1 User visible changes in Tahoe-LAFS. -*- outline; coding: utf-8 -*-
3 * Release 1.8.1 (coming)
7 - All .txt documents have been converted to .rst format (#1225)
9 * Release 1.8.0 (2010-09-23)
13 - A completely new downloader which improves performance and
14 robustness of immutable-file downloads. It uses the fastest K
15 servers to download the data in K-way parallel. It automatically
16 fails over to alternate servers if servers fail in mid-download. It
17 allows seeking to arbitrary locations in the file (the previous
18 downloader which would only read the entire file sequentially from
19 beginning to end). It minimizes unnecessary round trips and
20 unnecessary bytes transferred to improve performance. It sends
21 requests to fewer servers to reduce the load on servers (the
22 previous one would send a small request to every server for every
23 download) (#287, #288, #448, #798, #800, #990, #1170, #1191)
25 - Non-ASCII command-line arguments and non-ASCII outputs now work on
26 Windows. In addition, the command-line tool now works on 64-bit
29 ** Bugfixes and Improvements
31 - Document and clean up the command-line options for specifying the
32 node's base directory. (#188, #706, #715, #772, #1108)
33 - The default node directory for Windows is ".tahoe" in the user's
34 home directory, the same as on other platforms. (#890)
35 - Fix a case in which full cap URIs could be logged. (#685, #1155)
36 - Fix bug in WUI in Python 2.5 when the system clock is set back to
37 1969. Now you can use Tahoe-LAFS with Python 2.5 and set your
38 system clock to 1969 and still use the WUI. (#1055)
39 - Many improvements in code organization, tests, logging,
40 documentation, and packaging. (#983, #1074, #1108, #1127, #1129,
45 - on x86 and x86-64 platforms, pycryptopp >= 0.5.20
46 - pycrypto 2.2 is excluded due to a bug
48 * Release 1.7.1 (2010-07-18)
50 ** Bugfixes and Improvements
52 - Fix bug in which uploader could fail with AssertionFailure or
53 report that it had achieved servers-of-happiness when it
55 - Fix bug in which servers could get into a state where they would
56 refuse to accept shares of a certain file (#1117)
57 - Add init scripts for managing the gateway server on Debian/Ubuntu
59 - Fix bug where server version number was always 0 on the welcome
61 - Add new command-line command "tahoe unlink" as a synonym for "tahoe
63 - The FTP frontend now encrypts its temporary files, protecting their
64 contents from an attacker who is able to read the disk. (#1083)
65 - Fix IP address detection on FreeBSD 7, 8, and 9 (#1098)
66 - Fix minor layout issue in the Web User Interface with Internet
68 - Fix rarely-encountered incompatibility between Twisted logging
69 utility and the new unicode support added in v1.7.0 (#1099)
70 - Forward-compatibility improvements for non-ASCII caps (#1051)
74 - Simplify and tidy-up directories, unicode support, test code (#923, #967,
77 * Release 1.7.0 (2010-06-18)
83 Your Tahoe-LAFS gateway now acts like a full-fledged SFTP server. It has been
84 tested with sshfs to provide a virtual filesystem in Linux. Many users have
85 asked for this feature. We hope that it serves them well! See the
86 docs/frontends/FTP-and-SFTP.txt document to get started.
88 *** support for non-ASCII character encodings
90 Tahoe-LAFS now correctly handles filenames containing non-ASCII characters on
91 all supported platforms:
93 - when reading files in from the local filesystem (such as when you run "tahoe
94 backup" to back up your local files to a Tahoe-LAFS grid);
96 - when writing files out to the local filesystem (such as when you run "tahoe
97 cp -r" to recursively copy files out of a Tahoe-LAFS grid);
99 - when displaying filenames to the terminal (such as when you run "tahoe ls"),
100 subject to limitations of the terminal and locale;
102 - when parsing command-line arguments, except on Windows.
104 *** Servers of Happiness
106 Tahoe-LAFS now measures during immutable file upload to see how well
107 distributed it is across multiple servers. It aborts the upload if the pieces
108 of the file are not sufficiently well-distributed.
110 This behavior is controlled by a configuration parameter called "servers of
111 happiness". With the default settings for its erasure coding, Tahoe-LAFS
112 generates 10 shares for each file, such that any 3 of those shares are
113 sufficient to recover the file. The default value of "servers of happiness" is
114 7, which means that Tahoe-LAFS will guarantee that there are at least 7 servers
115 holding some of the shares, such that any 3 of those servers can completely
118 The new upload code also distributes the shares better than the previous
119 version in some cases and takes better advantage of pre-existing shares (when a
120 file has already been previously uploaded). See the architecture.txt document
123 ** Bugfixes and Improvements
125 - Premature abort of upload if some shares were already present and some
127 - python ./setup.py install -- can't create or remove files in install
129 - Network failure => internal TypeError. (#902)
130 - Install of Tahoe on CentOS 5.4. (#933)
131 - CLI option --node-url now supports https url. (#1028)
132 - HTML/CSS template files were not correctly installed under Windows. (#1033)
133 - MetadataSetter does not enforce restriction on setting "tahoe" subkeys.
135 - ImportError: No module named setuptools_darcs.setuptools_darcs. (#1054)
136 - Renamed Title in xhtml files. (#1062)
137 - Increase Python version dependency to 2.4.4, to avoid a critical CPython
138 security bug. (#1066)
139 - Typo correction for the munin plugin tahoe_storagespace. (#968)
140 - Fix warnings found by pylint. (#973)
141 - Changing format of some documentation files. (#1027)
142 - the misc/ directory was tied up. (#1068)
143 - The 'ctime' and 'mtime' metadata fields are no longer written except by
144 "tahoe backup". (#924)
145 - Unicode filenames in Tahoe-LAFS directories are normalized so that names
146 that differ only in how accents are encoded are treated as the same. (#1076)
147 - Various small improvements to documentation. (#937, #911, #1024, #1082)
151 The 'tahoe debug consolidate' subcommand (for converting old allmydata Windows
152 client backups to a newer format) has been removed.
