Upstream changes:
0.044 2013-10-17 17:00:41 America/New_York
[FIXED]
- Fixed child path construction against the root path.
- Fixed path construction when a relative volume is provided as the
first argument on Windows; e.g. path("C:", "lib") must be like
path("C:lib"), not path("C:/lib").
- On AIX, shared locking is replaced by exclusive locking on a R/W
filehandle, as locking read handles is not supported
0.043 2013-10-14 06:24:06 America/New_York
[CHANGED]
- Calling 'absolute' on Windows will add the volume if it is missing
(E.g. "/foo" will become "C:/foo"). This matches the behavior
of File::Spec->rel2abs.
[FIXED]
- Fixed t/00-report-prereqs.t for use with older versions of
CPAN::Meta::Requirements
0.042 2013-10-13 11:02:02 America/New_York
[FIXED]
- When 'realpath' can't be resolved (because intermediate directories
don't exist), the exception now explains the error clearly instead of
complaining about path() needing a defined, positive-length argument.
- On Windows, fixed resolution of relative paths with a volume.
E.g. "C:foo" is now correctly translated into getdcwd on "C:"
plus "foo".
0.041 2013-10-11 08:56:31 America/New_York
[FIXES]
- Removes duplicate test dependency on File::Spec that triggers
a CPAN.pm bug
0.040 2013-10-08 22:01:50 America/New_York
[FIXES]
- Fixed broken locking test on *bsd
- When using 'filehandle' to request a locked handle that truncates an
existing file and has a binmode starting with ":unix", this fixes a
bug where pseudo-layers weren't being cleared properly.
0.039 2013-10-08 16:39:23 America/New_York
[ADDITIONS]
- The 'filehandle' method now offers an option to return locked handles
based on the file mode. Input-output methods now rely on this
feature internally. Truncating file modes defer truncation until
after an exclusive lock is acquired.
[FIXES]
- The 'filehandle' method now respects default encoding set by
the caller's open pragma.
0.038 2013-10-01 18:20:05 America/New_York
[ADDITIONS]
- Added 'is_rootdir' method to simplify testing if a path is
the root directory
0.037 2013-09-25 13:00:25 America/New_York
[FIXES]
- Fixed for v5.8
0.036 2013-09-25 09:34:28 America/New_York
[PREREQS]
- No longer lists 'threads' as a prerequisite. If you have a threaded
perl, you have it and if you're not, Path::Tiny doesn't care.
0.035 2013-09-24 07:21:55 America/New_York
[FIXED]
- Fixed flock warning on BSD that was broken with the autodie
removal; now also applies to all BSD flavors
0.034 2013-09-23 16:16:36 America/New_York
[INCOMPATIBLE CHANGE]
- Exceptions are now Path::Tiny::Error objects, not autodie exceptions;
this removes the last dependency on autodie, which allows us to
support Perls as far back as v5.8.1
[FIXED]
- BSD/NFS flock fix was not backwards compatible before v5.14. This
fixes it harder.
[PREREQS]
- dropped autodie
- lowered ExtUtils::MakeMaker configure_requires version to 6.17
0.033 2013-09-12 08:54:30 America/New_York
[FIXED]
- Perl on BSD may not support locking on an NFS filesystem. If this is
detected, Path::Tiny warns and continues in an unsafe mode. The
'flock' warning category may be fatalized to die instead.
