Skip to content

Releases: valkyoth/fluxheim

Fluxheim 1.7.12

Choose a tag to compare

@eldryoth eldryoth released this 16 Jul 10:22
Immutable release. Only release title and notes can be modified.
v1.7.12
ab02c4f

Fluxheim 1.7.12 Release Notes

Fluxheim 1.7.12 adds standards-based response metadata generated from native
runtime outcomes and final response bytes. It also adds reproducible,
CI-only proof environments for both FIPS-capable TLS backend profiles.

All new response metadata remains opt-in. Existing configurations and response
headers are unchanged unless an operator enables the new metadata policy.

Snapshot Lifecycle Proof and Hardening

  • Add a dedicated real-binary smoke that captures a running baseline through
    the authenticated admin API, publishes and live-applies a candidate config,
    verifies changed serving behavior, performs a live rollback, runs snapshot
    integrity doctor, and proves the rolled-back current pointer survives restart.
  • Serialize snapshot candidates behind one clone-shared admission lock, bounding
    concurrent near-limit serialization buffers without creating store state for
    rejected oversized candidates.
  • Create snapshot directories as 0700 at the operating-system creation call,
    closing the permissive-umask interval before any follow-up mode enforcement.
  • Build a complete replacement host router before atomically swapping it into
    the native listener. Snapshot-safe reload and rollback now affect real data
    plane requests while each in-flight HTTP/1 or HTTP/2 request retains one
    router generation across all handler phases.
  • Reject live router replacement while background load-balancer health or
    discovery services are active, avoiding a router/service state split; use a
    zero-downtime process upgrade for those deployments.

Standards-Based Response Metadata

  • Add RFC 9211 Cache-Status derived from actual cache results, including hit,
    URI miss/store, stale forwarding, revalidation, expiry, and bypass outcomes.
  • Add RFC 9209 Proxy-Status for Fluxheim-generated proxy failures using only
    standardized low-cardinality error tokens.
  • Require a bounded Structured Fields token as the public Fluxheim deployment
    identifier when either status field is enabled.
  • Do not expose cache keys, internal storage tiers, policy reasons, backend
    addresses, DNS names, certificate details, or raw error strings.
  • Preserve existing origin status members and append Fluxheim's member, making
    multi-proxy status chains visible only when the operator explicitly opts in.

Example:

[headers.response.metadata]
identifier = "edge-gateway"
cache_status = true
proxy_status = true
content_digest = true
repr_digest = true

The metadata policy inherits through global, vhost, and route response-header
configuration. Every field defaults to disabled.

Response Digests

  • Add RFC 9530 SHA-256 Content-Digest over final HTTP message content.
  • Add Repr-Digest only when Fluxheim holds a complete selected
    representation: a complete GET response with status 200, no range, and a
    body consistent with its declared content length.
  • Compute digest fields after Fluxheim compression so they describe the bytes
    actually delivered to the client.
  • Suppress Repr-Digest for HEAD, 206, 304, and other incomplete
    representation paths instead of guessing an unseen full representation.
  • Cover bodyless HEAD and 304 content as empty message content and cover a
    206 response's returned range with Content-Digest.
  • Remove origin digest fields when Fluxheim compression changes the body and
    digest generation is disabled, preventing stale integrity metadata.
  • Apply digest metadata once after Wasm response-header hooks, and share one
    SHA-256 computation when both digest fields describe the same bytes.
  • Compute immutable cache-body digests once when objects are stored and reuse
    them for memory and disk hits. New disk metadata is versioned and existing
    v1 and v2 cache objects remain readable.
  • Invalidate a precomputed cache digest whenever compression replaces the body,
    then hash the final encoded bytes before emission.

The native response model remains bounded and buffered. Digest generation
hashes the final response buffer without another body copy; unbuffered digest
trailers are not part of this release.

Wasm Loader Hardening

  • Require SHA-256 pins at the final public manifest and loader boundary for
    access-decision, route-decision, and cache-store phases, matching the
    existing configuration invariant.
  • Remove detached Wasmtime compilation workers. Compilation is synchronous,
    limited to two process-wide startup/reload slots, and releases its permit
    before an over-deadline result is returned.
  • Add max_compiled_artifact_bytes, defaulting to 32 MiB and capped at 256
    MiB, and reject compiled modules above that ceiling before registry
    admission.
  • Document compile_timeout_ms accurately as an in-process result deadline,
    not native compiler preemption; hard cancellation requires future
    process-isolated compilation and execution.
  • Open plugin files with no-follow/reparse-point semantics during validation,
    retain that exact regular-file handle, and read module bytes from it without
    reopening the pathname. This closes final-file replacement races on Windows,
    ReFS, Unix, and macOS without identity inference or unsafe code.

