lint

Allow continuing on despite queued assets
newsfile
2025-10-24 11:12:25 +01:00 · 2025-10-24 10:36:40 +01:00 · 2025-10-21 14:31:35 +01:00 · 2025-10-21 14:30:54 +01:00 · 2025-10-21 14:18:40 +01:00 · 2025-10-21 14:17:53 +01:00
19 changed files with 29 additions and 80 deletions
@@ -1,50 +1,3 @@
-# Synapse 1.141.0rc2 (2025-10-28)
-
-## Deprecation of MacOS Python wheels
-
-The team has decided to deprecate and eventually stop publishing python wheels
-for MacOS. This is a burden on the team, and we're not aware of any parties
-that use them. Synapse docker images will continue to work on MacOS, as will
-building Synapse from source (though note this requires a Rust compiler).
-
-Publishing MacOS Python wheels will continue for the next few releases. If you
-do make use of these wheels downstream, please reach out to us in
-[#synapse-dev:matrix.org](https://matrix.to/#/#synapse-dev:matrix.org). We'd
-love to hear from you!
-
-
-## Bugfixes
-
- Fix users being unable to log in if their password, or the server's configured pepper, was too long. ([\#19101](https://github.com/element-hq/synapse/issues/19101))
-
-
-
-
-# Synapse 1.141.0rc1 (2025-10-21)
-
-## Features
-
- Allow using [MSC4190](https://github.com/matrix-org/matrix-spec-proposals/pull/4190) behavior without the opt-in registration flag. Contributed by @tulir @ Beeper. ([\#19031](https://github.com/element-hq/synapse/issues/19031))
- Stabilized support for [MSC4326](https://github.com/matrix-org/matrix-spec-proposals/pull/4326): Device masquerading for appservices. Contributed by @tulir @ Beeper. ([\#19033](https://github.com/element-hq/synapse/issues/19033))
-
-## Bugfixes
-
- Fix a bug introduced in 1.136.0 that would prevent Synapse from being able to be `reload`-ed more than once when running under systemd. ([\#19060](https://github.com/element-hq/synapse/issues/19060))
- Fix a bug introduced in 1.140.0 where an internal server error could be raised when hashing user passwords that are too long. ([\#19078](https://github.com/element-hq/synapse/issues/19078))
-
-## Updates to the Docker image
-
- Update docker image to use Debian trixie as the base and thus Python 3.13. ([\#19064](https://github.com/element-hq/synapse/issues/19064))
-
-## Internal Changes
-
- Move unique snowflake homeserver background tasks to `start_background_tasks` (the standard pattern for this kind of thing). ([\#19037](https://github.com/element-hq/synapse/issues/19037))
- Drop a deprecated field of the `PyGitHub` dependency in the release script and raise the dependency's minimum version to `1.59.0`. ([\#19039](https://github.com/element-hq/synapse/issues/19039))
- Update TODO list of conflicting areas where we encounter metrics being clobbered (`ApplicationService`). ([\#19040](https://github.com/element-hq/synapse/issues/19040))
-
-
-
-
 # Synapse 1.140.0 (2025-10-14)

 ## Compatibility notice for users of `synapse-s3-storage-provider`
@@ -0,0 +1 @@
+Allow using [MSC4190](https://github.com/matrix-org/matrix-spec-proposals/pull/4190) behavior without the opt-in registration flag. Contributed by @tulir @ Beeper.
@@ -0,0 +1 @@
+Stabilized support for [MSC4326](https://github.com/matrix-org/matrix-spec-proposals/pull/4326): Device masquerading for appservices. Contributed by @tulir @ Beeper.
@@ -0,0 +1 @@
+Move unique snowflake homeserver background tasks to `start_background_tasks` (the standard pattern for this kind of thing).
@@ -0,0 +1 @@
+Drop a deprecated field of the `PyGitHub` dependency in the release script and raise the dependency's minimum version to `1.59.0`.
@@ -0,0 +1 @@
+Update TODO list of conflicting areas where we encounter metrics being clobbered (`ApplicationService`).
@@ -0,0 +1 @@
+Fix a bug introduced in 1.136.0 that would prevent Synapse from being able to be `reload`-ed more than once when running under systemd.
@@ -0,0 +1 @@
+Update docker image to use Debian trixie as the base and thus Python 3.13.
@@ -0,0 +1 @@
+Fix a bug introduced in 1.140.0 where an internal server error could be raised when hashing user passwords that are too long.
@@ -0,0 +1 @@
+Fix the `oidc_session_no_samesite` cookie to have the `Secure` attribute, so the only difference between it and the paired `oidc_session` cookie, is the configuration of the `SameSite` attribute as described in the comments / cookie names. Contributed by @kieranlane.
@@ -0,0 +1 @@
+Warn the developer when they are releasing Synapse if a release workflow has been queued for over 15 minutes.
@@ -1,15 +1,3 @@
-matrix-synapse-py3 (1.141.0~rc2) stable; urgency=medium
-
-  * New Synapse release 1.141.0rc2.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 28 Oct 2025 10:20:26 +0000
-
-matrix-synapse-py3 (1.141.0~rc1) stable; urgency=medium
-
-  * New Synapse release 1.141.0rc1.
-
- -- Synapse Packaging team <packages@matrix.org>  Tue, 21 Oct 2025 11:01:44 +0100
-
 matrix-synapse-py3 (1.140.0) stable; urgency=medium

