This upgrades our images to Alpine 3.20, Django 4.2, Mailman 3.3.10,
Postorius 1.3.13, Hyperkitty 1.3.12 and django-mailman3 1.3.15.
Files are re-synced with upstream (either container or project)
files, with versions and any alterations noted.
Change-Id: I78d37c0635d38ecfc1d1143a69892fe8d8685214
After the 2.2.4 release we upgraded to a development commit between
2.2.4 and the future (at that time non existant) 2.2.5 release to fix
integration between meetpad and etherpad. Now there is a proper 2.2.5
and we should update to get off the dev commit.
This release fixes a number of bugs, updates dependencies, and adds
proper swagger documentation for the API. The "complete" changelog can
be seen here:
https://github.com/ether/etherpad-lite/blob/v2.2.5/CHANGELOG.md
Note that I don't believe the API has changed they are merely
documenting it properly using swagger. Our testing should confirm.
To expose the new swagger documentation we do add /api-docs/ and
/api-docs.json to our proxy exclusion list.
We also update our settings.json files to sync with upstream. This pulls
in a new `updateServer` key value pair to set the location that should
be checked by etherpad to determine if there is a newer version
available. I believe this behavior has existing for years they are just
now making it a bit more configurable. Unfortunately the way this value
is used I think we will do a local file lookup if we set the value to
"". I've stuck with the default since this shouldn't be a regression and
we can try to disable it later.
Change-Id: I73a09a0c79db18887cb1703c84f9aebae6f072eb
We're running v1.22.1 currently and v1.22.2 fixes a number of bugs. The
full changelog can be seen here:
https://github.com/go-gitea/gitea/blob/v1.22.2/CHANGELOG.md
The template files we override have not changed and neither has the
Dockerfile since we last upgraded. I expect this should be a fairly
straightforward bugfix upgrade. Reviewers please to read the changelog
to see if there is anything we should be concerned about.
Change-Id: I4983865c94429c4cbcb54329f0f83b2fb0f26404
This updates etherpad to the current develop branch state
(commit 08f199178d2932cc0ec956aaeb3f62e8a535598a) to pull in a fix after
the v2.2.4 release and before v2.2.5. Specifically we're interested in a
fix for embedding etherpad as we do with meetpad.
If a 2.2.5 release is pushed before this lands we should switch over to
that instead.
Change-Id: I497c6b434dae54ed808f62143a4c12fb42cc2c47
There are 2.2.0 and 2.2.1 tags but no built releases and they don't show
up in the changelog for 2.2.2 either. Thats fine we can ignore them and
upgrade to latest (2.2.4) instead. The changelog for 2.2.4 can be found
here:
https://github.com/ether/etherpad-lite/blob/v2.2.4/CHANGELOG.md
Notable this changes how plugins are loaded into the js shipped to the
browser. We should confirm that our plugins are working as expected as
part of this update.
On the config management side of things there are some small updates to
the Dockerfile to sync up with upstream changes to how etherpad is
built. We also update the settings json file to configure log type. Note
this change was only made to the normal settings file and not the docker
settings file upstream so we match that in this change as well.
Finally we also update our mod_rewrite rules in apache to prevent new
javascript loading locations from being redirected to /p/
inappropriately. Previously we were redirecting foo.min.js to
/p/foo.min.js which caused the server to return html instead of js which
led to syntax errors. This then resulted in js errors from the
ep_headings plugin. It appears this plugin is ancient and no longer
maintained and seems to rely on require() functionality that was removed
from etherpad in 2.2.2. We switch to the ep_headings2 plugin instead.
This will allow us to file bugs against maintained software should
problems persist.
Fungi tested ep_headings2 against our production db content and things
seem to work despite this issue existing [0]. We should upgrade
carefully but it seems like things will likely be functional.
We should also check if these redirect rules affect meetpad as well. But
this can likely be done after the upgrade.
[0] https://github.com/ether/ep_headings2/issues/4
Change-Id: I4a907b5170d3612f4525153a0a07c291d6481a92
We'll continue to deploy 'latest' but we tag the etherpad version
explicitly in order to make rollbacks simpler if necessary. Etherpad has
seen a resurgence in development which has led to some potentially
painful upgrade paths that we need to accomodate. Having rollbacks be
possible is a nice safety net.
Change-Id: I3ea59c1e4b33d777fae356d377773a4a60e9313e
We just updated the gerrit image version tags but that did not promote
the images in docker hub so production doesn't see them. Force a rebuild
via the dockerfile (with an updated comment) to actually get images to
promote.
