Version bump and changelog for 0.20

CHANGELOG

@@ -10,6 +10,331 @@ This changelog is viewable on the web at https://docs.funkwhale.audio/changelog.
 
 .. towncrier
 
+0.20 (2019-10-04)
+-----------------
+
+Upgrade instructions are available at
+https://docs.funkwhale.audio/index.html
+
+
+Support for genres via tags
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+One of our most requested missing features is now available!
+
+Starting with Funkwhale 0.20,
+Funkwhale will automatically extract genre information from uploaded files and associate it
+with the corresponding tracks in the form of tags (similar to Mastodon or Twitter hashtags).
+Please refer to `our tagging documentation <https://docs.funkwhale.audio/users/upload.html#tagging-files>`_
+for more information regarding the tagging process.
+
+Tags can also be associated with artists and albums, and updated after upload through the UI using
+the edit system released in Funkwhale 0.19. Tags are also fetched when retrieving content
+via federation.
+
+Tags are used in various places to enhance user experience:
+
+- Tags are listed on tracks, albums and artist profiles
+- Each tag has a dedicated page were you can browse corresponding content and quickly start a radio
+- The custom radio builder now supports using tags
+- Subsonic apps that support genres - such as DSub or Ultrasonic - should display this information as well
+
+If you are a pod admin and want to extract tags from already uploaded content, you run `this snippet <https://dev.funkwhale.audio/funkwhale/funkwhale/snippets/43>`_
+and `this snippet <https://dev.funkwhale.audio/funkwhale/funkwhale/snippets/44>`_ in a ``python manage.py shell``.
+
+Content and account reports
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+It is now possible to report content, such as artists, tracks or libraries, as well as user accounts. Such reports are forwarded to the pod moderators,
+who can review it and delete reported content, block accounts or take any other action they deem necessary.
+
+By default, both anonymous and authenticated users can submit these reports. This makes sure moderators can receive and handle
+takedown requests and other reports for illegal content that may be sent by third-parties without an account on the pod. However,
+you can disable anonymous reports completely via your pod settings.
+
+Federation of the reports will be supported in a future release.
+
+For more information about this feature, please check out our documentation:
+
+-  `User documentation <https://docs.funkwhale.audio/moderator/reports.html>`_
+-  `Moderator documentation <https://docs.funkwhale.audio/users/reports.html>`_
+
+Account deletion
+^^^^^^^^^^^^^^^^
+
+Users can now delete their account themselves, without involving an administrator.
+
+The deletion process will remove any local data and objects associated with the account,
+but the username won't be able to new users to avoid impersonation. Deletion is also broadcasted
+to other known servers on the federation.
+
+For more information about this feature, please check out our documentation:
+
+-  `User documentation <https://docs.funkwhale.audio/users/account.html>`_
+
+Landing and about page redesign [Manual action suggested]
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+In this release, we've completely redesigned the landing and about page, by making it more useful and adapted to your pod
+configuration. Among other things, the landing page will now include:
+
+- your pod and an excerpt from your pod's description
+- your pod banner image, if any
+- your contact email, if any
+- the login form
+- the signup form (if registrations are open on your pod)
+- some basic statistics about your pod
+- a widget including recently uploaded albums, if anonymous access is enabled
+
+The landing page will still include some information about Funkwhale, but in a less intrusive and proeminent way than before.
+
+Additionally, the about page now includes:
+
+- your pod name, description, rules and terms
+- your pod banner image, if any
+- your contact email, if any
+- comprehensive statistics about your pod
+- some info about your pod configuration, such as registration and federation status or the default upload quota for new users
+
+With this redesign, we've added a handful of additional pod settings:
+
+- Pod banner image
+- Contact email
+- Rules
+- Terms of service
+
+We recommend taking a few moments to fill these accordingly to your needs, by visiting ``/manage/settings``.
+
+Allow-list to restrict federation to trusted domains
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The Allow-Listing feature grants pod moderators
+and administrators greater control over federation
+by allowing you to create a pod-wide allow-list.
+
+When allow-listing is enabled, your pod's users will only
+be able to interact with pods included in the allow-list.
+Any messages, activity, uploads, or modifications to
+libraries and playlists will only be shared with pods
+on the allow-list. Pods which are not included in the
+allow-list will not have access to your pod's content
+or messages and will not be able to send anything to
+your pod.
+
+If you want to enable this feature on your pod, or learn more, please refer to `our documentation <https://docs.funkwhale.audio/moderator/listing.html>`_!
+
+Periodic message to incite people to support their pod and Funkwhale
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Users will now be reminded on a regular basis that they can help Funkwhale by donating or contributing.
+
+If specified by the pod admin, a separate and custom message will also be displayed in a similar way to provide instructions and links to support the pod.
+
+Both messages will appear for the first time 15 days after signup, in the notifications tab. For each message, users can schedule a reminder for a later time, or disable the messages entirely.
+
+
+Replaced Daphne by Gunicorn/Uvicorn [manual action required, non-docker only]
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+To improve the performance, stability and reliability of Funkwhale's web processes,
+we now recommend using Gunicorn and Uvicorn instead of Daphne. This combination unlock new use cases such as:
+
+- zero-downtime upgrades
+- configurable number of web worker processes
+
+Based on our benchmarks, Gunicorn/Unicorn is also faster and more stable under higher workloads compared to Daphne.
+
+To benefit from this enhancement on existing instances, you need to add ``FUNKWHALE_WEB_WORKERS=1`` in your ``.env`` file
+(use a higher number if you want to have more web worker processes).
+
+Then, edit your ``/etc/systemd/system/funkwhale-server.service`` and replace the ``ExecStart=`` line with
+``ExecStart=/srv/funkwhale/virtualenv/bin/gunicorn config.asgi:application -w ${FUNKWHALE_WEB_WORKERS} -k uvicorn.workers.UvicornWorker -b ${FUNKWHALE_API_IP}:${FUNKWHALE_API_PORT}``
+
+Then reload the configuration change with ``sudo systemctl daemon-reload`` and ``sudo systemctl restart funkwhale-server``.
+
+
+Content-Security-Policy and additional security headers [manual action suggested]
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+To improve the security and reduce the attack surface in case of a successfull exploit, we suggest
+you add the following Content-Security-Policy to your nginx configuration.
+
+..note::
+
