Bug 259850 - www/matomo: update 4.2.1 --> 4.5.0
Summary: www/matomo: update 4.2.1 --> 4.5.0
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Matthias Fechner
URL: https://matomo.org/changelog
Keywords: patch
Depends on:
Blocks:
 
Reported: 2021-11-15 10:36 UTC by Andrej Ebert
Modified: 2021-12-11 10:56 UTC

See Also:
bugzilla: maintainer-feedback? (joneum)
andrej: maintainer-feedback+


Attachments
git diff (158.86 KB, patch)
2021-11-15 10:36 UTC, Andrej Ebert
poudriere-build log (37.84 KB, text/plain)
2021-11-15 10:39 UTC, Andrej Ebert
poudriere-portlint log (90 bytes, text/plain)
2021-11-15 10:39 UTC, Andrej Ebert

Description Andrej Ebert 2021-11-15 10:36:50 UTC
Created attachment 229506
git diff

Update to 4.5.0

I also added a patch to suppress the file integrity warning caused by the shebangfix to misc/log-analytics/import_logs.py and changed the pkg-message (change to the recommended apache config + upgrade message)

Major Changes:

## Matomo 4.4.0

### Breaking Changes

* The `logme` method for [automatic logins](https://matomo.org/faq/how-to/faq_30/) is now disabled by default for new installations. For existing installations it will be enabled automatically on update. If you do not need it please consider disabling it again for security reasons by setting `login_allow_logme = 0` in `General` section of `config.ini.php`.
* The redirect using the `url` param for the automatic login action `logme`, will no longer do redirects to untrusted hosts. If you need to do redirects to other URLs on purpose, please add the according hosts as `trusted_hosts` entry in `config.ini.php`

### New config.ini.php settings

* When determining the client IP address from proxy headers like X-Forwarded-For, Matomo will by default look at the first IP in the list. If you need to read the last IP instead, the new INI config option `[General] proxy_ip_read_last_in_list` can be set to `1`. Using the last IP can be more secure when you are using proxy headers in combination with a load balancer.
* Matomo logs can now be written into "errorlog" (logs using the error_log() php function) and "syslog" (logs to the syslog service) (to complement existing log writers: "screen", "file", "database"). [Learn more.](https://matomo.org/faq/troubleshooting/faq_115/)

### New commands

* Added new command `core:version` which returns the Matomo version number.

## Matomo 4.3.1

### New commands

* Added new command `core:create-security-files` which creates some web server security files if they haven't existed previously (useful when using for example Apache or IIS web server).

## Matomo 4.3.0

### JavaScript Tracker

#### Breaking changes in Matomo JS tracker

* Previously, the JS tracker method `enableLinkTracking` did not follow DOM changes. From this version, when the DOM updates, Matomo automatically adds event listeners for new links on the page. This makes it easier to track clicks on links in SPAs. From this version, if we use the `addListener` method to add an event listener manually after the DOM has changed and `enableLinkTracking` is turned on, we will track the click event for that element twice.

### Breaking Changes

* Previously, every JS error was tracked. From this version, the same JS error will be tracked only once per page view. If the very same error is happening multiple times, then it will be tracked only once within the same page view. If another page view is tracked or when the page reloads, then the error will be tracked again.
* It's no longer possible to store any class instances directly in the session object. Please use arrays or plain data instead.

### Upcoming Breaking Changes

* In Matomo 4.3.0 we have added a 'passwordConfirmation' parameter to the CorePluginsAdmin.setSystemSettings API method. It is currently optional, but will become mandatory in version 4.4.0. Plugin developers and users of the API should make sure to update their plugins and apps before this happens.

### New config.ini.php settings

* The `password_hash_algorithm`, `password_hash_argon2_threads`, `password_hash_argon2_memory_cost` and `password_hash_argon2_time_cost` INI config options have been added to allow using specific `password_hash` algorithms and options if desired.
* The `enable_php_profiler` INI config option was added. This must now be set to 1 before profiling is allowed in Matomo.
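The 4.4.0 note on `proxy_ip_read_last_in_list` can be seen in a small model, added here as an example that is not part of the bug report or of Matomo's code. It assumes a single load balancer that appends the peer address to whatever `X-Forwarded-For` value the client sent; the function names and the documentation-range addresses are constructed.

```python
import ipaddress

def lb_append(incoming_xff, peer_ip):
    """Appending proxy: keep the header the client sent, add the peer address."""
    return f"{incoming_xff}, {peer_ip}" if incoming_xff else peer_ip

def pick_client_ip(xff, read_last_in_list=False):
    """Model of the two documented choices: first entry (default) or last entry.

    Entries that are not IP literals are skipped; that filtering is this
    example's assumption, not documented Matomo behaviour.
    """
    ips = []
    for part in xff.split(","):
        try:
            ips.append(str(ipaddress.ip_address(part.strip())))
        except ValueError:
            continue
    if not ips:
        return None
    return ips[-1] if read_last_in_list else ips[0]

# Constructed requests: (label, X-Forwarded-For sent by the client, real peer IP)
REQUESTS = [
    ("plain client", "", "198.51.100.23"),
    ("client sends its own header", "192.0.2.10", "198.51.100.23"),
]

def compare():
    """Return (label, header seen by the application, first-entry pick, last-entry pick)."""
    rows = []
    for label, sent, peer in REQUESTS:
        header = lb_append(sent, peer)
        rows.append((label, header, pick_client_ip(header), pick_client_ip(header, True)))
    return rows

if __name__ == "__main__":
    for row in compare():
        print(row)
```

In the second row the first entry is whatever the client supplied, while the last entry is the address the load balancer observed. With more than one appending proxy in front of Matomo, the last entry is the nearest proxy's peer rather than the visitor.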
Comment 1 Andrej Ebert 2021-11-15 10:39:30 UTC
Created attachment 229507
poudriere-build log
Comment 2 Andrej Ebert 2021-11-15 10:39:47 UTC
Created attachment 229508
poudriere-portlint log
Comment 3 Andrej Ebert 2021-11-15 10:58:07 UTC
Forgot to mention I upgraded to the new version from the submitted port without any problems whatsoever.
Comment 4 Andrej Ebert 2021-11-15 11:51:12 UTC
I'll also take maintainership, if it helps.
Comment 5 Andrej Ebert 2021-11-29 21:21:28 UTC
It seems I cannot remove my falsely addressed (to myself) maintainer-feedback request, can someone do that for me?
Comment 6 Matthias Fechner freebsd_committer 2021-12-11 10:54:52 UTC
Dear Andrej,

thanks a lot for this update, I will commit it.
Could you please prepare an upgrade to newest version 4.6.2 as this also fixes some open security vulnerabilities?
Assign it to me, so we can quickly fix the security problems.

I'm sure that @joneum is fine that we commit security related updates without his approval if we do not break the port.
Comment 7 commit-hook freebsd_committer 2021-12-11 10:55:41 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=190142ee2954b30d3c525ddd00c2223fe72bdc45

commit 190142ee2954b30d3c525ddd00c2223fe72bdc45
Author:     Andrej Ebert <andrej@ebert.su>
AuthorDate: 2021-12-11 10:44:42 +0000
Commit:     Matthias Fechner <mfechner@FreeBSD.org>
CommitDate: 2021-12-11 10:44:42 +0000

    www/matomo: update to 4.5.0

    I also added a patch to suppress the file integrity warning caused by the shebangfix to misc/log-analytics/import_logs.py and changed the pkg-message (change to the recommended apache config + upgrade message)

    Changelog:
    https://matomo.org/changelog

    Major Changes:

    * The `logme` method for [automatic logins](https://matomo.org/faq/how-to/faq_30/) is now disabled by default for new installations. For existing installations it will be enabled automatically on update. If you do not need it please consider disabling it again for security reasons by setting `login_allow_logme = 0` in `General` section of `config.ini.php`.
    * The redirect using the `url` param for the automatic login action `logme`, will no longer do redirects to untrusted hosts. If you need to do redirects to other URLs on purpose, please add the according hosts as `trusted_hosts` entry in `config.ini.php`

    * When determining the client IP address from proxy headers like X-Forwarded-For, Matomo will by default look at the first IP in the list. If you need to read the last IP instead, the new INI config option `[General] proxy_ip_read_last_in_list` can be set to `1`. Using the last IP can be more secure when you are using proxy headers in combination with a load balancer.
    * Matomo logs can now be written into "errorlog" (logs using the error_log() php function) and "syslog" (logs to the syslog service) (to complement existing log writers: "screen", "file", "database"). [Learn more.](https://matomo.org/faq/troubleshooting/faq_115/)

    * Added new command `core:version` which returns the Matomo version number.

    * Added new command `core:create-security-files` which creates some web server security files if they haven't existed previously (useful when using for example Apache or IIS web server).

    * Previously, the JS tracker method `enableLinkTracking` did not follow DOM changes. From this version, when the DOM updates, Matomo automatically adds event listeners for new links on the page. This makes it easier to track clicks on links in SPAs. From this version, if we use the `addListener` method to add an event listener manually after the DOM has changed and `enableLinkTracking` is turned on, we will track the click event for that element twice.

    * Previously, every JS error was tracked. From this version, the same JS error will be tracked only once per page view. If the very same error is happening multiple times, then it will be tracked only once within the same page view. If another page view is tracked or when the page reloads, then the error will be tracked again.
    * It's no longer possible to store any class instances directly in the session object. Please use arrays or plain data instead.

    * In Matomo 4.3.0 we have added a 'passwordConfirmation' parameter to the CorePluginsAdmin.setSystemSettings API method. It is currently optional, but will become mandatory in version 4.4.0. Plugin developers and users of the API should make sure to update their plugins and apps before this happens.

    * The `password_hash_algorithm`, `password_hash_argon2_threads`, `password_hash_argon2_memory_cost` and `password_hash_argon2_time_cost` INI config options have been added to allow using specific `password_hash` algorithms and options if desired.
    * The `enable_php_profiler` INI config option was added. This must now be set to 1 before profiling is allowed in Matomo.

    PR:             259850
    Approved by:    maintainer timeout

 www/matomo/Makefile             |   3 +-
 www/matomo/distinfo             |   6 +-
 www/matomo/files/pkg-message.in |  29 +-
 www/matomo/pkg-plist            | 995 +++++++++++++++++++++++++++++++++++++---
 4 files changed, 961 insertions(+), 72 deletions(-)
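A post-upgrade check for the security-relevant settings named in the commit message, added here as an example that is not part of the port or of Matomo. The sample file is constructed, the `[Debug]` placement of `enable_php_profiler` is an assumption (the lookup searches every section), and `parse_matomo_ini` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample of a config.ini.php as it might look after the update.
SAMPLE_CONFIG = """; <?php exit; ?> DO NOT REMOVE THIS LINE
[General]
login_allow_logme = 1
trusted_hosts[] = "stats.example.org"
trusted_hosts[] = "sso.example.org"
proxy_ip_read_last_in_list = 0
[Debug]
enable_php_profiler = 1
"""

def parse_matomo_ini(text):
    """Minimal INI reader that keeps repeated `key[] = value` entries as lists."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment (includes the PHP guard line)
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        value = value.strip('"')
        if key.endswith("[]"):
            current.setdefault(key[:-2], []).append(value)
        else:
            current[key] = value
    return sections

def audit(sections):
    """Return {setting: note} for settings the changelog asks admins to review."""
    general = sections.get("General", {})
    notes = {}
    if general.get("login_allow_logme") == "1":
        hosts = ", ".join(general.get("trusted_hosts", [])) or "none listed"
        notes["login_allow_logme"] = ("logme automatic login is enabled; set to 0 if "
                                      "unused. trusted_hosts: " + hosts)
    if general.get("proxy_ip_read_last_in_list", "0") != "1":
        notes["proxy_ip_read_last_in_list"] = ("first X-Forwarded-For entry is used; "
                                               "review if behind a load balancer")
    if any(s.get("enable_php_profiler") == "1" for s in sections.values()):
        notes["enable_php_profiler"] = "profiling is allowed; set to 0 when not profiling"
    return notes
```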
Comment 8 Matthias Fechner freebsd_committer 2021-12-11 10:56:31 UTC
Committed, thanks.