X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/tripe/blobdiff_plain/d36eda2aa8c5e9d22216d748f32af8083f2a1a69..9a8968eb1173b9cb0d03b607d79652a653192584:/debian/changelog diff --git a/debian/changelog b/debian/changelog index a6c80e5c..308c3e72 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,246 @@ +tripe (1.5.3) experimental; urgency=medium + + * tripe-peer-services (tripe-newpeers): Fix crash when the database + contains `user' records. + + -- Mark Wooding Mon, 23 Sep 2019 11:10:20 +0100 + +tripe (1.5.2) experimental; urgency=medium + + * tripe-wireshark: Dissector package is necessarily architecture + specific. Replace botched architecture-neutral version. + + -- Mark Wooding Sun, 22 Sep 2019 16:22:19 +0100 + +tripe (1.5.1) experimental; urgency=medium + + * tripe: Fix almost completely unusable AEAD support (brown paper bag + moment). + * tripe: Document the errors about unsuitable AEAD schemes. + * tripe: Support AEAD schemes with smaller nonce spaces (down to 40 + bits). + + -- Mark Wooding Sun, 22 Sep 2019 14:52:48 +0100 + +tripe (1.5.0) experimental; urgency=medium + + * Big version bump, because this really isn't a prerelease anymore. And + there's lots of goodies in this version. + * New mobile-peer protocol `knock' is much faster and no longer requires + complex SSH setup. + * Support transport over IPv6. + * Support Catacomb AEAD schemes for bulk crypto. + * python-tripe: Fixed `TripeCommandDispatcher.eping' to send the correct + command. + * tripe-peer-services (connect): Report on connectivity statistics. + * tripe-wireshark: Replaced the old dissector with a new one written in + Lua, which understands the modern protocol. It's unfortunately + slower, but actually works and isn't a nightmare to maintain. + * tripe-ethereal: Deleted this ancient transition package. + + -- Mark Wooding Sun, 22 Sep 2019 01:49:03 +0100 + +tripe (1.0.0pre19.1) experimental; urgency=medium + + * Packaging fixes. (No code change.) + + -- Mark Wooding Mon, 24 Dec 2018 15:53:35 +0000 + +tripe (1.0.0pre19) experimental; urgency=low + + * tripe: Use Catacomb `rand_quick' to collect system-specific entropy, + e.g., from the x86 `rdrand' isntruction. + * tripe: Fix memory leak of key-data objects. 
+ * tripe: Add new `naclbox' bulk-crypto transform based on Salsa20/ChaCha + and Poly1305. + * tripe: Support X25519 and X448 as key-exchange groups. + * tripe-keys: Support Ed25519 and Ed448 signature schemes. + * tripe-keys: Allow more control over key generation. In particular, + arbitrary attributes can now be set on master keys and key-exchange + keys. + * tripe-uslip: Clean up sockets on signal. + * A number of documentation fixes. + + -- Mark Wooding Sun, 14 May 2017 18:18:17 +0100 + +tripe (1.0.0pre18) experimental; urgency=low + + * general: Fixed some 64-bit portability bugs. + * debian: Improve the Debian packaging: there are now explicit versions + on dependencies; the build-depependencies are correct; and there are + separate build-dependencies for the (rather more demanding) + architecture-neutral packages. + * tests: Fixed the server test suite to remove spurious failures. + + -- Mark Wooding Sat, 30 Apr 2016 18:13:31 +0100 + +tripe (1.0.0pre17.1) experimental; urgency=low + + * tests: More warning suppressions. + + -- Mark Wooding Mon, 11 May 2015 00:52:01 +0100 + +tripe (1.0.0pre17) experimental; urgency=low + + * tripe-peer-services: The `tripe-newpeers' program now implements + multiple inheritance of configuration sections. See peers.in(5) for + the details. + * tripe-peer-services: The base configuration now has different timeouts + for active and passive dynamic peers. The thinking behind this is + explained in connect(8). + * tripe: The example `knock' script now works with OpenSSH forced- + commands, as well as custom shells. + * tripe: Include a configuration file for `sshsvc-mkauthkeys', to help + with setting up passive peers. + * tripe-peer-services: Fix a bug which broke the `connect' service's + `KICK' command. + * Attach a `tripe' suffix to most of the manpage names. Some of the + services, in particular, have rather generic names and it's only luck + that there haven't been conflicts yet. 
+ * tripe: New `-W' option for `tripectl' to set the watch list. + + -- Mark Wooding Fri, 08 May 2015 19:22:25 +0100 + +tripe (1.0.0pre16.2) experimental; urgency=low + + * tripe-peer-services: `tripe-ifup' is now more tolerant of errors, and + more useful at reporting them. + * tripe-peer-services: `tripe-ifup' strips any explicit prefix length + from the remote internal address when adding routes naming it as a + gateway. + * tripe-peer-services: `tripe-ifup' explicitly forces the sysctl setting + `net.ipv6.conf.IFACE.disable_ipv6' off before configuring an IPv6 + address as a workaround for some devices which try to turn IPv6 off + globally if they can't get a route. + + -- Mark Wooding Sat, 14 Mar 2015 19:35:18 +0000 + +tripe (1.0.0pre16.1) experimental; urgency=low + + * tripe: Diagnose a mismatch between two peers' choice of bulk crypto + transforms. + + -- Mark Wooding Tue, 17 Feb 2015 21:33:47 +0000 + +tripe (1.0.0pre16) experimental; urgency=low + + * pathmtu: Use `IP_PMTUDISC_PROBE' rather than `..._DO' when doing + Linux-specific probing: this prevents inexplicable `EMSGSIZE' failures + from write(2). + * tripe: New bulk-crypto transform `iiv', which (a) reduces encryption + overhead and (b) is fully deterministic, closing a possible + kleptographic channel. + * tripe: Improve logging options in the client and startup scripts. + * tripe: Ship experimental systemd units as examples. + * tripe-peer-services: `conntrack' supports newer GLib bindings. + * tripe-peer-services: `connect' now only polls its database once a minute + (rather than once a second). + * tripemon: Support for newer Gtk bindings. + * tripemon: More distinctive highlighting of entry fields with invalid + contents. + * tripemon: Show per-peer crypto details in info sheet. + * tripemon: Support new options in `Add peer' dialogue. + + -- Mark Wooding Sun, 20 Jul 2014 21:48:23 +0100 + +tripe (1.0.0pre15) experimental; urgency=low + + * Allow network masks in the `laddr' and `raddr' lists. 
+ + -- Mark Wooding Sat, 19 Apr 2014 14:34:22 +0100 + +tripe (1.0.0pre14) experimental; urgency=low + + * Abolish the `watch' service. Its functionality has been absorbed into + `connect', and the postinst script now attempts to remove the obsolete + symbolic link from /etc/tripe/services. + * Many internal build changes. + + -- Mark Wooding Tue, 28 Jan 2014 15:39:24 +0000 + +tripe (1.0.0pre13) experimental; urgency=low + + * Compare MAC tags in constant time. (Fixes a timing attack performed + by an adversary who can watch the timestamp on the server log.) + + -- Mark Wooding Mon, 27 May 2013 22:58:31 +0100 + +tripe (1.0.0pre12.2) experimental; urgency=low + + * New `tripe-keys' command: `check' reports on keys which will expire + soon, so that someone remembers to refresh them. + + -- Mark Wooding Thu, 07 Feb 2013 10:37:01 +0000 + +tripe (1.0.0pre12.1) experimental; urgency=low + + * Extract Wireshark version number from `wireshark-common' rather than + `wireshark': the latter need not be installed. + + -- Mark Wooding Sat, 12 Jan 2013 22:30:32 +0000 + +tripe (1.0.0pre12) experimental; urgency=low + + * tripe-peer-services: Add machinery for notifying a peer that we no + longer require its services. + + -- Mark Wooding Sat, 05 Jan 2013 07:50:33 +0000 + +tripe (1.0.0pre11.1) experimental; urgency=low + + * tripe: Fix segfault from PEERINFO command. + * tripe: Include missing documentation of ADD command's `-priv' option. + * tripe: Fix warning message which didn't match documentation. + + -- Mark Wooding Sat, 15 Dec 2012 14:14:36 +0000 + +tripe (1.0.0pre11) experimental; urgency=low + + * Fix log/permissions foul-up. Move the logs to /var/log/tripe, and + arrange for that directory to exist with the correct permissions. + Don't try to open the log until after dropping privileges, so as to + provide a check that we can reopen them later. 
+ * New peer option `mobile' can be set in peers.d files to indicate that + the peer's IP address and/or port are highly volatile and the server + should try to keep up with changes by attempting to decrypt incoming + packets using any available mobile keys. + * tripe: Mobile peers: track changes in remote address automatically. + * pathmtu: New mode uses raw sockets for portability. + * tripe-peer-services: Support IPv6 interface configuration. (There's + still no support for sending encrypted packets over IPv6.) + * tripe: Randomize exponential backoff for retransmission. [mdw/backoff] + * tripe: Support multiple private keys and cipher suites in the same + server. + + -- Mark Wooding Tue, 18 Sep 2012 03:39:52 +0100 + +tripe (1.0.0pre10) experimental; urgency=low + + * Overhaul SLIP error handling. + * Have conntrack tear VPN down in some networks. + + -- Mark Wooding Fri, 22 Apr 2011 16:48:31 +0100 + +tripe (1.0.0pre9) experimental; urgency=low + + * Make conntrack rather more robust against errors. + * Logically separate key tags from peer names. + + -- Mark Wooding Mon, 17 May 2010 20:27:33 +0100 + +tripe (1.0.0pre8.1) experimental; urgency=low + + * Whoops. conntrack was almost completely broken. Fix it a lot. + + -- Mark Wooding Sat, 15 May 2010 20:06:12 +0100 + +tripe (1.0.0pre8) experimental; urgency=low + + * Many changes, enhancements and bug fixes. Like, way too many to list + here. + + -- Mark Wooding Sun, 09 May 2010 15:32:30 +0100 + tripe (1.0.0pre7) experimental; urgency=low * Support SLIP encapsulation.
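Review bot: the 1.5.1 entry "Fix almost completely unusable AEAD support (brown paper bag moment)" does not say what was actually wrong in 1.5.0, so a reader cannot tell whether AEAD simply failed to work or whether traffic was sent with weaker protection than intended. Add a short clause stating the observable failure, and say whether peers that selected an AEAD scheme under 1.5.0 need to do anything beyond upgrading. In the same spirit, the 1.0.0pre13 entry "Compare MAC tags in constant time" describes a timing-attack fix but is marked urgency=low, which undersells it for anyone triaging upgrades from the changelog alone. Two spelling slips in the added text are also worth fixing before this lands: "isntruction" in the 1.0.0pre19 entry (`rdrand' instruction) and "build-depependencies" in the 1.0.0pre18 entry.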