Update release notes

Signed-off-by: James McCoy <jamessan@debian.org>

3 files changed, 164 insertions, 24 deletions

diff --git a/debian/svn_1.10_releasenotes.html b/debian/svn_1.10_releasenotes.html
index c1e711b..aaaeba4 100644
--- a/debian/svn_1.10_releasenotes.html
+++ b/debian/svn_1.10_releasenotes.html
@@ -42,7 +42,12 @@
     </ul>
   </li>
   <li>Getting Subversion
-    <ul>
+      <ul>
+      <!-- The ?update= parameter is used to only offer mirrors that have
+           synced after the specified date. We update it after a security
+           release when the email announcement is less than 24 hours after
+           the upload to /dist/release, in order to prevent offering mirrors
+           that don't carry the just-released artifacts. -->
       <li><a href="/download.cgi?update=201708081800">Source Download</a></li>
       <li><a href="/packages.html">Binary Packages</a></li>
       <li><a href="/docs/release-notes/">Release Notes</a></li>
@@ -52,7 +57,7 @@
     <ul>
       <li><a href="/mailing-lists.html">Mailing Lists</a></li>
       <li><a href="/reporting-issues.html">Reporting Issues</a></li>
-      <li><a href="https://wiki.apache.org/subversion/">Wiki</a></li>
+      <li><a href="https://cwiki.apache.org/confluence/display/SVN/">Wiki</a></li>
       <li><a href="/contributing.html">Getting Involved</a></li>
     </ul>
   </li>
@@ -91,7 +96,7 @@
 </div> <!-- #site-svnbook-block -->
 
 <div id="copyright">
-<p>Copyright &#169; 2017 <a href="https://www.apache.org/">The Apache
+<p>Copyright &#169; 2018 <a href="https://www.apache.org/">The Apache
    Software Foundation</a>, Licensed under
    the <a href="https://www.apache.org/licenses/LICENSE-2.0" >Apache
    License, Version 2.0</a>.  Apache, Apache Subversion, and
@@ -137,8 +142,10 @@
       >Many enhancements and bug fixes</a></li>
   <li><a href="#issues"
       >Known issues in the release</a></li>
+  <!--
   <li><a href="#troubleshooting"
       >Troubleshooting issues specific to this release</a></li>
+  -->
 </ul>
 
 <p>Apache Subversion 1.10 is a superset of all previous Subversion
@@ -207,7 +214,7 @@ and what impact these changes may have.</p>
     <td>any</td>
     <td>1.10</td>
     <td>any</td>
-    <td>Existing authz configurations may need to be adjusted.</td></tr>
+    <td><a href="#authz-compatibility">Existing authz configurations</a> may need to be adjusted.</td></tr>
   <tr>
     <td>
       <a href="#conflict-resolver">New interactive conflict resolver</a>
@@ -319,6 +326,66 @@ should refer to the
 
 </div>  <!-- this-release-is-1.10 -->
 
+<div class="h4" id="authz-compatibility">
+<h4>New path-based authorization compatibility
+  <a class="sectionlink" href="#authz-compatibility"
+    title="Link to this section">&para;</a>
+</h4>
+
+<p>The <a href="#authzperf">improved path-based authorization</a>
+  changes the behaviour of some existing authz files.</p>
+
+<p>The 1.9 and earlier implementations allowed multiple rules for the
+same path:</p>
+
+<pre>
+  [/some/path]
+  userA = r
+  [/some/path]
+  userB = rw
+</pre>
+
+<p>In 1.9 this would define access for both <tt>userA</tt>
+and <tt>userB</tt>, in 1.10 this raises an error and no access is
+possible.</p>
+
+<p>The 1.9 and earlier implementations allowed multiple entries
+matching the same name, alias or group and the last match applied:</p>
+
+<pre>
+  [/some/path]
+  user = rw
+  user = r
+  &alias = rw
+  &alias = r
+  @group = rw
+  @group = r
+</pre>
+
+<p>In 1.9 the final, read-only, match
+for <tt>user</tt>, <tt>&alias</tt> and <tt>@group</tt> would be
+selected while 1.10 combines all the lines to give read-write access.
+The 1.10 implementation may change in future 1.10.x releases, perhaps
+to make this case an error.</p>
+
+<p>The 1.9 implementation combined the global and per-repository rules
+for the same path:</p>
+
+<pre>
+  [/some/path]
+  userA = rw
+  [repository:/some/path]
+  userB = r
+</pre>
+
+<p>In 1.9 this would define access for both <tt>userA</tt>
+and <tt>userB</tt>, in 1.10 the per-repository rule overrides the
+global rule and this only defines access for <tt>userB</tt>.  The 1.10
+implementation may change in future 1.10.x releases, but the exact
+change is still being discussed on the dev mailing list.</p>
+  
+</div>  <!-- authz-compatibility -->
+
 <div class="h4" id="svnadmin-LOCK_PATH-canonical">
 <h4><tt>svnadmin</tt> subcommands print locked paths differently
   <a class="sectionlink" href="#svnadmin-LOCK_PATH-canonical"
@@ -386,6 +453,43 @@ In particular, the behaviour of builds <em>with</em> SASL support is unchanged.<
 
