The Samizdat 0.6.2 release is dedicated to the memory of Stanislav Markelov and Anastasia Baburova, activists murdered in Moscow on January 19, 2009.
What is Samizdat?
Samizdat is a generic RDF-based engine for building collaboration and open publishing web sites. Samizdat provides users with the means to cooperate and coordinate on all kinds of activities, including media activism, resource sharing, education and research, advocacy, and so on.
Samizdat intends to promote values of freedom, openness, equality, and
The Samizdat library includes four stand-alone modules that can be used outside the Samizdat engine: Cache (a thread-safe, time-limited object cache with a flexible replacement policy), Storage (RDF storage over a relational database), Sanitize (a whitelist XSS filter based on HTMLTidy and REXML), and Antispam (a simple wiki spam filter).
What’s new in Samizdat 0.6.2?
The most important part of this release is the long list of security improvements in various parts of the Samizdat engine. Password encryption is as strong as it gets, HTTPS now gets the emphasis it deserves, cross-site protection has been tightened, and in general the engine is even more careful about user-submitted data than before.
End users will be most interested in the integration with the Flowplayer video player and the thumbnailing capabilities of the new image plugin. Both features are enabled by the new plugin mechanism, which, in addition to different content types, allows adding fancy member profile parameters and alternative access control schemes.
Due to the number of security improvements in this release, it is highly recommended that all Samizdat installations update to this version. If you are not able to update your installation immediately, you should apply the patches (applicable to vanilla Samizdat 0.6.1) at the first opportunity:
Changes in more detail:
- cross-site scripting fixes: several cases of unsanitized strings are fixed in this release; these vulnerabilities allowed cross-site scripting attacks by publishing specially crafted input or user names (CVE-2009-0359)
- passwords: over the past several years, multiple attacks on the MD5 hash function were demonstrated, making this algorithm less than optimal for password encryption; while Samizdat 0.6.2 still supports old MD5 passwords, all new passwords will use salted SHA-512; users of Samizdat sites are advised to update their passwords to take advantage of the stronger password protection
- HTTPS logins: it is now possible to ensure that all authenticated access to a Samizdat site goes only over an encrypted HTTPS connection; the comments in the https section of config.yaml explain how to make this work
- plugins: the new plugin system allows augmenting and customizing various parts of the Samizdat engine, including content rendering, member profile parameters and access control
- image thumbnails: the new image plugin automatically generates and uses thumbnail versions of uploaded images with the help of the RMagick library
- Flowplayer: the flowplayer plugin integrates this free Flash video player into Samizdat pages, allowing FLV and MP4/H.264 files to be displayed inline in addition to the usual download link; as of this release, Flowplayer doesn't work with the free Flash plugins Gnash and SWFdec, and more collaboration with these projects is needed to implement a fully free Flash video stack
- GPL3: the Samizdat license has been upgraded to the latest version of the GPL; the license notice now reads: "You can distribute/modify this program under the terms of the GNU General Public License version 3 or later."
- Mahoro: instead of relying on the inconsistent and untrustworthy content type headers supplied by the web browser, Samizdat now uses the Mahoro bindings to the libmagic library to determine the real content type of uploaded files
- Sanitize: due to the incompatibility of the Tidy/DL bindings with recent releases, Sanitize now prefers to invoke the tidy binary through a pipe rather than linking to a shared library; more Tidy errors are now handled and reported back to the user; the single quote special character is now escaped for compatibility with browsers that don't support XHTML 1.0 character entities (e.g. Internet Explorer)
- member profile: the member settings page is split into account, profile and settings pages; the settings page controls UI preferences available to both members and guests; the profile page allows editing a member's public information, such as full name (which is now optional) or occupation (provided by the occupation profile plugin); account parameters such as the password are edited on the account page
- new translations: the Japanese translation has been reviewed and corrected by a native speaker and is now enabled by default, bringing the count of supported languages up to 10
- documentation: several key aspects of the Samizdat architecture are now covered by new Dia diagrams and the LVEE'2008 presentation slides
- other: exported RSS feeds now include item descriptions, tainted data handling is now more robust, and there are more bugfixes and UI improvements
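The password item above describes a store that must keep accepting old unsalted MD5 hashes while new passwords use salted SHA-512. The following Ruby example is added here and is not Samizdat's own code: it verifies a password against either format and, as an added technique the release notes do not describe, re-hashes a password with salted SHA-512 whenever a legacy MD5 hash still verifies, so the stronger scheme is adopted at login without waiting for the user to change the password. The "sha512$salt$digest" storage format and the module name are assumptions.

```ruby
require 'digest/md5'
require 'digest/sha2'
require 'securerandom'

# Hypothetical password store (not Samizdat's). Stored values are either a
# legacy unsalted MD5 hex digest (32 hex chars) or the assumed format
# "sha512$<32 hex chars of salt>$<128 hex chars of SHA-512(salt + password)>".
module PasswordStore
  LEGACY_MD5 = /\A[0-9a-f]{32}\z/
  SALTED_SHA512 = /\Asha512\$([0-9a-f]{32})\$([0-9a-f]{128})\z/

  # Hash a new password with a random 16-byte salt (explicit salt only for tests).
  def self.hash_password(password, salt = SecureRandom.hex(16))
    digest = Digest::SHA512.hexdigest(salt + password)
    "sha512$#{salt}$#{digest}"
  end

  # Constant-time string comparison so a mismatch does not leak its position
  # through timing differences.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Verify a password against a stored hash of either format.
  # Returns [ok, upgraded_hash]: upgraded_hash is a fresh salted SHA-512 value
  # when the stored hash was legacy MD5 and the password verified, so the
  # caller can overwrite the old hash during login; otherwise it is nil.
  def self.verify(password, stored)
    return [false, nil] unless stored.is_a?(String)
    if (m = SALTED_SHA512.match(stored))
      ok = secure_equal?(Digest::SHA512.hexdigest(m[1] + password), m[2])
      [ok, nil]
    elsif LEGACY_MD5.match?(stored)
      ok = secure_equal?(Digest::MD5.hexdigest(password), stored)
      [ok, ok ? hash_password(password) : nil]
    else
      [false, nil]  # unrecognized format: fail closed
    end
  end
end
```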
How do I upgrade from Samizdat 0.6.1?
First of all, make sure the tidy binary (and not just the libtidy shared library) is installed on your system. By default, sanitize.rb checks for /usr/local/bin/tidy. On Debian 5.0/lenny or later, run apt-get install tidy.
Debian 4.0/etch has an old Tidy version that doesn't support some of the features used in Samizdat 0.6.2, so you may need to install the backported Tidy package.
Since the moderator list is now stored in the database, you need to move your moderators from your yaml config to the database:

```sql
CREATE TABLE Role (member INTEGER REFERENCES Member, role TEXT);
CREATE INDEX Role_member_idx ON Role (member);
GRANT INSERT, UPDATE, SELECT ON Role TO samizdat;
INSERT INTO Role (member, role) SELECT id, 'moderator' FROM Member
WHERE login IN ('moderator1', 'moderator2', …);
```
In the last line, replace ('moderator1', 'moderator2', …) with your current moderator list, which can be produced by the following command:

```sh
grep moderators /etc/samizdat/sites/* | sed "s/, /', '/g"
```
You will also need to update your Apache or Lighttpd configuration to make the js/ directory visible via the web server (see doc/examples/). Finally, if your access control configuration differs from the Samizdat default (e.g. guests are allowed to post), see defaults.yaml for how the role plugin is configured.
Where to get it?
Project page: http://samizdat.nongnu.org/
Debian package: apt-get install samizdat