author tusooa <tusooa@kazv.moe> 2023-10-24 19:57:31 -0400
committer tusooa <tusooa@kazv.moe> 2023-10-24 19:57:31 -0400
commit a2a69709b51692be307940c79d0befdd3c9678bb
tree 81ced8b6e2f4ba6b1802deb51dc91a935fe82657
parent e3ea311cd594d4f0bc8c4e05ca8eb1eee18ae6be
Bump version to 2.6.0
-rw-r--r-- CHANGELOG.md 38
-rw-r--r-- changelog.d/2023-06-deps-update.skip 0
-rw-r--r-- changelog.d/3126.fix 1
-rw-r--r-- changelog.d/3739.skip 0
-rw-r--r-- changelog.d/3801.fix 1
-rw-r--r-- changelog.d/3831.skip 0
-rw-r--r-- changelog.d/3848.add 1
-rw-r--r-- changelog.d/3870.skip 0
-rw-r--r-- changelog.d/3872.remove 1
-rw-r--r-- changelog.d/3873.fix 1
-rw-r--r-- changelog.d/3874.remove 1
-rw-r--r-- changelog.d/3876.skip 0
-rw-r--r-- changelog.d/3877.skip 0
-rw-r--r-- changelog.d/3878.skip 0
-rw-r--r-- changelog.d/3879.fix 1
-rw-r--r-- changelog.d/3880.remove 1
-rw-r--r-- changelog.d/3882.add 1
-rw-r--r-- changelog.d/3883.fix 1
-rw-r--r-- changelog.d/3884.fix 1
-rw-r--r-- changelog.d/3885.fix 1
-rw-r--r-- changelog.d/3888.fix 1
-rw-r--r-- changelog.d/3891.fix 1
-rw-r--r-- changelog.d/3893.skip 0
-rw-r--r-- changelog.d/3897.add 1
-rw-r--r-- changelog.d/3899.skip 0
-rw-r--r-- changelog.d/3901.security 1
-rw-r--r-- changelog.d/3902.skip 0
-rw-r--r-- changelog.d/3909.skip 0
-rw-r--r-- changelog.d/akkoma-xml-remote-entities.security 1
-rw-r--r-- changelog.d/amd64-runner.skip 0
-rw-r--r-- changelog.d/attachment-type-check.fix 1
-rw-r--r-- changelog.d/changelog-improve.skip 0
-rw-r--r-- changelog.d/check-attachment-attribution.security 1
-rw-r--r-- changelog.d/delete-status-of-banned-user.fix 1
-rw-r--r-- changelog.d/deprecate-scrobbles.remove 1
-rw-r--r-- changelog.d/disable-xml-entity-resolution.security 1
-rw-r--r-- changelog.d/distro-docs-elixir-1.11.skip 0
-rw-r--r-- changelog.d/dockerfile-config-perms.fix 1
-rw-r--r-- changelog.d/emoji-pack-sanitization.security 1
-rw-r--r-- changelog.d/emoji-policy.add 1
-rw-r--r-- changelog.d/featured-collection-shouldnt-break-user-fetch.fix 1
-rw-r--r-- changelog.d/fix-object-test.fix 1
-rw-r--r-- changelog.d/gentoo_otp.skip 0
-rw-r--r-- changelog.d/gentoo_otp_hotfix.skip 0
-rw-r--r-- changelog.d/gentoo_otp_intro.skip 0
-rw-r--r-- changelog.d/handle-report-from-deactivated-user.fix 1
-rw-r--r-- changelog.d/lint.skip 0
-rw-r--r-- changelog.d/media-altdomain.skip 0
-rw-r--r-- changelog.d/no_new_privs.add 1
-rw-r--r-- changelog.d/otp_perms.security 1
-rw-r--r-- changelog.d/pipeline-triggers.skip 0
-rw-r--r-- changelog.d/prevent-bypassing-authorized-fetch-mode.fix 1
-rw-r--r-- changelog.d/punycode-mention.fix 1
-rw-r--r-- changelog.d/quote.add 1
-rw-r--r-- changelog.d/testfix-system-config-use.skip 0
-rw-r--r-- changelog.d/unified-streaming.add 1
-rw-r--r-- changelog.d/update-credentials-limit-error.fix 1
-rw-r--r-- mix.exs 2
58 files changed, 35 insertions, 40 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 65acfad3e..211e611ab 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,19 +4,49 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
-## Unreleased
-
-### Changed
+## 2.6.0
+### Security
+- Preload: Make generated JSON html-safe. It already was html safe because it only consists of config data that is base64 encoded, but this will keep it safe it that ever changes.
+- CommonAPI: Prevent users from accessing media of other users by creating a status with reused attachment ID
+- Disable XML entity resolution completely to fix a dos vulnerability
### Added
- Support for Image activities, namely from Hubzilla
+- Add OAuth scope descriptions
+- Allow lang attribute in status text
+- OnlyMedia Upload Filter
+- Implement MRF policy to reject or delist according to emojis
+- (hardening) Add no_new_privs=yes to OpenRC service files
+- Implement quotes
+- Add unified streaming endpoint
### Fixed
-
- rel="me" was missing its cache
+- MediaProxy responses now return a sandbox CSP header
+- Filter context activities using Visibility.visible_for_user?
+- UploadedMedia: Add missing disposition_type to Content-Disposition
+- fix not being able to fetch flash file from remote instance
+- Fix abnormal behaviour when refetching a poll
+- Allow non-HTTP(s) URIs in "url" fields for compatibility with "FEP-fffd: Proxy Objects"
+- Fix opengraph and twitter card meta tags
+- ForceMentionsInContent: fix double mentions for Mastodon/Misskey posts
+- OEmbed HTML tags are now filtered
+- Restrict attachments to only uploaded files only
+- Fix error 404 when deleting status of a banned user
+- Fix config ownership in dockerfile to pass restriction test
+- Fix user fetch completely broken if featured collection is not in a supported form
+- Correctly handle the situation when a poll has both "anyOf" and "oneOf" but one of them being empty
+- Fix handling report from a deactivated user
+- Prevent using the .json format to bypass authorized fetch mode
+- Fix mentioning punycode domains when using Markdown
+- Show more informative errors when profile exceeds char limits
### Removed
- BREAKING: Support for passwords generated with `crypt(3)` (Gnu Social migration artifact)
+- remove BBS/SSH feature, replaced by an external bridge.
+- Remove a few unused indexes.
+- Cleanup OStatus-era user upgrades and ap_enabled indicator
+- Deprecate Pleroma's audio scrobbling
## 2.5.4
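Review bot: Several of the added entries under `## 2.6.0` carry wording defects that will ship in the release notes. The Preload entry reads "keep it safe it that ever changes" (should be "if that ever changes"), the attachments entry reads "Restrict attachments to only uploaded files only", and "dos" in the XML entity resolution entry should be "DoS". Capitalization is also inconsistent: "fix not being able to fetch flash file…" and "remove BBS/SSH feature…" start lowercase while their neighbours do not. The source fragments are deleted in this same commit, so the text should be corrected here rather than in changelog.d.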
diff --git a/changelog.d/2023-06-deps-update.skip b/changelog.d/2023-06-deps-update.skip
deleted file mode 100644
index e69de29bb..000000000
--- a/changelog.d/2023-06-deps-update.skip
+++ /dev/null
diff --git a/changelog.d/3126.fix b/changelog.d/3126.fix
deleted file mode 100644
index 91d396c89..000000000
--- a/changelog.d/3126.fix
+++ /dev/null
@@ -1 +0,0 @@
-MediaProxy responses now return a sandbox CSP header
diff --git a/changelog.d/3739.skip b/changelog.d/3739.skip
deleted file mode 100644
index e69de29bb..000000000
--- a/changelog.d/3739.skip
+++ /dev/null
diff --git a/changelog.d/3801.fix b/changelog.d/3801.fix
deleted file mode 100644
index 8c2ec0199..000000000
--- a/changelog.d/3801.fix
+++ /dev/null
@@ -1 +0,0 @@
-Filter context activities using Visibility.visible_for_user?
diff --git a/changelog.d/3831.skip b/changelog.d/3831.skip
deleted file mode 100644
index e69de29bb..000000000
--- a/changelog.d/3831.skip
+++ /dev/null
diff --git a/changelog.d/3848.add b/changelog.d/3848.add
deleted file mode 100644
index d7b1b0a84..000000000
--- a/changelog.d/3848.add
+++ /dev/null
@@ -1 +0,0 @@
-Add OAuth scope descriptions
diff --git a/changelog.d/3870.skip b/changelog.d/3870.skip
deleted file mode 100644
index e69de29bb..000000000
--- a/changelog.d/3870.skip
+++ /dev/null
diff --git a/changelog.d/3872.remove b/changelog.d/3872.remove
deleted file mode 100644
index 54cbb660e..000000000
--- a/changelog.d/3872.remove
+++ /dev/null
@@ -1 +0,0 @@
-remove BBS/SSH feature, replaced by an external bridge. \ No newline at end of file
diff --git a/changelog.d/3873.fix b/changelog.d/3873.fix
deleted file mode 100644
index 4699f7b58..000000000
--- a/changelog.d/3873.fix
+++ /dev/null
@@ -1 +0,0 @@
-UploadedMedia: Add missing disposition_type to Content-Disposition \ No newline at end of file
diff --git a/changelog.d/3874.remove b/changelog.d/3874.remove
deleted file mode 100644
index a81f744bf..000000000
--- a/changelog.d/3874.remove
+++ /dev/null
@@ -1 +0,0 @@
-Remove a few unused indexes.
diff --git a/changelog.d/3876.skip b/changelog.d/3876.skip
deleted file mode 100644
index e69de29bb..000000000
--- a/changelog.d/3876.skip
+++ /dev/null
diff --git a/changelog.d/3877.skip b/changelog.d/3877.skip
deleted file mode 100644
index e69de29bb..000000000
--- a/changelog.d/3877.skip
+++ /dev/null
diff --git a/changelog.d/3878.skip b/changelog.d/3878.skip
deleted file mode 100644
index e69de29bb..000000000
--- a/changelog.d/3878.skip
+++ /dev/null
diff --git a/changelog.d/3879.fix b/changelog.d/3879.fix
deleted file mode 100644
index 7c58cc3c2..000000000
--- a/changelog.d/3879.fix
+++ /dev/null
@@ -1 +0,0 @@
-fix not being able to fetch flash file from remote instance \ No newline at end of file
diff --git a/changelog.d/3880.remove b/changelog.d/3880.remove
deleted file mode 100644
index 113c76c85..000000000
--- a/changelog.d/3880.remove
+++ /dev/null
@@ -1 +0,0 @@
-Cleanup OStatus-era user upgrades and ap_enabled indicator \ No newline at end of file
diff --git a/changelog.d/3882.add b/changelog.d/3882.add
deleted file mode 100644
index 4712de1dc..000000000
--- a/changelog.d/3882.add
+++ /dev/null
@@ -1 +0,0 @@
-Allow lang attribute in status text
diff --git a/changelog.d/3883.fix b/changelog.d/3883.fix
deleted file mode 100644
index 6824f2013..000000000
--- a/changelog.d/3883.fix
+++ /dev/null
@@ -1 +0,0 @@
-Fix abnormal behaviour when refetching a poll
diff --git a/changelog.d/3884.fix b/changelog.d/3884.fix
deleted file mode 100644
index f8dbb2bbf..000000000
--- a/changelog.d/3884.fix
+++ /dev/null
@@ -1 +0,0 @@
-Allow non-HTTP(s) URIs in "url" fields for compatibility with "FEP-fffd: Proxy Objects" \ No newline at end of file
diff --git a/changelog.d/3885.fix b/changelog.d/3885.fix
deleted file mode 100644
index c5fbb0ed4..000000000
--- a/changelog.d/3885.fix
+++ /dev/null
@@ -1 +0,0 @@
-Fix opengraph and twitter card meta tags
diff --git a/changelog.d/3888.fix b/changelog.d/3888.fix
deleted file mode 100644
index 886aa7b39..000000000
--- a/changelog.d/3888.fix
+++ /dev/null
@@ -1 +0,0 @@
-ForceMentionsInContent: fix double mentions for Mastodon/Misskey posts \ No newline at end of file
diff --git a/changelog.d/3891.fix b/changelog.d/3891.fix
deleted file mode 100644
index f1fb62d82..000000000
--- a/changelog.d/3891.fix
+++ /dev/null
@@ -1 +0,0 @@
-OEmbed HTML tags are now filtered
diff --git a/changelog.d/3893.skip b/changelog.d/3893.skip
deleted file mode 100644
index e69de29bb..000000000
--- a/changelog.d/3893.skip
+++ /dev/null
diff --git a/changelog.d/3897.add b/changelog.d/3897.add
deleted file mode 100644
index 5c4402f45..000000000
--- a/changelog.d/3897.add
+++ /dev/null
@@ -1 +0,0 @@
-OnlyMedia Upload Filter
diff --git a/changelog.d/3899.skip b/changelog.d/3899.skip
deleted file mode 100644
index e69de29bb..000000000
--- a/changelog.d/3899.skip
+++ /dev/null
diff --git a/changelog.d/3901.security b/changelog.d/3901.security
deleted file mode 100644
index a3d8bd01f..000000000
--- a/changelog.d/3901.security
+++ /dev/null
@@ -1 +0,0 @@
-Preload: Make generated JSON html-safe. It already was html safe because it only consists of config data that is base64 encoded, but this will keep it safe it that ever changes.
diff --git a/changelog.d/3902.skip b/changelog.d/3902.skip
deleted file mode 100644
index e69de29bb..000000000
--- a/changelog.d/3902.skip
+++ /dev/null
diff --git a/changelog.d/3909.skip b/changelog.d/3909.skip
deleted file mode 100644
index e69de29bb..000000000
--- a/changelog.d/3909.skip
+++ /dev/null
diff --git a/changelog.d/akkoma-xml-remote-entities.security b/changelog.d/akkoma-xml-remote-entities.security
deleted file mode 100644
index 5e6725e5b..000000000
--- a/changelog.d/akkoma-xml-remote-entities.security
+++ /dev/null
@@ -1 +0,0 @@
-Fix XML External Entity (XXE) loading vulnerability allowing to fetch arbitary files from the server's filesystem
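Review bot: The XXE entry deleted here has no counterpart among the added lines of the `### Security` section for 2.6.0 in CHANGELOG.md, which lists only the Preload, CommonAPI and XML entity resolution DoS items. If this fix is already recorded under an earlier release heading outside the visible context, note that in the commit message; otherwise carry the entry over before removing the fragment, correcting "arbitary" to "arbitrary" on the way.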
diff --git a/changelog.d/amd64-runner.skip b/changelog.d/amd64-runner.skip
deleted file mode 100644
index e69de29bb..000000000
--- a/changelog.d/amd64-runner.skip
+++ /dev/null
diff --git a/changelog.d/attachment-type-check.fix b/changelog.d/attachment-type-check.fix
deleted file mode 100644
index 9e14b75f1..000000000
--- a/changelog.d/attachment-type-check.fix
+++ /dev/null
@@ -1 +0,0 @@
-Restrict attachments to only uploaded files only
diff --git a/changelog.d/changelog-improve.skip b/changelog.d/changelog-improve.skip
deleted file mode 100644
index e69de29bb..000000000
--- a/changelog.d/changelog-improve.skip
+++ /dev/null
diff --git a/changelog.d/check-attachment-attribution.security b/changelog.d/check-attachment-attribution.security
deleted file mode 100644
index e0e46525b..000000000
--- a/changelog.d/check-attachment-attribution.security
+++ /dev/null
@@ -1 +0,0 @@
-CommonAPI: Prevent users from accessing media of other users by creating a status with reused attachment ID
diff --git a/changelog.d/delete-status-of-banned-user.fix b/changelog.d/delete-status-of-banned-user.fix
deleted file mode 100644
index 1fa6a29d8..000000000
--- a/changelog.d/delete-status-of-banned-user.fix
+++ /dev/null
@@ -1 +0,0 @@
-Fix error 404 when deleting status of a banned user
diff --git a/changelog.d/deprecate-scrobbles.remove b/changelog.d/deprecate-scrobbles.remove
deleted file mode 100644
index c453a9784..000000000
--- a/changelog.d/deprecate-scrobbles.remove
+++ /dev/null
@@ -1 +0,0 @@
-Deprecate Pleroma's audio scrobbling
diff --git a/changelog.d/disable-xml-entity-resolution.security b/changelog.d/disable-xml-entity-resolution.security
deleted file mode 100644
index db8e12f67..000000000
--- a/changelog.d/disable-xml-entity-resolution.security
+++ /dev/null
@@ -1 +0,0 @@
-Disable XML entity resolution completely to fix a dos vulnerability
diff --git a/changelog.d/distro-docs-elixir-1.11.skip b/changelog.d/distro-docs-elixir-1.11.skip
deleted file mode 100644
index e69de29bb..000000000
--- a/changelog.d/distro-docs-elixir-1.11.skip
+++ /dev/null
diff --git a/changelog.d/dockerfile-config-perms.fix b/changelog.d/dockerfile-config-perms.fix
deleted file mode 100644
index 49ea5becb..000000000
--- a/changelog.d/dockerfile-config-perms.fix
+++ /dev/null
@@ -1 +0,0 @@
-- Fix config ownership in dockerfile to pass restriction test
diff --git a/changelog.d/emoji-pack-sanitization.security b/changelog.d/emoji-pack-sanitization.security
deleted file mode 100644
index f3218abd4..000000000
--- a/changelog.d/emoji-pack-sanitization.security
+++ /dev/null
@@ -1 +0,0 @@
-Emoji pack loader sanitizes pack names
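Review bot: "Emoji pack loader sanitizes pack names" is removed here but does not appear in the 2.6.0 `### Security` list added by the CHANGELOG.md hunk. Confirm it is already listed under a previous release; if it is not, this security note disappears together with the fragment.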
diff --git a/changelog.d/emoji-policy.add b/changelog.d/emoji-policy.add
deleted file mode 100644
index 45510c4f6..000000000
--- a/changelog.d/emoji-policy.add
+++ /dev/null
@@ -1 +0,0 @@
-Implement MRF policy to reject or delist according to emojis
diff --git a/changelog.d/featured-collection-shouldnt-break-user-fetch.fix b/changelog.d/featured-collection-shouldnt-break-user-fetch.fix
deleted file mode 100644
index e8ce288cc..000000000
--- a/changelog.d/featured-collection-shouldnt-break-user-fetch.fix
+++ /dev/null
@@ -1 +0,0 @@
-Fix user fetch completely broken if featured collection is not in a supported form
diff --git a/changelog.d/fix-object-test.fix b/changelog.d/fix-object-test.fix
deleted file mode 100644
index 5eea719f0..000000000
--- a/changelog.d/fix-object-test.fix
+++ /dev/null
@@ -1 +0,0 @@
-Correctly handle the situation when a poll has both "anyOf" and "oneOf" but one of them being empty
diff --git a/changelog.d/gentoo_otp.skip b/changelog.d/gentoo_otp.skip
deleted file mode 100644
index e69de29bb..000000000
--- a/changelog.d/gentoo_otp.skip
+++ /dev/null
diff --git a/changelog.d/gentoo_otp_hotfix.skip b/changelog.d/gentoo_otp_hotfix.skip
deleted file mode 100644
index e69de29bb..000000000
--- a/changelog.d/gentoo_otp_hotfix.skip
+++ /dev/null
diff --git a/changelog.d/gentoo_otp_intro.skip b/changelog.d/gentoo_otp_intro.skip
deleted file mode 100644
index e69de29bb..000000000
--- a/changelog.d/gentoo_otp_intro.skip
+++ /dev/null
diff --git a/changelog.d/handle-report-from-deactivated-user.fix b/changelog.d/handle-report-from-deactivated-user.fix
deleted file mode 100644
index 6692d1aa8..000000000
--- a/changelog.d/handle-report-from-deactivated-user.fix
+++ /dev/null
@@ -1 +0,0 @@
-Fix handling report from a deactivated user
diff --git a/changelog.d/lint.skip b/changelog.d/lint.skip
deleted file mode 100644
index e69de29bb..000000000
--- a/changelog.d/lint.skip
+++ /dev/null
diff --git a/changelog.d/media-altdomain.skip b/changelog.d/media-altdomain.skip
deleted file mode 100644
index e69de29bb..000000000
--- a/changelog.d/media-altdomain.skip
+++ /dev/null
diff --git a/changelog.d/no_new_privs.add b/changelog.d/no_new_privs.add
deleted file mode 100644
index b67396a4b..000000000
--- a/changelog.d/no_new_privs.add
+++ /dev/null
@@ -1 +0,0 @@
-(hardening) Add no_new_privs=yes to OpenRC service files
diff --git a/changelog.d/otp_perms.security b/changelog.d/otp_perms.security
deleted file mode 100644
index a3da1c677..000000000
--- a/changelog.d/otp_perms.security
+++ /dev/null
@@ -1 +0,0 @@
-- Reduced permissions of config files and directories, distros requiring greater permissions like group-read need to pre-create the directories \ No newline at end of file
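Review bot: This fragment is the only place in the patch that tells distributions needing group-read to pre-create the config directories, and it is absent from the 2.6.0 section added to CHANGELOG.md. That is an operator-facing change in file permissions, so it should stay discoverable: either reference the earlier release entry that covers it or add it under `### Security`. If it is added, strip the fragment's leading "- " as was done for the dockerfile-config-perms entry, so the bullet is not doubled.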
diff --git a/changelog.d/pipeline-triggers.skip b/changelog.d/pipeline-triggers.skip
deleted file mode 100644
index e69de29bb..000000000
--- a/changelog.d/pipeline-triggers.skip
+++ /dev/null
diff --git a/changelog.d/prevent-bypassing-authorized-fetch-mode.fix b/changelog.d/prevent-bypassing-authorized-fetch-mode.fix
deleted file mode 100644
index 12f7260d7..000000000
--- a/changelog.d/prevent-bypassing-authorized-fetch-mode.fix
+++ /dev/null
@@ -1 +0,0 @@
-Prevent using the .json format to bypass authorized fetch mode \ No newline at end of file
diff --git a/changelog.d/punycode-mention.fix b/changelog.d/punycode-mention.fix
deleted file mode 100644
index f013c2dac..000000000
--- a/changelog.d/punycode-mention.fix
+++ /dev/null
@@ -1 +0,0 @@
-Fix mentioning punycode domains when using Markdown
diff --git a/changelog.d/quote.add b/changelog.d/quote.add
deleted file mode 100644
index 1c368ae75..000000000
--- a/changelog.d/quote.add
+++ /dev/null
@@ -1 +0,0 @@
-Implement quotes
diff --git a/changelog.d/testfix-system-config-use.skip b/changelog.d/testfix-system-config-use.skip
deleted file mode 100644
index e69de29bb..000000000
--- a/changelog.d/testfix-system-config-use.skip
+++ /dev/null
diff --git a/changelog.d/unified-streaming.add b/changelog.d/unified-streaming.add
deleted file mode 100644
index 84821fcc8..000000000
--- a/changelog.d/unified-streaming.add
+++ /dev/null
@@ -1 +0,0 @@
-Add unified streaming endpoint
diff --git a/changelog.d/update-credentials-limit-error.fix b/changelog.d/update-credentials-limit-error.fix
deleted file mode 100644
index 7682f958e..000000000
--- a/changelog.d/update-credentials-limit-error.fix
+++ /dev/null
@@ -1 +0,0 @@
-Show more informative errors when profile exceeds char limits
diff --git a/mix.exs b/mix.exs
index b071e7c7b..082b39e55 100644
--- a/mix.exs
+++ b/mix.exs
@@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do
def project do
[
app: :pleroma,
- version: version("2.5.54"),
+ version: version("2.6.0"),
elixir: "~> 1.11",
elixirc_paths: elixirc_paths(Mix.env()),
compilers: [:phoenix] ++ Mix.compilers(),