+    If you are using an S3-compatible store to serve music, you will need to specify the URL of your S3 store in the ``media-src`` and ``img-src`` headers
+
+    .. code-block::
+
+        add_header Content-Security-Policy "...img-src 'self' https://<your-s3-URL> data:;...media-src https://<your-s3-URL> 'self' data:";
+
+**On non-docker setups**, in ``/etc/nginx/sites-available/funkwhale.conf``::
+
+    server {
+
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+        add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+        location /front/ {
+            add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+            add_header Referrer-Policy "strict-origin-when-cross-origin";
+            add_header X-Frame-Options "SAMEORIGIN";
+            # … existing content here
+        }
+
+        # Also create a new location for the embeds to ensure external iframes work
+        # Simply copy-paste the /front/ location, but replace the following lines:
+        location /front/embed.html {
+            add_header X-Frame-Options "ALLOW";
+            alias ${FUNKWHALE_FRONTEND_PATH}/embed.html;
+        }
+    }
+
+Then reload nginx with ``systemctl reload nginx``.
+
+**On docker setups**, in ``/srv/funkwhalenginx/funkwhale.template``::
+
+    server {
+
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+        add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+        location /front/ {
+            add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+            add_header Referrer-Policy "strict-origin-when-cross-origin";
+            add_header X-Frame-Options "SAMEORIGIN";
+            # … existing content here
+        }
+
+        # Also create a new location for the embeds to ensure external iframes work
+        # Simply copy-paste the /front/ location, but replace the following lines:
+        location /front/embed.html {
+            add_header X-Frame-Options "ALLOW";
+            alias /frontent/embed.html;
+        }
+    }
+
+Then reload nginx with ``docker-compose restart nginx``.
+
+Rate limiting
+^^^^^^^^^^^^^
+
+With this release, rate-limiting on the API is enabled by default, with high enough limits to ensure
+regular users of the app aren't affected. Requests beyond allowed limits are answered with a 429 HTTP error.
+
+For anonymous requests, the limit is applied to the IP adress of the client, and for authenticated requests, the limit
+is applied to the corresponding user account. By default, anonymous requests get a lower limit than authenticated requests.
+
+You can disable the rate-limiting feature by adding `THROTTLING_ENABLED=false` to your ``.env`` file and restarting the
+services. If you are using the Funkwhale API in your project or app and want to know more about the limits, please consult https://docs.funkwhale.audio/swagger/.
+
+Broken audio streaming when using S3/Minio and DSub [manual action required]
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Some Subsonic clients, such as DSub, are sending an Authorization headers which was forwarded
+to the S3 storage when streaming, causing some issues. If you are using S3 or a compatible storage
+such as Minio, please add the following in your nginx ``~ /_protected/media/(.+)`` location::
+
+    # Needed to ensure DSub auth isn't forwarded to S3/Minio, see #932
+    proxy_set_header Authorization "";
+
+And reload your nginx process.
+
+Detail
+^^^^^^
+
+Features:
+
+- Added periodical message to incite people to support their pod and Funkwhale (#839)
+- Admins can now add custom CSS from their pod settings (#879)
+- Allow-list to restrict federation to trusted domains (#853)
+- Content and account reports (#890)
+- Dark theme (#756)
+- Enforce a configurable rate limit on the API to mitigate abuse (#261)
+- Redesign of the landing and about pages (#872)
+- Support for genres, via tags (#432)
+- Users can now delete their account without admin intervention (#852)
+
+
+Enhancements:
+
+- Added a info message on embed wizard when anonymous access to content is disabled (#878)
+- Added Catalan translation files
+- Added Czech translation (#844)
+- Added field to manage user upload quota in Django backend (#903)
+- Added the option to replace the queue's current contents with a selected album or track (#761)
+- Artists with no albums will now show track count on artist card (#895)
+- Ensure API urls answer with and without a trailing slash (#877)
+- Hardcoded list of supported browsers to avoid unexpected regressions (#854)
+- Hardened security thanks to CSP and additional HTTP headers (#880)
+- Improve display of search results by including artist and album data
+- Increase the security of JWT token generation by using DJANGO_SECRET_KEY as well as user-specific salt for the signature
+- Mods can now change a library visibility through the admin UI (#548)
+- New keyboard shortcuts added for enhanced control over audio player (#866)
+- Now refetch remote ActivityPub artists, albums and tracks to avoid local stale data
+- Numbers on the stats page will now be formatted in a human readable way and will update with the locale (#873)
+- Pickup folder.png and folder.jpg files for cover art when importing from CLI (#898)
+- Prevent usage of too weak passwords (#883)
+- Reduced CSS size by 30% using purgecss
+- Replaced Daphne by Gunicorn/Uvicorn to improve stability, flexibility and performance (#862)
+- Simplified embedded docker reverse proxy IP configuration (#834)
+- Support embeds on public playlists
+- Support for M4A/AAC files (#661)
+- Switched from Semantic-UI to Fomentic-UI
+- Add dropdown menu to track table (#531)
+- Display placeholder on homepage when there are no playlists (#892)
+- Make album cards height independent (#710)
+
+
+Bugfixes:
+
+- Added context strings to en_GB translations so that picking the language changes the interface as expected
+- Ensure selected locale is not reset to browser default when refreshing app
+- Fix missing license information on track details page (#913)
+- Fix regression to quota bar color (#897)
+- Fixed a responsive display issues on 1024px wide screens (#904)
+- Fixed album art not being retrieved from Ogg/Opus files
+- Fixed broken embedded player layout after dependency update (#875)
+- Fixed broken external HTTPS request under some scenarios, because of missing PyOpenSSL
+- Fixed broken less listened radio (#912)
+- Fixed broken URL to artist and album on album and track pages (#871)
+- Fixed empty contentType causing client crash in some Subsonic payloads (#893)
+- Fixed import crashing with empty cover file or too long values on some fields
+- Fixed in-place imported files not playing under nginx when filename contains ? or % (#924)
+- Fixed remaining transcoding issue with Subsonic API (#867)
+- Fixed search usability issue when browsing artists, albums, radios and playlists (#902)
+- Improved performance of /artists, /albums and /tracks API endpoints by a factor 2 (#865)
+- Updated docs to ensure streaming works when using Minio/S3 and DSub (#932)
+
+Contributors to this release (translation, development, documentation, reviews, design):
+
+- Amaranthe
+- ButterflyOfFire
+- Ciarán Ainsworth
+- Eliot Berriot
+- Esteban
+- Francesc Galí
+- Freyja Wildes
+- hellekin
+- IISergII
+- jiri-novacek
+- Johannes H.
+- Keunes
+- Koen
+- Manuel Cortez
+- Mehdi
+- Mélanie Chauvel
+- nouts
+- Quentí
+- Reg
+- Rodrigo Leite
+- Romain Failliot
+- SpcCw
+- Sylke Vicious
+- Tobias Reisinger
+- Xaloc
+- Xosé M
+
+
 0.19.1 (2019-06-28)
 -------------------
 

