Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package
Like last time, where this caused no complaints.
Add PKG_DESTDIR_SUPPORT;
Add LICENSE
`$Cambridge: hermes/src/prayer/docs/DONE,v 1.66 2011/06/27 13:39:56 dpc22 Exp $
27/06/2010
==========
Release: Prayer 1.3.4
22/06/2011
==========
draft.c fixes:
Fold long lines of addresses before the entry which reaches 78 characters
when possible, rather than after the first entry which crosses that
boundary. Long standing bug bear of mine but several support functions
needed to be rewritten to use scratch string in place of output buffer.
Long subject lines which are not RFC1522 encoded need to be folded.
separately. Reported by Andrey N. Oktyabrski <ano@bestmx.ru>.
RFC1522 is not allowed to fold lines in the middle of a UTF-8 multibyte
character. Reported by Andrey N. Oktyabrski <ano@bestmx.ru>.
Tidy library:
Add support for tidyp fork of (apparently abandoned) tidy library.
Fix cross site scripting problem:
MSIE and Chrome think that <!---> is a complete comment. Allows people to
hide scripts inside <!---><script>...<!--->. Strip all comments (which is
something that the old sanitiser had been doing already)
Sieve blocks should check "From: " address in body as well as
envelope sender address. Check "Sender: " as well for completeness.
Linux needs IPPROTO_IPV6 to bind to '0.0.0.0' and '::'
01/11/2010
==========
Mike Brudenell <mike.brudenell@york.ac.uk> reported problem with RFC
2183/RFC 2231 quoting with vey long filenames, or filenames with strange
characters from ASCII range.
20/07/2010
==========
Release: Prayer 1.3.3
08/07/2010
==========
Better handling of complex multipart messages:
Rather than just displaying the first text/plain or text/html that we can
find in the top, (leaving people to access sections for the other parts),
display the entire tree: multipart/alternative are handled as before, but
with other multipart messages, recurse into the subtrees and repeat. Given:
1 (Nested multipart)
1.1 text/html
1.2 text/plain
2 text/plain
we display sections 1.1 and 2. Previously we would display section 2,
which is a bit of a disaster if section (1) was the original message and
a listserver has helpfully tagged on a message footer as a separate bodypart
Combine os_*.c back into a single file (which is where I started off
many years back). Eliminates lots of repeated code.
07/07/2010
==========
Bugs
====
os_bind_inet_socket(unsigned long port, char *interface)
If interface resolves to multiple IP addresses then only binds to the
first. Should really walk along ai->ai_next and bind to each IP address
in turn. Unfortuanetly this means that os_bind_inet_socket() needs to
return an array of sockfds rather than a single int. Parent routines
probably aren't going to play ball either.
Most likely cause will be a hostname which generates both IPv4 and IPv6
addresses. Unfortanately it is a probably that we are going to have
to solve eventually.
05/07/2010
==========
Fix XSS problems reported by:
Jacob H. Hilton <jhh40@cam.ac.uk>
Dr Andrew C Aitchison <A.C.Aitchison@dpmms.cam.ac.uk>
Rather than trying to spot dangerous tags by simple substring matching in C,
I now feed the html through Tidy library (http://tidy.sourceforge.net/),
and then prune unwanted nodes from the parse tree before setting it to
the pretty printer. The only problem is that the Tidy library doesn't
provide any public API for manipulating the parse tree (although it does
provide a public API for walking the tree!?), so I had to dig around to
find the private functions required to remove and manipulate nodes.
Javascript embedded into CSS is also a problem: I need to strip off CSS
character entities before looking for dangerous expressions. The final
part is still a simple string match: I hope that I don't end up having to
generate parse trees for CSS as well as the HTML.
Now passes full test suite at:
https://secure.grepular.com/email_privacy_tester/
Better vacation screen
Subject line
Phrasing
Coping with multiple logins as single user from single browser:
SessionID stored in HTTP Cookie: second login blats first
Can store SessionID in URL (Prayer does this if no cookies available)
Not secure: leaks in HTTP "Referrer" header with links from HTML email.
Solution: Use HTTP Cookie keyed by PID of login session.
Smaller cleanups:
Improve gap between words in spell check (Cambridge house style)
Remove extra blank lines after postpone, restore cycle.
- security fixes
- various bug fixes and small improvements
- new XHTML strict template tree
- add UTF-8 support
- add IPv6 support
- add Raven single sign-on authentication
the owner of all installed files is a non-root user. This change
affects most packages that require special users or groups by making
them use the specified unprivileged user and group instead.
(1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to
unprivileged.mk. These two variables are lists of other bmake
variables that define package-specific users and groups. Packages
that have user-settable variables for users and groups, e.g. apache
and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP},
etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS
so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER}
and ${UNPRIVILEGED_GROUP}.
(2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS.
Fix build problem with db4 following a hint by obache@
04/09/2006
==========
Release: Prayer 1.0.18
Important Security fix:
os_connect_unix() had a strcpy() which should have been strncpy() to
prevent buffer overrun. Prayer 1.0.17 was mostly safe.
By 28/06/2006
=============
Release: Prayer 1.0.17
Fix small foulup wuth gethostbyname() calculations when binding Prayer
to specific interfaces.
Cleanups to stop char vs unsigned char warnings with latest c-client.
Make sure that all internal draft messages consistently use CRLF.
Security audit for Prayer frontend following attack:
Optional Chroot environment (See chroot options in config file).
Stripped out debugging code.
04/11/2005
==========
Fix small foulups with abook_lookup:
Couldn't add last address to existing draft.
Block LDAP metacharacters from search.
