2023-06-06 3.12

* Per-group reminders are not supported any more.  Users shall decide if they
  want reminders individually.

* Mailing lists are entirely handled in frontend, without the previously
  used cron job.  The list descriptions are passed to mailman as well
  list name, domain, and visibility (public vs. private) when creating
  and reconfiguring the mailing list.

[REQUIREMENTS]

* Perl modules File::Find::Rule, IO::File, String::Random, XML::Writer
  aren't used any more.

[FRONTEND]

* Deleted squads aren't longer kept in the user table.

* Duplicate SSH keys are not added to account any more.

* The obsolete documentation in userguide/ is removed; links to wiki
  are added instead.

* Additional repositories are listed in the top menu as well as
  in the "Development Tools" section.

* A Content-Disposition header is added to atom feeds.

* No more "sitewide" news as opposed to "local" news of the admin group;
  all news from the admin group go to the front page of the website
  as well as to the main page of the admin group.

* Private groups are listed on user's page (/u/$user) when the visitor
  has access to them; when the user is an admin, the group is highlighted.

* Absent 'member since' dates are not treated as broken group history
  any more.

* Controls to modify some Git repository settings are added on a new page
  /git/admin/index.php.

* A new error handler is installed, logging more necessary information
  to track the bugs.

* A facility to reassign mailing lists from one group to another is
  added, /siteadmin/mailman.php.  When superusers visit mail configuration
  page of a group, /mail/admin/?group=<unix_group_name>, they are
  additionally offered controls to unlink, i.e. remove the list from
  the database without deleting it on the Mailman srever, and to create
  a list with an arbitrary name (the template is just '%NAME') and associate
  it with that group.

* /siteadmin/groupedit.php checks if any mailing lists are associated
  with the group, and when they are, it suggests rearranging them
  instead of the "Remove group" link.

* Bug fixes:

** Mailing list descriptions with special chars weren't shown correctly
   in a few places.

** Mailing list creation form didn't support multiple templates with %NAME.

** In frontend/php/forum/forum.php, one argument of SQL query
   had a wrong type.

** Anonymous posts were accepted even when the "captcha" wasn't filled,
   broken since 2022-04-18 (b45631f42).

** Multiple PHP notices and warnings were fixed.

** PHP 8.0 => 8.1 => 8.2 incompatibilities were resolved.

** Fix regression in markup added in 3.11 (commit e61f3ec357d5a): links
   to image files (file #47102) translated to HTML incorrectly,
   per Savannah sr #110868.

** Links to "next results" in tracker item search were incorrect,
   Savannah sr #110869.

** Skillboxes weren't localized.

[BACKEND]

* The backend/mail/sv_mailman.in is removed; the mailing lists are
  handled entirely in frontend.

* New script, backend/mail/sv_mailman-wrapper.pl.in.

* New script, backend/extra/git/sv_cgit.pl.in (fetched from vcs2
  and heavily rewritten).

* New script, backend/extra/git/sv_cgit_about_filter.pl.in.

* sv_cleaner removes irrelevant pieces of news and orphan user data.

* sv_cleaner doesn't check for mailing lists of removed groups any more;
  they should be managed on the frontend before the group is deleted.

* sv_mailmain connects lists.gnu.org directly unless --ssh-user is set empty.

* The --cron option in scripts is ignored, --logfile is added when
  relevant.

* --version option in scripts outputs copyright and license notices.

* New option in sv_aliases, --suffix.

* Replace --debug with --dry-run and --verbose in sv_reminder,
  sv_groups, sv_aliases.

* In sv_groups, the unused --no-etc and --only-etc options are replaced
  with --no-group-check.

* In sv_membersh, configuration code and command line parsing is rewritten;
  substantial documentation is added to --help; the configuration is now
  loaded from @sysconfdir@/savane/membersh-conf.pl rather than
  @sysconfdir@/membersh-conf.pl.