 </div>  <!-- svnserve-use-sasl -->
 
+<div class="h4" id="new-ca-keys">
+<h4>New CA keys may be required
+  <a class="sectionlink" href="#new-ca-keys"
+    title="Link to this section">&para;</a>
+</h4>
+
+<p>
+Some binary distributions of this new Subversion version
+may link to a newer OpenSSL version than previous distributions.
+This may lead to different behavior.
+</p>
+
+<p>
+Especially, some distributions may link this Subversion release to OpenSSL 1.1 instead of OpenSSL 1.0.
+OpenSSL 1.1 does not allow md5 hashes for CA keys anymore.
+When using client certificates signed by such a CA,
+the new Subversion client may fail with <tt>An error occurred during SSL communication</tt>.
+You can analyze the underlying cause by first converting the client certificate from p12 to pem by
+<pre>
+openssl pkcs12 -in path/to/svn/cert.p12 -out cert.pem
+</pre>
+and then testing the SSL connection by
+<pre>
+openssl s_client -connect example.com:443 -servername example.com -cert cert.pem
+</pre>
+If this test connection fails with <tt>ca md too weak</tt>
+then creating new CA keys using sha256 instead of md5
+and corresponding new client certificates should solve the problem.
+</p>
+
+<p>
+See also <a href="/faq.html#ssl-communication-error">When performing Subversion operations
+over SSL, I get the error <tt>An error occurred during SSL communication</tt></a>
+</p>
+
+</div>  <!-- new-ca-keys -->
+
 </div>  <!-- compat-misc -->
 
 </div>  <!-- compatibility -->
@@ -402,7 +506,8 @@ In particular, the behaviour of builds <em>with</em> SASL support is unchanged.<
      title="Link to this section">&para;</a>
 </h3>
 <p> Subversion 1.10 provides a new implementation of path-based authorization
-    with improved performance and wildcard support.</p>
+    with improved performance and wildcard support. There are some
+    <a href="#authz-compatibility">compatibility</a> issues.</p>
 
 <p>Existing authz rules come in two flavours, repository-specific and global:
    <pre>
@@ -1031,10 +1136,34 @@ capability.</p>
 </h2>
 
 <p>There are some known issues in the Subversion 1.10 releases.  These
-may be fixed in later 1.10.x releases.</p>
+may be fixed in later 1.10.x releases.  Selected issues are listed here;
+see the <a href="https://issues.apache.org/jira/projects/SVN">issue
+tracker</a> for details and for other issues.</p>
+
+<div class="h3" id="issue-svn-4741">
+<h3>
+  <a href="https://issues.apache.org/jira/browse/SVN-4741">SVN-4741</a>:
+  authz group cannot refer to multiple groups
+  <a class="sectionlink" href="#issue-svn-4741"
+    title="Link to this section">&para;</a>
+</h3>
+<p>Broken in 1.10.0. Fixed in 1.10.1.</p>
+</div>
+
+<div class="h3" id="issue-svn-4762">
+<h3>
+  <a href="https://issues.apache.org/jira/browse/SVN-4762">SVN-4762</a>:
+  authz doesn't combine global and repository rules
+  <a class="sectionlink" href="#issue-svn-4762"
+    title="Link to this section">&para;</a>
+</h3>
+<p>Broken in 1.10.0 and 1.10.1.  See also
+  <a href="#authz-compatibility">path-based authorization compatibility</a>.</p>
+</div>
 
 </div>  <!-- issues -->
 
+<!-- (This section only makes sense when there are some issues listed in it.)
 <div class="h2" id="troubleshooting">
 <h2>Troubleshooting issues specific to this release
   <a class="sectionlink" href="#troubleshooting"
@@ -1050,7 +1179,8 @@ if they occur.</p>
 
