DirectAdmin v1.663 RC

fln

Administrator
Staff member
Joined
Aug 30, 2021
Messages
985
We are happy to announce the release of DirectAdmin 1.663 RC.

Highlights of this release is file system usage information in the System Information page and initial support for security.txt (RFC 9116). In addition to new features this release has important fixes and improvements.

Full release change log can be found here:

DirectAdmin 1.663

The update should be automatically available for all installations subscribed to the beta release channel.

We appreciate all the feedback on forums and issues reported in the ticketing system.

Thanks!
 
Nice job on security.txt feature :) doing it manually now, that’s going to save some time :)
 
The bad news about security.txt is that this data can be used for spam users' existing accounts. Do we have companies list who have access to this file?
 
Does the security.txt feature also signs it with PGP and creates the PGP Public key file on the right place?
No.

PGP signing with auto-generated keys is useless because it does not allow establishing a chain of trust. Auto generating PGP keys and signing would be identical to using self-signed certificates for HTTPS. PGP is useful if you have other means to prove the key should be trusted. This part (signing the security.txt contents) of the spec is mostly ignored, examples:
Just serving it over HTTPS is enough to prove it is really served by the owner of the website.
The bad news about security.txt is that this data can be used for spam users' existing accounts. Do we have companies list who have access to this file?
Security txt contents is publicly available for everyone.
 
Last edited:
PGP signing with auto-generated keys is useless because it does not allow establishing a chain of trust. Auto generating PGP keys and signing would be identical to using self-signed certificates for HTTPS. PGP is useful if you have other means to prove the key should be trusted. This part (signing the security.txt contents) of the spec is mostly ignored, examples:
Just serving it over HTTPS is enough to prove it is really served by the owner of the website.
Ok cool. I thought maybe DA also created a keyserver / WKD. But off course people can also do this self. :) I know it is not nessecary I was just wandering :)

Thanks
 
can you add supporting of old and new backups for restore from DA:
Invalid filename: user.reseller.agro.tar.zst. The file must be of the form: username.tar.gz
my bad, it was name issue, but check also extension support, I already recreated backups as tar.gz and don't have zst to test.
 
Last edited:
@ahmed_hv it does work on our test servers. Maybe you are using legacy license?
 

Users of legacy licenses may continue to run the DirectAdmin service with the understanding that their codebase will receive limited maintenance. For the purposes of licensing infrastucture compatibility, security fixes, and other development, the legacy codebase will increase version number in accordance with our changelog. However, it should not be assumed that items listed in the changelog are guaranteed to exist in the legacy codebase.

All new features should be considered not available in the legacy code base, but we include fixes and some of the features to support easy transition from legacy licenses (one way only).
 
All new features should be considered not available in the legacy code base, but we include fixes and some of the features to support easy transition from legacy licenses (one way only).
Even if you block new features for us LLC, it won't really convince me to buy (a) license(s), even though I only currently have 2 LL in use for personal use...

Do you really think we all read the "licensing agreement" regularly..... it's like the 5,989-page Apple T&C, who really reads that every update?!

Maybe you can pop up a window when an admin logs in to persuade them to read it after each update??‍♂️
 
Even if you block new features for us LLC
It is already known for a long time that LL would not get new features, only updates and upgrades. Until now then with the cutbacks on the databases. So I don't know why everybody's wondering now about not getting the new features. It's also stated at the forum in the past in discussions. It's nothing new or unkown.
I personally won't discuss here further about this, as this is a release thread, not a discussion thread. Just wanted to point out it's known for years already.
 
No.

PGP signing with auto-generated keys is useless because it does not allow establishing a chain of trust. Auto generating PGP keys and signing would be identical to using self-signed certificates for HTTPS. PGP is useful if you have other means to prove the key should be trusted. This part (signing the security.txt contents) of the spec is mostly ignored, examples:
Just serving it over HTTPS is enough to prove it is really served by the owner of the website.

Security txt contents is publicly available for everyone.
If I only use Google Workspace to maintain my email service, do I need to activate this security.txt? Thank you.
 
Back
Top