Commit Graph

371 Commits

Author SHA1 Message Date
Tim Abbott a9cb0bcba6 Release Zulip Server 8.0-beta1. 2023-11-16 16:59:47 -08:00
Tim Abbott 43e9bbe31c docs: Update changelog to cover changes staged for 8.0. 2023-11-16 14:58:23 -08:00
Alex Vandiver 9ba5fe2805 Update version and changelog after 7.5 release. 2023-11-16 18:58:45 +00:00
Alya Abbott 681097fd43 docs: Update server roadmap documentation. 2023-11-15 12:46:10 -08:00
Tim Abbott ffaa8b9ced changelog: Simplify mobile push notification service links. 2023-11-14 17:16:31 -08:00
Anders Kaseorg 4cb2eded68 typos: Fix typos caught by typos.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-10-09 11:55:16 -07:00
Anders Kaseorg 7b4a74cc4d codespell: Fix typos caught by codespell.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-10-09 11:55:15 -07:00
Tim Abbott 1db00be871 docs: Update changelog to cover changes already staged for 8.0. 2023-10-06 10:56:59 -07:00
Tim Abbott a4e0abb216 version: Update version and changelog after 7.4 release. 2023-09-15 18:04:42 -07:00
Anders Kaseorg 48a3588cdb docs: Fix typos caught by ‘typos’.
https://github.com/crate-ci/typos

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-09-06 18:59:05 -07:00
Alex Vandiver 5ca15a36ba version: Update version and changelog after 7.3 release. 2023-08-25 18:21:10 +00:00
Greg Price bb6fe0385e docs: Consistently say "18 months" on compatibility, no specific version numbers.
Previously I've wanted to have this page spell out the concrete
version number that our clients support, rather than the policy we
use for determining that version number, because that's the sort of
question that I feel like as a user I'd want a straight answer to
and would be annoyed if I couldn't get one.

But as the text stands, it's come to look more like it's the policy
(something that's heavyweight to change) than like the value that
the policy currently happens to work out to.  Also, because this page
is kind of chaotically organized (and fixing that is a bigger yak
than I want to shave right now), it repeats the 18-month rule in
three separate places and the current value (version 4.0) is in
a fourth separate place, so it looks internally inconsistent.

Let's therefore take a different tack: like in those other three
spots on this page, state just the policy instead of the value it
currently works out to; but also add a link to help the reader
pin down for themselves what value that does work out to.

This also means we no longer need to update this page as old releases
age and that value advances.

Also fix a typo, and cut the reference to working degraded on
older releases.  Starting earlier this year we finally started
hard-refusing such connections:
  https://github.com/zulip/zulip-mobile/issues/5102
  https://github.com/zulip/zulip-mobile/pull/5633
(which was because there were some swathes of compatibility code
that we could only cut if we completely broke the handling of
ancient servers, and so we preferred to have the app communicate
that break clearly up front.)
2023-08-22 11:29:19 -07:00
Alex Vandiver 9bd340957f changelog: Retitle sections, to allow section anchors. 2023-07-06 16:16:11 -07:00
Alex Vandiver 76b767b154 version: Update version and changelog after 7.2 release. 2023-07-05 20:27:54 +00:00
David Rosa 513eb510aa docs: Rename "private message" -> "direct message".
- Updates instances of "private message", "PM", and "private_message",
  excluding historical references in `overview/changelog.md`.
- Also excludes `/docs/translating` since we would need new
  translations for "direct messages" and "DMs".
2023-06-23 14:36:16 -07:00
Alex Vandiver d46279c41e docs: Clarify that trust of X-Fowarded-Proto is also necessary.
Previously, `X-Forwarded-Proto` did not need to be set, and failure to
set `loadbalancer.ips` would merely result in bad IP-address
rate-limiting and incorrect access logs; after 0935d388f0, however,
failure to do either of those, if Zulip is deployed with `http_only`,
will lead to infinite redirect loops after login.  These are
accompanied by a misleading error, from Tornado, of:

    Forbidden (Origin checking failed - https://zulip.example.com does not match any trusted origins.): /json/events

This is most common with Docker deployments, where deployments use
another docker container, such as nginx or Traefik, to do SSL
termination.  See zulip/docker-zulip#403.

