Log result_dict

How does that '+' keep coming back?
Bind exception to name
2019-08-20 10:42:17 +01:00 · 2019-08-20 10:26:31 +01:00 · 2019-08-05 16:11:54 +01:00 · 2019-08-05 16:03:37 +01:00 · 2019-08-05 15:12:17 +01:00 · 2019-08-05 15:02:29 +01:00
282 changed files with 4052 additions and 2351 deletions
@@ -49,14 +49,15 @@ steps:


  - command:
-      - "python -m pip install tox"
+      - "apt-get update && apt-get install -y python3.5 python3.5-dev python3-pip libxml2-dev libxslt-dev zlib1g-dev"
+      - "python3.5 -m pip install tox"
      - "tox -e py35-old,codecov"
    label: ":python: 3.5 / SQLite / Old Deps"
    env:
      TRIAL_FLAGS: "-j 2"
    plugins:
      - docker#v3.0.1:
-          image: "python:3.5"
+          image: "ubuntu:xenial"  # We use xenail to get an old sqlite and python
          propagate-environment: true
    retry:
      automatic:
@@ -117,8 +118,10 @@ steps:
          limit: 2

  - label: ":python: 3.5 / :postgres: 9.5"
+    agents:
+      queue: "medium"
    env:
-      TRIAL_FLAGS: "-j 4"
+      TRIAL_FLAGS: "-j 8"
    command:
      - "bash -c 'python -m pip install tox && python -m tox -e py35-postgres,codecov'"
    plugins:
@@ -134,8 +137,10 @@ steps:
          limit: 2

  - label: ":python: 3.7 / :postgres: 9.5"
+    agents:
+      queue: "medium"
    env:
-      TRIAL_FLAGS: "-j 4"
+      TRIAL_FLAGS: "-j 8"
    command:
      - "bash -c 'python -m pip install tox && python -m tox -e py37-postgres,codecov'"
    plugins:
@@ -151,8 +156,10 @@ steps:
          limit: 2

  - label: ":python: 3.7 / :postgres: 11"
+    agents:
+      queue: "medium"
    env:
-      TRIAL_FLAGS: "-j 4"
+      TRIAL_FLAGS: "-j 8"
    command:
      - "bash -c 'python -m pip install tox && python -m tox -e py37-postgres,codecov'"
    plugins:
@@ -214,8 +221,10 @@ steps:
    env:
      POSTGRES: "1"
      WORKERS: "1"
+      BLACKLIST: "synapse-blacklist-with-workers"
    command:
      - "bash .buildkite/merge_base_branch.sh"
+      - "bash -c 'cat /src/sytest-blacklist /src/.buildkite/worker-blacklist > /src/synapse-blacklist-with-workers'"
      - "bash /synapse_sytest.sh"
    plugins:
      - docker#v3.0.1:
@@ -223,7 +232,6 @@ steps:
          propagate-environment: true
          always-pull: true
          workdir: "/src"
-    soft_fail: true
    retry:
      automatic:
        - exit_status: -1
@@ -0,0 +1,34 @@
+# This file serves as a blacklist for SyTest tests that we expect will fail in
+# Synapse when run under worker mode. For more details, see sytest-blacklist.
+
+Message history can be paginated
+
+m.room.history_visibility == "world_readable" allows/forbids appropriately for Guest users
+
+m.room.history_visibility == "world_readable" allows/forbids appropriately for Real users
+
+Can re-join room if re-invited
+
+/upgrade creates a new room
+
+The only membership state included in an initial sync is for all the senders in the timeline
+
+Local device key changes get to remote servers
+
+If remote user leaves room we no longer receive device updates
+
+Forgotten room messages cannot be paginated
+
+Inbound federation can get public room list
+
+Members from the gap are included in gappy incr LL sync
+
+Leaves are present in non-gapped incremental syncs
+
+Old leaves are present in gapped incremental syncs
+
+User sees updates to presence from other users in the incremental sync.
+
+Gapped incremental syncs include all state changes
+
+Old members are included in gappy incr LL sync if they start speaking
@@ -1,5 +1,4 @@
-comment:
-  layout: "diff"
+comment: off

 coverage:
  status:
@@ -1,3 +1,22 @@
+Synapse 1.2.1 (2019-07-26)
+==========================
+
+Security update
+---------------
+
+This release includes *four* security fixes:
+
+- Prevent an attack where a federated server could send redactions for arbitrary events in v1 and v2 rooms. ([\#5767](https://github.com/matrix-org/synapse/issues/5767))
+- Prevent a denial-of-service attack where cycles of redaction events would make Synapse spin infinitely. Thanks to `@lrizika:matrix.org` for identifying and responsibly disclosing this issue. ([0f2ecb961](https://github.com/matrix-org/synapse/commit/0f2ecb961))
+- Prevent an attack where users could be joined or parted from public rooms without their consent. Thanks to @dylangerdaly for identifying and responsibly disclosing this issue. ([\#5744](https://github.com/matrix-org/synapse/issues/5744))
+- Fix a vulnerability where a federated server could spoof read-receipts from
+  users on other servers. Thanks to @dylangerdaly for identifying this issue too. ([\#5743](https://github.com/matrix-org/synapse/issues/5743))
+
+Additionally, the following fix was in Synapse **1.2.0**, but was not correctly
+identified during the original release:
+
+- It was possible for a room moderator to send a redaction for an `m.room.create` event, which would downgrade the room to version 1. Thanks to `/dev/ponies` for identifying and responsibly disclosing this issue! ([\#5701](https://github.com/matrix-org/synapse/issues/5701))
+
 Synapse 1.2.0 (2019-07-25)
 ==========================

@@ -16,6 +35,14 @@ Bugfixes
 Synapse 1.2.0rc1 (2019-07-22)
 =============================

+Security fixes
+--------------
+
+This update included a security fix which was initially incorrectly flagged as
+a regular bug fix.
+
+- It was possible for a room moderator to send a redaction for an `m.room.create` event, which would downgrade the room to version 1. Thanks to `/dev/ponies` for identifying and responsibly disclosing this issue! ([\#5701](https://github.com/matrix-org/synapse/issues/5701))
+
 Features
 --------

@@ -41,7 +68,6 @@ Bugfixes
 - Fix bug in #5626 that prevented the original_event field from actually having the contents of the original event in a call to `/relations`. ([\#5654](https://github.com/matrix-org/synapse/issues/5654))
 - Fix 3PID bind requests being sent to identity servers as `application/x-form-www-urlencoded` data, which is deprecated. ([\#5658](https://github.com/matrix-org/synapse/issues/5658))
 - Fix some problems with authenticating redactions in recent room versions. ([\#5699](https://github.com/matrix-org/synapse/issues/5699), [\#5700](https://github.com/matrix-org/synapse/issues/5700), [\#5707](https://github.com/matrix-org/synapse/issues/5707))
- Ignore redactions of m.room.create events. ([\#5701](https://github.com/matrix-org/synapse/issues/5701))


 Updates to the Docker image
@@ -7,7 +7,6 @@ include demo/README
 include demo/demo.tls.dh
 include demo/*.py
 include demo/*.sh
-include sytest-blacklist

 recursive-include synapse/storage/schema *.sql
 recursive-include synapse/storage/schema *.sql.postgres
@@ -34,6 +33,7 @@ exclude Dockerfile
 exclude .dockerignore
 exclude test_postgresql.sh
 exclude .editorconfig
+exclude sytest-blacklist