api/funkwhale_api/__init__.py

 # -*- coding: utf-8 -*-
-__version__ = "0.20.0-rc1"
+__version__ = "0.20.0"
 __version_info__ = tuple(
     [
         int(num) if num.isdigit() else num

changes/changelog.d/261.feature

-Enforce a configurable rate limit on the API to mitigate abuse (#261)

changes/changelog.d/432.feature

-Support for genres, via tags (#432)

changes/changelog.d/548.enhancement

-Mods can now change a library visibility through the admin UI (#548)

changes/changelog.d/661.enhancement

-Support for M4A/AAC files (#661)

changes/changelog.d/710.add-track-dropdown

-Add dropdown menu to track table (#531)

changes/changelog.d/710.make-album-cards-independent

-Make album cards height independent (#710)

changes/changelog.d/756.feature

-Dark theme (#756)

changes/changelog.d/761.enhancement

-Added the option to replace the queue's current contents with a selected album or track (#761)
\ No newline at end of file

changes/changelog.d/834.enhancement

-Simplified embedded docker reverse proxy IP configuration (#834)

changes/changelog.d/839.feature

-Added periodical message to incite people to support their pod and Funkwhale (#839)

changes/changelog.d/844.enhancement

-Added Czech translation (#844)

changes/changelog.d/845.enhancement

-Added Catalan translation files

changes/changelog.d/846.bugfix

-Added context strings to en_GB translations so that picking the language changes the interface as expected

changes/changelog.d/852.feature

-Users can now delete their account without admin intervention (#852)

changes/changelog.d/853.feature

-Allow-list to restrict federation to trusted domains (#853)

changes/changelog.d/854.enhancement

-Hardcoded list of supported browsers to avoid unexpected regressions (#854)

changes/changelog.d/862.enhancement

-Replaced Daphne by Gunicorn/Uvicorn to improve stability, flexibility and performance (#862)

changes/changelog.d/865.bugfix

-Improved performance of /artists, /albums and /tracks API endpoints by a factor 2 (#865)