Update the documentation to reinforce that `loadbalancer.ips` also
controls trust of `X-Forwarded-Proto`, and that failure to set it will
cause the application to not function correctly.
2023-06-23 10:47:14 -07:00
Alex Vandiver e222b53d8a version: Update version and changelog after 7.1 release. 2023-06-13 18:17:04 +00:00
Anders Kaseorg 639efc5ce1 docs: Update Transifex URLs.
https://help.transifex.com/en/articles/7171815-web-application-s-domain-change

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-06-12 17:38:41 -07:00
Alya Abbott 052a109ba4 docs: Improve instructions for reporting bugs.
- Create a dedicated "Reporting bugs" page to learly document
where and how bugs should be reported.
- Drop "Reporting issues" section from the Contributing guide.
- Delete "Bug report guidelines" page.
2023-06-12 14:31:45 -07:00
Tim Abbott 0a7d3d3fe2 Update version following 7.0 release. 2023-05-31 13:04:44 -07:00
Tim Abbott b00ce1bad1 Release Zulip Server 7.0. 2023-05-31 08:48:02 -07:00
Anders Kaseorg e3e2691124 Update version following 7.0-beta3 release.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-05-29 17:14:15 -07:00
Tim Abbott 1af16642d9 Release Zulip Server 7.0-beta3. 2023-05-29 16:35:59 -07:00
Tim Abbott 5f7727888c docs: Fix changelog link to preferred markdown style. 2023-05-29 16:35:19 -07:00
Tim Abbott 00accdc86b docs: Update changelog for changes since 7.0-beta2. 2023-05-29 16:27:29 -07:00
Tim Abbott e26f9180c1 docs: Remove a duplicate changelog line.
This same line appears near the end of the 7.0 list.
2023-05-29 12:25:47 -07:00
Alex Vandiver e6b1384a05 version: Update version and changelog after 6.2 release. 2023-05-19 16:58:55 -04:00
Alex Vandiver 0117d751c2 docs: Explain Zulip Cloud branch in release lifecycle docs.
Partial fix for #25482.
2023-05-15 14:44:11 -07:00
Tim Abbott 3cc3fbc0c3 docs: Update changelog for changes since 7.0-beta1. 2023-05-10 17:26:02 -07:00
Alex Vandiver e5ae55637e install: Remove PostgreSQL 11 support.
Django 4.2 removes this support, so Zulip has not installed with
PostgreSQL 11 since 2c20028aa4.
2023-05-05 13:35:32 -07:00
Tim Abbott 18d8fbc74b docs: Update changelog since 6.0 release. 2023-05-02 17:45:07 -07:00
Karl Stolley 7f06baf360 docs: Polish usage assumptions copy. 2023-05-01 16:37:27 -07:00
Tim Abbott 3f199d570d docs: Update changelog to cover changes already staged for 7.0. 2023-04-02 23:28:10 -07:00
Alex Vandiver 164d58bec9 web: Save a 301 redirect from /help to /help/. 2023-03-24 14:51:01 -07:00
Alex Vandiver 14d19c00d7 web: Save a 301 redirect from /features to /features/. 2023-03-24 14:51:01 -07:00
Alex Vandiver d9daeb13e0 web: Save a needless 301 redirect from /apps to /apps/. 2023-03-24 14:51:01 -07:00
Alex Vandiver a1570ff3dd web: Save a needless 301 redirect from /integrations to /integrations/. 2023-03-24 14:51:01 -07:00
Anders Kaseorg 3a27b12a7d dependencies: Switch to pnpm.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-03-20 15:48:29 -07:00
Chris Bobbe 2a6c423d35 docs: Update mobile/desktop apps' compatability threshold to 4.0, from 3.0
Zulip Server 4.0 is now 22 months old, which is more than 18 months.
Per the general policy in the "Client apps" section below, that
means it's time to drop support for older versions.