154 ** Dependency Updates
156 the Python version dependency is raised to 2.4.4 in some cases (2.4.3 for
157 Redhat-based Linux distributions, 2.4.2 for UCS-2 builds) (#1066)
160 mock (only required by unit tests)
162 * Release 1.6.1 (2010-02-27)
166 *** Correct handling of Small Immutable Directories
168 Immutable directories can now be deep-checked and listed in the web UI in
169 all cases. (In v1.6.0, some operations, such as deep-check, on a directory
170 graph that included very small immutable directories, would result in an
171 exception causing the whole operation to abort.) (#948)
173 ** Usability Improvements
175 Improved user interface messages and error reporting. (#681, #837, #939)
177 The timeouts for operation handles have been greatly increased, so that
178 you can view the results of an operation up to 4 days after it has
179 completed. After viewing them for the first time, the results are
180 retained for a further day. (#577)
182 * Release 1.6.0 (2010-02-01)
186 *** Immutable Directories
188 Tahoe-LAFS can now create and handle immutable directories. (#607, #833, #931)
189 These are read just like normal directories, but are "deep-immutable", meaning
190 that all their children (and everything reachable from those children) must be
191 immutable objects (i.e. immutable or literal files, and other immutable
194 These directories must be created in a single webapi call that provides all
195 of the children at once. (Since they cannot be changed after creation, the
196 usual create/add/add sequence cannot be used.) They have URIs that start with
197 "URI:DIR2-CHK:" or "URI:DIR2-LIT:", and are described on the human-facing web
198 interface (aka the "WUI") with a "DIR-IMM" abbreviation (as opposed to "DIR"
199 for the usual read-write directories and "DIR-RO" for read-only directories).
201 Tahoe-LAFS releases before 1.6.0 cannot read the contents of an immutable
202 directory. 1.5.0 will tolerate their presence in a directory listing (and
203 display it as "unknown"). 1.4.1 and earlier cannot tolerate them: a DIR-IMM
204 child in any directory will prevent the listing of that directory.
206 Immutable directories are repairable, just like normal immutable files.
208 The webapi "POST t=mkdir-immutable" call is used to create immutable
209 directories. See docs/frontends/webapi.txt for details.
211 *** "tahoe backup" now creates immutable directories, backupdb has dircache
213 The "tahoe backup" command has been enhanced to create immutable directories
214 (in previous releases, it created read-only mutable directories) (#828). This
215 is significantly faster, since it does not need to create an RSA keypair for
216 each new directory. Also "DIR-IMM" immutable directories are repairable, unlike
217 "DIR-RO" read-only mutable directories at present. (A future Tahoe-LAFS release
218 should also be able to repair DIR-RO.)
220 In addition, the backupdb (used by "tahoe backup" to remember what it has
221 already copied) has been enhanced to store information about existing immutable
222 directories. This allows it to re-use directories that have moved but still
223 contain identical contents, or that have been deleted and later replaced. (The
224 1.5.0 "tahoe backup" command could only re-use directories that were in the
225 same place as they were in the immediately previous backup.) With this change,
226 the backup process no longer needs to read the previous snapshot out of the
227 Tahoe-LAFS grid, reducing the network load considerably. (#606)
229 A "null backup" (in which nothing has changed since the previous backup) will
230 require only two Tahoe-side operations: one to add an Archives/$TIMESTAMP
231 entry, and a second to update the Latest/ link. On the local disk side, it
232 will readdir() all your local directories and stat() all your local files.
234 If you've been using "tahoe backup" for a while, you will notice that your
235 first use of it after upgrading to 1.6.0 may take a long time: it must create
236 proper immutable versions of all the old read-only mutable directories. This
237 process won't take as long as the initial backup (where all the file contents
238 had to be uploaded too): it will require time proportional to the number and
239 size of your directories. After this initial pass, all subsequent passes
240 should take a tiny fraction of the time.
242 As noted above, Tahoe-LAFS versions earlier than 1.5.0 cannot list a directory
243 containing an immutable subdirectory. Tahoe-LAFS versions earlier than 1.6.0
244 cannot read the contents of an immutable directory.
246 The "tahoe backup" command has been improved to skip over unreadable objects
247 (like device files, named pipes, and files with permissions that prevent the
248 command from reading their contents), instead of throwing an exception and
249 terminating the backup process. It also skips over symlinks, because these
250 cannot be represented faithfully in the Tahoe-side filesystem. A warning
251 message will be emitted each time something is skipped. (#729, #850, #641)
253 *** "create-node" command added, "create-client" now implies --no-storage
255 The basic idea behind Tahoe-LAFS's client+server and client-only processes is
256 that you are creating a general-purpose Tahoe-LAFS "node" process, which has
257 several components that can be activated. Storage service is one of these
258 optional components, as is the Helper, FTP server, and SFTP server. Web gateway
259 functionality is nominally on this list, but it is always active; a future
260 release will make it optional. There are three special purpose servers that
261 can't currently be run as a component in a node: introducer, key-generator,
264 So now "tahoe create-node" will create a Tahoe-LAFS node process, and after
265 creation you can edit its tahoe.cfg to enable or disable the desired
266 services. It is a more general-purpose replacement for "tahoe create-client".
267 The default configuration has storage service enabled. For convenience, the
268 "--no-storage" argument makes a tahoe.cfg file that disables storage
271 "tahoe create-client" has been changed to create a Tahoe-LAFS node without a
272 storage service. It is equivalent to "tahoe create-node --no-storage". This
273 helps to reduce the confusion surrounding the use of a command with "client" in
274 its name to create a storage *server*. Use "tahoe create-client" to create a
275 purely client-side node. If you want to offer storage to the grid, use
276 "tahoe create-node" instead.
278 In the future, other services will be added to the node, and they will be
279 controlled through options in tahoe.cfg . The most important of these
280 services may get additional --enable-XYZ or --disable-XYZ arguments to
283 ** Performance Improvements
285 Download of immutable files begins as soon as the downloader has located the K
286 necessary shares (#928, #287). In both the previous and current releases, a
287 downloader will first issue queries to all storage servers on the grid to
288 locate shares before it begins downloading the shares. In previous releases of
289 Tahoe-LAFS, download would not begin until all storage servers on the grid had
290 replied to the query, at which point K shares would be chosen for download from
291 among the shares that were located. In this release, download begins as soon as
292 any K shares are located. This means that downloads start sooner, which is
293 particularly important if there is a server on the grid that is extremely slow
294 or even hung in such a way that it will never respond. In previous releases
295 such a server would have a negative impact on all downloads from that grid. In
296 this release, such a server will have no impact on downloads, as long as K
297 shares can be found on other, quicker, servers. This also means that
298 downloads now use the "best-alacrity" servers that they talk to, as measured by
299 how quickly the servers reply to the initial query. This might cause downloads
300 to go faster, especially on grids with heterogeneous servers or geographical
305 The webapi acquired a new "t=mkdir-with-children" command, to create and
306 populate a directory in a single call. This is significantly faster than
307 using separate "t=mkdir" and "t=set-children" operations (it uses one
308 gateway-to-grid roundtrip, instead of three or four). (#533)
310 The t=set-children (note the hyphen) operation is now documented in
311 docs/frontends/webapi.txt, and is the new preferred spelling of the old
312 t=set_children (with an underscore). The underscore version remains for
313 backwards compatibility. (#381, #927)
315 The tracebacks produced by errors in CLI tools should now be in plain text,
316 instead of HTML (which is unreadable outside of a browser). (#646)
318 The [storage]reserved_space configuration knob (which causes the storage
319 server to refuse shares when available disk space drops below a threshold)
320 should work on Windows now, not just UNIX. (#637)
322 "tahoe cp" should now exit with status "1" if it cannot figure out a suitable
323 target filename, such as when you copy from a bare filecap. (#761)
325 "tahoe get" no longer creates a zero-length file upon error. (#121)
327 "tahoe ls" can now list single files. (#457)
329 "tahoe deep-check --repair" should tolerate repair failures now, instead of
330 halting traversal. (#874, #786)
332 "tahoe create-alias" no longer corrupts the aliases file if it had
333 previously been edited to have no trailing newline. (#741)
335 Many small packaging improvements were made to facilitate the "tahoe-lafs"
336 package being included in Ubuntu. Several mac/win32 binary libraries were
337 removed, some figleaf code-coverage files were removed, a bundled copy of
338 darcsver-1.2.1 was removed, and additional licensing text was added.
