Announcing Offpunk 1.8

Message ID
DKIM signature
Download raw message
# Releasing Offpunk 1.8, "community edition"

This release is very special as it is the first release driven by the
community. I’ve received non-trivial patches from 4 contributors. Wow,
thank you. I guess that we can now safely say that there’s such a thing
as an "offpunk community".

## Move to sourcehut.

With this release, we officially move everything to sourcehut. Git,
mailing-lists and tickets. The fact that I received all those patches on
the sourcehut mailing-list illustrates that this is a good decision. I’m
really sorry for having changed so often.

More explanations about that here:

I’m also deeply grateful for the people contributing to offpunk-users.
The list is alive and useful. The community is growing. I also see
offpunk mentionned on Mastodon. When I started Offpunk, it was a tool
only for myself. But it is a great feeling to see it could be useful to
others. I have this quite familiar feeling that the project is slowly
escaping me to become a true community project. Which is great (even if
I plan to stay the benevolent dictator ;-) )

## Security fix

For several months, a potential security issue had been reported against
offpunk. It would have been theoritically possible to craft an url that
could, in some circumstances, run a shell command. This was never proved
to work and the issue was not entirely clear to me.

Maeve Sproule offered a much needed fix for this problem, working
tirelessy on his patch and closing the infamous bug #9. Which was also
the last bug opened on notabug. Fixing this bug was needed in order to
fully migrate to sourcehut.

As a result, upgrading to 1.8 is highly recommended.

## Finger protocol

Sotiris Papatheodorou implemented support for the finger protocol, which
seems to be all the rage those days in the smolnet community. Thanks a
lot. For finger related bugs and features in offpunk, contact him!

## Bug fixes and small improvements

Marty Oehme and Ben Winston managed quite an achievement: they caught
differents bug I didn’t know abound and fixed them. I only had to
accept their patches. Thanks a lot for this!

## Full changelog

- Official URL is now https://sr.ht/~lioploum/offpunk/
- SECURITY: Avoid passing improperly-escaped paths to shell (fixes notabug #9) (by Maeve Sproule)
- Add support for the finger protocol (by Sotiris Papatheodorou)
- "restricted" mode has been removed because unmaintained (code cleanup)
- "set accept_bad_ssl_certificates True" allows to lower HTTPS SSL requirements (also with --assume-yes)
- Accept "localhost" as a valid URL
- Better feedback when --sync an URL which is streaming
- Removed cgi dependency (soon deprecated)
- Fix: crash with some svg data:image (which are now ignored)
- Fix images from "full" mode not being downloaded
- Fix a crash when ls on empty page (thanks Marty Oehme)
- Fix: A variable was not initialised without python-cryptography
- Fix: "cp raw" was not accessing the temp_file correctly
- Fix: ANSI handling off arrows in readline (by Ben Winston)

## For packagers

No change in dependencies nor in the packaging format. Upgrade should be

Ploum - Lionel Dricot
Blog: https://www.ploum.net
Livres: https://ploum.net/livres.html
Reply to thread Export thread (mbox)