We released 5.0 near the end of 2022-03, so near the end of 2023-09
we can update this further to say 5.0.
2023-03-13 22:08:20 -07:00
Anders Kaseorg 43b4f10578 run-dev: Drop .py from script name.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-03-03 18:02:37 -08:00
Anders Kaseorg 377b8b22c0 puppeteer_tests: Move to web/e2e-tests.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-02-23 16:04:17 -08:00
Anders Kaseorg cea1119423 node_tests: Move to web/tests.
This lets us simplify the long-ish ‘../../static/js’ paths, and will
remove the need for the ‘zrequire’ wrapper.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-02-23 16:04:17 -08:00
Anders Kaseorg c1675913a2 web: Move web app to ‘web’ directory.
Ever since we started bundling the app with webpack, there’s been less
and less overlap between our ‘static’ directory (files belonging to
the frontend app) and Django’s interpretation of the ‘static’
directory (files served directly to the web).

Split the app out to its own ‘web’ directory outside of ‘static’, and
remove all the custom collectstatic --ignore rules.  This makes it
much clearer what’s actually being served to the web, and what’s being
bundled by webpack.  It also shrinks the release tarball by 3%.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-02-23 16:04:17 -08:00
Alessandro Toppi ff89590558 auth: Add JWT-based user API key fetch.
This adds a new endpoint /jwt/fetch_api_key that accepts a JWT and can
be used to fetch API keys for a certain user. The target realm is
inferred from the request and the user email is part of the JWT.

A JSON containing an user API key, delivery email and (optionally)
raw user profile data is returned in response.
The profile data in the response is optional and can be retrieved by
setting the POST param "include_profile" to "true" (default=false).

Co-authored-by: Mateusz Mandera <mateusz.mandera@zulip.com>
2023-02-03 15:23:35 -08:00
David Rosa 08e9686cd2 contributor docs: Rename "Upgrade or modify Zulip" -> "Upgrade Zulip".
Fixes part of #23984.
2023-01-27 12:41:56 -08:00
David Rosa af39a1a554 contributor docs: Migrate "Modify Zulip" to its own page.
Splits /production/upgrade-or-modify.md to improve the organization
of production documentation.

Fixes #23984.
2023-01-27 12:41:56 -08:00
Alex Vandiver 25c9fcdb4e changelog: Tweak wording to clarify impact to Safari. 2023-01-23 15:07:02 -05:00
Alex Vandiver d38b3ad09c changelog: Fix the link from `.html#` to `.md#`. 2023-01-23 18:58:26 +00:00
Alex Vandiver 4226026dbc version: Update version and changelog after 6.1 release. 2023-01-23 18:52:47 +00:00
Alex Vandiver e351df4095 changelog: Add entry for S3 nginx proxying. 2023-01-10 15:30:57 -08:00
Tim Abbott 88873138ac Update version following 6.0 release. 2022-11-17 16:42:36 -08:00
Tim Abbott f0e5f69c01 Release Zulip Server 6.0. 2022-11-17 11:44:45 -08:00
Tim Abbott d488ca42e6 docs: Update changelog with commits staged for 6.0. 2022-11-16 22:21:18 -08:00
Alex Vandiver c4e5ddd67f version: Update version and changelog after 5.7 release. 2022-11-16 16:03:05 +00:00
Tim Abbott 426c806a87 docs: Document docker-zulip postgres upgrade requirement.
Since this is a hard requirement for upgrading the Docker image, it's
worth highlighting here.
2022-11-04 15:19:57 -07:00
Tim Abbott b62450c7b3 docs: Update changelog for changes merged for 6.0. 2022-10-31 17:10:13 -07:00
Lauryn Menard 20282f8bdf changelog: Make references to "Recent topics" consistent.
Updates the current 6.0 release notes to include information about
the rename to "Recent conversations", and updates past references
to "recent topics" to be consistently formatted as "Recent topics".
2022-10-21 10:28:19 -07:00
Alya Abbott 2ff4143aa4 docs: Copy-edit changelog for clarity. 2022-10-12 22:37:33 -07:00
Tim Abbott 51f59e9c41 docs: Improve a few changelog descriptions. 2022-10-12 17:38:56 -07:00
Tim Abbott c4a527fedf docs: Update changelog with changes staged for 6.0. 2022-10-12 15:01:45 -07:00
Mateusz Mandera 16829bd84b auth: Fix up AzureAD Oauth2 docs and config.
This commit brings AzureAD config in line with other backends:
- SOCIAL_AUTH_AZUREAD_OAUTH2_SECRET gets fetched in computed_settings.py
  instead of default_settings, consistent with github/gitlab/etc.
- SOCIAL_AUTH_AZUREAD_OAUTH2_KEY gets fetched in default_settings via
  get_secret(..., development_only=True) like other social backends, to
  allow easier set up in dev environment, in the dev-secrets.conf file.
- The secret gets renamed from azure_oauth2_secret to
  social_auth_azuread_oauth2_secret to have a consistent naming scheme with
  other social backends and with the SOCIAL_AUTH_AZUREAD_OAUTH2_KEY
  name. This is backwards-incompatible.