 include pyproject.toml
 recursive-include changelog.d *
@@ -0,0 +1 @@
+Synapse now no longer accepts the `-v`/`--verbose`, `-f`/`--log-file`, or `--log-config` command line flags, and removes the deprecated `verbose` and `log_file` configuration file options. Users of these options should migrate their options into the dedicated log configuration.
@@ -0,0 +1 @@
+Use `M_USER_DEACTIVATED` instead of `M_UNKNOWN` for errcode when a deactivated user attempts to login.
@@ -0,0 +1 @@
+Add OpenTracing instrumentation for e2e code paths.
@@ -0,0 +1 @@
+Fix UISIs during homeserver outage.
@@ -0,0 +1 @@
+Make Jaeger fully configurable.
@@ -0,0 +1 @@
+Add precautionary measures to prevent future abuse of `window.opener` in default welcome page.
@@ -0,0 +1 @@
+Reduce database IO usage by optimising queries for current membership.
@@ -0,0 +1 @@
+Improve caching when fetching `get_filtered_current_state_ids`.
@@ -0,0 +1 @@
+Don't accept opentracing data from clients.
@@ -0,0 +1 @@
+Speed up PostgreSQL unit tests in CI.
@@ -0,0 +1 @@
+Update the coding style document.
@@ -0,0 +1 @@
+Improve database query performance when recording retry intervals for remote hosts.
@@ -0,0 +1 @@
+Add a set of opentracing utils.
@@ -0,0 +1 @@
+Fix stack overflow in server key lookup code.
@@ -0,0 +1 @@
+start.sh no longer uses deprecated cli option.
@@ -0,0 +1 @@
+ Synapse now no longer accepts the `-v`/`--verbose`, `-f`/`--log-file`, or `--log-config` command line flags, and removes the deprecated `verbose` and `log_file` configuration file options. Users of these options should migrate their options into the dedicated log configuration.
@@ -0,0 +1 @@
+Cache result of get_version_string to reduce overhead of `/version` federation requests.
@@ -0,0 +1 @@
+Return 'user_type' in admin API user endpoints results.
@@ -0,0 +1 @@
+Add sd_notify hooks to ease systemd integration and allows usage of Type=Notify.
@@ -0,0 +1 @@
+Don't package the sytest test blacklist file.
@@ -0,0 +1 @@
+Replace uses of returnValue with plain return, as returnValue is not needed on Python 3.
@@ -0,0 +1 @@
+Reduce database IO usage by optimising queries for current membership.
@@ -0,0 +1 @@
+Blacklist some flakey tests in worker mode.
@@ -0,0 +1 @@
+Log when we receive an event receipt from an unexpected origin.
@@ -0,0 +1 @@
+Reduce database IO usage by optimising queries for current membership.
@@ -0,0 +1 @@
+Fix some error cases in the caching layer.
@@ -0,0 +1 @@
+Add a prometheus metric for pending cache lookups.
@@ -0,0 +1 @@
+Reduce database IO usage by optimising queries for current membership.
@@ -0,0 +1 @@
+Stop trying to fetch events with event_id=None.
@@ -0,0 +1 @@
+Convert RedactionTestCase to modern test style.
@@ -0,0 +1 @@
+Reduce database IO usage by optimising queries for current membership.
@@ -0,0 +1 @@
+Reduce database IO usage by optimising queries for current membership.
@@ -0,0 +1 @@
+Fix debian packaging scripts to correctly build sid packages.
@@ -0,0 +1 @@
+Allow looping calls to be given arguments.
@@ -0,0 +1 @@
+Remove non-functional 'expire_access_token' setting.
@@ -0,0 +1 @@
+Synapse can now be configured to not join remote rooms of a given "complexity" (currently, state events) over federation. This option can be used to prevent adverse performance on resource-constrained homeservers.
@@ -0,0 +1 @@
+Set the logs emitted when checking typing and presence timeouts to DEBUG level, not INFO.
@@ -0,0 +1 @@
+Remove DelayedCall debugging from the test suite, as it is no longer required in the vast majority of Synapse's tests.
@@ -0,0 +1 @@
+Fix UISIs during homeserver outage.
@@ -0,0 +1 @@
+Remove some spurious exceptions from the logs where we failed to talk to a remote server.
@@ -0,0 +1 @@
+Reduce database IO usage by optimising queries for current membership.
@@ -0,0 +1 @@
+Reduce database IO usage by optimising queries for current membership.
@@ -0,0 +1 @@
+Improve performance when making `.well-known` requests by sharing the SSL options between requests.
@@ -0,0 +1 @@
+Disable codecov GitHub comments on PRs.
@@ -0,0 +1 @@
+Don't allow clients to send tombstone events that reference the room it's sent in.
@@ -0,0 +1 @@
+Deny redactions of events sent in a different room. 
@@ -0,0 +1 @@
+Fix check that tombstone is a state event in push rules.
@@ -0,0 +1 @@
+Deny sending well known state types as non-state events.
@@ -0,0 +1 @@
+Fix error when trying to login as a deactivated user when using a worker to handle login.
@@ -0,0 +1 @@
+Allow defining HTML templates to serve the user on account renewal attempt when using the account validity feature.
@@ -0,0 +1 @@
+Handle incorrectly encoded query params correctly by returning a 400.
@@ -0,0 +1 @@
+Return 502 not 500 when failing to reach any remote server.
@@ -4,7 +4,8 @@ After=matrix-synapse.service
 BindsTo=matrix-synapse.service

 [Service]
-Type=simple
+Type=notify
+NotifyAccess=main
 User=matrix-synapse
 WorkingDirectory=/var/lib/matrix-synapse
 EnvironmentFile=/etc/default/matrix-synapse
@@ -2,7 +2,8 @@
 Description=Synapse Matrix Homeserver

 [Service]
-Type=simple
+Type=notify
+NotifyAccess=main
 User=matrix-synapse
 WorkingDirectory=/var/lib/matrix-synapse
 EnvironmentFile=/etc/default/matrix-synapse
@@ -14,7 +14,9 @@
 Description=Synapse Matrix homeserver

 [Service]
-Type=simple
+Type=notify
+NotifyAccess=main
+ExecReload=/bin/kill -HUP $MAINPID
 Restart=on-abort

 User=synapse
@@ -1,3 +1,9 @@
+matrix-synapse-py3 (1.2.1) stable; urgency=medium
+
+  * New synapse release 1.2.1.
+
+ -- Synapse Packaging team <packages@matrix.org>  Fri, 26 Jul 2019 11:32:47 +0100
+
 matrix-synapse-py3 (1.2.0) stable; urgency=medium

  [ Amber Brown ]
@@ -29,7 +29,7 @@ for port in 8080 8081 8082; do

    if ! grep -F "Customisation made by demo/start.sh" -q  $DIR/etc/$port.config; then
        printf '\n\n# Customisation made by demo/start.sh\n' >> $DIR/etc/$port.config
-        
+
        echo 'enable_registration: true' >> $DIR/etc/$port.config

        # Warning, this heredoc depends on the interaction of tabs and spaces. Please don't
@@ -43,7 +43,7 @@ for port in 8080 8081 8082; do
 		    tls: true
 		    resources:
 		      - names: [client, federation]
-		
+
 		  - port: $port
 		    tls: false
 		    bind_addresses: ['::1', '127.0.0.1']
@@ -68,7 +68,7 @@ for port in 8080 8081 8082; do

        # Generate tls keys
        openssl req -x509 -newkey rsa:4096 -keyout $DIR/etc/localhost\:$https_port.tls.key -out $DIR/etc/localhost\:$https_port.tls.crt -days 365 -nodes -subj "/O=matrix"
-        
+
        # Ignore keys from the trusted keys server
        echo '# Ignore keys from the trusted keys server' >> $DIR/etc/$port.config
        echo 'trusted_key_servers:' >> $DIR/etc/$port.config
@@ -120,7 +120,6 @@ for port in 8080 8081 8082; do
    python3 -m synapse.app.homeserver \
        --config-path "$DIR/etc/$port.config" \
        -D \
-        -vv \

    popd
 done
@@ -42,6 +42,11 @@ RUN cd dh-virtualenv-1.1 && dpkg-buildpackage -us -uc -b
 ###
 FROM ${distro}

+# Get the distro we want to pull from as a dynamic build variable
+# (We need to define it in each build stage)
+ARG distro=""
+ENV distro ${distro}
+
 # Install the build dependencies
 #
 # NB: keep this list in sync with the list of build-deps in debian/control
@@ -4,7 +4,8 @@

 set -ex

-DIST=`lsb_release -c -s`
+# Get the codename from distro env
+DIST=`cut -d ':' -f2 <<< $distro`

 # we get a read-only copy of the source: make a writeable copy
 cp -aT /synapse/source /synapse/build
@@ -1,4 +1,8 @@
-# Code Style
+Code Style
+==========
+
+Formatting tools
+----------------

 The Synapse codebase uses a number of code formatting tools in order to
 quickly and automatically check for formatting (and sometimes logical) errors
@@ -6,20 +10,20 @@ in code.

 The necessary tools are detailed below.

-## Formatting tools
+- **black**

-The Synapse codebase uses [black](https://pypi.org/project/black/) as an
-opinionated code formatter, ensuring all comitted code is properly
-formatted.
+  The Synapse codebase uses `black <https://pypi.org/project/black/>`_ as an
+  opinionated code formatter, ensuring all comitted code is properly
+  formatted.

-First install ``black`` with::
+  First install ``black`` with::

-  pip install --upgrade black
+    pip install --upgrade black

-Have ``black`` auto-format your code (it shouldn't change any
-functionality) with::
+  Have ``black`` auto-format your code (it shouldn't change any functionality)
+  with::

-  black . --exclude="\.tox|build|env"
+    black . --exclude="\.tox|build|env"

 - **flake8**

@@ -54,17 +58,16 @@ functionality is supported in your editor for a more convenient development
 workflow. It is not, however, recommended to run ``flake8`` on save as it
 takes a while and is very resource intensive.

-## General rules
+General rules
+-------------

 - **Naming**:

  - Use camel case for class and type names
  - Use underscores for functions and variables.

- Use double quotes ``"foo"`` rather than single quotes ``'foo'``.
-
- **Comments**: should follow the `google code style
-  <http://google.github.io/styleguide/pyguide.html?showone=Comments#Comments>`_.
+- **Docstrings**: should follow the `google code style
+  <https://google.github.io/styleguide/pyguide.html#38-comments-and-docstrings>`_.
  This is so that we can generate documentation with `sphinx
  <http://sphinxcontrib-napoleon.readthedocs.org/en/latest/>`_. See the
  `examples
@@ -73,6 +76,8 @@ takes a while and is very resource intensive.

 - **Imports**:

+  - Imports should be sorted by ``isort`` as described above.
+
  - Prefer to import classes and functions rather than packages or modules.

    Example::
@@ -92,25 +97,84 @@ takes a while and is very resource intensive.
    This goes against the advice in the Google style guide, but it means that
    errors in the name are caught early (at import time).

