Changelog

3.0.3 (released February 7, 2021)

Bug fixes

  • Upgrade frameworks, language runtimes, and dependencies to latest available minor version.
  • Increase the size fields of Debian and RPM packages so that extremely large packages can be uploaded.

New Distributions Added

  • Debian Bookworm (12.0), and Trixie (13.0).
  • Fedora 32 and 33.
  • SLES and OpenSUSE 15.2, 15.3.
  • Ubuntu Groovy (20.10) and Ubuntu Hirsute (21.04).

3.0.2 (released March 24, 2020)

Bug fixes

  • Upgrade frameworks to latest available minor version.
  • Prevent minor string leak to Redis.
  • Switch to Node.js 12 runtime for Lambda generator.
  • Improve performance of Python package indexing, lookup, and metadata storage.
  • Fix a bug which prevented automated recurring database and config backups (note: this issue did not affect manual backups).

New Distributions Added

  • SLES 12.4 and 12.5.
  • SLES 15.1.

3.0.1 (released February 3, 2020)

Bug fixes

  • Fix a bug in packagecloud:enterprise HA setup which can cause an infinite redirect

2.0.9 (released January 30, 2020)

Bug fixes

  • Fix a bug in packagecloud:enterprise HA setup which can cause an infinite redirect

3.0.0 (released January 27, 2020)


Note: Customers are very strongly encouraged to upgrade their packagecloud:enterprise 2.0.8 installation to use AWS CloudFront BEFORE upgrading to 3.0.0.

New features

  • packagecloud:enterprise can now be installed and run on Ubuntu Bionic (18.04).

  • Skip pygpgme on CentOS/RHEL 8.0 systems; gpg verification is handled by libdnf.

  • Added support for libzstd compressed RPM packages.

  • Updated the AWS RDS certificate bundle.

  • Support Android APK packages via web-based upload.

  • Gracefully handle Resque shutdown.

  • Performance boost for YUM Metadata requests.

  • Handle NPM scope passed as a header.

Bug fixes

  • Fix cache-control headers on certain repository metadata types to avoid caching

  • Fix bug that prevented correct Chunked Encoding headers in certain cases

  • Fix RubyGem version sorting algorithm

  • Upgrade of frameworks, languages, and runtime dependencies

  • Silence spurious warnings during CLI tasks

  • Clean up potential temporary file leaks in RPM indexer

  • Work around YAJL encoding bug which raises when writing utf8 encoded strings to IO objects.

  • Fix display bug when user account which has uploaded or deleted packages has been deleted

  • Fix Content-Type headers for Debian APT By-Hash metadata

  • Fix potential temporary file leaks in Java uploader


New Distributions Added

  • Added Linux Mint 19.1
  • Added Linux Mint 19.2
  • Added Linux Mint 19.3
  • Added Ubuntu Disco Dingo (19.04)
  • Added Ubuntu Eoan Ermine (19.10)
  • Added Ubuntu Focal Fossa (20.04)
  • Added Fedora 30
  • Added CentOS/RHEL 8.0
  • Added Debian Bullseye

2.0.8 (released April 19, 2019)

Bug fixes

  • Attempting to install packagecloud:enterprise on AWS Linux 2 resulted in an error due to improper OS detection by the installer. This OS is not officially supported, but this bug has now been fixed.

2.0.7 (released April 12, 2019)

New Features

Bug fixes

  • Timezone tables for the embedded MySQL server are only inserted once or when needed, instead of on every reconfigure.
  • Allows uploads of xbstream backups to S3 greater than 5GB.
  • Old xbstream backups are now properly rotated.

2.0.6 (released March 28, 2019)

Bug fixes

  • Better support for improperly padded ZIP archives.
  • Allows uploads of backups to S3 greater than 5GB.
  • Updated Rails version which addresses CVE-2019-5418, CVE-2019-5419, CVE-2019-5420

2.0.5 (released March 1, 2019)

New Features

Bug fixes

  • Various styling/UI fixes.
  • More information displayed on Java, Node.js and Python package pages.
  • Fix case where RPM indexing would miss some things.
  • Show installed size for RPM and Debian packages.
  • Better download stats on package pages.
  • `packagecloud-ctl reindex-all` is now `packagecloud reindex-everything` and actually reindexes everything.
  • Upgrade xtrabackup version for compatibility with AWS RDS import of xbstream database backups.
  • Primary keys for Downloads, RPM files and Debian files have all been expanded to 64 bits.
  • Fix packagecloud-ctl backup-database-list command.

