Move changelog files for 0.11.0

changelog/0.11.0_2022-02-10/issue-119

@@ -0,0 +1,9 @@
+Bugfix: Fix Docker configuration for `DISABLE_AUTHENTICATION`
+
+rest-server 0.10.0 introduced a regression which caused the
+`DISABLE_AUTHENTICATION` environment variable to stop working for the Docker
+container. This has been fixed by automatically setting the option `--no-auth`
+to disable authentication.
+
+https://github.com/restic/rest-server/issues/119
+https://github.com/restic/rest-server/pull/124

changelog/0.11.0_2022-02-10/issue-122

@@ -0,0 +1,9 @@
+Enhancement: Verify uploaded files
+
+The rest-server now by default verifies that the hash of content of uploaded
+files matches their filename. This ensures that transmission errors are
+detected and forces restic to retry the upload. On low-power devices it can
+make sense to disable this check by passing the `--no-verify-upload` flag.
+
+https://github.com/restic/rest-server/issues/122
+https://github.com/restic/rest-server/pull/130

changelog/0.11.0_2022-02-10/issue-126

@@ -0,0 +1,7 @@
+Enhancement: Allow running rest-server via systemd socket activation
+
+We've added the option to have systemd create the listening socket and start the rest-server on demand.
+
+https://github.com/restic/rest-server/issues/126
+https://github.com/restic/rest-server/pull/151
+https://github.com/restic/rest-server/pull/127

changelog/0.11.0_2022-02-10/issue-131

@@ -0,0 +1,16 @@
+Security: Prevent loading of usernames containing a slash
+
+"/" is valid char in HTTP authorization headers, but is also used in
+rest-server to map usernames to private repos.
+
+This commit prevents loading maliciously composed usernames like
+"/foo/config" by restricting the allowed characters to the unicode
+character class, numbers, "-", "." and "@".
+
+This prevents requests to other users files like:
+
+curl -v  -X DELETE -u foo/config:attack  http://localhost:8000/foo/config
+
+https://github.com/restic/rest-server/issues/131
+https://github.com/restic/rest-server/pull/132
+https://github.com/restic/rest-server/pull/137

changelog/0.11.0_2022-02-10/issue-146

@@ -0,0 +1,9 @@
+Change: Build rest-server at docker container build time
+
+The Dockerfile now includes a build stage such that the latest rest-server is
+always built and packaged. This is done in a standard golang container to
+ensure a clean build environment and only the final binary is shipped rather
+than the whole build environment.
+
+https://github.com/restic/rest-server/issues/146
+https://github.com/restic/rest-server/pull/145

changelog/0.11.0_2022-02-10/issue-148

@@ -0,0 +1,8 @@
+Enhancement: Expand use of security features in example systemd unit file
+
+The example systemd unit file now enables additional systemd features to
+mitigate potential security vulnerabilities in rest-server and the various
+packages and operating system components which it relies upon.
+
+https://github.com/restic/rest-server/issues/148
+https://github.com/restic/rest-server/pull/149

changelog/0.11.0_2022-02-10/pull-112

@@ -0,0 +1,20 @@
+Change: Add subrepo support and refactor server code
+
+Support for multi-level repositories has been added, so now each user can have
+its own subrepositories. This feature is always enabled.
+
+Authentication for the Prometheus /metrics endpoint can now be disabled with the
+new `--prometheus-no-auth` flag.
+
+We have split out all HTTP handling to a separate `repo` subpackage to cleanly
+separate the server code from the code that handles a single repository. The new
+RepoHandler also makes it easier to reuse rest-server as a Go component in
+any other HTTP server.
+
+The refactoring makes the code significantly easier to follow and understand,
+which in turn makes it easier to add new features, audit for security and debug
+issues.
+
+https://github.com/restic/restic/pull/112
+https://github.com/restic/restic/issues/109
+https://github.com/restic/restic/issues/107

changelog/0.11.0_2022-02-10/pull-142

@@ -0,0 +1,16 @@
+Bugfix: Fix possible data loss due to interrupted network connections
+
+When rest-server was run without `--append-only` it was possible to lose uploaded
+files in a specific scenario in which a network connection was interrupted.
+
+For the data loss to occur a file upload by restic would have to be interrupted
+such that restic notices the interrupted network connection before the
+rest-server. Then restic would have to retry the file upload and finish it
+before the rest-server notices that the initial upload has failed. Then the
+uploaded file would be accidentally removed by rest-server when trying to
+cleanup the failed upload.
+
+This has been fixed by always uploading to a temporary file first which is moved
+in position only once it was uploaded completely.
+
+https://github.com/restic/rest-server/pull/142

changelog/0.11.0_2022-02-10/pull-158

@@ -0,0 +1,8 @@
+Bugfix: Use platform-specific temporary directory as default data directory
+
+If no data directory is specificed, then rest-server now uses the Go standard
+library functions to retrieve the standard temporary directory path for the
+current platform.
+
+https://github.com/restic/rest-server/issues/157
+https://github.com/restic/rest-server/pull/158

changelog/0.11.0_2022-02-10/pull-160

@@ -0,0 +1,13 @@
+Bugfix: Reply "insufficient storage" on disk full or over-quota
+
+When there was no space left on disk, or any other write-related error
+occurred, rest-server replied with HTTP status code 400 (Bad request).
+This is misleading (restic client will dump the status code to the user).
+
+rest-server now replies with two different status codes in these situations:
+* HTTP 507 "Insufficient storage" is the status on disk full or repository
+  over-quota
+* HTTP 500 "Internal server error" is used for other disk-related errors
+
+https://github.com/restic/rest-server/issues/155
+https://github.com/restic/rest-server/pull/160