Downstream TLS Hardening

  • Add optional tls.client_auth.crl_path support to rustls and OpenSSL with an
    8 MiB input bound, a 1-to-64 PEM CRL bundle limit, strict full-chain
    revocation, and expired-CRL rejection. Root/intermediate/client regression
    handshakes prove hierarchical mTLS succeeds only when every required issuer
    CRL is present.
  • Require a CRL bundle when required client authentication is combined with a
    FIPS/ISO-required compliance mode; ordinary client auth retains explicit
    opt-in revocation behavior.
  • Stage OpenSSL CRLs from the exact bounded bytes already admitted by Fluxheim,
    preventing an OpenSSL pathname reopen from bypassing input admission.
  • Index one-label wildcard SNI certificates by normalized suffix, replacing an
    attacker-triggerable linear scan with expected constant-time lookup.
  • Build complete, policy-equivalent OpenSSL contexts for every SNI certificate
    and atomically switch contexts during ClientHello processing. Certificate/key
    mismatches now reject reload before the active context store is replaced.
  • Parse OpenSSL client-auth policy once per SNI store generation, share admitted
    CA objects across contexts, reject projected active-plus-reload policy input
    above 128 MiB, and divide a 4096-entry session cache budget across contexts.
  • Serialize OpenSSL SNI reload construction and attach generation leases to
    selected SSL connections. A reload that would create a third live generation
    now marks the oldest generation for drain; native OpenSSL HTTP/1, HTTP/2, and
    takeover streams use per-connection wake registrations so every retained
    connection closes before a bounded automatic retry. Reloads still fail closed
    if the generation cannot drain within 10 seconds. The connection lease uses
    one process-global OpenSSL ex-data index, preventing index growth when
    certificate stores are reconstructed in-process. Every attachment is read
    back immediately, and Fluxheim terminates if OpenSSL cannot preserve the
    lease.

Shared Cache Policy Hardening

  • Always bypass shared-cache lookup and storage for requests carrying
    Authorization or Proxy-Authorization.
  • Parse response Cache-Control as a strict quoted-string-aware policy,
    prioritize s-maxage over max-age, and reject malformed or conflicting
    security/freshness directives instead of falling back to configured TTLs.
  • Parse response Cache-Control without a directive vector and reject more
    than 16 KiB or 128 directives cumulatively.
  • Remove unused compatibility helpers that could collapse malformed freshness
    into an absent policy or split quoted extension values at commas.
  • Preserve the first received Age list member when calculating peer-fill
    remaining freshness.
  • Persist mandatory-revalidation state with native disk-cache metadata and
    prohibit stale reuse for must-revalidate, proxy-revalidate, and
    s-maxage; v1 and v2 metadata remain readable and derive the restriction
    from stored response headers.
  • Require one consistent satisfied Content-Range and Content-Length before
    range admission, reject impossible totals and duplicate metadata, and make
    zero-sized public slice planning return no slices instead of dividing by
    zero.
  • Reject percent-decoded forward-path segments that are not canonical UTF-8 or
    contain encoded Unicode control characters, preventing disagreement with
    permissive upstream decoders.
  • Detect symlinks in every existing configured web-path prefix even when a
    later child is absent, and deny non-UTF-8 dotfile components by their OS path
    representation.
  • Bound storage-bin manifests to 4 KiB and use no-follow, nonblocking regular
    file reads so oversized or special persistent files fail closed at startup.

Native Buffer and Cache-Encryption Hardening

  • Add server.limits.max_buffered_request_body_bytes, defaulting to 1GiB, as
    one weighted process-wide admission budget shared by HTTP/1 and HTTP/2.
    Fluxheim reserves validated Content-Length values in 64 KiB units and grows
    unknown-length HTTP/1 chunked and HTTP/2 reservations before each buffer
    extension. Public native-server handlers without an explicit policy share a
    mandatory 1 GiB process budget, and pinned HTTP/1 handlers provide the
    effective request budget. Exhaustion returns a bounded 503 with retry
    guidance.
  • Move content-length bodies out of the reusable HTTP/1 parser buffer without
    constructing a second full-body copy, release oversized connection-buffer
    capacity before keep-alive, and clear full body and chunk-decoder
    allocations through sanitization.
    ...
Read more

Fluxheim 1.7.11

Choose a tag to compare

@eldryoth eldryoth released this 14 Jul 16:24
Immutable release. Only release title and notes can be modified.
v1.7.11
8454031

Fluxheim 1.7.11 Release Notes

Fluxheim 1.7.11 delivers the zero-downtime process-upgrade slice after the
stable 1.7 Wasm policy milestones. It combines bounded native drain, strict
listener inheritance, readiness-gated handoff, and tested native and Podman
deployment patterns.