  * New Synapse release 1.140.0.
@@ -3815,7 +3815,7 @@ This setting has the following sub-options:

 * `localdb_enabled` (boolean): Set to false to disable authentication against the local password database. This is ignored if `enabled` is false, and is only useful if you have other `password_providers`. Defaults to `true`.

-* `pepper` (string|null): A secret random string that will be appended to user's passwords before they are hashed. This improves the security of short passwords. DO NOT CHANGE THIS AFTER INITIAL SETUP! Defaults to `null`.
+* `pepper` (string|null): Set the value here to a secret random string for extra security. DO NOT CHANGE THIS AFTER INITIAL SETUP! Defaults to `null`.

 * `policy` (object): Define and enforce a password policy, such as minimum lengths for passwords, etc. This is an implementation of MSC2000.

@@ -101,7 +101,7 @@ module-name = "synapse.synapse_rust"

 [tool.poetry]
 name = "matrix-synapse"
-version = "1.141.0rc2"
+version = "1.140.0"
 description = "Homeserver for the Matrix decentralised comms protocol"
 authors = ["Matrix.org Team and Contributors <packages@matrix.org>"]
 license = "AGPL-3.0-or-later OR LicenseRef-Element-Commercial"
@@ -1,5 +1,5 @@
 $schema: https://element-hq.github.io/synapse/latest/schema/v1/meta.schema.json
-$id: https://element-hq.github.io/synapse/schema/synapse/v1.141/synapse-config.schema.json
+$id: https://element-hq.github.io/synapse/schema/synapse/v1.140/synapse-config.schema.json
 type: object
 properties:
  modules:
@@ -4695,9 +4695,8 @@ properties:
      pepper:
        type: ["string", "null"]
        description: >-
-          A secret random string that will be appended to user's passwords
-          before they are hashed. This improves the security of short passwords.
-          DO NOT CHANGE THIS AFTER INITIAL SETUP!
+          Set the value here to a secret random string for extra security. DO
+          NOT CHANGE THIS AFTER INITIAL SETUP!
        default: null
      policy:
        type: object
@@ -596,6 +596,16 @@ def _wait_for_actions(gh_token: Optional[str]) -> None:
        if len(resp["workflow_runs"]) == 0:
            continue

