YunoHost 3.5 testing / Call for feedback

Hello everyone!

We just released a new testing version for YunoHost and would be happy to receive feedback before releasing it as a stable version :yum:

For now, this release essentially includes many miscellaneous fixes and improvements for security, UX and general robustness. Also, many improvements and new helpers are now available for application packagers. In particular, the getopts mechanism will allow for more flexibility in helpers evolution as well as more explicit options name and usage.

Thanks to all contributors (Aleks, Jimmy Monin, Josué Tille, Kayou, Laurent Peuch, Lukas Fülling, Maniack Crudelis, n3uz, Taekiro, frju365, ljf, opi, yalh76, Алексей) ! :heart:

In parallel, the application team is currently reworking some of the definition of the quality level of apps to be more meaningful, as well as the whole “official” app classification which is to become more flexible. Some of this is detailed here and here. We will probably release a more detailed statement once everything is settled :wink:!

:hammer_and_wrench: Detailed changelog


  • [fix] Disable gzip entirely to avoid BREACH attacks (#675)
  • [fix] Repair backup tests (#673)
  • [fix] Backup fails because output directory not empty (#672)
  • [fix] Reject app password if they contains { or } (#671)
  • [fix] Optimize dyndns requests (#662)
  • [enh] Don’t add Strict-Transport-Security header in nginx conf if using a selfsigned cert (#661)
  • [enh] Add apt-transport-https to dependencies (#658)
  • [enh] Cache results from meltdown vulnerability checker (#656)
  • [enh] Ensure the tar file is closed during the backup (#655)
  • [enh] Be able to define hook to trigger when changing a setting (#654)
  • [enh] Assert apt/dpkg is not broken before app install (#652)
  • [fix] Loading only one helper file leads to errors because missing getopts (#651)
  • [enh] Improve / add some messages to improve UX (#650)
  • [enh] Reload fail2ban instead of restart to improve performances (#649)
  • [enh] Add IPv6 resolvers from to resolv.dnsmasq.conf (#639)
  • [fix] Remove old SMTP port (465) from fail2ban jail.conf (#637)
  • [enh] Improve protection against indexation from robots (#622)
  • [enh] Allow hooks to return data (#526)
  • [fix] Do not make version number available from web API to unauthenticated users (#291, YunoHost-admin#226)
  • [enh] Add Konami code in webadmin :wink: (YunoHost-admin#208)
  • [i18n] Improve Russian and Chinese (Mandarin) translations

App helpers

  • [enh] ynh_systemd_action : reload-or-restart instead of just reload (#681)
  • [fix] Make sure that ynh_system_user_delete also deletes the group (#680)
  • [enh] Optimize app setting helpers (#663, #676)
  • [enh] Allow display_text ‘fake’ argument in manifest.json (still kinda experimental, might change in the future?) (#669)
  • [enh] Handle ynh_install_nodejs for arm64 / aarch64 (#660)
  • [enh] Update postgresql helpers (#657)
  • [enh] Print diff of files when backup by ynh_backup_if_checksum_is_different (#648)
  • [enh] Add app debugger helper (#647)
  • [fix] Escape double quote before eval in getopts (#646)
  • [fix] ynh_local_curl not using the right url in some cases (#644)
  • [fix] Get rid of annoying ‘unable to initialize frontend’ messages (#643)
  • [enh] Check if dpkg is not broken when calling ynh_wait_dpkg_free (#638)
  • [enh] Warn the packager that ynh_secure_remove should be used with only one arg… (#635, #642)
  • [enh] Add ynh_script_progression helper (#634)
  • [enh] Add ynh_systemd_action helper (#633)
  • [enh] Allow to dig deeper into an archive with ynh_setup_source (#630)
  • [enh] Use getops (#561)
  • [enh] Add ynh_check_app_version_changed helper (#521)
  • [enh] Add fail2ban helpers (#364)

How to participate to the beta-testing :construction_worker_woman: :construction_worker_man:

:warning: Do not do this on a critical production server!

From the command line, you can launch the following command to switch to testing:

curl | bash

(If you are familiar with bash scripting, you might want to read what this does before blindly running the command)

After this command, you should be running YunoHost 3.5.0.

What to test? :space_invader: :telescope:

Here are a few specific items for which tests and feedback would be nice!

  • Browse and test a few things in the webadmin to validate that it behaves correctly;
  • Install / remove few apps … ideally test to upgrade an app
  • Try to create a backup with a tmp folder already existing (maybe add --apps some_app to not backup everything if you have a lot of stuff on your system):
mkdir /home/yunohost.backup/tmp/foobar
touch /home/yunohost.backup/tmp/foobar/foobar
yunohost backup create -n foobar


So i upgrade from 3.4.x to 3.5.x on a VirtualBox : no error at this time.
In this VirtualBox, i’ve upgrade a WordPress multi-instance : no error at this time.

I’ve upgrade too my Raspberry Pi 3B : no error at this time.



1 Like

les empaqueteurs sont gâtés sur plein de sujets, merci ! Et même si c’est pas mis en avant, les évolutions sur le linter, mais surtout sur le paquet d’exemple sont vraiment supers !