The release also completes the native HTTP/1 parser audit and tightens critical
background-service ownership without changing operator configuration defaults.

Added

  • Track accepted native HTTP, HTTPS, HTTP/2, and Unix-listener connections so
    shutdown stops new accepts while established connections drain.
  • Apply server.process.grace_period_seconds and
    server.process.graceful_shutdown_timeout_seconds in the native runtime.
  • Add live regressions for keep-alive drain behavior and bounded shutdown.
  • Add a real-binary SIGTERM smoke to the maintained native HTTP/1 gate and
    human test launcher.
  • Document the native binary, systemd socket-activation, and Podman blue/green
    handoff boundaries before exposing upgrade automation.
  • Adopt public HTTP/HTTPS TCP listeners from the standard systemd FD-3
    protocol, requiring a matching LISTEN_PID, bounded descriptor count, and
    exact one-for-one launch-plan address match.
  • Add unit coverage for malformed activation metadata and real-socket adoption,
    plus a real-binary smoke that serves through an inherited listener and proves
    malformed activation fails closed.
  • Report systemd readiness only after native listener/background-service startup
    completes, fail startup if a configured notification socket is unreachable,
    and report bounded-drain status after a shutdown signal.
  • Exercise an old and new Fluxheim process on one parent-owned listener. The
    maintained smoke proves a bad replacement leaves old serving, green readiness
    precedes drain, established old traffic completes, and new requests have no
    connection-refusal window.
  • Ship an optional RPM/systemd socket unit for the packaged port-80 listener.
    It remains disabled by default so existing direct-binding deployments do not
    change behavior during package installation.
  • Add a real rootless-Podman blue/green smoke. It verifies that direct published
    ports cannot be atomically replaced, then proves the supported stable-front
    pattern with failed-green rollback and old keep-alive drain.
  • Wait for every configured background service to reach its explicit ready
    point before systemd receives READY=1; a service that exits first makes the
    replacement fail closed and leaves the old generation serving.
  • Reject inherited descriptors that are not listening TCP sockets, including a
    live regression using a connected stream bound to the expected address.
  • Defer public/admin accept loops until background readiness succeeds, and add
    a live late-failure replacement test proving the old generation serves every
    request while the replacement aborts.
  • Explicitly abort outstanding listener and background tasks at the drain
    timeout instead of relying on whole-process teardown.
  • Remove listenfd from socket activation and receive descriptors through a
    focused Fluxheim crate with environment clearing disabled, preserving memory
    safety for multithreaded and embedded runtimes.
  • Claim inherited systemd descriptors exactly once per process and own the
    complete set before validating any item. Concurrent calls and retries fail
    before touching FD 3, while validation failures close the complete set.

Fixed

  • Use one validated HTTP/1 authority for routing, authorization, forwarding,
    and cache partitioning. Conflicting absolute-form authority and Host,
    malformed ports/IPv6/host syntax, non-HTTP absolute targets, and malformed
    absolute URIs now fail before request dispatch.
  • Reject every HTTP/1.0 Transfer-Encoding message before evaluating
    keep-alive. Chunked decoding now bounds encoded bytes, line length, extension
    bytes, and chunk count, validates extension grammar, streams decoded data into
    caller-owned output, and preserves identical parser results across every
    fragmented-read boundary, including a split terminal CRLF at the line limit.
  • Return only a semantically validated public HTTP/1 request-head type. Host and
    authority agreement, request-target grammar, body framing, and persistence
    are resolved before callers can inspect or route a request.
  • Enforce the RFC 3986 ASCII path/query grammar and reject malformed raw or
    percent-encoded target characters before routing.
  • Reject origin response status codes outside 100..=599, oversized PROXY v1
    lines, and PROXY v2 payloads that exceed policy or differ from the declared
    frame length.
  • Prevent construction of unvalidated protocol headers, share one bounded
    Connection option parser with hop-by-hop filtering, and add dedicated fuzz
    targets for HTTP/1 request/response heads, request targets, chunk bodies, and
    PROXY v1/v2 frames.
  • Route HTTP/2 requests exclusively by :authority; supplied Host fields are
    replaced and requests without authority fail closed.
  • Remove all fixed and Connection-nominated hop-by-hop origin response
    headers before delivery or cache admission, and reject malformed options.
  • Read through at most eight HTTP/1 informational origin responses to the final
    response, reject generic status 101, and reject transfer-coding chains that
    Fluxheim cannot decode completely.
  • Prevent oversized embedded HTTP/1 connection limits from reaching Tokio's
    panicking semaphore constructor.
  • Accept only ownership-checked critical task handles in the runtime watchdog.
    Attempted noncritical registration returns the original live handle instead
    of dropping it and cancelling cache, metrics, certificate, or maintenance
    services.
  • Stop accepting caller-controlled executable and temporary-root paths in the
    zero-downtime and Podman blue/green smoke helpers. Their executable and
    secure workspace locations are now derived from fixed repository paths and
    Python-managed mode-0700 temporary directories, resolving the associated
    CodeQL command/path alerts.
  • Poll the final SWR disk-cache assertion for a bounded interval so the smoke
    observes the supported asynchronous memory-publish/disk-persistence order
    without masking a disk-store failure.

