** New operation mode: proxy

** Command line option precedence

Command line options take precedence over configuration file
statements.

** elif statement

A familiar `elif' statement is supported, e.g.:

if condition-1
  action-list-1
elif condition-2
  action-list-2
elif condition-3
  action-list-3
else
  action-list-4
fi
  
** New CONTROL statement esmtp-auth-delayed.

When set to `yes', this statement instructs Anubis to postpone ESMTP
authentication until MAIL command is issued by the client.  This
allows to change authentication credentials in the SMTP section (see
below).

** SMTP section

The new section "SMTP" is invoked each time an SMTP command
is received. This section may alter the command's argument, using the
"modify command", e.g.:

BEGIN SMTP
regex :extended
modify command [ehlo] "foo.bar.net"
if command ["mail from:"] "<(.*)>(.*)"
  modify command ["mail from:"] "<root@bar.net>\2"
fi
END

It is also allowed to use esmtp-* keywords in this section, provided
that `esmtp-auth-delayed yes' is set in the CONTROL section. Changes
in the ESMTP authentication credentials take effect if they occur
either before receiving MAIL command from the client, or when handling
this command, e.g.:

BEGIN SMTP
if command ["mail from:"] "<smith(\+.*)?@@example.net>"
  esmtp-auth-id smith
  esmtp-password guessme
else
  esmtp-auth no
fi
END

** New keywords: log-facility and log-tag

** Guile output

By default Scheme's standard error and output ports are redirected to
syslog, using priorities `err' and `warning' correspondingly.

** MySQL options file

When using MySQL for Anubis user database, the database parameters and
access credentials are read from the file /etc/my.cnf, section
"anubis".  Additionally, two URL parameters are provided:
"options-file", which sets the name of the options file, and
"options-group", which sets the name of the group.

* Fix threshold calculation in the cleaner module.
* Refuse to start if another copy is already running.

* New command line option --init (-i)

* New format flags: down=N, child=S, sibling=S

* New guile primitives:

- (grecs-node-ident-locus node [full])

Returns the location of the node's identifier.  See below for the meaning
of [full].

- (grecs-node-value-locus node [full])

Returns the location of the node's value.

* Full vs. simplified locations.

There are two flavors of source locations: simplified and full ones.  A
simplified location consists of a file name and line number.  When returned
from a Guile primitive, they are packed in a cons.  A simplified location
shows an approximate location of the object in the configuration file.

A full location provides the exact location of the object.  It consists of
a pair of triplets, which mark the beginning and end of the object.  Each
triplet consists of a file name, line number and column number.  When 
returned from a Guile primitive, each triplet is represented as a list of 
three elements and both triplets are packed in a cons, the start location 
being its car, and the end location being its cdr.

The three functions that return node locations, grecs-node-locus,
grecs-node-ident-locus and grecs-node-value-locus, return simplified
locations by default.  If #t is supplied as the optional second
argument, these functions return full locations.

* Improved documentation.
* Manpages are installed by make install.
* New options for copy-out mode:

** --ignore-devno
Store 0 in the device number fields, instead of the actual device
number.

** --renumber-inodes
Renumber inodes when storing them in the archive.

** --device-independent or --reproducible
Create reproducible archives.  This is equivalent to 
--ignore-devno --renumber-inodes.

* Support for virtual databases

Virtual database is a collection of regular databases defined
in the dicod configuration. Virtual databases can be used to group
databases by languages, or to select the format of the DEFINE
responses depending on whether OPTION MIME has been requested.

Example of defining a virtual database:

  database {
    name "English Translating Database";
    info "Translations from English to other languages";
    handler "virtual";
    database "en-sw";
    database "en-no";
    database "en-pl";
  }  

See the GNU dico manual, subsection 4.3.12.2 "Virtual Databases" for a
detailed discussion.