New Distributions Added

  • Linux Mint 19.1 (tessa)

*Docs for AWS RDS xbstream import coming soon!

2.0.4 (released December 13, 2018)

New Features

Bug fixes

  • Improved SBT deployment instructions.
  • Sprockets version bump to address CVE-2018-3760.
  • Rack version bump to address CVE-2018-16470.
  • Loofah version bump to address CVE-2018-16468.
  • Removed telemetry reporting from percona xtrabackup tool, also mitigates CVE-2015-1027 and CVE-2014-2029.
  • Improved error reporting for AAR uploads.
  • Node.js package uploads that contain multiple "package.json" files will no longer fail.
  • Fixed XSS vulnerability.
  • Ruby updated to 2.4.5.

New Distributions Added

  • Fedora 29
  • SLES 15.0
  • openSUSE LEAP 15.0
  • openSUSE LEAP 15.1
  • Elementary OS "juno" 0.5
  • Linux Mint 19 "tara"
  • Ubuntu 18.10 "Cosmic Cuttlefish"


2.0.3 (released September 6, 2018)

Bug fixes

  • Fixed XSS vulnerability.
  • HSTS is now set when HTTPS is enabled.
  • Cookies are now set to Secure: True when HTTPS is enabled.

2.0.2 (released May 20, 2018)

New Features

  • Ability to migrate embedded MySQL to Amazon RDS.
  • Using external MySQL databases with SSL is now supported.
  • SHA256 checksum of package added to all API responses (other checksums are still available via the package details API).
  • Additional error checking for malformed Rubygem archives.
  • Admins can now clear a specific type of queue.
  • Improved error checking/handling for NPM packages' "engines" field.

Performance improvements

  • packagecloud-ctl reconfigure command performance greatly improved.
  • Optimized code paths around Read Token authentication.

Bug fixes

  • API "limit" pagination parameter is now respected in all cases.
  • Indexing of Python repositories no longer occasionally deadlocks the database.
  • Fixed RPM versions API for SUSE packages.
  • Embedded MySQL no longer listens on 127.0.0.1:3306 (only uses a socket file now).
  • Add GPG key endpoint that lets Zypper verify repository metadata signatures.
  • pkg_gpgcheck set to 0 for Zypper repository configurations to work around Zypper bug where gpgkey= urls are not respected. More details available in the SUSE bug reports 1088037 and 954274.
  • Descriptions of packagecloud-ctl queue management commands fixed.

New Distributions Added

  • Fedora 28
  • SLES 12.3
  • Elementary OS "loki" 0.4

2.0.1 (released March 22, 2018)

New Features

  • Additional information about Node.js packages is now displayed on package pages.

Performance improvements

  • YUM indexer efficiency increased significantly for large repositories.
  • APT indexer efficiency increased significantly for large repositories.
  • Deletion of large repositories is now much more efficient.
  • Unnecessary queries removed from repository pages, resulting in faster load times.

Bug fixes

  • A feature added to recent versions of Bundler (1.14 and higher) to warn about an unwritable home directory was resulting in this warning being written out for all bundle-related tasks, including dumping the GPG public key. This issue has now been resolved.
  • A bug in an open source library prevented GPG signatures of repositories with UTF-8 strings in the repository description. This has now been fixed.
  • Python repositories previously incorrectly returned 404s for valid HEAD requests. This has now been fixed.
  • A bug preventing users from manually updating the 'latest' distribution tag for a package has been fixed.
  • Accessing private NPM repositories with the wrong authorization scheme (e.g. Basic instead of Bearer) previously returned a 500. This has been fixed to return a 401.
  • Prevent Debian packages with severely broken version strings from being uploaded.
  • Prevent RPM packages with missing version or release strings from being uploaded.

2.0.0 (released February 26, 2018)

New Distributions Added

  • Fedora 27
  • Ubuntu 18.04
  • LinuxMint Sylvia

New Features

  • Redesigned UI.
  • Support for NPM registries and Node.js packages.
  • Add support for Android Java packages (APK) files and the binary manifests contained within.
  • Allow promote and delete when using package search.
  • Bump all libraries, frameworks, and Ruby to the latest versions.
  • Add support for additional download URLs like: download.rpm to make package managers which string match file extensions happy.
  • Allow user to select master token on repo install pages so the install scripts will use the desired token.
  • Add detection of gnupg to repository install scripts.
  • Handle requests for 6Server and 7Server routing them to el/6 and el/7, respectively.
  • Extended Python License field to allow more verbose License files.
  • Add structured data so that links from packagecloud pasted into chat apps look much nicer :)
  • Improved performance of Debian indexer for "all" arch.