-  - Multiple imports from the same package can be combined onto one line::
-
-      from synapse.types import GroupID, RoomID, UserID
-
-    An effort should be made to keep the individual imports in alphabetical
-    order.
-
-    If the list becomes long, wrap it with parentheses and split it over
-    multiple lines.
-
-  - As per `PEP-8 <https://www.python.org/dev/peps/pep-0008/#imports>`_,
-    imports should be grouped in the following order, with a blank line between
-    each group:
-
-    1. standard library imports
-    2. related third party imports
-    3. local application/library specific imports
-
-  - Imports within each group should be sorted alphabetically by module name.
-
  - Avoid wildcard imports (``from synapse.types import *``) and relative
    imports (``from .types import UserID``).
+
+Configuration file format
+-------------------------
+
+The `sample configuration file <./sample_config.yaml>`_ acts as a reference to
+Synapse's configuration options for server administrators. Remember that many
+readers will be unfamiliar with YAML and server administration in general, so
+that it is important that the file be as easy to understand as possible, which
+includes following a consistent format.
+
+Some guidelines follow:
+
+* Sections should be separated with a heading consisting of a single line
+  prefixed and suffixed with ``##``. There should be **two** blank lines
+  before the section header, and **one** after.
+
+* Each option should be listed in the file with the following format:
+
+  * A comment describing the setting. Each line of this comment should be
+    prefixed with a hash (``#``) and a space.
+
+    The comment should describe the default behaviour (ie, what happens if
+    the setting is omitted), as well as what the effect will be if the
+    setting is changed.
+
+    Often, the comment end with something like "uncomment the
+    following to \<do action>".
+
+  * A line consisting of only ``#``.
+
+  * A commented-out example setting, prefixed with only ``#``.
+
+    For boolean (on/off) options, convention is that this example should be
+    the *opposite* to the default (so the comment will end with "Uncomment
+    the following to enable [or disable] \<feature\>." For other options,
+    the example should give some non-default value which is likely to be
+    useful to the reader.
+
+* There should be a blank line between each option.
+
+* Where several settings are grouped into a single dict, *avoid* the
+  convention where the whole block is commented out, resulting in comment
+  lines starting ``# #``, as this is hard to read and confusing to
+  edit. Instead, leave the top-level config option uncommented, and follow
+  the conventions above for sub-options. Ensure that your code correctly
+  handles the top-level option being set to ``None`` (as it will be if no
+  sub-options are enabled).
+
+* Lines should be wrapped at 80 characters.
+
+Example::
+
+    ## Frobnication ##
+
+    # The frobnicator will ensure that all requests are fully frobnicated.
+    # To enable it, uncomment the following.
+    #
+    #frobnicator_enabled: true
+
+    # By default, the frobnicator will frobnicate with the default frobber.
+    # The following will make it use an alternative frobber.
+    #
+    #frobincator_frobber: special_frobber
+
+    # Settings for the frobber
+    #
+    frobber:
+       # frobbing speed. Defaults to 1.
+       #
+       #speed: 10
+
+       # frobbing distance. Defaults to 1000.
+       #
+       #distance: 100
+
+Note that the sample configuration is generated from the synapse code and is
+maintained by a script, ``scripts-dev/generate_sample_config``. Making sure
+that the output from this script matches the desired format is left as an
+exercise for the reader!
@@ -148,7 +148,7 @@ call any other functions.
        d = more_stuff()
        result = yield d            # also fine, of course

-        defer.returnValue(result)
+        return result

    def nonInlineCallbacksFun():
        logger.debug("just a wrapper really")
@@ -278,6 +278,23 @@ listeners:
 # Used by phonehome stats to group together related servers.
 #server_context: context

+# Resource-constrained Homeserver Settings
+#
+# If limit_remote_rooms.enabled is True, the room complexity will be
+# checked before a user joins a new remote room. If it is above
+# limit_remote_rooms.complexity, it will disallow joining or
+# instantly leave.
+#
+# limit_remote_rooms.complexity_error can be set to customise the text
+# displayed to the user when a room above the complexity threshold has
+# its join cancelled.
+#
+# Uncomment the below lines to enable:
+#limit_remote_rooms:
+#  enabled: True
+#  complexity: 1.0
+#  complexity_error: "This room is too complex."
+
 # Whether to require a user to be in the room to add an alias to it.
 # Defaults to 'true'.
 #
@@ -785,6 +802,16 @@ uploads_path: "DATADIR/uploads"
 #  period: 6w
 #  renew_at: 1w
 #  renew_email_subject: "Renew your %(app)s account"
+#  # Directory in which Synapse will try to find the HTML files to serve to the
+#  # user when trying to renew an account. Optional, defaults to
+#  # synapse/res/templates.
+#  template_dir: "res/templates"
+#  # HTML to be displayed to the user after they successfully renewed their
+#  # account. Optional.
+#  account_renewed_html_path: "account_renewed.html"
+#  # HTML to be displayed when the user tries to renew an account with an invalid
+#  # renewal token. Optional.
+#  invalid_token_html_path: "invalid_token.html"

 # Time that a user's session remains valid for, after they log in.
 #
@@ -925,10 +952,6 @@ uploads_path: "DATADIR/uploads"
 #
 # macaroon_secret_key: <PRIVATE STRING>

-# Used to enable access token expiration.
-#
-#expire_access_token: False
-
 # a secret which is used to calculate HMACs for form values, to stop
 # falsification of values. Must be specified for the User Consent
 # forms to work.
@@ -1430,3 +1453,19 @@ opentracing:
    #
    #homeserver_whitelist:
    #  - ".*"
+
+    # Jaeger can be configured to sample traces at different rates.
+    # All configuration options provided by Jaeger can be set here.
+    # Jaeger's configuration mostly related to trace sampling which
+    # is documented here:
+    # https://www.jaegertracing.io/docs/1.13/sampling/.
+    #
+    #jaeger_config:
+    #  sampler:
+    #    type: const
+    #    param: 1
+
+    #  Logging whether spans were started and reported
+    #
+    #  logging:
+    #    false
@@ -35,4 +35,4 @@ try:
 except ImportError:
    pass

-__version__ = "1.2.0"
+__version__ = "1.2.1"
@@ -22,6 +22,7 @@ from netaddr import IPAddress

 from twisted.internet import defer

+import synapse.logging.opentracing as opentracing
 import synapse.types
 from synapse import event_auth
 from synapse.api.constants import EventTypes, JoinRules, Membership
@@ -128,7 +129,7 @@ class Auth(object):
            )

        self._check_joined_room(member, user_id, room_id)
-        defer.returnValue(member)
+        return member

    @defer.inlineCallbacks
    def check_user_was_in_room(self, room_id, user_id):
@@ -156,13 +157,13 @@ class Auth(object):
            if forgot:
                raise AuthError(403, "User %s not in room %s" % (user_id, room_id))

-        defer.returnValue(member)
+        return member

    @defer.inlineCallbacks
    def check_host_in_room(self, room_id, host):
        with Measure(self.clock, "check_host_in_room"):
            latest_event_ids = yield self.store.is_host_joined(room_id, host)
-            defer.returnValue(latest_event_ids)
+            return latest_event_ids

    def _check_joined_room(self, member, user_id, room_id):
        if not member or member.membership != Membership.JOIN:
@@ -178,6 +179,7 @@ class Auth(object):
    def get_public_keys(self, invite_event):
        return event_auth.get_public_keys(invite_event)

+    @opentracing.trace
    @defer.inlineCallbacks
    def get_user_by_req(
        self, request, allow_guest=False, rights="access", allow_expired=False
@@ -209,6 +211,10 @@ class Auth(object):
            user_id, app_service = yield self._get_appservice_user_id(request)
            if user_id:
                request.authenticated_entity = user_id
+                opentracing.set_tag("authenticated_entity", user_id)
+                # there is at least one other place where authenticated entity is
+                # set. user_id is tagged in case authenticated_entity is clobbered
+                opentracing.set_tag("user_id", user_id)

                if ip_addr and self.hs.config.track_appservice_user_ips:
                    yield self.store.insert_client_ip(
@@ -219,9 +225,7 @@ class Auth(object):
                        device_id="dummy-device",  # stubbed
                    )

-                defer.returnValue(
-                    synapse.types.create_requester(user_id, app_service=app_service)
-                )
+                return synapse.types.create_requester(user_id, app_service=app_service)

            user_info = yield self.get_user_by_access_token(access_token, rights)
            user = user_info["user"]
@@ -262,10 +266,13 @@ class Auth(object):

            request.authenticated_entity = user.to_string()

-            defer.returnValue(
-                synapse.types.create_requester(
-                    user, token_id, is_guest, device_id, app_service=app_service
-                )
+            opentracing.set_tag("authenticated_entity", user.to_string())
+            # there is at least one other place where authenticated entity is
+            # set. user_id is tagged incase authenticated_entity is clobbered
+            opentracing.set_tag("user_id", user.to_string())
+
+            return synapse.types.create_requester(
+                user, token_id, is_guest, device_id, app_service=app_service
            )
        except KeyError:
            raise MissingClientTokenError()
@@ -276,25 +283,25 @@ class Auth(object):
            self.get_access_token_from_request(request)
        )
        if app_service is None:
-            defer.returnValue((None, None))
+            return (None, None)

        if app_service.ip_range_whitelist:
            ip_address = IPAddress(self.hs.get_ip_from_request(request))
            if ip_address not in app_service.ip_range_whitelist:
-                defer.returnValue((None, None))
+                return (None, None)

        if b"user_id" not in request.args:
-            defer.returnValue((app_service.sender, app_service))
+            return (app_service.sender, app_service)

        user_id = request.args[b"user_id"][0].decode("utf8")
        if app_service.sender == user_id:
-            defer.returnValue((app_service.sender, app_service))
+            return (app_service.sender, app_service)

        if not app_service.is_interested_in_user(user_id):
            raise AuthError(403, "Application service cannot masquerade as this user.")
        if not (yield self.store.get_user_by_id(user_id)):
            raise AuthError(403, "Application service has not registered this user")
-        defer.returnValue((user_id, app_service))
+        return (user_id, app_service)

    @defer.inlineCallbacks
    def get_user_by_access_token(self, token, rights="access"):
@@ -330,7 +337,7 @@ class Auth(object):
                        msg="Access token has expired", soft_logout=True
                    )

-                defer.returnValue(r)
+                return r

        # otherwise it needs to be a valid macaroon
        try:
@@ -378,7 +385,7 @@ class Auth(object):
                }
            else:
                raise RuntimeError("Unknown rights setting %s", rights)
-            defer.returnValue(ret)
+            return ret
        except (
            _InvalidMacaroonException,
            pymacaroons.exceptions.MacaroonException,
@@ -414,21 +421,16 @@ class Auth(object):
        try:
            user_id = self.get_user_id_from_macaroon(macaroon)

-            has_expiry = False
            guest = False
            for caveat in macaroon.caveats:
-                if caveat.caveat_id.startswith("time "):
-                    has_expiry = True
-                elif caveat.caveat_id == "guest = true":
+                if caveat.caveat_id == "guest = true":
                    guest = True

-            self.validate_macaroon(
-                macaroon, rights, self.hs.config.expire_access_token, user_id=user_id
-            )
+            self.validate_macaroon(macaroon, rights, user_id=user_id)
        except (pymacaroons.exceptions.MacaroonException, TypeError, ValueError):
            raise InvalidClientTokenError("Invalid macaroon passed.")

