+++ /dev/null
-User visible changes in Tahoe. -*- outline -*-
-
-* Release 1.2.0 (2008-07-21)
-
-** Security
-
-This release makes the immutable-file "ciphertext hash tree" mandatory.
-Previous releases allowed the uploader to decide whether their file would
-have an integrity check on the ciphertext or not. A malicious uploader could
-use this to create a readcap that would download as one file or a different
-one, depending upon which shares the client fetched first, with no errors
-raised. There are other integrity checks on the shares themselves, preventing
-a storage server or other party from violating the integrity properties of
-the read-cap: this failure was only exploitable by the uploader who gives you
-a carefully constructed read-cap. If you download the file with Tahoe 1.2.0
-or later, you will not be vulnerable to this problem. #491
-
-This change does not introduce a compatibility issue, because all existing
-versions of Tahoe will emit the ciphertext hash tree in their shares.
-
-** Dependencies
-
-Tahoe now requires Foolscap-0.2.9 . It also requires pycryptopp 0.5 or newer,
-since earlier versions had a bug that interacted with specific compiler
-versions that could sometimes result in incorrect encryption behavior. Both
-packages are included in the Tahoe source tarball in misc/dependencies/ , and
-should be built automatically when necessary.
-
-** Web API
-
-Web API directory pages should now contain properly-slash-terminated links to
-other directories. They have also stopped using absolute links in forms and
-pages (which interfered with the use of a front-end load-balancing proxy).
-
-The behavior of the "Check This File" button changed, in conjunction with
-larger internal changes to file checking/verification. The button triggers an
-immediate check as before, but the outcome is shown on its own page, and does
-not get stored anywhere. As a result, the web directory page no longer shows
-historical checker results.
-
-A new "Deep-Check" button has been added, which allows a user to initiate a
-recursive check of the given directory and all files and directories
-reachable from it. This can cause quite a bit of work, and has no
-intermediate progress information or feedback about the process. In addition,
-the results of the deep-check are extremely limited. A later release will
-improve this behavior.
-
-The web server's behavior with respect to non-ASCII (unicode) filenames in
-the "GET save=true" operation has been improved. To achieve maximum
-compatibility with variously buggy web browsers, the server does not try to
-figure out the character set of the inbound filename. It just echoes the same
-bytes back to the browser in the Content-Disposition header. This seems to
-make both IE7 and Firefox work correctly.
-
-** Checker/Verifier/Repairer
-
-Tahoe is slowly acquiring convenient tools to check up on file health,
-examine existing shares for errors, and repair files that are not fully
-healthy. This release adds a mutable checker/verifier/repairer, although
-testing is very limited, and there are no web interfaces to trigger repair
-yet. The "Check" button next to each file or directory on the webapi page
-will perform a file check, and the "deep check" button on each directory will
-recursively check all files and directories reachable from there (which may
-take a very long time).
-
-Future releases will improve access to this functionality.
-
-** Operations/Packaging
-
-A "check-grid" script has been added, along with a Makefile target. This is
-intended (with the help of a pre-configured node directory) to check upon the
-health of a Tahoe grid, uploading and downloading a few files. This can be
-used as a monitoring tool for a deployed grid, to be run periodically and to
-signal an error if it ever fails. It also helps with compatibility testing,
-to verify that the latest Tahoe code is still able to handle files created by
-an older version.
-
-The munin plugins from misc/munin/ are now copied into any generated debian
-packages, and are made executable (and uncompressed) so they can be symlinked
-directly from /etc/munin/plugins/ .
-
-Ubuntu "Hardy" was added as a supported debian platform, with a Makefile
-target to produce hardy .deb packages. Some notes have been added to
-docs/debian.txt about building Tahoe on a debian/ubuntu system.
-
-Storage servers now measure operation rates and latency-per-operation, and
-provides results through the /statistics web page as well as the stats
-gatherer. Munin plugins have been added to match.
-
-** Other
-
-Tahoe nodes now use Foolscap "incident logging" to record unusual events to
-their NODEDIR/logs/incidents/ directory. These incident files can be examined
-by Foolscap logging tools, or delivered to an external log-gatherer for
-further analysis. Note that Tahoe now requires Foolscap-0.2.9, since 0.2.8
-had a bug that complained about "OSError: File exists" when trying to create
-the incidents/ directory for a second time.
-
-If no servers are available when retrieving a mutable file (like a
-directory), the node now reports an error instead of hanging forever. Earlier
-releases would not only hang (causing the webapi directory listing to get
-stuck half-way through), but the internal dirnode serialization would cause
-all subsequent attempts to retrieve or modify the same directory to hang as
-well. #463
-
-A minor internal exception (reported in logs/twistd.log, in the
-"stopProducing" method) was fixed, which complained about "self._paused_at
-not defined" whenever a file download was stopped from the web browser end.