Bug fixes

  • RubyGems with different platforms (but the same version) were unable to be uploaded due to a buggy database constraint. This is now fixed.
  • Fix a bug introduced by certain versions of dpkg on Debian systems which generated malformed version strings in package metadata.
  • Parsing Debian package metadata may have parsed control.swp files (generated by vim and erroneously included in a Debian package). Fix this by explicitly checking the filename.
  • Require all debian binary packages to have at least: version, maintainer, and description fields.
  • Fix an issue when uploading JAR packages with no pom.xml file.

1.0.55 (released September 17, 2017)

New Distributions Added

  • LinuxMint 18.2 (sonya)
  • openSUSE LEAP 42.3
  • Fedora 26

New Features

  • All repository indexer jobs now log a lot more useful information.
  • Java package API responses now include a download_url field.
  • Link to enterprise documentation added to footer.
  • Improved error-handling for packagecloud-ctl reset-password command.
  • Adds configuration options for tuning Garbage Collection parameters for application and job workers, new defaults should increase performance overall. See the Garbage Collection page for more details.

Bug fixes

  • Fixed bug around handling of Debian DSC packages containing a '+' character in the filename.
  • Fixed bug with Search API pagination.
  • Fixed promotion of Debian DSC packages and Java packages.
  • Fixed a bug around stale repository indexes when all packages have been promoted out of a repository.
  • Names for Master Tokens and Read Tokens have been increased to 255 characters and slashes are no longer allowed. (Slash characters in token names will automatically be replaced with a dash). See Release Notes for instructions.
  • You can no longer accidentally delete web-dl read tokens.
  • Size field is now properly stored for Debian DSC packages.
  • Fixed race condition in Debian Indexer jobs that would cause Release files to occasionally return 404 while they were being generated.
  • Fixed packagecloud-ctl backup-all command.
  • Fixes packagecloud-ctl bootstrap-database command when database does not exist.

1.0.54 (released July 24, 2017)

New Features

  • Adds Java WAR support.
  • API for managing package signing GPG keys. Install the latest package_cloud gem to use (v2.0.43).

Bug fixes

  • Fixes installation instructions for Java SNAPSHOT versions.
  • Improved error handling for package uploads.
  • Fixes bug preventing reliable logged-in sessions from working for deployments with multiple frontends (see the Session Secret documentation for more information).
  • Fixes bug where proxied requests to S3 from python/pip would fail.
  • The bootstrap-database command now returns the correct exit status for all cases.

1.0.53 (released June 7, 2017)

New Features

  • Allows upload of GPG package signing keys to repository (supported only for yum/rpm, for now).

  • Support for using an external GPG agent for keys that need a passphrase, see documentation for External GPG Agent.
  • Better error handling for malformed debian file uploads.

Bug fixes

  • Hitting ESC key now closes modals.

  • Fixes issue where sometimes copy/paste button would copy incorrect text.
  • Fixes issue around zypper configuration file generation.

1.0.52 (released May 12, 2017)

New Features

  • Allow search of Java packages by group.

  • A `destroy_url` field is now included in all API responses.

Bug fixes

  • Fixes Maven uploads from Microsoft Windows platforms.

  • Fixes issue where package promotions from private repositories to private repositories could not be downloaded from the web. (See Release Notes for more information).
  • Adds stricter HTML escaping/sanitization to more parts of the interface.
  • Better error messages for Java package uploads.
  • Better error messages for Python package uploads.
  • Various Stats API fixes for Python and Rubygems packages.

1.0.51 (released May 5, 2017)

Bug fixes

  • Adds extra CSRF protection to critical endpoints for increased security.

1.0.50 (released May 4, 2017)

Bug fixes

  • Fixed XSS vulnerability.

1.0.49 (released April 19, 2017)

Bug fixes

  • Fixed XSS vulnerability.

1.0.48 (released March 28, 2017)

New Features

  • Added support for SLES 42.2 and SUSE 12.2.

  • Add support for Android AAR Java libraries.
  • Added tips for logged in users with links to documentation for common actions.
  • New rubygems may include checksums with stronger SHA algorithms. Support for verifying RubyGems with stronger checksums has been added (previously these gems were simply rejected on upload).
  • Added a way to filter repository pages by package type.
  • Bumped the bundled redis up to 3.2.6. 