-        if not has_expiry and rights == "access":
+        if rights == "access":
            self.token_cache[token] = (user_id, guest)

        return user_id, guest
@@ -454,7 +456,7 @@ class Auth(object):
                return caveat.caveat_id[len(user_prefix) :]
        raise InvalidClientTokenError("No user caveat in macaroon")

-    def validate_macaroon(self, macaroon, type_string, verify_expiry, user_id):
+    def validate_macaroon(self, macaroon, type_string, user_id):
        """
        validate that a Macaroon is understood by and was signed by this server.

@@ -462,7 +464,6 @@ class Auth(object):
            macaroon(pymacaroons.Macaroon): The macaroon to validate
            type_string(str): The kind of token required (e.g. "access",
                              "delete_pusher")
-            verify_expiry(bool): Whether to verify whether the macaroon has expired.
            user_id (str): The user_id required
        """
        v = pymacaroons.Verifier()
@@ -475,19 +476,7 @@ class Auth(object):
        v.satisfy_exact("type = " + type_string)
        v.satisfy_exact("user_id = %s" % user_id)
        v.satisfy_exact("guest = true")
-
-        # verify_expiry should really always be True, but there exist access
-        # tokens in the wild which expire when they should not, so we can't
-        # enforce expiry yet (so we have to allow any caveat starting with
-        # 'time < ' in access tokens).
-        #
-        # On the other hand, short-term login tokens (as used by CAS login, for
-        # example) have an expiry time which we do want to enforce.
-
-        if verify_expiry:
-            v.satisfy_general(self._verify_expiry)
-        else:
-            v.satisfy_general(lambda c: c.startswith("time < "))
+        v.satisfy_general(self._verify_expiry)

        # access_tokens include a nonce for uniqueness: any value is acceptable
        v.satisfy_general(lambda c: c.startswith("nonce = "))
@@ -506,7 +495,7 @@ class Auth(object):
    def _look_up_user_by_access_token(self, token):
        ret = yield self.store.get_user_by_access_token(token)
        if not ret:
-            defer.returnValue(None)
+            return None

        # we use ret.get() below because *lots* of unit tests stub out
        # get_user_by_access_token in a way where it only returns a couple of
@@ -518,7 +507,7 @@ class Auth(object):
            "device_id": ret.get("device_id"),
            "valid_until_ms": ret.get("valid_until_ms"),
        }
-        defer.returnValue(user_info)
+        return user_info

    def get_appservice_by_req(self, request):
        token = self.get_access_token_from_request(request)
@@ -543,7 +532,7 @@ class Auth(object):
    @defer.inlineCallbacks
    def compute_auth_events(self, event, current_state_ids, for_verification=False):
        if event.type == EventTypes.Create:
-            defer.returnValue([])
+            return []

        auth_ids = []

@@ -604,7 +593,7 @@ class Auth(object):
            if member_event.content["membership"] == Membership.JOIN:
                auth_ids.append(member_event.event_id)

-        defer.returnValue(auth_ids)
+        return auth_ids

    @defer.inlineCallbacks
    def check_can_change_room_list(self, room_id, user):
@@ -618,7 +607,7 @@ class Auth(object):

        is_admin = yield self.is_server_admin(user)
        if is_admin:
-            defer.returnValue(True)
+            return True

        user_id = user.to_string()
        yield self.check_joined_room(room_id, user_id)
@@ -712,7 +701,7 @@ class Auth(object):
            #  * The user is a guest user, and has joined the room
            # else it will throw.
            member_event = yield self.check_user_was_in_room(room_id, user_id)
-            defer.returnValue((member_event.membership, member_event.event_id))
+            return (member_event.membership, member_event.event_id)
        except AuthError:
            visibility = yield self.state.get_current_state(
                room_id, EventTypes.RoomHistoryVisibility, ""
@@ -721,7 +710,7 @@ class Auth(object):
                visibility
                and visibility.content["history_visibility"] == "world_readable"
            ):
-                defer.returnValue((Membership.JOIN, None))
+                return (Membership.JOIN, None)
                return
            raise AuthError(
                403, "Guest access not allowed", errcode=Codes.GUEST_ACCESS_FORBIDDEN
@@ -61,6 +61,7 @@ class Codes(object):
    INCOMPATIBLE_ROOM_VERSION = "M_INCOMPATIBLE_ROOM_VERSION"
    WRONG_ROOM_KEYS_VERSION = "M_WRONG_ROOM_KEYS_VERSION"
    EXPIRED_ACCOUNT = "ORG_MATRIX_EXPIRED_ACCOUNT"
+    USER_DEACTIVATED = "M_USER_DEACTIVATED"


 class CodeMessageException(RuntimeError):
@@ -151,7 +152,7 @@ class UserDeactivatedError(SynapseError):
            msg (str): The human-readable error message
        """
        super(UserDeactivatedError, self).__init__(
-            code=http_client.FORBIDDEN, msg=msg, errcode=Codes.UNKNOWN
+            code=http_client.FORBIDDEN, msg=msg, errcode=Codes.USER_DEACTIVATED
        )


@@ -132,7 +132,7 @@ class Filtering(object):
    @defer.inlineCallbacks
    def get_user_filter(self, user_localpart, filter_id):
        result = yield self.store.get_user_filter(user_localpart, filter_id)
-        defer.returnValue(FilterCollection(result))
+        return FilterCollection(result)

    def add_user_filter(self, user_localpart, user_filter):
        self.check_valid_filter(user_filter)
@@ -15,10 +15,12 @@

 import gc
 import logging
+import os
 import signal
 import sys
 import traceback

+import sdnotify
 from daemonize import Daemonize

 from twisted.internet import defer, error, reactor
@@ -242,9 +244,16 @@ def start(hs, listeners=None):
        if hasattr(signal, "SIGHUP"):

            def handle_sighup(*args, **kwargs):
+                # Tell systemd our state, if we're using it. This will silently fail if
+                # we're not using systemd.
+                sd_channel = sdnotify.SystemdNotifier()
+                sd_channel.notify("RELOADING=1")
+
                for i in _sighup_callbacks:
                    i(hs)

+                sd_channel.notify("READY=1")
+
            signal.signal(signal.SIGHUP, handle_sighup)

            register_sighup(refresh_certificate)
@@ -260,6 +269,7 @@ def start(hs, listeners=None):
        hs.get_datastore().start_profiling()

        setup_sentry(hs)
+        setup_sdnotify(hs)
    except Exception:
        traceback.print_exc(file=sys.stderr)
        reactor = hs.get_reactor()
@@ -292,6 +302,25 @@ def setup_sentry(hs):
        scope.set_tag("worker_name", name)


+def setup_sdnotify(hs):
+    """Adds process state hooks to tell systemd what we are up to.
+    """
+
+    # Tell systemd our state, if we're using it. This will silently fail if
+    # we're not using systemd.
+    sd_channel = sdnotify.SystemdNotifier()
+
+    hs.get_reactor().addSystemEventTrigger(
+        "after",
+        "startup",
+        lambda: sd_channel.notify("READY=1\nMAINPID=%s" % (os.getpid())),
+    )
+
+    hs.get_reactor().addSystemEventTrigger(
+        "before", "shutdown", lambda: sd_channel.notify("STOPPING=1")
+    )
+
+
 def install_dns_limiter(reactor, max_dns_requests_in_flight=100):
    """Replaces the resolver with one that limits the number of in flight DNS
    requests.
@@ -168,7 +168,9 @@ def start(config_options):
    )

    ps.setup()
-    reactor.callWhenRunning(_base.start, ps, config.worker_listeners)
+    reactor.addSystemEventTrigger(
+        "before", "startup", _base.start, ps, config.worker_listeners
+    )

    _base.start_worker_reactor("synapse-appservice", config)

@@ -194,7 +194,9 @@ def start(config_options):
    )

    ss.setup()
-    reactor.callWhenRunning(_base.start, ss, config.worker_listeners)
+    reactor.addSystemEventTrigger(
+        "before", "startup", _base.start, ss, config.worker_listeners
+    )

    _base.start_worker_reactor("synapse-client-reader", config)