Build And Packaging

  • Pin the source, container build images, and RPM build prerequisite to the
    Rust 1.97 toolchain line.
  • Include the disabled-by-default fluxheim.socket systemd unit in the RPM
    payload alongside the documented activation workflow.
  • Update the interactive RPM build menu to Fedora 44 and openSUSE Leap 16.0,
    removing the end-of-life openSUSE Leap 15 target.

Checksums And Signatures

  • Commit: 84540314dc9a7e5cf8612794a522e8b14fccddeb
  • Local gate: GitHub CI green before tag; local release metadata checks passed
  • CodeQL/code scanning: no open release-blocking alerts before tag
  • Source archive checksums:
    • b545fb74282dfb88c92975cfe440595e0594f257168cc123b095f02cc47966ea fluxheim-1.7.11.tar.gz
    • 4e9c5c3b40cb5206c60db4e751d12aa791883a7374158f4a625b8e1b7524e456 fluxheim-1.7.11.zip
  • Binary checksums:
    • x86_64:
      • 2c8113a62cde403c7273109498a11bdca33071d4399a1834c4890ac59aa1b7d8 fluxheim-1.7.11-full-x86_64-linux.tar.gz
      • 2edb19f1de60d34a15246c220d17e89279c362ae1a93159d6de6e737612731d6 fluxheim-1.7.11-cache-x86_64-linux.tar.gz
      • 117ea4b893780341a2901317226872de7a818eb4e6526db713598115eb4bbd06 fluxheim-1.7.11-proxy-x86_64-linux.tar.gz
      • 271d3023e53eb9315a8b1d969ab8f699187214541dfb38b0467e1e3687828586 fluxheim-1.7.11-php-x86_64-linux.tar.gz
      • 922b084081c3cab14b88a997d205d7bbb874d6971adec091aa900c3f2d137cab fluxheim-1.7.11-load-balancer-x86_64-linux.tar.gz
      • 08e1c9feabab948dcfd1d1e78257e2d3f3f01e4b635c9cfae7f8f37542adf95d fluxheim-1.7.11-config-tester-x86_64-linux.tar.gz
    • aarch64:
      • 5539770bbb5ebc019d4449f93162b31a91b867f8708ee2c083138aa5da5f8016 fluxheim-1.7.11-full-aarch64-linux.tar.gz
      • 8e50c4e449660e90c883e33dcb881f0e6698c34d2efea360f83c6d3cedadd16e fluxheim-1.7.11-cache-aarch64-linux.tar.gz
      • 37dbd18c69539f3d40a23531d35a17e7114f094c370b06d3a9bcc750239c42e3 fluxheim-1.7.11-proxy-aarch64-linux.tar.gz
      • 63b5dab23d90d8016f447ce10ccf8796c0054b9ebd027574887d7eeaed2341ac fluxheim-1.7.11-php-aarch64-linux.tar.gz
      • 59d093cf525342a2760eec862122acba06b0586c6882dbc76178c053cec1f545 fluxheim-1.7.11-load-balancer-aarch64-linux.tar.gz
      • 89ec881a295f9d540fdd25793cc72b46a840122bd0e7fd071ee69dfc44e2a1a1 fluxheim-1.7.11-config-tester-aarch64-linux.tar.gz
    • macos:
      • a0eafba22b32b6b52ea11e92b024d47917ccbc521ab4485ca024843fb7da5979 fluxheim-1.7.11-dev-aarch64-macos.tar.gz
  • SBOM checksums:
    • 3cc60d910662e8a0b27e7983018f4142be8885c5d351a0ceefee8f9d3e61f808 fluxheim.spdx.json
    • d5b2602ac67a5a22aea165a83eaa6d1795816bd470153a803081e7fd8e5f4005 fluxheim.cyclonedx.json
  • Reproducible build:
    • 67b7a6d2181d3a70eaf2ec57633be0b68b3d3590c7d111b51c9d131de5db25b5 x86_64
    • 04b411f414e3b483d098105f55297975e8b64b49be6d4580afe6e18d93b1e7ed aarch64
    • c7ad1341dfc352983cda3dc7c8248333feff61cb2a389a7a76f48721b1d88d53 macos
  • Full Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:1341df75e492bb96f7a6fdb55efe5f9666ca12362a53827c83dc61f5150221ec
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:268353ea6d3690c566df0996da011e6f4dad8ca326e10e46142965d666fc58ed
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:9be2dde57c30e1c82921f60ed63a2740870e4124c50e29edff0036f646be7e65
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:17c86052db91cf7ed1d195c30b2bc2ac8593e0a4852b8243cf85ac817d653f90
  • Cache Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:2d2b58d42008ebd651acf9fb5b922d46fb1cdf186f3e5ebd48fd848e8c0b3a43
    • Alpine: `ghcr.io/valkyoth/fluxheim@sha256:1...
Read more