* Support for building with WordNet on Debian-based systems

Debian-based systems provide a package "wordnet-dev", which installs
a shared wordnet library. However, this library is named "libwordnet.so",
instead of the expected "libWN.so". Due to this change, previous
versions of dico were unable to locate the library and build the
wordnet database module. To fix this. the --with-libWN configure
option was introduced. Argument to this option is the base name of the
shared libWN library, without suffix. Optionally, the "lib" prefix
is allowed. For example, to configure on Debian:

  ./configure --with-libWN=wordnet

* Dicoweb: graceful handling of unsupported content types.

New setting ONERROR allows the administrator to configure actions to
take on certain types of errors. In particular,
ONERROR['UNSUPPORTED_CONTENT_TYPE'] defines what to do when a DEFINE 
request returns article in unsupported content type.

* The dictorg module improved

The code has been thorougly revisited to ensure correct handling of
databases in dictd database format. Testsuite is included.

* Default m4 quoting characters changed to [ ]

* Globbing patterns in #include statement

If argument to the #include statement contains wildcard characters (*, [,
], or ?), it is interpreted as shell globbing pattern and all files
matching that pattern are included, in lexicographical order.  If no
matching files are found, the directive is replaced with an empty
line.

* New watcher option 'shell'

The 'shell' option causes watcher command to be executed via
'/bin/sh' (by default it is invoked directly, using the 'execve'
function).  For example:

  watcher {
     path "/etc/httpd/vhosts";
     command "/usr/bin/scanhosts && service httpd restart";
     option (shell);
  }

* Include path

If the argument to the #include (#include_once) statement is not an
absolute file name or globbing pattern, it is looked up in the include
search path.  The order of look up is as follows.  First, directories 
given with '-I' options (see below) are scanned, in the same order as
given on the command line.  If no matching file is found in any of
them, directories in the standard include search path are scanned.

By default, the standard include search path contains two directories:
'$(pkgdatadir)/$(VERSION)' and '$(pkgdatadir)/include', where
$(pkgdatadir) and $(VERSION) stand for the package data directory, and
package version, correspondingly.  It can be redefined at compile time using
the '--with-include-path' to configure, e.g.:

 ./configure --with-include-path='$(sysconfdir)/direvent.d:$(pkgdatadir)/$(VERSION):$(pkgdatadir)/include'

(see the file INSTALL, section "Building and Configuring", for a
detailed discussion of this option).
 
To inspect the actual path at runtime, run 'direvent --help',
and look for the string 'Include search path:' in its output.
  
* New command line option -I (--include)

The '-I DIR' command line option adds DIR to the include search path.
When looking for include files, directories given with '-I' options
are scanned first.  If the file is not found, the directories in the
standard include path are scanned.

* Exponential backoff with jitter

If AWS responds with a RequestLimitExceeded code, eclat retries the
request using exponential backoff with jitter algorithm. The algorithm
is controlled by two values: max-retry-interval and total-retry-timeout.
When the RequestLimitExceeded error is returned, eclat will sleep for
2 seconds and then retry the request. For each subsequent
RequestLimitExceeded error, it will calculate the timeout using the
following formula:

   t = rand(0, min(M, 2 ** N)) + 1

where N is the attempt number, M is the value of max-retry-interval
parameter, 'rand(a,b)' selects the integer random number X such that
0 <= X <= b, and '**' denotes the power operator. The attempts to resend
the request will continue until either a response other than
RequestLimitExceeded is received (be it a response to the query or
another error response), or the total time spent in the retry loop
becomes equal to or greater than total-retry-timeout, whichever occurs
first.

* VPC Support

The following new commands provide full support for manipulating
the EC2 VPC objects:

 lsvpc	        describe-vpcs
 lsvpcattr      describe-vpc-attribute
 mkvpc          create-vpc
 setvpcattr     modify-vpc-attribute
 rmvpc          delete-vpc

* Route table support

The following new commands provide full support for manipulating
the EC2 Route Table objects:

 assocrtab      AssociateRouteTable
 mkrtab         CreateRouteTable
 rmrtab         DeleteRouteTable
 lsrtab         DescribeRouteTables
 disasrtab      DisassociateRouteTable

* Route support

The route subcommand allows you to add, delete and modify routes in
route tables.