+        # Warn the user if any workflows are still queued. They might need to fix something.
+        if any(workflow["status"] == "queued" for workflow in resp["workflow_runs"]):
+            _notify("Warning: at least one release workflow is still queued...")
+            if not click.confirm("Continue waiting for queued assets?", default=True):
+                click.echo(
+                    "Continuing on with the release. Note that you may need to upload missing assets manually later."
+                )
+                break
+            continue
+
        if all(
            workflow["status"] != "in_progress" for workflow in resp["workflow_runs"]
        ):
@@ -77,7 +77,7 @@ def main() -> None:
    if len(bytes_to_hash) > 72:
        # bcrypt only looks at the first 72 bytes
        print(
-            f"Password + pepper is too long ({len(bytes_to_hash)} bytes); truncating to 72 bytes for bcrypt. "
+            f"Password is too long ({len(bytes_to_hash)} bytes); truncating to 72 bytes for bcrypt. "
            "This is expected behaviour and will not affect a user's ability to log in. 72 bytes is "
            "sufficient entropy for a password."
        )
@@ -1691,7 +1691,7 @@ class AuthHandler:
                #
                # Note: we explicitly DO NOT log the length of the user's password here.
                logger.debug(
-                    "Password + pepper is too long; truncating to 72 bytes for bcrypt. "
+                    "Password is too long; truncating to 72 bytes for bcrypt. "
                    "This is expected behaviour and will not affect a user's ability to log in. 72 bytes is "
                    "sufficient entropy for a password."
                )
@@ -1720,20 +1720,9 @@ class AuthHandler:
        def _do_validate_hash(checked_hash: bytes) -> bool:
            # Normalise the Unicode in the password
            pw = unicodedata.normalize("NFKC", password)
-            password_pepper = self.hs.config.auth.password_pepper
-
-            bytes_to_hash = pw.encode("utf8") + password_pepper.encode("utf8")
-            if len(bytes_to_hash) > 72:
-                # bcrypt only looks at the first 72 bytes
-                logger.debug(
-                    "Password + pepper is too long; truncating to 72 bytes for bcrypt. "
-                    "This is expected behaviour and will not affect a user's ability to log in. 72 bytes is "
-                    "sufficient entropy for a password."
-                )
-                bytes_to_hash = bytes_to_hash[:72]

            return bcrypt.checkpw(
-                bytes_to_hash,
+                pw.encode("utf8") + self.hs.config.auth.password_pepper.encode("utf8"),
                checked_hash,
            )

@@ -96,7 +96,7 @@ logger = logging.getLogger(__name__)
 # Here we have the names of the cookies, and the options we use to set them.
 _SESSION_COOKIES = [
    (b"oidc_session", b"HttpOnly; Secure; SameSite=None"),
-    (b"oidc_session_no_samesite", b"HttpOnly"),
+    (b"oidc_session_no_samesite", b"HttpOnly; Secure"),
 ]
Author	SHA1	Message	Date
Andrew Morgan	9cd8166843	lint	2025-10-24 11:12:25 +01:00
Andrew Morgan	b5c66dea20	Allow continuing on despite queued assets	2025-10-24 10:36:40 +01:00
Andrew Morgan	7cd9678e7d	newsfile	2025-10-21 14:31:35 +01:00
Andrew Morgan	889ffd9375	Have the release script warn if a workflow is queued for >15m	2025-10-21 14:30:54 +01:00
Andrew Morgan	6c16734cf3	Revert "newsfile" This reverts commit `4427908340`. This should not have been committed to `develop`.	2025-10-21 14:18:40 +01:00
Andrew Morgan	4427908340	newsfile	2025-10-21 14:17:53 +01:00
Kieran Lane	2f65b9e001	Update `oidc_session_no_samesite` cookie to be `Secure` (#19079 )	2025-10-21 13:35:55 +01:00
				`@@ -0,0 +1 @@`
				`Allow using [MSC4190](https://github.com/matrix-org/matrix-spec-proposals/pull/4190) behavior without the opt-in registration flag. Contributed by @tulir @ Beeper.`
				`@@ -0,0 +1 @@`
				`Stabilized support for [MSC4326](https://github.com/matrix-org/matrix-spec-proposals/pull/4326): Device masquerading for appservices. Contributed by @tulir @ Beeper.`
				`@@ -0,0 +1 @@`
				Move unique snowflake homeserver background tasks to `start_background_tasks` (the standard pattern for this kind of thing).
				`@@ -0,0 +1 @@`
				Drop a deprecated field of the `PyGitHub` dependency in the release script and raise the dependency's minimum version to `1.59.0`.
				`@@ -0,0 +1 @@`
				Update TODO list of conflicting areas where we encounter metrics being clobbered (`ApplicationService`).
				`@@ -0,0 +1 @@`
				Fix a bug introduced in 1.136.0 that would prevent Synapse from being able to be `reload`-ed more than once when running under systemd.
				`@@ -0,0 +1 @@`
				`Update docker image to use Debian trixie as the base and thus Python 3.13.`
				`@@ -0,0 +1 @@`
				`Fix a bug introduced in 1.140.0 where an internal server error could be raised when hashing user passwords that are too long.`
				`@@ -0,0 +1 @@`
				Fix the `oidc_session_no_samesite` cookie to have the `Secure` attribute, so the only difference between it and the paired `oidc_session` cookie, is the configuration of the `SameSite` attribute as described in the comments / cookie names. Contributed by @kieranlane.