Merge branch 'main' into v2

* main:
  chore(gui, man, authors): update docs, translations, and contributors
  fix(config): mark audit log options as needing restart (fixes #10099) (#10100)
  fix(config): deep copy configuration defaults (fixes #9916) (#10101)

gui/default/assets/lang/lang-ru.json

@@ -27,6 +27,7 @@
     "Allowed Networks": "Разрешённые сети",
     "Alphabetic": "По алфавиту",
     "Altered by ignoring deletes.": "Изменено, игнорируя удаления.",
+    "Always turned on when the folder type is \"{%foldertype%}\".": "Всегда включено для папок с типом «{{foldertype}}».",
     "An external command handles the versioning. It has to remove the file from the shared folder. If the path to the application contains spaces, it should be quoted.": "Для версионирования используется внешняя программа. Ей нужно удалить файл из общей папки. Если путь к приложению содержит пробелы, его нужно взять в кавычки.",
     "Anonymous Usage Reporting": "Анонимный отчет об использовании",
     "Anonymous usage report format has changed. Would you like to move to the new format?": "Формат анонимных отчётов изменился. Хотите переключиться на новый формат?",
@@ -52,6 +53,7 @@
     "Body:": "Тело:",
     "Bugs": "Ошибки",
     "Cancel": "Отмена",
+    "Cannot be enabled when the folder type is \"{%foldertype%}\".": "Не может быть включено для папок с типом «{{foldertype}}».",
     "Changelog": "Журнал изменений",
     "Clean out after": "Очистить после",
     "Cleaning Versions": "Очистка версий",
@@ -171,8 +173,8 @@
     "Folder Path": "Путь к папке",
     "Folder Status": "Статус папки",
     "Folder Type": "Тип папки",
-    "Folder type \"{%receiveEncrypted%}\" can only be set when adding a new folder.": "Тип папки «{{receiveEncrypted}}» может быть указан только при создании новой папки.",
-    "Folder type \"{%receiveEncrypted%}\" cannot be changed after adding the folder. You need to remove the folder, delete or decrypt the data on disk, and add the folder again.": "Тип папки «{{receiveEncrypted}}» не может быть изменён после добавления. Вам необходимо убрать папку, удалить или дешифровать данные на диске, а затем снова добавить папку.",
+    "Folder type \"{%receiveEncrypted%}\" can only be set when adding a new folder.": "Тип папки «{{receiveEncrypted}}» может быть выбран только при добавлении новой папки.",
+    "Folder type \"{%receiveEncrypted%}\" cannot be changed after adding the folder. You need to remove the folder, delete or decrypt the data on disk, and add the folder again.": "Тип папки «{{receiveEncrypted}}» не может быть изменён после добавления. Вам необходимо убрать папку, удалить или дешифровать данные на диске и затем снова её добавить.",
     "Folders": "Папки",
     "For the following folders an error occurred while starting to watch for changes. It will be retried every minute, so the errors might go away soon. If they persist, try to fix the underlying issue and ask for help if you can't.": "Для следующих папок произошла ошибка при запуске отслеживания изменений. Попытки будут повторяться раз в минуту, и ошибки скоро могут быть устранены. Если этого не произойдёт, попробуйте разобраться в причинах и попросите поддержки, если у вас не получится.",
     "Forever": "Вечно",

lib/config/config.go

@@ -235,6 +235,10 @@ func ReadJSON(r io.Reader, myID protocol.DeviceID) (Configuration, error) {
 func (cfg Configuration) Copy() Configuration {
 	newCfg := cfg
 
+	// Deep copy Defaults
+	newCfg.Defaults.Folder = cfg.Defaults.Folder.Copy()
+	newCfg.Defaults.Device = cfg.Defaults.Device.Copy()
+
 	// Deep copy FolderConfigurations
 	newCfg.Folders = make([]FolderConfiguration, len(cfg.Folders))
 	for i := range newCfg.Folders {

