1.6.x will be the last version of cfengine before radical changes.
Safer umask behaviour. Allow setting global umask in control and per process in shellcommands, processes. In editfiles "Umask 022" sets umask for new file creation and script exection.

Possible to set chroot= and chdir= options when running shell commands and restarting processes. This allows one to create a `sandbox' around potentially dangerous processes.

Setuid now completely isolates processes and sets both real and effective user ids. Fixes problems with file generation ownership etc.

filter= tag added to main commands adds a new matching mechanism with inheritable patterns. This introduces a generic mechanism for pattern matching which will unify and simplify many file and process searches in the future. Allowed in copy,editfiles,files,tidy,processes

        { filter2 # check if users set history to dev/null (up to no good)

        NameRegex:   ".*history"
        IsSymLinkTo: "/dev/null"
        Result:      "IsSymLinkTo.NameRegex"
        DefineClasses: "history"
Mandrake, SuSE and Slackware classes defined
Facility for ignoring IP/name authentication for selected IP addresses for users using Network Address Translators. SkipVerify (IP list). Careful!! This could be a security risk. It generates implied trust.
Can now be passed arguments by enclosing the module in the actionsequence by quotes. e.g.
actionsequence = ( 
                   "module:argplugin.specialclass arg1 arg2"
The modules return variables and classes which can be used in other actions.
Nested macros
Allowed by quotation, e.g.
control: macro1 = ( "hello $(macro2)" )
Editing a directory now iterates over file tree recursively. Ignore,exclude, include and filter work here. Recurse "number" added.

EditMode "Binary" causes cfengine to examine binary files limited by editbinaryfilesize. A limited number of operations may be performed on files which are of binary type: WarnIfContainsString "x", WarnIfContainsFile "/filename" and ReplaceAll ..With... String replacement is only allowed if the replace string is of less than or equal length than the search string. If the replacement string is shorter, it is padded with NULL bytes.
courtesy of David Masterson
Can be set as a local override in copy,disable and editfiles


 Repository "/mydir"
File times can now be preserved in copy with option timestamps=preserve/keep
Reserved variables
$(month) $(day) $(hr) $(min)
giving current time

In addition there is a contant trickle of minor bugs and configuration problems which get fixed.

