Collaborative office suite, end-to-end encrypted and open-source.
This minor release is primarily intended to fix some minor issues that were introduced or detected following our 3.25.0 release, but it also includes some major improvements that we want to test and stabilize before our upcoming 4.0.0 release.
Features
offline mode to the server so that anyone developing features in CryptPad can test its offline and caching features by disabling the websocket components of the server. Use npm run offline to launch in this mode.
Bug fixes
postMessage API by which CryptPad's different iframes and workers communicate could not serialize certain error messages after recent changes. We've added some special logic to send such messages in a valid format as well as some extra error handling to better recover from and report failed transmissions.
To update from 3.25.0 to 3.25.1:
git checkout 3.25.1
bower update and npm i
Zyzomys pedunculatus image courtesy of Wikimedia commons
This is the last major release of our 3.0.0 release cycle. We wanted to mark the occasion with some big improvements to keep everyone happy in case we need to take some more time to prepare our upcoming 4.0.0 release.
This update introduces some major database optimizations that should decrease both CPU and disk usage over time as users request resources and prime an on-disk cache for the next time.
We've also introduced the ability to archive illegal or otherwise objectionable material from the admin panel, assuming you possess the ability to load the content in question. It's also possible to restore archived content via an adjacent form field on the admin panel as long as it has not been permanently deleted. Due to a quirk in how ownership of uploaded files works, restored files will not retain their "owners" property. We hope to fix this in a future release.
We've also made some minor changes to the example NGINX config file provided in cryptpad/docs/example.nginx.conf, specifically in this commit. CryptPad will probably work if you don't apply these changes to your nginx conf, but some functional improvements depend on the exposed headers.
To upgrade from 3.24.0 to 3.25.0:
3.25.0 tag or the main branch)
bower update and npm install.
enter and esc keypresses after closing a modal was overly zealous and stopped listening after any keypress. This made it so that any prompt with an input field did not correctly submit or cancel when pressing enter or esc after typing some text.
Image courtesy of Wikimedia commons
We are once again working to develop some significant new features. This release is fairly small but includes some significant changes to detect and handle a variety of errors.
This release includes some minor corrections to the recommended NGINX configuration supplied in cryptpad/docs/example.nginx.conf.
To update from 3.23.2 to 3.24.0:
3.24.0 tag or the main branch using git.
bower update and npm install.
sessionStorage for the purpose of passing important information to editors opened in a new tab stopped working. This meant that when you created a document in a folder, the resulting new tab would not receive the argument describing where it should be stored, and would instead save it to the default location. We've addressed this by replacing our usage of sessionStorage with a new format for passing the same arguments via the hash in the new document's URL.
window.print API also failed in a variety of cases. We've updated the relevant CSP headers to only be applied on the sheet editor (to support XLSX export) but allow printing elsewhere. We've also updated some print styles to provide more appealing results.
"IS_NEW_PAD" could return an error but that clients would incorrectly interpret such a response as a false. This has been corrected.
A number of instance administrators reported issues following our 3.23.1 release. We suspect the issues were caused by applying the recommended update steps out of order which would result in the incorrect HTTP header values getting cached for the most recent version of a file. Since the most recently updated headers modified some security settings, this caused a catastrophic error on clients receiving the incorrect headers which caused them to fail to load under certain circumstances.
Regardless of the reasons behind this, we want CryptPad to be resilient against misconfiguration. This minor release includes a number of measures to override the unruly caching mechanisms employed internally by two of our most stubborn dependencies (CKEditor and OnlyOffice). Deploying 3.23.2 should force these editors to load the most recent versions of these dependencies according to the same policies as the rest of CryptPad and instruct clients to ignore any incorrect server responses they might have cached over the last few updates.
This release also includes a number of bug fixes which had been tested in the meantime.
Other bug fixes
We've implemented some measures to correct any team data that might have become corrupted due to the issues described above. Access rights from duplicated teams should be merged back into one set of cryptographic keys wherever possible. In cases where this isn't possible your role in the team will be automatically downgraded to the rank conferred by the keys you still have. For instance, somebody listed as an administrator who only has the keys required to view the team will downgrade themself to be a viewer. Subsequent promotions back to your previous team role should restore your possession of the required keys.
To update to 3.23.2 from 3.23.0 or 3.23.1:
Perform the same upgrade steps listed for 3.23.0 including the most recent configuration changes listed in `cryptpad/docs/example.nginx.conf...
bower update
npm install
service nginx reload to apply its config changes
We discovered a number of minor bugs after deploying 3.23.0. This minor release addresses them.
Features
Bug fixes
To update from 3.23.0 to 3.23.1:
git checkout 3.23.1
bower update and npm i
Image courtesy of Wikimedia commons
We plan to produce an updated installation guide for CryptPad instance administrators to coincide with our 4.0.0 release. As we get closer to the end of the alphabet we're working to simplify the process of configuring instances. This release features several new admin panel features intended to supersede the usage of the server configuration file and provide the ability to modify instance settings at runtime.
We also spent some time finalizing some major improvements to the history mode which is available in most of our document editors. More on that in the Features section.
This release introduces some behaviour which may require manual configuration on the part of the administrator. Read the following sections carefully or proceed at your own risk!
When a user employs the destroy functionality to make a pad unavailable it isn't typically deleted. Instead it is made unavailable by moving it into the server's archive directory. Archived files are intended to be removed after another configurable amount of time (archiveRetentionTime in your config file). The deletion of old files from your archive is handled by evict-inactive.js, which can be found in cryptpad/scripts/. Up until now this script needed to be run manually (typically as a cron job) with node ./scripts/evict-inactive.js. Since this isn't widely known we decided to integrate it directly into the server by automatically running the script once per day.
The same eviction process is also responsible for scanning your server's database for inactive documents (defined as those which haven't been accessed in a number of days specified in your config under inactiveTime). Such inactive documents are archived unless they have been stored within a registered user's drive. Starting with this release we have added the ability to specify the number of days before an account will be considered inactive (accountRetentionTime). This will take into account whether they added any new documents to their drive, or whether any of the existing documents were accessed or modified by other users.
If you prefer to run the eviction script manually you can disable its integration into the server by adding disableIntegratedEviction: true to your config file. An example is given in cryptpad/config/config.example.js. If you want this process to run automatically you may set the same value to false, or comment it out if you prefer. Likewise, if you prefer to never remove accounts and their data due to account inactivity, you may also comment it out.
If you haven't been manually running the eviction scripts we recommend that you carefully review all of the values mentioned above to ensure that you will not be surprised by the sudden and unintended removal of any data. As a reminder, they are:
inactiveTime (number of days before a file is considered inactive)
archiveRetentionTime (number of days that an archived file will be retained before it is permanently deleted)
accountRetentionTime (number of days of inactivity before an account is considered inactive and eligible for deletion)
disableIntegratedEviction (true if you prefer to run the eviction process manually or not at all, false or nothing if you want the server to handle eviction)
After some testing on our part we've included an update to the example NGINX config file available in cryptpad/docs/example.nginx.conf which will enable a relatively new browser API which is required for XLSX export from our sheet editor. The relevant lines can be found beneath the comment # Enable SharedArrayBuffer in Firefox (for .xlsx export).
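The four eviction settings listed above can be reviewed before upgrading with a small script. The following is an added example, not CryptPad's evict-inactive.js: the document fields (archived, daysSinceAccess, daysArchived, inRegisteredDrive, accountInactiveDays), the outcome labels, and the treatment of exactly N days as expired are assumptions of this simplified model, and the config values are constructed samples.

```javascript
// Constructed sample values (not recommendations); key names are from the release notes.
const sampleConfig = {
    inactiveTime: 90,          // days before a file is considered inactive
    archiveRetentionTime: 15,  // days an archived file is retained before deletion
    accountRetentionTime: 365, // days before an account is considered inactive
    // disableIntegratedEviction: true, // unset or false: the server runs eviction itself
};

// Normalise the four settings so unset values are visible before upgrading.
function reviewEvictionSettings(config) {
    const days = (key) => (typeof config[key] === 'number' ? config[key] : null);
    return {
        integratedEviction: config.disableIntegratedEviction !== true,
        inactiveTime: days('inactiveTime'),
        archiveRetentionTime: days('archiveRetentionTime'),
        accountRetentionTime: days('accountRetentionTime'),
    };
}

// Predict the outcome for one document (hypothetical fields, simplified model).
function predictEviction(config, doc) {
    const s = reviewEvictionSettings(config);
    if (doc.archived) {
        if (s.archiveRetentionTime === null) { return 'review'; }
        return doc.daysArchived >= s.archiveRetentionTime ? 'delete' : 'keep-archived';
    }
    if (s.inactiveTime === null) { return 'review'; }
    if (doc.daysSinceAccess < s.inactiveTime) { return 'keep'; }
    if (!doc.inRegisteredDrive) { return 'archive'; }
    // In a registered user's drive: protected unless the account itself is inactive.
    if (s.accountRetentionTime === null) { return 'keep'; }
    return doc.accountInactiveDays >= s.accountRetentionTime ? 'account-eligible' : 'keep';
}

// Count predicted outcomes over an inventory of documents.
function summarize(config, docs) {
    const counts = {};
    for (const doc of docs) {
        const outcome = predictEviction(config, doc);
        counts[outcome] = (counts[outcome] || 0) + 1;
    }
    return counts;
}

// Constructed inventory for illustration.
const sampleDocs = [
    { archived: false, daysSinceAccess: 10, inRegisteredDrive: false },
    { archived: false, daysSinceAccess: 120, inRegisteredDrive: false },
    { archived: false, daysSinceAccess: 120, inRegisteredDrive: true, accountInactiveDays: 30 },
    { archived: true, daysArchived: 20 },
];
console.log(reviewEvictionSettings(sampleConfig), summarize(sampleConfig, sampleDocs));
```

A 'review' outcome means the relevant setting is unset in the config being checked, so its effect should be confirmed against cryptpad/config/config.example.js before the server's daily eviction runs.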
Up until now the configuration file found in cryptpad/config/config.js has been the primary means of configuring a CryptPad instance. Unfortunately, as the server's behaviour becomes increasingly complex due to interest in a broad variety of use-cases this config file tends to grow. The kinds of questions that administrators ask via email, GitHub issues, and via our Matrix channel often suggest that admins haven't read through the comments in these files. Additionally, changes to the server's configuration can only be applied by restarting the server, which is increasingly disruptive as the service becomes more popular. To address these issues we've decided to start improving the instance admin panel such that it becomes the predominant means of modifying common server behaviours.
We've started by making it possible to update storage settings from the User storage section of the admin panel. Administrators can now update the default storage limit for users registered on the instance from the default quota of 50MB. It's also possible to allocate storage limits to particular users on the basis of their Public Signing Key, which can be found at the top of the Accounts section on the settings page.
Storage limits configured in this way will supersede those set via the server's config file, such that any modifications to a quota already set in the file will be ignored once you have modified or removed that user's quota via the admin panel. Admins are also able to view the parameters of all existing custom quotas loaded from either source.
Once you've reviewed these settings and you're ready to update from 3.22.0 to 3.23.0:
bower update
npm install
service nginx reload to apply its config changes
Image courtesy of Wikimedia Commons
We've been working on some long-term projects that we hope to deliver over the course of the next few releases. In the meantime, this release includes a number of minor improvements.
To upgrade from 3.21.0 to 3.22.0:
bower update
This release was developed over a longer period than usual due to holidays, our yearly company seminar, and generally working on some important software-adjacent projects. As such, we opted not to aim for any major features and instead introduce some minor improvements and address some users' complaints.
We've had a few disgruntled administrators contact us about our apparent failure to provide a docker image or to otherwise support their preferred configuration. With that in mind, this is a periodic reminder that CryptPad is provided to the public under the terms of the AGPL (found within this repository in the LICENSE file) which implies on our part no warranty, liability, or responsibility to configure your server for you. We do our best to provide the necessary information to correctly launch your own instance of the software given our limited budget, however, all such files are provided AS IS and are only intended to function under the narrow circumstances of usage which we recommend within the comments of the provided example configuration files.
With that said, the vast majority of our community acts kindly and courteously towards us and each other. We really do appreciate it, and we'll continue to help you to the best of our ability. With that in mind, we're happy to announce that we've written and deployed a first version of our user guide, available at https://docs.cryptpad.fr. The work that went into this was funded by NLnet foundation as an NGI Zero PET (Privacy-Enhancing Technology) grant. We are currently working on two more guides intended for developers and administrators, and will deploy them to the same domain as they are completed. In the meantime we have begun to update our README, GitHub wiki, and other resources to reflect the current recommended practices and remove references to unsupported configurations.
If you're only reading this for instructions on how to update your instance from 3.20.1 to 3.21.0:
bower update
npm install
Once again we've decided to follow up our last major release with a minor "revenge" release that we wanted to make available as soon as possible. We expect to deploy and release version 3.21.0 on Tuesday, July 28th, 2020.
Features
Bug fixes
lodash as a dependency of the linters that we use to validate our code. Unless you were actively using those linters while developing CryptPad this should have no effect for you.
To update from 3.20.0 to 3.20.1:
git checkout 3.20.1
bower update and npm i
Upland moa image courtesy of Wikimedia commons
We've held off on deploying any major features while we work towards deploying some documentation we've been busy organizing. This release features a wide range of minor features intended to address a number of github issues and frequent causes of support tickets.
This release features a modification to the recommended Content Security Policy headers as demonstrated in ./cryptpad/docs/example.nginx.conf. CryptPad will work without making this change, however, we highly recommend updating your instance's nginx.conf as it will mitigate a variety of potential security vulnerabilities.
Otherwise, we've introduced a new client-side dependency (Mathjax) and changed some server-side code that will require a server restart.
To update from 3.19.1 to 3.20.0:
nginx.conf
bower update