Beta Information

2018-06-24 (5.09-12)

ZendTo can now do secure encryption and decryption of drop-offs. All the user sees is a tick-box in the "new drop-off" form which, if ticked, will ask for a passphrase. When the recipients come to download the drop-off, they will be prompted for the passphrase as necessary. I have implemented this as carefully and securely as I can. If the sender and recipients lose the passphrase, there is no way to recover the contents of the files. The passphrase is never stored in any way on the ZendTo server or in its database. There are new preferences.php settings to control how and if encryption is applied to new drop-offs.

Note: upgrading to this version requires the latest PHP you can get hold of. Don't worry: just download and run the beta version of the installer (see below). This will upgrade your system, and will overwrite configuration settings only where that cannot be avoided.

For those in the EU, and those with users in the EU, I have added an optional "GDPR and cookies consent" pop-up. If you enable it, the users can ignore it, but they can't dismiss it and then ignore it (it chucks them off to another web page).

I have added a "Download All Files" button to the pages that let you download drop-offs. Please do let me know when you hit situations in which it doesn't work!

There are some security fixes to the actual ZendTo application.

The main focus of this beta is the new installer support for SuSE Linux Enterprise Server 12 (tested on SLES 12sp3) and openSUSE Leap 15.

I have also changed the packaging so the compiled language files (*.mo) are no longer included, as these are now built by the rpm and deb post-installation script, which calls makelanguages.

The installer no longer rebuilds PHP. On all supported systems it installs at least PHP 7.1 which does not need patching. To migrate an existing installation over to the new PHP, simply download the installer and run stage 2, the "install PHP" part, then stage 5 "configure apache and php" to ensure your php.ini is configured correctly.

The latest betas I believe to be stable are:

However, I strongly advise you to use the beta installer on a fresh system.

The file at http://zend.to/files/ZendTo-Version-Beta will tell you the latest beta version number.


About the Installer

Instead of the old VM images, I have written an installer which will automate (almost!) the entire process of installing ZendTo on to a blank server installation.

It talks to you along the way, asks if you want to do each of the 8 steps, and asks you to confirm the odd question or two. It pauses quite a bit so you can see what it's doing, giving you the chance to stop it temporarily (Ctrl-S) to read what it's done before you continue (Ctrl-Q).

It is also modular, so you can run each of the 8 parts alone; you may want to do this when, for example, there is an update to PHP5 and you want to just rebuild PHP with "big uploads" support.

The parts are:

  1. Install web server and development tools.
  2. Rebuild PHP from source, including support for uploads >4GB.
  3. Install and configure virus scanner, including SELinux support for it.
  4. Configure firewall holes for ssh, http and https.
  5. Configure web server and PHP.
  6. Install ZendTo itself and configure email sending & usage stats graphing.
  7. Configure SELinux on CentOS and RedHat 5, 6 & 7.

I have tested the installer on:

  • CentOS 6, 7
  • RedHat Enterprise Linux 6, 7
  • Ubuntu Server 14, 16, 18
  • Debian 8, 9
  • SUSE Enterprise Linux Server 16
  • openSUSE Leap 15

There are 2 things the installer does not currently do:

  • Generate a production-ready SSL certificate for the website. It does create the SSL website, but only with a self-signed certificate. You might want to look at letsencrypt.org as a very good (fully automatic) way of getting free SSL certificates.
  • Configure MySQL, as new installations will not need it anyway.

Other New Features

The other main new features of interest are:

  • Fixed all known vulnerabilities.
  • Written automatic upgrader for preferences.php file, described below at the end of the 'How To Get It' section.
  • Added new setting 'warnDaysBeforeDeletion'. If set, when no one has picked up a drop-off, the recipients will be reminded daily for the last few days before the drop-off expires.
  • Added support for Google's new (beta) Invisible reCaptcha. Switching to this reCaptcha means that most of the time, your users will never see a CAPTCHA at all. Instructions on where to sign up are in preferences.php.
  • Added a new "How Secure is ZendTo" page, which you will want to customise for your site. This is linked from the main menu; the template is in templates/security.tpl.
  • 'SQLite3' is now the default database type. It requires no configuration and works on everything except CentOS/RedHat 5.
  • Moved all writable directories such as cache & templates_c to /var/zendto, so /opt/zendto is now entirely read-only to the web server.
  • Drastically reduced the changes made by installation of the Ubuntu/Debian .deb package. Almost all of it has been moved to the new installer.
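
A way to confirm on an installed host that /opt/zendto really is read-only to the web server, as an added example (not part of ZendTo or its installer). It assumes the web server account is one of apache, www-data or wwwrun, and it looks at permission bits only, not ACLs or SELinux policy.

```shell
#!/bin/sh
# Added example: list paths under a tree that a given account can modify.
# Only owner/group/other permission bits are examined (no ACLs, no SELinux).

# writable_by USER DIR
# Prints every path under DIR that USER may write to, once each.
writable_by() {
    wb_user=$1
    wb_dir=$2
    # Owned by the account and owner-writable, or world-writable.
    # Symlinks are skipped: their own mode bits carry no meaning.
    find "$wb_dir" ! -type l \
        \( \( -user "$wb_user" -perm -200 \) -o -perm -002 \) -print
    # Group-writable through any group the account belongs to,
    # leaving out paths the first pass already reported.
    for wb_gid in $(id -G "$wb_user"); do
        find "$wb_dir" ! -type l -group "$wb_gid" -perm -020 \
            ! -perm -002 ! \( -user "$wb_user" -perm -200 \) -print
    done
}

# check_zendto: run the check for whichever web server account exists.
# The account names are assumptions: apache (CentOS/RedHat),
# www-data (Ubuntu/Debian), wwwrun (SUSE).
check_zendto() {
    for cz_user in apache www-data wwwrun; do
        id "$cz_user" >/dev/null 2>&1 || continue
        cz_hits=$(writable_by "$cz_user" /opt/zendto)
        if [ -n "$cz_hits" ]; then
            echo "Writable by $cz_user under /opt/zendto:"
            echo "$cz_hits"
        else
            echo "OK: nothing under /opt/zendto is writable by $cz_user"
        fi
    done
}

# Only run the report where ZendTo is actually installed.
if [ -d /opt/zendto ]; then
    check_zendto
fi
```

Any path it reports is somewhere the web server could alter application code or templates; the directories that are meant to be writable live under /var/zendto.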

How To Get It

You can download the new installer now. Then just unpack it and run it as root with

tar xzf install-beta.ZendTo.tgz
cd install.ZendTo
./install.sh

If you look inside its Ubuntu-Debian or CentOS-RedHat directories, you will see the 8 stages. The main install.sh will ask you whether you want to run each stage and will walk you through what it is doing. Feel free to pause (Ctrl-S) or stop it (Ctrl-C) at any time; if you stop it you can just re-run it. Each of the 8 stages can be run independently at any time by just running that particular stage number's script.

There is 1 command-line option that can be used on either install.sh or any of its stages: "--defaults" tells the installer to just use the default values it suggests, and not to pause long at any point. It will run entirely unattended.

After you have installed the package (or just updated to the new rpm/deb/tgz package), you will find the new upgrader for preferences.php in /opt/zendto/bin/upgrade_preferences_php. Run it on its own (after installing/upgrading to the new version) and it will show you how to use it. It will automatically copy all your old preferences.php settings into a new file, while keeping your comments, extra "define"s you may have added, and such like.

Tell Me What You Think

Please do tell me what you think of this upgrade, and in particular the new installer. Please report all bugs, issues, suggestions and so on.

The mailing list would be the best place, so we can all discuss them, but otherwise you can of course email me too.