Halloween

The information below is a copy/paste of the RELEASE NOTES since the last release. GitHub also offers a browseable interface: 43.33.2...43.60.6 A more polished version is at https://wiki.freephile.org/wiki/Meza/Halloween_release

Commits

HEAD -> dev origin/dev

• bd8551e (2025-10-30) Greg Rundlett: Make lint-files.sh script more quiet By default only show warnings and errors.
  We introduce a -v or --verbose option if you want to show success
  messages too.
  Add --help with usage

  • Modified: src/scripts/lint-files.sh

• 979fe60 (2025-10-30) Greg Rundlett: Fix yaml linting errors

  • Modified: .github/workflows/release-notes.yml
  • Modified: src/playbooks/create-wiki.yml
  • Modified: src/playbooks/debug.yml
  • Modified: src/playbooks/migrate-wikis.yml
  • Modified: src/roles/configure-wiki/tasks/main.yml
  • Modified: src/roles/delete-wiki-wrapper/tasks/main.yml
  • Modified: src/roles/imagemagick/tasks/setup-Debian.yml
  • Modified: src/roles/imagemagick/tasks/setup-RedHat.yml

• 99d9597 (2025-10-30) Greg Rundlett: Improve linting configuration Ignore 'collections' which is 3rd-party code.

  • Modified: .ansible-lint
  • Modified: .yamllint

• ff9e66b (2025-10-30) GitHub Action: Auto-update CHANGELOG and release notes - Updated CHANGELOG with latest commits

• Generated RELEASE_NOTES-HEAD.md
• Automated by GitHub Actions
  • Modified: CHANGELOG
  • Modified: RELEASE_NOTES-HEAD.md

• 51e8d6f (2025-10-30) Greg Rundlett: We don't need no stinkin' badges

  • Modified: README.md

• 1e87757 (2025-10-30) GitHub Action: Auto-update CHANGELOG and release notes - Updated CHANGELOG with latest commits

• Generated RELEASE_NOTES-HEAD.md
• Automated by GitHub Actions
  • Modified: CHANGELOG
  • Modified: RELEASE_NOTES-HEAD.md

• a6a76f6 (2025-10-30) Greg Rundlett: process the dev branch

  • Modified: .github/workflows/yamllint.yml

• 09a7a3c (2025-10-30) GitHub Action: Auto-update CHANGELOG and release notes - Updated CHANGELOG with latest commits

• Generated RELEASE_NOTES-HEAD.md
• Automated by GitHub Actions
  • Modified: CHANGELOG
  • Modified: RELEASE_NOTES-HEAD.md

• b19e5f5 (2025-10-30) Greg Rundlett: Major enhancements: Create wiki logging, etc. "meza create wiki" logging implementation

---

The new create-wiki logging mirrors the deploy logging architecture with both transactional and processing logs.
Transactional log: /opt/data-meza/logs/create-wiki/create-wiki.log (tracks operations with metadata)
Processing log: /opt/data-meza/logs/create-wiki-output/{env}-{timestamp}.log (captures ansible output)
/opt/data-meza/logs/
├── create-wiki/ # Transactional logs
│ └── create-wiki.log # Audit trail
└── create-wiki-output/ # Processing logs
├── demo-2025-10-29_175734.log
└── prod-2025-10-29_180234.log
Added two new commands:
sudo meza create-wiki-tail

• tells you what log its tailing and provides a way to check status on the create wiki process in real-time
  sudo meza create-wiki-log
• tells you the path of the process log e.g.
  /opt/data-meza/logs/create-wiki-output/monolith-2025-10-29_225319.log
  Meza.py uses paths from paths.yml

---

• Single Source of Truth: All paths defined in paths.yml, easy to maintain
• Removed hardcoded path definitions from meza.py
• Consistency: Python CLI uses same paths as Ansible roles
• Deterministic: No fallbacks, clear failures
• Jinja2 Template Support: variables found in yaml are resolved. {{ m_install }} resolves to 'opt'
• Error Handling: Clear error messages for configuration issues such as paths.yml missing
• new m_logs_create_wiki variable in paths.yml to define the location of the "meza create wiki" log
  Verify-wiki enhanced

