diaspora

New configuration file!

Diaspora* now uses TOML for the configuration file. We recommend you to migrate to this new format, as with the next major release (1.0) diaspora* will no longer read the YAML based configuration file at config/diaspora.yml. To do so, please copy config/diaspora.toml.example to config/diaspora.toml and migrate your configuration.

API!

With the release of diaspora* Version 0.9, we now officially support building applications on top of the diaspora* API! Please check out the official API documentation for instructions, and please do file bugs if you notice something that could be improved!

We are looking forward to seeing many creative applications!

The chat integration has been removed

After a discussion with our community on Discourse, we decided to remove the pieces of XMPP chat integration that were put in place a while ago. When we first added the chat support, we merged the implementation in an unfinished state in the hopes that the open issues will be addressed eventually, and the implementation would end up more polished. This ended up not being the case. After careful consideration and discussion, we did not manage to come up with clear reasons why we need a chat implementation, so we decided that the best way forward would be to remove it.

Although the chat was never enabled per default and was marked as experimental, some production pods did set up the integration and offered an XMPP service to their users. After this release, diaspora* will no longer contain a chat applet, so users will no longer be able to use the webchat inside diaspora*. The existing module that is used to enable users to authenticate to Prosody using their diaspora* credentials will continue to work, but contact list synchronization might not work without further changes to the Prosody module, which is developed independently from this project.

Changes around the appserver and related configuration

With this release, we switched from unicorn to puma to run our applications. For podmins running the default setup, this should significantly reduce memory usage, with similar or even better frontend performance! However, as great as this change is, some configuration changes are required.

• The single_process_mode and embed_sidekiq_worker configurations have been removed. This mode was never truly a "single-process" mode, as it just spawned the Background Workers inside the runserver. If you're using script/server to start your pod, this change does not impact you, but if you're running diaspora* using other means, and you relied on this "single"-process mode, please ensure that Sidekiq workers get started.
• The format of the listen configuration has changed. If you have not set that field in your configuration, you can skip this. Otherwise, make sure to adjust your configuration accordingly:
  • Listening to Unix sockets with a relative path has changed from unix:tmp/diaspora.sock into unix://tmp/diaspora.sock.
  • Listening to Unix sockets with an absolute path has changed from unix:/run/diaspora/diaspora.sock to unix:///run/diaspora/diaspora.sock.
  • Listening to a local port has changed from 127.0.0.1:3000 to tcp://127.0.0.1:3000.
• The PORT environment variable and the -p parameter to script/server have been removed. If you used that to run diaspora* on a non-standard port, please use the listen configuration.
• The unicorn_worker configuration has been dropped. With Puma, there should not be a need to increase the number of workers above a single worker in any pod of any size.
• The unicorn_timeout configuration has been renamed to web_timeout.
• If you don't run your pod with script/server, you have to update your setup. If you previously called bin/bundle exec unicorn -c config/unicorn.rb to run diaspora*, you now have to run bin/puma -C config/puma.rb! Please update your systemd-Units or similar accordingly.

Yarn for frontend dependencies

We use yarn to install the frontend dependencies now, so you need to have that installed. See here for how to install it: https://yarnpkg.com/en/docs/install

Suggested Ruby version: 3.3

We recommend setting up new pods using Ruby 3.3, and updating existing pods to this version as well. Ruby 2.7 is EOL and no longer supported.

Changes to script/server for production pods

If you're currently running your production pod with ./script/server in a tmux or something similar, please be careful. We made some internal changes that result in the script no longer automatically restarting the server if it crashes - instead, it will just shut down. We strongly recommend running your pod using your system's unit manager, for example with this systemd unit.

Security

• Fix a potential 2FA brute force attack (CVE-2024-0227).
  Thanks to Christian Reitter (Radically Open Security) and Chris MacNaughton (Centauri Solutions).

Refactor

• Add bootstrapping for using ECMAScript 6 with automatic transpiling for compatibility #7581 #8397
• Remove backporting of mention syntax #7788
• Enable Content-Security-Policy header by default #7781
• Do not show getting started after account import #8036
• Remove the JSXC/Prosody integration #8069 #8341
• Replace factory_girl with factory_bot #8218
• Drop relay support #8243
• Use yarn to manage the frontend dependencies #8364
• Upgrade to latest diaspora_federation, remove support for old federation protocol #8368
• Remove support for therubyracer #8337
• Replace unicorn with puma #8392
• Drop strip_exif flag and always remove exif data from uploaded images #8417
• Replace apparition with cuprite #8418
• Remove i18n-inflector-rails for translations #8420
• Add ruby 3 support #8423 #8426 #8427 #8448
• Add CORS headers to nodeinfo endpoints to allow for client-side fetching #8436
• Replace eye with foreman #8449