@@ -193,7 +193,9 @@ def start(config_options):
    )

    ss.setup()
-    reactor.callWhenRunning(_base.start, ss, config.worker_listeners)
+    reactor.addSystemEventTrigger(
+        "before", "startup", _base.start, ss, config.worker_listeners
+    )

    _base.start_worker_reactor("synapse-event-creator", config)

@@ -175,7 +175,9 @@ def start(config_options):
    )

    ss.setup()
-    reactor.callWhenRunning(_base.start, ss, config.worker_listeners)
+    reactor.addSystemEventTrigger(
+        "before", "startup", _base.start, ss, config.worker_listeners
+    )

    _base.start_worker_reactor("synapse-federation-reader", config)

@@ -198,7 +198,9 @@ def start(config_options):
    )

    ss.setup()
-    reactor.callWhenRunning(_base.start, ss, config.worker_listeners)
+    reactor.addSystemEventTrigger(
+        "before", "startup", _base.start, ss, config.worker_listeners
+    )

    _base.start_worker_reactor("synapse-federation-sender", config)

@@ -70,12 +70,12 @@ class PresenceStatusStubServlet(RestServlet):
        except HttpResponseException as e:
            raise e.to_synapse_error()

-        defer.returnValue((200, result))
+        return (200, result)

    @defer.inlineCallbacks
    def on_PUT(self, request, user_id):
        yield self.auth.get_user_by_req(request)
-        defer.returnValue((200, {}))
+        return (200, {})


 class KeyUploadServlet(RestServlet):
@@ -126,11 +126,11 @@ class KeyUploadServlet(RestServlet):
                self.main_uri + request.uri.decode("ascii"), body, headers=headers
            )

-            defer.returnValue((200, result))
+            return (200, result)
        else:
            # Just interested in counts.
            result = yield self.store.count_e2e_one_time_keys(user_id, device_id)
-            defer.returnValue((200, {"one_time_key_counts": result}))
+            return (200, {"one_time_key_counts": result})


 class FrontendProxySlavedStore(
@@ -247,7 +247,9 @@ def start(config_options):
    )

    ss.setup()
-    reactor.callWhenRunning(_base.start, ss, config.worker_listeners)
+    reactor.addSystemEventTrigger(
+        "before", "startup", _base.start, ss, config.worker_listeners
+    )

    _base.start_worker_reactor("synapse-frontend-proxy", config)

@@ -406,7 +406,7 @@ def setup(config_options):
        if provision:
            yield acme.provision_certificate()

-        defer.returnValue(provision)
+        return provision

    @defer.inlineCallbacks
    def reprovision_acme():
@@ -447,7 +447,7 @@ def setup(config_options):
                reactor.stop()
            sys.exit(1)

-    reactor.callWhenRunning(start)
+    reactor.addSystemEventTrigger("before", "startup", start)

    return hs

@@ -161,7 +161,9 @@ def start(config_options):
    )

    ss.setup()
-    reactor.callWhenRunning(_base.start, ss, config.worker_listeners)
+    reactor.addSystemEventTrigger(
+        "before", "startup", _base.start, ss, config.worker_listeners
+    )

    _base.start_worker_reactor("synapse-media-repository", config)

@@ -216,7 +216,7 @@ def start(config_options):
        _base.start(ps, config.worker_listeners)
        ps.get_pusherpool().start()

-    reactor.callWhenRunning(start)
+    reactor.addSystemEventTrigger("before", "startup", start)

    _base.start_worker_reactor("synapse-pusher", config)

@@ -451,7 +451,9 @@ def start(config_options):
    )

    ss.setup()
-    reactor.callWhenRunning(_base.start, ss, config.worker_listeners)
+    reactor.addSystemEventTrigger(
+        "before", "startup", _base.start, ss, config.worker_listeners
+    )

    _base.start_worker_reactor("synapse-synchrotron", config)

@@ -224,7 +224,9 @@ def start(config_options):
    )

    ss.setup()
-    reactor.callWhenRunning(_base.start, ss, config.worker_listeners)
+    reactor.addSystemEventTrigger(
+        "before", "startup", _base.start, ss, config.worker_listeners
+    )

    _base.start_worker_reactor("synapse-user-dir", config)

@@ -175,21 +175,21 @@ class ApplicationService(object):
    @defer.inlineCallbacks
    def _matches_user(self, event, store):
        if not event:
-            defer.returnValue(False)
+            return False

        if self.is_interested_in_user(event.sender):
-            defer.returnValue(True)
+            return True
        # also check m.room.member state key
        if event.type == EventTypes.Member and self.is_interested_in_user(
            event.state_key
        ):
-            defer.returnValue(True)
+            return True

        if not store:
-            defer.returnValue(False)
+            return False

        does_match = yield self._matches_user_in_member_list(event.room_id, store)
-        defer.returnValue(does_match)
+        return does_match

    @cachedInlineCallbacks(num_args=1, cache_context=True)
    def _matches_user_in_member_list(self, room_id, store, cache_context):
@@ -200,8 +200,8 @@ class ApplicationService(object):
        # check joined member events
        for user_id in member_list:
            if self.is_interested_in_user(user_id):
-                defer.returnValue(True)
-        defer.returnValue(False)
+                return True
+        return False

    def _matches_room_id(self, event):
        if hasattr(event, "room_id"):
@@ -211,13 +211,13 @@ class ApplicationService(object):
    @defer.inlineCallbacks
    def _matches_aliases(self, event, store):
        if not store or not event:
-            defer.returnValue(False)
+            return False

        alias_list = yield store.get_aliases_for_room(event.room_id)
        for alias in alias_list:
            if self.is_interested_in_alias(alias):
-                defer.returnValue(True)
-        defer.returnValue(False)
+                return True
+        return False

    @defer.inlineCallbacks
    def is_interested(self, event, store=None):
@@ -231,15 +231,15 @@ class ApplicationService(object):
        """
        # Do cheap checks first
        if self._matches_room_id(event):
-            defer.returnValue(True)
+            return True

        if (yield self._matches_aliases(event, store)):
-            defer.returnValue(True)
+            return True

        if (yield self._matches_user(event, store)):
-            defer.returnValue(True)
+            return True

-        defer.returnValue(False)
+        return False

    def is_interested_in_user(self, user_id):
        return (
@@ -97,40 +97,40 @@ class ApplicationServiceApi(SimpleHttpClient):
    @defer.inlineCallbacks
    def query_user(self, service, user_id):
        if service.url is None:
-            defer.returnValue(False)
+            return False
        uri = service.url + ("/users/%s" % urllib.parse.quote(user_id))
        response = None
        try:
            response = yield self.get_json(uri, {"access_token": service.hs_token})
            if response is not None:  # just an empty json object
-                defer.returnValue(True)
+                return True
        except CodeMessageException as e:
            if e.code == 404:
-                defer.returnValue(False)
+                return False
                return
            logger.warning("query_user to %s received %s", uri, e.code)
        except Exception as ex:
            logger.warning("query_user to %s threw exception %s", uri, ex)
-        defer.returnValue(False)
+        return False

    @defer.inlineCallbacks
    def query_alias(self, service, alias):
        if service.url is None:
-            defer.returnValue(False)
+            return False
        uri = service.url + ("/rooms/%s" % urllib.parse.quote(alias))
        response = None
        try:
            response = yield self.get_json(uri, {"access_token": service.hs_token})
            if response is not None:  # just an empty json object
-                defer.returnValue(True)
+                return True
        except CodeMessageException as e:
            logger.warning("query_alias to %s received %s", uri, e.code)
            if e.code == 404:
-                defer.returnValue(False)
+                return False
                return
        except Exception as ex:
            logger.warning("query_alias to %s threw exception %s", uri, ex)
-        defer.returnValue(False)
+        return False

    @defer.inlineCallbacks
    def query_3pe(self, service, kind, protocol, fields):
@@ -141,7 +141,7 @@ class ApplicationServiceApi(SimpleHttpClient):
        else:
            raise ValueError("Unrecognised 'kind' argument %r to query_3pe()", kind)
        if service.url is None:
-            defer.returnValue([])
+            return []

        uri = "%s%s/thirdparty/%s/%s" % (
            service.url,
@@ -155,7 +155,7 @@ class ApplicationServiceApi(SimpleHttpClient):
                logger.warning(
                    "query_3pe to %s returned an invalid response %r", uri, response
                )
-                defer.returnValue([])
+                return []

            ret = []
            for r in response:
@@ -166,14 +166,14 @@ class ApplicationServiceApi(SimpleHttpClient):
                        "query_3pe to %s returned an invalid result %r", uri, r
                    )

-            defer.returnValue(ret)
+            return ret
        except Exception as ex:
            logger.warning("query_3pe to %s threw exception %s", uri, ex)
-            defer.returnValue([])
+            return []

    def get_3pe_protocol(self, service, protocol):
        if service.url is None:
-            defer.returnValue({})
+            return {}

        @defer.inlineCallbacks
        def _get():
@@ -189,7 +189,7 @@ class ApplicationServiceApi(SimpleHttpClient):
                    logger.warning(
                        "query_3pe_protocol to %s did not return a" " valid result", uri
                    )
-                    defer.returnValue(None)
+                    return None

                for instance in info.get("instances", []):
                    network_id = instance.get("network_id", None)
@@ -198,10 +198,10 @@ class ApplicationServiceApi(SimpleHttpClient):
                            service.id, network_id
                        ).to_string()