** Create route:

 eclat route rtb-12345678 add CIDR gw ID

** Delete route:

 eclat route rtb-12345678 del CIDR

** ReplaceRoute

 eclat route rtb-12345678 repl CIDR gw ID
 
* Subnet support

The following new commands provide full support for manipulating
the EC2 Subnet objects:

 mksubnet       create-subnet 
 rmsubnet       delete-subnet
 lssubnet       describe-subnets
 setsubnetattr  modify-subnet-attribute

* Internet Gateway support
 
The following new commands provide full support for manipulating
the EC2 Internet Gateway objects:

 lsigw          describe-internet-gateways
 mkigw          create-internet-gateway
 rmigw          delete-internet-gateway
 atigw          attach-internet-gateway
 deigw          detach-internet-gateway

Initial release.

* Implement heartbeat event

* Add auxiliary program: ifactive

* Fix file descriptor leak

* The program is installed in /usr/bin

Prior versions went to /usr/sbin, you will need to remove them
manually.

* Print /etc/issue before the prompt
* Sleep after incorrect password is input
* New options: -i (--issue), -s (--sleep), -c (--clear)
* Add a manpage
* Improve error checking and reporting

* The --callout-socket option

New option --callout-socket=URL instructs mailfromd to use URL to pass
callout requests to the callout server listening on URL. It is
equivalent to the callout-url configuration statement, which it
overrides.

This option is used by mtasim to avoid clobbering the existing callout
sockets when starting new mailfromd instance.

* NS lookup NFL functions

This release implements the following new MFL functions:

number primitive_hasns (string DOM)
  Returns 1 if the domain DOM has at least one NS record and 0
  otherwise. Throws an error if DNS lookup fails.

require 'dns'
number hasns (string DOM)
  Same as above, but returns 0 on DNS lookup failures.

string getns (string DOM ; number RESOLVE, number SORT)

  Returns a whitespace-separated list of all the NS records for
  the domain DOM. If optional parameter RESOLVE is 1, the returned list
  contains IP addresses. Optional SORT controls whether the entries are
  sorted.

* Bugfixes
** Callout functions return true on checking the null return address (<>)
** Arguments in transaction between mailfromd and calloutd are quoted
** Avoid false failures in testsuite due to libadns warnings
** configure --with-dbm=T accepts any T supported by mailutils
** The 'dbdel' built-in silently ignores non-existing keys

* Support for Guile version 2.2.0 and later

Support for prior versions has been withdrawn.

* New scheme functions

** mu-encoder-port port name . args

Create encoding port using Mailutils filter <name> with optional arguments
<args>. The <port> argument must be a port opened either for writing
or for reading, but not both. The returned port will have the same
mode as <port>.

If <port> is open for reading, data will be read from it, passed through the
filter and returned. If it is open for writing, data written to the returned
port will be passed through filter and its output will be written to <port>.

** mu-decoder-port port name . args

Create decoding port using Mailutils filter <name> with optional arguments
<args>. The <port> argument must be a port opened either for writing
or for reading, but not both. The returned port will have the same
mode as <port>.

If <port> is open for reading, data will be read from it, passed through the
filter and returned. If it is open for writing, data written to the returned
port will be passed through filter and its output will be written to <port>.

** mu-header-decode hdr [charset]

Decode the header value hdr, encoded as per RFC 2047.
Optional charset defaults to "utf-8".

** mu-header-encode hdr [encoding [charset]]

Encode the string <hdr> as per RFC 2047.
Allowed values for <encoding> are "base64" and "quoted-printable".
Default is selected depending on number of printable characters in <hdr>.
Optional charset defaults to "utf-8".

* Introduced support for Python 3.x

* Define sieve variables from the command line

The sieve utility now allows you to supply initial values for
RFC 5229 variables using the --variable command line option, e.g.

  sieve --variable mailbox=outgoing 

* Support for Berkeley DB versions 5 and 6

* headline variable in the mail utility

The new %D specifier has been implemented, which allows the user to
supply arbitrary strftime(3) format string for outputting message
date/time. E.g.:

  set headline="%4m %20D{%Y-%m-%dT%H:%M:%S} %18f %s"

In simplified form, %D can be followed by a single time format
specifier. E.g. %DH can be used instead of %D{%H}.

