-*- text -*-

This version of cfengine focuses on security and efficiency. Several
new features have been added to network communication by cfd:

* Encrypted transfers
* Better authentication (by user)
* More efficient transfers over single connection

Other things, like Tripwire functionality for md5 checksums, have been
added for convenience.

* Regular expression libraries use POSIX extended regular expressions.
  This means that you might have to make changes to escape characters
  in your configuration files in order for them to run.  

* User authentication based on pidentd and key exchange for secure lines

* Allow DES-encrypted communication between client and server.  

* Remote copy protocol semantics are not compatible with 1.4.x,
  owing to optimizations which should improve performance on large transfers.

* This version also works on NT, using the cygwin-32
  libraries available from http://www.cygnus.com


Upgrading
----------

Please be careful installing this version of cfengine, even if you
have been following the beta versions. There are changes in threading
policy and protocol which make remote file transfers much more
efficient and reliable with cfd. The new threading policy makes it
impossible to support the old protocol simultaneously. If you rely on
cfd for all copying, then upgrading should be done with caution.  If
you only have a few hosts, upgrading by hand should not be difficult,
but if you have many, you might want to think about this: Here are
some hints for a safe upgrade.

* Copy the new cfengine files to NEWcfengine NEWcfd NEWcfrun
  and make sure that they are all copied to every host before
  running them.

* At some time of day or night when no remote copying is taking
  place, use a process command in cfengine to kill the old
  cfd, then move the NEW files to cfengine, cfd and cfrun
  and restart cfd.

This should take care of all hosts which are alive. If any hosts are
down, they will not be upgraded and they will not be able to speak to
cfd when they come up again, unless they read cfengine from an NFS
server.
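
The switch-over step from the hints above, as an added example that is
not part of the cfengine distribution: it refuses to activate anything
unless all three NEW files are present, and is meant to run after the
old cfd has been killed and before cfd is restarted. The directory
argument and the OLD* backup names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the cfengine distribution.
# Activates staged NEWcfengine/NEWcfd/NEWcfrun in one directory, but only
# if the full set is present, so a partly copied set is never switched in.
# The directory argument and the OLD* backup names are assumptions.

activate_new_binaries() {
    dir=$1
    # Pass 1: change nothing unless every staged file is there and executable.
    for name in cfengine cfd cfrun; do
        if [ ! -f "$dir/NEW$name" ] || [ ! -x "$dir/NEW$name" ]; then
            echo "missing or non-executable: $dir/NEW$name" >&2
            return 1
        fi
    done
    # Pass 2: keep a copy of the current version as OLD<name>, then rename
    # the new file over it. A rename inside one directory replaces the name
    # in a single step, so it never points at a half-written file.
    for name in cfengine cfd cfrun; do
        if [ -f "$dir/$name" ]; then
            cp -p "$dir/$name" "$dir/OLD$name" || return 1
        fi
        mv -f "$dir/NEW$name" "$dir/$name" || return 1
    done
    return 0
}
```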

NT
--

The port to NT has been done with my two students: Bjoern Gustafson
and Joergen Kjensli.

Cfengine 1.5.0 will compile and run on Windows NT, if you have the
cygwin32 Free Software installed. Some documentation about the port
will be available soon, including tips on the configuration of cygwin.

Cfengine can set ACLs on files, but will not work correctly on
directories yet. This will be fixed shortly, along with some
reasonable documentation.

We have not had sufficient opportunity to test cfengine on NT, at the
College, since we do not use NT for any real tasks, so please treat
this as beta quality software and work somewhat defensively. It should
be possible for us to test it more next year.

Regular expressions
-------------------

As of 1.5.0 cfengine requires a POSIX regular expression library.
In most modern systems this will work automatically, but on old legacy
systems it might cause problems compiling. If your host does not
provide regcomp(), regexec() and regex.h, you should collect
the GNU regular expression library (excerpted from the C library)

    rx-1.5.tar.gz

or later. This should cure the problem. 

On solaris machines I have experienced trouble
with header files getting mixed up: rxposix.h and regex.h.
You should probably not install the GNU library on a solaris
machine, where the regex library seems to work well.

On NT with the cygwin32 library, it was necessary to compile
GNU librx on the system. The existing regex functions compiled
but did not work.

DES Encryption
---------------

You can arrange to encrypt transferred files by symmetric cipher, if
you have the OpenSSL libraries installed, or a later version (now
called OpenSSL http://www.OpenSSL.org).  The secure=true option
instigates encrypted transfer.  A new program cfkey can be used to
generate a key file on one host.

    cfkey > /var/run/cfengine/keys

or

    cfkey > /etc/cfengine/keys

This same file must then be distributed to all participating hosts.
The server can REQUIRE hosts to perform encrypted transfer with
secure=true in cfd.conf.
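
Because the redirect above creates the key file with whatever the
shell's umask allows, and every host must hold the same file, each
distributed copy is worth checking. The following is an added example,
not part of the cfengine distribution; the expected digest is assumed to
come from the generating host over a trusted channel.

```shell
#!/bin/sh
# Added example, not part of the cfengine distribution.
# Checks one copy of the shared key file: it must be a non-empty regular
# file, closed to group and other, and identical to the master copy.
# The expected SHA-256 digest is assumed to arrive over a trusted channel.

sha256_of() {
    # Print only the hex digest, using whichever tool the host provides.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

check_keyfile() {
    keyfile=$1
    expected=$2
    # A symlink could point the reader at a file somewhere else.
    if [ ! -f "$keyfile" ] || [ -L "$keyfile" ]; then
        echo "$keyfile: not a regular file" >&2; return 1
    fi
    if [ ! -s "$keyfile" ]; then
        echo "$keyfile: empty" >&2; return 2
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$keyfile" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$keyfile: accessible beyond owner ($perms)" >&2; return 3
    fi
    if [ "$(sha256_of "$keyfile")" != "$expected" ]; then
        echo "$keyfile: differs from the master copy" >&2; return 4
    fi
    return 0
}
```

Running the generating command under `umask 077` gives a file that passes the permission check from the start.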

AIX and pthreads
----------------

AIX prior to 4.2 does not have a POSIX correct version of the pthread
library. Although the threading support should work now on AIX 4.2,
the reliability of the daemon in multithreaded mode might not be
optimal. Signal support is not handled properly, so the daemon might
terminate badly.

Known bugs
----------

For some reason, cfd seems to hang when copying itself from one host
to another, on solaris.

The handling of the network interface has grown increasingly
difficult. Apart from the fact that the internet sockets and ioctl calls
are amongst the ugliest, actually disgusting, APIs I have ever
encountered, many OSes are going over to routing sockets which I do
not know anything about, so this will have to wait.

If anyone who understands the new route structures for routing sockets
would like to send me a patch to read and set routes, netmasks and
broadcast addresses, I would be forever grateful.

Mark


Automake/Autoconf Setup
=======================

With V1.6, automake is used to generate the Makefiles for CFEngine.
Since the distribution of CFEngine includes the Makefile.in files, the
average user will not need to know any of this.  However, those who
choose to make changes to CFEngine should understand how automake
(v1.4) and autoconf (v2.3) work.

Maintenance of CFEngine, therefore, will now involve maintaining the
Makefile.am files along with the configure.in file.  While the
configure.in file is still (largely) the same as it was before, the
Makefile.am files are greatly simplified from the previous Makefile.in
files.

The following are some notes on maintaining CFEngine:

* The AUTHORS file simply lists some information about CFEngine
authors and what they've done to the code.  Choose any format that
you like, but keep with the format of others.

* The acconfig.h file is used by autoheader (part of autoconf) for
generating the src/conf.h.in file.  Maintain this file instead of the
conf.h variants.

* The configure.in file is the master configuration script and has a
number of parts to it to maintain.

** Remember to adjust the VERSION in AM_INIT_AUTOMAKE.  This should be
the place where the 

* The bin/changelog.sh file is a quickie shell to generate an HTML
file from a text file 
