From cbadcc86ccca624b4233b15e85f7cf98a4e77f6d Mon Sep 17 00:00:00 2001 From: Brian Warner Date: Mon, 21 Jul 2008 16:29:30 -0700 Subject: [PATCH] NEWS: add user-visible changes since the previous release --- NEWS | 108 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ docs/NEWS | 108 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 216 insertions(+) diff --git a/NEWS b/NEWS index 732cc7fb..3352d5fc 100644 --- a/NEWS +++ b/NEWS 
@@ -1,5 +1,113 @@ User visible changes in Tahoe. -*- outline -*- +* Release 1.2.0 (2008-07-21) + +** Security + +This release makes the immutable-file "ciphertext hash tree" mandatory. +Previous releases allowed the uploader to decide whether their file would +have an integrity check on the ciphertext or not. A malicious uploader could +use this to create a readcap that would download as one file or a different +one, depending upon which shares the client fetched first, with no errors +raised. There are other integrity checks on the shares themselves, preventing +a storage server or other party from violating the integrity properties of +the read-cap: this failure was only exploitable by the uploader who gives you +a carefully constructed read-cap. If you download the file with Tahoe 1.2.0 +or later, you will not be vulnerable to this problem. #491 + +This change does not introduce a compatibility issue, because all existing +versions of Tahoe will emit the ciphertext hash tree in their shares. + +** Dependencies + +Tahoe now requires Foolscap-0.2.9 . It also requires pycryptopp 0.5 or newer, +since earlier versions had a bug that interacted with specific compiler +versions that could sometimes result in incorrect encryption behavior. Both +packages are included in the Tahoe source tarball in misc/dependencies/ , and +should be built automatically when necessary. + +** Web API + +Web API directory pages should now contain properly-slash-terminated links to +other directories. They have also stopped using absolute links in forms and +pages (which interfered with the use of a front-end load-balancing proxy). + +The behavior of the "Check This File" button changed, in conjunction with +larger internal changes to file checking/verification. The button triggers an +immediate check as before, but the outcome is shown on its own page, and does +not get stored anywhere. As a result, the web directory page no longer shows +historical checker results. 
+ +A new "Deep-Check" button has been added, which allows a user to initiate a +recursive check of the given directory and all files and directories +reachable from it. This can cause quite a bit of work, and has no +intermediate progress information or feedback about the process. In addition, +the results of the deep-check are extremely limited. A later release will +improve this behavior. + +The web server's behavior with respect to non-ASCII (unicode) filenames in +the "GET save=true" operation has been improved. To achieve maximum +compatibility with variously buggy web browsers, the server does not try to +figure out the character set of the inbound filename. It just echoes the same +bytes back to the browser in the Content-Disposition header. This seems to +make both IE7 and Firefox work correctly. + +** Checker/Verifier/Repairer + +Tahoe is slowly acquiring convenient tools to check up on file health, +examine existing shares for errors, and repair files that are not fully +healthy. This release adds a mutable checker/verifier/repairer, although +testing is very limited, and there are no web interfaces to trigger repair +yet. The "Check" button next to each file or directory on the webapi page +will perform a file check, and the "deep check" button on each directory will +recursively check all files and directories reachable from there (which may +take a very long time). + +Future releases will improve access to this functionality. + +** Operations/Packaging + +A "check-grid" script has been added, along with a Makefile target. This is +intended (with the help of a pre-configured node directory) to check upon the +health of a Tahoe grid, uploading and downloading a few files. This can be +used as a monitoring tool for a deployed grid, to be run periodically and to +signal an error if it ever fails. It also helps with compatibility testing, +to verify that the latest Tahoe code is still able to handle files created by +an older version. 
+ +The munin plugins from misc/munin/ are now copied into any generated debian +packages, and are made executable (and uncompressed) so they can be symlinked +directly from /etc/munin/plugins/ . + +Ubuntu "Hardy" was added as a supported debian platform, with a Makefile +target to produce hardy .deb packages. Some notes have been added to +docs/debian.txt about building Tahoe on a debian/ubuntu system. + +Storage servers now measure operation rates and latency-per-operation, and +provides results through the /statistics web page as well as the stats +gatherer. Munin plugins have been added to match. + +** Other + +Tahoe nodes now use Foolscap "incident logging" to record unusual events to +their NODEDIR/logs/incidents/ directory. These incident files can be examined +by Foolscap logging tools, or delivered to an external log-gatherer for +further analysis. Note that Tahoe now requires Foolscap-0.2.9, since 0.2.8 +had a bug that complained about "OSError: File exists" when trying to create +the incidents/ directory for a second time. + +If no servers are available when retrieving a mutable file (like a +directory), the node now reports an error instead of hanging forever. Earlier +releases would not only hang (causing the webapi directory listing to get +stuck half-way through), but the internal dirnode serialization would cause +all subsequent attempts to retrieve or modify the same directory to hang as +well. #463 + +A minor internal exception (reported in logs/twistd.log, in the +"stopProducing" method) was fixed, which complained about "self._paused_at +not defined" whenever a file download was stopped from the web browser end. + + * Release 1.1.0 (2008-06-11) ** CLI: new "alias" model diff --git a/docs/NEWS b/docs/NEWS index 732cc7fb..3352d5fc 100644 --- a/docs/NEWS +++ b/docs/NEWS 
@@ -1,5 +1,113 @@ User visible changes in Tahoe. -*- outline -*- +* Release 1.2.0 (2008-07-21) + +** Security + +This release makes the immutable-file "ciphertext hash tree" mandatory. +Previous releases allowed the uploader to decide whether their file would +have an integrity check on the ciphertext or not. A malicious uploader could +use this to create a readcap that would download as one file or a different +one, depending upon which shares the client fetched first, with no errors +raised. There are other integrity checks on the shares themselves, preventing +a storage server or other party from violating the integrity properties of +the read-cap: this failure was only exploitable by the uploader who gives you +a carefully constructed read-cap. If you download the file with Tahoe 1.2.0 +or later, you will not be vulnerable to this problem. #491 + +This change does not introduce a compatibility issue, because all existing +versions of Tahoe will emit the ciphertext hash tree in their shares. + +** Dependencies + +Tahoe now requires Foolscap-0.2.9 . It also requires pycryptopp 0.5 or newer, +since earlier versions had a bug that interacted with specific compiler +versions that could sometimes result in incorrect encryption behavior. Both +packages are included in the Tahoe source tarball in misc/dependencies/ , and +should be built automatically when necessary. + +** Web API + +Web API directory pages should now contain properly-slash-terminated links to +other directories. They have also stopped using absolute links in forms and +pages (which interfered with the use of a front-end load-balancing proxy). + +The behavior of the "Check This File" button changed, in conjunction with +larger internal changes to file checking/verification. The button triggers an +immediate check as before, but the outcome is shown on its own page, and does +not get stored anywhere. As a result, the web directory page no longer shows +historical checker results. 
+ +A new "Deep-Check" button has been added, which allows a user to initiate a +recursive check of the given directory and all files and directories +reachable from it. This can cause quite a bit of work, and has no +intermediate progress information or feedback about the process. In addition, +the results of the deep-check are extremely limited. A later release will +improve this behavior. + +The web server's behavior with respect to non-ASCII (unicode) filenames in +the "GET save=true" operation has been improved. To achieve maximum +compatibility with variously buggy web browsers, the server does not try to +figure out the character set of the inbound filename. It just echoes the same +bytes back to the browser in the Content-Disposition header. This seems to +make both IE7 and Firefox work correctly. + +** Checker/Verifier/Repairer + +Tahoe is slowly acquiring convenient tools to check up on file health, +examine existing shares for errors, and repair files that are not fully +healthy. This release adds a mutable checker/verifier/repairer, although +testing is very limited, and there are no web interfaces to trigger repair +yet. The "Check" button next to each file or directory on the webapi page +will perform a file check, and the "deep check" button on each directory will +recursively check all files and directories reachable from there (which may +take a very long time). + +Future releases will improve access to this functionality. + +** Operations/Packaging + +A "check-grid" script has been added, along with a Makefile target. This is +intended (with the help of a pre-configured node directory) to check upon the +health of a Tahoe grid, uploading and downloading a few files. This can be +used as a monitoring tool for a deployed grid, to be run periodically and to +signal an error if it ever fails. It also helps with compatibility testing, +to verify that the latest Tahoe code is still able to handle files created by +an older version. 
+ +The munin plugins from misc/munin/ are now copied into any generated debian +packages, and are made executable (and uncompressed) so they can be symlinked +directly from /etc/munin/plugins/ . + +Ubuntu "Hardy" was added as a supported debian platform, with a Makefile +target to produce hardy .deb packages. Some notes have been added to +docs/debian.txt about building Tahoe on a debian/ubuntu system. + +Storage servers now measure operation rates and latency-per-operation, and +provides results through the /statistics web page as well as the stats +gatherer. Munin plugins have been added to match. + +** Other + +Tahoe nodes now use Foolscap "incident logging" to record unusual events to +their NODEDIR/logs/incidents/ directory. These incident files can be examined +by Foolscap logging tools, or delivered to an external log-gatherer for +further analysis. Note that Tahoe now requires Foolscap-0.2.9, since 0.2.8 +had a bug that complained about "OSError: File exists" when trying to create +the incidents/ directory for a second time. + +If no servers are available when retrieving a mutable file (like a +directory), the node now reports an error instead of hanging forever. Earlier +releases would not only hang (causing the webapi directory listing to get +stuck half-way through), but the internal dirnode serialization would cause +all subsequent attempts to retrieve or modify the same directory to hang as +well. #463 + +A minor internal exception (reported in logs/twistd.log, in the +"stopProducing" method) was fixed, which complained about "self._paused_at +not defined" whenever a file download was stopped from the web browser end. + + * Release 1.1.0 (2008-06-11) ** CLI: new "alias" model -- 2.45.2
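Review bot: In the NEWS hunk, the "** Dependencies" entry says older pycryptopp "could sometimes result in incorrect encryption behavior", which is a security-relevant item placed outside "** Security" and with no guidance for files uploaded by an affected build. Suggest a cross-reference from the Security section and a sentence saying whether such files need to be checked or re-uploaded. In the Security entry itself, the compatibility paragraph says all existing versions "will emit the ciphertext hash tree", while the paragraph before it says the uploader could decide to omit it; it would help to state what a 1.2.0 downloader does when a share lacks the tree. Smaller points: under "** Operations/Packaging", "Storage servers now measure ... and provides results" should read "provide", and the Foolscap-0.2.9 requirement is stated in both "** Dependencies" and "** Other".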
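Review bot: The docs/NEWS hunk repeats the NEWS text exactly (both files go from index 732cc7fb to 3352d5fc), so the security entry for #491 now lives in two places that can drift apart; consider keeping one canonical file and making the other a symlink or a generated copy. In the "** Web API" section, "It just echoes the same bytes back to the browser in the Content-Disposition header" reads as an unfiltered echo of request data into a response header, so the entry should say whether CR/LF and quote bytes in the filename are rejected or escaped. The button is also called "Deep-Check" in "** Web API" and "deep check" in "** Checker/Verifier/Repairer"; pick one spelling.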