340 Several DeprecationWarnings for python2.6 were silenced. (#859)
342 The checker --add-lease option would sometimes fail for shares stored
343 on old (Tahoe v1.2.0) servers. (#875)
345 The documentation for installing on Windows (docs/install.html) has been
348 For other changes not mentioned here, see
349 <http://allmydata.org/trac/tahoe/query?milestone=1.6.0&keywords=!~news-done>.
350 To include the tickets mentioned above, go to
351 <http://allmydata.org/trac/tahoe/query?milestone=1.6.0>.
354 * Release 1.5.0 (2009-08-01)
358 Uploads of immutable files now use pipelined writes, improving upload speed
359 slightly (10%) over high-latency connections. (#392)
361 Processing large directories has been sped up, by removing a O(N^2) algorithm
362 from the dirnode decoding path and retaining unmodified encrypted entries.
365 The human-facing web interface (aka the "WUI") received a significant CSS
366 makeover by Kevin Reid, making it much prettier and easier to read. The WUI
367 "check" and "deep-check" forms now include a "Renew Lease" checkbox,
368 mirroring the CLI --add-lease option, so leases can be added or renewed from
371 The CLI "tahoe mv" command now refuses to overwrite directories. (#705)
373 The CLI "tahoe webopen" command, when run without arguments, will now bring
374 up the "Welcome Page" (node status and mkdir/upload forms).
376 The 3.5MB limit on mutable files was removed, so it should be possible to
377 upload arbitrarily-sized mutable files. Note, however, that the data format
378 and algorithm remains the same, so using mutable files still requires
379 bandwidth, computation, and RAM in proportion to the size of the mutable file.
382 This version of Tahoe-LAFS will tolerate directory entries that contain filecap
383 formats which it does not recognize: files and directories from the future.
384 This should improve the user experience (for 1.5.0 users) when we add new cap
385 formats in the future. Previous versions would fail badly, preventing the user
386 from seeing or editing anything else in those directories. These unrecognized
387 objects can be renamed and deleted, but obviously not read or written. Also
388 they cannot generally be copied. (#683)
392 deep-check-and-repair now tolerates read-only directories, such as the ones
393 produced by the "tahoe backup" CLI command. Read-only directories and mutable
394 files are checked, but not repaired. Previous versions threw an exception
395 when attempting the repair and failed to process the remaining contents. We
396 cannot yet repair these read-only objects, but at least this version allows
397 the rest of the check+repair to proceed. (#625)
399 A bug in 1.4.1 which caused a server to be listed multiple times (and
400 frequently broke all connections to that server) was fixed. (#653)
402 The plaintext-hashing code was removed from the Helper interface, removing
403 the Helper's ability to mount a partial-information-guessing attack. (#722)
405 ** Platform/packaging changes
407 Tahoe-LAFS now runs on NetBSD, OpenBSD, ArchLinux, and NixOS, and on an
408 embedded system based on an ARM CPU running at 266 MHz.
410 Unit test timeouts have been raised to allow the tests to complete on
411 extremely slow platforms like embedded ARM-based NAS boxes, which may take
412 several hours to run the test suite. An ARM-specific data-corrupting bug in
413 an older version of Crypto++ (5.5.2) was identified: ARM-users are encouraged
414 to use recent Crypto++/pycryptopp which avoids this problem.
416 Tahoe-LAFS now requires a SQLite library, either the sqlite3 that comes
417 built-in with python2.5/2.6, or the add-on pysqlite2 if you're using
418 python2.4. In the previous release, this was only needed for the "tahoe backup"
419 command: now it is mandatory.
421 Several minor documentation updates were made.
423 To help get Tahoe-LAFS into Linux distributions like Fedora and Debian,
424 packaging improvements are being made in both Tahoe-LAFS and related libraries
425 like pycryptopp and zfec.
427 The Crypto++ library included in the pycryptopp package has been upgraded to
428 version 5.6.0 of Crypto++, which includes a more efficient implementation of
429 SHA-256 in assembly for x86 or amd64 architectures.
431 ** dependency updates
434 no python-2.4.0 or 2.4.1 (2.4.2 is good)
435 (they contained a bug in base64.b32decode)
436 avoid python-2.6 on windows with mingw: compiler issues
437 python2.4 requires pysqlite2 (2.5,2.6 does not)
442 * Release 1.4.1 (2009-04-13)
444 ** Garbage Collection
446 The big feature for this release is the implementation of garbage collection,
447 allowing Tahoe storage servers to delete shares for old deleted files. When
448 enabled, this uses a "mark and sweep" process: clients are responsible for
449 updating the leases on their shares (generally by running "tahoe deep-check
450 --add-lease"), and servers are allowed to delete any share which does not
451 have an up-to-date lease. The process is described in detail in
452 docs/garbage-collection.txt .
454 The server must be configured to enable garbage-collection, by adding
455 directives to the [storage] section that define an age limit for shares. The
456 default configuration will not delete any shares.
458 Both servers and clients should be upgraded to this release to make the
459 garbage-collection as pleasant as possible. 1.2.0 servers have code to
460 perform the update-lease operation but it suffers from a fatal bug, while
461 1.3.0 servers have update-lease but will return an exception for unknown
462 storage indices, causing clients to emit an Incident for each exception,
463 slowing the add-lease process down to a crawl. 1.1.0 servers did not have the
464 add-lease operation at all.