Bug fixes

  • Adjusted APT contents query to more efficiently generate Contents file metadata.

  • UI adjustments (colors, positioning, etc).
  • Add an additional check to install scripts for a second SSL-related error code that curl can return (code 60).

1.0.47 (released January, 2017)

New Features

  • Added support for Linux Mint 18.1.

  • Added packagecloud-ctl reset-password <user> <password> command.

Bug fixes

  • Minor angular app fixes.

  • Forgot password page will now show a warning if SMTP is not configured.
  • Handle RPMs that have ghost files present in the archive when they should not. This is caused by a buggy librpm that is shipped with CentOS 6.
  • Minor updates to the mirroring instructions tab.
  • Cosmetic updates to the package delete button.
  • Remove the scheme (e.g., http:// or https://) from the origin when generating a release file. Apt's unattended-upgrades cannot handle '://' and crashes when pointed at repositories with this character set in the Release file.
  • Better handling of buggy JAR packages
  • Better handling of malformed Debian packages
  • Fix package promotion for SUSE packages

1.0.46 (released December 2, 2016)

New Features

Bug fixes

  • Fix a bug in the RubyGems package server code which prevented non-ruby platform gems from being served.

  • Fix a bug in the Debian Source Package server code which prevented XZ-archive files from being downloaded.

  • Fix a bug in the SUSE Linux web-ui package download paths preventing downloads of packages when clicking the “Download” button.

  • Added additional error checking to prevent broken Debian packages from being uploaded.

  • A bug in an underlying library caused HEAD requests against AWS S3 to fail. We’ve found a work-around for this bug, fixing HEAD requests against objects stored on AWS S3.

  • Fix minor bug affecting enterprise users who use the local hard drive for storing data which prevented writes in some cases.

1.0.45 (released November 22, 2016)

New Features

1.0.44 (released November 14, 2016)

Bug fixes

  • Extremely long package descriptions are now truncated before save

  • Fixes gpg.key URL in Proxy Configuration

1.0.43 (released November 4, 2016)

New Features

Bug fixes

  • Better error handling during uploads
  • Python repositories are now reindexed when renamed

1.0.42 (released October 17, 2016)

New Features

  • Minor tweaks to better support http/https proxying, such as when using Amazon Elastic Load Balancer.

1.0.41 (released October 5, 2016)

Bug fixes

  • Skip the on-boarding process for users listed in users.yml that aren't already in the database by adding action: 'delete' to the individual user entry.

1.0.40 (released September 22, 2016)

Bug fixes

1.0.39 (released August 10, 2016)

New features

  • Added a dialog for creating master tokens and read tokens from the web UI.

Bug fixes

  • Fixed a bug preventing certain RubyGem packages from being uploaded.
  • Fixed a bug preventing certain RubyGem packages from being deleted.

1.0.38 (released August 3, 2016)

New features

  • Java JAR support added.
  • Repository pages can now have markdown READMEs.
  • Package dependencies are now returned for each package when using the package show API.
  • Statistics API URLs are now returned for each package when using the package show API.
  • Allow the log level to be adjusted to prevent excessive logging. The default log level has been set to 'error' unless otherwise specified with packagecloud_rails['log_level'] in /etc/packagecloud/packagecloud.rb.
  • Add support for Linux Mint 18.
  • Add support for Fedora 24.
  • Add support for the ppc64el architecture for Debian packages.

Bug fixes

  • Fix rendering of package descriptions
  • Fix bad query that occasionally caused MySQL deadlock errors when marking packages as being indexed.
  • When a user on packagecloud:enterprise is disabled, all collaborations that user had are now deleted.
  • Allow python wheels with periods in the name to be uploaded.
  • Fix handling of ARM-architecture RPM packages.
  • Strip 4-byte UTF-8 characters from description fields to prevent a MySQL error on insertion.
  • Debian packages with unknown architectures are now rejected.

1.0.37 (released May 10, 2016)

Performance improvements

  • Performance improvement for Debian package indexer. Reindex times are significantly reduced for large (> 2000 package) repositories.
  • Improve performance of all package servers. The latency between making a request for a package via apt-get, yum install, pip install, and gem install and receiving a 302 has been reduced by 40-60%.
  • Improve performance of RPM indexer significantly. Repositories with large numbers of packages (> 2000 packages) will have the most noticeable speed increase.