Change-Id: I0ea50b1d92b8633e59d4c4aff1b0ec8c7a47a0b5
This newer version actually restores APIKEY authentication, but we
already converted to oauth2.0 so we don't revert. Otherwise it seems
like there are a number of small fixes. Full change log here:
https://github.com/ether/etherpad-lite/blob/v2.1.1/CHANGELOG.md
In this change we resync configuration template files which results in a
few small updates. We also realign the dockerfile with upstream which
also results in a few small updates one of which is bumping the nodejs
version to 22 from 20.
Change-Id: I39664fde59a7cc9fdf2451d41018ae11b9e99b79
Changes made on our side to make this upgrade happen:
* Update the gitea checkout tag to v1.22.1
* Update the golang container version to 1.22 as gitea 1.22 has an
undocumented hard dependency on golang 1.22 or newer.
* Update our overridden template files to match latest gitea template
changes.
* Update our app.ini config to switch from [oauth2].ENABLE to
[oauth2].ENABLED as the previous config string is deprecated and will
be removed in 1.23.0 per:
...es/setting/oauth2.go:124:loadOAuth2From() [E] Deprecation: config
option `[oauth2].ENABLE` presents, please use `[oauth2].ENABLED`
instead because this fallback will be/has been removed in v1.23.0
The full release notes for this release can be found here:
https://github.com/go-gitea/gitea/blob/v1.22.1/CHANGELOG.md
I've including the list of breaking changes below with my own
annotations on how/whether they affect us.
* BREAKING
* Improve reverse proxy documents and clarify the AppURL guessing behavior (https://github.com/go-gitea/gitea/pull/31003) (https://github.com/go-gitea/gitea/pull/31020)
* This isn't actually a breaking chagne but they have improved docs
around how to properly set Host and X-Forwarded-Proto headers for
gitea to enable better logging behind a reverse proxy. We should
investigate.
* Remember log in for a month by default (https://github.com/go-gitea/gitea/pull/30150)
* Default was a week. We should consider rolling back to low values
since we don't have real users.
* Breaking summary for template refactoring (https://github.com/go-gitea/gitea/pull/29395)
* All custom templates need to follow these changes
* I don't think we're using any of the changed methods/functions in
our templates. Testing should help confirm this.
* Recommend/convert to use case-sensitive collation for MySQL/MSSQL (https://github.com/go-gitea/gitea/pull/28662)
* This is the doctor update to address case sensitivity problems
between git and gitea. We'll need to test this as part of our
upgrade process and testing.
* Make offline mode as default to not connect external avatar service by default (https://github.com/go-gitea/gitea/pull/28548)
* We are already disabling gravatar. I think this will disable it
harder.
* Include public repos in the doer's dashboard for issue search (https://github.com/go-gitea/gitea/pull/28304)
* This affects end user dashboard info rendering which we don't use.
* Use restricted sanitizer for repository description (https://github.com/go-gitea/gitea/pull/28141)
* We already control what goes into repo descriptions via
projects.yaml. Shouldn't really affect us.
* Support storage base path as prefix (https://github.com/go-gitea/gitea/pull/27827)
* This change looks scary at first glance but appears to only affect
minio storage systems (which is like an s3 abstraction layer). We
store things to disk and shouldn't be affected if I read the PR
correctly.
* Enhanced auth token / remember me (https://github.com/go-gitea/gitea/pull/27606)
* THis appears to improve security but it isn't clear what the
effect on end users is. We'll see if our CI jobs are happy with
new token generation I guess.
* Rename the default themes to gitea-light, gitea-dark, gitea-auto (https://github.com/go-gitea/gitea/pull/27419)
* If you didn't see the new themes, please remove the [ui].THEMES config option from app.ini
* We don't do anything special for themes so this should noop for
us.
* Require MySQL 8.0, PostgreSQL 12, MSSQL 2012 (https://github.com/go-gitea/gitea/pull/27337)
* Our version of MariaDB should be new enough to rough rough feature
equivalent with MySQL 8.0 and newer. We might consider helping
upstream add MariaDB testing if they haven't already though.
Change-Id: Ifb4f0d92d70bc06f717e6535f1b67a221e127180
There are new bugfix updates for both of the Gerrit images we are
building. Bump up to these new releases. The delta between these updates
and what we are already running should be quite small since we just
updated updates recently which will update the main gerrit repo off of
stable branches. Many plugins are fixed to tags but many of those simply
get retagged with new versions. There are some exceptions to this like
the codemirror-editor plugin though.
Overall though should be a straightforward update.
Change-Id: Ic8df1922672317f463e39548f318eae77796b9fd
The last rebuild only promoted our Gerrit 3.8 image. This appears to
have happened because we only modified the jobs and not the Dockerfile
itself. Fix this by modifying the Dockerfile which should rebuild and
promote both 3.8 and 3.9 images ensuring that our upgrade testing tests
what we want to upgrade to.