466 ** Security/Usability Problems Fixed
468 A super-linear algorithm in the Merkle Tree code was fixed, which previously
469 caused e.g. download of a 10GB file to take several hours before the first
470 byte of plaintext could be produced. The new "alacrity" is about 2 minutes. A
471 future release should reduce this to a few seconds by fixing ticket #442.
473 The previous version permitted a small timing attack (due to our use of
474 strcmp) against the write-enabler and lease-renewal/cancel secrets. An
475 attacker who could measure response-time variations of approximatly 3ns
476 against a very noisy background time of about 15ms might be able to guess
477 these secrets. We do not believe this attack was actually feasible. This
478 release closes the attack by first hashing the two strings to be compared
479 with a random secret.
483 In most cases, HTML tracebacks will only be sent if an "Accept: text/html"
484 header was provided with the HTTP request. This will generally cause browsers
485 to get an HTMLized traceback but send regular text/plain tracebacks to
486 non-browsers (like the CLI clients). More errors have been mapped to useful
489 The streaming webapi operations (deep-check and manifest) now have a way to
490 indicate errors (an output line that starts with "ERROR" instead of being
491 legal JSON). See docs/frontends/webapi.txt for details.
493 The storage server now has its own status page (at /storage), linked from the
494 Welcome page. This page shows progress and results of the two new
495 share-crawlers: one which merely counts shares (to give an estimate of how
496 many files/directories are being stored in the grid), the other examines
497 leases and reports how much space would be freed if GC were enabled. The page
498 also shows how much disk space is present, used, reserved, and available for
499 the Tahoe server, and whether the server is currently running in "read-write"
500 mode or "read-only" mode.
502 When a directory node cannot be read (perhaps because of insufficent shares),
503 a minimal webapi page is created so that the "more-info" links (including a
504 Check/Repair operation) will still be accessible.
506 A new "reliability" page was added, with the beginnings of work on a
507 statistical loss model. You can tell this page how many servers you are using
508 and their independent failure probabilities, and it will tell you the
509 likelihood that an arbitrary file will survive each repair period. The
510 "numpy" package must be installed to access this page. A partial paper,
511 written by Shawn Willden, has been added to docs/proposed/lossmodel.lyx .
515 "tahoe check" and "tahoe deep-check" now accept an "--add-lease" argument, to
516 update a lease on all shares. This is the "mark" side of garbage collection.
518 In many cases, CLI error messages have been improved: the ugly HTMLized
519 traceback has been replaced by a normal python traceback.
521 "tahoe deep-check" and "tahoe manifest" now have better error reporting.
522 "tahoe cp" is now non-verbose by default.
524 "tahoe backup" now accepts several "--exclude" arguments, to ignore certain
525 files (like editor temporary files and version-control metadata) during
528 On windows, the CLI now accepts local paths like "c:\dir\file.txt", which
529 previously was interpreted as a Tahoe path using a "c:" alias.
531 The "tahoe restart" command now uses "--force" by default (meaning it will
532 start a node even if it didn't look like there was one already running).
534 The "tahoe debug consolidate" command was added. This takes a series of
535 independent timestamped snapshot directories (such as those created by the
536 allmydata.com windows backup program, or a series of "tahoe cp -r" commands)
537 and creates new snapshots that used shared read-only directories whenever
538 possible (like the output of "tahoe backup"). In the most common case (when
539 the snapshots are fairly similar), the result will use significantly fewer
540 directories than the original, allowing "deep-check" and similar tools to run
541 much faster. In some cases, the speedup can be an order of magnitude or more.
542 This tool is still somewhat experimental, and only needs to be run on large
543 backups produced by something other than "tahoe backup", so it was placed
544 under the "debug" category.
546 "tahoe cp -r --caps-only tahoe:dir localdir" is a diagnostic tool which,
547 instead of copying the full contents of files into the local directory,
548 merely copies their filecaps. This can be used to verify the results of a
549 "consolidation" operation.
553 The codebase no longer rauses RuntimeError as a kind of assert(). Specific
554 exception classes were created for each previous instance of RuntimeError.
556 Many unit tests were changed to use a non-network test harness, speeding them
559 Deep-traversal operations (manifest and deep-check) now walk individual
560 directories in alphabetical order. Occasional turn breaks are inserted to
561 prevent a stack overflow when traversing directories with hundreds of
564 The experimental SFTP server had its path-handling logic changed slightly, to
565 accomodate more SFTP clients, although there are still issues (#645).
568 * Release 1.3.0 (2009-02-13)
570 ** Checker/Verifier/Repairer
572 The primary focus of this release has been writing a checker / verifier /
573 repairer for files and directories. "Checking" is the act of asking storage
574 servers whether they have a share for the given file or directory: if there
575 are not enough shares available, the file or directory will be
576 unrecoverable. "Verifying" is the act of downloading and cryptographically
577 asserting that the server's share is undamaged: it requires more work
578 (bandwidth and CPU) than checking, but can catch problems that simple
579 checking cannot. "Repair" is the act of replacing missing or damaged shares
582 This release includes a full checker, a partial verifier, and a partial
583 repairer. The repairer is able to handle missing shares: new shares are
584 generated and uploaded to make up for the missing ones. This is currently the
585 best application of the repairer: to replace shares that were lost because of
586 server departure or permanent drive failure.
588 The repairer in this release is somewhat able to handle corrupted shares. The
591 * Immutable verifier is incomplete: not all shares are used, and not all
592 fields of those shares are verified. Therefore the immutable verifier has
593 only a moderate chance of detecting corrupted shares.
594 * The mutable verifier is mostly complete: all shares are examined, and most
595 fields of the shares are validated.
596 * The storage server protocol offers no way for the repairer to replace or
597 delete immutable shares. If corruption is detected, the repairer will
598 upload replacement shares to other servers, but the corrupted shares will
600 * read-only directories and read-only mutable files must be repaired by
601 someone who holds the write-cap: the read-cap is insufficient. Moreover,
602 the deep-check-and-repair operation will halt with an error if it attempts
603 to repair one of these read-only objects.
604 * Some forms of corruption can cause both download and repair operations to
605 fail. A future release will fix this, since download should be tolerant of
606 any corruption as long as there are at least 'k' valid shares, and repair
607 should be able to fix any file that is downloadable.