-                defer.returnValue(info)
+                return info
            except Exception as ex:
                logger.warning("query_3pe_protocol to %s threw exception %s", uri, ex)
-                defer.returnValue(None)
+                return None

        key = (service.id, protocol)
        return self.protocol_meta_cache.wrap(key, _get)
@@ -209,7 +209,7 @@ class ApplicationServiceApi(SimpleHttpClient):
    @defer.inlineCallbacks
    def push_bulk(self, service, events, txn_id=None):
        if service.url is None:
-            defer.returnValue(True)
+            return True

        events = self._serialize(events)

@@ -229,14 +229,14 @@ class ApplicationServiceApi(SimpleHttpClient):
            )
            sent_transactions_counter.labels(service.id).inc()
            sent_events_counter.labels(service.id).inc(len(events))
-            defer.returnValue(True)
+            return True
            return
        except CodeMessageException as e:
            logger.warning("push_bulk to %s received %s", uri, e.code)
        except Exception as ex:
            logger.warning("push_bulk to %s threw exception %s", uri, ex)
        failed_transactions_counter.labels(service.id).inc()
-        defer.returnValue(False)
+        return False

    def _serialize(self, events):
        time_now = self.clock.time_msec()
@@ -193,7 +193,7 @@ class _TransactionController(object):
    @defer.inlineCallbacks
    def _is_service_up(self, service):
        state = yield self.store.get_appservice_state(service)
-        defer.returnValue(state == ApplicationServiceState.UP or state is None)
+        return state == ApplicationServiceState.UP or state is None


 class _Recoverer(object):
@@ -208,7 +208,7 @@ class _Recoverer(object):
                r.service.id,
            )
            r.recover()
-        defer.returnValue(recoverers)
+        return recoverers

    def __init__(self, clock, store, as_api, service, callback):
        self.clock = clock
@@ -116,8 +116,6 @@ class KeyConfig(Config):
            seed = bytes(self.signing_key[0])
            self.macaroon_secret_key = hashlib.sha256(seed).digest()

-        self.expire_access_token = config.get("expire_access_token", False)
-
        # a secret which is used to calculate HMACs for form values, to stop
        # falsification of values
        self.form_secret = config.get("form_secret", None)
@@ -144,10 +142,6 @@ class KeyConfig(Config):
        #
        %(macaroon_secret_key)s

-        # Used to enable access token expiration.
-        #
-        #expire_access_token: False
-
        # a secret which is used to calculate HMACs for form values, to stop
        # falsification of values. Must be specified for the User Consent
        # forms to work.
@@ -12,6 +12,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+
 import logging
 import logging.config
 import os
@@ -75,10 +76,8 @@ root:

 class LoggingConfig(Config):
    def read_config(self, config, **kwargs):
-        self.verbosity = config.get("verbose", 0)
-        self.no_redirect_stdio = config.get("no_redirect_stdio", False)
        self.log_config = self.abspath(config.get("log_config"))
-        self.log_file = self.abspath(config.get("log_file"))
+        self.no_redirect_stdio = config.get("no_redirect_stdio", False)

    def generate_config_section(self, config_dir_path, server_name, **kwargs):
        log_config = os.path.join(config_dir_path, server_name + ".log.config")
@@ -94,38 +93,12 @@ class LoggingConfig(Config):
        )

    def read_arguments(self, args):
-        if args.verbose is not None:
-            self.verbosity = args.verbose
        if args.no_redirect_stdio is not None:
            self.no_redirect_stdio = args.no_redirect_stdio
-        if args.log_config is not None:
-            self.log_config = args.log_config
-        if args.log_file is not None:
-            self.log_file = args.log_file

    @staticmethod
    def add_arguments(parser):
        logging_group = parser.add_argument_group("logging")
-        logging_group.add_argument(
-            "-v",
-            "--verbose",
-            dest="verbose",
-            action="count",
-            help="The verbosity level. Specify multiple times to increase "
-            "verbosity. (Ignored if --log-config is specified.)",
-        )
-        logging_group.add_argument(
-            "-f",
-            "--log-file",
-            dest="log_file",
-            help="File to log to. (Ignored if --log-config is specified.)",
-        )
-        logging_group.add_argument(
-            "--log-config",
-            dest="log_config",
-            default=None,
-            help="Python logging config file",
-        )
        logging_group.add_argument(
            "-n",
            "--no-redirect-stdio",
@@ -153,58 +126,29 @@ def setup_logging(config, use_worker_options=False):
        config (LoggingConfig | synapse.config.workers.WorkerConfig):
            configuration data

-        use_worker_options (bool): True to use 'worker_log_config' and
-            'worker_log_file' options instead of 'log_config' and 'log_file'.
+        use_worker_options (bool): True to use the 'worker_log_config' option
+            instead of 'log_config'.

        register_sighup (func | None): Function to call to register a
            sighup handler.
    """
    log_config = config.worker_log_config if use_worker_options else config.log_config
-    log_file = config.worker_log_file if use_worker_options else config.log_file
-
-    log_format = (
-        "%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s"
-        " - %(message)s"
-    )

    if log_config is None:
-        # We don't have a logfile, so fall back to the 'verbosity' param from
-        # the config or cmdline. (Note that we generate a log config for new
-        # installs, so this will be an unusual case)
-        level = logging.INFO
-        level_for_storage = logging.INFO
-        if config.verbosity:
-            level = logging.DEBUG
-            if config.verbosity > 1:
-                level_for_storage = logging.DEBUG
+        log_format = (
+            "%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s"
+            " - %(message)s"
+        )

        logger = logging.getLogger("")
-        logger.setLevel(level)
-
-        logging.getLogger("synapse.storage.SQL").setLevel(level_for_storage)
+        logger.setLevel(logging.INFO)
+        logging.getLogger("synapse.storage.SQL").setLevel(logging.INFO)

        formatter = logging.Formatter(log_format)
-        if log_file:
-            # TODO: Customisable file size / backup count
-            handler = logging.handlers.RotatingFileHandler(
-                log_file, maxBytes=(1000 * 1000 * 100), backupCount=3, encoding="utf8"
-            )
-
-            def sighup(signum, stack):
-                logger.info("Closing log file due to SIGHUP")
-                handler.doRollover()
-                logger.info("Opened new log file due to SIGHUP")
-
-        else:
-            handler = logging.StreamHandler()
-
-            def sighup(*args):
-                pass

+        handler = logging.StreamHandler()
        handler.setFormatter(formatter)
-
        handler.addFilter(LoggingContextFilter(request=""))
-
        logger.addHandler(handler)
    else:

@@ -218,8 +162,7 @@ def setup_logging(config, use_worker_options=False):
            logging.info("Reloaded log config from %s due to SIGHUP", log_config)

        load_log_config()
-
-    appbase.register_sighup(sighup)
+        appbase.register_sighup(sighup)

    # make sure that the first thing we log is a thing we can grep backwards
    # for
@@ -13,8 +13,11 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+import os
 from distutils.util import strtobool

+import pkg_resources
+
 from synapse.config._base import Config, ConfigError
 from synapse.types import RoomAlias
 from synapse.util.stringutils import random_string_with_symbols
@@ -41,8 +44,36 @@ class AccountValidityConfig(Config):

            self.startup_job_max_delta = self.period * 10.0 / 100.0

-        if self.renew_by_email_enabled and "public_baseurl" not in synapse_config:
-            raise ConfigError("Can't send renewal emails without 'public_baseurl'")
+        if self.renew_by_email_enabled:
+            if "public_baseurl" not in synapse_config:
+                raise ConfigError("Can't send renewal emails without 'public_baseurl'")
+
+        template_dir = config.get("template_dir")
+
+        if not template_dir:
+            template_dir = pkg_resources.resource_filename("synapse", "res/templates")
+
+        if "account_renewed_html_path" in config:
+            file_path = os.path.join(template_dir, config["account_renewed_html_path"])
+
+            self.account_renewed_html_content = self.read_file(
+                file_path, "account_validity.account_renewed_html_path"
+            )
+        else:
+            self.account_renewed_html_content = (
+                "<html><body>Your account has been successfully renewed.</body><html>"
+            )
+
+        if "invalid_token_html_path" in config:
+            file_path = os.path.join(template_dir, config["invalid_token_html_path"])
+
+            self.invalid_token_html_content = self.read_file(
+                file_path, "account_validity.invalid_token_html_path"
+            )
+        else:
+            self.invalid_token_html_content = (
+                "<html><body>Invalid renewal token.</body><html>"
+            )


 class RegistrationConfig(Config):
@@ -145,6 +176,16 @@ class RegistrationConfig(Config):
        #  period: 6w
        #  renew_at: 1w
        #  renew_email_subject: "Renew your %%(app)s account"
+        #  # Directory in which Synapse will try to find the HTML files to serve to the
+        #  # user when trying to renew an account. Optional, defaults to
+        #  # synapse/res/templates.
+        #  template_dir: "res/templates"
+        #  # HTML to be displayed to the user after they successfully renewed their
+        #  # account. Optional.
+        #  account_renewed_html_path: "account_renewed.html"
+        #  # HTML to be displayed when the user tries to renew an account with an invalid
+        #  # renewal token. Optional.
+        #  invalid_token_html_path: "invalid_token.html"

        # Time that a user's session remains valid for, after they log in.
        #
@@ -18,6 +18,7 @@
 import logging
 import os.path

+import attr
 from netaddr import IPSet

 from synapse.api.room_versions import KNOWN_ROOM_VERSIONS
@@ -38,6 +39,12 @@ DEFAULT_BIND_ADDRESSES = ["::", "0.0.0.0"]

 DEFAULT_ROOM_VERSION = "4"

