From: Brian Warner Date: Mon, 21 Jul 2008 23:29:30 +0000 (-0700) Subject: NEWS: add user-visible changes since the previous release X-Git-Tag: allmydata-tahoe-1.2.0~6 X-Git-Url: https://git.rkrishnan.org/pf/content/en/seg/priv.html?a=commitdiff_plain;h=cbadcc86ccca624b4233b15e85f7cf98a4e77f6d;p=tahoe-lafs%2Ftahoe-lafs.git NEWS: add user-visible changes since the previous release --- diff --git a/NEWS b/NEWS index 732cc7fb..3352d5fc 100644 --- a/NEWS +++ b/NEWS @@ -1,5 +1,113 @@ User visible changes in Tahoe. -*- outline -*- +* Release 1.2.0 (2008-07-21) + +** Security + +This release makes the immutable-file "ciphertext hash tree" mandatory. +Previous releases allowed the uploader to decide whether their file would +have an integrity check on the ciphertext or not. A malicious uploader could +use this to create a readcap that would download as one file or a different +one, depending upon which shares the client fetched first, with no errors +raised. There are other integrity checks on the shares themselves, preventing +a storage server or other party from violating the integrity properties of +the read-cap: this failure was only exploitable by the uploader who gives you +a carefully constructed read-cap. If you download the file with Tahoe 1.2.0 +or later, you will not be vulnerable to this problem. #491 + +This change does not introduce a compatibility issue, because all existing +versions of Tahoe will emit the ciphertext hash tree in their shares. + +** Dependencies + +Tahoe now requires Foolscap-0.2.9 . It also requires pycryptopp 0.5 or newer, +since earlier versions had a bug that interacted with specific compiler +versions that could sometimes result in incorrect encryption behavior. Both +packages are included in the Tahoe source tarball in misc/dependencies/ , and +should be built automatically when necessary. + +** Web API + +Web API directory pages should now contain properly-slash-terminated links to +other directories. They have also stopped using absolute links in forms and +pages (which interfered with the use of a front-end load-balancing proxy). + +The behavior of the "Check This File" button changed, in conjunction with +larger internal changes to file checking/verification. The button triggers an +immediate check as before, but the outcome is shown on its own page, and does +not get stored anywhere. As a result, the web directory page no longer shows +historical checker results. + +A new "Deep-Check" button has been added, which allows a user to initiate a +recursive check of the given directory and all files and directories +reachable from it. This can cause quite a bit of work, and has no +intermediate progress information or feedback about the process. In addition, +the results of the deep-check are extremely limited. A later release will +improve this behavior. + +The web server's behavior with respect to non-ASCII (unicode) filenames in +the "GET save=true" operation has been improved. To achieve maximum +compatibility with variously buggy web browsers, the server does not try to +figure out the character set of the inbound filename. It just echoes the same +bytes back to the browser in the Content-Disposition header. This seems to +make both IE7 and Firefox work correctly. + +** Checker/Verifier/Repairer + +Tahoe is slowly acquiring convenient tools to check up on file health, +examine existing shares for errors, and repair files that are not fully +healthy. This release adds a mutable checker/verifier/repairer, although +testing is very limited, and there are no web interfaces to trigger repair +yet. The "Check" button next to each file or directory on the webapi page +will perform a file check, and the "deep check" button on each directory will +recursively check all files and directories reachable from there (which may +take a very long time). + +Future releases will improve access to this functionality. + +** Operations/Packaging + +A "check-grid" script has been added, along with a Makefile target. This is +intended (with the help of a pre-configured node directory) to check upon the +health of a Tahoe grid, uploading and downloading a few files. This can be +used as a monitoring tool for a deployed grid, to be run periodically and to +signal an error if it ever fails. It also helps with compatibility testing, +to verify that the latest Tahoe code is still able to handle files created by +an older version. + +The munin plugins from misc/munin/ are now copied into any generated debian +packages, and are made executable (and uncompressed) so they can be symlinked +directly from /etc/munin/plugins/ . + +Ubuntu "Hardy" was added as a supported debian platform, with a Makefile +target to produce hardy .deb packages. Some notes have been added to +docs/debian.txt about building Tahoe on a debian/ubuntu system. + +Storage servers now measure operation rates and latency-per-operation, and +provides results through the /statistics web page as well as the stats +gatherer. Munin plugins have been added to match. + +** Other + +Tahoe nodes now use Foolscap "incident logging" to record unusual events to +their NODEDIR/logs/incidents/ directory. These incident files can be examined +by Foolscap logging tools, or delivered to an external log-gatherer for +further analysis. Note that Tahoe now requires Foolscap-0.2.9, since 0.2.8 +had a bug that complained about "OSError: File exists" when trying to create +the incidents/ directory for a second time. + +If no servers are available when retrieving a mutable file (like a +directory), the node now reports an error instead of hanging forever. Earlier +releases would not only hang (causing the webapi directory listing to get +stuck half-way through), but the internal dirnode serialization would cause +all subsequent attempts to retrieve or modify the same directory to hang as +well. #463 + +A minor internal exception (reported in logs/twistd.log, in the +"stopProducing" method) was