https://github.com/matrix-org/synapse/releases/tag/v1.7.3
(cherry picked from commit a5689a2)

This is what I've suspected a while ago[1]:

> Heads-up everyone: After testing this in a few production instances,
> it seems that some browsers still get cache hits for new store paths
> (and changed contents) for some reason. I highly suspect that it might
> be due to the last-modified header (as mentioned in [2]).
>
> Going to test this with last-modified disabled for a little while and
> if this is the case I think we should improve that patch by disabling
> last-modified if serving from a store path.

Much earlier[2] when I reviewed the patch, I wrote this:

> Other than that, it looks good to me.
>
> However, I'm not sure what we should do with Last-Modified header.
> From RFC 2616, section 13.3.4:
>
> - If both an entity tag and a Last-Modified value have been
>   provided by the origin server, SHOULD use both validators in
>   cache-conditional requests. This allows both HTTP/1.0 and
>   HTTP/1.1 caches to respond appropriately.
>
> I'm a bit nervous about the SHOULD here, as user agents in the wild
> could possibly just use Last-Modified and use the cached content
> instead.

Unfortunately, I didn't pursue this any further back then because
@pbogdan noted[3] the following:

> Hmm, could they (assuming they are conforming):
>
>  * If an entity tag has been provided by the origin server, MUST
>    use that entity tag in any cache-conditional request (using If-
>    Match or If-None-Match).

Since running with this patch in some deployments, I found that both
Firefox and Chrome/Chromium do NOT re-validate against the ETag if the
Last-Modified header is still the same.

So I wrote a small NixOS VM test with Geckodriver to have a test case
which is closer to the real world and I indeed was able to reproduce
this.

Whether this is actually a bug in Chrome or Firefox is an entirely
different issue and even IF it is the fault of the browsers and it is
fixed at some point, we'd still need to handle this for older browser
versions.

Apart from clearing the header, I also recreated the patch by using a
plain "git diff" with a small description on top. This should make it
easier for future authors to work on that patch.

[1]: NixOS/nixpkgs#48337 (comment)
[2]: NixOS/nixpkgs#48337 (comment)
[3]: NixOS/nixpkgs#48337 (comment)

Signed-off-by: aszlig <aszlig@nix.build>
(cherry picked from commit ccf55be)
Reason: The issue breaks setups that serve static content via Nix store
        paths. I've also backported the NixOS VM test from Python to
        Perl.

(cherry picked from commit fad24a7)

(cherry picked from commit 31d2d5a)

(cherry picked from commit 6972aec)

(cherry picked from commit 2f61471)

For some reason this untagged commit is the one referred to in the
main repository; this might be a mistake, but we'll have to package it
for now to follow upstream.

(cherry picked from commit 445bc14)

GitLab Shell now has the go.mod and go.sum files in the root of the
repo; the go subdirectory has been removed and all the code in it has
been moved up to the root.

(cherry picked from commit a3c72e6)

(cherry picked from commit ff28cfa)

(cherry picked from commit 0825e38)

 - CVE-2019-20146
 - CVE-2019-20143
 - CVE-2019-20147
 - CVE-2019-20145
 - CVE-2019-20142
 - CVE-2019-20148
 - CVE-2020-5197

(cherry picked from commit d075e33)

(cherry picked from commit 0a65d1c)

Apple no longer ships with it, so best to avoid forcing it into use.

Even when building for the simulator.

…pick-for-1909

iOS with xcode 11 cherry pick for 19.09