Change-Id: I8d06ea9971a6ee0c0e06e6fe2b73391526be6220
This updates changes how Etherpad is built and how authentication is
managed for API requests. This ends up changing a lot of our tooling
around etherpad but etherpad itself (other than the auth changes)
doesn't seem to change much. In response to this I update our admin docs
on common api tasks to use the new process. Then update our testinfra
testing as well to cover that to ensure it all continues to work
properly after this change.
Note the Dockerfile updates are all adapted from upstream. I'm actually
not fond of the decisions they have made in this image build, but being
in sync is probably more important than fixing the multistage builds and
being different.
This change jumps us from v1.9.7 to 2.0.3 (covers releases 2.0.0, 2.0.1,
and 2.0.2 too). A changelog can be found here:
https://github.com/ether/etherpad-lite/blob/v2.0.3/CHANGELOG.md
Change-Id: Ia7c4f26d893b4fc4a178262e1a6b9f3fa80d2a5c
This is our semi regular python base image rebuild. This ensures we're
running relatively up to date python builds as well as base system
packages (though many of our image builds update the base system too).
Change-Id: Ice918219a64bd5845de9dc3330bf292261c6a80e
Gitea wants us to move the robots.txt file to a new location. It
currently logs a warning about it:
2024/04/17 19:30:56 cmd/web.go:191:serveInstalled() [E] Found legacy public
asset "robots.txt" in CustomPath. Please move it to
/custom/public/robots.txt
Change-Id: Ic4a7f3bbe4633972e0409b37b511fdb03f968442
This is a bugfix update upgrade from v1.21.10 to v1.21.11. None of the
templates we override have been changed between these two versions
according to git diff.
A full changelog can be found here:
https://github.com/go-gitea/gitea/blob/v1.21.11/CHANGELOG.md
Change-Id: I4d3648e311fe87b275856f2d73aca4a79c2c5507
Gitea and OpenDev are playing a game of tag. Whenever we bump our
deployment up to the lastest version they release a new version the next
day. That means there is now a v1.21.10 available shortly after updating
to v1.21.9.
Again this appears to be a fairly straight forward bug fix release.
There are no diffs in the templates we override between 1.21.9 and
1.21.10. Full release notes can be found here:
https://github.com/go-gitea/gitea/blob/v1.21.10/CHANGELOG.md
Change-Id: I7491d18b14100ca6457d42994a45de1e70de8758
Almost immediately after we upgraded to 1.21.8 a new 1.21.9 release
became available. Again this appears to largely be a bugfix release with
no super important changes for us. However, there are performance
improvements which are always nice to see. The template files that we
override have not changed between 1.21.8 and 1.21.9.
Full change log can be found here:
https://github.com/go-gitea/gitea/blob/v1.21.9/CHANGELOG.md
Change-Id: Ica763081203d9be44c9de0923a261afa820c891b
This is a bugfix release with no template updates and no other impactful
deployment changes that I can see. Full changelog notes can be found
here:
https://github.com/go-gitea/gitea/blob/v1.21.8/CHANGELOG.md
Change-Id: I6009bbebc261e87702b7f603bf179be89d31edb9
This upgrades our gitea container image and, thus deployment, to version
1.21.7 from 1.21.5. There are no updates to the three template files we
override upstream according to git diff in the gitea repo.
A full changelog can be found here:
https://github.com/go-gitea/gitea/blob/v1.21.7/CHANGELOG.md
Change-Id: I95d92f47085532275bf0f2508f9026e9394aebc7
There is at least one Gerrit bugfix for an NPE that we should pick up by
this update. There are also improvements to the MINA SSHD server that
gerrit runs.
Full changelogs can be found here:
https://www.gerritcodereview.com/3.8.html#384
Change-Id: Icba387496457c5a60fd914a6ee689104d3a52c1d
This change updates etherpad to version 1.9.7 from 1.9.6. The
changelog [0] is minimal, but does indicate there are changes to plugin
installations. Looking at the upstream Dockerfile, which we based our
Dockerfile on, there are no changes between 1.9.6 and 1.9.7 implying
this plugin installation update is transparent to us. That said we
should hold a node and test that our plugins are working as expected.
[0] https://github.com/ether/etherpad-lite/blob/v1.9.7/CHANGELOG.md
Change-Id: Ie708299fae39549f048f37938daa60668189be67
This update includes a number of bugfixes. The changelog can be found
here: https://github.com/go-gitea/gitea/blob/v1.21.5/CHANGELOG.md.