* Remove unused scripts:
  backend/account/sv_users.in
  backend/extra/cvs/sv_extra_daily_cvs_tarball.in
  backend/extra/cvs/sv_extra_daily_cvs_tarball_forbid.in
  backend/extra/cvs/sv_extra_import_cvs.in
  backend/extra/cvs/sv_extra_pserver_cvsroots.in
  backend/extra/cvs/sv_extra_viewcvs_forbidden.in
  backend/extra/subversion/sv_extra_daily_svn_tarball.in.

* New configuration variable, $sys_dir_prefix, to prepend to paths of group
  areas (download and repositories).

* Bug fixes:

** PrintVersionOrHelp emitted spurious error messages.

** Git repository descriptions using UTF-8 non-ASCII characters
   weren't passed to cgitrepos correctly.

** In sv_reminder, the "month before" date was assigned incorrectly.

** In sv_cleaner, user's auxiliary data like preferences and bookmarks
   weren't removed when removing the account.

** In sv_membersh, the allowed paths weren't really asserted
   (e.g. /srv/download/../../tmp/foo).

[BUILD]

* autotools/m4/nls.m4 and autotools/m4/progtest.m4 are updated
  from gettext-0.21.1.

* Bug fixes:

** Some images in the OldCERN theme weren't built.

[I18N]

* Update French, Hebrew, Russian.

2023-03-17 3.11

[BACKEND]

* Bug fixes:

** In Cvs.pm<UpdateCvsNotifications>, file opening errors weren't handled
   correctly.

[FRONTEND]

* When spam is reported, notifications are sent to
  $sys_mail_admin@$sys_mail_domain.

* Anonymous posts are reported to $sys_mail_admin@$sys_mail_domain
  when $sys_watch_anon_posts is set; likewise, posts of new users
  are repored for first $sys_new_user_watch_days.

* Registration task template was improved (commit d16b7e7).

* A link to CVS notification setup was added to group menu.

* IP-based bloking code is removed; it hasn't been used for ages and
  can't be effective these days, anyway.

* The "printer mode" was removed.

* In siteadmin/groupedit.php, fields for custom directories were removed;
  they are not used these days, and group admins can edit those settings
  after group approval (commit 00e5788).

* In "lost password" and "change SSH key" procedures, user-identifying
  data were removed from notifying emails.

* Group submission was rewritten, both texts and markup.

* When the filesystem with Git repositories is mounted on frontend,
  it lists the repositories directly from there rather than from
  $sys_etc_dir/cgitrepos.

* Group type names and descriptions are localized.

* Active languages are selected in initialization time with $sys_linguas.

* The markup rendering (include/markup.php) is rewritten,
  with the following user-visible changes:

** nomarkup and verbatim areas are processed without nesting.

** <strong> and <em> are replaced with <b> and <i>.

** In the ASCII mode, support for nesting ordered and unordered lists
   is added.

** A few bugs are fixed, see the 'Bug fixes' section.

* In tracker comment form, comment type & canned response selector
  was rewritten:

** No comment type selection is offered unless there are at least two
   choices.

** Comment types and canned responses are only available for group
   members, per Savannah sr #110789.

* Bug fixes:

** When user supplied multi-line file descriptions, the file was served
   with a broken header.

** Multiple PHP notices and warnings and a few SQL errors were fixed---hopefully
   more than introduced.

** Diff email list wasn't processed correctly in CVS notification settings
   (cvs/admin/index.php, commit 5303e6fa).

** Git repositories with empty descriptions extracted from cgitrepos
   were listed incorrectly.

** Title of stats/index.php wasn't localized.

** Groyp type name assignent in siteadmin/group_type.php didn't work.

** The LANGUAGE environment variable overrode locale settings requested
   by browsers.

** Asterisks in markup didn't work as documented in cases like
   0 *item*.

** In the ASCII mode, ordered lists were in effect even within
   verbatim blocks, Savannah sr #110621.

** Editing field usage was broken in 3.10.

[I18N]

* Update French, Hebrew, Russian.

* Update pwqcheck messages to the 2.0.2 release.

[BUILD]

* autotols/m4/po.m4 and po/Makefile.am are updated from gettext-0.21.1.

