Opened 2 years ago

Closed 15 months ago

#11793 closed Task/To do item (fixed)

Roundcube 1.2 upgrade

Reported by: https://id.mayfirst.org/srevilak
Owned by: https://id.mayfirst.org/srevilak
Priority: Medium
Component: Tech
Keywords: roundcube
Cc:
Sensitive: no

Description

A new version of roundcube is available. We should upgrade.

From: Thomas Bruederli <thomas@roundcube.net>
To: Roundcube Announce List <announce@lists.roundcube.net>
Subject: [Roundcube Announce] Roundcube Webmail 1.2.0 released
Message-ID: <CAO3naw4MK0RazgSfr2rO5i=_sLBbiPuqbgsbJLKHn1mp_BCnQQ@mail.gmail.com>

Dear subscribers

Today we proudly announce the stable version 1.2.0 of Roundcube
Webmail which is now available for download. It introduces new
features since version 1.1 covering security and PGP encryption
topics:

- PHP7 compatibility
- PGP encryption
- Drag-n-drop attachments from mail preview to compose window
- Mail messages searching with pre-defined date interval
- Improved security measures to protect from brute-force attacks

And of course plenty of small improvements and bug fixes.

There wasn't much feedback on the 1.2-beta version and the release
candidate which we consider a good sign. Some cleanup and
stabilization of the Enigma plugin just happened for the now stable
version.

As already announced with the 1.2-beta release [1], PGP encryption
comes in two flavors: client-side using the Mailvelope browser
extension and server-side with the Enigma plugin using GnuPG on the
server.

Support with the Mailvelope browser plugin comes out of the box and is
automatically enabled if the Mailvelope API is detected in a user’s
browser. The Mailvelope documentation [2] explains how to enable it
for your site.

The features of the Enigma plugin, which comes with the release
package and simply needs to be activated for your Roundcube
installation are explained in Alec's blog post [3].

With the release of Roundcube 1.2.0, the previous stable release
branches 1.0.x and 1.1.x will switch into LTS low maintenance mode
which means they will only receive important security updates but no
longer any regular improvements from upstream.

See the complete Changelog in our wiki [4] and download the new
packages from https://roundcube.net/download.

Roundcube 1.2.0 is considered stable and we recommend to update all
productive installations of Roundcube. As usual, don’t forget to
backup your data before updating ;-)

Best,
Thomas


[1] https://roundcube.net/news/2015/11/23/roundcube-webmail-1.2-beta-out-now
[2] https://www.mailvelope.com/en/help#watchlist
[3] https://kolabian.wordpress.com/2015/10/13/enigma-plugin-pgp-encryption/
[4] https://github.com/roundcube/roundcubemail/wiki/Changelog

Change History (6)

comment:1 Changed 2 years ago by https://id.mayfirst.org/srevilak

  • Owner set to https://id.mayfirst.org/srevilak
  • Status changed from new to assigned

comment:2 Changed 16 months ago by https://id.mayfirst.org/srevilak

Code prep for roundcube 1.2 update

New branch, to correspond to new upstream branch

git checkout -b mfpl-release-1.2 origin/release-1.2

Changes unique to the mfpl-release-1.1 branch

0 sunny:roundcube$ git log --oneline 1.1.8...roundcube-1.1.8-mfpl2
a6d688f pear repository should use https, not http
ee8d5ab added
9f5c386 updated composer
0dd3b1b Merge tag '1.1.8' into mfpl-release-1.1
84725d1 Merge tag '1.1.7' into mfpl-release-1.1
1301f37 removed no-longer-needed horde plugins https://support.mayfirst.org/ticket/11299
9a9b4a0 Merge tag '1.1.5' into mfpl-release-1.1
8371aac composer.phar => 72cd6afdfce16f36a9fd786bc1b2f32b851e764f
7168a1b composer.json update.  net_smtp 1.6.3 -> 1.7.1
8fbe0d4 Merge tag '1.1.4' into mfpl-release-1.1
3866416 cp composer.json-dist composer.json
abcf7fff  Missing ^%%$^^&*!#!#@ comma.  Sigh
7d4b092 updated composer.json, based on feedback from roundcube's update.sh
a7f25ba composer.phar Updating to version c9501a4cc164b176de48e44b239e619cfd5f14e5
7b1e960 Merge tag '1.1.3' into mfpl-release-1.1
c037dcc removed variables where we are not overriding default values
e0c4faa Removed "johndoh/sieverules": "dev-release-2.2"
124d783 removed sieverules plugin
2dabb66 usetls
30d92ba first pass at managesieve plugin configuration.  Not working yet.
e840c2a stock config.inc.php
d4e2724 composers's self-modifications, after installing sieve plugin
a3ce719 forbid access to composer.phar, composer.lock, or composer's `vendor' directory
1a9114e added sieverules plugin
016b2ba added johndoh/sieverules
2c136b5 added composer.phar
cdf0876 don't ignore composer files
213378f unmodified composer.json
f697fff Merge tag '1.1.2' into mfpl-release-1.1
47c565e Merge remote-tracking branch 'gmo/mfpl-release-1.1' into mfpl-release-1.1
ab51f8e (fetch_identity_objects): avoid redundant call to unserialize
4fb5a18 Adding two plugins: import_horde_contacts, import_horde_identities
52a3d9c (fetch_identity_objects): avoid redundant call to unserialize
cd41b88 Adding two plugins: import_horde_contacts, import_horde_identities

Cherry picked a change, where I'd added some rewrite rules to .htaccess

0 sunny:roundcube$ git cherry-pick a3ce719e469c9f51fb93c82fd75996588ce06777
[mfpl-release-1.2 5494879] forbid access to composer.phar, composer.lock, or composer's `vendor' directory
 Author: Roundcube Dev <roundcube-dev@stallman.mayfirst.org>
 Date: Sat Jul 4 18:54:00 2015 -0400
 1 file changed, 2 insertions(+)

The plugins/managesieve/config.inc.php we were using was very different from 1.2's plugins/managesieve/config.inc.php.dist. Copied config.inc.php.dist to config.inc.php, and manually merged in our configuration values.

We're only using two plugins

  • new_user_dialog
  • managesieve

Now we've got the managesieve plugin configured. new_user_dialog doesn't have a config.inc.php.

Here's a short article on gnupg support in roundcube 1.2

https://kolabian.wordpress.com/2015/10/13/enigma-plugin-pgp-encryption/

In this case, keys are stored on the server, and the plugin runs gpg on the server. I'm not going to enable this yet -- I want to learn more about how it works, and talk things over with the support-team list. Specifically, this

// Keys directory for all users. Default 'enigma/home'.
// Must be writeable by PHP process
$config['enigma_pgp_homedir'] = null;

I'm kind of curious to see if roundcube can verify signed messages, even without keys present.

comment:3 Changed 16 months ago by https://id.mayfirst.org/srevilak

roundcube-dev initial installation

Final check: what's different between the 1.2.4 tag and origin/release-1.2?

0 sunny:managesieve$ git log 1.2.4...origin/release-1.2 

Let's push this to roundcube-dev, and try it out.

0 sunny:managesieve$ git push gmo mfpl-release-1.2
Counting objects: 22, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (21/21), done.
Writing objects: 100% (22/22), 479.31 KiB | 0 bytes/s, done.
Total 22 (delta 12), reused 0 (delta 0)
remote: -------------------- Monkeysphere warning -------------------
remote: Monkeysphere found OpenPGP keys for this hostname, but none had full validity.
remote: An OpenPGP key matching the ssh key offered by the host was found:
remote: 
remote: pub   2048R/0x7289694B648C92DA 2010-09-10
remote: uid                 [ unknown] ssh://moses.mayfirst.org
remote: sig!3        0x7289694B648C92DA 2010-09-10  ssh://moses.mayfirst.org
remote: sig!      X  0xCCD2ED94D21739E9 2010-11-13  Daniel Kahn Gillmor <dkg@fifthhorseman.net>
remote: sig!      X  0xCCD2ED94D21739E9 2012-09-21  Daniel Kahn Gillmor <dkg@fifthhorseman.net>
remote: sig!         0xA014C05A607B7535 2014-01-09  James McClelland <jamie@mayfirst.org>
remote: sig!      X  0xCCD2ED94D21739E9 2014-09-24  Daniel Kahn Gillmor <dkg@fifthhorseman.net>
remote: RSA key fingerprint is 58:c3:18:4b:11:e2:ab:17:e0:34:66:b5:f6:7a:81:4a.
remote: 
remote: -------------------- ssh continues below --------------------
remote: Host key verification failed.
remote: fatal: The remote end hung up unexpectedly
To ssh://gitosis@git.mayfirst.org/mfpl/roundcube
 * [new branch]      mfpl-release-1.2 -> mfpl-release-1.2
0 sunny:managesieve$ git push gmo --tags
Counting objects: 1, done.
Writing objects: 100% (1/1), 820 bytes | 0 bytes/s, done.
Total 1 (delta 0), reused 0 (delta 0)
remote: -------------------- Monkeysphere warning -------------------
remote: Monkeysphere found OpenPGP keys for this hostname, but none had full validity.
remote: An OpenPGP key matching the ssh key offered by the host was found:
remote: 
remote: pub   2048R/0x7289694B648C92DA 2010-09-10
remote: uid                 [ unknown] ssh://moses.mayfirst.org
remote: sig!3        0x7289694B648C92DA 2010-09-10  ssh://moses.mayfirst.org
remote: sig!      X  0xCCD2ED94D21739E9 2010-11-13  Daniel Kahn Gillmor <dkg@fifthhorseman.net>
remote: sig!      X  0xCCD2ED94D21739E9 2012-09-21  Daniel Kahn Gillmor <dkg@fifthhorseman.net>
remote: sig!         0xA014C05A607B7535 2014-01-09  James McClelland <jamie@mayfirst.org>
remote: sig!      X  0xCCD2ED94D21739E9 2014-09-24  Daniel Kahn Gillmor <dkg@fifthhorseman.net>
remote: RSA key fingerprint is 58:c3:18:4b:11:e2:ab:17:e0:34:66:b5:f6:7a:81:4a.
remote: 
remote: -------------------- ssh continues below --------------------
remote: Host key verification failed.
remote: fatal: The remote end hung up unexpectedly
To ssh://gitosis@git.mayfirst.org/mfpl/roundcube
 * [new tag]         roundcube-1.2.4-mfpl1 -> roundcube-1.2.4-mfpl1

Pull code down to roundcube-dev

0 roundcube-code@stallman:/srv/roundcube-dev$ git fetch gmo
remote: Counting objects: 8582, done.
remote: Compressing objects: 100% (3003/3003), done.
Receiving objects: 100% (7280/7280), 3.25 MiB | 1.53 MiB/s, done.
remote: Total 7280 (delta 5077), reused 6167 (delta 4013)
Resolving deltas: 100% (5077/5077), completed with 513 local objects.
From git://git.mayfirst.org/mfpl/roundcube
 * [new branch]      mfpl-release-1.2 -> gmo/mfpl-release-1.2
 * [new tag]         roundcube-1.2.4-mfpl1 -> roundcube-1.2.4-mfpl1
 * [new tag]         1.2-beta   -> 1.2-beta
 * [new tag]         1.2-rc     -> 1.2-rc
 * [new tag]         1.2.0      -> 1.2.0
 * [new tag]         1.2.1      -> 1.2.1
 * [new tag]         1.2.2      -> 1.2.2
 * [new tag]         1.2.3      -> 1.2.3
 * [new tag]         1.2.4      -> 1.2.4

0 roundcube-code@stallman:/srv/roundcube-dev$ git tag -v roundcube-1.2.4-mfpl1

0 roundcube-code@stallman:/srv/roundcube-dev$ git checkout roundcube-1.2.4-mfpl1
Previous HEAD position was a6d688f... pear repository should use https, not http
HEAD is now at 862a5e4... configuration changes for managesieve

Update composer dependencies

0 roundcube-code@stallman:/srv/roundcube-dev$ php composer.phar update --no-dev
Loading composer repositories with package information
Initializing PEAR repository https://pear.php.net
Updating dependencies                                          
Package operations: 7 installs, 1 update, 7 removals
  - Removing pear-pear.php.net/pear (1.10.3)
  - Removing pear-pear.php.net/xml_util (1.4.2)
  - Removing pear-pear.php.net/archive_tar (1.4.2)
  - Removing pear-pear.php.net/structures_graph (1.1.1)
  - Removing pear-pear.php.net/console_getopt (1.4.1)
  - Removing patchwork/utf8 (dev-master)
  - Removing pear-pear.php.net/net_sieve (1.3.4)
  - Removing pear-pear.php.net/mail_mime (1.9.0)
  - Installing pear-pear.php.net/mail_mime (1.10.0): Downloading (100%)
  - Installing pear-pear.php.net/console_commandline (1.2.2): Downloading (100%)
  - Installing pear-pear.php.net/crypt_gpg (1.4.3): Downloading (100%)
    Skipped installation of bin bin/crypt-gpg-pinentry for package pear-pear.php.net/crypt_gpg: name conflicts with an existing file
  - Installing pear/pear_exception (dev-master 8c18719): Cloning 8c18719fda
  - Installing pear/net_socket (dev-trunk bbe6a12): Cloning bbe6a12bb4
  - Installing pear/console_getopt (v1.4.1): Downloading (100%)         
  - Installing pear/pear-core-minimal (v1.10.3): Downloading (100%)         
  - Installing roundcube/net_sieve (1.5.4): Downloading (100%)         
Writing lock file
Generating autoload files
0 roundcube-dev@stallman:/srv/roundcube-dev$ php bin/update.sh 
What version are you upgrading from? Type '?' if you don't know.
?
Executing database schema update.
Updating database schema (2015111100)... [OK]
WARNING: unable to update composer.json!
Please replace the 'require' section in your composer.json with the following:
    "require": {
        "php": ">=5.3.7",
        "pear/pear-core-minimal": "~1.10.1",
        "roundcube/plugin-installer": "~0.1.6",
        "pear-pear.php.net/net_socket": "~1.0.12",
        "pear-pear.php.net/auth_sasl": "~1.0.6",
        "pear-pear.php.net/net_idna2": "~0.1.1",
        "pear-pear.php.net/mail_mime": "~1.10.0",
        "pear-pear.php.net/net_smtp": "~1.7.1",
        "pear-pear.php.net/crypt_gpg": "~1.4.2",
        "roundcube/net_sieve": "~1.5.0"
    }

NOTE: Update dependencies by running `php composer.phar update --no-dev`
This instance of Roundcube is up-to-date.
Have fun!

This require section matches the require section in composer.json, OK.

0 roundcube-dev@stallman:/srv/roundcube-dev$ php bin/indexcontacts.sh 

0 roundcube-dev@stallman:/srv/roundcube-dev$ php bin/gc.sh 

comment:4 Changed 16 months ago by https://id.mayfirst.org/srevilak

problem #1: rewrite rules

First attempt at logging in took me to https://roundcube.dev.mayfirst.org/aUXik9M3OOuz6vdv/?_task=mail, where I got a 404:

The requested URL /aUXik9M3OOuz6vdv/ was not found on this server.

Made this change to apache2/sites-available/roundcube.dev.mayfirst.org

-RewriteRule ^/[a-f0-9]{16}/(.*) /$1
+RewriteRule ^/[A-Za-z0-9]{16}/(.*) /$1
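
Review bot: The pattern on the `+` line still hardcodes both the token length (16) and its alphabet, which is how the previous rule broke, so another upstream change to the token format would again surface only as a 404 after login; a comment above the rule naming Roundcube's use_secure_urls option as the source of this path segment would make that quicker to diagnose. The rule also shows no flags, and with the wider `[A-Za-z0-9]` class any real top-level path of exactly 16 alphanumeric characters is now stripped as well, so it is worth confirming that nothing served from this vhost matches.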

Restarted apache. That solved the 404 error. Looks like roundcube added more entropy to the use_secure_urls feature.

We'll need to make a corresponding change to roundcube.mayfirst.org, when we upgrade.

comment:5 Changed 15 months ago by https://id.mayfirst.org/srevilak

roundcube.mayfirst.org upgrade

Updated the RewriteRule for use_secure_urls.

Installed new code

0 roundcube-code@stallman:/srv/roundcube$ git fetch gmo
remote: Counting objects: 8582, done.
remote: Compressing objects: 100% (3003/3003), done.
remote: Total 7280 (delta 5077), reused 6167 (delta 4013)
Receiving objects: 100% (7280/7280), 3.25 MiB | 921.00 KiB/s, done.
Resolving deltas: 100% (5077/5077), completed with 513 local objects.
From git://git.mayfirst.org/mfpl/roundcube
 * [new branch]      mfpl-release-1.2 -> gmo/mfpl-release-1.2
 * [new tag]         roundcube-1.2.4-mfpl1 -> roundcube-1.2.4-mfpl1
 * [new tag]         1.2-beta   -> 1.2-beta
 * [new tag]         1.2-rc     -> 1.2-rc
 * [new tag]         1.2.0      -> 1.2.0
 * [new tag]         1.2.1      -> 1.2.1
 * [new tag]         1.2.2      -> 1.2.2
 * [new tag]         1.2.3      -> 1.2.3
 * [new tag]         1.2.4      -> 1.2.4


0 roundcube-code@stallman:/srv/roundcube$ git tag -v roundcube-1.2.4-mfpl1

0 roundcube-code@stallman:/srv/roundcube$ git checkout roundcube-1.2.4-mfpl1
Previous HEAD position was a6d688f... pear repository should use https, not http
HEAD is now at 862a5e4... configuration changes for managesieve

Updated composer dependencies

0 roundcube-code@stallman:/srv/roundcube$ php composer.phar update --no-dev
Loading composer repositories with package information
Initializing PEAR repository https://pear.php.net
Updating dependencies                                          
Package operations: 7 installs, 1 update, 7 removals
  - Removing pear-pear.php.net/pear (1.10.3)
  - Removing pear-pear.php.net/xml_util (1.4.2)
  - Removing pear-pear.php.net/archive_tar (1.4.2)
  - Removing pear-pear.php.net/structures_graph (1.1.1)
  - Removing pear-pear.php.net/console_getopt (1.4.1)
  - Removing patchwork/utf8 (dev-master)
  - Removing pear-pear.php.net/net_sieve (1.3.4)
  - Removing pear-pear.php.net/mail_mime (1.9.0)
  - Installing pear-pear.php.net/mail_mime (1.10.0): Loading from cache
  - Installing pear-pear.php.net/console_commandline (1.2.2): Loading from cache
  - Installing pear-pear.php.net/crypt_gpg (1.4.3): Loading from cache
    Skipped installation of bin bin/crypt-gpg-pinentry for package pear-pear.php.net/crypt_gpg: name conflicts with an existing file
  - Installing pear/pear_exception (dev-master 8c18719): Cloning 8c18719fda
  - Installing pear/net_socket (dev-trunk bbe6a12): Cloning bbe6a12bb4
  - Installing pear/console_getopt (v1.4.1): Loading from cache
  - Installing pear/pear-core-minimal (v1.10.3): Loading from cache
  - Installing roundcube/net_sieve (1.5.4): Loading from cache
Writing lock file
Generating autoload files

Update scripts

0 roundcube@stallman:/srv/roundcube$ php bin/update.sh 
What version are you upgrading from? Type '?' if you don't know.
?
Executing database schema update.
Updating database schema (2015111100)... [OK]
WARNING: unable to update composer.json!
Please replace the 'require' section in your composer.json with the following:
    "require": {
        "php": ">=5.3.7",
        "pear/pear-core-minimal": "~1.10.1",
        "roundcube/plugin-installer": "~0.1.6",
        "pear-pear.php.net/net_socket": "~1.0.12",
        "pear-pear.php.net/auth_sasl": "~1.0.6",
        "pear-pear.php.net/net_idna2": "~0.1.1",
        "pear-pear.php.net/mail_mime": "~1.10.0",
        "pear-pear.php.net/net_smtp": "~1.7.1",
        "pear-pear.php.net/crypt_gpg": "~1.4.2",
        "roundcube/net_sieve": "~1.5.0"
    }

NOTE: Update dependencies by running `php composer.phar update --no-dev`
This instance of Roundcube is up-to-date.
Have fun!
0 roundcube@stallman:/srv/roundcube$


0 roundcube@stallman:/srv/roundcube$ php bin/indexcontacts.sh

0 roundcube@stallman:/srv/roundcube$ php bin/gc.sh 
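
The fetch, `git tag -v`, checkout sequence used in comment:3 and comment:5, written as an added example that is not part of the ticket or of May First's tooling: a shell function that only checks out a tag when its OpenPGP signature verifies and was made by a pinned key. The function names and the fingerprint argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the ticket): gate a deployment checkout on a
# verified, pinned tag signature. Function names are hypothetical.

# Read gpg status text on stdin and print the primary-key fingerprint of a
# valid signature. In GnuPG 2.x the last field of the VALIDSIG status line
# is the primary key fingerprint.
signer_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# verified_checkout REPO_DIR TAG PINNED_FINGERPRINT
# Checks out TAG and returns 0 only if `git verify-tag` succeeds and the
# signer matches the pinned fingerprint. Otherwise returns non-zero and
# leaves the working tree where it was.
verified_checkout() {
    repo=$1
    tag=$2
    pinned=$3

    if [ -z "$pinned" ]; then
        echo "no pinned fingerprint given" >&2
        return 2
    fi

    # --raw makes git print gpg's machine-readable status lines on stderr;
    # capture stderr only and discard stdout.
    status=$(git -C "$repo" verify-tag --raw "$tag" 2>&1 >/dev/null) || {
        echo "refusing $tag: signature missing or invalid" >&2
        return 1
    }

    signer=$(printf '%s\n' "$status" | signer_fpr)
    if [ "$signer" != "$pinned" ]; then
        echo "refusing $tag: signed by ${signer:-unknown key}" >&2
        return 1
    fi

    git -C "$repo" checkout --quiet "$tag"
}

# Example call; the fingerprint is a placeholder for the release signer's:
#   verified_checkout /srv/roundcube roundcube-1.2.4-mfpl1 "$RELEASE_FPR"
```

Pinning the fingerprint matters because `git tag -v` alone accepts a good signature from any key in the keyring of the account running it.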

comment:6 Changed 15 months ago by https://id.mayfirst.org/srevilak

  • Resolution set to fixed
  • Status changed from assigned to closed