---

wiki_id and wiki_name (as well as password) are passed by extra_vars in meza.py when it calls create-wiki-promptless playbook.
create-wiki playbook now prompts for Admin password and passes it on to the 'create-admin-account' task list in verify-wiki.
src/roles/verify-wiki/tasks/import-wiki-sql.yml is enhanced with output about wiki creation status
and the set_fact section was improved to clarify what's happening:

• New wiki was created (truly new, not from backup)
• Wiki created but from backup/import
• Wiki already existed
  BEFORE the created_new_wiki flag logic was problematic.
  Admin Account creation

---

The admin account creation was hardcoded to only work for wikis with wiki_id == "demo"
Removed wiki_id restriction: Changed from when: wiki_id == "demo" to run for any new wiki
Updated prompts: Made the messages generic to work for any wiki name
Fixes Issue #217
Fixes Issue #220

• Modified: config/paths.yml
• Modified: src/playbooks/create-wiki-promptless.yml
• Modified: src/playbooks/create-wiki.yml
• Modified: src/roles/create-wiki-wrapper/tasks/main.yml
• Modified: src/roles/mediawiki/tasks/main.yml
• Modified: src/roles/verify-wiki/tasks/create-admin-account.yml
• Modified: src/roles/verify-wiki/tasks/import-wiki-sql.yml
• Modified: src/scripts/meza.py

• 465eaee (2025-10-29) Greg Rundlett: Fix the CHANGELOG automation - fix the updateCHANGELOG.sh script (used by Continuous Integration)

• Update the entire CHANGELOG for consistent 'pretty' formatting
• Limit the CHANGELOG to start at 2022-01-01 for length
  [skip ci] chicken and egg problem
  Fixes Issue #219
  • Modified: CHANGELOG
  • Modified: src/scripts/updateCHANGELOG.sh

• 6e51cc5 (2025-10-29) GitHub Action: Auto-update CHANGELOG and release notes - Updated CHANGELOG with latest commits

• Generated RELEASE_NOTES-HEAD.md
• Automated by GitHub Actions
  • Modified: CHANGELOG
  • Modified: RELEASE_NOTES-HEAD.md

• a799fa8 (2025-10-29) Greg Rundlett: Prompt for credentials when creating Admin acct When Meza creates an Admin account, whether for the initial 'demo'
  or for any new wiki, prompt for the secure password and do not log it.
  This way it is only known to the user, and not a vulnerability.
  Note: the way that this is executed in the role hierarchy is that
  verify-wiki runs import-wiki-sql tasks for new wikis, which in turn
  runs init-wiki tasks. Since 'init-wiki.yml' ONLY creates an Admin account
  it was renamed 'create-admin-account.yml'
  Fixes Issue #217

  • Added: src/roles/verify-wiki/tasks/create-admin-account.yml
  • Modified: src/roles/verify-wiki/tasks/import-wiki-sql.yml
  • Deleted: src/roles/verify-wiki/tasks/init-wiki.yml

• de0798e (2025-10-24) GitHub Action: Auto-update CHANGELOG and release notes - Updated CHANGELOG with latest commits

• Generated RELEASE_NOTES-HEAD.md
• Automated by GitHub Actions
  • Modified: CHANGELOG
  • Modified: RELEASE_NOTES-HEAD.md

• 43cfde0 (2025-10-24) Greg Rundlett: Automated RELEASE NOTES and Changelog w/ Actions see .github/RELEASE_AUTOMATION.md for details
  Though GitHub Actions, we integrated automatic Changelog and RELEASE
  NOTES generation.
  For pull requests and commits.
  • Added: .github/RELEASE_AUTOMATION.md
  • Added: .github/workflows/advanced-release-management.yml
  • Added: .github/workflows/manual-release-notes.yml
  • Added: .github/workflows/release-notes.yml
  • Added: src/scripts/release-helper.sh

Meza 43.58.2

• 31f360d (2025-10-24) Greg Rundlett: Expand help.md to all meza commands
  • Modified: manual/meza-cmd/MIGRATION.md
  • Modified: manual/meza-cmd/help.md
  • Modified: manual/meza-cmd/install.md

Meza 43.58.1

• 9071e05 (2025-10-24) Greg Rundlett: Correct help content about deploy command There is no 'install monolith' command.