By 13/06/2005
=============
Release: Prayer 1.0.16
Fix silly bug when replying to multipart messages where the main message
and the text/plain subpart have different encoding (missing mail_body
call).
Add a limit_vm backstop to stop single runaway process from taking
over the system.
By 10/06/2005
=============
Release: Prayer 1.0.15 (1.0.13 and 14 internal releases only).
list screen doesn't set "current" message to middle of range. Means that
switching between various sort modes works more consistently.
Go fishing for text/plain or failing that text/html bodypart within top
level of multipart/mixed or multipart/alternate message when replying to a
message. Behaviour should now be consistent with cmd_forward and
cmd_display.
Include LDAP and local finger database lookups (latter for Cambridge use only)
Addressbook screen:
Addressbook sort (can be set on Manage => Preferences => Display)
Addressbook bulk removal
Import and Export CSV (Outlook) format address screen
Spellcheck:
Support native aspell as well as ispell, aspell in ispell compatibility mode.
Means that Quoted text is not checked if the following is set:
Manage => Preferences => Extra Compose =>
Skip quoted text on spell check
By 09/08/2005
=============
Spam whitelist
Test the Referer header on login. Two independant prayer.cf options:
referer_block_invalid and referer_log_invalid
Test the Referer: header before performing a /redirect/ action in
order to protect against URL redirector abuse
Doesn't work with "Save Target As". Remove entirely
Confirm on expunge.
Cleanup up account_message error reporting so consistent.
Fix format=flowed quoting problems.
Fix memory leak in mailbox download (2 x size of mail folder) until
next transfer or idle shutdown.
25/01/2005
==========
line_wrap_on_send preference not used by draft_init().
Fixed problems with multipart/alternate display and forwarding
around at either build-time or at run-time is:
USE_TOOLS+= perl # build-time
USE_TOOLS+= perl:run # run-time
Also remove some places where perl5/buildlink3.mk was being included
by a package Makefile, but all that the package wanted was the Perl
executable.
And always is defined as share/examples/rc.d
which was the default before.
This rc.d scripts are not automatically added to PLISTs now also.
So add to each corresponding PLIST as required.
This was discussed on tech-pkg in late January and late April.
Todo: remove the RCD_SCRIPTS_EXAMPLEDIR uses in MESSAGES and elsewhere
and remove the RCD_SCRIPTS_EXAMPLEDIR itself.
* Apparently "mutex" is already claimed by a system header on Solaris.
* File locking on Linux (probably other operating systems) is pretty
dumb when lots of processes are trying to lock a single file
for serialisation: all of the processes are woken each time
that the file is unlocked. Most of the process will simply loop
inside the kernel and attempt to lock again. Presumably this
approach makes nonblocking locks and EINTR easier to do, but
it does mean that you can get occasional load average spikes.
Add MUTEX_SEMAPHORE to implement System V semaphore based lock,
which does not have this problem in Linux. Warning: System V
semaphores are a finite resource, and they are not released
automatically. See: prayer-sem-prune.
* Quotas now reported in MBytes rather than KBytes.
* Add download links for text/html and text/plain attachments
* Fix bug with body->type TYPEMESSAGE: c-client API very poorly
documented :(
* Strip out common HTML entity encodings that might be used in
HREFs with text/html attachments.
* Fix mydb_db3.c to work with DB4.
* Integrate into Tony's funky packaging system for Hermes and PPSW.
* Add interface to automatic spam folder pruning utility that I
wrote for Cyrus (controlled through special Sieve files).
* Fix uploads where mailboxes contain NUL characters (translate to
space?)
* Assorted minor bugfixes
* Fix nasty /redirect bug that I managed to introduce by switching
from url_encode to canon_encode to work around bug in Opera.
Missing a url_encode: infinite loop from dumb UAs :(. Otherwise
identical to 1.0.9.
* Few minor bug fixes, covered in CVS history.
pkgsrc changes:
* Rename the source rc.d script in the default RCD_SCRIPTS style.
* Respect ${VARBASE}.
* Avoid the DB_VERB_CHKPOINT flag with latest db4 (where it's been removed).
* Patch from jdc@ for 64-bit big-endian hosts.
XXX rc.d script doesn't stop all the prayer slaves
under share/examples/rc.d. The variable name already was named
RCD_SCRIPTS_EXAMPLEDIR.
This is from ideas from Greg Woods and others.
Also bumped PKGREVISION for all packages using RCD_SCRIPTS mechanism
(as requested by wiz).
in the process. (More information on tech-pkg.)
Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.
Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.
the RCD_SCRIPTS rc.d script(s) to the PLIST.
This GENERATE_PLIST idea is part of Greg A. Woods'
PR #22954.
This helps when the RC_SCRIPTS are installed to
a different ${RCD_SCRIPTS_EXAMPLEDIR}. (Later,
the default RCD_SCRIPTS_EXAMPLEDIR will be changed
to be more clear that they are the examples.)
These patches also remove the etc/rc.d/ scripts from PLISTs
(of packages that use RCD_SCRIPTS). (This also removes
now unused references from openssh* makefiles. Note that
qmail package has not been changed yet.)
I have been doing automatic PLIST registration for RC_SCRIPTS
for over a year. Not all of these packages have been tested,
but many have been tested and used.
Somethings maybe to do:
- a few packages still manually install the rc.d scripts to
hard-coded etc/rc.d. These need to be fixed.
- maybe remove from mk/${OPSYS}.pkg.dist mtree specifications too.
Creates user and group now.
"make reinstall" works again.
No change of ownership of /usr/pkg/sbin anymore.
New RCD script (needs work on non-NetBSD platforms regarding "ps" command
options).
Bump revision.
