v2.16.0

We're pleased to be publishing v2.16.0, a new stable release. This release contains bug fixes and some minor updates.

This release includes changes to the config file format, all of which are fully backwards-compatible and do not require updating the file before upgrading. It includes no changes to the database file format.

Many thanks to @csmith, @delthas, donio, @emersion, @KlaasT, @knolley, @Mailaender, and @prdes for reporting issues and helping test.

Config changes

• Added api block for configuring the new HTTP API. If this block is absent, the API is disabled (#2231)
• Added server.additional-isupport for publishing arbitrary ISUPPORT tokens (#2220, #2240)
• Added server.command-aliases to configure aliases for server commands (#2229, #2236)
• Added options to roleplay to customize the NUH's sent for NPC and SCENE. Roleplay remains deprecated and disabled by default. (#2237)

Security

• Mitigated HTTP DoS attacks by rejecting IRC sessions that begin with an HTTP verb, such as POST. If you were relying on this to create IRC sessions via an HTTP client, please open an issue. (#2239)

Added

• Added an HTTP API, providing programmatic access to Ergo functionality (#2231, thanks @KlaasT!)
• Added SAFERATE to 005 ISUPPORT tokens (#2223, thanks @delthas!)
• Added support for ed25519-sha256 for DKIM. However, enabling this algorithm is not recommended since mainstream email providers still do not support it. (#1041, #2242)

Fixed

• Fixed CHATHISTORY TARGETS from MySQL backend reporting incorrect timestamps when the server timezone is not UTC (#2224)
• Fixed batch name parameter in draft/isupport responses (#2253)
• Fixed NS UNREGISTER not deleting the stored push subscriptions (#2254)
• Fixed cases where NS SAREGISTER could create clients without applying the default user modes (#2252, #2254, thanks donio!)
• Improved validation of CHATHISTORY parameters (#2248, #2249, thanks @prdes!)
• Added validation to ensure the MOTD is UTF-8 when enforce-utf8 is enabled (the recommended default) (#2228, #2233, thanks @KlaasT!)
• The client's own QUIT line now respects the server-time capability (#2218, #2219)
• Fixed sending unnecessary replies to certain invalid MODE changes (#2213)
• Improved safety of ISUPPORT length limits (#2241)

Changed

• The draft/message-redaction capability is no longer advertised when allow-individual-delete is disabled (#2215, #2216, thanks @delthas!)
• Receiving the UTF-8 BOM (byte-order mark) at the start of an IRC connection now produces an explicit error (#2244, #2247, thanks @csmith, @Mailaender!)

Internal

• Release builds use Go 1.24.3 (#2217)

v2.16.0-rc1

We're pleased to be publishing the release candidate for v2.16.0 (the official release should follow within a week or so). This release contains bug fixes and some minor updates.

This release includes changes to the config file format, all of which are fully backwards-compatible and do not require updating the file before upgrading. It includes no changes to the database file format.

Many thanks to @csmith, @delthas, donio, @emersion, @KlaasT, @knolley, @Mailaender, and @prdes for reporting issues and helping test.

Config changes

• Added server.additional-isupport for publishing arbitrary ISUPPORT tokens (#2220, #2240)
• Added server.command-aliases to configure aliases for server commands (#2229, #2236)
• Added options to roleplay to customize the NUH's sent for NPC and SCENE. Roleplay remains deprecated and disabled by default. (#2237)

Security

• Mitigated HTTP DoS attacks by rejecting IRC sessions that begin with an HTTP verb, such as POST. If you were relying on this to create IRC sessions via an HTTP client, please open an issue. (#2239)

Added

• Added an HTTP API, providing programmatic access to Ergo functionality (#2231, thanks @KlaasT!)
• Added SAFERATE to 005 ISUPPORT tokens (#2223, thanks @delthas!)
• Added support for ed25519-sha256 for DKIM. However, enabling this algorithm is not recommended since mainstream email providers still do not support it. (#1041, #2242)