2023-02-01 3.10

[FRONTEND]

* Securimage is replaced with Text_CAPTCHA.

* When exiting due to missing parameters, the list of the missing
  parameters is displayed.

* New page, /bugs/item.php, to extract tracker items encrypted
  to user's GPG key non-interactively (without having to log in).

* When sending message from /sendmessage.php, a checkbox
  'Send me a copy' is added.

* Canned responses are quoted when quoting preview in order to
  make it possible to customize them.

* Newest supported PHP version is promoted to 8.1; multiple
  updates are committed.

* When looking for "site-specific" files, source tree is tried first;
  the old location (via $sys_inc_dir) isn't supported any more.

* Posts marked as spam are only shown their authors and tracker
  admins.

* New special field, 'updated' is added, Savannah sr #109372.

* In trackers, controls for adding comments aren't offered unless
  commenting is allowed.

* In trackers, date selections are made optional.

* In robots.txt, spam and users' GPG keys are "disallowed."

* Running locally:

** Configuration is updated.

** Support shortcuts /u/ => /users/, /p/ => /projects/.

** Support paths in /file.

* New skill levels: "10 yr - 20 yr", "20 yr - 40 yr",
  "40 yr - 80 yr", "> 80 years".

* $sys_datefmt setting isn't supported any more.

* "Stone age menu" description is updated.

* On "Use CVS" pages, markup is improved.

* Support for "broken MSIE" arrangements is dropped.

* Bug fixes:

** SQL query error when sending email notifications, Savannah
   sr #110647.

** Fix PHP warning when changing posting restrictions.

** Fix exit_permission_denied status code.

** When formatting in ASCII mode, commentless items were skipped.

** Adding originator email and adding users to item notification
   lists were broken for anonymous posts; Savannah sr #110658.

** On Field Usage pages, in some cases unapplicable labels were shown.

** In tracker item list, selection based on dates was broken.

** In tracker item list, user preference weren't applied correctly.

** In a few cases, special character decodig was wrong.

** In tracker item list table head, "Submitted by" is shortened
   to "Submitter", "Submitted on" to "Submitted", Savannah sr #109372.

** In php/images/, a few missing links are added; execution permission
   is cleared from files.

** New item preview is fixed, Savannah sr #110700.

** Cookies are passed to subdomains in order to make attachments
   to private items accessible.

** In tracker item lists, "multiple" date selections were broken.

** Posts from non-existing users were handled incorrectly,
   e.g. Savannah patch #2240.

** Mailing list creation was broken since 3f27e1bb.

** Fix PHP warnings when attaching files in trackers.

** Fix multiple PHP notices.

** In /stats/index.php, statistics for periods didn't work.

** In tracker item lists, chunk sizes like "00" resulted
   in modulo zero.

** When displaying member list, superusers were treated as members,
   pending members were still invited in the group; resume and "watch"
   links for squads where offered; roles were explained twice
   on the page.

** /siteadmin/retestconfig.php didn't work

** In item history, a few kinds of user-supplied values weren't
   escaped properly.

[BACKEND]

* Add $sys_banned_email_domains and --dry_ryn in misc/sv_cleaner.in

[I18N]

* Update French, Hebrew, Russian.

* In "detailed" member list, compound strings like
  "task tracker" . " " . "technician" weren't localized correctly.

[BUILD]

* Bug fixes:

** autoreconf wasn't invoked correctly.

** The 'distcheck' rule is fixed in po/.

2022-04-29 3.9

[FRONTEND]

* Add sys_upload_dir writability check in testconfig.php.

* Add new preables to group preferences, Savannah sr #110528.

* Switch to single-column layout in Account Conf, Savannah sr #109699.

* Add preview to original submissions in trackers, Savannah sr #109413.

* Process canned response and comment type in preview.

* Bug fixes:

** Fix JavaScript-related regressions, Savannah sr #110630.

** Make sure that uploaded files aren't overwritten, Savannah sr #109422.

** In emails reporting tracker activity, ordered lists weren't enumerated
   for original submissions, Savannah sr #110621.