fixed, which complained about "self._paused_at +not defined" whenever a file download was stopped from the web browser end. + + * Release 1.1.0 (2008-06-11) ** CLI: new "alias" model diff --git a/docs/NEWS b/docs/NEWS index 732cc7fb..3352d5fc 100644 --- a/docs/NEWS +++ b/docs/NEWS @@ -1,5 +1,113 @@ User visible changes in Tahoe. -*- outline -*- +* Release 1.2.0 (2008-07-21) + +** Security + +This release makes the immutable-file "ciphertext hash tree" mandatory. +Previous releases allowed the uploader to decide whether their file would +have an integrity check on the ciphertext or not. A malicious uploader could +use this to create a readcap that would download as one file or a different +one, depending upon which shares the client fetched first, with no errors +raised. There are other integrity checks on the shares themselves, preventing +a storage server or other party from violating the integrity properties of +the read-cap: this failure was only exploitable by the uploader who gives you +a carefully constructed read-cap. If you download the file with Tahoe 1.2.0 +or later, you will not be vulnerable to this problem. #491 + +This change does not introduce a compatibility issue, because all existing +versions of Tahoe will emit the ciphertext hash tree in their shares. + +** Dependencies + +Tahoe now requires Foolscap-0.2.9 . It also requires pycryptopp 0.5 or newer, +since earlier versions had a bug that interacted with specific compiler +versions that could sometimes result in incorrect encryption behavior. Both +packages are included in the Tahoe source tarball in misc/dependencies/ , and +should be built automatically when necessary. + +** Web API + +Web API directory pages should now contain properly-slash-terminated links to +other directories. They have also stopped using absolute links in forms and +pages (which interfered with the use of a front-end load-balancing proxy). + +The behavior of the "Check This File" button changed, in conjunction with +larger internal changes to file checking/verification. The button triggers an +immediate check as before, but the outcome is shown on its own page, and does +not get stored anywhere. As a result, the web directory page no longer shows +historical checker results. + +A new "Deep-Check" button has been added, which allows a user to initiate a +recursive check of the given directory and all files and directories +reachable from it. This can cause quite a bit of work, and has no +intermediate progress information or feedback about the process. In addition, +the results of the deep-check are extremely limited. A later release will +improve this behavior. + +The web server's behavior with respect to non-ASCII (unicode) filenames in +the "GET save=true" operation has been improved. To achieve maximum +compatibility with variously buggy web browsers, the server does not try to +figure out the character set of the inbound filename. It just echoes the same +bytes back to the browser in the Content-Disposition header. This seems to +make both IE7 and Firefox work correctly. + +** Checker/Verifier/Repairer + +Tahoe is slowly acquiring convenient tools to check up on file health, +examine existing shares for errors, and repair files that are not fully +healthy. This release adds a mutable checker/verifier/repairer, although +testing is very limited, and there are no web interfaces to trigger repair +yet. The "Check" button next to each file or directory on the webapi page +will perform a file check, and the "deep check" button on each directory will +recursively check all files and directories reachable from there (which may +take a very long time). + +Future releases will improve access to this functionality. + +** Operations/Packaging + +A "check-grid" script has been added, along with a Makefile target. This is +intended (with the help of a pre-configured node directory) to check upon the +health of a Tahoe grid, uploading and downloading a few files. This can be +used as a monitoring tool for a deployed grid, to be run periodically and to +signal an error if it ever fails. It also helps with compatibility testing, +to verify that the latest Tahoe code is still able to handle files created by +an older version. + +The munin plugins from misc/munin/ are now copied into any generated debian +packages, and are made executable (and uncompressed) so they can be symlinked +directly from /etc/munin/plugins/ . + +Ubuntu "Hardy" was added as a supported debian platform, with a Makefile +target to produce hardy .deb packages. Some notes have been added to +docs/debian.txt about building Tahoe on a debian/ubuntu system. + +Storage servers now measure operation rates and latency-per-operation, and +provides results through the /statistics web page as well as the stats +gatherer. Munin plugins have been added to match. + +** Other + +Tahoe nodes now use Foolscap "incident logging" to record unusual events to +their NODEDIR/logs/incidents/ directory. These incident files can be examined +by Foolscap logging tools, or delivered to an external log-gatherer for +further analysis. Note that Tahoe now requires Foolscap-0.2.9, since 0.2.8 +had a bug that complained about "OSError: File exists" when trying to create +the incidents/ directory for a second time. + +If no servers are available when retrieving a mutable file (like a +directory), the node now reports an error instead of hanging forever. Earlier +releases would not only hang (causing the webapi directory listing to get +stuck half-way through), but the internal dirnode serialization would cause +all subsequent attempts to retrieve or modify the same directory to hang as +well. #463 + +A minor internal exception (reported in logs/twistd.log, in the +"stopProducing" method) was fixed, which complained about "self._paused_at +not defined" whenever a file download was stopped from the web browser end. + + * Release 1.1.0 (2008-06-11) ** CLI: new "alias" model