From ebc210793e8ce0923e5ad4eb0ac7af4ead42f114 Mon Sep 17 00:00:00 2001 From: Rob Reynolds Date: Sun, 18 Sep 2016 15:11:34 -0500 Subject: [PATCH 1/9] (doc) Note Runtime Options For Checksums In Error Some folks don't realize this is available. Best for the error to bubble up that the option is available to make users aware. --- .../helpers/functions/Get-CheckSumValid.ps1 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/chocolatey.resources/helpers/functions/Get-CheckSumValid.ps1 b/src/chocolatey.resources/helpers/functions/Get-CheckSumValid.ps1 index ac847be1d0..59aebd9eb2 100644 --- a/src/chocolatey.resources/helpers/functions/Get-CheckSumValid.ps1 +++ b/src/chocolatey.resources/helpers/functions/Get-CheckSumValid.ps1 @@ -140,7 +140,7 @@ param( return } - Write-Warning "Missing package checksums are not allowed (by default for HTTP/FTP, `n HTTPS when feature 'allowEmptyChecksumsSecure' is disabled) for `n safety and security reasons. Although we strongly advise against it, `n if you need this functionality, please set the feature `n 'allowEmptyChecksums' ('choco feature enable -n `n allowEmptyChecksums') `n or pass in the option '--allow-empty-checksums'." + Write-Warning "Missing package checksums are not allowed (by default for HTTP/FTP, `n HTTPS when feature 'allowEmptyChecksumsSecure' is disabled) for `n safety and security reasons. Although we strongly advise against it, `n if you need this functionality, please set the feature `n 'allowEmptyChecksums' ('choco feature enable -n `n allowEmptyChecksums') `n or pass in the option '--allow-empty-checksums'. You can also pass `n checksums at runtime (recommended). See `choco install -?` for details." Write-Debug "If you are a maintainer attempting to determine the checksum for packaging purposes, please run `n 'choco install checksum' and run 'checksum -t sha256 -f $file' `n Ensure you do this for all remote resources." if ($env:ChocolateyPowerShellHost -eq 'true') { 
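Review bot: The text appended to the Write-Warning line wraps the command in backticks, `` See `choco install -?` for details ``, but inside a double-quoted PowerShell string the backtick is the escape character, so both backticks are consumed and the user sees the command unquoted. The throw messages added in the next hunk of this same patch use single quotes for the same purpose, so the warning should match: `See 'choco install -?' for details.` The enclosing function Get-ChecksumValid begins before this hunk.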
@@ -160,9 +160,9 @@ param( } if ($originalUrl -ne $null -and $originalUrl.ToLower().StartsWith("https")) { - throw "This package downloads over HTTPS but does not yet have package checksums to verify the package. We recommend asking the maintainer to add checksums to this package. In the meantime if you need this package to work correctly, please enable the feature allowEmptyChecksumsSecure or provide the runtime switch '--allowEmptyChecksums'." + throw "This package downloads over HTTPS but does not yet have package checksums to verify the package. We recommend asking the maintainer to add cheksums to this package. In the meantime if you need this package to work correctly, please enable the feature allowEmptyChecksumsSecure, provide the runtime switch '--allow-empty-checksums-secure', or pass in checksums at runtime (recommended - see 'choco install -?' / 'choco upgrade -?' for details)." } else { - throw "Empty checksums are no longer allowed by default for non-secure sources. Please ask the maintainer to add checksums to this package. In the meantime if you need this package to work correctly, please enable the feature allowEmptyChecksums or provide the runtime switch '--allowEmptyChecksums'. It is strongly advised against allowing empty checksums for non-internal HTTP/FTP sources." + throw "Empty checksums are no longer allowed by default for non-secure sources. Please ask the maintainer to add checksums to this package. In the meantime if you need this package to work correctly, please enable the feature allowEmptyChecksums, provide the runtime switch '--allow-empty-checksums', or pass in checksums at runtime (recommended - see 'choco install -?' / 'choco upgrade -?' for details). It is strongly advised against allowing empty checksums for non-internal HTTP/FTP sources." } } From 77be5d8192dc57c9523daf59f70da85cfdda876c Mon Sep 17 00:00:00 2001 
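Review bot: The rewritten HTTPS throw message introduces a typo, "asking the maintainer to add cheksums to this package", while the non-secure message a few lines below spells it "checksums"; it should read `We recommend asking the maintainer to add checksums to this package.` Since this string is what a user sees when verification is impossible, it is worth getting right before release. The rest of the change — naming the real switches and putting runtime checksums ahead of the allow-empty features — reads as intended.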
From: Rob Reynolds Date: Sun, 18 Sep 2016 15:11:50 -0500 Subject: [PATCH 2/9] (maint) formatting --- .../helpers/functions/Get-CheckSumValid.ps1 | 64 +++++++++---------- 1 file changed, 32 insertions(+), 32 deletions(-) diff --git a/src/chocolatey.resources/helpers/functions/Get-CheckSumValid.ps1 b/src/chocolatey.resources/helpers/functions/Get-CheckSumValid.ps1 index 59aebd9eb2..b946329487 100644 --- a/src/chocolatey.resources/helpers/functions/Get-CheckSumValid.ps1 +++ b/src/chocolatey.resources/helpers/functions/Get-CheckSumValid.ps1 
@@ -18,28 +18,28 @@ function Get-ChecksumValid { Checks a file's checksum versus a passed checksum and checksum type. .DESCRIPTION -Makes a determination if a file meets an expected checksum signature. -This function is usually used when comparing a file that is downloaded +Makes a determination if a file meets an expected checksum signature. +This function is usually used when comparing a file that is downloaded from an official distribution point. If the checksum fails to match the expected output, this function throws an error. -Checksums have been used for years as a means of verification. A -checksum hash is a unique value or signature that corresponds to the -contents of a file. File names and extensions can be altered without -changing the checksum signature. However if you changed the contents of +Checksums have been used for years as a means of verification. A +checksum hash is a unique value or signature that corresponds to the +contents of a file. File names and extensions can be altered without +changing the checksum signature. However if you changed the contents of the file, even one character, the checksum will be different. Checksums are used to provide as a means of cryptographically ensuring -the contents of a file have not been changed. While some cryptographic -algorithms, including MD5 and SHA1, are no longer considered secure -against attack, the goal of a checksum algorithm is to make it +the contents of a file have not been changed. While some cryptographic +algorithms, including MD5 and SHA1, are no longer considered secure +against attack, the goal of a checksum algorithm is to make it extremely difficult (near impossible with better algorithms) to alter the contents of a file (whether by accident or for malicious reasons) and still result in the same checksum signature. -When verifying a checksum using a secure algorithm, if the checksum -matches the expected signature, the contents of the file are identical -to what is expected. 
+When verifying a checksum using a secure algorithm, if the checksum +matches the expected signature, the contents of the file are identical +to what is expected. .NOTES This uses the checksum.exe tool available separately at 
@@ -73,23 +73,23 @@ passed Checksum parameter value. .PARAMETER Checksum The expected checksum hash value of the File resource. The checksum type is covered by ChecksumType. - -**NOTE:** Checksums in packages are meant as a measure to validate the -originally intended file that was used in the creation of a package is -the same file that is received at a future date. Since this is used for -other steps in the process related to the community repository, it -ensures that the file a user receives is the same file a maintainer -and a moderator (if applicable), plus any moderation review has -intended for you to receive with this package. If you are looking at a -remote source that uses the same url for updates, you will need to -ensure the package also stays updated in line with those remote -resource updates. You should look into [automatic packaging](https://chocolatey.org/docs/automatic-packages) + +**NOTE:** Checksums in packages are meant as a measure to validate the +originally intended file that was used in the creation of a package is +the same file that is received at a future date. Since this is used for +other steps in the process related to the community repository, it +ensures that the file a user receives is the same file a maintainer +and a moderator (if applicable), plus any moderation review has +intended for you to receive with this package. If you are looking at a +remote source that uses the same url for updates, you will need to +ensure the package also stays updated in line with those remote +resource updates. You should look into [automatic packaging](https://chocolatey.org/docs/automatic-packages) to help provide that functionality. -**NOTE:** To determine checksums, you can get that from the original -site if provided. You can also use the [checksum tool available on -the community feed](https://chocolatey.org/packages/checksum) (`choco install checksum`) -and use it e.g. `checksum -t sha256 -f path\to\file`. 
Ensure you +**NOTE:** To determine checksums, you can get that from the original +site if provided. You can also use the [checksum tool available on +the community feed](https://chocolatey.org/packages/checksum) (`choco install checksum`) +and use it e.g. `checksum -t sha256 -f path\to\file`. Ensure you provide checksums for all remote resources used. .PARAMETER ChecksumType @@ -99,8 +99,8 @@ The type of checkum that the file is validated with - 'md5', 'sha1', MD5 is not recommended as certain organizations need to use FIPS compliant algorithms for hashing - see https://support.microsoft.com/en-us/kb/811833 for more details. - -The recommendation is to use at least SHA256. + +The recommendation is to use at least SHA256. .PARAMETER IgnoredArguments Allows splatting with arguments that do not apply. Do not use directly. @@ -127,7 +127,7 @@ param( return } - if ($checksum -eq '' -or $checksum -eq $null) { + if ($checksum -eq '' -or $checksum -eq $null) { $allowEmptyChecksums = $env:ChocolateyAllowEmptyChecksums $allowEmptyChecksumsSecure = $env:ChocolateyAllowEmptyChecksumsSecure if ($allowEmptyChecksums -eq 'true') { 
@@ -143,7 +143,7 @@ param( Write-Warning "Missing package checksums are not allowed (by default for HTTP/FTP, `n HTTPS when feature 'allowEmptyChecksumsSecure' is disabled) for `n safety and security reasons. Although we strongly advise against it, `n if you need this functionality, please set the feature `n 'allowEmptyChecksums' ('choco feature enable -n `n allowEmptyChecksums') `n or pass in the option '--allow-empty-checksums'. You can also pass `n checksums at runtime (recommended). See `choco install -?` for details." Write-Debug "If you are a maintainer attempting to determine the checksum for packaging purposes, please run `n 'choco install checksum' and run 'checksum -t sha256 -f $file' `n Ensure you do this for all remote resources." - if ($env:ChocolateyPowerShellHost -eq 'true') { + if ($env:ChocolateyPowerShellHost -eq 'true') { $statement = "The integrity of the file '$([System.IO.Path]::GetFileName($file))'" if ($originalUrl -ne $null -and $originalUrl -ne '') { $statement += " from '$originalUrl'" @@ -158,7 +158,7 @@ param( if ($selection -eq 0) { return } } - + if ($originalUrl -ne $null -and $originalUrl.ToLower().StartsWith("https")) { throw "This package downloads over HTTPS but does not yet have package checksums to verify the package. We recommend asking the maintainer to add cheksums to this package. In the meantime if you need this package to work correctly, please enable the feature allowEmptyChecksumsSecure, provide the runtime switch '--allow-empty-checksums-secure', or pass in checksums at runtime (recommended - see 'choco install -?' / 'choco upgrade -?' for details)." } else { From 396f6fb5b475a65ebf3c2efd45df1f53499eff44 Mon Sep 17 00:00:00 2001 From: Rob Reynolds Date: Sun, 18 Sep 2016 17:14:57 -0500 Subject: [PATCH 3/9] (doc) add licensed changelog --- CHANGELOG_LICENSED.md | 194 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 194 insertions(+) create mode 100644 CHANGELOG_LICENSED.md 
diff --git a/CHANGELOG_LICENSED.md b/CHANGELOG_LICENSED.md new file mode 100644 index 0000000000..0d34749d37 --- /dev/null +++ b/CHANGELOG_LICENSED.md 
@@ -0,0 +1,194 @@ +# Chocolatey Licensed CHANGELOG + +If you have a licensed edition of Chocolatey, refer to this in tandem with [Chocolatey Open source CHANGELOG](https://github.com/chocolatey/choco/blob/master/CHANGELOG.md). + +## 1.6.1 (Sep 8, 2016) + +### BUG FIXES + + * Package Builder (Choco New): + * Fix - Do not error on missing appsearch table in MSI. + * Fix - Do not add similarly named items from AppSearch table to template properties more than once + + +## 1.6.0 (Sep 8, 2016) + +Some really big improvements are now available in v1.6.0. We are excited to share them with you! + +### FEATURES + + * Licensed Enhancements: + * install/upgrade - pass sensitive arguments that are not shown/logged in Chocolatey to an installer - useful when you want to pass passwords but don't want them logged. Need Chocolatey v0.10.1+. + * AutoUninstaller - determine type from original executable when FOSS is not able to detect installer type. + * Package Builder (Choco New): + * Now supports downloading from url/url64 and determining whether to keep those files remote. + * Switch to use original file location instead of copying into package + * Specify both 32-bit/64-bit file + * Work with zip files + +### BUG FIXES + + * Fix - changes related to working directory fixes for [#937](https://github.com/chocolatey/choco/issues/937) + * Fix - double chocolatey folder name is not also applied to the passed in file name - see [#908](https://github.com/chocolatey/choco/issues/908) + * Package Builder (Choco New): + * Fix - remove parentheses from package names + * Fix - keep template updated + * Package Internalizer (Choco Download): + * Fix - handle downloaded files with the same name Sometimes the file name is the same when the architecture is different. Handle that by using the url counter for all additional files with the same name. 
+ +### IMPROVEMENTS + + * Remind About Upcoming Expiration - when the license is expiring within a month's time, remind the user about renewal + * Package Builder (Choco New): + * Handle -forcex86 with package creation + * Add shimgen ignore for exes + * Use ProductVersion when version 0.0.0.0 + * Remove the word "installer" from package name + * Allow specifying name of the package + * Allow template override with warning + * Show MSI properties in install script (commented) + * Ensure `ALLUSERS=1` when an MSI is set to per user by default + * Automatically checksum files + * Allow files to stay remote - use remote helpers when files stay remote + * Package Internalizer (Choco Download): + * handle variables in urls set like ${word} + * Append `-UseOriginalLocation` to the end of the arguments passed to Install-ChocolateyPackage. Work with splatting properly as well + + +## 1.5.1 (Aug 9, 2016) + +### BUG FIXES + + * Fix - Valid Exit Codes do not support values bigger than Int32.MaxValue. - see [#900](https://github.com/chocolatey/choco/issues/900) + +### IMPROVEMENTS + + * Package Internalizer (Choco Download) - specify resources location (when not embedding into package) + + +## 1.5.0 (July 21, 2016) + +### FEATURES + + * [Business] Recompiled packages support aka Package Internalizer - Download a package and all remote resources, recompiling the package to use local resources instead. + * Synchronize w/Programs and Features - Chocolatey synchronizes manually uninstalled software with package state. + +### BUG FIXES + + * Fix - Silent Args being passed as a string array cause package failure - see [#808](https://github.com/chocolatey/choco/issues/808) + +### IMPROVEMENTS + + * VirusTotal - allow skipping check entirely - [#786](https://github.com/chocolatey/choco/issues/786) + * Trial allows more features to work, but in a way that is not automatable. 
+ + +## 1.4.2 (June 20, 2016) + +### BUG FIXES + + * Fix - Logging is broken in some packages due to new TEMP directory - [#813](https://github.com/chocolatey/choco/issues/813) + +### IMPROVEMENTS + + * Ensure log file path exists - [#758](https://github.com/chocolatey/choco/issues/758) + + +## 1.4.1 (June 14, 2016) + +### BUG FIXES + + * PowerShell v2 assembly was not loading. There was a dependency on an incorrect version of PowerShell assemblies, causing it to only attempt to load System.Management.Automation v3 and above - [#799](https://github.com/chocolatey/choco/issues/799) + + +## 1.4.0 (June 13, 2016) + +### FEATURES + + * BETA Testers - Recompiled packages support - Download a package and all remote resources, recompiling the package to use local resources instead. + * BETA Testers - Synchronize w/Programs and Features - Chocolatey synchronizes manually uninstalled software with package state. + * [Business] Create Packages from Installers aka Package Builder! Create packages directly from software installers in seconds! **Chocolatey for Business can automatically create packages for all the software your organization uses in under 5 minutes!** + * New Command! choco support - quickly see how you can contact support - [#745](https://github.com/chocolatey/choco/issues/745) + * Web functions for local files support - [#781](https://github.com/chocolatey/choco/issues/781) + +### IMPROVEMENTS + + * Support FIPS compliant algorithms [#446](https://github.com/chocolatey/choco/issues/446) + + +## 1.3.2 (May 28, 2016) + +### BUG FIXES + + * Get-WebFile name changes related to [#753](https://github.com/chocolatey/choco/issues/753) + +### IMPROVEMENTS + + * Clarified options with version and better messaging. + + +## 1.3.1 (May 9, 2016) + +### BUG FIXES + + * Get-WebFile name changes related to [#727](https://github.com/chocolatey/choco/issues/727) + +### IMPROVEMENTS + + * Report directory switch override. 
+ + +## 1.3.0 (May 2, 2016) + +### FEATURES + + * Ubiquitous Install Directory Switch! When working with properly formed packages that use Install-ChocolateyPackage (or Install-ChocolateyInstallPackage), Chocolatey is able to override the native installer's directory from one single option you provide to Chocolatey. You no longer need to know what the installer type is and provide that through install arguments. See `choco install -?` and `--install-directory` option for details. + * Generic Virus Scanner - for organizations that don't want to run checks using VirusTotal, we've provided a way for organizations to use their own virus scanner. See `choco config list` for details. + + ### BUG FIXES + +* Fix - Content Length check may error if original location is changed. This means the permanent download location will not error on other checks. +* Fix - Original remote file name can be affected if original url has changed or is unavailable. + +### IMPROVEMENTS + + * Virus Scanner exits as soon as possible on files too big for the scanner. If the file is over 500MB, the scanner cannot upload the file, so it should not ask whether it can try to upload prior to failing on the size check (previous behavior). + + +## 1.2.0 (March 14, 2016) + +### FEATURES + + * Virus scanning for Pro users! See the [post](https://www.kickstarter.com/projects/ferventcoder/chocolatey-the-alternative-windows-store-like-yum/posts/1518468) for details! + +## 1.1.0 (February 12, 2016) + +### IMPROVEMENTS + + * License can now be in user profile (like `c:\Users\yourname\chocolatey.license.xml`). This is great for roaming user profiles and in multiple machine usage scenarios. + * Download cache can be controlled with a feature flag and/or a command option. See `choco feature` and `choco install -h` for more details. + +### For BETA Testers + + * Virus Check improvements + * Throw if virus check has not been done before. 
+ * Messaging is clarified + * Skip or run virus check with command options - see `choco install -h` for details. + +## 1.0.2 (February 5, 2016) + +### BUG FIXES + +* Fix - PowerShell 5 respects Cmdlet aliases, causing overrides on functions not ready (Install-ChocolateyPackage). See the [post](https://www.kickstarter.com/projects/ferventcoder/chocolatey-the-alternative-windows-store-like-yum/posts/1484093) for details. + +## 1.0.1 (February 2, 2016) + +### BUG FIXES + +* Fix - License location validation is incorrect. + +## 1.0.0 (February 1, 2016) + +### FEATURES + +* Alternate Permanent Download Location - see the [post](https://www.kickstarter.com/projects/ferventcoder/chocolatey-the-alternative-windows-store-like-yum/posts/1479944) for details. From 558c845138d0ee60c03a6edc5161f378b162d4e3 Mon Sep 17 00:00:00 2001 From: Rob Reynolds Date: Mon, 19 Sep 2016 09:39:10 -0500 Subject: [PATCH 4/9] (GH-458) Warn To Verbose Log For Now We want to provide the TLS warning in a way that doesn't have people just blindly ignoring future warnings, so we need a way to toggle the warning off once someone has accepted they have read and understood the warning. For now we will log to verbose so that it is at least present in logs, and when folks run at verbose. --- .../infrastructure.app/runners/GenericRunner.cs | 2 +- .../infrastructure.app/services/PowershellService.cs | 2 +- .../infrastructure/registration/SecurityProtocol.cs | 9 +++++++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/src/chocolatey/infrastructure.app/runners/GenericRunner.cs b/src/chocolatey/infrastructure.app/runners/GenericRunner.cs index 283abd919d..1ced5d50f2 100644 --- a/src/chocolatey/infrastructure.app/runners/GenericRunner.cs +++ b/src/chocolatey/infrastructure.app/runners/GenericRunner.cs 
@@ -136,7 +136,7 @@ public void run(ChocolateyConfiguration config, Container container, bool isCons fail_when_license_is_missing_or_invalid_if_requested(config); - SecurityProtocol.set_protocol(); + SecurityProtocol.set_protocol(config, provideWarning:true); EventManager.publish(new PreRunMessage(config)); diff --git a/src/chocolatey/infrastructure.app/services/PowershellService.cs b/src/chocolatey/infrastructure.app/services/PowershellService.cs index 4a9bbc016b..55de1e2847 100644 --- a/src/chocolatey/infrastructure.app/services/PowershellService.cs +++ b/src/chocolatey/infrastructure.app/services/PowershellService.cs @@ -479,7 +479,7 @@ public void prepare_powershell_environment(IPackage package, ChocolateyConfigura } } - SecurityProtocol.set_protocol(); + SecurityProtocol.set_protocol(configuration, provideWarning:false); } private ResolveEventHandler _handler = null; diff --git a/src/chocolatey/infrastructure/registration/SecurityProtocol.cs b/src/chocolatey/infrastructure/registration/SecurityProtocol.cs index b568f31859..4e61566608 100644 --- a/src/chocolatey/infrastructure/registration/SecurityProtocol.cs +++ b/src/chocolatey/infrastructure/registration/SecurityProtocol.cs @@ -17,6 +17,7 @@ namespace chocolatey.infrastructure.registration { using System; using System.Net; + using app.configuration; using logging; public sealed class SecurityProtocol @@ -24,7 +25,7 @@ public sealed class SecurityProtocol private const int TLS_1_1 = 768; private const int TLS_1_2 = 3072; - public static void set_protocol() + public static void set_protocol(ChocolateyConfiguration config, bool provideWarning) { try { 
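Review bot: The new signature `set_protocol(ChocolateyConfiguration config, bool provideWarning)` accepts `config`, but none of the visible hunks in SecurityProtocol.cs read it; the body between this hunk and the `catch` hunk is outside the diff, so it may be used there, but if it is not, the parameter pulls `app.configuration` into an infrastructure class for nothing. Either drop it until the opt-out flag mentioned in the todo exists, or document the intent on the method with a summary such as `/// <summary>Selects the strongest TLS version the runtime supports; on failure falls back and, when provideWarning is set, logs a warning.</summary>`. At both call sites the named argument is written `provideWarning:true`; conventional spacing is `provideWarning: true`.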
@@ -39,7 +40,10 @@ public static void set_protocol() catch (Exception) { ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Ssl3; - "chocolatey".Log().Warn(ChocolateyLoggers.Important, + //todo: provide this warning with the ability to opt out of seeing it again so we can move it up to more prominent visibility and not just the verbose log + if (provideWarning) + { + "chocolatey".Log().Warn(ChocolateyLoggers.Verbose, @" !!WARNING!! Choco prefers to use TLS v1.2 if it is available, but this client is running on .NET 4.0, which uses an older SSL. It's using TLS 1.0 or @@ -48,6 +52,7 @@ public static void set_protocol() Chaining. Upgrade to at least .NET 4.5 at your earliest convenience. For more information you should visit https://www.howsmyssl.com/"); + } } From fe6a4ab59c93a5ee08365b7562cc8dcae274bab9 Mon Sep 17 00:00:00 2001 From: Rob Reynolds Date: Mon, 19 Sep 2016 09:44:51 -0500 Subject: [PATCH 5/9] (doc) update licensed changelog --- CHANGELOG_LICENSED.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG_LICENSED.md b/CHANGELOG_LICENSED.md index 0d34749d37..acd0a673ca 100644 --- a/CHANGELOG_LICENSED.md +++ b/CHANGELOG_LICENSED.md @@ -1,6 +1,8 @@ # Chocolatey Licensed CHANGELOG -If you have a licensed edition of Chocolatey, refer to this in tandem with [Chocolatey Open source CHANGELOG](https://github.com/chocolatey/choco/blob/master/CHANGELOG.md). +This covers changes for the "chocolatey.extension" package, where the licensed editions of Chocolatey get their enhanced functionality. + +**NOTE**: If you have a licensed edition of Chocolatey, refer to this in tandem with [Chocolatey Open source CHANGELOG](https://github.com/chocolatey/choco/blob/master/CHANGELOG.md). ## 1.6.1 (Sep 8, 2016) From b18075125a6dd699aa6c725b69bf95b2826590e0 Mon Sep 17 00:00:00 2001 
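Review bot: With the warning moved to `ChocolateyLoggers.Verbose`, a .NET 4.0 client now falls back to `SecurityProtocolType.Tls | SecurityProtocolType.Ssl3` with nothing in the default log telling the user that SSLv3 is among the protocols it will accept. SSLv3 has been considered broken since the POODLE disclosure in 2014, and the warning text itself only promises "TLS 1.0 or" older, so the fallback could be narrowed to `ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;` without changing what the message describes. Until the opt-out in the todo exists, consider also emitting a single short non-verbose line that points users to the verbose log for the details, so the downgrade is at least discoverable. The `catch (Exception)` that triggers this path is unchanged context and the start of set_protocol lies outside this hunk.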
From: Rob Reynolds Date: Mon, 19 Sep 2016 09:45:46 -0500 Subject: [PATCH 6/9] (doc) add CHANGELOG title/summary Add a title and summary to the CHANGELOG, also noting that there is a licensed version CHANGELOG as well and providing a link to that CHANGELOG. --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index cff9fe97c8..a09249c430 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,9 @@ +# Chocolatey Open Source CHANGELOG + +This covers changes for the "chocolatey" and "chocolatey.lib" packages, which are available as FOSS. + +**NOTE**: If you have a licensed edition of Chocolatey ("chocolatey.extension"), refer to this in tandem with [Chocolatey Licensed CHANGELOG](https://github.com/chocolatey/choco/blob/master/CHANGELOG_LICENSED.md). + ## [0.10.0](https://github.com/chocolatey/choco/issues?q=milestone%3A0.10.0+is%3Aclosed) (August 11, 2016) What was planned for 0.9.10.4 is now 0.10.0. This is due partly to a breaking change we are making for security purposes and a move to provide better a better versioning scheme for the remainder of the sub-v1 versions of Chocolatey. Instead of 0.y.z.0 being considered where major verions occur in the sub 1 series, 0.y.0 will now be considered where those major versions occur. We also are moving right along towards v1 (and hope to be there in 2017). From 3f19e0f58183e4d48dc5a9babac6d4bcd91df9c8 Mon Sep 17 00:00:00 2001 From: Rob Reynolds Date: Mon, 19 Sep 2016 10:14:02 -0500 Subject: [PATCH 7/9] (doc) update CHANGELOG/nuspec Release notes for 0.10.1. --- CHANGELOG.md | 47 ++++++++++++++++++++++++++++++ nuget/chocolatey/chocolatey.nuspec | 47 ++++++++++++++++++++++++++++++ 2 files changed, 94 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a09249c430..655f82d1c3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,6 +4,53 @@ This covers changes for the "chocolatey" and "chocolatey.lib" packages, which ar **NOTE**: If you have a licensed edition of Chocolatey ("chocolatey.extension"), refer to this in tandem with [Chocolatey Licensed CHANGELOG](https://github.com/chocolatey/choco/blob/master/CHANGELOG_LICENSED.md). +## [0.10.1](https://github.com/chocolatey/choco/issues?q=milestone%3A0.10.1+is%3Aclosed) (September 19, 2016) + +We're dubbing this the "Shhh! Keep that secret please" release. We've found that when passing in passwords and other sensitive arguments, those items can end up in the logs in clear text. We've addressed this in [#948](https://github.com/chocolatey/choco/issues/948) and [#953](https://github.com/chocolatey/choco/issues/953). When it comes to passing sensitive arguments through to native installers, you can set up environment variables with those sensitive args and pass those arguments directly through to `Start-ChocolateyProcessAsAdmin`. If you prefer a better experience, the licensed version allows passing sensitive options directly through choco.exe as `--install-arguments-sensitive` and `--package-parameters-sensitive`. Read more in the [Licensed CHANGELOG](https://github.com/chocolatey/choco/blob/master/CHANGELOG_LICENSED.md). + +Perhaps the biggest improvement in this release is that Chocolatey will automatically look to see if it can download binaries over HTTPS when provided an HTTP url. If so, Chocolatey will switch to downloading the binaries over SSL. This provides better security in downloading and knowing you are getting the binary from the source location instead of a possible man in the middle location, especially when the package does not provide checksums for verification. + +Another improvement you may not even notice, but we think you will love is that Chocolatey now supports TLS v1.2 transport which presents a nice transparent increase in security. 
You will need to have at least .NET Framework 4.5 installed to take advantage of this feature. + +### FEATURES + + * [Security] Support TLS v1.2 - see [#458](https://github.com/chocolatey/choco/issues/458) + * [Security] Attempt to download packages via HTTPS connection - see [#746](https://github.com/chocolatey/choco/issues/746) + * [Security] Pro/Business - Pass sensitive arguments to installers - see [#948](https://github.com/chocolatey/choco/issues/948) + * Search (and info) by version - see [#935](https://github.com/chocolatey/choco/issues/935) + +### BUG FIXES + + * [Security] Fix - Passwords in command line options are logged in clear text - see [#953](https://github.com/chocolatey/choco/issues/953) + * [Security] Fix - For PowerShell v2 - if switch down to SSLv3 protocol fails, go back to original protocol - see [#958](https://github.com/chocolatey/choco/issues/958) + * Fix - Unzipping to ProgramFiles/System32 is Subject to File System Redirection - see [#960](https://github.com/chocolatey/choco/issues/960) + * Fix - Run without login - see [#945](https://github.com/chocolatey/choco/issues/945) + * Fix - Support Long Paths - see [#934](https://github.com/chocolatey/choco/issues/934) + * Fix - help should not issue warning about elevated command shell - see [#893](https://github.com/chocolatey/choco/issues/893) + * Fix - Licensed Feed cannot be disabled - see [#959](https://github.com/chocolatey/choco/issues/959) + * Fix - Choco with unknown command should show help menu - see [#938](https://github.com/chocolatey/choco/issues/938) + * Fix - Get-FtpFile error when file is missing (called through Get-ChocolateyWebFile) - see [#920](https://github.com/chocolatey/choco/issues/920) + * Fix - Skip Get-WebFileName for FTP - see [#957](https://github.com/chocolatey/choco/issues/957) + * Fix - Chocolatey-InstallChocolateyPackage fix for double chocolatey folder name is not also applied to the passed in file name - see 
[#908](https://github.com/chocolatey/choco/issues/908) + * Fix - Start-ProcessAsAdmin - working directory should be from the location of the executable - see [#937](https://github.com/chocolatey/choco/issues/937) + * [POSH Host] Fix - PowerShell Host - Package scripts setting values can affect packages that depend on them - see [#719](https://github.com/chocolatey/choco/issues/719) + * Fix - Transactional install - pending check may fail if the lib folder doesn't exist - see [#954](https://github.com/chocolatey/choco/issues/954) + * Fix - Start-ChocolateyProcessAsAdmin Module Import for PowerShell causes errors - see [#901](https://github.com/chocolatey/choco/issues/901) + +### IMPROVEMENTS + + * Transactional Install - Improve concurrent operations (pending) - see [#943](https://github.com/chocolatey/choco/issues/943) + * Uninstall-ChocolateyPackage should set unrecognized fileType to exe - see [#964](https://github.com/chocolatey/choco/issues/964) + * Powershell functions - Allow access to package title, not only ID - see [#925](https://github.com/chocolatey/choco/issues/925) + * Option to apply package parameters / install arguments to dependent packages - see [#839](https://github.com/chocolatey/choco/issues/839) + * Get-ChocolateyWebFile download check enhancements - see [#952](https://github.com/chocolatey/choco/issues/952) + * Do not treat unknown checksum types as MD5 - see [#932](https://github.com/chocolatey/choco/issues/932) + * Pro/Business - Install-ChocolateyPackage - UseOriginalLocation - see [#950](https://github.com/chocolatey/choco/issues/950) + * Auto determine checksum type - see [#922](https://github.com/chocolatey/choco/issues/922) + * Ensure PowerShell functions have parameter name parity - see [#941](https://github.com/chocolatey/choco/issues/941) + * Output from installer should go to verbose log - see [#940](https://github.com/chocolatey/choco/issues/940) + + ## 
[0.10.0](https://github.com/chocolatey/choco/issues?q=milestone%3A0.10.0+is%3Aclosed) (August 11, 2016) What was planned for 0.9.10.4 is now 0.10.0. This is due partly to a breaking change we are making for security purposes and a move to provide better a better versioning scheme for the remainder of the sub-v1 versions of Chocolatey. Instead of 0.y.z.0 being considered where major verions occur in the sub 1 series, 0.y.0 will now be considered where those major versions occur. We also are moving right along towards v1 (and hope to be there in 2017). diff --git a/nuget/chocolatey/chocolatey.nuspec b/nuget/chocolatey/chocolatey.nuspec index 03bdbc18ab..f0ab885fac 100644 --- a/nuget/chocolatey/chocolatey.nuspec +++ b/nuget/chocolatey/chocolatey.nuspec 
@@ -55,6 +55,53 @@ In that mess there is a link to the [PowerShell Chocolatey module reference](htt See all - https://github.com/chocolatey/choco/blob/stable/CHANGELOG.md +## 0.10.1 + +We're dubbing this the "Shhh! Keep that secret please" release. We've found that when passing in passwords and other sensitive arguments, those items can end up in the logs in clear text. We've addressed this in [#948](https://github.com/chocolatey/choco/issues/948) and [#953](https://github.com/chocolatey/choco/issues/953). When it comes to passing sensitive arguments through to native installers, you can set up environment variables with those sensitive args and pass those arguments directly through to `Start-ChocolateyProcessAsAdmin`. If you prefer a better experience, the licensed version allows passing sensitive options directly through choco.exe as `--install-arguments-sensitive` and `--package-parameters-sensitive`. Read more in the [Licensed CHANGELOG](https://github.com/chocolatey/choco/blob/master/CHANGELOG_LICENSED.md). + +Perhaps the biggest improvement in this release is that Chocolatey will automatically look to see if it can download binaries over HTTPS when provided an HTTP url. If so, Chocolatey will switch to downloading the binaries over SSL. This provides better security in downloading and knowing you are getting the binary from the source location instead of a possible man in the middle location, especially when the package does not provide checksums for verification. + +Another improvement you may not even notice, but we think you will love is that Chocolatey now supports TLS v1.2 transport which presents a nice transparent increase in security. You will need to have at least .NET Framework 4.5 installed to take advantage of this feature. 
+ +### FEATURES + + * [Security] Support TLS v1.2 - see [#458](https://github.com/chocolatey/choco/issues/458) + * [Security] Attempt to download packages via HTTPS connection - see [#746](https://github.com/chocolatey/choco/issues/746) + * [Security] Pro/Business - Pass sensitive arguments to installers - see [#948](https://github.com/chocolatey/choco/issues/948) + * Search (and info) by version - see [#935](https://github.com/chocolatey/choco/issues/935) + +### BUG FIXES + + * [Security] Fix - Passwords in command line options are logged in clear text - see [#953](https://github.com/chocolatey/choco/issues/953) + * [Security] Fix - For PowerShell v2 - if switch down to SSLv3 protocol fails, go back to original protocol - see [#958](https://github.com/chocolatey/choco/issues/958) + * Fix - Unzipping to ProgramFiles/System32 is Subject to File System Redirection - see [#960](https://github.com/chocolatey/choco/issues/960) + * Fix - Run without login - see [#945](https://github.com/chocolatey/choco/issues/945) + * Fix - Support Long Paths - see [#934](https://github.com/chocolatey/choco/issues/934) + * Fix - help should not issue warning about elevated command shell - see [#893](https://github.com/chocolatey/choco/issues/893) + * Fix - Licensed Feed cannot be disabled - see [#959](https://github.com/chocolatey/choco/issues/959) + * Fix - Choco with unknown command should show help menu - see [#938](https://github.com/chocolatey/choco/issues/938) + * Fix - Get-FtpFile error when file is missing (called through Get-ChocolateyWebFile) - see [#920](https://github.com/chocolatey/choco/issues/920) + * Fix - Skip Get-WebFileName for FTP - see [#957](https://github.com/chocolatey/choco/issues/957) + * Fix - Chocolatey-InstallChocolateyPackage fix for double chocolatey folder name is not also applied to the passed in file name - see [#908](https://github.com/chocolatey/choco/issues/908) + * Fix - Start-ProcessAsAdmin - working directory should be from the location of the 
executable - see [#937](https://github.com/chocolatey/choco/issues/937) + * [POSH Host] Fix - PowerShell Host - Package scripts setting values can affect packages that depend on them - see [#719](https://github.com/chocolatey/choco/issues/719) + * Fix - Transactional install - pending check may fail if the lib folder doesn't exist - see [#954](https://github.com/chocolatey/choco/issues/954) + * Fix - Start-ChocolateyProcessAsAdmin Module Import for PowerShell causes errors - see [#901](https://github.com/chocolatey/choco/issues/901) + +### IMPROVEMENTS + + * Transactional Install - Improve concurrent operations (pending) - see [#943](https://github.com/chocolatey/choco/issues/943) + * Uninstall-ChocolateyPackage should set unrecognized fileType to exe - see [#964](https://github.com/chocolatey/choco/issues/964) + * Powershell functions - Allow access to package title, not only ID - see [#925](https://github.com/chocolatey/choco/issues/925) + * Option to apply package parameters / install arguments to dependent packages - see [#839](https://github.com/chocolatey/choco/issues/839) + * Get-ChocolateyWebFile download check enhancements - see [#952](https://github.com/chocolatey/choco/issues/952) + * Do not treat unknown checksum types as MD5 - see [#932](https://github.com/chocolatey/choco/issues/932) + * Pro/Business - Install-ChocolateyPackage - UseOriginalLocation - see [#950](https://github.com/chocolatey/choco/issues/950) + * Auto determine checksum type - see [#922](https://github.com/chocolatey/choco/issues/922) + * Ensure PowerShell functions have parameter name parity - see [#941](https://github.com/chocolatey/choco/issues/941) + * Output from installer should go to verbose log - see [#940](https://github.com/chocolatey/choco/issues/940) + + ## 0.10.0 What was planned for 0.9.10.4 is now 0.10.0. 
This is due partly to a breaking change we are making for security purposes and a move to provide better a better versioning scheme for the remainder of the sub-v1 versions of Chocolatey. Instead of 0.y.z.0 being considered where major verions occur in the sub 1 series, 0.y.0 will now be considered where those major versions occur. We also are moving right along towards v1 (and hope to be there in 2017). From 894c3fc625b21bd654956d3151e57cbbb9377408 Mon Sep 17 00:00:00 2001 From: Rob Reynolds Date: Mon, 19 Sep 2016 12:23:53 -0500 Subject: [PATCH 8/9] (GH-943) Remove Transaction Lock Even on Failure Whether or not the package is successful, remove the lock on the pending file. Otherwise the failed install cleanup will not work properly. --- .../services/ChocolateyPackageService.cs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/chocolatey/infrastructure.app/services/ChocolateyPackageService.cs b/src/chocolatey/infrastructure.app/services/ChocolateyPackageService.cs index 9e8f5ab478..7c98ab7257 100644 --- a/src/chocolatey/infrastructure.app/services/ChocolateyPackageService.cs +++ b/src/chocolatey/infrastructure.app/services/ChocolateyPackageService.cs @@ -412,6 +412,8 @@ public void handle_package_result(PackageResult packageResult, ChocolateyConfigu ensure_bad_package_path_is_clean(config, packageResult); EventManager.publish(new HandlePackageResultCompletedMessage(packageResult, config, commandName)); + remove_pending(packageResult, config); + if (!packageResult.Success) { this.Log().Error(ChocolateyLoggers.Important, "The {0} of {1} was NOT successful.".format_with(commandName.to_string(), packageResult.Name)); 
@@ -421,9 +423,7 @@ public void handle_package_result(PackageResult packageResult, ChocolateyConfigu } remove_rollback_if_exists(packageResult); - - if (packageResult.Success) remove_pending(packageResult, config); - + this.Log().Info(ChocolateyLoggers.Important, " The {0} of {1} was successful.".format_with(commandName.to_string(), packageResult.Name)); var installLocation = Environment.GetEnvironmentVariable(ApplicationParameters.Environment.ChocolateyPackageInstallLocation); @@ -1193,7 +1193,7 @@ public void remove_pending(PackageResult packageResult, ChocolateyConfiguration fileLock.Dispose(); } - if (_fileSystem.file_exists(pendingFile)) _fileSystem.delete_file(pendingFile); + if (packageResult.Success && _fileSystem.file_exists(pendingFile)) _fileSystem.delete_file(pendingFile); } private IEnumerable get_environment_before(ChocolateyConfiguration config, bool allowLogging = true) From 1971ea1a2c2143372c6a23699a621871db681ca0 Mon Sep 17 00:00:00 2001 From: Rob Reynolds Date: Mon, 19 Sep 2016 12:24:02 -0500 Subject: [PATCH 9/9] (version) 0.10.1 --- .uppercut | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.uppercut b/.uppercut index 4c52c45f0c..3bfb6e79cd 100644 --- a/.uppercut +++ b/.uppercut @@ -17,7 +17,7 @@ - +
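Review bot: In the `@@ -1193` hunk, `remove_pending` now releases the lock on every path but deletes the pending marker only when `packageResult.Success` is true, so the method no longer does what its name says and nothing in the code records that the leftover marker is intentional; add a comment above the new line such as `// Always release the lock; on failure keep the pending marker so the failed install can be detected and cleaned up later.` (the commit message implies this is how the marker is consumed elsewhere — worth confirming, since the rest of `remove_pending` is outside the hunk). A second, smaller point applies to the `@@ -412` hunk: `remove_pending(packageResult, config);` now runs before the `if (!packageResult.Success)` branch in `handle_package_result` (whose body begins outside the hunk), so if the lock disposal or file deletion throws, the "was NOT successful" error is never logged and the caller sees an I/O exception instead of the package failure; a `try`/`finally` around the failure logging, or a brief comment stating that `remove_pending` is expected not to throw, would make that ordering deliberate.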