[DOCUMENTATION]

* Drop obsolete info.

[BUILD]

* Regenerate ChangeLog from git automatically.

[I18N]

* Update Russian.

* Update French, Hebrew from the TP.

2022-04-01 3.8

[FRONTEND]

* Group names 'bug', 'help', 'info' are disallowed: their mailing
  lists ("info-gnu") could conflict with standard GNU names.

* init.php takes into account autoconfigured value of $sysconfdir.

* Drop support for mysql extention; always use mysqli.

* Rewrite user-supplied parameter sanitizing framework.

* In /project/admin/editgroupnotifications.php, show intro
  for the first tracker, Savannah sr #110333.

* In emails reporting tracker comments, ordered lists
  are enumerated, Savannah sr #110621.

* On the login page, don't ask whether to stay in HTTPS.

* Irrelevant texts were removed from group register confirmation
  page.

* Names of removed squads can be used for new squads.

* Support for legacy locations for site-specific texts was dropped.

* Don't add user agent and REMOTE_ADDR to headers when sending mails,
  Savannah sr #110592.

* Remove link to cookbook from sidebar, disable cookbook search.

* Support protocol-relative links in markup.

* Preserve first space in line in markup, Savannah sr #110562.

* Bug fixes:

** Tracker comment numbering was wrong when some comments were marked as spam.

** Comments with removed comment_type were invisible.

** History for removing cross-tracker dependencies were written incorrectly.

** Users who couldn't post resume couldn't also enable skillboxes; now
   setting skillboxes is allowed for all users.

** Markup:

*** Fix processing of '@':  URLs like www.example.org/a@b.html
    produced links like
    <a href="http://www.example.org/a">www.example.org/a</a>@b.html

*** Unclosed +verbatim+ blocks didn't show up, Savannah sr #110626.

** Emails in "Replaced by" in tracker item history weren't hidden
   for anonymous visitors.

[DOCUMENTATION]

* Update REQUIREMENTS.

[BUILD]

* Make distcheck work.

[SAMPLE LOCAL INSTANCE]

* Add $sys_gpg_name to local2/etc-savane/.savane.conf.php; update
  $sys_unix_group_name and notes on mock-up db.

[BACKEND]

* Add dummy savane.conf.pl installed by default to let basic tests run.

* Install Perl modules to $libexec, make them runnable
  with --help and --version options.

* Add path to Savane Perl modules to Perl scripts.

* Remove obsolete files.

[I18N]

* Update Russian.

* Add Hebrew from TP.

* Update French and "Simplified" Chinese from TP.

[SITE-SPECIFIC]

* Remove obsolete files from etc/ and
  frontend/php/site-specific/gnu-content/faq/.

* Update bzr info, Savannah task #9943.

* Move FAQ link up in site help menu.

2021-10-05 3.7

[FRONTEND]

* Make CVS admin page usable and accessible from group pages.

* New DEVEL_STATUS, Decommissioned.

[BACKEND]

* Fully maintain Savane CVS hooks in sv_groups.

[I18N]

* Update French and "Simplified" Chinese from TP.

* Update Russian.

2021-03-23 3.6

[FRONTEND]

* Fix search, Savannah sr #110244.

* Add release keyring to group preferences, display it instead of concatenated
  personal keys.

* Add selectable default query for trackers, Savannah sr #109504.

* Add new tracker restriction level to make them read-only.

* Fix tracker submenu for the case when an alternative URL is used.

* Various PHP-related fixes.

* Minor documentation fixes and updates.

* Add a distinct domain for user-supplied files to improve security.

* Make sure that user_name is unique when renaming accounts.

* Show diagnostics when lost user-supplied files are requested.

* Fix markdown link processing, Savannah sr #110128.

* Fix a few vulnerabilities.

* Fix restrictions on having resume.

* Account "real" names are checked against forbidden templates.

* Add a means to pre-fill new item submissions, Savannah sr #109904.

* Fix handling date fields in tracker comment previews.

* Avoid login redirections to external websites.