Fixed

• Fixed CHATHISTORY TARGETS from MySQL backend reporting incorrect timestamps when the server timezone is not UTC (#2224)
• Fixed batch name parameter in draft/isupport responses (#2253)
• Fixed NS UNREGISTER not deleting the stored push subscriptions (#2254)
• Fixed cases where NS SAREGISTER could create clients without applying the default user modes (#2252, #2254, thanks donio!)
• Improved validation of CHATHISTORY parameters (#2248, #2249, thanks @prdes!)
• Added validation to ensure the MOTD is UTF-8 when enforce-utf8 is enabled (the recommended default) (#2228, #2233, thanks @KlaasT!)
• The client's own QUIT line now respects the server-time capability (#2218, #2219)
• Fixed sending unnecessary replies to certain invalid MODE changes (#2213)
• Improved safety of ISUPPORT length limits (#2241)

Changed

• The draft/message-redaction capability is no longer advertised when allow-individual-delete is disabled (#2215, #2216, thanks @delthas!)
• Receiving the UTF-8 BOM (byte-order mark) at the start of an IRC connection now produces an explicit error (#2244, #2247, thanks @csmith, @Mailaender!)

Internal

• Release builds use Go 1.24.3 (#2217)

v2.15.0

We're pleased to be publishing v2.15.0, a new stable release. This release adds support for mobile push notifications, via the draft/webpush specification. More information on this is available in the manual and user guide. This feature is still considered to be in an experimental state; default.yaml ships with it disabled, and its configuration may have backwards-incompatible changes in the future.

This release includes changes to the config file format, all of which are fully backwards-compatible and do not require updating the file before upgrading.

This release includes a database change. If you have datastore.autoupgrade set to true in your configuration, it will be automatically applied when you restart Ergo. Otherwise, you can update the database manually by running ergo upgradedb (see the manual for complete instructions).

Many thanks to @delthas, @donatj, donio, @emersion, and @eskimo for contributing patches and helping test.

Config changes

• Added webpush block to the config file to configure push notifications. See default.yaml for an example. Note that at this time, default.yaml ships with support for push notifications disabled; operators can enable them by setting webpush.enabled: true. In the absence of such a block, push notifications are disabled.
• We recommend the addition of "WEBPUSH": 1 to fakelag.command-budgets, to speed up mobile reattach when web push is enabled. See default.yaml for an example.

Added

• Added support for the draft/webpush specification (#2205, thanks @emersion, @eskimo!)
• Added support for the draft/extended-isupport specification (#2184, thanks @emersion!)
• UBAN ADD now accepts REQUIRE-SASL with NUH masks, i.e. k-lines (#2198, #2199)
• Ergo now publishes the SAFELIST ISUPPORT parameter (#2196, thanks @delthas!)

Fixed

• Fixed incorrect parameters when pushing 005 (ISUPPORT) updates to clients on rehash (#2177, #2184)

Internal

• Official release builds use Go 1.23.5
• Added a unique identifier to identify connections in debug logs. This has no privacy implications in a standard, non-debug configuration of Ergo. (#2206, thanks donio!)
• Added support for Solaris on amd64 CPUs (#2183)

v2.15.0-rc1

We're pleased to be publishing the release candidate for v2.15.0 (the official release should follow within two weeks or so). This release adds support for mobile push notifications, via the draft/webpush specification. More information on this is available in the manual and user guide. This feature is still considered to be in an experimental state; default.yaml ships with it disabled, and its configuration may have backwards-incompatible changes in the future.

This release includes changes to the config file format, all of which are fully backwards-compatible and do not require updating the file before upgrading.

This release includes a database change. If you have datastore.autoupgrade set to true in your configuration, it will be automatically applied when you restart Ergo. Otherwise, you can update the database manually by running ergo upgradedb (see the manual for complete instructions).

Many thanks to @delthas, @donatj, donio, @emersion, and @eskimo for contributing patches and helping test.