 <p>There are no known issues specific to this release at the moment.</p>
 
-</div>  <!-- troubleshooting -->
+</div>  < !-- troubleshooting -- >
+-->
 
 <div class="h2" id="svn-1.9-old-stable">
 <h2>Subversion 1.9.x is now the old stable version
diff --git a/debian/svn_1.8_releasenotes.html b/debian/svn_1.8_releasenotes.html
index ead65ad..22d288d 100644
--- a/debian/svn_1.8_releasenotes.html
+++ b/debian/svn_1.8_releasenotes.html
@@ -42,7 +42,12 @@
     </ul>
   </li>
   <li>Getting Subversion
-    <ul>
+      <ul>
+      <!-- The ?update= parameter is used to only offer mirrors that have
+           synced after the specified date. We update it after a security
+           release when the email announcement is less than 24 hours after
+           the upload to /dist/release, in order to prevent offering mirrors
+           that don't carry the just-released artifacts. -->
       <li><a href="/download.cgi?update=201708081800">Source Download</a></li>
       <li><a href="/packages.html">Binary Packages</a></li>
       <li><a href="/docs/release-notes/">Release Notes</a></li>
@@ -52,7 +57,7 @@
     <ul>
       <li><a href="/mailing-lists.html">Mailing Lists</a></li>
       <li><a href="/reporting-issues.html">Reporting Issues</a></li>
-      <li><a href="https://wiki.apache.org/subversion/">Wiki</a></li>
+      <li><a href="https://cwiki.apache.org/confluence/display/SVN/">Wiki</a></li>
       <li><a href="/contributing.html">Getting Involved</a></li>
     </ul>
   </li>
@@ -91,7 +96,7 @@
 </div> <!-- #site-svnbook-block -->
 
 <div id="copyright">
-<p>Copyright &#169; 2017 <a href="https://www.apache.org/">The Apache
+<p>Copyright &#169; 2018 <a href="https://www.apache.org/">The Apache
    Software Foundation</a>, Licensed under
    the <a href="https://www.apache.org/licenses/LICENSE-2.0" >Apache
    License, Version 2.0</a>.  Apache, Apache Subversion, and
@@ -1087,34 +1092,34 @@ copy. This cache allows the working copy to access properties inherited
 from the repository without contacting the repository.</p>
 
 <p>For the full details about inheritable properties see the
-<a href="https://wiki.apache.org/subversion/InheritedProperties"
+<a href="https://cwiki.apache.org/confluence/display/SVN/InheritedProperties"
 >design wiki</a>. Some of this wiki is intended for Subversion developers
 and will be of little interest to most users.  If you fall into the latter
 group you can focus on these particular sections:</p>
 
 <ul>
   <li>
-    <a href="https://wiki.apache.org/subversion/InheritedProperties#Differentiating_.27Inheritable.27_Vs._.27Normal.27_Properties">
+    <a href="https://cwiki.apache.org/confluence/display/SVN/InheritedProperties#InheritedProperties-Differentiating'Inheritable'Vs.'Normal'Properties">
     Differentiating 'Inheritable' Vs. 'Normal' Properties</a>
   </li>
   <li>
-    <a href="https://wiki.apache.org/subversion/InheritedProperties#General_Inheritance_Rules">
+    <a href="https://cwiki.apache.org/confluence/display/SVN/InheritedProperties#InheritedProperties-GeneralInheritanceRules">
     General Inheritance Rules</a>
   </li>
   <li>
-    <a href="https://wiki.apache.org/subversion/InheritedProperties#Repository_Inheritance_Rules">
+    <a href="https://cwiki.apache.org/confluence/display/SVN/InheritedProperties#InheritedProperties-RepositoryInheritanceRules">
     Repository Inheritance Rules</a>
   </li>
   <li>
-    <a href="https://wiki.apache.org/subversion/InheritedProperties#Working_Copy_Inheritance_Rules">
+    <a href="https://cwiki.apache.org/confluence/display/SVN/InheritedProperties#InheritedProperties-WorkingCopyInheritanceRules">
     Working Copy Inheritance Rules</a>
   </li>
   <li>
-    <a href="https://wiki.apache.org/subversion/InheritedProperties#Authentication">
+    <a href="https://cwiki.apache.org/confluence/display/SVN/InheritedProperties#InheritedProperties-Authentication">
     Authentication</a>
   </li>
   <li>
-    <a href="https://wiki.apache.org/subversion/InheritedProperties#Subcommand_Changes">
+    <a href="https://cwiki.apache.org/confluence/display/SVN/InheritedProperties#InheritedProperties-SubcommandChanges">
     Subcommand Changes</a>
   </li>
 </ul>
@@ -1138,10 +1143,10 @@ The <tt>svn:global-ignores</tt> property extends the
 <tt>global-ignores</tt> configuration setting as well as the
 <tt>svn:ignore</tt> property.</p>
 
