Tigris upgrade July 7

Tigris.Org will be upgraded to release 5.3.0.167.1 (that is, 5.3.0 patch 1), beginning at 9:30pm PDT.

The primary purpose of this upgrade is to repair additional mail delivery problems, such as non-delivery.

Release notes for the new base release and patch level are available at OpenCollabnet:

• CollabNet Enterprise Edition 5.3.0
• CollabNet Enterprise Edition 5.3.0, patch 1

Key fixes and upgrades for Tigris users:

• An assortment of Subversion performance improvements
• Proper delivery of single-part Discussion messages
• Discussions can be marked to automatically trust new subscribers
• Auto-deletion of unmoderated and soft-deleted Discussion messages (per-forum setting)
• Configurable size limits on RSS feeds of Discussions
• Time-range deletion controls for Discussion moderators
• Continued improvements in spam blocking and spamhaus deflecting

Other interesting stuff:

• New versions of Subversion (1.6.0) and ViewVC (1.0.7)
• Latest Subversion and Apache security fixes

Site outage

The Tigris.Org site outage last week was traced, over the long weekend, to one missing file related to the recent patch application. The site experienced an additional brief outage to fix that, and the site seems to be healthy now.

Mail-list posting control and CAPTCHA

With the Patch 3 (May 20) update to Tigris (and in some cases, some other, recent upgrades), we introduced several new features to Tigris mail-list management, including posting control and CAPTCHA.

With Posting Control, the mail list administrator can control who is allowed to post to the list. With the Patch 3 changes, this includes separate controls for posts coming via email and posts coming via web. So, for example, the commits@ and issues@ lists in your projects receive internally generated postings (neither web nor email), so you might choose to block posting to them from either source. Then, set the reply-to for these lists to your dev@ list, and you’ve automatically directed all discussion into the light of day.

You know what CAPTCHA is, even if you don’t know you know: it’s those hard-to-read little “type in this word” things that are springing up all over the web. A CAPTCHA guarding the web posting page helps to protect the list against robots and spam: hopefully, they won’t be able to read the image and enter the text.

As embodied in Tigris, CAPTCHA allows the list owner to choose among a range of options:

• By default, CAPTCHA is required for web posts made by people who aren’t logged in (so-called “anonymous” web posts). This is the lowest level of security available, but it covers all the cases we’ve recently experienced.
• If a higher degree of security is wanted, the list admin can require CAPTCHA for all web posts.

With posting control and CAPTCHA, you should be able to become virtually spam-free.

Upgrade May 20

Tigris will be down for an upgrade-patch the evening of May 20 (Pacific time). Precise schedule details will be available shortly.

This patch continues our series of repairs and improvements in several areas, perhaps most notably in the Discussion Services:

Discussions Services:

• Large messages no longer turned into pseudo-attachments (final fix; a partial form is already in place on Tigris)
• Increase default maximum message size limit (to ~10MB)
• Separate “non-logged-in web user” and “non-registered email user” (extensive Discussion configuration changes; see an upcoming post here)
• Provide “allow future posts from this sender” during email-mediated moderation (final fix; temporary fix already in place on Tigris)
• Allow centrally enforcd use of CAPTCHA for anonymous web posts (post about planned Tigris policies upcoming here)
• Enforce security and spam protections on the “other recipients” field of the web-post form (final fix; temporary fix already in place on Tigris)
• Better handling (RFC 2047) of accents and non-English characters in reply-to headers

Subversion:

• Svnsync now does not choke on certain data
• Non-expiring passwords no longer expire anyway

Wiki:

• Security enhancement relating to a guest-access Denial of Service
• Security enhancement to block server-side test

Site:

• Performance enhancements in page loading, particularly for clients with high latency or low bandwidth
• Project News RSS URL backwards-compatibility redirect

Project Pages:

• Now able to invoke a Project Tracker “named saved query”
• Project Pages: Project Tracker “Return to list view” now works
• Now able to use a Project Tracker “saved query” containing an apostrophe

Project Tracker:

• Mixed-field queries with null fields now work
• API: protect against embedded invalid XML data
• API: annotate private (non-accessible to this user) related artifacts
• API: proper pagination of long result lists

Yahoo blockages clear

Yahoo mail services have notified us that the spam-related mail blockages are now cleared. Yahoo-based subscribers should be receiving Tigris email properly again.

Scattered mail failures

We’ve discovered that selected email addresses at Yahoo have been blocked (by Yahoo) due to the spam that leaked through our lists lately. Now that we have the leakage under control, we are working with Yahoo to clear up the blockage.

Watch here (or follow tigrisdotorg on Twitter) for further details.

At this time, these Yahoo addresses are the last ones we know of with such blocking. If you have any evidence of other addresses being blocked, please let us know, by email to “feedback” at Tigris dot Org.

Service semi-outage

For about half the day today, Tigris.Org was spottily unavailable, and a great deal of mail that should have passed through Tigris was queued up at the sending sites. The site itself was actually fit as a fiddle, but the DNS arrangements suffered a service interruption due to some damage to the local network backbone.

Service was restored mid-afternoon, and CollabNet (our hosts) are taking extra steps to make sure this sort of thing doesn’t happen again.