The instructions for setting it up are updated to fit how this is
currently done in AzureAD.
2022-09-06 11:58:08 -07:00
David Rosa 5cac44be06 docs: Reorganize sections and pages about contributing to Zulip.
We should rearrange Zulip's developer docs to make it easier to
find the documentation that new contributors need.

Name changes
Rename "Code contribution guide" section -> "Contributing to Zulip".
Rename "Contributing to Zulip" page -> "Contributing guide".

Organizational changes to the newly-named "Contributing to Zulip":
Move up "Contributing to Zulip", as the third link in sidebar index.
Move up renamed "Contributing guide" page to the top of this section.
Move up "Zulip code of Conduct", as the second link of this section.
Move down "Licensing", as the last link of this section.
Move "Accessibility" just below "HTML and CSS" in Subsystems section.

Update all links according to the changes above.
Redirects should be added as needed.

Fixes: #22517.
2022-08-25 11:24:57 -07:00
Tim Abbott 5d3e4d3e56 version: Update version and changelog after 5.6 release. 2022-08-24 16:36:50 -07:00
Tim Abbott 5ae0b08b6c docs: Fix codespell linter error. 2022-07-30 10:10:07 -07:00
Tim Abbott 6682c2a427 docs: Update changelog with changes staged for 6.0.
We'll be merging a lot more features for the 6.0 release, but this
should cover everything merged since 5.0 and not backported to 5.x
and thus already released.
2022-07-30 09:57:55 -07:00
Matt Keller 9ce900f2b4 version: Update version after 5.5 release. 2022-07-21 19:30:30 -07:00
Alex Vandiver 760420b3bb version: Update version and changelog after 5.4 release. 2022-07-12 06:23:28 +00:00
Anders Kaseorg 25f6b53e90 docs: Capitalize Handlebars consistently.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-06-27 13:35:10 -07:00
Alex Vandiver 1ff30bba7c changelog: Use consistent date format. 2022-06-24 18:15:19 -07:00
Alex Vandiver 6ac3104b10 changelog: Make Zulip 4.8 - 4.11 headings consistent. 2022-06-24 18:15:19 -07:00
Alex Vandiver 9ad74739aa version: Update version and changelog after 5.3 release. 2022-06-21 20:48:24 +00:00
Alex Vandiver 625ff57450 version: Update version and changelog after 5.2 release. 2022-05-03 18:00:01 -07:00
Anders Kaseorg cc30ed8ec7 actions: Delete zerver.lib.actions.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-04-14 17:14:38 -07:00
Greg Price 60e09834a3 docs: Update apps' compatibility threshold to 3.0, from 2.1.0.
Zulip Server 3.0 is now about 21 months old, which is more than
18 months.  Per the general policy in the "Client apps" section
below, that means it's time to drop support for older versions.