* Bugfixes

** Fix alignment specifiers in the headline variable (mail utility)
** Fix eventual segmentation violation in imap4d

It occurred when a recently started subprocess received a termination
signal before initializing its I/O subsystem. Most often this happens
when the master process is being shut down.

** Fix endianness bug in string to IP conversion
** Force terminating null character in the output of mh_format
** Fix bug in base64 encoder - don't return immediately upon receiving eof
** Fix command expansion in wordsplit

Initial release.

* Add README, improve meta-data

First actual release.

* Add missing symbol

pam_innetgr lacked pam_sm_setcred

* SysV-style Init 

GNU Pies can now be used as init process daemon - the first process
started during booting.  The configuration can be supplied both as
a traditional /etc/inittab file or as a native GNU Pies configuration
file.  The control interface provides extensive monitoring and
management capabilities.

* Control interface

The running GNU Pies instance can be queried and reconfigured on the
fly via a TCP socket (either UNIX or INET).  Special utility, piesctl,
is included, which provides  command line interface for inspecting
the state of components, reloading configuration (including addition
or removal of configuration files on the fly), stopping and restarting
components, etc.

* Changes in configuration

Two new flags are provided:

- siggroup

This flag instructs pies to send termination signal to the process
group of the process being stopped.

- nullinput

Do not close standard input.  Redirect it from /dev/null
instead.   Use this option with commands that require their standard
input to be open (e.g. pppd nodetach).

** String concatenation

The adjacent string concatenation feature proved to create more
problems than solutions (in particular, with the "env" statement)
and was removed.

* Configuration file raddb/config

The syslog statement takes an optional 4th argument specifying syslog
tag to use, e.g.:

    channel default {
	    syslog local1.info radiusd;
    };

* New attributes

** GNU-Server-Address

Holds IP address of the RADIUS server that recieved the
request. Notice, that the value of this attribute is "0.0.0.0" if
there are no `listen' statement in your `raddb/config'.
    
** GNU-Server-Port

Holds UDP port number of the RADIUS server that recieved the request.

* Automake function AM_GNU_RADIUS is provided, for checking if
GNU Radius is installed from configure.ac scripts.

* Guile support requires Gule version 1.8 or later.

* Bugfixes
** Pass NAS-IP-Address to mlc_stop_query	
	

* rushlast and rushwho

Select the most suitable time representation for the duration field,
depending on the requested width.

* chroot handling

If chroot is requested, re-read the password database after chrooting.

* Supplementary user groups

Set supplementary groups when switching to user privileges.

* Change provisions for interactive shell usage

Interactive rules are marked with the keyword "interactive".  Only
such rules are considered when rush is invoked without the -c option.
The support of the old (global) "interactive" keyword is discontinued.

* The env statement

The env statement can contain references to the unmodified environment
variables.  E.g. this is now valid:

  env PATH=/sbin:$PATH

* Testsuite is provided
  
* Minor fix in TXPMUX code.

* Fix CVE-2013-6889

* Manpages are provided

* Support SNMPv3
* Default SNMP version is 2c
* Use newer Grecs
* Drop unneeded dependencies
* Variable assignments in expressions
* Detection of SNMP counter overflows
* Comma operator
* Support for indexed MIBs

This feature allows you to use symbolic names instead of the fixed MIBs
for MIBs that are part of SNMP subtrees.  For example, to get number of
packets sent over eth0 into variable "out", you would do the following:

    table iftable IF-MIB::ifDescr;
    variable out "IF-MIB::ifOutUcastPkts.$iftable[eth1]";

The first statement converts the subtree into a "table" named "iftable".
The second statement references an entry in this table that has
the value "eth1".  For example, if the SNMP tree has the following MIB

    IF-MIB::ifDescr.10: eth0

then the expression "$iftable[eth]" yields "10"

* Assertion syntax changed.

