v2.7.0
New Features
- SFTPD: Added support for Post-Quantum Traditional Hybrid Key Exchange through the newly added algorithm mlkem768x25519-sha256.
- JWT: replaced lestrrat-go/jwx with a lightweight wrapper around go-jose. Implementing our own wrapper simplifies the codebase and improves maintainability. Moreover, go-jose depends only on the standard library, resulting in a leaner dependency that still meets all our requirements.
- WebUI: add French and German translations.
- Public shares: show disclaimer on login page.
- Enable setting password change requirements in user templates.
- DataProvider: preserve the initial sort order for related resources (such as folders and groups), improving compatibility and predictability when managing them with Terraform.
- Various internal refactoring, bug fixes, and minor improvements.
Bug Fixes
- OIDC: allow login if the password method is disabled.
- OIDC: ensure token username adheres to configured naming conventions.
Backward incompatible changes
- Removed Git support. Hosting Git repositories over SSH falls outside the intended scope of a file transfer solution, and the use of external commands introduces unnecessary security risks by increasing the attack surface. For example, a user could upload a Git repository containing custom hooks to their SFTPGo folder; when they push to the repository, a Git pre-receive hook shell script would be executed with the privileges of the sftpgo user. Thanks to @hyperreality for the detailed report.
- Removed rsync support. In previous versions, rsync was executed as an external command, which means we have no insight into or control over what it actually does. From a security perspective, this is far from ideal. To be clear, there's nothing inherently wrong with rsync itself. However, if we were to support it properly within SFTPGo, we would need to implement the low-level protocol internally rather than relying on launching an external process. This would ensure it works seamlessly with any storage backend, just as SFTP does, for example. We recommend using one of the many alternatives that rely on the SFTP protocol, such as rclone.
- Removed the startsubsys command: SFTPGo is not designed to be used as an OpenSSH subsystem, and many features do not work correctly in subsystem mode. The functionality was added after a user request in the pkg/sftp repository to demonstrate that it was feasible using pkg/sftp, not for actual practical use.
- Removed legacy data retention REST API; use the EventManager instead.
- EventManager: Placeholder names must now use the format {{.VirtualPath}} (previously {{VirtualPath}}). Existing placeholders are automatically converted during update.
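
For installations still running a release with Git support enabled, the hook scenario described in the Git removal item above can be audited by listing hook files in any Git directory under the users' storage. This is an added Go example, not SFTPGo code; the function names are hypothetical, and it does not follow a core.hooksPath override set in a repository's config.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// isGitDir reports whether dir has the layout of a bare repository or .git directory.
func isGitDir(dir string) bool {
	for name, wantDir := range map[string]bool{"HEAD": false, "objects": true, "refs": true} {
		st, err := os.Stat(filepath.Join(dir, name))
		if err != nil || st.IsDir() != wantDir {
			return false
		}
	}
	return true
}

// FindActiveHooks returns every non-".sample" file in the hooks/ directory of each
// Git directory under root. The exec bit is ignored: a later chmod can set it.
func FindActiveHooks(root string) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.IsDir() || !isGitDir(p) {
			return err // propagate walk errors; a nil return keeps walking
		}
		entries, _ := os.ReadDir(filepath.Join(p, "hooks")) // no hooks/ means no entries
		for _, e := range entries {
			if !e.IsDir() && !strings.HasSuffix(e.Name(), ".sample") {
				hits = append(hits, filepath.Join(p, "hooks", e.Name()))
			}
		}
		return fs.SkipDir // do not descend into objects/, refs/, ...
	})
	return hits, err
}

func main() {
	for _, root := range os.Args[1:] { // each argument is a directory tree to audit
		hits, err := FindActiveHooks(root)
		fmt.Printf("%s: %d hook file(s), walk error: %v\n%s\n", root, len(hits), err, strings.Join(hits, "\n"))
	}
}
```

Any path it prints is a script that Git would run on the server side once executable, so review it before leaving Git access enabled on that account.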
Windows binaries
Starting with this release, Windows binaries for SFTPGo will no longer be signed.
Over the past year, we’ve been using Azure Trusted Signing to obtain a personal code signing certificate. Unfortunately, due to changes in Azure’s policies, renewing that certificate is no longer possible.
For this release, I manually downloaded and signed the Windows installer generated via GitHub Actions using a new company certificate, which required offline signing. However, the binaries included in the installer are not individually signed.
Since manually downloading and signing each new installer is not a sustainable process, future Windows releases may be distributed without code signing.
We understand that signed binaries can make installation easier and build trust, and we’ll keep evaluating possible solutions for automated and transparent signing in the future.