Frank DENIS random thoughts.

Pure-FTPd 1.0.22 has been released

Release 1.0.22 of pure-ftpd is now available.

There have been a bunch of changes, but this release also shows that the project is starting to move forward again.

So, what’s new, what’s cool, what sucks?

First, thanks to Taik0, a Catalan translation has been added. Don’t hesitate to provide new translations if you can, although the current scheme lacks the flexibility needed to provide accurate translations in some languages. A move to gettext() might happen in the future.

The bogus LDAP schema has of course been fixed. Thanks to the packagers who fixed it in their packages in the meantime. Using LDAP over TLS should also work now, thanks to Marc Balmer. A last one about LDAP: FTPStatus should also work properly with the new schema. Pure-FTPd should also compile with recent versions of OpenLDAP without any tweak.

Some overdue updates to the MySQL backend are in: multiple statements, stored procedures and the new hashing scheme are finally supported.

A bunch of compatibility and reliability fixes have been merged in. They should prevent unwanted disconnections during transfers, and improve compatibility with most clients.

Time zones, time zones, time zones… Yes, bogus time zones in log messages are an old issue, and while simple workarounds exist, having that fixed in the first place would have been way more convenient. It should be the case now. For good.

An important change: on-demand creation of home directories now applies permissions 0777, combined with the umask. It used to be 0755. It shouldn’t change anything in the default configuration. By the way, on-demand creation of directories with a chroot mark should now work properly.

TLS encryption on the data channel. Yes, this one finally went in, without the GSSAPI part, though. Transfers can now be completely encrypted, both for commands and for data. Of course it requires more CPU power on both sides, compared to plain unencrypted transfers.

For convenience, you can keep using --tls=1 (or -Y 1), so that clients can pick whatever they want to use. But --tls=2 is still available (enforce encryption on the control channel) and you can now also use --tls=3 to refuse any connection that is not encrypted on both the command and the data channels.

Credits for that feature mainly go to Rajat Upadhyaya from Novell and Christian Cier-Zniewski.

As suggested by Koczka Ferenc, external authentication handlers should know about the encryption status. This has been added, through a new environment variable called AUTHD_ENCRYPTED.
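A handler that uses the new variable, as an added example that is not part of Pure-FTPd or of the original post: it refuses logins for known accounts when the session is not encrypted. The reply lines follow pure-authd's handler protocol; the account table, salt and paths are constructed, and treating only the value "1" as encrypted is an assumption.

```python
#!/usr/bin/env python3
"""Added example: pure-authd handler that rejects logins on cleartext sessions."""
import hashlib
import hmac
import os
import sys

ITERATIONS = 100_000
# Constructed sample data (hypothetical); a real handler would query its own backend.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ACCOUNTS = {
    "alice": {
        "hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, ITERATIONS),
        "uid": 2001,
        "gid": 2001,
        "dir": "/srv/ftp/alice",
    },
}

DENY_FATAL = "auth_ok:-1\nend\n"   # user found, login refused, no further methods tried
NOT_FOUND = "auth_ok:0\nend\n"     # unknown user, the next auth method may be tried


def build_reply(env):
    """Return the reply that pure-authd reads from the handler's stdout."""
    account = ACCOUNTS.get(env.get("AUTHD_ACCOUNT", ""))
    if account is None:
        return NOT_FOUND
    # Assumption: AUTHD_ENCRYPTED is "1" only for a TLS session.
    # A missing variable or any other value is treated as cleartext.
    if env.get("AUTHD_ENCRYPTED") != "1":
        return DENY_FATAL
    supplied = hashlib.pbkdf2_hmac(
        "sha256", env.get("AUTHD_PASSWORD", "").encode(), SALT, ITERATIONS
    )
    # Constant-time comparison of the derived keys.
    if not hmac.compare_digest(supplied, account["hash"]):
        return DENY_FATAL
    return "auth_ok:1\nuid:{uid}\ngid:{gid}\ndir:{dir}\nend\n".format(**account)


if __name__ == "__main__":
    sys.stdout.write(build_reply(os.environ))
```

The handler only runs after the client has sent its password, so a refusal here does not keep that password off the wire; --tls=2 or --tls=3 does.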

Changes from Arkadiusz Miskiewicz/PLD Linux have been merged in (fix error reporting when TLS is compiled in but not used; log full path on deletion; sleep before, not after, password failure).

--with-privsep is now included in --with-everything. It’s also enabled by default in the dialog-based installer.

By popular request: symbolic links can now be shown as their real targets. I.e., you don’t see symbolic links any more; you see real files and directories instead. This is convenient for crappy FTP clients that don’t know about symbolic links. But it’s not suitable for other things like mirroring. So, it only happens if the compatibility mode (--brokenclientscompatibility or -b) is enabled.