Bug fixes

• Fix multiple photos upload progress bar #7655
• Photo-upload file picker now correctly restricts possible file types #8205
• Make inline code inside links show the link color #8387
• Fix fetching public posts on first account search was missing some data #8390
• Add redirect from mobile UI photo URLs to post when not using mobile UI #8400
• Escape mentions before markdown parsing in mobile UI #8398
• Cleanup duplicate pods in database #8403
• Fix scrolling issue after closing photo viewer on photos page #8404
• Filter unicode emojis from email headers #8421
• Do not show disabled services anymore #8406
• Update search endpoint to be aware of ignored users #8363

Features

• Add client-side cropping of profile image uploads #7581
• Add client-site rescaling of post images if they exceed the maximum possible size #7734
• Add backend for archive import #7660 #8254 #8264 #8010 #8260 #8302 #8298
• For pods running PostgreSQL, make sure that no upper-case/mixed-case tags exist, and create a lower(name) index on tags to speed up ActsAsTaggableOn #8206
• Allow podmins/moderators to see all local public posts to improve moderation #8232 #8320
• Add support for directly paste images to upload them #8237
• Add support for webp images and convert new png/jpg to webp to save space and bandwidth #8358
• Show total and active pods count in the pods list for podmins #8383
• Allow to select multiple aspects when posting on mobile #8217
• Add info links to drawer in mobile UI #8405
• Tell users that there is no help in mobile version, allow to switch to desktop #8407
• Add Smart App Banner on iOS devices #8409
• Add a more detailed modal when reporting a post or a comment #8035
• Re-introduce likes on comments #8203 #8439 #8442
• New redesigned registration page #8285
• Allow comments to be fetched #8441

This release addresses possible security issues when processing images uploaded by users that is affecting some system configurations.

This fix was heavily inspired by Mastodon's fix for GHSA-9928-3cp5-93fm, and while diaspora*s attack surface is significantly smaller and some operating systems do ship a restrictive ImageMagick policy, this release makes sure that everyone is safe.

Thank you Cure53 for finding this issue, thank you Mozilla for paying Cure53 to look into it, and thanks for Mastodon for fixing it.

Bug fixes

• Update binstubs to fix diaspora* being unable to start when multiple bundler versions were available #8392

Refactor

• Fix order-dependent jasmine test failures and switch to random order #8333
• Get rid of some uses of "execute_script" in feature specs #8331
• Fix deprecation warnings for sidekiq 7.0 #8359
• Remove entypo-rails dependency to prepare for rails 6 #8361
• Remove compass-rails dependency which is not supported anymore #8362
• Switch to sassc-rails which speeds up assets:precompile a lot #8362
• Remove markerb dependency which doesn't exist anymore #8365
• Upgrade to rails 6.1 #8366
• Update the suggested Ruby version to 2.7. If you run into trouble during the update and you followed our installation guides, run rvm install 2.7. #8366
• Upgrade to bundler 2 #8366
• Stop checking /.well-known/host-meta, check for /.well-known/nodeinfo instead #8377
• Handle NodeInfo timeouts gracefully #8380

Bug fixes

• Fix that no mails were sent after photo export #8365
• Fix people with quotes in the name causing issues with mail sender #8365

Features

• Render posts and comments as HTML in HTML mails #8365
• Add NodeInfo 2.1 support and also read newer versions of NodeInfo #8379

Security

• Bump Rails to 5.2.7 to address CVE-2022-22577 and CVE-2022-27777 #8350
• Do not allow the user to mass assign their own password and 2fa settings alongside other parameters. Reported by Breno Vitório (@brenu) - thank you! #8351

Bug fixes

• Don't suggest to retry exports on failure #8343

Security

• Update rails to fix CVE-2022-23633 #8336

Refactor

• Cache local posts/comments count for statistics #8241
• Fix html-syntax in some handlebars templates #8251
• Remove chat_enabled flag from archive export #8265
• Change thumbnails in image slideshow to squares #8275
• Replace uglifier with terser for JS compression #8268

Bug fixes

• Ensure the log folder exists #8287
• Limit name length in header #8313
• Fix fallback avatar in hovercards #8316
• Use old person private key for export if relayable author migrated away #8310

Features

• Add tags to tumblr posts #8244
• Add blocks to the archive export #8263
• Allow points and dashes in the username #8266
• Add support for footnotes in markdown #8277
• Send AccountMigration if receiving message to a migrated account #8288
• Add podmin mail address to the footer #8242
• Add username to password-reset mail #8037
• Resend account migration and deletion for closed recipients #8309
• Add sharing status to hovercards #8317
• Migrate photo URLs and cleanup old uploaded photos #8314

Refactor

• Replaced some http:// links in the UI with their https:// counterparts #8207
• Testing: Replaced phantomjs with headless Chrome/Chromium #8234

Bug fixes

• Update comment counter when deleting a comment in the Single Post View #7938
• Link diaspora only poduptime list #8174
• Delete a user's invitation code during account deletion #8202
• Bump mimemagic #8231
• Removed support for defunct Uni Heidelberg OSM tile server, Mapbox is now required if you want to show maps #8215
• Render only two fractional digits in the posts per user/day admin statistics #8227
• Make aspect dropdowns scrollable #8213
• Fix Photo#ownserhip_of_status_message validation #8214