lib/config/optionsconfiguration.go

@@ -67,8 +67,8 @@ type OptionsConfiguration struct {
 	AnnounceLANAddresses        bool     `json:"announceLANAddresses" xml:"announceLANAddresses" default:"true"`
 	SendFullIndexOnUpgrade      bool     `json:"sendFullIndexOnUpgrade" xml:"sendFullIndexOnUpgrade"`
 	FeatureFlags                []string `json:"featureFlags" xml:"featureFlag"`
-	AuditEnabled                bool     `json:"auditEnabled" xml:"auditEnabled" default:"false"`
-	AuditFile                   string   `json:"auditFile" xml:"auditFile"`
+	AuditEnabled                bool     `json:"auditEnabled" xml:"auditEnabled" default:"false" restart:"true"`
+	AuditFile                   string   `json:"auditFile" xml:"auditFile" restart:"true"`
 	// The number of connections at which we stop trying to connect to more
 	// devices, zero meaning no limit. Does not affect incoming connections.
 	ConnectionLimitEnough int `json:"connectionLimitEnough" xml:"connectionLimitEnough"`

man/stdiscosrv.1

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "STDISCOSRV" "1" "May 01, 2025" "v1.29.3" "Syncthing"
+.TH "STDISCOSRV" "1" "May 09, 2025" "v1.29.6" "Syncthing"
 .SH NAME
 stdiscosrv \- Syncthing Discovery Server
 .SH SYNOPSIS

man/strelaysrv.1

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "STRELAYSRV" "1" "May 01, 2025" "v1.29.3" "Syncthing"
+.TH "STRELAYSRV" "1" "May 09, 2025" "v1.29.6" "Syncthing"
 .SH NAME
 strelaysrv \- Syncthing Relay Server
 .SH SYNOPSIS

man/syncthing-bep.7

@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SYNCTHING-BEP" "7" "May 01, 2025" "v1.29.3" "Syncthing"
+.TH "SYNCTHING-BEP" "7" "May 09, 2025" "v1.29.6" "Syncthing"
 .SH NAME
 syncthing-bep \- Block Exchange Protocol v1
 .SH INTRODUCTION AND DEFINITIONS
@@ -61,7 +61,7 @@ level protocols providing encryption and authentication.
 +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
 |   Block Exchange Protocol   |
 |\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-|
-| Encryption & Auth (TLS 1.2) |
+| Encryption & Auth (TLS 1.3) |
 |\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-|
 |      Reliable Transport     |
 |\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-|
@@ -70,13 +70,8 @@ v             ...             v
 .UNINDENT
 .UNINDENT
 .sp
-The encryption and authentication layer SHALL use TLS 1.2 or a higher
-revision. A strong cipher suite SHALL be used, with “strong cipher
-suite” being defined as being without known weaknesses and providing
-Perfect Forward Secrecy (PFS). Examples of strong cipher suites are
-given at the end of this document. This is not to be taken as an
-exhaustive list of allowed cipher suites but represents best practices
-at the time of writing.
+The encryption and authentication layer SHALL use TLS 1.3 or a higher
+revision.
 .sp
 The exact nature of the authentication is up to the application, however
 it SHALL be based on the TLS certificate presented at the start of the
@@ -1054,82 +1049,6 @@ retrieves the data from the folder and transmits Response records (9 through
 message (13). Both peers enter idle state after 13. At some later time 14,
 the ping timer on device B expires and a Ping message is sent. The same
 process occurs for device A at 15.
-.SH EXAMPLES OF STRONG CIPHER SUITES
-.TS
-box center;
-l|l|l.
-T{
-ID
-T}	T{
-Name
-T}	T{
-Description
-T}
-_
-T{
-0x009F
-T}	T{
-DHE\-RSA\-AES256\-GCM\-SHA384
-T}	T{
-TLSv1.2 DH RSA AESGCM(256) AEAD
-T}
-_
-T{
-0x006B
-T}	T{
-DHE\-RSA\-AES256\-SHA256
-T}	T{
-TLSv1.2 DH RSA AES(256) SHA256
-T}
-_
-T{
-0xC030
-T}	T{
-ECDHE\-RSA\-AES256\-GCM\-SHA384
-T}	T{
-TLSv1.2 ECDH RSA AESGCM(256) AEAD
-T}
-_
-T{
-0xC028
-T}	T{
-ECDHE\-RSA\-AES256\-SHA384
-T}	T{
-TLSv1.2 ECDH RSA AES(256) SHA384
-T}
-_
-T{
-0x009E
-T}	T{
-DHE\-RSA\-AES128\-GCM\-SHA256
-T}	T{
-TLSv1.2 DH RSA AESGCM(128) AEAD
-T}
-_
-T{
-0x0067
-T}	T{
-DHE\-RSA\-AES128\-SHA256
-T}	T{
-TLSv1.2 DH RSA AES(128) SHA256
-T}
-_
-T{
-0xC02F
-T}	T{
-ECDHE\-RSA\-AES128\-GCM\-SHA256
-T}	T{
-TLSv1.2 ECDH RSA AESGCM(128) AEAD
-T}
-_
-T{
-0xC027
-T}	T{
-ECDHE\-RSA\-AES128\-SHA256
-T}	T{
-TLSv1.2 ECDH RSA AES(128) SHA256
-T}
-.TE
 .SH AUTHOR
 The Syncthing Authors
 .SH COPYRIGHT