We released 4.0 in 2021-05, so around 2022-11 we can update this
further to say 4.0.
2022-04-14 11:54:23 -07:00
Alex Vandiver 104e11c4fd version: Update version and changelog after 5.1 release. 2022-04-01 23:17:11 -07:00
Anders Kaseorg 7de1e7c477 changelog: Remove broken link.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-03-30 20:37:31 -07:00
Tim Abbott c8dba33408 docs: Fix broken link in changelog. 2022-03-29 09:52:07 -07:00
Tim Abbott 6ea9947991 docs: Run prettier on changelog. 2022-03-29 09:24:06 -07:00
Tim Abbott 12e8f0f5ea version: Update version following 5.0 release. 2022-03-29 08:36:41 -07:00
Tim Abbott d308c694ba Release Zulip Server 5.0. 2022-03-29 08:13:34 -07:00
Tim Abbott 219e213c60 docs: Update changelog with changes since 5.0-rc1. 2022-03-24 17:44:58 -07:00
Aman Agrawal 9a7fadbbeb zulip-icons: Move custom icons to shared folder. 2022-03-22 16:14:56 -07:00
Tim Abbott bcbba0b20d docs: Fix changelog typo. 2022-03-15 22:17:53 -07:00
Tim Abbott 63cac121ba docs: Update changelog for changes merged in recent months. 2022-03-15 22:12:59 -07:00
Alex Vandiver f77204be14 version: Update version and changelog after 4.11 release. 2022-03-15 14:24:53 -07:00
Anders Kaseorg 75525f5b53 docs: Convert .html#fragment links to .md#fragment.
This uses the myst_heading_anchors option to automatically generate
header anchors and make Sphinx aware of them.  See
https://myst-parser.readthedocs.io/en/latest/syntax/optional.html#auto-generated-header-anchors.

Note: to be compatible with GitHub, MyST-Parser uses a slightly
different convention for .md fragment links than .html fragment links
when punctuation is involved.  This does not affect the generated
fragment links in the HTML output.

Fixes #13264.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-02-28 16:28:31 -08:00
Alex Vandiver 2e435d2e9a version: Update version and changelog after 4.10 release. 2022-02-25 14:10:20 -08:00
Anders Kaseorg c19d6fb3ef docs: Clean redundant relative links.
We previously had a convention of redundantly including the directory
in relative links to reduce mistakes when moving content from one file
to another.  However, these days we have a broken link checker in
test-documentation, and after #21237, MyST-Parser will check relative
links (including fragments) when you run build-docs.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-02-24 16:12:18 -08:00
Anders Kaseorg 21cd1c10b3 docs: Add missing space in “time zone”.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-02-24 14:05:12 -08:00
Anders Kaseorg b3260bd610 docs: Use Debian and Ubuntu version numbers over development codenames.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-02-23 12:04:24 -08:00
Anders Kaseorg 1fa2761790 upgrade-zulip-stage-2: Remove create_large_indexes optimization.
This was only used for upgrading from Zulip < 1.9.0, which is no
longer possible because Zulip < 2.1.0 had no common supported
platforms with current main.

If we ever want this optimization for a future migration, it would be
better implemented using Django merge migrations.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-02-23 11:59:45 -08:00
jai2201 67625d6c7b message_feed: Remove the parenthesis around edited notices.
They were found to not particularly improve the UI.