* Decode HTML entities in fields, Savannah sr #109857.

* Add a list of recent anonymous posts to the siteadmin area.

* Add a list of account activities to user account page in the siteadmin area.

* Notify users when removing idle accounts, Savannah sr #109838.

* Improve output of invalid user IDs on user pages.

* Fix reverse dependency history, Savannah sr #109698.

[I18N]

* Enable Portuguese.

[BACKEND]

* Drop group GPG keyring-related dead code.

[DATABASE]

* Convert group_preferences.preference_value to mediumtext to hold group
  GPG release keys.

2019-07-05 3.5

[FRONTEND]

* Actually make it run on PHP 7.0: use mysqli_* instead of mysql_*
  when available, replace a few other functions.

* Add 'quote' buttons to trackers.

* Add /markup-test.php page with an updated markup documentation
  and a test facility.  Improve markup rendering.

* Fix 'Clean Reload' and 'Printer Version' links for pages like
  /p/www-tr and /u/rms.

* Improve footer and menu text readability in some themes.

* Fix group registration page.

* Serve all images from the same website, remove the CSP exception
  for images.

* Improve registration template HTML.

* Make theme selection logic more consistent: rely primarily
  on user's preferences and only use cookies when the user
  is anonymous.

* Add test for cgitrepos on /testconfig.php.

* Fix a 12 years old bug on Squad Administration page.

* Sanitize user-supplied attachment filenames; fix rendering of
  existings files with HTML special characters in their name.

* Fix spacing in header fields of emails with non-ASCII characters.

* Add links to browsing additional Git repositories to group's pages.

* Include VCS host fingerprint on "Use Git" and "Use Hg" pages.

* Fix processing tracker queries that contain no bug id.

* Remove shadows under <h?> elements.

* Fix nextprev url, Savannah sr #109673.

* Add a configuration variable for GPG executable.

* Fix tracker preview: it didn't preserve fields like 'Status' changed
  by the user.

* Enforce restrictions on "real names" of users: disallow '",<

* Convert 'unavailable' links from <a> to <del>.

* Move GPLv3+ to the top of license list.

* Fix feedback on query form edit page.

* Rewrite Export to work syncrhonously, without the need for cron jobs.

* Add a control for site admins to rename accounts.

* Remove accounts more aggressively: set username to _<account_no>,
  drop "Delete" vs. "Suspend" distinction. [anti-spam]

* Don't let users add resume until they join to any group. [anti-spam]

* Show site admins previous user names and link to the account when
  deleting accounts.

* Differentiate self-removed accounts from admin-removed accounts using
  "real name".

* Add user markers when exporting group GPG keyring to show whose
  keys are listed in which place.

* In email notifications from trackers, add URLs of attached files.

* On user's page, add links for editing account for site admins.

[I18N]

* Update French translation from the TP.

* Update Russian translation.

[BACKEND]

* Clear idle accounts in sv_cleaner.in. [anti-spam]

* Fix time calculations in sv_cleaner.in.

* Remove obsolete tasks in sv_cleaner.in.

* Add 'cookbook' to tracker list in sv_cleaner.in.

[CONFIGURATION]

* Fix gettext detection.

[BUILD]

* Use configured value of MSGMERGE.

2019-01-09 3.4

[CONFIGURATION]

* Tarball name is fixed: savannah -> savane.

[I18N]

* Update translations from TranslationProject.

* Enable French, Russian and Spanish translations.

* Make context_icon alt attribute localizable.

[FRONTEND]

* Improve page handling user's GPG keys.  Add a means to test submitted
  keys.

* Multiple cosmetic HTML improvements.

* Show shorter dates in trackers when possible; render full dates
  with ISO format.

* Fix HTML errors found with HTML_CodeSniffer.

* Fix handling user input per OBB-636261 and OBB-647866.

* Use HTTPS URLs in email notifications.

* Drop logging user's IPs.

* Disallow emgedding in frames; move JavaScript and styles to separate
  files; add a CSP header.

* Fix a few bugs.

