We're pleased to be publishing the release candidate for v2.19.0 (the official release should follow within a week or so). This release contains IRCv3 specification-related updates, bug fixes, and minor enhancements.
This release includes changes to the config file format, one of which is not backwards-compatible (see below to determine whether you are affected). It includes no changes to the database file format.
Many thanks to @andymandias, @emersion, @englut, @Jokler, @jwheare, @KlaasT, @SAY-5, @skizzerz, @ValwareIRC, and @whitequark for helpful discussions, contributing patches, reporting issues, and helping test.
Compatibility breaks
- The
extjwtconfiguration block now takesalgorithm(hmac,rsa, oreddsa) and eitherkeyorkey-fileto configure the signing key (seedefault.yamlfor examples). If you are usingextjwt, the suggested upgrade path is to add the new keys before upgrading (duplicating the legacy keyssecretand/orrsa-private-key-file), upgrade Ergo, then once the new version is confirmed stable, delete the legacy keys. (#2385) - JWTs accepted via the
IRCV3BEARERSASL mechanism now require an expiration time. (#2385) - Incoming batch IDs for
draft/multilineare now validated for conformance with the specification's grammar, i.e. they MUST contain only ASCII alphanumerics and hyphens (#2391, thanks @ValwareIRC!)
Security
- Fixed channel metadata being readable by non-joined users (including for invite-only or otherwise private channels) (#2382)
- Fixed registered secret channels appearing in unprivileged
NS INFOoutput (#2405, thanks dzwdz!)
Config changes
- The
extjwtconfiguration block now takesalgorithm(hmac,rsa, oreddsa) and eitherkeyorkey-fileto configure the signing key (seedefault.yamlfor examples) (#2385) - Added an optional
validate-audtojwt-auth; if present, JWTs submitted via SASL IRCV3BEARER are required to contain one of the whitelistedaudclaims (#2385) - Added
authtokenblock to configure the newdraft/authtokenmechanism for external service integration (#2385) - Added
sockettoauth-scriptandip-check-script, allowing the script protocol to run over Unix domain socket instead of subprocess execution (#2280)
Added
- Added support for draft/authtoken, a proposed IRCv3 extension allowing secure integration with external services (#2385, thanks @skizzerz, @whitequark!)
- Added support for draft/whoami, a proposed IRCv3 extension allowing clients to track their message source ("NUH") (#2417)
- HTTP cookies are harvested from the initial websocket handshake; if a websocket client sends
SASL EXTERNAL, they can be passed to anauth-scriptfor validation (future versions of Ergo may implement some form of native HTTP cookie authentication) (#2185, thanks @emersion!) - Added new API endpoints:
/v1/whois(analogue of theWHOIScommand to get information about an active nickname),/v1/ns/saget(retrieves user account settings), and/v1/ns/saset(modifies user account settings) (#2387, #2421, thanks @KlaasT!)
Fixed
- Fixed a race condition where an always-on client's channel join might not be persisted (#2398)
- Fixed the
bottag being omitted from replayed DMs and echo messages (#2393, #2395, thanks @andymandias!) - Fixed client-only tags attached to
RELAYMSGnot being stored in history (#2407, thanks @Jokler!) - Fixed handling of labeled
QUITmessages (#2402, thanks @progval!) - Fixed handling of oversized
CAP REQmessages (#2411, #2414, thanks @SAY-5!) - Fixed a case where fakelag might be imposed unnecessarily after a large multiline message (#2409)
- Fixed handling of invalid API bearer token configurations (#2380)
Changed
- Updated to draft/metadata-3; the updates are largely but not completely compatible with
draft/metadata-2. To simplify the upgrade process,draft/metadata-2is still advertised, but with thedraft/metadata-3behavior. (#2416, thanks @skizzerz!) - Ergo now adds the
draft/chathistory-endtochathistorybatches to indicate the end of pagination (either the tag or an empty batch indicates the end of pagination; future versions of Ergo may return batches shorter than the pagination window that do not indicate the end of pagination) (#2379, thanks @emersion!) - Updated to the ratified cap
no-implicit-names(#2390, thanks @englut!)
Internal
- Release builds use Go 1.26.5
- Updated the recommended AppArmor profile in
distrib/(#2401, thanks @tacerus!) - Established a security policy, including provisions for private vulnerability reporting on GitHub