Config changes

• Added webpush block to the config file to configure push notifications. See default.yaml for an example. Note that at this time, default.yaml ships with support for push notifications disabled; operators can enable them by setting webpush.enabled: true. In the absence of such a block, push notifications are disabled.
• We recommend the addition of "WEBPUSH": 1 to fakelag.command-budgets, to speed up mobile reattach when web push is enabled. See default.yaml for an example.

Added

• Added support for the draft/webpush specification (#2205, thanks @emersion, @eskimo!)
• Added support for the draft/extended-isupport specification (#2184, thanks @emersion!)
• UBAN ADD now accepts REQUIRE-SASL with NUH masks, i.e. k-lines (#2198, #2199)
• Ergo now publishes the SAFELIST ISUPPORT parameter (#2196, thanks @delthas!)

Fixed

• Fixed incorrect parameters when pushing 005 (ISUPPORT) updates to clients on rehash (#2184)

Internal

• Official release builds use Go 1.23.4
• Added a unique identifier to identify connections in debug logs. This has no privacy implications in a standard, non-debug configuration of Ergo. (#2206, thanks donio!)
• Added support for Solaris on amd64 CPUs (#2183)

v2.14.0

We're pleased to be publishing v2.14.0, a new stable release. This release contains primarily bug fixes, with the addition of some new authentication mechanisms for integrating with web clients.

This release includes changes to the config file format, all of which are fully backwards-compatible and do not require updating the file before upgrading. It includes no changes to the database file format.

Many thanks to @al3xandros, donio, @eeeeeta, @emersion, @Eriner, @eskimo, @Herringway, @jwheare, @knolley, @mengzhuo, pathof, @poVoq, @progval, @RNDpacman, and @xnaas for contributing patches, reporting issues, and helping test.

Config changes

• Added accounts.oauth2 and accounts.jwt-auth blocks for configuring OAuth2 and JWT authentication (#2004)
• Added protocol and local-address options to accounts.registration.email-verification, to force emails to be sent over IPv4 (or IPv6) or to force the use of a particular source address (#2142)
• Added limits.realnamelen, a configurable limit on the length of realnames. If unset, no limit is enforced beyond the IRC protocol line length limits (the previous behavior). (#2123, thanks @eskimo!)
• Added the accept-hostname option to the webirc config block, allowing Ergo to accept hostnames passed from reverse proxies on the WEBIRC line. Note that this will have no effect under the default/recommended configuration, in which cloaks are used instead (#1686, #2146, thanks @RNDpacman!)
• The default/recommended value of limits.chan-list-modes (the size limit for ban/except/invite lists) was raised to 100 (#2081, #2165, #2167)

Added

• Added support for the OAUTHBEARER SASL mechanism, allowing Ergo to interoperate with Gamja and an OAuth2 provider (#2004, #2122, thanks @emersion!)
• Added support for the IRCV3BEARER SASL mechanism, allowing Ergo to accept OAuth2 or JWT bearer tokens (#2158)
• Added support for the legacy rfc1459 and rfc1459-strict casemappings (#2099, #2159, thanks @xnaas!)
• The new ergo defaultconfig subcommand prints a copy of the default config file to standard output (#2157, #2160, thanks @al3xandros!)

Fixed

• Even with allow-truncation: false (the recommended default), some oversized messages were being accepted and relayed with truncation. These messages will now be rejected with 417 ERR_INPUTTOOLONG as expected (#2170)
• NICK and QUIT from invisible members of auditorium channels are no longer recorded in history (#2133, #2137, thanks @knolley and @poVoq!)
• If channel registration was disabled, registered channels could become inaccessible after rehash; this has been fixed (#2130, thanks @eeeeeta!)
• Attempts to use unrecognized SASL mechanisms no longer count against the login throttle, improving compatibility with Pidgin (#2156, thanks donio and pathof!)
• Fixed database autoupgrade on Windows, which was previously broken due to the use of a colon in the backup filename (#2139, #2140, thanks @Herringway!)
• Fixed handling of NS CERT ADD <user> <fp> when an unprivileged user invokes it on themself (#2128, #2098, thanks @Eriner!)
• Fixed missing human-readable trailing parameters for two multiline FAIL messages (#2043, #2162, thanks @jwheare and @progval!)
• Fixed symbol sent by 353 RPL_NAMREPLY for secret channels (#2144, #2145, thanks savoyard!)