609 If the downloader, verifier, or repairer detects share corruption, the
610 servers which provided the bad shares will be notified (via a file placed in
611 the BASEDIR/storage/corruption-advisories directory) so their operators can
612 manually delete the corrupted shares and investigate the problem. In
613 addition, the "incident gatherer" mechanism will automatically report share
614 corruption to an incident gatherer service, if one is configured. Note that
615 corrupted shares indicate hardware failures, serious software bugs, or malice
616 on the part of the storage server operator, so a corrupted share should be
617 considered highly unusual.
619 By periodically checking/repairing all files and directories, objects in the
620 Tahoe filesystem remain resistant to recoverability failures due to missing
621 and/or broken servers.
623 This release includes a wapi mechanism to initiate checks on individual
624 files and directories (with or without verification, and with or without
625 automatic repair). A related mechanism is used to initiate a "deep-check" on
626 a directory: recursively traversing the directory and its children, checking
627 (and/or verifying/repairing) everything underneath. Both mechanisms can be
628 run with an "output=JSON" argument, to obtain machine-readable check/repair
629 status results. These results include a copy of the filesystem statistics
630 from the "deep-stats" operation (including total number of files, size
631 histogram, etc). If repair is possible, a "Repair" button will appear on the
634 The client web interface now features some extra buttons to initiate check
635 and deep-check operations. When these operations finish, they display a
636 results page that summarizes any problems that were encountered. All
637 long-running deep-traversal operations, including deep-check, use a
638 start-and-poll mechanism, to avoid depending upon a single long-lived HTTP
639 connection. docs/frontends/webapi.txt has details.
643 The "tahoe backup" command is new in this release, which creates efficient
644 versioned backups of a local directory. Given a local pathname and a target
645 Tahoe directory, this will create a read-only snapshot of the local directory
646 in $target/Archives/$timestamp. It will also create $target/Latest, which is
647 a reference to the latest such snapshot. Each time you run "tahoe backup"
648 with the same source and target, a new $timestamp snapshot will be added.
649 These snapshots will share directories that have not changed since the last
650 backup, to speed up the process and minimize storage requirements. In
651 addition, a small database is used to keep track of which local files have
652 been uploaded already, to avoid uploading them a second time. This
653 drastically reduces the work needed to do a "null backup" (when nothing has
654 changed locally), making "tahoe backup' suitable to run from a daily cronjob.
656 Note that the "tahoe backup" CLI command must be used in conjunction with a
657 1.3.0-or-newer Tahoe client node; there was a bug in the 1.2.0 webapi
658 implementation that would prevent the last step (create $target/Latest) from
663 The 12GiB (approximate) immutable-file-size limitation is lifted. This
664 release knows how to handle so-called "v2 immutable shares", which permit
665 immutable files of up to about 18 EiB (about 3*10^14). These v2 shares are
666 created if the file to be uploaded is too large to fit into v1 shares. v1
667 shares are created if the file is small enough to fit into them, so that
668 files created with tahoe-1.3.0 can still be read by earlier versions if they
669 are not too large. Note that storage servers also had to be changed to
670 support larger files, and this release is the first release in which they are
671 able to do that. Clients will detect which servers are capable of supporting
672 large files on upload and will not attempt to upload shares of a large file
673 to a server which doesn't support it.
677 Tahoe now includes experimental FTP and SFTP servers. When configured with a
678 suitable method to translate username+password into a root directory cap, it
679 provides simple access to the virtual filesystem. Remember that FTP is
680 completely unencrypted: passwords, filenames, and file contents are all sent
681 over the wire in cleartext, so FTP should only be used on a local (127.0.0.1)
682 connection. This feature is still in development: there are no unit tests
683 yet, and behavior with respect to Unicode filenames is uncertain. Please see
684 docs/frontends/FTP-and-SFTP.txt for configuration details. (#512, #531)
688 This release adds the 'tahoe create-alias' command, which is a combination of
689 'tahoe mkdir' and 'tahoe add-alias'. This also allows you to start using a
690 new tahoe directory without exposing its URI in the argv list, which is
691 publicly visible (through the process table) on most unix systems. Thanks to
692 Kevin Reid for bringing this issue to our attention.
694 The single-argument form of "tahoe put" was changed to create an unlinked
695 file. I.e. "tahoe put bar.txt" will take the contents of a local "bar.txt"
696 file, upload them to the grid, and print the resulting read-cap; the file
697 will not be attached to any directories. This seemed a bit more useful than
698 the previous behavior (copy stdin, upload to the grid, attach the resulting
699 file into your default tahoe: alias in a child named 'bar.txt').
701 "tahoe put" was also fixed to handle mutable files correctly: "tahoe put
702 bar.txt URI:SSK:..." will read the contents of the local bar.txt and use them
703 to replace the contents of the given mutable file.
705 The "tahoe webopen" command was modified to accept aliases. This means "tahoe
706 webopen tahoe:" will cause your web browser to open to a "wui" page that
707 gives access to the directory associated with the default "tahoe:" alias. It
708 should also accept leading slashes, like "tahoe webopen tahoe:/stuff".
710 Many esoteric debugging commands were moved down into a "debug" subcommand:
713 tahoe debug dump-share
714 tahoe debug find-shares
715 tahoe debug catalog-shares
716 tahoe debug corrupt-share
718 The last command ("tahoe debug corrupt-share") flips a random bit of the
719 given local sharefile. This is used to test the file verifying/repairing
720 code, and obviously should not be used on user data.
722 The cli might not correctly handle arguments which contain non-ascii
723 characters in Tahoe v1.3 (although depending on your platform it
724 might, especially if your platform can be configured to pass such
725 characters on the command-line in utf-8 encoding). See
726 http://allmydata.org/trac/tahoe/ticket/565 for details.
730 The "default webapi port", used when creating a new client node (and in the
731 getting-started documentation), was changed from 8123 to 3456, to reduce
732 confusion when Tahoe accessed through a Firefox browser on which the
733 "Torbutton" extension has been installed. Port 8123 is occasionally used as a
734 Tor control port, so Torbutton adds 8123 to Firefox's list of "banned ports"
735 to avoid CSRF attacks against Tor. Once 8123 is banned, it is difficult to
736 diagnose why you can no longer reach a Tahoe node, so the Tahoe default was
737 changed. Note that 3456 is reserved by IANA for the "vat" protocol, but there
738 are argueably more Torbutton+Tahoe users than vat users these days. Note that
739 this will only affect newly-created client nodes. Pre-existing client nodes,
740 created by earlier versions of tahoe, may still be listening on 8123.
742 All deep-traversal operations (start-manifest, start-deep-size,
743 start-deep-stats, start-deep-check) now use a start-and-poll approach,
744 instead of using a single (fragile) long-running synchronous HTTP connection.
