crowdsec (1.0.9-2) unstable; urgency=medium

  * Backport hub patch from upstream to fix false positives due to
    substring matches (https://github.com/crowdsecurity/hub/pull/197):
     + 0009-Improve-http-bad-user-agent-use-regexp-197.patch

 -- Cyril Brulebois <cyril@debamax.com>  Mon, 03 May 2021 07:29:06 +0000

crowdsec (1.0.9-1) unstable; urgency=medium

  * New upstream stable release:
     + Improve documentation.
     + Fix disabled Central API use case: without Central API credentials
       in the relevant config file, crowdsec would still try and establish
       a connection.
  * Add patch to disable broken scenario (ban-report-ssh_bf_report, #181):
     + 0008-hub-disable-broken-scenario.patch
  * Add logrotate config for /var/log/crowdsec{,_api}.log (weekly, 4).

 -- Cyril Brulebois <cyril@debamax.com>  Mon, 15 Mar 2021 01:19:43 +0100

crowdsec (1.0.8-2) unstable; urgency=medium

  * Update postinst to also strip ltsich/ when installing symlinks
    initially (new vendor in recent hub files, in addition to the usual
    crowdsecurity/).

 -- Cyril Brulebois <cyril@debamax.com>  Tue, 02 Mar 2021 01:29:29 +0000

crowdsec (1.0.8-1) unstable; urgency=medium

  * New upstream stable release.
  * Refresh patches:
     + 0001-use-a-local-machineid-implementation.patch (unfuzzy)
     + 0002-add-compatibility-for-older-sqlite-driver.patch
  * Set cwversion variables through debian/rules (build metadata).
  * Add patch so that upstream's crowdsec.service is correct on Debian:
     + 0003-adjust-systemd-unit.patch
  * Really add lintian overrides for hardening-no-pie warnings.
  * Ship patterns below /etc/crowdsec/patterns: they're supposed to be
    stable over time, and it's advised not to modify them, but let's allow
    for some configurability.
  * Include a snapshot of hub files from the master branch, at commit
    d8a8509bdf: hub1. Further updates for a given crowdsec upstream
    version will be numbered hubN. After a while, they will be generated
    from a dedicated vX.Y.Z branch instead of from master.
  * Implement a generate_hub_tarball target in debian/rules to automate
    generating a tarball for hub files.
  * Add patch to disable geoip-enrich in the hub files as it requires
    downloading some files from the network that aren't under the usual
    MIT license:
     + 0004-disable-geoip-enrich.patch
  * Ship a selection of hub files in /usr/share/crowdsec/hub so that
    crowdsec can be set up without having to download data from the
    collaborative hub (https://hub.crowdsec.net/).
  * Ditto for some data files (in /usr/share/crowdsec/data).
  * Use DH_GOLANG_EXCLUDES to avoid including extra Go files from the
    hub into the build directory.
  * Implement an extract_hub_tarball target in debian/rules to automate
    extracting hub files from the tarball.
  * Implement an extract_data_tarball target in debian/rules to automate
    extracting data files from the tarball.
  * Ship crowdsec-cli (automated Golang naming) as cscli (upstream's
    preference).
  * Add patch to adjust the default config:
     + 0005-adjust-config.patch
  * Ship config/config.yaml accordingly, along with the config files it
    references.
  * Also adjust the hub_branch variable in config.yaml, pointing to the
    branch related to the current upstream release instead of master.
  * Create /var/lib/crowdsec/{data,hub} directories.
  * Implement configure in postinst to generate credentials files:
    Implement a simple agent setup with a Local API (LAPI), and with an
    automatic registration to the Central API (CAPI). The latter can be
    disabled by creating a /etc/crowdsec/online_api_credentials.yaml file
    containing a comment (e.g. “# no thanks”) before installing this
    package.
  * Implement purge in postrm. Drop all of /etc/crowdsec except
    online_api_credentials.yaml if this file doesn't seem to have been
    created during CAPI registration (likely because an admin created the
    file in advance to prevent it). Also remove everything below
    /var/lib/crowdsec/{data,hub}, along with log files.
  * Implement custom enable-online-hub and disable-online-hub actions in
    postinst. The latter is called once automatically to make sure the
    offline hub is ready to use. See README.Debian for details.
  * Also enable all items using the offline hub on fresh installation.
  * Add patch advertising `systemctl restart crowdsec` when updating the
    configuration: reload doesn't work at the moment (#656 upstream).
     + 0006-prefer-systemctl-restart.patch
  * Add patch automating switching from the offline hub to the online hub
    when `cscli hub update` is called:
     + 0007-automatically-enable-online-hub.patch
  * Add lintian override accordingly: uses-dpkg-database-directly.
  * Add ca-certificates to Depends for the CAPI registration.
  * Create /etc/machine-id if it doesn't exist already (e.g. in piuparts
    environments).

 -- Cyril Brulebois <cyril@debamax.com>  Tue, 02 Mar 2021 00:25:48 +0000

crowdsec (1.0.4-1) unstable; urgency=medium

  * New upstream release.
  * Bump copyright years.
  * Bump golang-github-facebook-ent-dev build-dep.
  * Swap Maintainer/Uploaders: the current plan is for me to keep in touch
    with upstream to coordinate packaging work in Debian. Help from fellow
    members of the Debian Go Packaging Team is very welcome, though!
  * Fix typos in the long description, and merge upstream's review.
  * Refresh patch:
     + 0001-use-a-local-machineid-implementation.patch
  * Drop patch (merged upstream):
     + 1001-fix-docker-container-creation-for-metabase-563.patch

 -- Cyril Brulebois <cyril@debamax.com>  Wed, 03 Feb 2021 08:54:24 +0000

crowdsec (1.0.2-1) unstable; urgency=medium

  * Initial release (Closes: #972573): start by shipping binaries,
    while better integration is being worked on with upstream:
    documentation and assisted configuration are coming up.
  * Version some build-deps as earlier versions are known not to work.
  * Use a local machineid implementation instead of depending on an
    extra package:
     + 0001-use-a-local-machineid-implementation.patch
  * Use a syntax that's compatible with version 1.6.0 of the sqlite3
    driver:
     + 0002-add-compatibility-for-older-sqlite-driver.patch
  * Backport upstream fix for golang-github-docker-docker-dev version
    currently in unstable:
     + 1001-fix-docker-container-creation-for-metabase-563.patch
  * Install all files in the build directory so that the testsuite finds
    required test data that's scattered all over the place.
  * Add systemd to Build-Depends for the testsuite, so that it finds
    the journalctl binary.
  * Add lintian overrides for the hardening-no-pie warnings: PIE is not
    relevant for Go packages.

 -- Cyril Brulebois <cyril@debamax.com>  Thu, 14 Jan 2021 02:46:18 +0000