Changed

• Trying to claim a registered nickname that is also actually in use by another client now produces 433 ERR_NICKNAMEINUSE as expected (#2135, #2136, thanks savoyard!)
• SAMODE now overrides the enforcement of limits.chan-list-modes (the size limit for ban/except/invite lists) (#2081, #2165)
• Certain unsuccessful MODE changes no longer send 324 RPL_CHANNELMODEIS and 329 RPL_CREATIONTIME (#2163)
• Debug logging for environment variable configuration overrides no longer prints the value, only the key (#2129, #2132, thanks @eeeeeta!)

Internal

• Official release builds use Go 1.22.4
• Added a linux/riscv64 release (#2172, #2173, thanks @mengzhuo!)

v2.14.0-rc2

Due to the discovery of a bug (predating v2.14.0-rc1), we are releasing a new release candidate for v2.14.0 (the official release should follow within a week or so).

Please see the changelog for v2.14.0-rc1 for other changes since v2.13.1.

Fixed

• Even with allow-truncation: false (the recommended default), some oversized messages were being accepted and relayed with truncation. These messages will now be rejected with 417 ERR_INPUTTOOLONG as expected (#2170)

v2.14.0-rc1

We're pleased to be publishing the release candidate for v2.14.0 (the official release should follow within two weeks or so). This release contains primarily bug fixes, with the addition of some new authentication mechanisms for integrating with web clients.

This release includes changes to the config file format, all of which are fully backwards-compatible and do not require updating the file before upgrading. It includes no changes to the database file format.

Many thanks to @al3xandros, donio, @eeeeeta, @emersion, @Eriner, @eskimo, @Herringway, @jwheare, @knolley, pathof, @poVoq, @progval, @RNDpacman, and @xnaas for contributing patches, reporting issues, and helping test.

Config changes

• Added accounts.oauth2 and accounts.jwt-auth blocks for configuring OAuth2 and JWT authentication (#2004)
• Added protocol and local-address options to accounts.registration.email-verification, to force emails to be sent over IPv4 (or IPv6) or to force the use of a particular source address (#2142)
• Added limits.realnamelen, a configurable limit on the length of realnames. If unset, no limit is enforced beyond the IRC protocol line length limits (the previous behavior). (#2123, thanks @eskimo!)
• Added the accept-hostname option to the webirc config block, allowing Ergo to accept hostnames passed from reverse proxies on the WEBIRC line. Note that this will have no effect under the default/recommended configuration, in which cloaks are used instead (#1686, #2146, thanks @RNDpacman!)
• The default/recommended value of limits.chan-list-modes (the size limit for ban/except/invite lists) was raised to 100 (#2081, #2165, #2167)

Added

• Added support for the OAUTHBEARER SASL mechanism, allowing Ergo to interoperate with Gamja and an OAuth2 provider (#2004, #2122, thanks @emersion!)
• Added support for the IRCV3BEARER SASL mechanism, allowing Ergo to accept OAuth2 or JWT bearer tokens (#2158)
• Added support for the legacy rfc1459 and rfc1459-strict casemappings (#2099, #2159, thanks @xnaas!)
• The new ergo defaultconfig subcommand prints a copy of the default config file to standard output (#2157, #2160, thanks @al3xandros!)