-
-
-* Release 1.1.0 (2008-06-11)
-
-** CLI: new "alias" model
-
-The new CLI code uses an scp/rsync -like interface, in which directories in
-the Tahoe storage grid are referenced by a colon-suffixed alias. The new
-commands look like:
- tahoe cp local.txt tahoe:virtual.txt
- tahoe ls work:subdir
-
-More functionality is available through the CLI: creating unlinked files and
-directories, recursive copy in or out of the storage grid, hardlinks, and
-retrieving the raw read- or write- caps through the 'ls' command. Please read
-docs/CLI.txt for complete details.
-
-** webapi: new pages, new commands
-
-Several new pages were added to the web API:
-
- /helper_status : to describe what a Helper is doing
- /statistics : reports node uptime, CPU usage, other stats
- /file : for easy file-download URLs, see #221
- /cap == /uri : future compatibility
-
-The localdir=/localfile= and t=download operations were removed. These
-required special configuration to enable anyways, but this feature was a
-security problem, and was mostly obviated by the new "cp -r" command.
-
-Several new options to the GET command were added:
-
- t=deep-size : add up the size of all immutable files reachable from the directory
- t=deep-stats : return a JSON-encoded description of number of files, size
- distribution, total size, etc
-
-POST is now preferred over PUT for most operations which cause side-effects.
-
-Most webapi calls now accept overwrite=, and default to overwrite=true .
-
-"POST /uri/DIRCAP/parent/child?t=mkdir" is now the preferred API to create
-multiple directories at once, rather than ...?t=mkdir-p .
-
-PUT to a mutable file ("PUT /uri/MUTABLEFILECAP", "PUT /uri/DIRCAP/child")
-will modify the file in-place.
-
-** more munin graphs in misc/munin/
-
- tahoe-introstats
- tahoe-rootdir-space
- tahoe_estimate_files
- mutable files published/retrieved
- tahoe_cpu_watcher
- tahoe_spacetime
-
-** New Dependencies
-
- zfec 1.1.0
- foolscap 0.2.8
- pycryptopp 0.5
- setuptools (now required at runtime)
-
-** New Mutable-File Code
-
-The mutable-file handling code (mostly used for directories) has been
-completely rewritten. The new scheme has a better API (with a modify()
-method) and is less likely to lose data when several uncoordinated writers
-change a file at the same time.
-
-In addition, a single Tahoe process will coordinate its own writes. If you
-make two concurrent directory-modifying webapi calls to a single tahoe node,
-it will internally make one of them wait for the other to complete. This
-prevents auto-collision (#391).
-
-The new mutable-file code also detects errors during publish better. Earlier
-releases might believe that a mutable file was published when in fact it
-failed.
-
-** other features
-
-The node now monitors its own CPU usage, as a percentage, measured every 60
-seconds. 1/5/15 minute moving averages are available on the /statistics web
-page and via the stats-gathering interface.
-
-Clients now accelerate reconnection to all servers after being offline
-(#374). When a client is offline for a long time, it scales back reconnection
-attempts to approximately once per hour, so it may take a while to make the
-first attempt, but once any attempt succeeds, the other server connections
-will be retried immediately.
-
-A new "offloaded KeyGenerator" facility can be configured, to move RSA key
-generation out from, say, a webapi node, into a separate process. RSA keys
-can take several seconds to create, and so a webapi node which is being used
-for directory creation will be unavailable for anything else during this
-time. The Key Generator process will pre-compute a small pool of keys, to
-speed things up further. This also takes better advantage of multi-core CPUs,
-or SMP hosts.
-
-The node will only use a potentially-slow "du -s" command at startup (to
-measure how much space has been used) if the "sizelimit" parameter has been
-configured (to limit how much space is used). Large storage servers should
-turn off sizelimit until a later release improves the space-management code,
-since "du -s" on a terabyte filesystem can take hours.
-
-The Introducer now allows new announcements to replace old ones, to avoid
-buildups of obsolete announcements.
-
-Immutable files are limited to about 12GiB (when using the default 3-of-10
-encoding), because larger files would be corrupted by the four-byte
-share-size field on the storage servers (#439). A later release will remove
-this limit. Earlier releases would allow >12GiB uploads, but the resulting
-file would be unretrievable.
-
-The docs/ directory has been rearranged, with old docs put in
-docs/historical/ and not-yet-implemented ones in docs/proposed/ .
-
-The Mac OS-X FUSE plugin has a significant bug fix: earlier versions would
-corrupt writes that used seek() instead of writing the file in linear order.
-The rsync tool is known to perform writes in this order. This has been fixed.