  • Modified: manual/meza-cmd/MIGRATION.md
  • Modified: manual/meza-cmd/help.md
  • Modified: manual/meza-cmd/install.md

• 1effac3 (2025-10-24) Greg Rundlett: Update Changelog and RELEASE NOTES-HEAD

  • Modified: CHANGELOG
  • Modified: RELEASE_NOTES-HEAD.md

Meza 43.57.1

• d91c7a7 (2025-10-24) Greg Rundlett: Re-enable WatchAnalytics Fixes Issue #214

  • Modified: config/MezaCoreExtensions.yml

• 4541968 (2025-10-24) Greg Rundlett: minor tweaks to Quick Start section (curl not ready yet)
  whitespace changes in meza.py

  • Modified: manual/meza-cmd/index.md
  • Modified: src/scripts/meza.py

Meza 43.56.1

• 53d45c4 (2025-10-23) Greg Rundlett: Add Maintence script runner Remove the 'cleanup-upload-stash' playbook and replace it with a general purpose MediaWiki Maintenance script runner: run-maintenance.yml
  Update maint command doc
  Backward compatibility is retained for invoking cleanupUploadStash
  • Modified: manual/meza-cmd/maint.md
  • Modified: src/playbooks/cleanup-upload-stash.yml
  • Added: src/playbooks/run-maintenance.yml
  • Modified: src/scripts/meza.py

Meza 43.55.1

• a590d27 (2025-10-23) Greg Rundlett: Add LinkTarget extension
  • Modified: config/MezaCoreExtensions.yml

Meza 43.54.4

• 6eb271e (2025-10-23) Greg Rundlett: Update Changelog and RELEASE NOTES

  • Modified: CHANGELOG
  • Modified: RELEASE_NOTES-HEAD.md

• 0fb72fa (2025-10-23) Greg Rundlett: Update Changelog and RELEASE NOTES

  • Modified: CHANGELOG
  • Modified: RELEASE_NOTES-HEAD.md
  • Modified: manual/meza-cmd/index.md

Meza 43.54.3

• ce3ed9b (2025-10-23) Greg Rundlett: Correct the quick start section Add curl command for running getmeza.sh
  curl -L https://raw.githubusercontent.com/nasa/meza/master/src/scripts/getmeza.sh | bash
  Fixes Issue #211
  • Modified: manual/meza-cmd/index.md

Meza 4...