-<p>The <a href="https://wiki.apache.org/subversion/Inheritable-Ignores-AutoProps#Auto-Props_Format"
+<p>The <a href="https://cwiki.apache.org/confluence/display/SVN/Inheritable-Ignores-AutoProps#Inheritable-Ignores-AutoProps-Auto-PropsFormat"
 >format</a> of <tt>svn:auto-props</tt> property values
 is the same as for the <tt>auto-props</tt> runtime configuration.
-The <a href="https://wiki.apache.org/subversion/Inheritable-Ignores-AutoProps#Ignores_Format"
+The <a href="https://cwiki.apache.org/confluence/display/SVN/Inheritable-Ignores-AutoProps#Inheritable-Ignores-AutoProps-IgnoresFormat"
 >format</a> of <tt>svn:global-ignores</tt> property values is the
 same as for the <tt>svn:ignore</tt> property.</p>
 
@@ -1173,10 +1178,10 @@ property that applies to the path.</p>
 override any identical patterns in the <tt>auto-props</tt> runtime
 config. When multiple <tt>svn:auto-props</tt> properties
 apply to a file, the pattern from the nearest inheritable property takes
-precedence. See <a href="https://wiki.apache.org/subversion/Inheritable-Ignores-AutoProps#Auto-Props_Hierarchy_and_Precedence"
+precedence. See <a href="https://cwiki.apache.org/confluence/display/SVN/Inheritable-Ignores-AutoProps#Inheritable-Ignores-AutoProps-Auto-PropsHierarchyandPrecedence"
 >this section of design wiki</a> for a full explanation.</p>
 
-<p>The <a href="https://wiki.apache.org/subversion/Inheritable-Ignores-AutoProps#Auto-Props_Hierarchy_and_Precedence"
+<p>The <a href="https://cwiki.apache.org/confluence/display/SVN/Inheritable-Ignores-AutoProps#Inheritable-Ignores-AutoProps-Auto-PropsHierarchyandPrecedence"
 >design wiki</a> for the repository dictated configuration feature was
 originally written for developers, but will prove useful to any repository
 administrator who wants to use the feature.</p>
diff --git a/debian/svn_1.9_releasenotes.html b/debian/svn_1.9_releasenotes.html
index 9cf3a02..4317f81 100644
--- a/debian/svn_1.9_releasenotes.html
+++ b/debian/svn_1.9_releasenotes.html
@@ -42,7 +42,12 @@
     </ul>
   </li>
   <li>Getting Subversion
-    <ul>
+      <ul>
+      <!-- The ?update= parameter is used to only offer mirrors that have
+           synced after the specified date. We update it after a security
+           release when the email announcement is less than 24 hours after
+           the upload to /dist/release, in order to prevent offering mirrors
+           that don't carry the just-released artifacts. -->
       <li><a href="/download.cgi?update=201708081800">Source Download</a></li>
       <li><a href="/packages.html">Binary Packages</a></li>
       <li><a href="/docs/release-notes/">Release Notes</a></li>
@@ -52,7 +57,7 @@
     <ul>
       <li><a href="/mailing-lists.html">Mailing Lists</a></li>
       <li><a href="/reporting-issues.html">Reporting Issues</a></li>
-      <li><a href="https://wiki.apache.org/subversion/">Wiki</a></li>
+      <li><a href="https://cwiki.apache.org/confluence/display/SVN/">Wiki</a></li>
       <li><a href="/contributing.html">Getting Involved</a></li>
     </ul>
   </li>
@@ -91,7 +96,7 @@
 </div> <!-- #site-svnbook-block -->
 
 <div id="copyright">
-<p>Copyright &#169; 2017 <a href="https://www.apache.org/">The Apache
+<p>Copyright &#169; 2018 <a href="https://www.apache.org/">The Apache
    Software Foundation</a>, Licensed under
    the <a href="https://www.apache.org/licenses/LICENSE-2.0" >Apache
    License, Version 2.0</a>.  Apache, Apache Subversion, and