0.20-rc1 (2019-09-24)

This is a release candidate. It's intended to be stable and usable, but can contain some bugs.

Upgrade instructions are available at https://docs.funkwhale.audio/index.html (use FUNKWHALE_VERSION=0.20.0-rc1 as the version number)

Support for genres via tags

One of our most requested missing features is now available!

Starting with Funkwhale 0.20, Funkwhale will automatically extract genre information from uploaded files and associate it with the corresponding tracks in the form of tags (similar to Mastodon or Twitter hashtags). Please refer to our tagging documentation <https://docs.funkwhale.audio/users/upload.html#tagging-files>_ for more information regarding the tagging process.

Tags can also be associated with artists and albums, and updated after upload through the UI using the edit system released in Funkwhale 0.19. Tags are also fetched when retrieving content via federation.

Tags are used in various places to enhance user experience:

  • Tags are listed on tracks, albums and artist profiles
  • Each tag has a dedicated page where you can browse corresponding content and quickly start a radio
  • The custom radio builder now supports using tags
  • Subsonic apps that support genres - such as DSub or Ultrasonic - should display this information as well

If you are a pod admin and want to extract tags from already uploaded content, you can run this snippet <https://dev.funkwhale.audio/funkwhale/funkwhale/snippets/43>_ and this snippet <https://dev.funkwhale.audio/funkwhale/funkwhale/snippets/44>_ in a python manage.py shell.

Content and account reports

It is now possible to report content, such as artists, tracks or libraries, as well as user accounts. Such reports are forwarded to the pod moderators, who can review them and delete reported content, block accounts or take any other action they deem necessary.

By default, both anonymous and authenticated users can submit these reports. This makes sure moderators can receive and handle takedown requests and other reports for illegal content that may be sent by third-parties without an account on the pod. However, you can disable anonymous reports completely via your pod settings.

Federation of the reports will be supported in a future release.

For more information about this feature, please check out our documentation:

  • User documentation <https://docs.funkwhale.audio/moderator/reports.html>_
  • Moderator documentation <https://docs.funkwhale.audio/users/reports.html>_

Account deletion

Users can now delete their account themselves, without involving an administrator.

The deletion process will remove any local data and objects associated with the account, but the username won't be available to new users, to avoid impersonation. Deletion is also broadcast to other known servers on the federation.

For more information about this feature, please check out our documentation:

  • User documentation <https://docs.funkwhale.audio/users/account.html>_

Landing and about page redesign [Manual action suggested]

In this release, we've completely redesigned the landing and about page, by making it more useful and adapted to your pod configuration. Among other things, the landing page will now include:

  • your pod and an excerpt from your pod's description
  • your pod banner image, if any
  • your contact email, if any
  • the login form
  • the signup form (if registrations are open on your pod)
  • some basic statistics about your pod
  • a widget including recently uploaded albums, if anonymous access is enabled

The landing page will still include some information about Funkwhale, but in a less intrusive and prominent way than before.

Additionally, the about page now includes:

  • your pod name, description, rules and terms
  • your pod banner image, if any
  • your contact email, if any
  • comprehensive statistics about your pod
  • some info about your pod configuration, such as registration and federation status or the default upload quota for new users

With this redesign, we've added a handful of additional pod settings:

  • Pod banner image
  • Contact email
  • Rules
  • Terms of service

We recommend taking a few moments to fill these in according to your needs, by visiting /manage/settings.

Allow-list to restrict federation to trusted domains

The Allow-Listing feature grants pod moderators and administrators greater control over federation by allowing you to create a pod-wide allow-list.

When allow-listing is enabled, your pod's users will only be able to interact with pods included in the allow-list. Any messages, activity, uploads, or modifications to libraries and playlists will only be shared with pods on the allow-list. Pods which are not included in the allow-list will not have access to your pod's content or messages and will not be able to send anything to your pod.

If you want to enable this feature on your pod, or learn more, please refer to our documentation <https://docs.funkwhale.audio/moderator/listing.html>_!

Periodic message to incite people to support their pod and Funkwhale

Users will now be reminded on a regular basis that they can help Funkwhale by donating or contributing.

If specified by the pod admin, a separate and custom message will also be displayed in a similar way to provide instructions and links to support the pod.

Both messages will appear for the first time 15 days after signup, in the notifications tab. For each message, users can schedule a reminder for a later time, or disable the messages entirely.

Replaced Daphne by Gunicorn/Uvicorn [manual action required, non-docker only]

To improve the performance, stability and reliability of Funkwhale's web processes, we now recommend using Gunicorn and Uvicorn instead of Daphne. This combination unlocks new use cases such as:

  • zero-downtime upgrades
  • configurable number of web worker processes

Based on our benchmarks, Gunicorn/Uvicorn is also faster and more stable under higher workloads compared to Daphne.

To benefit from this enhancement on existing instances, you need to add FUNKWHALE_WEB_WORKERS=1 in your .env file (use a higher number if you want to have more web worker processes).

Then, edit your /etc/systemd/system/funkwhale-server.service and replace the ExecStart= line with::

    ExecStart=/srv/funkwhale/virtualenv/bin/gunicorn config.asgi:application -w ${FUNKWHALE_WEB_WORKERS} -k uvicorn.workers.UvicornWorker -b ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT}

Then reload the configuration change with sudo systemctl daemon-reload and sudo systemctl restart funkwhale-server.

Content-Security-Policy and additional security headers [manual action suggested]

To improve security and reduce the attack surface in case of a successful exploit, we suggest you add the following Content-Security-Policy to your nginx configuration.

.. note::

    If you are using an S3-compatible store to serve music, you will need to specify the URL of your S3 store in the ``media-src`` and ``img-src`` directives:

    .. code-block::

        add_header Content-Security-Policy "...img-src 'self' https://<your-s3-URL> data:;...media-src https://<your-s3-URL> 'self' data:";

On non-docker setups, in /etc/nginx/sites-available/funkwhale.conf::

server {

    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
    add_header Referrer-Policy "strict-origin-when-cross-origin";

    location /front/ {
        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
        add_header Referrer-Policy "strict-origin-when-cross-origin";
        add_header X-Frame-Options "SAMEORIGIN";
        # … existing content here
    }

    # Also create a new location for the embeds to ensure external iframes work
    # Simply copy-paste the /front/ location, but replace the following lines:
    location /front/embed.html {
        # "ALLOW" is not a defined X-Frame-Options value; browsers ignore the
        # header, so external pages can frame the embed.
        add_header X-Frame-Options "ALLOW";
        alias ${FUNKWHALE_FRONTEND_PATH}/embed.html;
    }
}

Then reload nginx with systemctl reload nginx.

On docker setups, in /srv/funkwhalenginx/funkwhale.template::

server {

    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
    add_header Referrer-Policy "strict-origin-when-cross-origin";

    location /front/ {
        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
        add_header Referrer-Policy "strict-origin-when-cross-origin";
        add_header X-Frame-Options "SAMEORIGIN";
        # … existing content here
    }

    # Also create a new location for the embeds to ensure external iframes work
    # Simply copy-paste the /front/ location, but replace the following lines:
    location /front/embed.html {
        # "ALLOW" is not a defined X-Frame-Options value; browsers ignore the
        # header, so external pages can frame the embed.
        add_header X-Frame-Options "ALLOW";
        alias /frontent/embed.html;
    }
}

Then reload nginx with docker-compose restart nginx.
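
The S3 note and the header set above can be checked mechanically. The following is an added example, not part of the Funkwhale release notes or code base: it merges an S3 origin into the baseline policy and audits a response's headers. The origin ``https://s3.example.org`` and the sample header dictionaries are constructed.

```python
BASE_CSP = (
    "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
    "img-src 'self' data:; font-src 'self' data:; object-src 'none'; "
    "media-src 'self' data:"
)  # baseline policy copied from the release notes
REFERRER = "strict-origin-when-cross-origin"

def parse_csp(policy):
    """Split a policy into {directive: [sources]}, keeping the first of any duplicate."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def with_s3_origin(policy, s3_origin):
    """Return the policy with s3_origin appended to img-src and media-src only."""
    if not s3_origin.startswith("https://") or any(c in s3_origin for c in " ;,'\""):
        raise ValueError("expected a bare https:// origin")
    directives = parse_csp(policy)
    for name in ("img-src", "media-src"):
        sources = directives.setdefault(name, ["'self'"])
        if s3_origin not in sources:
            sources.append(s3_origin)
    return "; ".join(" ".join([n, *s]) for n, s in directives.items())

def audit_headers(headers, expected_csp):
    """List deviations between a response's headers and the expected policy."""
    seen = {k.lower(): v for k, v in headers.items()}
    got = parse_csp(seen.get("content-security-policy", ""))
    findings = []
    for name, sources in parse_csp(expected_csp).items():
        if name not in got:
            findings.append(f"CSP: missing {name}")
        elif set(got[name]) != set(sources):
            findings.append(f"CSP: {name} is {' '.join(got[name])!r}")
    if seen.get("referrer-policy") != REFERRER:
        findings.append("Referrer-Policy missing or different")
    return findings

if __name__ == "__main__":
    policy = with_s3_origin(BASE_CSP, "https://s3.example.org")  # constructed origin
    print(f'add_header Content-Security-Policy "{policy}";')
    # Constructed response from a location that only sets X-Frame-Options
    print(audit_headers({"X-Frame-Options": "SAMEORIGIN"}, policy))
```

A response that carries only ``X-Frame-Options`` reports every CSP directive as missing. nginx stops inheriting server-level ``add_header`` lines in any location that declares its own, which is why the policy is repeated inside ``location /front/``.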

Rate limiting

With this release, rate-limiting on the API is enabled by default, with high enough limits to ensure regular users of the app aren't affected. Requests beyond allowed limits are answered with a 429 HTTP error.

For anonymous requests, the limit is applied to the IP address of the client, and for authenticated requests, the limit is applied to the corresponding user account. By default, anonymous requests get a lower limit than authenticated requests.

You can disable the rate-limiting feature by adding THROTTLING_ENABLED=false to your .env file and restarting the services. If you are using the Funkwhale API in your project or app and want to know more about the limits, please consult https://docs.funkwhale.audio/swagger/.
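
The keying rule described above, as an added sketch that is not Funkwhale's own throttling code: a sliding-window limiter that buckets anonymous requests by client IP and authenticated requests by account, and answers 429 past the limit. The limits, the ``Throttle`` class and the retry delay it returns are constructed for illustration.

```python
import time
from collections import defaultdict, deque

# Constructed limits: (max requests, window in seconds). Not Funkwhale's values.
RATES = {"anonymous": (3, 60.0), "authenticated": (5, 60.0)}

class Throttle:
    def __init__(self, rates=RATES, clock=time.monotonic):
        self.rates = rates
        self.clock = clock              # injectable so the window can be tested
        self.hits = defaultdict(deque)  # bucket key -> timestamps of accepted requests

    def check(self, client_ip, user=None):
        """Return (http_status, seconds_until_a_slot_frees_up)."""
        scope = "authenticated" if user else "anonymous"
        # Anonymous clients are bucketed by IP, authenticated ones by account,
        # so users behind one shared address do not consume each other's quota.
        key = (scope, user if user else client_ip)
        limit, window = self.rates[scope]
        now = self.clock()
        hits = self.hits[key]
        while hits and hits[0] <= now - window:
            hits.popleft()              # drop requests that left the window
        if len(hits) >= limit:
            return 429, round(hits[0] + window - now, 3)
        hits.append(now)
        return 200, 0.0

if __name__ == "__main__":
    throttle = Throttle()
    ip = "203.0.113.7"  # documentation-range address, constructed
    print([throttle.check(ip)[0] for _ in range(4)])         # anonymous, shared bucket
    print([throttle.check(ip, "alice")[0] for _ in range(4)])  # per-account bucket
```

Behind a reverse proxy the limiter has to see the real client address. If it sees the proxy's address instead, every anonymous visitor lands in the same bucket.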

Upgrade instructions are available at https://docs.funkwhale.audio/index.html

Features:

  • Added periodical message to incite people to support their pod and Funkwhale (#839)
  • Admins can now add custom CSS from their pod settings (#879)
  • Allow-list to restrict federation to trusted domains (#853)
  • Content and account reports (#890)
  • Dark theme (#756)
  • Enforce a configurable rate limit on the API to mitigate abuse (#261)
  • Redesign of the landing and about pages (#872)
  • Support for genres, via tags (#432)
  • Users can now delete their account without admin intervention (#852)

Enhancements:

  • Added Catalan translation files
  • Added Czech translation (#844)
  • Added field to manage user upload quota in Django backend (#903)
  • Added the option to replace the queue's current contents with a selected album or track (#761)
  • Artists with no albums will now show track count on artist card (#895)
  • Ensure API urls answer with and without a trailing slash (#877)
  • Hardcoded list of supported browsers to avoid unexpected regressions (#854)
  • Hardened security thanks to CSP and additional HTTP headers (#880)
  • Improve display of search results by including artist and album data
  • Increase the security of JWT token generation by using DJANGO_SECRET_KEY as well as user-specific salt for the signature
  • Mods can now change a library visibility through the admin UI (#548)
  • New keyboard shortcuts added for enhanced control over audio player (#866)
  • Now refetch remote ActivityPub artists, albums and tracks to avoid local stale data
  • Numbers on the stats page will now be formatted in a human readable way and will update with the locale (#873)
  • Pickup folder.png and folder.jpg files for cover art when importing from CLI (#898)
  • Prevent usage of too weak passwords (#883)
  • Reduced CSS size by 30% using purgecss
  • Replaced Daphne by Gunicorn/Uvicorn to improve stability, flexibility and performance (#862)
  • Simplified embedded docker reverse proxy IP configuration (#834)
  • Support embeds on public playlists
  • Switched from Semantic-UI to Fomantic-UI
  • Add dropdown menu to track table (#531)

Bugfixes:

  • Added context strings to en_GB translations so that picking the language changes the interface as expected
  • Ensure selected locale is not reset to browser default when refreshing app
  • Fix missing license information on track details page (#913)
  • Fix regression to quota bar color (#897)
  • Fixed responsive display issues on 1024px wide screens (#904)
  • Fixed album art not being retrieved from Ogg/Opus files
  • Fixed broken embedded player layout after dependency update (#875)
  • Fixed broken external HTTPS request under some scenarios, because of missing PyOpenSSL
  • Fixed broken less listened radio (#912)
  • Fixed broken URL to artist and album on album and track pages (#871)
  • Fixed empty contentType causing client crash in some Subsonic payloads (#893)
  • Fixed remaining transcoding issue with Subsonic API (#867)
  • Fixed search usability issue when browsing artists, albums, radios and playlists (#902)
  • Improved performance of /artists, /albums and /tracks API endpoints by a factor of 2 (#865)
  • Make album cards height independent (#710)

Contributors for this release (dev, documentation, reviews and translations):

  • Amaranthe
  • Ciarán Ainsworth
  • Eliot Berriot
  • Esteban
  • Francesc Galí
  • Freyja Wildes
  • GinnyMcQueen
  • hellekin
  • IISergII
  • jiri-novacek
  • Johannes H.
  • Keunes
  • Koen
  • Manuel Cortez
  • Mehdi
  • Mélanie Chauvel
  • Quentí
  • Reg
  • Rodrigo Leite
  • Romain Failliot
  • SpcCw
  • Tobias Reisinger
  • Xaloc