Package: release.debian.org Severity: normal User: [email protected] Usertags: unblock
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Please unblock package matrix-synapse This upload fixes these issues: * #923573: when installing synapse with sysvinit and a strict umask, the signing key will be generated with owner/mode making it inaccessible for the system user synapse runs as. The change is to squash owner/mode to the expected values. * #923574: No longer enable webclient by default, since it’s been recently removed, to eliminate a warning. * #923586: Print a warning when the configuration file setting the server name is missing. Previously, the init script would just exit with no diagnostic, leaving the users puzzled. Also, this upload updates NEWS with an important detail regarding upcoming removal of self-signed certificates support, and slightly changes formatting in the init script. Please see the attached diff for more details. unblock matrix-synapse/0.99.2-2 - -- Cheers, Andrej -----BEGIN PGP SIGNATURE----- iQFIBAEBCAAyFiEEeuS9ZL8A0js0NGiOXkCM2RzYOdIFAlyNHrkUHGFuZHJld3No QGRlYmlhbi5vcmcACgkQXkCM2RzYOdJ4Lwf+MzBtXH8b9pfpDVZYL9CZIRbfhmQH 1B8jMSs/ndZnRztTkS3r6S/1tx/Nagof04yQNJqirMx8ctC2Lt0H0GqGtMVO3Ror uiK+wZmYUJ6oCaOdh4uaChEnfaXSDnn9nQx6PNMJtljmZgDSA+lA/ziaCuFo6XIK WKBF2gTDaSKGYfKbu95NeuFSwY2KOKzUNZx0Vul9Ly/2djX3IcC1Em95xEuHl3mu du3PdiL7bbcPjcO4/svUi1UgqotLTYsOn8sYo7kLMyC1VIH3mBjv+aluVpF5KFp6 Ncf2EmeKGsZAsW4Y8ZCKUZpWbMw1iUUyT5T3vFBaWT2qGikbAfZBFR6+mQ== =zA57 -----END PGP SIGNATURE-----
diff --git a/debian/NEWS b/debian/NEWS index a7621ab..1239f31 100644 --- a/debian/NEWS +++ b/debian/NEWS @@ -14,6 +14,11 @@ matrix-synapse (0.99.0-1) unstable; urgency=medium in Debian packages, which means that you need to set it up manually for now. + Please note that if your homeserver runs under a different domain + name than your server name, you will need to configure the .well-known + resource; just having an SRV record will not be enough to federate + with Synapse 1.0 servers. + See /usr/share/doc/matrix-synapse/misc/MSC1711_certificates_FAQ.md.gz for more details. diff --git a/debian/changelog b/debian/changelog index 151dbb6..86912b6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +matrix-synapse (0.99.2-2) unstable; urgency=medium + + * Make sure the key file is owned by the user running synapse + (Closes: #923573). + * No longer enable webclient by default (Closes: #923574). + * Print a warning when the server name has not been set (Closes: #923586). + * Update NEWS with a note on .well-known vs SRV. + + -- Andrej Shadura <[email protected]> Sat, 16 Mar 2019 16:48:56 +0100 + matrix-synapse (0.99.2-1) unstable; urgency=medium * New upstream release. diff --git a/debian/homeserver.yaml b/debian/homeserver.yaml index 68f749f..53df7a7 100644 --- a/debian/homeserver.yaml +++ b/debian/homeserver.yaml @@ -139,7 +139,6 @@ listeners: # List of resources to host on this listener. names: - client # The client-server APIs, both v1 and v2 - - webclient # The bundled webclient. # Should synapse compress HTTP responses to clients that support it? # This should be disabled if running synapse behind a load balancer @@ -170,7 +169,7 @@ listeners: x_forwarded: false resources: - - names: [client, webclient] + - names: [client] compress: true - names: [federation] compress: false diff --git a/debian/matrix-synapse.init b/debian/matrix-synapse.init index d537d8d..f6c1869 100755 --- a/debian/matrix-synapse.init +++ b/debian/matrix-synapse.init 
@@ -52,23 +52,31 @@ get_config_key() do_start() { # Fail silently if CONFIGFILE_SERVERNAME doesn't exist - [ -f $CONFIGFILE_SERVERNAME ] || return 0 + if [ ! -f $CONFIGFILE_SERVERNAME ] + then + log_warning_msg "$CONFIGFILE_SERVERNAME not found, not starting synapse." + return 0 + fi + KEYFILE=$(get_config_key signing_key_path) # Running --generate-config to create keys if any are absent. # Doesn't matter if not $PYTHON -m "synapse.app.homeserver" $CONFIGS --generate-keys || return 2 + # Make sure the key file is owned by the user running synapse + chown $USER:nogroup $KEYFILE + chmod 0600 $KEYFILE # Return # 0 if daemon has been started # 1 if daemon was already running # 2 if daemon could not be started - PIDFILE=`get_config_key "pid_file"` + PIDFILE=$(get_config_key pid_file) RETVAL=$? if [ "$RETVAL" != 0 ]; then return $RETVAL fi if [ -r "$PIDFILE" ]; then - kill -0 `cat $PIDFILE` && return 1 + kill -0 $(cat $PIDFILE) && return 1 fi export PYTHONPATH @@ -95,7 +103,7 @@ do_stop() # 1 if daemon was already stopped # 2 if daemon could not be stopped # other if a failure occurred - PIDFILE=`get_config_key "pid_file"` + PIDFILE=$(get_config_key pid_file) RETVAL=$? if [ "$RETVAL" != 0 ]; then return $RETVAL @@ -140,11 +148,11 @@ case "$1" in esac ;; status) - PIDFILE=`get_config_key "pid_file"` - RETVAL=$? - if [ "$RETVAL" != 0 ]; then - return $RETVAL - fi + PIDFILE=$(get_config_key pid_file) + RETVAL=$? + if [ "$RETVAL" != 0 ]; then + return $RETVAL + fi status_of_proc -p "$PIDFILE" "$PYTHON" "$NAME" && exit 0 || exit $? ;; #reload|force-reload) @@ -185,4 +193,4 @@ case "$1" in ;; esac -: +: vi:noet:ts=8
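Review bot: The new `chown $USER:nogroup $KEYFILE` and `chmod 0600 $KEYFILE` in do_start act on a config-derived path that is never validated: the status of `get_config_key signing_key_path` is ignored (unlike the `pid_file` lookup just below), both expansions are unquoted, and neither command's result is tested. An empty or whitespace-containing path therefore leaves the signing key with the wrong owner or mode while startup carries on, which is the failure #923573 set out to fix. I would write `KEYFILE=$(get_config_key signing_key_path) || return 2` and then `chown "$USER:nogroup" "$KEYFILE" && chmod 0600 "$KEYFILE" || return 2`. Because an init script presumably runs this as root, it is also worth confirming the path is a regular file and not a symlink (`[ -f "$KEYFILE" ] && [ ! -L "$KEYFILE" ]`) before changing ownership; `$USER` is assumed to be set earlier in the script, outside this hunk. The retained comment `# Fail silently if CONFIGFILE_SERVERNAME doesn't exist` no longer matches the code now that a warning is logged, and do_start continues past the end of the hunk.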
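Review bot: The re-indented `return $RETVAL` in the `status)` arm appears to sit in the top-level `case "$1"` dispatch rather than inside a function, where `return` is not well defined. Some shells treat it as an exit, while others report an error and fall through to `status_of_proc` with an empty `$PIDFILE`, so a config lookup failure can be reported as a misleading service status. Since the commit already touches these lines, `[ "$RETVAL" != 0 ] && exit "$RETVAL"` would make the failure path explicit and match the `exit` calls on the next line. The case statement starts and ends outside the hunk, so confirm it is not wrapped in a function before changing it.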

