INN 2.7.0
2022-07-10
Full changes and diff from previous release
Upgrading to a major release is a good time to ensure that your configuration files, that are usually kept untouched during normal updates, are up-to-date: notably control.ctl (with your local changes in a separate control.ctl.local file), new better default values in inn.conf and innfeed.conf, improvements in innreport.conf (along with innreport-display.conf) and innreport.css, fixes in innwatch.ctl, updated moderators and nocem.ctl files.
You may also want to check that the PGP keys used to verify the signature of control articles and NoCeM notices are still up-to-date and working. The keys of a few hierarchies and NoCeM issuers have recently changed.
Upgrading from 2.6 to 2.7
The following changes require your full attention because a manual intervention may be needed:
-
The require_ssl parameter in readers.conf has been renamed to require_encryption as it applies to any kind of encryption layers, including TLS and SASL security layers. Since innupgrade only takes care of the change in the file named readers.conf, you will have to manually rename that parameter in configuration files for nnrpd with an alternate name.
-
The innreport.conf file in pathetc has been split into a general configuration file (innreport.conf itself) and a display configuration file (innreport-display.conf in pathlib). If you made local changes in sections other than the default section in innreport.conf, and wish to keep them, then you need to rename the new innreport-display.conf file to another name in pathlib, set this local file name in the new display_conf_file option in innreport.conf, and re-apply your local changes to that local display configuration file.
As a matter of fact, the default display configuration file would otherwise be overwritten each time INN is updated. Bug fixes or enhancements are made from time to time to the display configuration of innreport, and previously couldn't be automatically merged in innreport.conf on update. This new separate configuration file to parameterize the display will now permit an automatic update (if of course you use the default display configuration file).
-
A new inn-secrets.conf configuration file has been added in pathetc. The intent is that, from now on, new secrets used by INN are added to that file, and that all secrets currently stored in several other configuration files eventually move to that file. Make sure it is properly created during the upgrade, and not world-readable. It currently only stores the secrets used for the new Cancel-Lock functionality.
-
The -C flag given to innd to disable the execution of cancels has been deprecated and is no longer taken into account (an error message will be present in your logs if innd is started with it). Instead, a new parameter has been added in inn.conf to tune the types of cancels innd should process. If docancels is set to require-auth, which is the default if INN has Cancel-Lock support, only articles originally protected by the Cancel-Lock authentication mechanism can be withdrawn by a valid authenticated cancel article or a valid authenticated supersede request. Withdrawals of articles not originally protected by Cancel-Lock will not be executed. See inn.conf(5) for more details about the different values of the new docancels parameter, and make sure to parameterize it according to your needs.
-
The refusecybercancels and verifycancels parameters have been removed from inn.conf. The first was performing an inefficient and inexact check (that should be done, if wanted, in the special ME entry in newsfeeds, or even better, ask your peers not to feed you articles with cyberspam in the Path header field body); the second check performed on the newsgroups present in cancel articles was not useful in innd (this check is relevant to posting agents).
The related lines in inn.conf will be commented out by innupgrade during the upgrade.
-
The XBATCH command is no longer enabled by default in innd. You'll have to explicitly enable that capability by setting the new xbatch parameter to true in incoming.conf for the peers sending you such compressed batches.
-
The nolist and noresendid parameters in incoming.conf have been respectively renamed to list and resendid (and the meaning of their related boolean values is now the opposite). Besides, the unused comment and email parameters in incoming.conf have been removed. innupgrade will take care of the changes (inverting the boolean values, and commenting the lines with removed parameters).
-
filechan is no longer shipped with INN; it was just a simple version of buffchan. All calls to filechan will be changed to buffchan -u (for its unbuffered mode) in newsfeeds by innupgrade. If you have local scripts running filechan, you will have to manually take care of the change.
-
send-nntp is no longer shipped with INN. If you have local scripts running it, you will have to manually adjust them to use nntpsend which basically does the same thing, better. Or, even better, use innfeed if that is possible.
-
Wrappers around old Perl and Python authentication and access hooks, pre-dating INN 2.4.0 and identifiable by the nnrpperlauth and nnrppythonauth parameters in inn.conf, are no longer shipped as samples in INN releases. If not already done, you should either replace old hooks with new modern hooks or use the possibilities that readers.conf and regular authenticator and resolver programs offer.
-
The libauth.h header file and the libstorage library have been renamed to libinnauth.h and libinnstorage to homogenize their names with the existing libinnhist library. External programs building or linking against them need a manual change.
If you are upgrading from a version prior to INN 2.6, see also the upgrade instructions from 2.5 to 2.6.
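A post-upgrade audit for the items above that innupgrade leaves to you, written as an added example (not part of INN or of these release notes). The advice strings and the function names are this example's own; the parameter and program names are the ones listed above.

```python
import os, re, stat, sys

# Names come from the 2.6 -> 2.7 notes above; the advice strings paraphrase them.
STALE_PARAMS = {
    "require_ssl": "rename to require_encryption",
    "nnrpperlauth": "pre-2.4.0 hook wrapper, no longer shipped",
    "nnrppythonauth": "pre-2.4.0 hook wrapper, no longer shipped",
}
STALE_PROGRAMS = {"filechan": "use buffchan -u",
                  "send-nntp": "use nntpsend or innfeed"}
PARAM_RE = re.compile(r"^\s*(%s)\s*:" % "|".join(STALE_PARAMS))
PROG_RE = re.compile(r"(?<![\w-])(%s)(?![\w-])" % "|".join(STALE_PROGRAMS))

def scan_file(path):
    """List (file, line number, stale name, advice) found on non-comment lines."""
    found, base = [], os.path.basename(path)
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if line.lstrip().startswith("#"):
                continue  # commented-out lines are inert
            m = PARAM_RE.match(line)
            if m:
                found.append((base, lineno, m.group(1), STALE_PARAMS[m.group(1)]))
            for name in PROG_RE.findall(line):
                found.append((base, lineno, name, STALE_PROGRAMS[name]))
    return found

def secrets_problem(path):
    """Return a message if inn-secrets.conf is missing or open to 'other', else None."""
    if not os.path.isfile(path):
        return "missing"
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return "mode %o grants access to other users" % mode if mode & stat.S_IRWXO else None

def audit(pathetc):
    """Scan regular files directly under pathetc, then check inn-secrets.conf."""
    found = []
    for name in sorted(os.listdir(pathetc)):
        full = os.path.join(pathetc, name)
        if os.path.isfile(full):
            found.extend(scan_file(full))
    return found, secrets_problem(os.path.join(pathetc, "inn-secrets.conf"))

if __name__ == "__main__":
    found, problem = audit(sys.argv[1])  # argument: your pathetc directory
    for item in found:
        print(*item)
    print("inn-secrets.conf:", problem or "ok")
```

Run it as the news user with your pathetc as the only argument; the same scan_file function can be pointed at local scripts that may still call filechan or send-nntp.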
Bug Fixes
-
Fixed the parsing of hosts and localaddress parameters in readers.conf; exclusion patterns (beginning with !) have not been working since INN 2.5.0.
-
Improved the robustness of innxmit when receiving 500 or 501 response codes from peers, indicating they do not understand the NNTP command or (wrongly) think there is a syntax error. Richard Kettlewell added proper handling of these responses, making innxmit drop the refused article instead of sending it over and over (and thus receiving the same error response code each time).
-
All of the applicable bug fixes from the INN 2.6 STABLE series are also included in INN 2.7.
New Features
-
Bo Lindbergh has implemented a new overview storage method based on SQLite, known for its long-term stability and compatibility. Robust and faster at reading ranges of overview data, but somewhat slower at writing, this new SQLite-based method is a perfect choice to store overview data.
To select it as your overview method, set the ovmethod parameter in inn.conf to ovsqlite. Details about ovsqlite, the ovsqlite.conf configuration file and how to switch to that new modern overview storage method can be found in the ovsqlite(5) and makehistory(8) man pages.
-
Julien Élie has implemented Cancel-Lock support in innd and nnrpd, based on RFC 8315 and libcanlock. A new inn-secrets.conf configuration file has been added in pathetc wherein you can set the secrets to use for Cancel-Lock. See the inn-secrets.conf(5) man page for more details.
A new -F flag is recognized by innconfval to indicate the type of file to parse (by default inn.conf); just run innconfval -F inn-secrets.conf to get the values of that new configuration file. Another new flag, -f, permits specifying another file name to parse than the standard one.
The addcanlockuser parameter has been added in readers.conf to deactivate the generation of user-specific hashes when several different posters have the same identity in an access group. This parameter also permits setting whether the hash, when generated, is based on the username or the (static) IP of the connection.
-
Added a new tool, gencancel, to help the news administrator generate authenticated cancel control messages, with the expected admin Cancel-Key hashes. See the gencancel(1) man page for more details.
-
A new docancels parameter has been added in inn.conf to define which types of cancels innd should process. The -C flag given to innd is deprecated in favour of that new parameter (you'll see in your logs the message "innd -C flag has been deprecated and has no effect; use docancels in inn.conf" in case you're passing that flag to innd).
-
Andreas Kempe has implemented blacklistd support in nnrpd. This daemon, available notably in FreeBSD and NetBSD, can be used to prevent brute force attacks by blocking attackers after a number of failed login attempts. When nnrpd is run with the new -B flag, and INN has been configured with the new --with-blacklist option, it will report login attempts to the blacklistd daemon for potential blocking.
-
Building INN with TLS support using LibreSSL is now supported (only OpenSSL was previously officially supported and tested).
-
innreport now collects statistics from innxbatch and generates a section for them in its reports.
-
The innreport.conf file in pathetc, previously containing almost 2500 lines, has been split into a general configuration file (innreport.conf itself, still in pathetc, with about 60 lines) and a display configuration file (innreport-display.conf, a new separate file in pathlib). The name of this display configuration file can be parameterized in the new display_conf_file option in innreport.conf.
-
The -m flag given to mailpost now sets a List-ID header field instead of a Mailing-List header field.
-
rc.news, used to start and stop INN daemons, now checks whether it is run as the news user. It will exit if that is not the case, so as not to tamper with the ownership of files INN manipulates.
-
filechan has been removed; it was just a simple version of buffchan, which should now be used.
-
send-nntp has been removed; it was just a simple version of nntpsend, which should now be used (or, even better, innfeed).
-
The refusecybercancels and verifycancels parameters have been removed from inn.conf. Besides, inews no longer checks if the From or Sender header fields of a cancel or supersede request match the ones of the original article being withdrawn. All of these were either inefficient or inexact checks.
-
The xbatch parameter has been added in incoming.conf to enable the XBATCH command in innd for specific remote peers. The default is to disable the capability.
-
The nolist and noresendid parameters in incoming.conf have been respectively renamed to list and resendid (and the meaning of their related boolean values is now the opposite). Besides, the unused comment and email parameters in incoming.conf have been removed.
-
inews no longer adds a Sender header field nor overwrites an existing one in articles it processes if the new -P flag is used. The Path header field, if unset, no longer systematically contains the path identity of the local news server (you may want to add it manually with the -x flag, if needed). Finally, inews also no longer adds the obsolescent Lines header field.
-
A new -E flag can now be given to inews to silently discard empty articles, instead of bailing out with an error. Another new -m flag permits setting the Message-ID instead of letting inews generate one. And a third new flag, -Y, forces inews to authenticate to the remote news server even if not asked to.
-
signcontrol has been removed as it embeds per-site configuration which is overwritten each time INN is updated to a newer version, and it is unlikely you ever need it. Nonetheless, if you need to issue PGP-signed control messages, you can still download it from https://ftp.isc.org/pub/pgpcontrol/.
-
Support in controlchan for obsolete sendsys, senduuname and version control messages has been removed. These control messages, long deprecated, should no longer be sent or honoured nowadays. Besides, the doifarg keyword in control.ctl is no longer recognized (it was only used for these three kinds of control messages).
-
The require_ssl parameter in readers.conf has been renamed to require_encryption, which is a better name as it applies to any kind of encryption layers, including TLS and SASL security layers.
-
Fixed the use of a deprecated API in Kerberos V5. INN now requires version 1.6.1 or higher of MIT Kerberos v5 to build.
-
The libauth.h header file and the libstorage library have been renamed to libinnauth.h and libinnstorage to homogenize their names with the existing libinnhist library.
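The Cancel-Lock check behind docancels set to require-auth, described above, can be modelled with the RFC 8315 sha256 scheme as follows. This is an added illustration, not INN or libcanlock code: the function names, the secret and the Message-ID are constructed, and only the sha256 scheme is handled.

```python
import base64
import hashlib
import hmac

def cancel_key(secret: bytes, message_id: str) -> str:
    """Key per RFC 8315's recommended construction: Base64(HMAC-SHA256(secret, Message-ID))."""
    mac = hmac.new(secret, message_id.encode("utf-8"), hashlib.sha256).digest()
    return "sha256:" + base64.b64encode(mac).decode("ascii")

def cancel_lock(key: str) -> str:
    """Lock published in the article: Base64(SHA-256(key string)), same scheme."""
    key_string = key.partition(":")[2]
    digest = hashlib.sha256(key_string.encode("utf-8")).digest()
    return "sha256:" + base64.b64encode(digest).decode("ascii")

def withdrawal_allowed(original_cancel_lock: str, cancel_key_body: str) -> bool:
    """Model of the require-auth rule: the original article must carry a lock, and
    one key in the cancel or supersede request must hash to one of its elements."""
    locks = {e.partition(":")[2] for e in original_cancel_lock.split()
             if e.lower().startswith("sha256:")}
    for key in cancel_key_body.split():
        if not key.lower().startswith("sha256:"):
            continue  # other schemes are ignored in this example
        if cancel_lock(key).partition(":")[2] in locks:
            return True
    return False  # no lock on the original, or no key opens it

if __name__ == "__main__":
    # Constructed values: the secret and the Message-ID are made up.
    key = cancel_key(b"constructed-secret", "<1@news.example>")
    lock = cancel_lock(key)
    print("Cancel-Lock:", lock)
    print("Cancel-Key: ", key)
    print(withdrawal_allowed(lock, key), withdrawal_allowed("", key))
```

The last call shows why an article posted without a Cancel-Lock cannot be withdrawn under require-auth: there is no lock for any key to open.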