+ROOM_COMPLEXITY_TOO_GREAT = (
+    "Your homeserver is unable to join rooms this large or complex. "
+    "Please speak to your server administrator, or upgrade your instance "
+    "to join this room."
+)
+

 class ServerConfig(Config):
    def read_config(self, config, **kwargs):
@@ -247,6 +254,23 @@ class ServerConfig(Config):

        self.gc_thresholds = read_gc_thresholds(config.get("gc_thresholds", None))

+        @attr.s
+        class LimitRemoteRoomsConfig(object):
+            enabled = attr.ib(
+                validator=attr.validators.instance_of(bool), default=False
+            )
+            complexity = attr.ib(
+                validator=attr.validators.instance_of((int, float)), default=1.0
+            )
+            complexity_error = attr.ib(
+                validator=attr.validators.instance_of(str),
+                default=ROOM_COMPLEXITY_TOO_GREAT,
+            )
+
+        self.limit_remote_rooms = LimitRemoteRoomsConfig(
+            **config.get("limit_remote_rooms", {})
+        )
+
        bind_port = config.get("bind_port")
        if bind_port:
            if config.get("no_tls", False):
@@ -617,6 +641,23 @@ class ServerConfig(Config):
        # Used by phonehome stats to group together related servers.
        #server_context: context

+        # Resource-constrained Homeserver Settings
+        #
+        # If limit_remote_rooms.enabled is True, the room complexity will be
+        # checked before a user joins a new remote room. If it is above
+        # limit_remote_rooms.complexity, it will disallow joining or
+        # instantly leave.
+        #
+        # limit_remote_rooms.complexity_error can be set to customise the text
+        # displayed to the user when a room above the complexity threshold has
+        # its join cancelled.
+        #
+        # Uncomment the below lines to enable:
+        #limit_remote_rooms:
+        #  enabled: True
+        #  complexity: 1.0
+        #  complexity_error: "This room is too complex."
+
        # Whether to require a user to be in the room to add an alias to it.
        # Defaults to 'true'.
        #
@@ -23,6 +23,12 @@ class TracerConfig(Config):
            opentracing_config = {}

        self.opentracer_enabled = opentracing_config.get("enabled", False)
+
+        self.jaeger_config = opentracing_config.get(
+            "jaeger_config",
+            {"sampler": {"type": "const", "param": 1}, "logging": False},
+        )
+
        if not self.opentracer_enabled:
            return

@@ -56,4 +62,20 @@ class TracerConfig(Config):
            #
            #homeserver_whitelist:
            #  - ".*"
+
+            # Jaeger can be configured to sample traces at different rates.
+            # All configuration options provided by Jaeger can be set here.
+            # Jaeger's configuration mostly related to trace sampling which
+            # is documented here:
+            # https://www.jaegertracing.io/docs/1.13/sampling/.
+            #
+            #jaeger_config:
+            #  sampler:
+            #    type: const
+            #    param: 1
+
+            #  Logging whether spans were started and reported
+            #
+            #  logging:
+            #    false
        """
@@ -31,7 +31,6 @@ class WorkerConfig(Config):
        self.worker_listeners = config.get("worker_listeners", [])
        self.worker_daemonize = config.get("worker_daemonize")
        self.worker_pid_file = config.get("worker_pid_file")
-        self.worker_log_file = config.get("worker_log_file")
        self.worker_log_config = config.get("worker_log_config")

        # The host used to connect to the main synapse
@@ -78,9 +77,5 @@ class WorkerConfig(Config):

        if args.daemonize is not None:
            self.worker_daemonize = args.daemonize
-        if args.log_config is not None:
-            self.worker_log_config = args.log_config
-        if args.log_file is not None:
-            self.worker_log_file = args.log_file
        if args.manhole is not None:
            self.worker_manhole = args.worker_manhole
@@ -31,6 +31,7 @@ from twisted.internet.ssl import (
    platformTrust,
 )
 from twisted.python.failure import Failure
+from twisted.web.iweb import IPolicyForHTTPS

 logger = logging.getLogger(__name__)

@@ -74,6 +75,7 @@ class ServerContextFactory(ContextFactory):
        return self._context


+@implementer(IPolicyForHTTPS)
 class ClientTLSOptionsFactory(object):
    """Factory for Twisted SSLClientConnectionCreators that are used to make connections
    to remote servers for federation.
@@ -146,6 +148,12 @@ class ClientTLSOptionsFactory(object):
            f = Failure()
            tls_protocol.failVerification(f)

+    def creatorForNetloc(self, hostname, port):
+        """Implements the IPolicyForHTTPS interace so that this can be passed
+        directly to agents.
+        """
+        return self.get_options(hostname)
+

@implementer(IOpenSSLClientConnectionCreator)
 class SSLClientConnectionCreator(object):
@@ -238,27 +238,9 @@ class Keyring(object):
        """

        try:
-            # create a deferred for each server we're going to look up the keys
-            # for; we'll resolve them once we have completed our lookups.
-            # These will be passed into wait_for_previous_lookups to block
-            # any other lookups until we have finished.
-            # The deferreds are called with no logcontext.
-            server_to_deferred = {
-                rq.server_name: defer.Deferred() for rq in verify_requests
-            }
+            ctx = LoggingContext.current_context()

-            # We want to wait for any previous lookups to complete before
-            # proceeding.
-            yield self.wait_for_previous_lookups(server_to_deferred)
-
-            # Actually start fetching keys.
-            self._get_server_verify_keys(verify_requests)
-
-            # When we've finished fetching all the keys for a given server_name,
-            # resolve the deferred passed to `wait_for_previous_lookups` so that
-            # any lookups waiting will proceed.
-            #
-            # map from server name to a set of request ids
+            # map from server name to a set of outstanding request ids
            server_to_request_ids = {}

            for verify_request in verify_requests:
@@ -266,40 +248,61 @@ class Keyring(object):
                request_id = id(verify_request)
                server_to_request_ids.setdefault(server_name, set()).add(request_id)

-            def remove_deferreds(res, verify_request):
+            # Wait for any previous lookups to complete before proceeding.
+            yield self.wait_for_previous_lookups(server_to_request_ids.keys())
+
+            # take out a lock on each of the servers by sticking a Deferred in
+            # key_downloads
+            for server_name in server_to_request_ids.keys():
+                self.key_downloads[server_name] = defer.Deferred()
+                logger.debug("Got key lookup lock on %s", server_name)
+
+            # When we've finished fetching all the keys for a given server_name,
+            # drop the lock by resolving the deferred in key_downloads.
+            def drop_server_lock(server_name):
+                d = self.key_downloads.pop(server_name)
+                d.callback(None)
+
+            def lookup_done(res, verify_request):
                server_name = verify_request.server_name
-                request_id = id(verify_request)
-                server_to_request_ids[server_name].discard(request_id)
-                if not server_to_request_ids[server_name]:
-                    d = server_to_deferred.pop(server_name, None)
-                    if d:
-                        d.callback(None)
+                server_requests = server_to_request_ids[server_name]
+                server_requests.remove(id(verify_request))
+
+                # if there are no more requests for this server, we can drop the lock.
+                if not server_requests:
+                    with PreserveLoggingContext(ctx):
+                        logger.debug("Releasing key lookup lock on %s", server_name)
+
+                    # ... but not immediately, as that can cause stack explosions if
+                    # we get a long queue of lookups.
+                    self.clock.call_later(0, drop_server_lock, server_name)
+
                return res

            for verify_request in verify_requests:
-                verify_request.key_ready.addBoth(remove_deferreds, verify_request)
+                verify_request.key_ready.addBoth(lookup_done, verify_request)
+
+            # Actually start fetching keys.
+            self._get_server_verify_keys(verify_requests)
        except Exception:
            logger.exception("Error starting key lookups")

    @defer.inlineCallbacks
-    def wait_for_previous_lookups(self, server_to_deferred):
+    def wait_for_previous_lookups(self, server_names):
        """Waits for any previous key lookups for the given servers to finish.

        Args:
-            server_to_deferred (dict[str, Deferred]): server_name to deferred which gets
-                resolved once we've finished looking up keys for that server.
-                The Deferreds should be regular twisted ones which call their
-                callbacks with no logcontext.
+            server_names (Iterable[str]): list of servers which we want to look up

-        Returns: a Deferred which resolves once all key lookups for the given
-            servers have completed. Follows the synapse rules of logcontext
-            preservation.
+        Returns:
+            Deferred[None]: resolves once all key lookups for the given servers have
+                completed. Follows the synapse rules of logcontext preservation.
        """
        loop_count = 1
        while True:
            wait_on = [
                (server_name, self.key_downloads[server_name])
-                for server_name in server_to_deferred.keys()
+                for server_name in server_names
                if server_name in self.key_downloads
            ]
            if not wait_on:
@@ -314,19 +317,6 @@ class Keyring(object):

            loop_count += 1

-        ctx = LoggingContext.current_context()
-
-        def rm(r, server_name_):
-            with PreserveLoggingContext(ctx):
-                logger.debug("Releasing key lookup lock on %s", server_name_)
-                self.key_downloads.pop(server_name_, None)
-            return r
-
-        for server_name, deferred in server_to_deferred.items():
-            logger.debug("Got key lookup lock on %s", server_name)
-            self.key_downloads[server_name] = deferred
-            deferred.addBoth(rm, server_name)
-
    def _get_server_verify_keys(self, verify_requests):
        """Tries to find at least one key for each verify request

