Changelog¶

All notable changes to Repod are documented here.

[1.0.1] — 2026-05-16¶

ClamAV: Replaced clamscan (OOM-killed at 1 GB limit) with clamd daemon — signatures loaded once in memory. Container memory limit raised to 2.5 GB. gpg-agent added to both Enterprise and Community Dockerfiles.
GPG key generation: Fixed NameError: Path is not defined and gpg-agent not installed errors. Added --pinentry-mode loopback and _ensure_gnupg_permissions(). Key generation now works reliably via the UI.
ClamAV manual update: freshclam now called with --log=/dev/null to avoid Permission denied on /var/log/clamav/freshclam.log (backend runs as appuser, not clamav).
Community reprepro: Fixed packages database contains unused error by running reprepro clearvanished after conf/distributions was regenerated. conf/distributions now auto-generated with all 4 distributions (jammy, noble, focal, bookworm) including GPG SignWith.
Community edition: Removed 8 enterprise service files (cve_enrichment, security_decisions, sla_alerts, sbom, ldap_auth, email_notifications, security_sync, retention) from Community source code — changing REPOD_EDITION environment variable no longer unlocks Enterprise features.

Auto-init distributions: Both Enterprise and Community backends automatically initialize conf/distributions and run reprepro export on first startup — no manual "Init distributions" button needed.
clamd daemon: entrypoint.sh now starts the clamd daemon at container boot. appuser is added to the clamav group so freshclam can write to the database directory.

First stable production release, including the Community Edition (MIT).

Community Edition — open-source (MIT licence). Includes the full upload pipeline (antivirus scan, CVE analysis, GPG signing, dependency check), package management, JWT + API token authentication, 5-role RBAC, LDAP/AD integration, audit logging, and the web UI.
Enterprise Edition — adds CVE review queue with CISO approval workflow, SBOM export (CycloneDX 1.5 + SPDX 2.3), configurable CVE policy, SLA tracking, scheduled security sync, package retention, and advanced settings.
Enterprise endpoints are present in the Community router set and return HTTP 402 Payment Required with a structured upgrade message. The API surface is identical between editions.

Docker socket removed — the backend no longer mounts /var/run/docker.sock. GPG signing operations now use a shared volume (/repos/gnupg), eliminating a container escape vector.
JWT secret validated at startup — the application refuses to start in production mode if JWT_SECRET_KEY is missing or set to the default value.
Swagger UI disabled in production — /docs, /redoc, and /openapi.json return 404 when ENV=production.
Reset tokens hashed — password reset tokens are stored as SHA-256 hashes only. The plaintext token is never persisted. Reset links expire after 30 minutes.
LDAP TLS certificate verification — enabled by default (verify_cert: true). A warning is logged to the console if disabled.
Secrets masked in settings API — smtp_password and bind_password are returned as •••••••• in GET /settings/.
Password policy enforced — minimum 8 characters, at least one uppercase letter, at least one digit or special character. Enforced at user creation, password change, and password reset.
Resource limits — backend container limited to 1 GB RAM and 1.5 CPUs in docker-compose.yaml.

Full SSE streaming upload via POST /upload/stream — real-time step-by-step progress.
Standard JSON upload via POST /upload/ (legacy, preserved for backward compatibility).
Six-step validation pipeline: format, SHA-256 provenance, antivirus scan, CVE analysis (with EPSS/KEV enrichment), GPG signature, dependency check.
CVE policy engine with per-severity actions (block, review, warn, allow).
Webhook notification on pending_review — notifies CISO team immediately when a package enters the review queue.

Rate limits applied to high-impact endpoints:

Append-only JSONL audit log (/repos/audit/YYYY-MM-DD.jsonl), one file per day. Logged actions include:

Compatible with OpenLDAP (uid) and Active Directory (sAMAccountName).
Five group mappings: one per role (group_admin, group_maintainer, group_uploader, group_auditor, group_reader).
Auto-provisioning: creates a local user record on first successful LDAP login.
Role sync: if a user's LDAP group changes, the role is updated on the next login.
POST /settings/test-ldap — test the LDAP connection and bind without saving.
TLS options: plain, STARTTLS, LDAPS, with optional custom CA bundle (ca_bundle_path).

Production compose file (community/docker-compose.yaml) separated from development.
docker-compose.dev.yml for local development with hot-reload.
TRUSTED_PROXIES environment variable for reverse proxy IP whitelisting.
app_url setting in settings.json for constructing correct reset links.
Scheduler (Enterprise) runs three cron jobs: security sync (03:00), SLA check (08:00), retention (02:00). All configurable. Hot-reconfigurable via PATCH /settings/.

Bilingual documentation (English + French) covering installation, administration, API reference, security dossier, reverse proxy, and compliance.
NIS2 and ANSSI SecNumCloud compliance mapping.
How-to guides: LDAP, backup/restore, GPG key rotation, migration from Artifactory/Nexus.

Beta release — internal testing.

Alpha release.