Pour l’histoire des accolades dans les mot de passe qui risquent une injection bash, est-ce qu’il a été pensé d’ajouter un cas de tests qui essaye de faire de l’injection bash sur chaque paramètre passé dans le manifest.json avec

c’est logique d’avoir cette protection, et globalement on devrait l’avoir sur n’importe quel champ, c’est juste un peu chiant pour les mots de passe pour le cas légitime où on utilise un générateur de mot de passe genre keepass.

The problem about braces into a password isn’t related to a possible injection. And anyway, why an admin would try to do an injection through an app when he’s already admin and need to be to install an app !

The problem is that such characters break bash as they’re bash special characters.
That’s not only a problem about braces, we had similar issues with other special characters previously.

Administration part, Menu “Versions”. Click.

URL announced by my Firefox browser

Message displayed

Error: 404 Not Found

Sorry, the requested URL ‘’ caused an error:
Not found: ‘/version’

The URL being in 404 in http without S, and not in subdomain admin, directly at my domain root level (where yunohost is installed).

Info in diagnostic mode

"host": "Debian 9.8",
"kernel": "4.9.0-8-686-pae",
"packages": {
    "yunohost": {
        "repo": "testing",
        "version": ""
    "yunohost-admin": {
        "repo": "testing",
        "version": "3.5.0"
    "moulinette": {
        "repo": "testing",
        "version": "3.5.0"
    "ssowat": {
        "repo": "testing",
        "version": "3.5.0"

Ah yes indeed, good catch, I forgot about that thing. Will investigate what to do. Thanks for all the tests !

1 Like

Yunohost version still leaks by looking at the source code of the page

<!DOCTYPE html>
<html lang="en">
    <link rel="stylesheet" media="screen" href="dist/css/style.min.css?version=3.5.0">
    <link rel="shortcut icon" href="dist/img/ynhadmin_icon.png">
    <script type="text/javascript" src="dist/js/script.min.js?version=3.5.0"></script>

Wholy shit indeed, good catch sir :open_mouth:

Will look at this, I think we can safely remove this ?=version as it might not be actually used but not 100% familiar with that particular piece of code

Can be there to avoid browser caching issue while changing/upgrading the css

1 Like

Yunohost 3.5 testing


Novice sur Yunohost, après avoir “planté” une première installation en début d’année, j’ai installé Yunohost sur une VirtualBox : Debian Stretch (hôte et invité).
Souhaitant participer, à mon niveau, au projet Yunohost j’ai installé la testing 3.5 sur VirtualBox.
“yunohost”: {
“repo”: “testing”,
“version”: “”
“yunohost-admin”: {
“repo”: “testing”,
“version”: “3.5.0”
“moulinette”: {
“repo”: “testing”,
“version”: “3.5.0”
“ssowat”: {
“repo”: “testing”,
“version”: “3.5.0”


  • /etc/apt/sources.list.d/* introuvable
  • apt dist-upgrade à la main pour finaliser installation (retour à l’invite intempestif).


  • Sur VM Webadmin : OK.
  • Installer/désinstaller plusieurs fois Hextris, Jirafeau, Piwigo tout s’est bien passé…

Jirafeau :

En cli, si je laisse vide le mot de passe comme indiqué “Définissez le mot de passe…(laisser vide pour autoriser tout le monde).”: arrêt installation et renvoi à l’invite de commande.

Kanboard, Rain Loop, Custom Webapp :

installés « à demeure » ont continué à bien fonctionner.


OK après manœuvre indiquée !


Je ne sais pas si cela est d’aucune utilité, mais je n’ai ni les connaissances, ni les compétences pour aller, pour l’instant, beaucoup plus loin.
Encore bravo et merci pour Yunohost que j’utilise, en privé, par pure curiosité politique et intellectuelle.

Bien cordialement. Melina


Merci beaucoup pour ces tests et le feedback ! :slight_smile:

Est-ce que tu peux juste préciser où / comment tu as vu ce problème de /etc/apt/sources.list.d/* introuvable ?

1 Like

Juste au début de l’install:

Pachting sources.list to enable testing repository…

ls : impossible d’accéder à /etc/apt/sources.lists.d/* Aucun fichier ou dossier de ce type

Running apt-get update…

1 Like

Merci beaucoup pour avoir pris du temps et la peine de produire ce retour détaillé!

1 Like

j’ai rencontré le même problème, le script s’interrompt. Il faut relancer manuellement l’installation. Après tout se déroule normalement et l’installation est réussie. (test sur VM)

Depuis la dernière maj (5/4/19) de la Testing 3.5, je rencontre quelques désagréments.
Je me connecte en utilisateur lambda, 3 applis au tableau :
Rainloop, Kanboard, Custom Webapp (racine du site).
Une fois connecté à Rainloop plus moyen de revenir à la page d’accueil. Clic sur logo Yunohost ouvre ladite page d’accueil une demi seconde et revient sur Rainloop. Je suis obligé de me déconnecter sur l’appli Rainloop pour retrouver la fonction du logo.
En revanche, le logo apparait sur ma page d’accueil webapp : ce n’était pas le cas auparavant !
Avez-vous déjà rencontré ce (petit) problème ?
Cordialement, Melina.

1 Like