[DOCUMENTED]
- Added 'iterator' example showing defaults
0.032 2013-09-06 17:52:48 America/New_York
[PREREQS]
- Removed several test dependencies. Path::Tiny now only needs
core modules, though some must be upgraded on old Perls
Changes since 1.6.2:
OpenAFS 1.6.5
commit 5f5b02a57102af1a85fb9bdaaec31b6094d0c9c4
Author: Michael Meffie <mmeffie@sinenomine.net>
Date: Wed Jul 17 23:10:42 2013 +0100
ubik: Fix encryption selection in ugen
Make sure that we encrypt when requested to by the application
Change-Id: If4c2ba2257bf060d3e9169ccdbcae54f54dfe5d7
commit 0e41558190a5190dee3037c08e8df31e61e5134e
Author: Simon Wilkinson <sxw@your-file-system.com>
Date: Tue Jul 16 19:37:00 2013 +0100
Make OpenAFS 1.6.5
Change-Id: I693297ef6e20358966930cb29116d45b9151811f
commit 9e1c24a583634e6102091388dedc47745efce78a
Author: Ben Kaduk <kaduk@mit.edu>
Date: Sat Jul 13 10:49:27 2013 +0100
Add support for deriving DES keys to klog.krb5
(cherry picked from commit e79102e7918ce5196e870a806879135743ec3abb)
Change-Id: Ia7ebfdd10dcfd6cd164b10275016147630748bac
commit 4b7553600a7659d117df0bde7b1c1dfde031deb8
Author: Andrew Deason <adeason@sinenomine.net>
Date: Wed Jul 10 12:52:28 2013 -0500
Reload rxkad.keytab on CellServDB modification
Make the reloading of rxkad.keytab keys occur in the same way that
KeyFile keys are reloaded. That is, we only try to reload them if the
CellServDB mtime has changed. This is intended to have exactly the
same reloading behavior as KeyFile reloads.
I would have triggered this from afsconf_Check, but that approach
has annoyances. (Calling ticket5_keytab functions directly from
cellconfig pulls in libkrb5 dependencies for everything that uses
cellconfig, and we'd have to trigger an afsconf_Check call by calling
some other cellconfig function.)
9102f49a3bdc67ed74e254349eb55b529472f45c
commit d2024c158e3a879305ff17cf726d3958f20677f4
Author: Andrew Deason <adeason@sinenomine.net>
Date: Mon Jun 10 17:49:12 2013 -0500
Avoid calling afsconf_GetLatestKey directly
Don't call afsconf_GetLatestKey to determine whether we can print our
own local tokens, since we may have keytab 'local' keys, but no DES
keys. Just try to construct them and see if it fails, using
afsconf_PickClientSecObj or afsconf_ClientAuth{,Secure} as
appropriate.
commit d4788f6e283b79a1b974dda1e8fae213efd34930
Author: Andrew Deason <adeason@sinenomine.net>
Date: Mon Jun 10 17:15:27 2013 -0500
auth: Do not always fallback to noauth
Make afsconf_PickClientSecObj error out if we can't construct
localauth tokens (unless the caller explicitly requested rxnull
fallback). afsconf_ClientAuth{,Secure} still falls back, as always.
commit 95d57c74476c5a02ce6d9ca913dcbf88ac5c1143
Author: Ben Kaduk <kaduk@mit.edu>
Date: Tue May 14 19:37:59 2013 -0400
Clean up akimpersonate and use for server-to-server
Since a6d7cacfd, aklog has been able to print a krb5 ticket to
itself for an arbitrary client principal, allowing a user with
access to the cell's krb5 key to get tokens as an arbitrary user.
Now that it is possible to use native krb5 tickets with non-DES
enctypes for authentication, and akimpersonate is available from libauth,
use printed native krb5 tickets for server-to-server communication (as well
as the -localauth versions of the client utilities).
Remove the early call to afsconf_GetLatestKey() in
afsconf_PickClientSecObj() so that we do not end up picking an old DES
key before we try to find a better key to use.
Before doing so, refactor the akimpersonate code to be more usable
and readable, and eliminate some dead code. For example, we always printed
addressless tickets, so that code could be removed. Other code had excessive
stack usage for a library routine, which is eliminated. Use a start time
of 0 instead of 300 so that the printed ticket will always be
detected as infinite-lifetime.
In order to ensure usability on all platforms (in particular Solaris),
provide a couple more compat shims to implement routines which are not
always available from the krb5 library, in particular encode_krb5_ticket
and encode_krb5_enc_tkt_part. Thanks to Andrew Deason for implementing
these compatibility routines.