man/syncthing-config.5

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SYNCTHING-CONFIG" "5" "May 01, 2025" "v1.29.3" "Syncthing"
+.TH "SYNCTHING-CONFIG" "5" "May 09, 2025" "v1.29.6" "Syncthing"
 .SH NAME
 syncthing-config \- Syncthing Configuration
 .SH SYNOPSIS
@@ -1432,8 +1432,9 @@ ECN bits into account.
 .INDENT 0.0
 .TP
 .B stunServer
-Server to be used for STUN, given as ip:port. The keyword \fBdefault\fP gets
-expanded to a set of public STUN servers.
+Server to use for STUN, given as ip:port. The keyword \fBdefault\fP gets
+expanded to a set of public STUN servers, with preference given to those
+hosted by the Syncthing project.
 .sp
 To configure multiple servers, you can either: repeat \fB<stunServer>\fP tags
 in the configuration file or enter several servers separated by commas in

man/syncthing-device-ids.7

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SYNCTHING-DEVICE-IDS" "7" "May 01, 2025" "v1.29.3" "Syncthing"
+.TH "SYNCTHING-DEVICE-IDS" "7" "May 09, 2025" "v1.29.6" "Syncthing"
 .SH NAME
 syncthing-device-ids \- Understanding Device IDs
 .sp

man/syncthing-event-api.7

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SYNCTHING-EVENT-API" "7" "May 01, 2025" "v1.29.3" "Syncthing"
+.TH "SYNCTHING-EVENT-API" "7" "May 09, 2025" "v1.29.6" "Syncthing"
 .SH NAME
 syncthing-event-api \- Event API
 .SH DESCRIPTION
@@ -845,9 +845,7 @@ Deprecated since version v1.10.0: The \fBversion\fP field is a legacy name kept
 .sp
 When authentication is enabled for the GUI, this event is emitted on every
 login attempt. If either the username or password are incorrect, \fBsuccess\fP
-is false and in any case the given username is returned.  The included
-remote address concerns the immediate connecting host, which may not be the
-origin of the request, but e.g. a reverse proxy.
+is false and in any case the given username is returned.
 .INDENT 0.0
 .INDENT 3.5
 .sp
@@ -856,7 +854,32 @@ origin of the request, but e.g. a reverse proxy.
    \(dqid\(dq : 187,
    \(dqtime\(dq : \(dq2017\-03\-07T00:19:24.420386143+01:00\(dq,
    \(dqdata\(dq : {
-      \(dqremoteAddress\(dq : \(dq127.0.0.1:55530\(dq,
+      \(dqremoteAddress\(dq : \(dq127.0.0.1\(dq,
+      \(dqusername\(dq : \(dqsomename\(dq,
+      \(dqsuccess\(dq : false
+   },
+   \(dqtype\(dq : \(dqLoginAttempt\(dq,
+   \(dqglobalID\(dq : 195
+}
+.EE
+.UNINDENT
+.UNINDENT
+.sp
+If the \fBX\-Forwared\-For\fP header is present and the connecting host is
+either on \fBlocalhost\fP or on the same LAN, it will be treated as a reverse
+proxy. In this case, the \fBremoteAddress\fP field is filled with the leftmost
+IP address from the header, and the additional \fBproxy\fP field retains the
+original IP of the connecting host.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.EX
+{
+   \(dqid\(dq : 187,
+   \(dqtime\(dq : \(dq2017\-03\-07T00:19:24.420386143+01:00\(dq,
+   \(dqdata\(dq : {
+      \(dqproxy\(dq : \(dq127.0.0.1\(dq,
+      \(dqremoteAddress\(dq : \(dq192.168.178.10\(dq,
       \(dqusername\(dq : \(dqsomename\(dq,
       \(dqsuccess\(dq : false
    },