Features

• Support and recommend TOML as configuration format #8132

Refactor

• Update the suggested Ruby version to 2.6. If you run into trouble during the update and you followed our installation guides, run rvm install 2.6. #7929

Bug fixes

• Don't link to deleted users in admin user stats #8063
• Properly validate a profile's gender field length instead of failing with a database error. #8127

Security

• Fixes USN-4274-1, a potential Denial-of-Service vulnerability in Nokogiri. #8108

Refactor

• Set better example values for unicorn stdout/stderr log settings #8058
• Replace dependency on rails-assets.org with custom gems cache at gems.diasporafoundation.org #8087

Bug fixes

• Fix error while trying to fetch some sites with invalid OpenGraph data #8049
• Don't show sign up link on mobile when registrations are disabled #8060

Features

• Add cronjob to cleanup pending photos which were never posted #8041

Refactor

• Harmonize markdown titles sizes #8029

Bug fixes

• Improve handling of mixed case hostnames while fetching OpenGraph data #8021
• Fix "remember me" with two factor authentication enabled #8031

Features

• Add line mentioning diaspora* on the splash page #7966
• Improve communication about signing up on closed pods #7896

Refactor

• Enable paranoid mode for devise #8003
• Refactor likes cucumber test #8002

Bug fixes

• Fix old photos without remote url for export #8012

Features

• Add a manifest.json file as a first step to make diaspora* a Progressive Web App #7998
• Allow web+diaspora:// links to link to a profile with only the diaspora ID #8000
• Support TOTP two factor authentication #7751

Refactor

• Replace dandelion.jpg with a public domain photo #7976

Bug fixes

• Fix incorrect post sorting on tag streams and tag searches for tags containing the word "activity" #7959

Refactor

• Improve public stream performance and cleanup unused indexes #7944
• Improve wording of "Toggle mobile" #7926

Bug fixes

• Do not autofollow back a user you are ignoring #7913
• Fix photos gallery when too many thumbnails are shown #7943
• Fix extended profile visibility switch showing the wrong state #7955

Features

• Support ignore users on mobile #7884

Refactor

• Make setting up a development environment 9001% easier by adding a Docker-based setup #7870
• Improve web+diaspora:// handler description #7909
• Move comment timestamp next to author name #7905
• Sharpen small and medium thumbnails #7924
• Show full-res image in Desktop's full-screen image view #7890

Bug fixes

• Ignore invalid URLs for camo #7922
• Unliking a post did not update the participation icon without a reload #7882
• Fix broken Instagram embedding #7920

Features

• Add the ability to assign roles in the admin panel #7868
• Improve memory usage with libjemalloc if available #7919

Fixes a potential cross-site scripting issue with maliciously crafted OpenGraph metadata on the mobile interface.

Refactor

• Remove mention of deprecated statistic.json #7867
• Add quotes in database.yml.example to fields that may contain special characters #7875
• Removed broken, and thus deprecated, Facebook integration #7874

Bug fixes

• Add compatibility with macOS to script/configure_bundler #7830
• Fix comment and like notifications on posts without text #7857 #7853
• Fix issue with some language fallbacks not working correctly #7861
• Make sure URLs are encoded before sending them to camo #7871

Features

• Add web+diaspora:// link handler #7826

Refactor

• Add unique index to poll participations on poll_id and author_id #7798
• Add 'completed at' date to account migrations #7805
• Handle duplicates for TagFollowing on account merging #7807
• Add link to the pod in the email footer #7814

Bug fixes

• Fix compatibility with newer glibc versions #7828
• Allow fonts to be served from asset host in CSP #7825

Features

• Support fetching StatusMessage by Poll GUID #7815
• Always include link to diaspora in facebook cross-posts #7774

Refactor

• Remove the 'make contacts in this aspect visible to each other' option #7769
• Remove the requirement to have at least two users to disable the /podmin redirect #7783
• Randomize start times of daily Sidekiq-Cron jobs #7787

Bug fixes

• Prefill conversation form on contacts page only with mutual contacts #7744
• Fix profiles sometimes not loading properly in background tabs #7740
• Show error message when creating posts with invalid aspects #7742
• Fix mention syntax backport for two immediately consecutive mentions #7777
• Fix link to 'make yourself an admin' #7783
• Fix calculation of content lengths when cross-posting to twitter #7791

Features

• Make public stream accessible for logged out users #7775
• Add account-merging support when receiving an account migration #7803

Fixes a possible cross-site scripting issue with maliciously crafted OpenGraph metadata.

Refactor

• Don't print a warning when starting the server outside a Git repo #7712
• Make script/server work on readonly filesystems #7719
• Add camo paths to the robots.txt #7726

Bug fixes

• Prevent duplicate mention notifications when the post is received twice #7721
• Fixed a compatiblitiy issue with non-diaspora* webfingers #7718
• Don't retry federation for accounts without a valid public key #7717
• Fix stream generation for tagged posts with many followed tags #7715
• Fix incomplete Occitan date localizations #7731

Features

• Add basic html5 audio/video embedding support #6418
• Add the back-to-top button to all pages #7729