UKERNEL doesn't need this stuff.
commit 15b77552b22e3ff3e7478008673775a45047f600
Author: Alexander Chernyakhovsky <achernya@mit.edu>
Date: Tue May 14 18:12:08 2013 -0400
Move akimpersonate to libauth
Give it its own source file and header, install the header at
depinstall time, and have aklog get the akimpersonate functionality
from libauth.
Keep the linux box copyright from aklog_main.c (but strip the trailing
whitespace), as that block was added with the akimpersonate code.
Remove all calls to afs_com_err() as is fitting for library code,
to let it build. Do not bother removing curly braces which are
no longer needed; a future cleanup commit will catch that.
commit 1c7fa1405940a136a992d65023cc690b1111ab3e
Author: Chaskiel Grundman <cg2v@andrew.cmu.edu>
Date: Sun Mar 17 21:58:47 2013 -0400
Derive DES/fcrypt session key from other key types
If a kerberos 5 ticket has a session key with a non-DES enctype,
use the NIST SP800-108 KDF in counter mode with HMAC_MD5 as the PRF to
construct a DES key to be used by rxkad.
To satisfy the requirements of the KDF, DES3 keys are first compressed into a
168 bit form by reversing the RFC3961 random-to-key algorithm
Change-Id: I4dc8e83a641f9892b31c109fb9025251de3dcb27
commit 33eecea7db14d06c59e1081b970d4caf0af773ca
Author: Chaskiel Grundman <cg2v@andrew.cmu.edu>
Date: Sun Feb 10 13:27:03 2013 -0500
Integrate keytab-based decryption into afsconf_BuildServerSecurityObjects
Now all servers can have it.
authcon.o grows a krb5 dependency and needs to get KRB5_CPPFLAGS.
Change-Id: I95fecb3f88c19b3d5193ea8200fa20c86ec08ad7
commit 14db1a40e5be3b7325951d002885bbf288d570c1
Author: Chaskiel Grundman <cg2v@andrew.cmu.edu>
Date: Sat Feb 9 12:42:20 2013 -0500
New optional rxkad functionality for decrypting krb5 tokens
An additional, optional mechanism for decrypting krb5-format tokens
is provided that uses the krb5 api with a key from a keytab
instead of using libdes and the AFS KeyFile.
The AIX compat stub for krb5_c_decrypt is contributed by Andrew Deason.
Change-Id: I97c08122c60482b84d602d6fa6482f1d5deef142
commit 5e0cbc930508a697331bad07cc201c1e1985ff84
Author: Chaskiel Grundman <cg2v@andrew.cmu.edu>
Date: Sat Feb 9 12:01:37 2013 -0500
Add rxkad server hook function to decrypt more types of tokens
Allow tokens to be encrypted with algorithms other than DES.
The security object owner must provide an implementation
by calling rxkad_SetAltDecryptProc.
Make sure plainsiz is initialized before calling the alternate decrypt
proc.
User-Visible OpenAFS Changes
OpenAFS 1.6.4
All platforms
* Obey the jumbo/nojumbo settings for ubik servers (the DB servers)
too. In previous releases, those servers may have used jumbograms
even if they were not configured to do so. This change corrects
the actual behaviour, and will improve performance and reliability
for sites where jumbograms are problematic. It could cause a decrease
in performance for sites where jumbograms work, but those can turn
them back on manually.
* Dozens of fixes for common coding problems like use after free,
use of possibly uninitialised memory, reading or writing past the
end of arrays and potential NULL pointer dereferences. Spotted by
code analysis tools or human inspection.
* Documentation improvements.
* Fixes and improvements to the diagnostic or log messages printed by
vos, the fileserver and others.
* Build fixes, making parallel builds more reliable with certain
configuration options and helping various platforms including
recent releases of IRIX, Solaris and several flavours of Linux.
* Avoid sending a small amount of data over the wire unencrypted
under certain conditions, and emit the correct error message in
this case.