Fixes #21043.
2022-02-10 13:52:24 -08:00
Anders Kaseorg b0ce4f1bce docs: Fix many spelling mistakes.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-02-07 18:51:06 -08:00
Anders Kaseorg d8f4e0ffb9 webhooks: Correct OpsGenie to Opsgenie.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-02-07 18:51:06 -08:00
Alex Vandiver 7ec2a2cde7 version: Update version and changelog after 4.9 release. 2022-01-24 18:46:46 -08:00
Alex Vandiver a5496f4098 CVE-2021-43799: Set a secure Erlang cookie.
The RabbitMQ docs state ([1]):

    RabbitMQ nodes and CLI tools (e.g. rabbitmqctl) use a cookie to
    determine whether they are allowed to communicate with each
    other. [...] The cookie is just a string of alphanumeric
    characters up to 255 characters in size. It is usually stored in a
    local file.

...and goes on to state (emphasis ours):

    If the file does not exist, Erlang VM will try to create one with
    a randomly generated value when the RabbitMQ server starts
    up. Using such generated cookie files are **appropriate in
    development environments only.**

The auto-generated cookie does not use cryptographic sources of
randomness, and generates 20 characters of `[A-Z]`.  Because of a
semi-predictable seed, the entropy of this password is thus less than
the idealized 26^20 = 94 bits of entropy; in actuality, it is 36 bits
of entropy, or potentially as low as 20 if the performance of the
server is known.

These sizes are well within the scope of remote brute-force attacks.

On provision, install, and upgrade, replace the default insecure
20-character Erlang cookie with a cryptographically secure
255-character string (the max length allowed).

[1] https://www.rabbitmq.com/clustering.html#erlang-cookie
2022-01-25 02:13:53 +00:00
Alex Vandiver a46f6df91e CVE-2021-43799: Write rabbitmq configuration before starting.
Zulip writes a `rabbitmq.config` configuration file which locks down
RabbitMQ to listen only on localhost:5672, as well as the RabbitMQ
distribution port, on localhost:25672.

The "distribution port" is part of Erlang's clustering configuration;
while it is documented that the protocol is fundamentally
insecure ([1], [2]) and can result in remote arbitrary execution of
code, by default the RabbitMQ configuration on Debian and Ubuntu
leaves it publicly accessible, with weak credentials.

The configuration file that Zulip writes, while effective, is only
written _after_ the package has been installed and the service
started, which leaves the port exposed until RabbitMQ or system
restart.

Ensure that rabbitmq's `/etc/rabbitmq/rabbitmq.config` is written
before rabbitmq is installed or starts, and that changes to that file
trigger a restart of the service, such that the ports are only ever
bound to localhost.  This does not mitigate existing installs, since
it does not force a rabbitmq restart.

[1] https://www.erlang.org/doc/apps/erts/erl_dist_protocol.html
[2] https://www.erlang.org/doc/reference_manual/distributed.html#distributed-erlang-system
2022-01-25 01:48:05 +00:00
Alex Vandiver 43d63bd5a1 puppet: Always set the RabbitMQ nodename to zulip@localhost.
This is required in order to lock down the RabbitMQ port to only
listen on localhost.  If the nodename is `rabbit@hostname`, in most
circumstances the hostname will resolve to an external IP, which the
rabbitmq port will not be bound to.

Installs which used `rabbit@hostname`, due to RabbitMQ having been
installed before Zulip, would not have functioned if the host or
RabbitMQ service was restarted, as the localhost restrictions in the
RabbitMQ configuration would have made rabbitmqctl (and Zulip cron
jobs that call it) unable to find the rabbitmq server.

The previous commit ensures that configure-rabbitmq is re-run after
the nodename has changed.  However, rabbitmq needs to be stopped
before `rabbitmq-env.conf` is changed; we use an `onlyif` on an `exec`
to print the warning about the node change, and let the subsequent
config change and notify of the service and configure-rabbitmq to
complete the re-configuration.
2022-01-25 01:48:02 +00:00
Anders Kaseorg 1696144df7 docs: Consistently hyphenate “self-host” and “self-service”.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-01-05 16:21:35 -08:00
Anders Kaseorg 1d3520db12 webhooks: Remove space from UptimeRobot.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-12-22 14:05:17 -08:00