+If you install from .deb files then much of this work is automated.
+
+* 4.x -> 5.0
+
+** Web Confirmation Strings
+
+The syntax of confirmation strings for online registrations has changed and old
+ones no longer work. This only affects users who registered before the upgrade
+but have not yet confirmed their login. You can delete such half-created users
+with 'disorder deluser USERNAME' (as an administrative user, for instance as
+root on the server) and they can start the registration process again.
+
+** Handling Of Configuration Changes
+
+There is a new mechanism to ensure that the search database and aliases are
+reconstructed if any options that affect them change. Unfortunately this means
+that the reconstruction step always takes place on upgrade from 4.3 or earlier,
+as those versions don't record sufficient information for the server to tell
+whether it needs to reconstruct or not.
+
+The result will be a log message of the form:
+
+new database parameter string dbparams-0-sha256:61609f3e6395ec8dee317ee216fe2848d70c249d347dd03c6a219441a13dd456 - removing old data
+
+...and a slower rescan on startup. Subsequent restarts should not have this
+problem (unless of course you change a relevant option).
+
+** Deprecation Notices
+
+The player --wait-for-device option is deprecated and will be removed in a
+future version.
+
+The 'lock' option no longer does anything. You must delete it from any
+configuration files that contain it. The full set of deprecated options is:
+ allow
+ gap
+ lock
+ prefsync
+ restrict
+ trust
+
+* 3.0 -> 4.x
+
+If you customized any of the templates, you will pretty much have to start from
+scratch as the web interface has been rewritten. See disorder.cgi(8) for a
+starting point.
+
+The 'gap' directive will no longer work. You must delete it from any
+configuration files that contain it.
+
+You may prefer to remove any 'smtp_server' directive you have, as the web
+interface will now use the local sendmail executable if available.
+
+If you want to be able to do use management over non-local connections (thereby
+potentially exposing passwords!) you must set 'remote_userman' to 'yes'.
+
+* 2.0 -> 3.0
+
+** Authentication
+
+Users are now stored in the database rather than in 'allow' directives in a
+private configuration file. 'allow' is still understood in this version, but
+is only used to populate the database on startup. After the first (successful)
+run of the server the remaining 'allow' directives should be deleted.
+
+'restrict' and 'trust' are replaced by a system of per-user rights. The
+default user rights are based on the 'restrict' setting, and the rights of
+users created frow 'allow' directives preserve the meaning of 'trust', but
+after the first run you should remove these directives and (optionally) add a
+'default_rights' directive.
+
+'allow', 'restrict' and 'trust' will stop working entirely in a future version
+but for now they will generate harmless error messages. Remove them and the
+error messages will go away.
+
+See README for new setup instructions for the web interface.
+
+** Other Server Configuration
+
+Sensible defaults for 'stopword', 'player' and 'tracklength' are now built into
+the server. If you haven't modified the values from the example or Debian
+configuration files then you can remove them.
+
+'gap' now defaults to 0 seconds instead of 2.
+
+The sound output API is now configured with the 'api' command although
+'speaker_backend' still works. If you use 'api alsa' then you may need to
+change your 'mixer' and 'channel' settings.
+
+** Web Interface
+
+The web interface no longer uses HTTP basic authentication and the web server
+configuration imposing access control on it should be removed. Users now log
+in using their main DisOrder password and the one in the htpassed file is now
+obsolete. You should revisit the web interface setup instructions in README
+from scratch.
+
+As part of this, the DisOrder URL has changed from (e.g.)
+
+ http://yourserver/cgi-bin/disorder/disorder
+
+to just
+
+ http://yourserver/cgi-bin/disorder
+
+** Checklist
+
+ * delete default 'stopword', 'player' and 'tracklength' directives
+ * set 'gap' if you want a non-0 inter-track gap
+ * set 'api' and maybe 'mixer' and 'channel'
+ * perhaps add 'default_rights' directive
+ * delete 'allow', 'restrict' and 'trust' directives after first run
+ * follow new web interface setup in README
+