* Make the code PHP 7.0-compatible:

** Avoid reserved names.

** Eliminate egreg*.

* Use user_delete to delete users instead of settings their status
  to 'D'.

[BACKEND]

* sv_membersh: prevent user from breaking out of scp-restricted shell

2018-05-20 3.3

[I18N]

* Missing in 3.2: savane.pot is updated.

2018-05-20 3.2

[FRONTEND]

* Multiple typo fixes.

* Language selection is rewritten. New way to select language is added
  for the case when regular browser means don't work.

* Most strings to i18n are reviewed, translator's comments are added.

* Comment preview is implemented for trackers.

* A few PHP notices and warnings are fixed.

* Some dead links are removed.

* In Markup, named links to trackers are supported, like
  [task #4913 our most important task] and
  [comment #289 my second reply].

* When deleting account, non-active groups are ignored
  per Savannah Task #14513.

* OBB-296182 is fixed.

* Getting group keyring was fixed per Savannah sr #109450.

* Due to a MySQL bug, some Unicode characters didn't display
  in tracker comments correctly, per Savannah sr #109450.

* When registering a new user account, a message explaining
  what the confirmation email looks like is shown,
  per Savannah sr #109310.

* Account Configuration -> Change GPG Key:
  a sample key is shown to explain what it should look like;
  a button to test the submitted key is added.

* Some fixes in CSS.

* In Markup, URL parts like "*checkout*" were shown in bold.

[SITE-SPECIFIC]

* Webpages (including "site-specific content") are imported to Git;
  they are localized together with frontend messages.

* Apache 2.0 is added to license list.

* Add SHA256 VCS server SSH key fingerprints to MD5 ones.

2017-05-23 3.1-cleanup2

[CONFIGURATION]

* .mo (translation files) will be installed in /usr/local/share/locale
  by default, and the $sys_localedir configuration variable should be
  set accordingly.

* $sys_appdatadir (default "/var/lib/savane") and
  $sys_trackers_attachments_dir (default
  "$sys_appdatadir/trackers_attachments")

* The behavior of SCP changed somewhere between OpenSSH 5.2 and 5.5
  (inclusive).  It now passes an extra '--' argument before the copy
  destination.  You may need to adapt your '$regexp_scp' in
  '/etc/membersh-conf.pl'.


[SITE-SPECIFIC]

* git/index.txt added: displayed in /git/index.php

* hg/index.txt added: displayed in /hg/index.php

* bzr/index.txt added: displayed in /bzr/index.php

* account/login.txt added: displayed in /account/login.php

[FRONTEND]

* New TextCHA antispam in the user registration process.


[BACKEND]

* Git, Mercurial and Bazaar support.	


[DATABASE STRUCTURE]

* Store trackers attachments on the filesystem. On large sites such as
  Savannah, there are now ~17000 files totalling >400MB, which becomes
  inconvient to handle (huge dumpfiles, etc.). The migration script
  stores files in /var/lib/savane/trackers_attachments by
  default. Files are named after their file_id, to avoid naming issues
  (duplicates, security, simplicity, etc.)


[DEVELOPER NOTES]

* Code compatible with PHP5

* Cleaner PHP code (less warnings, allowing to look for real issues)

* More secure input validation (prevents SQL injections and CSRF);
  works with register_globals=off and magic_quotes=off.

* Test Savane on http://localhost:50080/ with single line:
    make -C tests/minimal_configs/

* Build system based on autoconf & automake, plus MakeMaker for the
  Perl library

* Full UTF-8 database (including declarations and ordering)

================================================================
Copyright (C) 2001-2011, 2013, 2017 Sylvain Beucler
Copyright (C) 2013, 2014, 2017-2023 Ineiev

This file is part of Savane.

Code written before 2008-03-30 (commit 8b757b2565ff) is distributed
under the terms of the GNU General Public license version 3 or (at your
option) any later version; further contributions are covered by
the GNU Affero General Public license version 3 or (at your option)
any later version.  The license notices for the AGPL and the GPL follow.

Savane is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

Savane is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.

Savane is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

Savane is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.
