-This is a minor feature and bugfix release since version 0.8.1,
-released Aug 26 2009. Notable changes this version:
-
-- New script for deleting user accounts. Not particularly safe or
- community-friendly. Better for deleting abusive accounts than for
- users who are 'retiring'.
-- Improved detection of URLs in notices, specifically for punctuation
- chars like ~, :, $, _, -, +, !, @, and %.
-- Removed some extra <dl> semantic HTML code.
-- Correct error in status-network database ini file (having multiple
- statusnet sites with a single codebase)
-- Fixed error output for Twitter posting failures.
-- Fixed bug in Twitter queue handler that requeued inapplicable
- notices ad infinitum.
-- Improve FOAF output for remote users.
-- new commands to join and leave groups.
-- Fixed bug in which you cannot turn off importing friends timelines
- flag.
-- Better error handling in Twitter posting.
-- Show oEmbed data for XHTML files as well as plain HTML.
-- Updated bug database link in README.
-- require HTML tidy extension.
-- add support for HTTP Basic Auth in PHP CGI or FastCGI (e.g. GoDaddy).
-- autofocus input to selected entry elements depending on page.
-- updated layout for filter-by-tag form.
-- better layout for inbox and outbox pages.
-- fix highlighting search terms in attributes of notice list elements.
-- Correctly handle errors in linkback plugin.
-- Updated biz theme.
-- Updated cloudy theme.
-- Don't match '::' as an IPv6 address.
-- Use the same decision logic for deciding whether to mark an
- attachment as an enclosure in RSS or as a paperclip item in Web
- output.
-- Fixed a bug in the Piwik plugin that hard-coded the site ID.
-- Add a param, inreplyto, to notice/new to allow an explicit response
- to another notice.
-- Show username in subject of emails.
-- Check if avatar exists before trying to delete it.
-- Correctly add omb_version to response for request token in OMB.
-- Add a few more SMS carriers.
-- Add a few more notice sources.
-- Vary: header.
-- Improvements to the AutoCompletePlugin.
-- Check for 'dl' before using it.
-- Make it impossible to delete self-subscriptions via the API.
-- Fix pagination of tagged user pages.
-- Make PiwikAnalyticsPlugin work with addPlugin().
-- Removed trailing single space in user nicknames in notice lists.
-- Show context link if a notice starts a conversation.
-- blacklist all files and directories in install dir.
-- handle GoDaddy-style PATH_INFO, including script name.
-- add home_timeline synonym for friends_timeline.
-- Add a popup window for the realtime plugin.
-- Add some more streams for the realtime plugin.
-- Fix a bug that overwrote group creation timestamp on every edit.
-- Moved HTTP error code strings to a class variable.
-- The Twitter API now returns server errors in the correct format.
-- Reset the doctype for HTML output.
-- Fixed a number of notices.
-- Don't show search suggestions for private sites.
-- Some corrections to FBConnect nav overrides.
-- Slightly less database-intensive session management.
-- Updated name of software in installer script.
-- Include long-form attachment URLs if url-shortener is disabled.
-- Include updated localisations for Polish, Greek, Hebrew, Icelandic,
- Norwegian, and Chinese.
-- Include upstream fixes to gettext.php.
-- Correct for regression in Facebook API for updates.
-- Ignore "Sent from my iPhone" (and similar) in mail updates.
-- Use the NICKNAME_FMT constant for detecting nicknames.
-- Check for site servername config'd.
-- Compatibility fix for empty status updates with Twitter API.
-- Option to show files privately (EXPERIMENTAL! Use with caution.)
-- a script to register a new user.
-- a script to make a user admin of a group.
+This is a major feature release since version 0.8.2, released Nov 1 2009.
+It is also a security release since 0.9.0beta4 January 27 2010. Beta
+users are strongly encouraged to upgrade to deal with a security alert.
+
+http://status.net/wiki/Security_alert_0000002
+
+Notable changes this version:
+
+- Records of deleted notices are stored without the notice content.
+- Much of the optional core featureset has been moved to plugins.
+- OpenID support moved from core to a plugin. Helps test the strength of
+ our plugin architecture and makes it easy to disable this
+ functionality for e.g. intranet sites.
+- Many additional hook events (see EVENTS.txt for details).
+- OMB 0.1 support re-implemented using libomb.
+- Re-structure database so notices, messages, bios and group
+ descriptions can be over 140 characters. Limit defined by
+ site administrator as configuration option; can be unlimited.
+- Configuration data now optionally stored in the database, which
+ overrides any settings in config files.
+- Twitter integration re-implemented as a plugin.
+- Facebook integration re-implemented as a plugin.
+- Role-based authorization framework. Users can have named roles, and
+ roles can have rights (e.g., to delete notices, change configuration
+ data, or ban uncooperative users). Default roles 'admin' (for
+ configuration) and 'moderator' (for community management) added.
+- Plugin for PubSubHubBub (PuSH) support.
+- Considerable code style cleanup to meet PEAR code standards.
+- Made a common library for HTTP-client access which uses available
+ HTTP libraries where possible.
+- Added statuses/home_timeline method to API.
+- Hooks for plugins to handle notices offline, either by defining
+ their own queue handler scripts or to use a default plugin queue
+ handler script.
+- Plugins can now modify the database schema, adding their own tables
+ or modifying existing ones.
+- Groups API.
+- Twitter API supports Web caching for some methods.
+- Twitter API refactored into one-action-per-method.
+- Realtime plugin supports a tear-off window.
+- FOAF for groups.
+- Moved all JavaScript tags to just before </body> by default,
+ significantly speeding up apparent page load time.
+- Added a Realtime plugin for Orbited server.
+- Added a mobile plugin to give a more mobile-phone-friendly layout
+ when a mobile browser is detected.
+- Use CSS sprites for most common icons.
+- Fixes for images and buttons on Web output.
+- New plugin requires that users validate their email before posting.
+- New plugin UserFlag lets users flag other profiles for review.
+- Considerably better i18n support. Use TranslateWiki to update
+ translations.
+- Notices and profiles now store location information.
+- New plugin, Geonames, for turning location names and lat/long pairs
+ into structured IDs and vice versa. Architecture reusable for other
+ systems.
+- Better check of license compatibility between site licenses.
+- Some improvements in XMPP output.
+- Media upload in the API.
+- Replies appear in the user's inbox.
+- Improved the UI on the bookmarklet.
+- StatusNet identities can be used as OpenID identities.
+- Script to register a user.
+- Script to make someone a group admin.
+- Script to make someone a site admin or moderator.
+- 'login' command.
+- Pluggable authentication.
+- LDAP authentication plugin.
+- Script for console interaction with the site (!).
+- Users don't see group posts from people they've blocked.
+- Admin panel interface for changing site configuration.
+- Users can be sandboxed (limited contributions) or silenced
+ (no contributions) by moderators.
+- Many changes to make language usage more consistent.
+- Sphinx search moved to a plugin.
+- GeoURL plugin.
+- Profile and group lists support hAtom.
+- Massive refactoring of util.js.
+- Mapstraction plugin to show maps on inbox and profile pages.
+- Play/pause buttons for realtime notices.
+- Support for geo microformat.
+- Partial support for feed subscriptions, RSSCloud, PubSubHubBub.
+- Support for geolocation in browser (Chrome, Firefox).
+- Quit trying to negotiate HTML format. Always use text/html.
+ We lose, and so do Web standards. Boo.
+- Better logging of request info.
+- Better output for errors in Web interface.
+- No longer store .mo files; these need to be generated.
+- Minify plugin.
+- Events to allow pluginizing logger.
+- New framework for plugin localization.
+- Gravatar plugin.
+- Add support for "repeats" (similar to Twitter's "retweets").
+- Support for repeats in Twitter API.
+- Better notification of direct messages.
+- New plugin to add "powered by StatusNet" to logo.
+- Returnto works for private sites.
+- Localisation updates, including new Persian translation.
+- CAS authentication plugin
+- Get rid of DB_DataObject native cache (big memory leaker)
+- setconfig.php script to set configuration variables
+- Blacklist plugin, to blacklist URLs and nicknames
+- Users can set flag whether they want to share location
+ both in notice form (for one notice) and profile settings
+ (any notice)
+- notice inboxes moved from normalized notice_inbox table to
+ denormalized inbox table
+- Automatic compression of Memcache
+- Memory caching pluginized
+- Memcache, XCache, APC and Diskcache plugins
+- A script to update user locations
+- cache empty query results
+- A sample plugin to show best plugin practices
+- CacheLog plugin to debug cache accesses
+- Require users to login to view attachments on private sites
+- Plugin to use Mollom spam detection service
+- Plugin for RSSCloud
+- Add an array of default plugins
+- A version action to give credit to contributors and plugin
+ developers
+- Daemon to read IMAP mailbox instead of using a mailbox script
+- Pass session information between SSL and non-SSL server
+ when SSL set to 'sometimes'
+- Major refactoring of queue handlers to manage very
+ large hosting site (like status.net)
+- SubscriptionThrottle plugin to prevent subscription spamming
+- Don't enqueue into plugin or SMS queues when disabled (breaks unqueuehandler if SMS queue isn't attached)
+- Improve name validation checks on local File references
+- fix local file include vulnerability in doc.php
+- Reusing fixed selector name for 'processing' in util.js
+- Removed hAtom pattern from registration page.
+- restructuring of User::registerNew() lost password munging
+- Add a script to clear the cache for a given key
+- buggy fetch for site owner
+- Added missing concat of </li> in Realtime response
+- Updated XHR binded events to work better in jQuery 1.4.1. Using .live() for event delegation instead of jQuery.data() and checking to see if an element was previously binded.
+- Updated jQuery Form Plugin from v2.17 to v2.36
+- Updated jQuery JavaScript Library from v1.3.2 to v1.4.1
+- move schema.type.php to typeschema.php like other files
+- Add Really Simple Discovery (RSD) support
+- Add a robots.txt URL to the site root
+- error clearing tags for profiles from memcached
+- on exceptions, stomp logs the error and reenqueues
+- add lat, lon, location and remove closing tag from geocode.php
+- Use passed-in lat long in geocode.php
+- better handling of null responses from geonames.org
+- Globalized form notice data geo values
+- Using jQuery chaining in FormNoticeXHR
+- Using form object instead of form_id and find(). Slightly faster and easier to read.
+- removed describeTable from base class, and fixed it up in pgsql
+- getTableDef() mostly working in postgres
+- move the schema DDL sql off into seperate files for each db we support
+- plugin to limit number of registered users
+- add hooks for user registration
+- live fast, die young in bash scripts
+- for single-user mode, retrieve either site owner or defined nickname
+- method to get the site owner
+- define a constant for the 'owner' role of a site
+- add simple cache getter/setter static functions to Memcached_DataObject
+- Adds notice author's name to @title in Realtime response
+- Hides .author from XHR response in showstream
+- Hides .author from XHR response in showstream
+- Fix more fatal errors in queue edge cases
+- Don't attempt to resend XMPP messages that can't be broadcast due to the profile being deleted.
+- Wrap each bit of distrib queue handler's saving operation in a try/catch; log exceptions but let everything else continue.
+- Log exceptions from queuedaemon.php if they're not already caught
+- Move sessions settings to its own panel
+- Fixes for status_network db object .ini and tag setter script
+- Add a script to set tags for sites
+- Adjust API authentication to also check for OAuth protocol params in the HTTP Authorization header, as defined in OAuth HTTP Authorization Scheme.
+- Last-chance distribution if enqueueing fails
+- Manual failover for stomp queues.
+- lost config in index.php made all traffic go to master
+- "Revert "move RW setup above user get in index.php so remember_me works""
+- Revert "move RW setup above user get in index.php so remember_me works"
+- move RW setup above user get in index.php so remember_me works
+- hide most DB_DataObject errors
+- always set up database_rw, regardless, so cached sessions work
+- update mysqltimestamps on insert and update
+- additional debugging data for Sessions
+- 'Sign in with Twitter' button img
+- Update to biz theme
+- Remove redundant session token field from form (was already being added by base class).
+- 'Sign in with Twitter' button img
+- Can now set $config['queue']['stomp_persistent'] = false; to explicitly disable persistence when we queue items
+- Showing processing indicator for form_repeat on submit instead of form
+- Removed avatar from repeat of username (matches noticelist)
+- Removed unused variable assignment for avatar URL and added missing fn
+- Don't preemptively close existing DB connections for web views (needed to keep # of conns from going insane on multi-site queue daemons, so just doing for CLI) May, or may not, help with mystery session problems
+- dropping the setcookie() call from common_ensure_session() since we're pretty sure it's unnecessary
+- append '/' on cookie path for now (may still need some refactoring)
+- set session cookie correctly
+- Fix for Mapstraction plugin's zoomed map links
+- debug log line for control channel sub
+- Move faceboookapp.js to the Facebook plugin
+- fix for fix for bad realtime JS load
+- default 24-hour expiry on Memcached objects where not specified.
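Review bot: The entries that look security-relevant are buried in the lower half of the added list, so a beta user acting on the "security release" notice at the top cannot tell which changes matter for the upgrade. "fix local file include vulnerability in doc.php" and "Improve name validation checks on local File references" would be better placed directly under the Security_alert_0000002 link. "restructuring of User::registerNew() lost password munging" describes the regression rather than the fix and should say that password munging was restored; the same wording problem affects "buggy fetch for site owner", "error clearing tags for profiles from memcached" and "lost config in index.php made all traffic go to master". From "Don't enqueue into plugin or SMS queues when disabled" onward the list reads like raw commit subjects: "Hides .author from XHR response in showstream" and "'Sign in with Twitter' button img" each appear twice, and "move RW setup above user get in index.php so remember_me works" is listed together with its revert and the revert of that revert (one with a stray leading quote), so these should be collapsed to the net change. Spelling: "seperate", and "faceboookapp.js" should be checked against the actual filename.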