crowdsec (1.0.9-2) unstable; urgency=medium * Backport hub patch from upstream to fix false positives due to substring matches (https://github.com/crowdsecurity/hub/pull/197): + 0009-Improve-http-bad-user-agent-use-regexp-197.patch -- Cyril Brulebois Mon, 03 May 2021 07:29:06 +0000 crowdsec (1.0.9-1) unstable; urgency=medium * New upstream stable release: + Improve documentation. + Fix disabled Central API use case: without Central API credentials in the relevant config file, crowdsec would still try and establish a connection. * Add patch to disable broken scenario (ban-report-ssh_bf_report, #181): + 0008-hub-disable-broken-scenario.patch * Add logrotate config for /var/log/crowdsec{,_api}.log (weekly, 4). -- Cyril Brulebois Mon, 15 Mar 2021 01:19:43 +0100 crowdsec (1.0.8-2) unstable; urgency=medium * Update postinst to also strip ltsich/ when installing symlinks initially (new vendor in recent hub files, in addition to the usual crowdsecurity/). -- Cyril Brulebois Tue, 02 Mar 2021 01:29:29 +0000 crowdsec (1.0.8-1) unstable; urgency=medium * New upstream stable release. * Refresh patches: + 0001-use-a-local-machineid-implementation.patch (unfuzzy) + 0002-add-compatibility-for-older-sqlite-driver.patch * Set cwversion variables through debian/rules (build metadata). * Add patch so that upstream's crowdsec.service is correct on Debian: + 0003-adjust-systemd-unit.patch * Really add lintian overrides for hardening-no-pie warnings. * Ship patterns below /etc/crowdsec/patterns: they're supposed to be stable over time, and it's advised not to modify them, but let's allow for some configurability. * Include a snapshot of hub files from the master branch, at commit d8a8509bdf: hub1. Further updates for a given crowdsec upstream version will be numbered hubN. After a while, they will be generated from a dedicated vX.Y.Z branch instead of from master. * Implement a generate_hub_tarball target in debian/rules to automate generating a tarball for hub files. * Add patch to disable geoip-enrich in the hub files as it requires downloading some files from the network that aren't under the usual MIT license: + 0004-disable-geoip-enrich.patch * Ship a selection of hub files in /usr/share/crowdsec/hub so that crowdsec can be set up without having to download data from the collaborative hub (https://hub.crowdsec.net/). * Ditto for some data files (in /usr/share/crowdsec/data). * Use DH_GOLANG_EXCLUDES to avoid including extra Go files from the hub into the build directory. * Implement an extract_hub_tarball target in debian/rules to automate extracting hub files from the tarball. * Implement an extract_data_tarball target in debian/rules to automate extracting data files from the tarball. * Ship crowdsec-cli (automated Golang naming) as cscli (upstream's preference). * Add patch to adjust the default config: + 0005-adjust-config.patch * Ship config/config.yaml accordingly, along with the config files it references. * Also adjust the hub_branch variable in config.yaml, pointing to the branch related to the current upstream release instead of master. * Create /var/lib/crowdsec/{data,hub} directories. * Implement configure in postinst to generate credentials files: Implement a simple agent setup with a Local API (LAPI), and with an automatic registration to the Central API (CAPI). The latter can be disabled by creating a /etc/crowdsec/online_api_credentials.yaml file containing a comment (e.g. “# no thanks”) before installing this package. * Implement purge in postrm. Drop all of /etc/crowdsec except online_api_credentials.yaml if this file doesn't seem to have been created during CAPI registration (likely because an admin created the file in advance to prevent it). Also remove everything below /var/lib/crowdsec/{data,hub}, along with log files. * Implement custom enable-online-hub and disable-online-hub actions in postinst. The latter is called once automatically to make sure the offline hub is ready to use. See README.Debian for details. * Also enable all items using the offline hub on fresh installation. * Add patch advertising `systemctl restart crowdsec` when updating the configuration: reload doesn't work at the moment (#656 upstream). + 0006-prefer-systemctl-restart.patch * Add patch automating switching from the offline hub to the online hub when `cscli hub update` is called: + 0007-automatically-enable-online-hub.patch * Add lintian override accordingly: uses-dpkg-database-directly. * Add ca-certificates to Depends for the CAPI registration. * Create /etc/machine-id if it doesn't exist already (e.g. in piuparts environments). -- Cyril Brulebois Tue, 02 Mar 2021 00:25:48 +0000 crowdsec (1.0.4-1) unstable; urgency=medium * New upstream release. * Bump copyright years. * Bump golang-github-facebook-ent-dev build-dep. * Swap Maintainer/Uploaders: the current plan is for me to keep in touch with upstream to coordinate packaging work in Debian. Help from fellow members of the Debian Go Packaging Team is very welcome, though! * Fix typos in the long description, and merge upstream's review. * Refresh patch: + 0001-use-a-local-machineid-implementation.patch * Drop patch (merged upstream): + 1001-fix-docker-container-creation-for-metabase-563.patch -- Cyril Brulebois Wed, 03 Feb 2021 08:54:24 +0000 crowdsec (1.0.2-1) unstable; urgency=medium * Initial release (Closes: #972573): start by shipping binaries, while better integration is being worked on with upstream: documentation and assisted configuration are coming up. * Version some build-deps as earlier versions are known not to work. * Use a local machineid implementation instead of depending on an extra package: + 0001-use-a-local-machineid-implementation.patch * Use a syntax that's compatible with version 1.6.0 of the sqlite3 driver: + 0002-add-compatibility-for-older-sqlite-driver.patch * Backport upstream fix for golang-github-docker-docker-dev version currently in unstable: + 1001-fix-docker-container-creation-for-metabase-563.patch * Install all files in the build directory so that the testsuite finds required test data that's scattered all over the place. * Add systemd to Build-Depends for the testsuite, so that it finds the journalctl binary. * Add lintian overrides for the hardening-no-pie warnings: PIE is not relevant for Go packages. -- Cyril Brulebois Thu, 14 Jan 2021 02:46:18 +0000