745 All these "start-" operations use POST instead of GET. The old "GET
746 manifest", "GET deep-size", and "POST deep-check" operations have been
749 The new "POST start-manifest" operation, when it finally completes, results
750 in a table of (path,cap), instead of the list of verifycaps produced by the
751 old "GET manifest". The table is available in several formats: use
752 output=html, output=text, or output=json to choose one. The JSON output also
753 includes stats, and a list of verifycaps and storage-index strings.
755 The "return_to=" and "when_done=" arguments have been removed from the
756 t=check and deep-check operations.
758 The top-level status page (/status) now has a machine-readable form, via
759 "/status/?t=json". This includes information about the currently-active
760 uploads and downloads, which may be useful for frontends that wish to display
761 progress information. There is no easy way to correlate the activities
762 displayed here with recent wapi requests, however.
764 Any files in BASEDIR/public_html/ (configurable) will be served in response
765 to requests in the /static/ portion of the URL space. This will simplify the
766 deployment of javascript-based frontends that can still access wapi calls
767 by conforming to the (regrettable) "same-origin policy".
769 The welcome page now has a "Report Incident" button, which is tied into the
770 "Incident Gatherer" machinery. If the node is attached to an incident
771 gatherer (via log_gatherer.furl), then pushing this button will cause an
772 Incident to be signalled: this means recent log events are aggregated and
773 sent in a bundle to the gatherer. The user can push this button after
774 something strange takes place (and they can provide a short message to go
775 along with it), and the relevant data will be delivered to a centralized
776 incident-gatherer for later processing by operations staff.
778 The "HEAD" method should now work correctly, in addition to the usual "GET",
779 "PUT", and "POST" methods. "HEAD" is supposed to return exactly the same
780 headers as "GET" would, but without any of the actual response body data. For
781 mutable files, this now does a brief mapupdate (to figure out the size of the
782 file that would be returned), without actually retrieving the file's
785 The "GET" operation on files can now support the HTTP "Range:" header,
786 allowing requests for partial content. This allows certain media players to
787 correctly stream audio and movies out of a Tahoe grid. The current
788 implementation uses a disk-based cache in BASEDIR/private/cache/download ,
789 which holds the plaintext of the files being downloaded. Future
790 implementations might not use this cache. GET for immutable files now returns
793 Each file and directory now has a "Show More Info" web page, which contains
794 much of the information that was crammed into the directory page before. This
795 includes readonly URIs, storage index strings, object type, buttons to
796 control checking/verifying/repairing, and deep-check/deep-stats buttons (for
797 directories). For mutable files, the "replace contents" upload form has been
798 moved here too. As a result, the directory page is now much simpler and
799 cleaner, and several potentially-misleading links (like t=uri) are now gone.
801 Slashes are discouraged in Tahoe file/directory names, since they cause
802 problems when accessing the filesystem through the wapi. However, there are
803 a couple of accidental ways to generate such names. This release tries to
804 make it easier to correct such mistakes by escaping slashes in several
805 places, allowing slashes in the t=info and t=delete commands, and in the
806 source (but not the target) of a t=rename command.
810 Tahoe's dependencies have been extended to require the "[secure_connections]"
811 feature from Foolscap, which will cause pyOpenSSL to be required and/or
812 installed. If OpenSSL and its development headers are already installed on
813 your system, this can occur automatically. Tahoe now uses pollreactor
814 (instead of the default selectreactor) to work around a bug between pyOpenSSL
815 and the most recent release of Twisted (8.1.0). This bug only affects unit
816 tests (hang during shutdown), and should not impact regular use.
818 The Tahoe source code tarballs now come in two different forms: regular and
819 "sumo". The regular tarball contains just Tahoe, nothing else. When building
820 from the regular tarball, the build process will download any unmet
821 dependencies from the internet (starting with the index at PyPI) so it can
822 build and install them. The "sumo" tarball contains copies of all the
823 libraries that Tahoe requires (foolscap, twisted, zfec, etc), so using the
824 "sumo" tarball should not require any internet access during the build
825 process. This can be useful if you want to build Tahoe while on an airplane,
826 a desert island, or other bandwidth-limited environments.
828 Similarly, allmydata.org now hosts a "tahoe-deps" tarball which contains the
829 latest versions of all these dependencies. This tarball, located at
830 http://allmydata.org/source/tahoe/deps/tahoe-deps.tar.gz, can be unpacked in
831 the tahoe source tree (or in its parent directory), and the build process
832 should satisfy its downloading needs from it instead of reaching out to PyPI.
833 This can be useful if you want to build Tahoe from a darcs checkout while on
834 that airplane or desert island.
836 Because of the previous two changes ("sumo" tarballs and the "tahoe-deps"
837 bundle), most of the files have been removed from misc/dependencies/ . This
838 brings the regular Tahoe tarball down to 2MB (compressed), and the darcs
839 checkout (without history) to about 7.6MB. A full darcs checkout will still
840 be fairly large (because of the historical patches which included the
841 dependent libraries), but a 'lazy' one should now be small.
843 The default "make" target is now an alias for "setup.py build", which itself
844 is an alias for "setup.py develop --prefix support", with some extra work
845 before and after (see setup.cfg). Most of the complicated platform-dependent
846 code in the Makefile was rewritten in Python and moved into setup.py,
847 simplifying things considerably.
849 Likewise, the "make test" target now delegates most of its work to "setup.py
850 test", which takes care of getting PYTHONPATH configured to access the tahoe
851 code (and dependencies) that gets put in support/lib/ by the build_tahoe
852 step. This should allow unit tests to be run even when trial (which is part
853 of Twisted) wasn't already installed (in this case, trial gets installed to
854 support/bin because Twisted is a dependency of Tahoe).
856 Tahoe is now compatible with the recently-released Python 2.6 , although it
857 is recommended to use Tahoe on Python 2.5, on which it has received more
858 thorough testing and deployment.
860 Tahoe is now compatible with simplejson-2.0.x . The previous release assumed
861 that simplejson.loads always returned unicode strings, which is no longer the
864 ** Grid Management Tools
866 Several tools have been added or updated in the misc/ directory, mostly munin
867 plugins that can be used to monitor a storage grid.
869 The misc/spacetime/ directory contains a "disk watcher" daemon (startable
870 with 'tahoe start'), which can be configured with a set of HTTP URLs
871 (pointing at the wapi '/statistics' page of a bunch of storage servers),
872 and will periodically fetch disk-used/disk-available information from all the
873 servers. It keeps this information in an Axiom database (a sqlite-based
874 library available from divmod.org). The daemon computes time-averaged rates
875 of disk usage, as well as a prediction of how much time is left before the
876 grid is completely full.