All server platforms
* Avoid generating duplicate IDs for readonly and backup volumes,
which could happen under certain conditions.
* Allow the fileserver to return volume data like quota or free space,
which is available publicly elsewhere, without the additional access
check for read permissions on a volume's root directory the fileserver
performed before.
* The fileserver now emits a log message when it ran out of memory for
callbacks.
* Avoid several potential fileserver problems, including memory
corruption and segmentation faults, due to client bookkeeping.
* Avoid known cases of silent data corruption due to background syncs
on the fileserver, especially during Copy on Write.
* Make the fileserver sync behaviour runtime configurable. Up to 1.4.5,
we had synchronous syncs which were safe but really slow. Since 1.4.5,
we've had asynchronous syncs which are much faster but believed to
be the cause of rare data corruption issues, and while all known cases
of these happening are believed to be fixed in the 1.6.3 release, doubts
remain. This change allows choosing between those, and in addition allows
to turn syncs by the fileserver off altogether, thus relying on the vice
partition's backend filesystem and the operating system, or to just
execute them when a volume is detached. The default behaviour is
unchanged from releases since 1.4.5, but it's highly recommended to
consider the additional options this change provides. Future OpenAFS
releases will default to "-sync=none".
* For dbservers, avoid a situation where misinterpreting transient
network errors causes long-term issues with achieving ubik quorum.
All UNIX client platforms
* Improvements to the detection of an aklog-specific krb5 configuration
file, for the purposes of turning on "weak crypto" for aklog.
* Fixed a regression introduced in release 1.6.2 which caused the
supposedly persistent disk cache to be discarded upon client start.
(RT #131655)
Linux clients
* Support Linux kernels up to 3.10
* Fixed two bugs making it impossible to unmount a disk cache filesystem
after it has been used by the client. (RT #131613)
* Fixed a bug that could cause an oops with kernels 3.6 and later
OpenBSD
* Improved support for OpenBSD 4.9 to 5.3
OpenAFS 1.6.3
This release number had to be skipped for technical reasons.
* Improvements for Virtual Machine Image Storage
A number of improvements have been performed to let Gluster volumes provide
storage for Virtual Machine Images. Some of them include:
- qemu / libgfapi integration.
- Causal ordering in write-behind translator.
- Tunables for a gluster volume in group-virt.example.
The above results in significant improvements in performance for VM image
hosting.
* Synchronous Replication Improvements
GlusterFS 3.4 features significant improvements in performance for
the replication (AFR) translator. This is in addition to bug fixes
for volumes that used replica 3.
* Open Cluster Framework compliant Resource Agents
Resource Agents (RA) plug glusterd into Open Cluster Framework
(OCF) compliant cluster resource managers, like Pacemaker.
The glusterd RA manages the glusterd daemon like any upstart or
systemd job would, except that Pacemaker can do it in a cluster-aware
fashion.
The volume RA starts a volume and monitors individual brick's
daemons in a cluster aware fashion, recovering bricks when their
processes fail.
* POSIX ACL support over NFSv3
setfacl and getfacl commands can now be used on an NFS mount that
exports a gluster volume to set or read POSIX ACLs.
* 3.3.x compatibility
The new op-version infrastructure provides compatibility with 3.3.x
release of GlusterFS. 3.3.x clients can talk to 3.4.x servers and
vice versa.
If a volume option that corresponds to 3.4 is enabled, then 3.3
clients cannot mount the volume.
* Packaging changes
New RPMs for libgfapi and OCF RA are present with 3.4.0.
* Experimental Features
- RDMA-connection manager (RDMA-CM)
- New Block Device translator
- Support for NUFA
As experimental features, we don't expect them to work perfectly
for this release, but you can expect them to improve dramatically
as we make successive 3.4.x releases.
* Minor Improvements:
- The Ext4 file system change which affected readdir workloads for
Gluster volumes has been addressed.
- More options for selecting read-child with afr available now.