@@ -472,7 +462,7 @@ class StoreKeyFetcher(KeyFetcher):
        keys = {}
        for (server_name, key_id), key in res.items():
            keys.setdefault(server_name, {})[key_id] = key
-        defer.returnValue(keys)
+        return keys


 class BaseV2KeyFetcher(object):
@@ -576,7 +566,7 @@ class BaseV2KeyFetcher(object):
            ).addErrback(unwrapFirstError)
        )

-        defer.returnValue(verify_keys)
+        return verify_keys


 class PerspectivesKeyFetcher(BaseV2KeyFetcher):
@@ -598,7 +588,7 @@ class PerspectivesKeyFetcher(BaseV2KeyFetcher):
                result = yield self.get_server_verify_key_v2_indirect(
                    keys_to_fetch, key_server
                )
-                defer.returnValue(result)
+                return result
            except KeyLookupError as e:
                logger.warning(
                    "Key lookup failed from %r: %s", key_server.server_name, e
@@ -611,7 +601,7 @@ class PerspectivesKeyFetcher(BaseV2KeyFetcher):
                    str(e),
                )

-            defer.returnValue({})
+            return {}

        results = yield make_deferred_yieldable(
            defer.gatherResults(
@@ -625,7 +615,7 @@ class PerspectivesKeyFetcher(BaseV2KeyFetcher):
            for server_name, keys in result.items():
                union_of_keys.setdefault(server_name, {}).update(keys)

-        defer.returnValue(union_of_keys)
+        return union_of_keys

    @defer.inlineCallbacks
    def get_server_verify_key_v2_indirect(self, keys_to_fetch, key_server):
@@ -711,7 +701,7 @@ class PerspectivesKeyFetcher(BaseV2KeyFetcher):
            perspective_name, time_now_ms, added_keys
        )

-        defer.returnValue(keys)
+        return keys

    def _validate_perspectives_response(self, key_server, response):
        """Optionally check the signature on the result of a /key/query request
@@ -853,7 +843,7 @@ class ServerKeyFetcher(BaseV2KeyFetcher):
            )
            keys.update(response_keys)

-        defer.returnValue(keys)
+        return keys


@defer.inlineCallbacks
@@ -144,15 +144,13 @@ class EventBuilder(object):
        if self._origin_server_ts is not None:
            event_dict["origin_server_ts"] = self._origin_server_ts

-        defer.returnValue(
-            create_local_event_from_event_dict(
-                clock=self._clock,
-                hostname=self._hostname,
-                signing_key=self._signing_key,
-                format_version=self.format_version,
-                event_dict=event_dict,
-                internal_metadata_dict=self.internal_metadata.get_dict(),
-            )
+        return create_local_event_from_event_dict(
+            clock=self._clock,
+            hostname=self._hostname,
+            signing_key=self._signing_key,
+            format_version=self.format_version,
+            event_dict=event_dict,
+            internal_metadata_dict=self.internal_metadata.get_dict(),
        )


@@ -133,19 +133,17 @@ class EventContext(object):
        else:
            prev_state_id = None

-        defer.returnValue(
-            {
-                "prev_state_id": prev_state_id,
-                "event_type": event.type,
-                "event_state_key": event.state_key if event.is_state() else None,
-                "state_group": self.state_group,
-                "rejected": self.rejected,
-                "prev_group": self.prev_group,
-                "delta_ids": _encode_state_dict(self.delta_ids),
-                "prev_state_events": self.prev_state_events,
-                "app_service_id": self.app_service.id if self.app_service else None,
-            }
-        )
+        return {
+            "prev_state_id": prev_state_id,
+            "event_type": event.type,
+            "event_state_key": event.state_key if event.is_state() else None,
+            "state_group": self.state_group,
+            "rejected": self.rejected,
+            "prev_group": self.prev_group,
+            "delta_ids": _encode_state_dict(self.delta_ids),
+            "prev_state_events": self.prev_state_events,
+            "app_service_id": self.app_service.id if self.app_service else None,
+        }

    @staticmethod
    def deserialize(store, input):
@@ -202,7 +200,7 @@ class EventContext(object):

        yield make_deferred_yieldable(self._fetching_state_deferred)

-        defer.returnValue(self._current_state_ids)
+        return self._current_state_ids

    @defer.inlineCallbacks
    def get_prev_state_ids(self, store):
@@ -222,7 +220,7 @@ class EventContext(object):

        yield make_deferred_yieldable(self._fetching_state_deferred)

-        defer.returnValue(self._prev_state_ids)
+        return self._prev_state_ids

    def get_cached_current_state_ids(self):
        """Gets the current state IDs if we have them already cached.
@@ -51,7 +51,7 @@ class ThirdPartyEventRules(object):
            defer.Deferred[bool]: True if the event should be allowed, False if not.
        """
        if self.third_party_rules is None:
-            defer.returnValue(True)
+            return True

        prev_state_ids = yield context.get_prev_state_ids(self.store)

@@ -61,7 +61,7 @@ class ThirdPartyEventRules(object):
            state_events[key] = yield self.store.get_event(event_id, allow_none=True)

        ret = yield self.third_party_rules.check_event_allowed(event, state_events)
-        defer.returnValue(ret)
+        return ret

    @defer.inlineCallbacks
    def on_create_room(self, requester, config, is_requester_admin):
@@ -98,7 +98,7 @@ class ThirdPartyEventRules(object):
        """

        if self.third_party_rules is None:
-            defer.returnValue(True)
+            return True

        state_ids = yield self.store.get_filtered_current_state_ids(room_id)
        room_state_events = yield self.store.get_events(state_ids.values())
@@ -110,4 +110,4 @@ class ThirdPartyEventRules(object):
        ret = yield self.third_party_rules.check_threepid_can_be_invited(
            medium, address, state_events
        )
-        defer.returnValue(ret)
+        return ret
@@ -360,7 +360,7 @@ class EventClientSerializer(object):
        """
        # To handle the case of presence events and the like
        if not isinstance(event, EventBase):
-            defer.returnValue(event)
+            return event

        event_id = event.event_id
        serialized_event = serialize_event(event, time_now, **kwargs)
@@ -406,7 +406,7 @@ class EventClientSerializer(object):
                    "sender": edit.sender,
                }

-        defer.returnValue(serialized_event)
+        return serialized_event

    def serialize_events(self, events, time_now, **kwargs):
        """Serializes multiple events.
@@ -95,10 +95,10 @@ class EventValidator(object):

        elif event.type == EventTypes.Topic:
            self._ensure_strings(event.content, ["topic"])
-
+            self._ensure_state_event(event)
        elif event.type == EventTypes.Name:
            self._ensure_strings(event.content, ["name"])
-
+            self._ensure_state_event(event)
        elif event.type == EventTypes.Member:
            if "membership" not in event.content:
                raise SynapseError(400, "Content has not membership key")
@@ -106,9 +106,25 @@ class EventValidator(object):
            if event.content["membership"] not in Membership.LIST:
                raise SynapseError(400, "Invalid membership key")

+            self._ensure_state_event(event)
+        elif event.type == EventTypes.Tombstone:
+            if "replacement_room" not in event.content:
+                raise SynapseError(400, "Content has no replacement_room key")
+
+            if event.content["replacement_room"] == event.room_id:
+                raise SynapseError(
+                    400, "Tombstone cannot reference the room it was sent in"
+                )
+
+            self._ensure_state_event(event)
+
    def _ensure_strings(self, d, keys):
        for s in keys:
            if s not in d:
                raise SynapseError(400, "'%s' not in content" % (s,))
            if not isinstance(d[s], string_types):
                raise SynapseError(400, "'%s' not a string type" % (s,))
+
+    def _ensure_state_event(self, event):
+        if not event.is_state():
+            raise SynapseError(400, "'%s' must be state events" % (event.type,))
@@ -106,7 +106,7 @@ class FederationBase(object):
                    "Failed to find copy of %s with valid signature", pdu.event_id
                )

-            defer.returnValue(res)
+            return res

        handle = preserve_fn(handle_check_result)
        deferreds2 = [handle(pdu, deferred) for pdu, deferred in zip(pdus, deferreds)]
@@ -116,9 +116,9 @@ class FederationBase(object):
        ).addErrback(unwrapFirstError)

        if include_none:
-            defer.returnValue(valid_pdus)
+            return valid_pdus
        else:
-            defer.returnValue([p for p in valid_pdus if p])
+            return [p for p in valid_pdus if p]

    def _check_sigs_and_hash(self, room_version, pdu):
        return make_deferred_yieldable(
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				Synapse now no longer accepts the `-v`/`--verbose`, `-f`/`--log-file`, or `--log-config` command line flags, and removes the deprecated `verbose` and `log_file` configuration file options. Users of these options should migrate their options into the dedicated log configuration.
				`@@ -0,0 +1 @@`
				Use `M_USER_DEACTIVATED` instead of `M_UNKNOWN` for errcode when a deactivated user attempts to login.
				`@@ -0,0 +1 @@`
				`Add OpenTracing instrumentation for e2e code paths.`
				`@@ -0,0 +1 @@`
				Add precautionary measures to prevent future abuse of `window.opener` in default welcome page.
				`@@ -0,0 +1 @@`
				`Reduce database IO usage by optimising queries for current membership.`
				`@@ -0,0 +1 @@`
				Improve caching when fetching `get_filtered_current_state_ids`.
				`@@ -0,0 +1 @@`
				`Don't accept opentracing data from clients.`
				`@@ -0,0 +1 @@`
				`Improve database query performance when recording retry intervals for remote hosts.`
				`@@ -0,0 +1 @@`
				`Fix stack overflow in server key lookup code.`
				`@@ -0,0 +1 @@`
				`start.sh no longer uses deprecated cli option.`