878 The misc/munin/ directory contains a new set of munin plugins
879 (tahoe_diskleft, tahoe_diskusage, tahoe_doomsday) which talk to the
880 disk-watcher and provide graphs of its calculations.
882 To support the disk-watcher, the Tahoe statistics component (visible through
883 the wapi at the /statistics/ URL) now includes disk-used and disk-available
884 information. Both are derived through an equivalent of the unix 'df' command
885 (i.e. they ask the kernel for the number of free blocks on the partition that
886 encloses the BASEDIR/storage directory). In the future, the disk-available
887 number will be further influenced by the local storage policy: if that policy
888 says that the server should refuse new shares when less than 5GB is left on
889 the partition, then "disk-available" will report zero even though the kernel
892 The 'tahoe_overhead' munin plugin interacts with an allmydata.com-specific
893 server which reports the total of the 'deep-size' reports for all active user
894 accounts, compares this with the disk-watcher data, to report on overhead
895 percentages. This provides information on how much space could be recovered
896 once Tahoe implements some form of garbage collection.
898 ** Configuration Changes: single INI-format tahoe.cfg file
900 The Tahoe node is now configured with a single INI-format file, named
901 "tahoe.cfg", in the node's base directory. Most of the previous
902 multiple-separate-files are still read for backwards compatibility (the
903 embedded SSH debug server and the advertised_ip_addresses files are the
904 exceptions), but new directives will only be added to tahoe.cfg . The "tahoe
905 create-client" command will create a tahoe.cfg for you, with sample values
906 commented out. (ticket #518)
908 tahoe.cfg now has controls for the foolscap "keepalive" and "disconnect"
911 tahoe.cfg now has controls for the encoding parameters: "shares.needed" and
912 "shares.total" in the "[client]" section. The default parameters are still
915 The inefficient storage 'sizelimit' control (which established an upper bound
916 on the amount of space that a storage server is allowed to consume) has been
917 replaced by a lightweight 'reserved_space' control (which establishes a lower
918 bound on the amount of remaining space). The storage server will reject all
919 writes that would cause the remaining disk space (as measured by a '/bin/df'
920 equivalent) to drop below this value. The "[storage]reserved_space="
921 tahoe.cfg parameter controls this setting. (note that this only affects
922 immutable shares: it is an outstanding bug that reserved_space does not
923 prevent the allocation of new mutable shares, nor does it prevent the growth
924 of existing mutable shares).
928 Clients now declare which versions of the protocols they support. This is
929 part of a new backwards-compatibility system:
930 http://allmydata.org/trac/tahoe/wiki/Versioning .
932 The version strings for human inspection (as displayed on the Welcome web
933 page, and included in logs) now includes a platform identifer (frequently
934 including a linux distribution name, processor architecture, etc).
936 Several bugs have been fixed, including one that would cause an exception (in
937 the logs) if a wapi download operation was cancelled (by closing the TCP
938 connection, or pushing the "stop" button in a web browser).
940 Tahoe now uses Foolscap "Incidents", writing an "incident report" file to
941 logs/incidents/ each time something weird occurs. These reports are available
942 to an "incident gatherer" through the flogtool command. For more details,
943 please see the Foolscap logging documentation. An incident-classifying plugin
944 function is provided in misc/incident-gatherer/classify_tahoe.py .
946 If clients detect corruption in shares, they now automatically report it to
947 the server holding that share, if it is new enough to accept the report.
948 These reports are written to files in BASEDIR/storage/corruption-advisories .
950 The 'nickname' setting is now defined to be a UTF-8 -encoded string, allowing
953 The 'tahoe start' command will now accept a --syslog argument and pass it
954 through to twistd, making it easier to launch non-Tahoe nodes (like the
955 cpu-watcher) and have them log to syslogd instead of a local file. This is
956 useful when running a Tahoe node out of a USB flash drive.
958 The Mac GUI in src/allmydata/gui/ has been improved.
961 * Release 1.2.0 (2008-07-21)
965 This release makes the immutable-file "ciphertext hash tree" mandatory.
966 Previous releases allowed the uploader to decide whether their file would
967 have an integrity check on the ciphertext or not. A malicious uploader could
968 use this to create a readcap that would download as one file or a different
969 one, depending upon which shares the client fetched first, with no errors
970 raised. There are other integrity checks on the shares themselves, preventing
971 a storage server or other party from violating the integrity properties of
972 the read-cap: this failure was only exploitable by the uploader who gives you
973 a carefully constructed read-cap. If you download the file with Tahoe 1.2.0
974 or later, you will not be vulnerable to this problem. #491
976 This change does not introduce a compatibility issue, because all existing
977 versions of Tahoe will emit the ciphertext hash tree in their shares.
981 Tahoe now requires Foolscap-0.2.9 . It also requires pycryptopp 0.5 or newer,
982 since earlier versions had a bug that interacted with specific compiler
983 versions that could sometimes result in incorrect encryption behavior. Both
984 packages are included in the Tahoe source tarball in misc/dependencies/ , and
985 should be built automatically when necessary.
989 Web API directory pages should now contain properly-slash-terminated links to
990 other directories. They have also stopped using absolute links in forms and
991 pages (which interfered with the use of a front-end load-balancing proxy).
993 The behavior of the "Check This File" button changed, in conjunction with
994 larger internal changes to file checking/verification. The button triggers an
995 immediate check as before, but the outcome is shown on its own page, and does
996 not get stored anywhere. As a result, the web directory page no longer shows
997 historical checker results.
999 A new "Deep-Check" button has been added, which allows a user to initiate a
1000 recursive check of the given directory and all files and directories
1001 reachable from it. This can cause quite a bit of work, and has no
1002 intermediate progress information or feedback about the process. In addition,
1003 the results of the deep-check are extremely limited. A later release will
1004 improve this behavior.
1006 The web server's behavior with respect to non-ASCII (unicode) filenames in
1007 the "GET save=true" operation has been improved. To achieve maximum
1008 compatibility with variously buggy web browsers, the server does not try to
1009 figure out the character set of the inbound filename. It just echoes the same
1010 bytes back to the browser in the Content-Disposition header. This seems to
1011 make both IE7 and Firefox work correctly.
1013 ** Checker/Verifier/Repairer
1015 Tahoe is slowly acquiring convenient tools to check up on file health,
1016 examine existing shares for errors, and repair files that are not fully
1017 healthy. This release adds a mutable checker/verifier/repairer, although
1018 testing is very limited, and there are no web interfaces to trigger repair
1019 yet. The "Check" button next to each file or directory on the wapi page
1020 will perform a file check, and the "deep check" button on each directory will
1021 recursively check all files and directories reachable from there (which may
1022 take a very long time).
