Created attachment 210030: net-im/py-matrix-synapse patch from 1.6.1 to 1.7.1
The matrix team has just released the 1.7.1 version of synapse containing three security-relevant fixes[1]. In addition to this, the 1.7.0 release now strongly recommends the use of postgresql. Sqlite is only recommended for testing or small non-federated setups and future releases of synapse may disable federation by default for instances using sqlite, see [2]. I've therefore included PGSQL as a default option and updated the pkg-message with a note on upgrade. In addition, I've added the postgres setup/migration documentation to the installed docfiles. I'll also write a vuxml entry for this, once I have a few more minutes to spare. The updated 1.7.1 port builds and runs fine for me.
Cheers, Sascha
[1] https://github.com/matrix-org/synapse/releases/tag/v1.7.1
[2] https://github.com/matrix-org/synapse/releases/tag/v1.7.0
Build info is available at https://gitlab.com/swills/freebsd-ports/pipelines/104025583
Created attachment 210038: vuxml entry for py-matrix-synapse releases prior to 1.7.1
Here's the vuxml entry adapted from the release notes. :)
Created attachment 210084: net-im/py-matrix-synapse patch from 1.6.1 to 1.7.2
Here's another bump to 1.7.2, which includes two bugfixes for regressions introduced in the 1.7 release.
A commit references this bug:
Author: decke
Date: Fri Dec 20 21:05:45 UTC 2019
New revision: 520526
URL: https://svnweb.freebsd.org/changeset/ports/520526
Log:
  Document py-matrix-synapse vulnerabilities
  PR: 242702
  Submitted by: Sascha Biberhofer <ports@skyforge.at>
Changes:
  head/security/vuxml/vuln.xml
I'll take it
A commit references this bug:
Author: decke
Date: Fri Dec 20 21:16:09 UTC 2019
New revision: 520527
URL: https://svnweb.freebsd.org/changeset/ports/520527
Log:
  net-im/py-matrix-synapse:
  - Update to 1.7.2
  - Enable PostgreSQL support per default as recommended from upstream
  - Add messages for updating
  PR: 242702
  Submitted by: Sascha Biberhofer <ports@skyforge.at> (maintainer)
Changes:
  head/net-im/py-matrix-synapse/Makefile
  head/net-im/py-matrix-synapse/distinfo
  head/net-im/py-matrix-synapse/files/pkg-message.in
Committed, Thanks!
The change to the default backend should have been separated from the security update. Combining them makes it more difficult to merge to the quarterly branch.
(In reply to Kubilay Kocak from comment #8)
While I can see your point, I wouldn't really call this a change to the default backend. The package just pulls in both backends now, so people have a choice by default and no longer need to install the postgres dependencies manually. I didn't drop sqlite from the default options so that existing installations are not affected, but I would like to think about this in a future release.
The 1.7 release itself also doesn't change the way sqlite is handled, it just prints a tiny warning on start making it more clear to the user that sqlite comes with performance limitations, so sqlite users shouldn't be affected in any way by the new version and don't need to migrate anything on update in the immediate future.
I hope this is "ok" (while probably not ideal) for a merge into quarterly, but if there's anything else I can (and should) do about this then please let me know.
^Triage: Track no MFH