New features

  • Search was rewritten from the ground up to be much faster and easier to use.
  • Added a badge to repository pages to indicate if a package is currently being indexed. Once the package is indexed, the badge disappears.
  • Added an "indexed" attribute to package API results.
  • Added "download_url" to package API results.
  • Added a delete button to package pages.
  • Enabled SHA256 GPG signatures for Debian Wheezy and above (previously was only Debian Jessie and above).

Bug fixes

  • Fix some broken javascript includes preventing certain front end panels from displaying properly
  • Fix a bug in the RPM indexer where noarch RPM would queue a reindex of the SRPM packages.
  • Fix authentication bug for the RubyGems dependency API. This (and only this) endpoint must be accessible with read tokens and not normal API tokens so that bundler can properly use the endpoint.
  • Fix a small bug for APT Empty Indexes.

1.0.36

1.0.35

  • Add repository collaborations to new and existing users by passing a list of repository paths (:user/:repo) to a user entry in the users seed file /etc/packagecloud/users.yml:
users:
   - { email: 'tester@test.com', name: 'tester', password: 'encrypt_me', collaborations: ['user/repo'] }

1.0.34

  • Fix reindex_debs rake task (additional specs were added to prevent future breakage of this task)
  • Fix a very rare bug when rendering RPM Package details pages

1.0.33

  • Embedded install instructions
  • Better error messages for web uploads
  • Display checksums on package pages
  • Remove XZ support (see the Release Notes)
  • Add SHA256 GPG signatures for recent Ubuntu and CentOS distributions
  • Allow users to remove themselves as collaborators from repositories
  • Fix a race condition in the Debian indexer for packages with architecture type all
  • Support RubyGems dependencies API endpoint
  • Added support for S3 Transfer Acceleration (see the S3 guide)
  • Ruby bumped to 2.1.9 with back-ported patch to avoid rare segmentation faults

1.0.32

  • Fix timezone SQL table import bug affecting new installs (upgrades are unaffected).
  • Fix typos in config and users.yml files.

1.0.31

  • Cosmetic changes for displaying long package descriptions, additional package info (like size), website footer, page tiles, and more.
  • Stats API for getting download stats and repository installation stats and docs.

1.0.30

1.0.29

  • Python support

1.0.28

  • CentOS 6 support
  • Fixes bug around mysql not starting up if mysql was already installed on host vm (in some cases)

1.0.27

1.0.26

  • Fixes regression introduced in 1.0.25 for private source file downloads

1.0.25 (yanked)

  • Support for storing packages and repository metadata on the local hard disk instead of AWS S3
  • Add support for Elementary OS
  • Fix bug for subdomain in private repository bundler install scripts

1.0.24

  • Add Bundler tab to install page
  • Fix rubygem installation scripts for private repos
  • Safeguards to prevent partially downloaded install scripts from running

1.0.23

  • Fix a bug in the Fog library preventing users from issuing HEAD requests
  • Rearrange Debian package indexer to avoid race condition for packages with architecture type 'all'
  • Add Ubuntu Wily support
  • Add LinuxMint support
  • Add Raspbian support
  • Add mirroring information to repository pages
  • Several updates to install bash script, remove hostname use for public repos, provide os overrides
  • Update the manual install instructions to make them easier to read and follow
  • Fix minor bug in web-based package upload

1.0.22

  • Add tcmalloc - reducing the memory use baseline by approximately 20%
  • Refactor and reorganize most of the javascript code in the app
  • Performance improvement for buffering large packages (> 350 mb)
  • Performance improvement for processing and storing data about large packages (> 350mb)
  • More error checking when generating config files used by installation scripts

1.0.21

  • Fix NGINX route to prevent certain APIs from hitting the non-API worker processes
  • Pass through NGINX read timeout variable so users can adjust as needed
  • Update disallowed username list
  • Modify repository deletion to not queue a reindex
  • Minor performance enhancements in libraries that process Debian and RPM packages

1.0.20

  • Modify enterprise installer to deal with fixing permissions on previous installations of enterprise
  • Add a set of bootstrap tasks to separate database creation and installation

1.0.19

  • Fix bug in background delete jobs
  • Add buildkite documentation

1.0.18

  • Bump openssl version

1.0.17

  • Fixed some logging bugs affecting background job processing
  • Fix minor permissions bug during enterprise installation
  • Refactor background delete job
  • Add additional packagecloud-ctl commands for queue status and deletion
  • Bump openssl version