1024 Future releases will improve access to this functionality.
1026 ** Operations/Packaging
1028 A "check-grid" script has been added, along with a Makefile target. This is
1029 intended (with the help of a pre-configured node directory) to check upon the
1030 health of a Tahoe grid, uploading and downloading a few files. This can be
1031 used as a monitoring tool for a deployed grid, to be run periodically and to
1032 signal an error if it ever fails. It also helps with compatibility testing,
1033 to verify that the latest Tahoe code is still able to handle files created by
1036 The munin plugins from misc/munin/ are now copied into any generated debian
1037 packages, and are made executable (and uncompressed) so they can be symlinked
1038 directly from /etc/munin/plugins/ .
1040 Ubuntu "Hardy" was added as a supported debian platform, with a Makefile
1041 target to produce hardy .deb packages. Some notes have been added to
1042 docs/debian.txt about building Tahoe on a debian/ubuntu system.
1044 Storage servers now measure operation rates and latency-per-operation, and
1045 provides results through the /statistics web page as well as the stats
1046 gatherer. Munin plugins have been added to match.
1050 Tahoe nodes now use Foolscap "incident logging" to record unusual events to
1051 their NODEDIR/logs/incidents/ directory. These incident files can be examined
1052 by Foolscap logging tools, or delivered to an external log-gatherer for
1053 further analysis. Note that Tahoe now requires Foolscap-0.2.9, since 0.2.8
1054 had a bug that complained about "OSError: File exists" when trying to create
1055 the incidents/ directory for a second time.
1057 If no servers are available when retrieving a mutable file (like a
1058 directory), the node now reports an error instead of hanging forever. Earlier
1059 releases would not only hang (causing the wapi directory listing to get
1060 stuck half-way through), but the internal dirnode serialization would cause
1061 all subsequent attempts to retrieve or modify the same directory to hang as
1064 A minor internal exception (reported in logs/twistd.log, in the
1065 "stopProducing" method) was fixed, which complained about "self._paused_at
1066 not defined" whenever a file download was stopped from the web browser end.
1069 * Release 1.1.0 (2008-06-11)
1071 ** CLI: new "alias" model
1073 The new CLI code uses an scp/rsync -like interface, in which directories in
1074 the Tahoe storage grid are referenced by a colon-suffixed alias. The new
1076 tahoe cp local.txt tahoe:virtual.txt
1077 tahoe ls work:subdir
1079 More functionality is available through the CLI: creating unlinked files and
1080 directories, recursive copy in or out of the storage grid, hardlinks, and
1081 retrieving the raw read- or write- caps through the 'ls' command. Please read
1082 docs/CLI.txt for complete details.
1084 ** wapi: new pages, new commands
1086 Several new pages were added to the web API:
1088 /helper_status : to describe what a Helper is doing
1089 /statistics : reports node uptime, CPU usage, other stats
1090 /file : for easy file-download URLs, see #221
1091 /cap == /uri : future compatibility
1093 The localdir=/localfile= and t=download operations were removed. These
1094 required special configuration to enable anyways, but this feature was a
1095 security problem, and was mostly obviated by the new "cp -r" command.
1097 Several new options to the GET command were added:
1099 t=deep-size : add up the size of all immutable files reachable from the directory
1100 t=deep-stats : return a JSON-encoded description of number of files, size
1101 distribution, total size, etc
1103 POST is now preferred over PUT for most operations which cause side-effects.
1105 Most wapi calls now accept overwrite=, and default to overwrite=true .
1107 "POST /uri/DIRCAP/parent/child?t=mkdir" is now the preferred API to create
1108 multiple directories at once, rather than ...?t=mkdir-p .
1110 PUT to a mutable file ("PUT /uri/MUTABLEFILECAP", "PUT /uri/DIRCAP/child")
1111 will modify the file in-place.
1113 ** more munin graphs in misc/munin/
1117 tahoe_estimate_files
1118 mutable files published/retrieved
1127 setuptools (now required at runtime)
1129 ** New Mutable-File Code
1131 The mutable-file handling code (mostly used for directories) has been
1132 completely rewritten. The new scheme has a better API (with a modify()
1133 method) and is less likely to lose data when several uncoordinated writers
1134 change a file at the same time.
1136 In addition, a single Tahoe process will coordinate its own writes. If you
1137 make two concurrent directory-modifying wapi calls to a single tahoe node,
1138 it will internally make one of them wait for the other to complete. This
1139 prevents auto-collision (#391).
1141 The new mutable-file code also detects errors during publish better. Earlier
1142 releases might believe that a mutable file was published when in fact it
1147 The node now monitors its own CPU usage, as a percentage, measured every 60
1148 seconds. 1/5/15 minute moving averages are available on the /statistics web
1149 page and via the stats-gathering interface.
1151 Clients now accelerate reconnection to all servers after being offline
1152 (#374). When a client is offline for a long time, it scales back reconnection
1153 attempts to approximately once per hour, so it may take a while to make the
1154 first attempt, but once any attempt succeeds, the other server connections
1155 will be retried immediately.
1157 A new "offloaded KeyGenerator" facility can be configured, to move RSA key
1158 generation out from, say, a wapi node, into a separate process. RSA keys
1159 can take several seconds to create, and so a wapi node which is being used
1160 for directory creation will be unavailable for anything else during this
1161 time. The Key Generator process will pre-compute a small pool of keys, to
1162 speed things up further. This also takes better advantage of multi-core CPUs,
1165 The node will only use a potentially-slow "du -s" command at startup (to
1166 measure how much space has been used) if the "sizelimit" parameter has been
1167 configured (to limit how much space is used). Large storage servers should
1168 turn off sizelimit until a later release improves the space-management code,
1169 since "du -s" on a terabyte filesystem can take hours.
1171 The Introducer now allows new announcements to replace old ones, to avoid
1172 buildups of obsolete announcements.
1174 Immutable files are limited to about 12GiB (when using the default 3-of-10
1175 encoding), because larger files would be corrupted by the four-byte
1176 share-size field on the storage servers (#439). A later release will remove
1177 this limit. Earlier releases would allow >12GiB uploads, but the resulting
1178 file would be unretrievable.
1180 The docs/ directory has been rearranged, with old docs put in
1181 docs/historical/ and not-yet-implemented ones in docs/proposed/ .
1183 The Mac OS-X FUSE plugin has a significant bug fix: earlier versions would
1184 corrupt writes that used seek() instead of writing the file in linear order.
1185 The rsync tool is known to perform writes in this order. This has been fixed.