v43.33.2

Highlights

• MediaWiki 1.43.x and SemanticMediaWiki 6.x See below for all the upgraded extensions.
• Meza now includes all MediaWiki bundled extensions and skins* You actually need to pull tag 43.35.1
• A new config option m_install_netdata: false determines whether Netdata is installed for greater integration with environments with other monitoring/alerting solutions.
• New CI/CD pipelines, tools and procedures Add new linting workflow in #155 This GitHub Action will automatically lint all YAML files on commit subjecting those commits to a "pass/fail" grade. There is a new badge displayed in the README file that indicates whether the current tests are passing. A Passing grade should be the norm! Therefore, we have also implemented a pre-commit hook that will run in your local repository, rejecting commits when lint-files.sh fails. There are lingering cleanup issues in Ansible playbooks so you must skip the pre-commit hook with git commit --no-verify. Furthermore, to install the linters, developers must setup a Python Virtual Environment (.venv) in their local repository.
• The new lint script ./src/scripts/lint-files.sh will lint all ansible and YAML files in the project automatically via the pre-commit hook; or on demand. See the documentation in LINTING.md. The linting configuration rules for the project are set in .yamllint and for Ansible linting, in .ansible-lint.
• Improved community relations with issue templates adopting the new GitHub issue workflow in Issue #169 and Issue #170
• Security focus:
  • Create an official security policy SECURITY.md for reporting vulnerabilities.
  • Avoid directory traversal attack with overhaul of backup/download in pull/180
  • Prevent null byte injection
  • Prevent unauthorized file access during backup downloads
• Improve Meza's Python style, quality and maintainability
  • Fix Pylint warnings
  • Fix Imports outside toplevel
  • Fix PEP8 formatting
  • Fixed all the C0301 "line too long" warnings
  • Use Python 3.6 f-strings instead of .format()
  • Convert tabs to spaces
• Developers should create a Python Virtual Environment to make available the necessary tools for quality control.
• Improved Elasticsearch, Elastica and CirrusSearch in this merge commit
  • Make Index rebuilds safe and faster
  • Metastore updates and indexing improvements
  • Prepare for conversion to OpenSearch
  • new configs: elasticsearch_index_retry_initial: 5 and elasticsearch_index_retry_max: 5. These can also be read from Environment variables RETRY_INITIAL and RETRY_MAX
  • Set elasticsearch_reindex: true in your inventory, host_vars, or group_vars when you want the reindex tasks to run.
  • Set mediawiki_cirrus_metastore_upgrade: true if you want to upgrade the CirrusSearch metastore.

Ansible

• Upgraded Ansible to 2.16.3 (final release for RHEL 8.10 / Rocky Linux), which supports the modern Ansible Galaxy. (See Issue #108 for background on old CentOS repo problems that were fixed.)
• YAML Inventory Support Switched to YAML format for Ansible inventory, improving compatibility and maintainability.
• Task debugging enabled by default enable_task_debugger = true added to ansible.cfg for easy debugging in play logs.
• Deprecation warnings are enabled in ansible.cfg
• Add symlink in project root directory to config/ansible.cfg because some tools expect it there
• Fix collections_path variable name in ansible.cfg

Security and Compliance

• Strengthened backup script validation
• Improved user management, and permissions which will support multi-platform compatibility.
  • Removed m_meza_owner in favor of ansible_user
  • Renamed m_meza_group to m_group
  • Variables m_htdocs_owner and m_logs_owner which were assigned m_user resolve to 'meza-ansible'
• linux-user.sh script enhancements for managing Linux users and groups
  • mf_add_ssh_user() automatically adds meza-ansible to required groups
  • Detects and adds to apache/www-data group for web file access
  • Ensures wheel group membership for sudo access
  • Provides user feedback when groups are added
• New verify-permissions playbook and role
  • Verifies group memberships, directory permissions, and write access
  • Provides detailed output for troubleshooting
  • First cd /opt/meza/config
  • You do not need the env extra-var if you set it in your hosts file
  • ansible-playbook -i /opt/conf-meza/secret/monolith/hosts ../src/playbooks/verify-permissions.yml -e "env=monolith"
  • Sticky bit (2775) on all data dirs for consistent group inheritance
  • Covers: m_meza_data, m_cache_directory, m_logs, m_backups
  1. Replaced hardcoded values in roles and playbooks:
  • Changed "meza-ansible" to "{{ ansible_user }}"
  • Changed "apache" to "{{ user_apache }}"
  • Changed "wheel" to "{{ group_wheel }}"
  2. Improved group detection and fallback in Meza.py
  3. Enhanced lock file management in Meza.py
• Added SBOM generation. A Software Bill of Materials (SBOM) is like an ingredient list for your software. It's a detailed inventory that shows exactly what components, libraries, and dependencies make up your software installation, including their versions, licenses, and known vulnerabilities for better automated compliance, auditing and transparency in the software supply chain.
• All upstream (official NASA) Meza changes are incorporated.

