From 741cd8e8af4c0f9d870786aa2d6146a5e2712bda Mon Sep 17 00:00:00 2001 From: Shivaram Lingamneni Date: Fri, 12 Nov 2021 14:33:45 -0500 Subject: [PATCH 1/3] changelog updates --- CHANGELOG.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1b488308..cb6ac41f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,11 +1,9 @@ # Changelog All notable changes to Ergo will be documented in this file. -## [2.8.0-rc1] - 2021-11-03 +## [2.8.0] - 2021-11-14 -We're pleased to be publishing the release candidate for 2.8.0 (the official release should follow in a week or so). - -This release contains many fixes and enhancements, plus one major user-facing feature: user-initiated password resets via e-mail (#734). +We're pleased to be publishing Ergo 2.8.0. This release contains many fixes and enhancements, plus one major user-facing feature: user-initiated password resets via e-mail (#734). This release includes changes to the config file format, all of which are fully backwards-compatible and do not require updating the file before upgrading. 
@@ -42,6 +40,7 @@ Many thanks to [@ajaspers](https://github.com/ajaspers), [@delthas](https://gith * Fixed several pagination bugs in `CHATHISTORY` (#1676, thanks [@emersion](https://github.com/emersion)!) * Fixed support for kicking multiple users from a channel on the same line, the `TARGMAX` 005 parameter that advertises this, and the default kick message (#1748, #1777, #1776), thanks [@ProgVal](https://github.com/ProgVal)!) * Fixed `/SAMODE` on a channel not producing a snomask (#1787, thanks [@mogad0n](https://github.com/mogad0n), [@ajaspers](https://github.com/ajaspers)!) +* Adding `+f` to a channel with `SAMODE` used to require channel operator privileges on the receiving channel; this has been fixed (#1825, thanks [@Mikaela](https://github.com/Mikaela)!) * Fixed parameters sent with `697 ERR_LISTMODEALREADYSET` and `698 ERR_LISTMODENOTSET` (#1727, thanks [@kylef](https://github.com/kylef)!) * Fixed parameter sent with `696 ERR_INVALIDMODEPARAM` (#1773, thanks [@kylef](https://github.com/kylef)!) * Fixed handling of channel mode `+k` with an empty parameter (#1774, #1775, thanks [@ProgVal](https://github.com/ProgVal)!) @@ -62,6 +61,9 @@ Many thanks to [@ajaspers](https://github.com/ajaspers), [@delthas](https://gith * `#` can no longer be used in new account names and nicknames, or as the RELAYMSG separator (#1679) * The `oragono.io/nope` capability was renamed to `ergo.chat/nope` (#1793) +### Removed +* `never` is no longer accepted as a value of the `replay-joins` NickServ setting (`/NS SET replay-joins`); user accounts which enabled this setting have been reverted to the default value of `commands-only` (#1676) + ### Internal * We have a cool new logo! * Official builds now use Go 1.17 (#1781) From e74da6c51e4a625c193a8d96fe9f16d038f328b6 Mon Sep 17 00:00:00 2001 
From: Shivaram Lingamneni Date: Sat, 13 Nov 2021 19:51:07 -0500 Subject: [PATCH 2/3] fix #1827 Document operator capabilities. --- default.yaml | 37 +++++++++++++++++++++---------------- docs/MANUAL.md | 2 ++ traditional.yaml | 37 +++++++++++++++++++++---------------- 3 files changed, 44 insertions(+), 32 deletions(-) diff --git a/default.yaml b/default.yaml index f450c47c..712aa335 100644 --- a/default.yaml +++ b/default.yaml @@ -603,7 +603,12 @@ channels: # (0 or omit for no expiration): invite-expiration: 24h -# operator classes +# operator classes: +# an operator has a single "class" (defining a privilege level), which can include +# multiple "capabilities" (defining privileged actions they can take). all +# currently available operator capabilities are associated with either the +# 'chat-moderator' class (less privileged) or the 'server-admin' class (full +# privileges) below: you can mix and match to create new classes. oper-classes: # chat moderator: can ban/unban users from the server, join channels, # fix mode issues and sort out vhosts. @@ -613,15 +618,15 @@ oper-classes: # capability names capabilities: - - "kill" - - "ban" - - "nofakelag" - - "roleplay" - - "relaymsg" - - "vhosts" - - "sajoin" - - "samode" - - "snomasks" + - "kill" # disconnect user sessions + - "ban" # ban IPs, CIDRs, and NUH masks ("d-line" and "k-line") + - "nofakelag" # remove "fakelag" restrictions on rate of message sending + - "relaymsg" # use RELAYMSG in any channel (see the 'relaymsg' config block) + - "vhosts" # add and remove vhosts from users + - "sajoin" # join arbitrary channels, including private channels + - "samode" # modify arbitrary channel and user modes + - "snomasks" # subscribe to arbitrary server notice masks + - "roleplay" # use the (deprecated) roleplay commands in any channel # server admin: has full control of the ircd, including nickname and # channel registrations 
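Review bot: The new header comment above `oper-classes` invites administrators to "mix and match" capabilities but gives no least-privilege guidance. It also calls `chat-moderator` "less privileged" although, per the inline comments added in this hunk, that class carries `kill`, `ban`, `sajoin` (join private channels) and `samode` (modify arbitrary channel and user modes). I would add one line such as `# grant each operator only the capabilities they need; 'sajoin' and 'samode' override channel-level access controls.` The statement that every available capability appears in one of the two classes will go stale silently when a capability is added, so it may be worth pointing to wherever the authoritative list is kept. The same comment block is duplicated in the first traditional.yaml hunk.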
@@ -634,12 +639,12 @@ oper-classes: # capability names capabilities: - - "rehash" - - "accreg" - - "chanreg" - - "history" - - "defcon" - - "massmessage" + - "rehash" # rehash the server, i.e. reload the config at runtime + - "accreg" # modify arbitrary account registrations + - "chanreg" # modify arbitrary channel registrations + - "history" # modify or delete history messages + - "defcon" # use the DEFCON command (restrict server capabilities) + - "massmessage" # message all users on the server # ircd operators opers: diff --git a/docs/MANUAL.md b/docs/MANUAL.md index db51b155..99be905b 100644 --- a/docs/MANUAL.md +++ b/docs/MANUAL.md @@ -151,6 +151,8 @@ You'll need an [up-to-date distribution of the Go language for your OS and archi Many administrative actions on an IRC server are performed "in-band" as IRC commands sent from a client. The client in question must be an IRC operator ("oper", "ircop"). The easiest way to become an operator on your new Ergo instance is first to pick a strong, secure password, then "hash" it using the `ergo genpasswd` command (run `ergo genpasswd` from the command line, then enter your password twice), then copy the resulting hash into the `opers` section of your `ircd.yaml` file. Then you can become an operator by issuing the IRC command: `/oper admin mysecretpassword`. +The operator defined in the default configuration file is named `admin` and has full administrative privileges on the server; see the `oper-classes` and `opers` blocks for information on how to define additional operators, or less privileged operators. + ## Rehashing diff --git a/traditional.yaml b/traditional.yaml index ad7be001..0bcff372 100644 --- a/traditional.yaml +++ b/traditional.yaml 
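Review bot: The inline comment on `accreg`, `# modify arbitrary account registrations`, does not say whether that covers credentials. The NickServ CERT help touched later in this series says an operator "with the correct permissions" can add a certificate fingerprint to another user's account. If `accreg` is the capability that handler checks (not visible here, so this needs confirming), the comment should say so, e.g. `# modify arbitrary account registrations, including login credentials`. Separately, `# use the DEFCON command (restrict server capabilities)` uses "capabilities" in a different sense from the operator capabilities this block defines; `restrict server functionality` would avoid the clash. Both comments recur in the second traditional.yaml hunk.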
@@ -576,7 +576,12 @@ channels: # (0 or omit for no expiration): invite-expiration: 24h -# operator classes +# operator classes: +# an operator has a single "class" (defining a privilege level), which can include +# multiple "capabilities" (defining privileged actions they can take). all +# currently available operator capabilities are associated with either the +# 'chat-moderator' class (less privileged) or the 'server-admin' class (full +# privileges) below: you can mix and match to create new classes. oper-classes: # chat moderator: can ban/unban users from the server, join channels, # fix mode issues and sort out vhosts. @@ -586,15 +591,15 @@ oper-classes: # capability names capabilities: - - "kill" - - "ban" - - "nofakelag" - - "roleplay" - - "relaymsg" - - "vhosts" - - "sajoin" - - "samode" - - "snomasks" + - "kill" # disconnect user sessions + - "ban" # ban IPs, CIDRs, and NUH masks ("d-line" and "k-line") + - "nofakelag" # remove "fakelag" restrictions on rate of message sending + - "relaymsg" # use RELAYMSG in any channel (see the 'relaymsg' config block) + - "vhosts" # add and remove vhosts from users + - "sajoin" # join arbitrary channels, including private channels + - "samode" # modify arbitrary channel and user modes + - "snomasks" # subscribe to arbitrary server notice masks + - "roleplay" # use the (deprecated) roleplay commands in any channel # server admin: has full control of the ircd, including nickname and # channel registrations @@ -607,12 +612,12 @@ oper-classes: # capability names capabilities: - - "rehash" - - "accreg" - - "chanreg" - - "history" - - "defcon" - - "massmessage" + - "rehash" # rehash the server, i.e. reload the config at runtime + - "accreg" # modify arbitrary account registrations + - "chanreg" # modify arbitrary channel registrations + - "history" # modify or delete history messages + - "defcon" # use the DEFCON command (restrict server capabilities) + - "massmessage" # message all users on the server # ircd operators opers: 
From 050e27b31bf9f6789d1312c8f4a91e251eada5fc Mon Sep 17 00:00:00 2001 From: Shivaram Lingamneni Date: Sat, 13 Nov 2021 19:58:56 -0500 Subject: [PATCH 3/3] fix #1798 Improve documentation for use of certificate fingerprints --- docs/USERGUIDE.md | 2 ++ irc/nickserv.go | 9 +++++---- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/docs/USERGUIDE.md b/docs/USERGUIDE.md index 2012b433..127609ce 100644 --- a/docs/USERGUIDE.md +++ b/docs/USERGUIDE.md @@ -75,6 +75,8 @@ Once you have registered your account, you must configure SASL in your client, s If your client doesn't support SASL, you can typically use the "server password" (`PASS`) field in your client to log into your account automatically when connecting. Set the server password to `accountname:accountpassword`, where `accountname` is your account name and `accountpassword` is your account password. +For information on how to use a client certificate for authentication, see the [operator manual](https://github.com/ergochat/ergo/blob/stable/docs/MANUAL.md#client-certificates). + # Channel registration Once you've registered your nickname, you can use it to register channels. By default, channels are ephemeral; they go away when there are no longer any users in the channel, or when the server is restarted. Registering a channel gives you permanent control over it, and ensures that its settings will persist. To register a channel, send a message to `ChanServ`: diff --git a/irc/nickserv.go b/irc/nickserv.go index 89e74e02..517116c5 100644 --- a/irc/nickserv.go +++ b/irc/nickserv.go 
@@ -354,12 +354,13 @@ the result of a previous $bSENDPASS$b command.`, handler: nsCertHandler, help: `Syntax: $bCERT [account] [certfp]$b -CERT examines or modifies the TLS certificate fingerprints that can be used to -log into an account. Specifically, $bCERT LIST$b lists the authorized -fingerprints, $bCERT ADD $b adds a new fingerprint, and +CERT examines or modifies the SHA-256 TLS certificate fingerprints that can +be used to log into an account. Specifically, $bCERT LIST$b lists the +authorized fingerprints, $bCERT ADD $b adds a new fingerprint, and $bCERT DEL $b removes a fingerprint. If you're an IRC operator with the correct permissions, you can act on another user's account, for -example with $bCERT ADD $b.`, +example with $bCERT ADD $b. See the operator manual +for instructions on how to compute the fingerprint.`, helpShort: `$bCERT$b controls a user account's certificate fingerprints`, enabled: servCmdRequiresAuthEnabled, minParams: 1,
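Review bot: The added sentence `See the operator manual for instructions on how to compute the fingerprint` gives someone reading help inside an IRC client nothing to search for, whereas the USERGUIDE.md change in the same commit links to the `#client-certificates` anchor of MANUAL.md. Naming that section would help, e.g. `See the "Client certificates" section of the operator manual` (title inferred from the anchor, so confirm it). The help now says SHA-256 but still not what encoding `CERT ADD` expects, and "the correct permissions" leaves the required operator capability unnamed. Both are worth stating, since the fingerprint is a login credential. The command-table entry this string belongs to begins and ends outside the hunk, and `nsCertHandler` is not shown.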