There is a security fix for inappropriate access to non public container
images. We don't how private data and we don't use the container
registry in gitea so this doesn't affect us.
There are no changes to template files that we override.
Change-Id: I9419a22736de82e135a25fca22aef1ed10c19e1a
We are currently running 1.21.3 so this shouldn't be a huge upgrade for
us. Full changelog can be found here:
https://github.com/go-gitea/gitea/blob/v1.21.4/CHANGELOG.md
Two template files are removed from our custom template overrides. They
were both included for the 1.21.3 so that we could manually patch a bug
that resulted in HTTP 500 errors when using gitea's code search
functionality. Upstream included these fixes in the 1.21.4 release so we
don't need to override to fix this any longer. This should be covered by
a testinfra test case now too.
Change-Id: I221e5cd185631751c082bdf5e2902057e5200dc0
We've experienced some runaway growth of Gitea archive cache files
on one of our backends, which according to upstream is often caused
by web crawlers indexing the archive URLs. They recommended updating
our robots.txt to the current state of https://gitea.com/robots.txt
in order to help mitigate the issue.
I've kept things we expressly commented out before still commented
out, or anything that seems similar to what we commented out on the
assumption that the reasons would carry over.
After some discussion in IRC, we also decided it would make sense to
disallow /avatars and /user/* like they do.
Change-Id: I2b43b89de08c9a9d170e1ecbd14b1e6336fd2c84
Upgrade Gitea to 1.21.3. The changelogs for this release can be found
here:
https://github.com/go-gitea/gitea/blob/v1.21.3/CHANGELOG.md
I have attempted to collect the interesting bits in this commit message
as well as information on why we do or don't make changes to address
these items.
1.21.0
* BREAKING
* Restrict certificate type for builtin SSH server (https://github.com/go-gitea/gitea/pull/26789)
* We don't use the builtin SSH server and don't use certificates
for auth. Nothing to do here.
* Refactor to use urfave/cli/v2 (https://github.com/go-gitea/gitea/pull/25959)
* The major change here updated `gitea` to stop accepting
`gitea web`'s command options. Our dockerfile is set up to use
`CMD ["/usr/local/bin/gitea", "web"]` so we are not affected.
* Move public asset files to the proper directory (https://github.com/go-gitea/gitea/pull/25907)
* We update the testinfra test for robots.txt to more robustly
check file contents. Previously it checked a very generic
prefix which may indicate a generic file being served.
* We move custom/public/img into custom/public/assets/img.
Screenshots should be used to confirm this works as expected.
* Remove commit status running and warning to align GitHub (https://github.com/go-gitea/gitea/pull/25839)
(partially reverted: Restore warning commit status (https://github.com/go-gitea/gitea/pull/27504) (https://github.com/go-gitea/gitea/pull/27529))
* We don't rely on commit statuses as this is a read only replica
of Gerrit.
* Remove "CHARSET" config option for MySQL, always use "utf8mb4" (https://github.com/go-gitea/gitea/pull/25413)
* We don't set [database].CHARSET. Doesn't affect us.
* Set SSH_AUTHORIZED_KEYS_BACKUP to false (https://github.com/go-gitea/gitea/pull/25412)
* We don't set this value explicitly so the default will flip from
true to false for us. I don't think this is an issue because we
keep track of our pubkeys in git.
* SECURITY
* Dont leak private users via extensions (https://github.com/go-gitea/gitea/pull/28023) (https://github.com/go-gitea/gitea/pull/28029)
* We don't use private users.
* Expanded minimum RSA Keylength to 3072 (https://github.com/go-gitea/gitea/pull/26604)
* We have rotated keys used to replicate from gerrit to gitea to
work around this. Now are keys are long enough to make gitea
happy.
* BUILD
* Dockerfile small refactor (https://github.com/go-gitea/gitea/pull/27757) (https://github.com/go-gitea/gitea/pull/27826)
* I've updated our Dockerfile to mimic these changes. Comment
whitespace as well as how things are copied and chmoded in the
build image have been updated.
* TODO the file copies aren't working for us. I think due to how we
ultimately clone the git repo. We use RUN but upstream is using
COPY against the local build dir. I've aligned as best as I can,
but we should see if we can do a similar COPY on our end.
* Fix build errors on BSD (in BSDMakefile) (#27594) (#27608)
* We don't run on BSD.
* Fully replace drone with actions (#27556) (#27575)
* This is how upstream builds their images. Doesn't affect our
builds.
* Enable markdownlint no-duplicate-header (#27500) (#27506)
* Build time linters are somethign we don't care too much about on
our end.
