|
| 1 | +# Fluxheim 0.5.0 Release Notes |
| 2 | + |
| 3 | +## Version |
| 4 | + |
| 5 | +- Version: `0.5.0` |
| 6 | +- Release date: 2026-05-06 |
| 7 | +- Git tag: `v0.5.0` after release validation |
| 8 | +- Git commit: fill in from `git rev-parse HEAD` before tagging |
| 9 | +- License: EUPL-1.2 |
| 10 | + |
| 11 | +## Scope |
| 12 | + |
| 13 | +Fluxheim `0.5.0` is the basic-sites preview. It is intended for normal static |
| 14 | +HTML websites and simple whole-vhost reverse proxying with static TLS |
| 15 | +certificates. |
| 16 | + |
| 17 | +Stable preview scope: |
| 18 | + |
| 19 | +- static web serving for HTML, CSS, JavaScript, images, fonts, and other normal |
| 20 | + site assets; |
| 21 | +- vhost routing by Host header; |
| 22 | +- static downstream TLS certificates, with rustls as the default backend; |
| 23 | +- optional global HTTP-to-HTTPS redirect; |
| 24 | +- simple whole-vhost reverse proxying to one upstream; |
| 25 | +- request/header/body limits; |
| 26 | +- default `Server: fluxheim` response header, removable by config; |
| 27 | +- secure header mutation policy; |
| 28 | +- static cache headers, ETag, conditional requests, and byte ranges; |
| 29 | +- rootless Podman/container examples for Wolfi, Alpine, SUSE Micro, and Debian |
| 30 | + runtime variants; |
| 31 | +- RPM packaging spec for RHEL/openSUSE-style builds from vendored Cargo |
| 32 | + dependencies; |
| 33 | +- release checks for formatting, linting, tests, dependency policy, advisory |
| 34 | + policy, CodeQL, and local smoke coverage. |
| 35 | + |
| 36 | +Default Cargo features: |
| 37 | + |
| 38 | +- `proxy` |
| 39 | +- `web` |
| 40 | +- `cache` |
| 41 | +- `tls-rustls` |
| 42 | +- `security` |
| 43 | + |
| 44 | +## Highlights |
| 45 | + |
| 46 | +- Basic vhost static hosting and simple reverse proxying are now documented as |
| 47 | + the preview release promise. |
| 48 | +- Container deployment examples include explicit graceful shutdown settings so |
| 49 | + normal `podman compose down` does not fall back to `SIGKILL`. |
| 50 | +- The public `1.0.0` target is now defined as the gateway-ready release needed |
| 51 | + for representative real multi-site configs. |
| 52 | + |
| 53 | +## Security And Stability Gate |
| 54 | + |
| 55 | +Fill this in immediately before tagging: |
| 56 | + |
| 57 | +- Gate command: `scripts/stable_release_gate.sh check` or stronger |
| 58 | +- Gate report directory: |
| 59 | +- Result: |
| 60 | +- `cargo audit` result: |
| 61 | +- `cargo deny check` result: |
| 62 | +- TLS scan result: |
| 63 | +- Load smoke result: |
| 64 | +- Request-framing smoke result: |
| 65 | +- Fuzz target compile result: |
| 66 | +- Podman smoke result: |
| 67 | + |
| 68 | +## Reviewed Advisory Exceptions |
| 69 | + |
| 70 | +- `protobuf < 3.7.2` may appear transitively through Pingora dependencies until |
| 71 | + upstream updates. Do not accept this exception silently: record the exact |
| 72 | + dependency path from `cargo audit`, confirm whether Fluxheim parses |
| 73 | + attacker-supplied protobuf through that dependency in this release, and remove |
| 74 | + the exception as soon as the upstream fix is available. |
| 75 | + |
| 76 | +## Breaking Changes |
| 77 | + |
| 78 | +- This is a pre-`1.0.0` preview release. Config shape and behavior may still |
| 79 | + change when the change improves security or the `1.0.0` gateway target. |
| 80 | + |
| 81 | +## Upgrade Notes |
| 82 | + |
| 83 | +- Prefer `upstreams = ["host:port"]` over the older single `upstream = "host:port"` |
| 84 | + field. Do not configure both in the same proxy block. |
| 85 | +- Use `[headers.*.add]`/`remove` for user-friendly header changes. The older |
| 86 | + `set`/`unset` names remain compatible. |
| 87 | +- For containers, keep the container stop timeout higher than |
| 88 | + `server.process.grace_period_seconds + graceful_shutdown_timeout_seconds`. |
| 89 | + |
| 90 | +## Known Limitations |
| 91 | + |
| 92 | +These are intentional `1.0.0` blockers, not `0.5.0` promises: |
| 93 | + |
| 94 | +- no multi-certificate SNI selection at runtime yet; |
| 95 | +- no route/location layer yet; |
| 96 | +- no route-level redirect/proxy/static actions yet; |
| 97 | +- no websocket-specific upgrade support yet; |
| 98 | +- no per-route body limits or upstream timeouts yet; |
| 99 | +- no custom upstream error pages yet; |
| 100 | +- no static alias or directory listing support yet; |
| 101 | +- no runtime ACME issuance yet. |
| 102 | + |
| 103 | +## Container Images |
| 104 | + |
| 105 | +Planned image tags after release validation: |
| 106 | + |
| 107 | +- GitHub Container Registry: `ghcr.io/valkyoth/fluxheim:v0.5.0-wolfi` |
| 108 | +- GitHub Container Registry: `ghcr.io/valkyoth/fluxheim:v0.5.0-alpine` |
| 109 | +- GitHub Container Registry: `ghcr.io/valkyoth/fluxheim:v0.5.0-suse-micro` |
| 110 | +- GitHub Container Registry: `ghcr.io/valkyoth/fluxheim:v0.5.0-debian` |
| 111 | +- Docker Hub: matching variant tags when Docker Hub credentials are configured |
| 112 | +- Runtime user: `65532:65532` by default |
| 113 | +- Default config path: `/etc/fluxheim/fluxheim.toml` |
| 114 | +- Static site path: operator-mounted, commonly `/srv/sites/...` |
| 115 | +- Cache path: `/var/cache/fluxheim` |
| 116 | +- State path: `/var/lib/fluxheim` |
| 117 | + |
| 118 | +## RPM Packaging |
| 119 | + |
| 120 | +The release includes [packaging/rpm/fluxheim.spec](packaging/rpm/fluxheim.spec) |
| 121 | +and [packaging/rpm/fluxheim.tmpfiles](packaging/rpm/fluxheim.tmpfiles). |
| 122 | + |
| 123 | +The spec expects a source tarball plus a vendored Cargo dependency tarball, then |
| 124 | +builds with `cargo --offline`: |
| 125 | + |
| 126 | +```bash |
| 127 | +cargo vendor vendor > /tmp/fluxheim-cargo-config.toml |
| 128 | +tar -czf fluxheim-0.5.0-vendor.tar.gz vendor |
| 129 | +``` |
| 130 | + |
| 131 | +The default RPM feature set is `profile-core`. Builders can override it with: |
| 132 | + |
| 133 | +```bash |
| 134 | +rpmbuild -ba packaging/rpm/fluxheim.spec --define 'fluxheim_features profile-static-site' |
| 135 | +``` |
| 136 | + |
| 137 | +## Checksums And Signatures |
| 138 | + |
| 139 | +Fill this in during the release: |
| 140 | + |
| 141 | +- Source archive checksum: |
| 142 | +- Binary checksums: |
| 143 | +- Container digests: |
| 144 | +- Tag signature: |
0 commit comments