The assertion statement takes a single argument, which must be a
string consisting of the following three parts:

   <oid: string> [!]<opcode>[/i] <value: string>

The <opcode> part can be either an arithmetical operator (=, <, <=, >,
>=), or any of the following string operators:

    eq          string equality
    ne          string inequality
    prefix      oid value must begin with <value>
    suffix      oid value must end with <value>
    glob        <value> is a glob(7) pattern that oid value must match
    
Each of these can be suffixed with "/i" to request case-insensitive comparison.

A "!" in front of opcode reverts its meaning.   

The <value> part must not include the type prefix.

* new module: ldap

* mailutils: Requires 2.99.98 or later

* Fix heap-buffer-overrun with --one-top-level.
Bug introduced with the addition of that option in 1.28.

* Support for zstd compression

New option '--zstd' instructs tar to use zstd as compression program.
When listing, extractng and comparing, zstd compressed archives are
recognized automatically.
When '-a' option is in effect, zstd compression is selected if the
destination archive name ends in '.zst' or '.tzst'.

* The -K option interacts properly with member names given in the command line

Names of members to extract can be specified along with the "-K NAME"
option. In this case, tar will extract NAME and those of named members
that appear in the archive after it, which is consistent with the
semantics of the option.

Previous versions of tar extracted NAME, those of named members that
appeared before it, and everything after it.

* Fix CVE-2018-20482

When creating archives with the --sparse option, previous versions of
tar would loop endlessly if a sparse file had been truncated while
being archived.

Rewrite as a stand-alone snmpd agent.

* Minor change

* Support for Varnish 6.0.2

* req.http.X-VMOD-DBRW-Error

This header is set to 1 by dbrw.rewrite to indicate that an error
occurred during the rewrite.

* New flags: regex and eq

One of this flags can appear in the fourth column of the returned data
set. The 'eq' flag instructs dbrw.rewrite to use exact string match,
instead of regular expressions. The 'regex' flag instructs it to use
regular expression matching. It is the default.

* Improve error handling in mysql submodule

Previously, error codes ER_PARSE_ERROR and ER_EMPTY_QUERY were treated
as permanent conditions, causing mysql connection to be closed and
disabled. This is no longer the case, as they both can well mean a
transient condition (e.g. ER_PARSE_ERROR returned for the 'Illegal mix
of collations' error).

* Support for Varnish 6.0.2

* Support for Varnish 6.0.2

* Support for Varnish 6.0.2

* Implements upload protocol version 1.2

* Input file locations include start and end columns.

* When available, uses inotify(7) to watch the input spools.

The use of inotify allows wydawca to act immediately upon finished
uploads without the need of external notifications.  This makes the
TCP-based notification unnecessary on GNU/Linux systems.

* Requires Mailutils 3.4

* The "periodic" subcommand

The new subcommand "periodic" is responsible for maintaining the job database.
It finishes up pending glacier jobs, dowloading the results (both inventory
listings and requested files) and removes expired jobs. It should be run as a
cronjob.

* When run on an EC2 instance, credentials can be obtained from the EC2 metadata

* Directory validity is controlled using the LastInventoryDate field

Implements restart mode.

The restart mode is a special feature of sentinel mode, controlled by
the new options --restart-on-exit and --restart-on-signal. In this
mode genrc will restart the subsidiary program if it exits with a
predefined status code or terminates on a predefined signal. Use this
feature to ensure the service provided by the program controlled by
genrc won't get terminated because of hitting a bug or encountering an
unforeseen external condition.

For example:

  genrc --command=COMMAND \
        --sentinel \
	--restart-on-exit='!0' --restart-on-signal='!TERM,QUIT' start

This will ensure that the COMMAND will be restarted immediately after
it terminates, unless it exits with the status 0 or terminates on
SIGTERM or SIGQUIT.

	- New option --server-root for the source = apache configuration
	  statement

	- Prefer apachectl over invoking httpd directly.

* Fix cyclic inclusion detection