* Enable production source maps for index.js, fix CSS sourcemaps (https://github.com/go-gitea/gitea/pull/27291) (https://github.com/go-gitea/gitea/pull/27295)
* This emits a source map for index.js which can be used for in
browser debugging. Don't think this is anything we need to take
action on.
* Update snap package (#27021)
* We don't use a snap package.
* Bump go to 1.21 (https://github.com/go-gitea/gitea/pull/26608)
* Our go version is updated in the Dockerfile.
* Bump xgo to go-1.21.x and node to 20 in release-version (https://github.com/go-gitea/gitea/pull/26589)
* Our node version is updated in the Dockerfile.
* Add template linting via djlint (#25212)
* Build time linters are somethign we don't care too much about on
our end.
1.21.1
* SECURITY
* Fix comment permissions (https://github.com/go-gitea/gitea/pull/28213) (https://github.com/go-gitea/gitea/pull/28216)
* This affects disclosure of private repo content. We don't have
private repos so shouldn't be affected.
1.21.2
* SECURITY
* Rebuild with recently released golang version
* We'll automatically rebuild with newer golang too.
* Fix missing check (https://github.com/go-gitea/gitea/pull/28406) (https://github.com/go-gitea/gitea/pull/28411)
* There is minimal info here but it appears to be related to
issues. We don't use issues so shouldn't affect us.
* Do some missing checks (https://github.com/go-gitea/gitea/pull/28423) (https://github.com/go-gitea/gitea/pull/28432)
* There is minimal info here but it appears to be related to
checks around private repos. We don't use private repos so this
shouldn't affect us.
1.21.3
* SECURITY
* Update golang.org/x/crypto (https://github.com/go-gitea/gitea/pull/28519)
* This addresses recent concerns found in ssh for gitea's built in
ssh implementation. We use openssh as provided by debian so will
rely on our distro to provide fixes.
Finally 1.21.x broke rendering of code search templates. The issue is
here: https://github.com/go-gitea/gitea/issues/28607. To address this
I've vendored the two fixed template files
(https://github.com/go-gitea/gitea/pull/28576/files)into our custom
template dirs. Once upstream makes a release with these fixes we can
drop the custom files entirely as we don't override anything special in
them.
Change-Id: Id714826a9bc7682403afcf90f2761db8c84eacbf
This bumps etherpad to 1.9.5. The changelog is minimal for this update,
but upstream switches to nodejs 20 by default so we make the same update
here. We also remove TidyHTML configs from our configs to match upstream
updates that did the same thing. Complete release notes can be found
here:
https://github.com/ether/etherpad-lite/blob/v1.9.5/CHANGELOG.md
We should hold a node and test functionality before merging this change.
Change-Id: Ib6cd888f35624490f630e091f184946e9c4e48aa
This is a bugfix release with some security updates that while maybe not
critical due to our use of gitea as a read only mirror would be good to
get in anyway. Additionally we'll want to be on the latest 1.20 release
before updating to 1.21.
The changelog can be found here:
https://github.com/go-gitea/gitea/blob/v1.20.6/CHANGELOG.md
Git diff reports no template updates between 1.20.5 and 1.20.6 in the
templates that we override.
Change-Id: Idd38660dce53b5765c1ab4bc021544bd105df138
This was still set to bullseye which isn't a problem for our Zuul jobs
as they always specify what version to use. However, local builds would
build bullseye by default which isn't super useful now that the vast
majority of images are built on top of bookworm. Swap things around to
avoid potential confusion.
Change-Id: If68e32a358268a423e35e44e3150115cd1da6f8c
Refresh our versions of settings.json.docker and
settings.json.template from upstream, incorporating our local
preferences as edits to the latter (the former is included in the
container image we publish but the latter gets mapped over it during
deployment).
Changes to the required version of node-log4js in Etherpad 1.9.4
will invalidate our custom logging configuration and error out,
preventing the service from starting, so go ahead and remove it now.
Change-Id: Ic05ed9be7b6900ba9cdfa09b28600bcd55b770fd
Upstream golang updates are worth recompiling gitea under. Details can
be found in the golang 1.20 release notes:
https://go.dev/doc/devel/release#go1.20.minor
Change-Id: I6ddeaa23d5aee23928d6f448095bb69fe82d94a9
This adds a python-base:3.11-bookworm-debug image, which is built
on the normal python:3.11-bookworm upstream image instead of the
slim upstream image. The normal image includes debug symbols for
the python interpreter which is compiled during its build phase,
so this is the best way to get an opendev python-base image with
debug symbols.
Change-Id: I1d89ac947cd3bea8a468f3ee022fb4cc93bece1f