Git (Version Control)

• Adopted pre-commit hooks, and worked on Docker-based testing.
• Introduce requirements.yml and ansible.cfg changes to install community collections we depend on
• Ignore venv .venv for Python virtual environments
• Ignore Geerlingguy for 3rd-party playbooks

Linting (Quality Assurance)

• improved linting (yamllint, ansible-lint)

• Added Ansible + YAML linting instructions for GitHub Copilot AI agent
• Added .ansible-lint.yml for linting configuration
• Added LINTING.md for linting guidelines
• Added lint-files.sh script for manual and automatic file linting
• Added yamllint workflow (GitHub Actions) in Issue #155 to create a Quality gate that automatically checks commits to main for YAML syntax errors. A new badge in the project README.md displays the current linting status.

Critical Fixes

• Fixed maintenance script quoting, resolved Ansible linting errors, and improved memcache installation logic.
• Make PHP Memory Limit configurable New default in apache-php role for php_memory_limit which mirrors PHP's own default of 128M See Issue #145, and Issue #151
• Fixed deprecated wfGetDB() upstream in SemanticMediaWiki and SemanticExtraSpecialProperties Issue #149
• Add measures to block AI bots ( Issue #156 ) which can cause inordinate server load similar to a DDOS attack. Using Extension:Lockdown to block anonymous access to resource-heavy pages like Special:RecentChangesLinked and History, we accomplish the same measures as Extension:CrawlerProtection
• Ensure AbuseFilter loads required libraries via composer merge fixes Issue #168

Documentation & Release Tracking

• Added ongoing release notes file (RELEASE_NOTES-HEAD.md) and improved documentation for workflows.
• Added page on the freephile wiki to conveniently display all RELEASE_NOTES for Meza 43.x

• .github/copilot-instructions.md Instructions for GitHub CoPilot AI assistant
• .github/ISSUE_TEMPLATE/bug_report.md new bug report template
• .github/ISSUE_TEMPLATE/custom.md new custom template
• .github/ISSUE_TEMPLATE/feature_request.md new feature request template
• LINTING.md New Linting tools documentation
• README.md Project README
• RELEASE_NOTES-43.25.11.md Release Notes covering 39.6.1 - 43.25.11
• RELEASE_NOTES-43.29.1.md Release Notes covering 43.25.11- 43.29.1
• RELEASE_NOTES-HEAD.md New "Living" Release Notes, "the latest" - updated during a release.
• RELEASE-NOTES.md Original Release Notes
• SECURITY.md New Security Poli...

REL 1_43.23.1

What's Changed

• Avoid directory traversal attack by @freephile in #180

Full Changelog: 43.22.1...43.23.1

REL 1_43 / SMW 5 prod

What's Changed

• Add new YAML linting workflow by @freephile in #155
• Update issue templates to new GitHub workflow by @freephile in #169
• Create Security Policy by @freephile in #175
• A whole lot more - will be updated in the RELEASE NOTES shortly.

Full Changelog: 39.x-merged...43.22.1

43.10.1

REL 1_43 and SMW 5

I've been running and tweaking this codebase for months. It's time to make it official. I'm still planning on additional services like metricbeat and filebeat from Elastic - while closely following the work upstream at WMF for their conversion to OpenSearch.

Full Changelog: 43.9.0...43.10.1

REL 1_43 / SMW 5 beta

This is a beta release of an upgrade of MediaWiki to the 1.43 LTS release and a corresponding upgrade to Semantic MediaWiki 5.x-alpha as well as upgrades to all the included extensions and platform components such as ElasticSearch. Along the way, we've added features such as automated TLS certificates through Let's Encrypt's Certbot and a Kibana dashboard for better management of your ElasticSearch indexes.

Full Changelog: 39.8.0...43.7.1

MediaWiki REL1_39 upgrade to Meza

Final delivery to NASA GRC-ATF

See RELEASE NOTES and CHANGELOG for details.

v39.2.0-beta

This is a release candidate.

This is a walk-through of the Release process in GitHub

Full Changelog: 39.1.0...39.2.0