Update changelog for Zulip 1.4.1 and 1.4.2 releases.

The main purpose of the "var" convention is to make it easy to write stuff
inside of our git repo when running a dev instance, and then "var" gets
excluded from checkins. For production, that's not as much of a concern.
For upgrades we don't want to be changing the directory around and confusing
matters, especially with the extra moving part of nginx configs (which have
their own issues in terms of being overwritten by accident when admins go to
S3).

docs/changelog.md

@@ -4,6 +4,19 @@ All notable changes to the Zulip server are documented in this file.
 
 ### Unreleased
 
+### 1.4.2 - 2016-09-27
+- Upgraded Django to version 1.8.15 (with the Zulip patches applied),
+  fixing a CSRF vulnerability in Django (see
+  https://www.djangoproject.com/weblog/2016/sep/26/security-releases/),
+  and a number of other Django bugs from past Django stable releases
+  that largely affects parts of Django that are not used by Zulip.
+- Fixed buggy logrotate configuration.
+
+### 1.4.1 - 2016-09-03
+- Fixed settings bug upgrading from pre-1.4.0 releases to 1.4.0.
+- Fixed local file uploads integration being broken for new 1.4.0
+  installations.
+
 ### 1.4 - 2016-08-25
 
 - Migrated Zulip's python dependencies to be installed via a virtualenv,

puppet/zulip/files/logrotate/zulip

@@ -1,7 +1,7 @@
 /var/log/zulip/server.log /var/log/zulip/workers.log /var/log/zulip/manage.log {
 	missingok
 	rotate 10
-	size 1GB
+	size 1G
 	compress
 	delaycompress
 	notifempty

requirements/common.txt

@@ -1,6 +1,6 @@
 -r ipython.txt
 # Django itself; we use a slightly patched version
-git+https://github.com/zulip/truncated-django.git
+git+https://github.com/zulip/truncated-django-1.8.15.git@cbf4fa3aef1b17f37d75a70e57f9b69a0f99ed5c#egg=Django==1.8.15
 
 GitPython==0.3.2.1
 

scripts/lib/upgrade-zulip-stage-2

@@ -42,6 +42,14 @@ if not args.skip_puppet:
     subprocess.check_call(["apt-get", "update"])
     subprocess.check_call(["apt-get", "-y", "upgrade"])
 
+if not os.path.exists((os.path.join(deploy_path, "zproject/prod_settings"))):
+    subprocess.check_call(["ln", "-nsf", "/etc/zulip/settings.py",
+                           os.path.join(deploy_path, "zproject/prod_settings.py")])
+
+# delete local_settings.py symlink if it exists, as it is now prod_settings.py
+if os.path.exists((os.path.join(deploy_path, "zproject/local_settings.py"))):
+    subprocess.check_call(["rm", os.path.join(deploy_path, "zproject/local_settings.py")])
+
 subprocess.check_call([os.path.join(deploy_path, "scripts", "lib", "create-production-venv"),
                        os.path.join(deploy_path, "zulip-venv")])
 

tools/travis/success-http-headers.txt

@@ -24,7 +24,6 @@ Reusing existing connection to localhost:443.
   Content-Type: text/html; charset=utf-8
   Transfer-Encoding: chunked
   Connection: keep-alive
-  Cache-Control: max-age=0
   Strict-Transport-Security: max-age=15768000
 Length: unspecified [text/html]
 Saving to: ‘/tmp/index.html’

zproject/prod_settings_template.py

@@ -155,7 +155,7 @@ INLINE_IMAGE_PREVIEW = True
 # https://github.com/zulip/zulip/issues/291 for discussion of a better
 # solution that won't be automatically reverted by the Zulip upgrade
 # script), and then restart nginx.
-LOCAL_UPLOADS_DIR = "/home/zulip/var/uploads"
+LOCAL_UPLOADS_DIR = "/home/zulip/uploads"
 #S3_AUTH_UPLOADS_BUCKET = ""
 #S3_AVATAR_BUCKET = ""