Fixed

• NICK and QUIT from invisible members of auditorium channels are no longer recorded in history (#2133, #2137, thanks @knolley and @poVoq!)
• If channel registration was disabled, registered channels could become inaccessible after rehash; this has been fixed (#2130, thanks @eeeeeta!)
• Attempts to use unrecognized SASL mechanisms no longer count against the login throttle, improving compatibility with Pidgin (#2156, thanks donio and pathof!)
• Fixed database autoupgrade on Windows, which was previously broken due to the use of a colon in the backup filename (#2139, #2140, thanks @Herringway!)
• Fixed handling of NS CERT ADD <user> <fp> when an unprivileged user invokes it on themself (#2128, #2098, thanks @Eriner!)
• Fixed missing human-readable trailing parameters for two multiline FAIL messages (#2043, #2162, thanks @jwheare and @progval!)
• Fixed symbol sent by 353 RPL_NAMREPLY for secret channels (#2144, #2145, thanks savoyard!)

Changed

• Trying to claim a registered nickname that is also actually in use by another client now produces 433 ERR_NICKNAMEINUSE as expected (#2135, #2136, thanks savoyard!)
• SAMODE now overrides the enforcement of limits.chan-list-modes (the size limit for ban/except/invite lists) (#2081, #2165)
• Certain unsuccessful MODE changes no longer send 324 RPL_CHANNELMODEIS and 329 RPL_CREATIONTIME (#2163)
• Debug logging for environment variable configuration overrides no longer prints the value, only the key (#2129, #2132, thanks @eeeeeta!)

Internal

• Official release builds use Go 1.22.4

v2.13.1

Ergo 2.13.1 is a bugfix release, fixing an exploitable deadlock that could lead to a denial of service. We regret the oversight.

This release includes no changes to the config file format or database format.

Security

• Fixed an exploitable deadlock that could lead to a denial of service (#2149)

Internal

• Official release builds use Go 1.22.2

v2.13.0

We're pleased to be publishing v2.13.0, a new stable release. This is a bugfix release that fixes some issues, including a crash.

This release includes no changes to the config file format or database format.

Many thanks to @dallemon, @jwheare, @Mikaela, @nealey, and @Sheikah45 for contributing patches, reporting issues, and helping test.

Fixed

• Fixed a (hopefully rare) crash when persisting always-on client statuses (#2113, #2117, thanks @Sheikah45!)
• Fixed not being able to message channels with / (or the configured RELAYMSG separator) in their names (#2114, thanks @Mikaela!)
• Verification emails now always include a Message-ID header, improving compatibility with Gmail (#2108, #2110)
• Improved human-readable description of REDACT_FORBIDDEN (#2101, thanks @jwheare!)

Removed

• Removed numerics associated with the retired ACC spec (#2109, #2111, thanks @jwheare!)

Internal

• Upgraded the Docker base image from Alpine 3.13 to 3.19. The resulting images are incompatible with Docker 19.x and lower (all currently non-EOL Docker versions should be supported). (#2103)
• Official release builds use Go 1.21.6

v2.13.0-rc1

We're pleased to be publishing the release candidate for v2.13.0 (the official release should follow within a week or so). This is a bugfix release that fixes some issues, including a crash.

This release includes no changes to the config file format or database format.

Many thanks to @dallemon, @jwheare, @Mikaela, and @Sheikah45 for contributing patches, reporting issues, and helping test.

Fixed

• Fixed a (hopefully rare) crash when persisting always-on client statuses (#2113, #2117, thanks @Sheikah45!)
• Fixed not being able to message channels with / (or the configured RELAYMSG separator) in their names (#2114, thanks @Mikaela!)
• Verification emails now always include a Message-ID header, improving compatibility with Gmail (#2108, #2110)
• Improved human-readable description of REDACT_FORBIDDEN (#2101, thanks @jwheare!)

Removed

• Removed numerics associated with the retired ACC spec (#2109, #2111, thanks @jwheare!)

Internal

• Upgraded the Docker base image from Alpine 3.13 to 3.19. The resulting images are incompatible with Docker 19.x and lower (all currently non-EOL Docker versions should be supported). (#2103)
• Official release builds use Go 1.21.5