<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="chrome=1"> <link rel="stylesheet" href="/stylesheets/styles.css"> <link rel="stylesheet" href="/stylesheets/pygment_trac.css"> <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon"> <script src="/javascripts/scale.fix.js"></script> <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no"><!--[if lt IE 9]><script src="//html5shiv.googlecode.com/svn/trunk/html5.js"></script><![endif]--> <title>Blog - pump.io</title> <!-- TODO: apparently this technically isn't allowed to be relative but it seems to work fine, soooo...--> <link rel="alternate" type="application/rss+xml" href="index.rss"> </head> <body> <div class="wrapper"> <header> <h1 class="header"><a href="/">pump.io</a></h1> <p class="header">Social server with an ActivityStreams API</p> <ul> <li><a class="buttons" href="/tryit.html">Try It Now</a></li> <li class="download"><a class="buttons" href="https://pumpio.readthedocs.io/en/latest/sysadmins.html#installation-instructions">Install</a></li> <li><a class="buttons github" href="https://github.com/pump-io/pump.io">View On GitHub</a></li> </ul> <p class="header">This project is maintained by <a class="header name" href="https://github.com/pump-io">pump.io contributors</a></p> </header> <section> <div class="h-feed"> <h2 class="p-name">Blog</h2> <p id="postsFrom">Show only <a href="/blog/2016/">2016</a> <a href="/blog/2017/">2017</a> <a href="/blog/2018/">2018</a> <a href="/blog/2019/">2019</a> <a href="/blog/2020/">2020</a> <a href="/blog/2021/">2021</a> </p> <article class="h-entry" itemscope="itemscope" itemtype="http://schema.org/BlogPosting"><a href="/blog/2021/06/pump.io-irc"> <h2 class="p-name">#pump.io is moving IRC networks</h2></a> <p class="post-metadata">Published by AJ Jordan on <a href="/blog/2021/06/">June</a> 1, <a href="/blog/2021/">2021</a> in <a class="p-category" 
href="/blog/category/community/">community</a> </p> <div class="e-content"><p>The pump.io project has maintained a <code>#pump.io</code> IRC channel <a href="https://github.com/pump-io/pump.io/issues/481#issuecomment-15366249">since 2013</a>. Until now that channel has happily existed on the Freenode IRC network, but due to the recent changes to Freenode, the prior arrangement has become untenable. Therefore, effective June 1st, 2021, the official, canonical home for pump.io's IRC presence is on <a href="https://libera.chat/">Libera.Chat</a> in the <code>#pump.io</code> channel.</p> <p>Libera has extensive documentation for connecting to their network and we encourage everyone to move over to the Libera channel at your earliest convenience. In this interim period, the bot that bridges our XMPP room with our IRC channel has been configured to also bridge the Freenode channel with the Libera channel, such that if you send a message in any of those three places (the XMPP room, Freenode channel, or Libera channel) it will show up in the other two. However, this bridging is provided on a best-effort basis - we can't commit to running it long-term, both because we expect that people will eventually abandon the Freenode channel and because Freenode itself may force us to sever ties with them if they make <a href="https://www.gentoo.org/news/2021/05/26/gentoo-freenode-channels-hijacked.html">another</a> hostile move to seize channels that have migrated to Libera. Even aside from that, the Libera channel will provide a much better experience because things like nickname tab-completion will work.</p> <p><code>#pump.io</code>'s friendly IRC bot, <a href="https://github.com/pump-io/pumabot">pumabot</a>, has also been configured to connect to Libera instead of Freenode, and all relevant project documentation has been updated. Additionally, we are in the process of getting officially registered with Libera, which opens up the possibility of having e.g. 
pump.io cloaks.</p> <p>Thank you to the Freenode team for 8 wonderful years of IRC hosting - we really appreciate it, and we're so grateful that so many of you have moved to Libera to continue to support the FOSS community.</p> <pre><code>&#x3C;strugee> INFO #pump.io
-ChanServ- Information on #pump.io:
-ChanServ- Founder    : evanpro
-ChanServ- Registered : Mar 24 18:34:29 2013 (8y 10w 0d ago)
-ChanServ- Mode lock  : +ntc-slk
-ChanServ- *** End of Info ***
</code></pre> <p>See you all on the other side!</p> </div> </article> <hr> <article class="h-entry" itemscope="itemscope" itemtype="http://schema.org/BlogPosting"><a href="/blog/2020/09/pump.io-5.1.4-and-5.0.4-security-releases"> <h2 class="p-name">pump.io 5.1.4 and 5.0.4 security releases are now available</h2></a> <p class="post-metadata">Published by AJ Jordan on <a href="/blog/2020/09/">September</a> 18, <a href="/blog/2020/">2020</a> in <a class="p-category" href="/blog/category/releases/">releases</a> and <a class="p-category" href="/blog/category/security/">security</a> </p> <div class="e-content"><p>Another day, another <a href="https://github.com/cure53/DOMPurify">DOMPurify</a> security release.</p> <p>DOMPurify - which pump.io uses to protect against cross-site scripting vulnerabilities - today released version 2.0.16, which per the <a href="https://github.com/cure53/DOMPurify/releases/tag/2.0.16">release notes</a> fixes "an mXSS-based bypass caused by nested forms inside MathML" in Chrome. 
So, as we usually do, the pump.io project is publishing a release that makes 2.0.16 the minimum required DOMPurify version, to make sure everyone running pump.io gets this patch.</p> <p>Per our <a href="https://github.com/pump-io/pump.io/wiki/Security">security support policy</a>, we're making patches available for both the current and previous stable releases:</p> <ol> <li>pump.io 5.1.3 has been updated to pump.io 5.1.4</li> <li>pump.io 5.0.3 has been updated to pump.io 5.0.4</li> </ol> <p>All administrators should upgrade as soon as possible since these are security releases. The risk that something will break from the upgrade is extremely low since both 5.1.4 and 5.0.4 are drop-in replacements for their predecessors. If you installed pump.io 5.1 using npm - our recommended configuration - you can upgrade with:</p> <pre><code>$ npm install -g pump.io@5 </code></pre> <p>If you're still running pump.io 5.0, we recommend that you take this opportunity to upgrade to pump.io 5.1 by using the above command - it's a drop-in replacement, and will require no intervention on your part. However, if you want to stick with 5.0 for now, you can install a patched version with:</p> <pre><code>$ npm install -g pump.io@5.0 </code></pre> <p>On the other hand, if you have a source-based install, the above commands won't work and you will need to upgrade however you usually do. 
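Whichever way pump.io was installed, the thing worth verifying afterwards is the DOMPurify version that actually got resolved into the install, since that floor is what these releases raise. The shell helper below is an added example and is not code from this post or from pump.io itself; it assumes that a global npm install lives at <code>$(npm root -g)/pump.io</code> and a source checkout at its own directory, with DOMPurify under <code>node_modules/dompurify</code> beneath that root, and it builds a constructed sample tree so that it runs without a real install. The same check, with that advisory's floor version in place of 2.0.16, applies to the October 2019 DOMPurify releases further down this page.

```shell
#!/bin/sh
# Added example, not pump.io project code: check that the DOMPurify copy an
# installed pump.io resolves is at or above the version floor from the advisory.
# Inspects the installed package.json, so it works for npm -g and source installs.

# semver_ge A B: returns 0 when dotted version A >= B. Pre-release/build suffixes
# (after "-" or "+") are ignored; missing components are treated as 0.
semver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[-+].*$/, "", a); sub(/[-+].*$/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# pkg_version FILE: print the "version" field of a package.json (no jq needed).
pkg_version() {
    sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# check_dompurify_floor ROOT MIN: ROOT is the pump.io install directory
# (assumed layout: ROOT/node_modules/dompurify/package.json).
# Returns 0 if patched, 1 if the installed version is below MIN, 2 if not found.
check_dompurify_floor() {
    manifest="$1/node_modules/dompurify/package.json"
    if [ ! -f "$manifest" ]; then
        echo "no dompurify package.json under $1 (run npm install in a source checkout?)" >&2
        return 2
    fi
    installed=$(pkg_version "$manifest")
    if semver_ge "$installed" "$2"; then
        echo "dompurify $installed >= $2: patched"
        return 0
    fi
    echo "dompurify $installed < $2: still vulnerable, upgrade pump.io" >&2
    return 1
}

# make_sample_install VERSION: constructed stand-in for $(npm root -g)/pump.io
# containing only a dompurify package.json with the given version; prints the path.
make_sample_install() {
    dir=$(mktemp -d)
    mkdir -p "$dir/node_modules/dompurify"
    printf '{\n  "name": "dompurify",\n  "version": "%s"\n}\n' "$1" \
        > "$dir/node_modules/dompurify/package.json"
    printf '%s\n' "$dir"
}

# Demonstration on the constructed tree. Against a live install use instead:
#   check_dompurify_floor "$(npm root -g)/pump.io" 2.0.16
demo_root=$(make_sample_install 2.0.16)
check_dompurify_floor "$demo_root" 2.0.16
```

Exit status 1 means the sanitizer is still below the floor even though pump.io itself may report a patched version (a stale lockfile in a source checkout can do that); exit status 2 means DOMPurify was not where the assumed layout puts it, which for a source install usually means <code>npm install</code> has not been run in the checkout.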
The right procedure will depend on how exactly you installed pump.io in the first place.</p> <p>If you need help, or if you have questions about these security releases, <a href="https://github.com/pump-io/pump.io/wiki/Community">the community</a> is always happy to help.</p> </div> </article> <hr> <article class="h-entry" itemscope="itemscope" itemtype="http://schema.org/BlogPosting"><a href="/blog/2019/10/pump.io-dompurify-security-fixes-available"> <h2 class="p-name">pump.io DOMPurify security fixes available</h2></a> <p class="post-metadata">Published by AJ Jordan on <a href="/blog/2019/10/">October</a> 15, <a href="/blog/2019/">2019</a> in <a class="p-category" href="/blog/category/releases/">releases</a> and <a class="p-category" href="/blog/category/security/">security</a> </p> <div class="e-content"><p>Recently the cross-site-scripting sanitization library that pump.io uses, <a href="https://github.com/cure53/DOMPurify">DOMPurify</a>, published several security advisories for mXSS vulnerabilities affecting browsers based on the Blink rendering engine - you can find the latest one, for example, <a href="https://lists.ruhr-uni-bochum.de/pipermail/dompurify-security/2019-October/000012.html">here</a>. As we've done in the past, the pump.io project is publishing security releases to ensure that everyone is using the latest version of DOMPurify. Per our <a href="https://github.com/pump-io/pump.io/wiki/Security">security support policy</a>, we are providing patches for the current stable release and the previous stable release:</p> <ol> <li>pump.io 5.1.2 has been updated to pump.io 5.1.3</li> <li>pump.io 5.0.2 has been updated to pump.io 5.0.3</li> </ol> <p>As these are security releases, we encourage administrators to upgrade as soon as possible. Both 5.1.3 and 5.0.3 are drop-in replacements for their predecessors. 
If you have pump.io 5.1 installed via npm - our recommended configuration - you can upgrade with:</p> <pre><code>$ npm install -g pump.io@5 </code></pre> <p>If you're on pump.io 5.0, we recommend that you also run the above command to upgrade to 5.1 - it's a drop-in replacement for 5.0. However, if you want to stick with 5.0 for the time being, you can install a patched version with:</p> <pre><code>$ npm install -g pump.io@5.0 </code></pre> <p>Note that if you have a source-based install, the above commands won't work and you will need to upgrade however you usually do - this will depend on how exactly you have pump.io set up.</p> <p>If you need help, or if you have questions about these security releases, get in touch with <a href="https://github.com/pump-io/pump.io/wiki/Community">the community</a>.</p> </div> </article> <hr> <article class="h-entry" itemscope="itemscope" itemtype="http://schema.org/BlogPosting"><a href="/blog/2018/05/pump.io-5.1.1-docker-images-and-node-4"> <h2 class="p-name">pump.io 5.1.1, Docker images, and sunsetting Node 4 support</h2></a> <p class="post-metadata">Published by AJ Jordan on <a href="/blog/2018/05/">May</a> 5, <a href="/blog/2018/">2018</a> in <a class="p-category" href="/blog/category/releases/">releases</a> </p> <div class="e-content"><p>It's been a (relatively) long time since we've put anything on this blog, and I think it's high time for an update - especially since there are so many exciting things afoot! Not only is pump.io 5.1.1 now on npm, but we have new experimental Docker images! 
With <a href="https://medium.com/the-node-js-collection/april-2018-release-updates-from-the-node-js-project-71687e1f7742">upstream having already dropped security support</a>, we're also planning to drop support for Node 4 soon.</p> <p>Let's take these one at a time.</p> <h3>pump.io 5.1.1</h3> <p>Several months ago I <a href="https://github.com/pump-io/pump.io/pull/1438">landed</a> a patch from contributor <a href="https://github.com/vxcamiloxv">Camilo QS</a> fixing a bug in pump.io's session handling in a route serving uploads. This bug made it so that non-public uploads would always return HTTP 403 Forbidden, even if the user actually <em>was</em> authorized. Clearly, this makes uploads unusable for people who don't like to post everything publicly. <a href="https://identi.ca/evan">Evan</a> suggested that we should backport this bugfix since it's so high-impact, and I agree. So that's what pump.io 5.1.1 contains: a bugfix for uploads. Since it's a patch release, 5.1.1 is a drop-in replacement for any 5.x pump.io release, so I'd highly encourage administrators to upgrade as soon as it's convenient. We'd also love it if you <a href="https://github.com/pump-io/pump.io/issues">file any bugs you find</a>, and feel free to get in touch with the <a href="https://github.com/pump-io/pump.io/wiki/Community">community</a> if you need help or have questions. As a reminder, you can subscribe to our <a href="https://lists.strugee.net/mailman/listinfo/pumpio-announce">low-volume announce mailing list</a> to get email when we put out new releases like this. Also, I would be remiss if I didn't mention that my signing key setup has changed temporarily - see <a href="https://strugee.net/blog/2018/04/new-temporary-signing-keys">here</a> if you want to cryptographically verify the 5.1.1 release.</p> <p>If you're on an npm-based install, you can upgrade with <code>npm install -g pump.io@5.1.1</code>. 
If you're on a source-based install, you can upgrade by integrating the latest commits in the <code>5.1.x</code> branch. See <a href="https://github.com/pump-io/pump.io/blob/master/CHANGELOG.md#511---2018-05-05">here</a> for the changelog.</p> <p>But that's not all. pump.io 5.1.1 also includes another exciting change: with this release, we've integrated automation to release pump.io Docker images too.</p> <h3>Docker images</h3> <p>We've wanted to release pump.io Docker images for <a href="https://github.com/pump-io/pump.io/issues/789">a long time</a>. But Docker has a well-known problem: security vulnerabilities in Docker Hub images <a href="https://www.infoq.com/news/2015/05/Docker-Image-Vulnerabilities">are</a> <a href="https://blog.acolyer.org/2017/04/03/a-study-of-security-vulnerabilities-on-docker-hub/">rampant</a>. Even though we've had a <code>Dockerfile</code> in the repository <a href="https://github.com/pump-io/pump.io/pull/1348">for a while</a> thanks to contributor <a href="https://github.com/JanKoppe">thunfisch</a>, we didn't want to release official Docker images if we weren't sure we could always provide security support for them.</p> <p>Unfortunately, Docker the company has done very little to address this problem. Most of their solutions are aimed at image consumers, not authors. Docker Hub has <em>some</em> capacity for automatically rebuilding images, but unfortunately, it's not enough and you end up having to roll everything yourself anyway. Pretty disappointing - so we had to get creative.</p> <p>Our solution to this problem is to utilize Travis CI's <a href="https://docs.travis-ci.com/user/cron-jobs/">cron functionality</a>. Every day, Travis will automatically trigger jobs that do nothing but build pump.io Docker images. These images are then pushed to Docker Hub. If nothing has changed, Docker Hub recognizes that the "new" images are actually identical to what's already there, and nothing happens. 
But if there <em>has</em> been a change, like a native dependency receiving a security update, then the image ID will change and Docker Hub will accept the updated image. This cronjob is enabled for the <code>5.1.x</code> branch and master (which, as a side effect, means that alpha Docker images are published within 24 hours of a git push), and in the future it will be enabled on all branches that we actively support. Thus, Docker users who automate pulling and redeploying the image can ensure that a known-insecure image stays in service for, at most, about 24 hours plus their own pull interval.</p> <p>If you're interested in trying out the Docker images, we'd love to know how it goes. They should still be treated as experimental at the moment, and early feedback would be super useful. You can read more details in our <a href="https://pumpio.readthedocs.io/en/latest/installation/about-docker-images.html">ReadTheDocs documentation</a>.</p> <p>Note that there are still more changes that we'd like to make to the Docker images. These changes didn't make it into the 5.1.1 packaging since they felt too invasive for a patch release. Instead, we plan to make them in the next release, which is planned to be semver-major. Which brings me neatly to the last topic...</p> <h3>Sunsetting Node 4, 5, and 7 support</h3> <p>We had a good run, but it's time to say goodbye: Node.js upstream has <a href="https://medium.com/the-node-js-collection/april-2018-release-updates-from-the-node-js-project-71687e1f7742">marked</a> Node 4.x as end-of-life, and in accordance with our <a href="https://github.com/pump-io/pump.io/wiki/Node.js-version-support">version policy</a>, we're doing the same. Since this is a semver-major change, we're also taking the opportunity to drop support for Node 5.x and Node 7.x. 
These changes have been made as of commit <a href="https://github.com/pump-io/pump.io/commit/32ad78812ed767621418b8dd57f11ce86a01b49f">32ad78</a>, and soon we'll be ripping out old code used to support these versions, as well as upgrading dependencies that have recently started requiring newer Nodes.</p> <p>Anyone still on these versions is encouraged to upgrade as soon as possible, as Node.js upstream is no longer providing security support for them. Administrators can use the <a href="https://github.com/nodesource/distributions">NodeSource</a> packages, or they can try out our new Docker images, which use a modern Node version internally.</p> <p>Please reach out to the <a href="https://github.com/pump-io/pump.io/wiki/Community">community</a> if you need any help making the transition. And good luck!</p> </div> </article> <hr> <article class="h-entry" itemscope="itemscope" itemtype="http://schema.org/BlogPosting"><a href="/blog/2018/01/pump.io-5.1-stable-published-to-npm"> <h2 class="p-name">pump.io 5.1 stable published to npm</h2></a> <p class="post-metadata">Published by AJ Jordan on <a href="/blog/2018/01/">January</a> 6, <a href="/blog/2018/">2018</a> in <a class="p-category" href="/blog/category/releases/">releases</a> </p> <div class="e-content"><p>Last night I officially published pump.io 5.1 to npm as a stable release!</p> <p>As I wrote in the beta announcement, this release contains a variety of improvements:</p> <ul> <li><a href="/blog/2017/08/zero-downtime-restarts-have-landed">Zero-downtime restarts</a>, which allows administrators to seamlessly roll over to new configurations and codebases</li> <li>The daemon now generates startup log warnings on bad configurations, including insecure <code>secret</code> values and internal parameters</li> <li>An official <code>Dockerfile</code> is now included with the release</li> <li>The logged-out mobile homepage's menu icon is no longer incorrectly styled as black</li> <li>An authorization problem with SockJS 
connections has been fixed</li> </ul> <p>5.1 stable <em>does</em> include one change the beta didn't: a bump to the version of the <code>gm</code> npm package which we depend on. This bump was done as a precautionary measure, as previous versions of <code>gm</code> depended on a version of the <code>debug</code> module which was vulnerable to denial-of-service security bugs.</p> <p>As a project, we addressed these bugs <a href="/blog/2017/10/denial-of-service-security-fixes-now-available">back in October</a> when we issued security releases for all supported release branches, and at the time we confirmed that the vulnerable function wasn't used by <code>gm</code>. Today's <code>gm</code> bump does <em>not</em> constitute a security release; instead, we're just bumping the version as a precautionary measure in case we missed something in October's assessment of the situation.</p> <p>Aside from the <code>gm</code> bump, there are (as usual) miscellaneous version bumps included in this release. We've also started tracking test suite coverage information and have overhauled our <a href="https://pumpio.readthedocs.io/">documentation on ReadTheDocs</a>, moving most of the in-repository documentation there.</p> <p>If you want even more details of this release, you can also check out <a href="https://github.com/pump-io/pump.io/blob/master/CHANGELOG.md#510---2018-01-05">the changelog</a>.</p> <p>pump.io 5.1 is a drop-in replacement for 5.0. That means if you're using our recommended installation method and installing from npm, you can upgrade with <code>npm install -g pump.io@5.1</code>. If you have a source-based install, you should merge and/or switch to the <code>v5.1.0</code> tag. 
And as always, if you encounter any problems, please feel free to reach out to the <a href="https://github.com/pump-io/pump.io/wiki/Community">community</a> or <a href="https://github.com/pump-io/pump.io/issues">file bugs you find</a>.</p> <p>Finally, I would be remiss if I didn't point out that pump.io has a <strong>brand-new announcement mailing list</strong>! While the blog is great for announcing new releases, not everyone finds it convenient to check. Also, if we issue new betas in the middle of a release cycle, these aren't typically announced on the blog. Therefore, in the future <em>all</em> new releases will be announced on the mailing list, not just initial betas. If you want to subscribe to the mailing list, you may do so <a href="https://lists.strugee.net/mailman/listinfo/pumpio-announce">here</a> - you'll get announcements of new releases only, not e.g. feature announcements as seen on this blog. I hope people find this service useful!</p> </div> </article> <hr> <div id="pages-footer"> <p><span class="disabled-arrow">←</span> ⋅ Page 1 out of 5 ⋅<a href="page/2">→</a></p> </div> </div> </section> <footer> <p><small>Hosted on <a href="https://pages.github.com">GitHub Pages</a> using the Dinky theme</small></p> </footer> </div><!--[if !IE]><script>fixScale(document);</script><![endif]--> </body> </html>