hash.)
For reader machines, nnrp.access has been replaced by readers.conf. There currently isn't a program to convert between the old format and the new format (if you'd like to contribute one, it would be welcomed gratefully). The new file is unfortunately considerably more complex as a result of its new capabilities; please carefully read the example readers.conf provided and the man page when setting up your initial configuration. The provided commented-out examples cover the most common installation (IP-based authentication for all machines on the local network).
INN makes extensive use of mmap(2) for the new overview mechanisms, so at the present time NFS-mounting the spool and overview on multiple reader machines from one central server probably isn't feasible in this version. mmap tends to interact poorly with NFS (at the least, NFS clients won't see updates to the mapped files in situations where they should). (The preferred way to fix this would be, rather than backing out the use of mmap or making it optional, to add support for Diablo-style header feeds and pull-on-demand of articles from a master server.)
The flags for overchan have changed, plus you probably don't want to run overchan at all any more. Letting innd write overview data itself results in somewhat slower performance, but is more reliable and has a better failure mode under high loads. Writing overview data directly is the default, so in a normal upgrade from 2.2 to 2.3 you'll want to comment out or remove your overchan entry in newsfeeds and set useoverchan to false in inn.conf.
crosspost is no longer installed, and no longer works (even with traditional spool). If you have an entry for crosspost in newsfeeds, remove it.
If you're importing a traditional spool from a pre-storage API INN server, it's strongly recommended that you use NNTP to feed the articles to your new server rather than trying to build overview and history directly from the old spool. It's more reliable and ensures that everything gets put into the right place. The easiest way to do this is to generate, on your old server, a list of all of your existing article files and then feed that list to innxmit. Further details can be found in the FAQ at <https://www.eyrie.org/~eagle/faqs/inn.html>.
If you are using a version of Cleanfeed that still has a line in it like:
$lines = $hdr{'__BODY__'} =~ tr/\n/\n/;
you will need to change this line to:
$lines = $hdr{'__LINES__'};
to work with INN 2.3 or later. This is due to an internal optimization of the interface to embedded filters that's new in INN 2.3.
New readers.conf file (replaces nnrp.access) which allows more flexible specification of access restrictions. Included in the sample implementations is a RADIUS-based authenticator.
Unified overview has been replaced with an overview API, and there are now three separate overview implementations to choose from. One (tradindexed) is very like traditional overview but uses an additional index file. The second (buffindexed) uses large buffers rather than separate files for each group and can handle a higher incoming article rate while still being fast for readers. The third (ovdb) uses Berkeley DB to store overview information (so you need to have Berkeley DB installed to use it). The ovmethod key in inn.conf chooses the overview method to use.
Note that ovdb has not been as widely tested as the other overview mechanisms and should be considered experimental.
All article storage and retrieval is now done via the storage API. Traditional spool is now available as a storage type under the storage API. (Note that the current traditional spool implementation causes nightly expire to be extremely slow for a large number of articles, so it's not recommended that you use the tradspool storage method for the majority of a large spool.)
The timecaf storage method has been added, similar to timehash but storing multiple articles in a single file. See INSTALL for details on it.
INN now supports embedded Python filters as well as Perl and Tcl filters, and supports Python authentication hooks.
There is preliminary support for news reading over SSL, using OpenSSL.
To simplify anti-abuse filtering, and to be more compliant with news standards and proposed standards, INN now treats as control messages only articles containing a Control header field. A Subject header field body beginning with cmsg is no longer sufficient for a message to be considered a control message, and the Also-Control header field is no longer supported.
The INN build system no longer uses subst. (This will be transparent to most users; it's an improvement and modernization of how INN is configured.)
The build and installation system has been substantially overhauled. make update now updates scripts as well as binaries and documentation, there is better support for parallel builds (make -j), there is less make recursion, and far more of the system-dependent configuration is handled directly by autoconf. libtool build support (including shared library support) should be better than previous releases.
All of the applicable bug fixes from the INN 2.2 STABLE series are also included in INN 2.3.
INN no longer installs inews setgid news or rnews setuid root by default. If you need the old behavior, --enable-uucp-rnews and/or --enable-setgid-inews must be given to configure. See INSTALL for more information.
A security hole when verifycancels is turned on in inn.conf (not the default) was fixed.
Message-IDs are now limited to 250 octets to prevent interoperability problems with other servers.
Various other security paranoia fixes have been made.
Embedded Perl filters fixed to work with Perl 5.6.0.
Lots of bug fixes.
Various minor bug fixes and a Y2K bug fix. The Y2K bug is in version 2.2.1 only and will show up after Jan 1st, 2000 when a news reader issues a NEWNEWS command for a date prior to the year 2000.
Various bug fixes, most notably fixes for potential buffer overflow security vulnerabilities.
New storage.conf file (replaces storage.ctl).
New (optional) way of handling non-cancel control messages (controlchan) that serializes them and prevents server overload from control message storms.
Support for actsyncd to fetch active file with ftp; configured by default to use <ftp://ftp.isc.org/pub/usenet/CONFIG/active.Z> if you run actsyncd. Be sure to read the manual page for actsync to configure an actsync.ign file for your site, and test simpleftp if you do not configure with wget or ncftp. Also see <https://ftp.isc.org/pub/usenet/CONFIG/README>.
Some options to configure are now moved to inn.conf (merge-to-groups and pgp-verify, without the hyphen).
inndf, a portable version of df(1), is supplied.
New cnfsstat program to show stats of CNFS buffers.
news2mail and mailpost programs for gatewaying news to mail and mail to news are supplied.
pullnews program for doing a sucking feed is provided (not meant for large feeds).
The innshellvars.csh.in script is obsolete (and lives in the obsolete directory, for now).