- Custom layouts possible with distribute translator.
- No 32-aux-gid limit
- SSL support for socket connections.
- Known issues with replica count greater than 2 addressed.
- quick-read and md-cache translators have been refactored.
- open-behind translator introduced.
- Ability to avoid glusterfs bind to reserved ports.
- statedumps are now created in /var/run/gluster instead of /tmp by default.
Upstream changes:
0.031 2013-08-27 10:03:57 America/New_York
[FIXED]
- parent() on paths with internal double dots (e.g. /foo..bar.txt) now works
correctly
0.030 2013-08-20 16:10:04 America/New_York
[FIXED]
- t/zzz-spec.t used getcwd() instead of getdcwd(), which breaks
on Windows if the build directory isn't on the 'C' drive
0.029 2013-08-19 11:52:24 America/New_York
[FIXED]
- On Win32, "C:/" no longer is changed to "C:". Also, "C:" is
converted to the absolute path of cwd on the "C:" volume. UNC paths
("//server/share/") now retain their trailing slash to correctly
distinguish volume and directory paths when split
0.028 2013-08-14 13:12:49 America/New_York
[ADDED]
- The 'children()' method now takes an optional regular expression to
filter the results
Upstream changes:
0.027 2013-07-25 19:38:44 America/New_York
[ADDED]
- Added the 'digest' method to produce a hexadecimal SHA-256
(or user-specified) digest of a file
0.026 2013-07-14 21:25:22 America/New_York
[FIXED]
- Fixed bug where lines() with a count longer than the
file would return undef for the extra lines. Now returns
only the lines in the file if the count is greater than
the number of lines.
0.025 2013-07-10 09:32:13 America/New_York
[FIXED]
- Spew to an existing symlink now atomically replaces
the resolved destination, not the symlink
are replaced with .include "../../devel/readline/buildlink3.mk", and
USE_GNU_READLINE are removed,
* .include "../../devel/readline/buildlink3.mk" without USE_GNU_READLINE
are replaced with .include "../../mk/readline.buildlink3.mk".
into filesystems/p5-MooseX-Types-Path-Tiny.
This module provides Path::Tiny types for Moose. It handles two important
types of coercion:
* coercing objects with overloaded stringification
* coercing to absolute paths
It also can check to ensure that files or directories exist.
filesystems/p5-Path-Tiny.
This module attempts to provide a small, fast utility for working with
file paths. It is friendlier to use than File::Spec and provides easy
access to functions from several other core file handling modules.
It doesn't attempt to be as full-featured as IO::All or Path::Class,
nor does it try to work for anything except Unix-like and Win32 platforms.
Even then, it might break if you try something particularly obscure or
tortuous. (Quick! What does this mean: ///../../..//./././a//b/.././c/././?
And how does it differ on Win32?)
All paths are forced to have Unix-style forward slashes. Stringifying the
object gives you back the path (after some clean up).
File input/output methods flock handles before reading or writing, as
appropriate.
The *_utf8 methods (slurp_utf8, lines_utf8, etc.) operate in raw mode
without CRLF translation. Installing Unicode::UTF8 0.58 or later will speed
up several of them and is highly recommended.
It uses autodie internally, so most failures will be thrown as exceptions.
filesystems/p5-Module-Path.
Module::Path provides a single function, module_path(), which will find
where a module is installed locally.
It works by looking in all the directories in @INC for an appropriately
named file:
* Foo::Bar becomes Foo/Bar.pm, using the correct directory path
separator for your operating system.
* Iterate over @INC, ignoring any references (see "require" in
"perlfunc" if you're surprised to hear that you might find references
in @INC).
* For each directory in @INC, append the partial path (Foo/Bar.pm),
again using the correct directory path separator. If the resulting
file exists, return this path.
* If no file was found, return undef.