man/syncthing-faq.7

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SYNCTHING-FAQ" "7" "May 01, 2025" "v1.29.3" "Syncthing"
+.TH "SYNCTHING-FAQ" "7" "May 09, 2025" "v1.29.6" "Syncthing"
 .SH NAME
 syncthing-faq \- Frequently Asked Questions
 .INDENT 0.0
@@ -158,6 +158,16 @@ Extended attributes (when enabled)
 POSIX or NFS ACLs (as part of extended attributes)
 .UNINDENT
 .sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+Note that what can be synced often depends on the operating system, file
+system, and possibly other factors. For example, even though Syncthing may
+try to synchronise symbolic links on Android, this will not succeed, as the
+OS does not support them on the user storage.
+.UNINDENT
+.UNINDENT
+.sp
 The following are \fInot\fP synchronized;
 .INDENT 0.0
 .IP \(bu 2

man/syncthing-globaldisco.7

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SYNCTHING-GLOBALDISCO" "7" "May 01, 2025" "v1.29.3" "Syncthing"
+.TH "SYNCTHING-GLOBALDISCO" "7" "May 09, 2025" "v1.29.6" "Syncthing"
 .SH NAME
 syncthing-globaldisco \- Global Discovery Protocol v3
 .SH ANNOUNCEMENTS

man/syncthing-localdisco.7

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SYNCTHING-LOCALDISCO" "7" "May 01, 2025" "v1.29.3" "Syncthing"
+.TH "SYNCTHING-LOCALDISCO" "7" "May 09, 2025" "v1.29.6" "Syncthing"
 .SH NAME
 syncthing-localdisco \- Local Discovery Protocol v4
 .SH MODE OF OPERATION

man/syncthing-networking.7

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SYNCTHING-NETWORKING" "7" "May 01, 2025" "v1.29.3" "Syncthing"
+.TH "SYNCTHING-NETWORKING" "7" "May 09, 2025" "v1.29.6" "Syncthing"
 .SH NAME
 syncthing-networking \- Firewall Setup
 .SH ROUTER SETUP

man/syncthing-relay.7

@@ -28,7 +28,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SYNCTHING-RELAY" "7" "May 01, 2025" "v1.29.3" "Syncthing"
+.TH "SYNCTHING-RELAY" "7" "May 09, 2025" "v1.29.6" "Syncthing"
 .SH NAME
 syncthing-relay \- Relay Protocol v1
 .SH WHAT IS A RELAY?

man/syncthing-rest-api.7

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SYNCTHING-REST-API" "7" "May 01, 2025" "v1.29.3" "Syncthing"
+.TH "SYNCTHING-REST-API" "7" "May 09, 2025" "v1.29.6" "Syncthing"
 .SH NAME
 syncthing-rest-api \- REST API
 .sp

man/syncthing-security.7

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SYNCTHING-SECURITY" "7" "May 01, 2025" "v1.29.3" "Syncthing"
+.TH "SYNCTHING-SECURITY" "7" "May 09, 2025" "v1.29.6" "Syncthing"
 .SH NAME
 syncthing-security \- Security Principles
 .sp

man/syncthing-stignore.5

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SYNCTHING-STIGNORE" "5" "May 01, 2025" "v1.29.3" "Syncthing"
+.TH "SYNCTHING-STIGNORE" "5" "May 09, 2025" "v1.29.6" "Syncthing"
 .SH NAME
 syncthing-stignore \- Prevent files from being synchronized to other nodes
 .SH SYNOPSIS

man/syncthing-versioning.7

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SYNCTHING-VERSIONING" "7" "May 01, 2025" "v1.29.3" "Syncthing"
+.TH "SYNCTHING-VERSIONING" "7" "May 09, 2025" "v1.29.6" "Syncthing"
 .SH NAME
 syncthing-versioning \- Keep automatic backups of deleted files by other nodes
 .sp

man/syncthing.1

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "SYNCTHING" "1" "May 01, 2025" "v1.29.3" "Syncthing"
+.TH "SYNCTHING" "1" "May 09, 2025" "v1.29.6" "Syncthing"
 .SH NAME
 syncthing \- Syncthing
 .SH SYNOPSIS