I don't think we can assume that ufs headers will be included in all cases
when this file is included, so do it unconditionally. This will fail on
6.99 from before ROOTINO turned into UFS_ROOTINO; if anyone wants to
figure out how to make a more precise check, be my guest.
to address issues with NetBSD-6(and earlier)'s fontconfig not being
new enough for pango.
While doing that, also bump freetype2 dependency to current pkgsrc
version.
Suggested by tron in PR 47882
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package
Like last time, where this caused no complaints.
Release 1.10.0 (2013-05-01)
'''''''''''''''''''''''''''
New Features
------------
- The Welcome page has been redesigned. This is a preview of the design style
that is likely to be used in other parts of the WUI in future Tahoe-LAFS
versions. (`#1713`_, `#1457`_, `#1735`_)
- A new extensible Introducer protocol has been added, as the basis for
future improvements such as accounting. Compatibility with older nodes is
not affected. When server, introducer, and client are all upgraded, the
welcome page will show node IDs that start with "v0-" instead of the old
tubid. See `<docs/nodekeys.rst>`__ for details. (`#466`_)
- The web-API has a new ``relink`` operation that supports directly moving
files between directories. (`#1579`_)
Security Improvements
---------------------
- The ``introducer.furl`` for new Introducers is now unguessable. In previous
releases, this FURL used a predictable swissnum, allowing a network
eavesdropper who observes any node connecting to the Introducer to access
the Introducer themselves, and thus use servers or offer storage service to
clients (i.e. "join the grid"). In the new code, the only way to join a
grid is to be told the ``introducer.furl`` by someone who already knew it.
Note that pre-existing introducers are not changed. To force an introducer
to generate a new FURL, delete the existing ``introducer.furl`` file and
restart it. After doing this, the ``[client]introducer.furl`` setting of
every client and server that should connect to that introducer must be
updated. Note that other users of a shared machine may be able to read
``introducer.furl`` from your ``tahoe.cfg`` file unless you configure the
file permissions to prevent them. (`#1802`_)
- Both ``introducer.furl`` and ``helper.furl`` are now censored from the
Welcome page, to prevent users of your gateway from learning enough to
create gateway nodes of their own. For existing guessable introducer
FURLs, the ``introducer`` swissnum is still displayed to show that a
guessable FURL is in use. (`#860`_)
Command-line Syntax Changes
---------------------------
- Global options to ``tahoe``, such as ``-d``/``--node-directory``, must now
come before rather than after the command name (for example,
``tahoe -d BASEDIR cp -r foo: bar:`` ). (`#166`_)
Notable Bugfixes
----------------
- In earlier versions, if a connection problem caused a download failure for
an immutable file, subsequent attempts to download the same file could also
fail. This is now fixed. (`#1679`_)
- Filenames in WUI directory pages are now displayed correctly when they
contain characters that require HTML escaping. (`#1143`_)
- Non-ASCII node nicknames no longer cause WUI errors. (`#1298`_)
- Checking a LIT file using ``tahoe check`` no longer results in an
exception. (`#1758`_)
- The SFTP frontend now works with recent versions of Twisted, rather than
giving errors or warnings about use of ``IFinishableConsumer``. (`#1926`_,
`#1564`_, `#1525`_)
- ``tahoe cp --verbose`` now counts the files being processed correctly.
(`#1805`_, `#1783`_)
- Exceptions no longer trigger an unhelpful crash reporter on Ubuntu 12.04
("Precise") or later. (`#1746`_)
- The error message displayed when a CLI tool cannot connect to a gateway has
been improved. (`#974`_)
- Other minor fixes: `#1781`_, `#1812`_, `#1915`_, `#1484`_, `#1525`_
Other Changes
-------------
- The provisioning/reliability pages were removed from the main client's web
interface, and moved into a standalone web-based tool. Use the ``run.py``
script in ``misc/operations_helpers/provisioning/`` to access them.
- Web clients can now cache (ETag) immutable directory pages. (`#443`_)
- `<docs/convergence_secret.rst>`__ was added to document the administration
of convergence secrets. (`#1761`_)