Fluxheim 1.7.10

Choose a tag to compare

@eldryoth eldryoth released this 13 Jul 10:32
Immutable release. Only release title and notes can be modified.
v1.7.10
e86a4ec

Fluxheim 1.7.10 Release Notes

Fluxheim 1.7.10 is the stabilization and release-gate hardening release for
the 1.7 WebAssembly policy line. It turns the documented migration examples
into explicit operator-selectable and release-gated acceptance evidence while
keeping the typed policy ABI constrained.

Added

  • Expose focused scripts/test_starter.py entries for F5 iRules-style,
    nginx Lua/OpenResty-style, HAProxy Lua/SPOE-style, and VCL-like Wasm policy
    examples.
  • Keep focused and aggregate Wasm policy checks on one implementation path,
    and validate that the deep release gate requires the complete Wasm smoke.
  • Audit every guest-controlled symbolic ID decoder for total, panic-free
    behavior over arbitrary integer inputs.
  • Make the in-process native host-callback contract explicit: finite symbolic
    operations only, with blocking I/O and third-party callback code requiring a
    future killable subprocess boundary.
  • Add opt-in response-hardening profiles and typed modern browser policy fields
    without changing the default response behavior.
  • Add validated request-aware CORS, local preflight handling, correct dynamic
    Vary, and live listener evidence that preflights do not reach the origin.
  • Add bounded Retry-After guidance to generated capacity-limit responses.

Compatibility Boundary

  • Fluxheim provides bounded capability mappings, not source-syntax or runtime
    compatibility with iRules, Lua/OpenResty, SPOE, or VCL.
  • New host capabilities that require blocking I/O or third-party native
    callback code remain out of process until a killable, bounded IPC runner is
    designed and proven.

Fixed

  • Strip the historical Proxy-Connection hop-by-hop header on native HTTP/1
    and HTTP/2 upstream paths through one shared header policy.
  • Strip Envoy, original-forwarding, Azure, Fly, proxy-user, and forwarded client
    certificate identity headers before trusted replacements are generated.
  • Treat the first Set-Cookie segment only as the cookie name/value pair, so
    cookies named Domain or Path are not mistaken for attributes.
  • Preserve closing quotes and trailing syntax while rewriting quoted exact-
    origin Refresh URLs.
  • Enforce CORS method allowlists on actual responses and serialize bounded
    Reporting-Endpoints dictionaries with strict keys and HTTPS collectors.

Security

  • Strip the distinct spoofable Client-IP identity header, including in
    privacy-mode request sanitization.
  • Reject repeated, embedded, and unbalanced quotes plus bracketed IPv4 in
    trusted X-Forwarded-For chains instead of normalizing malformed hops.
  • Make Forwarded construction fallible, use a typed HTTP/HTTPS protocol, and
    reject invalid host values before producing an upstream header.
  • Add a compile-gated fuzz target for trusted forwarding parsing, Forwarded
    construction, hop-by-hop policy, Refresh, and Set-Cookie rewrites.

Checksums And Signatures

  • Commit: e86a4ecc1c6dd7c2bf62f3920a643b5a44bfe06a
  • Local gate: GitHub CI green before tag; local release metadata checks passed
  • CodeQL/code scanning: no open release-blocking alerts before tag
  • Source archive checksums:
    • bd1e69759083bd082591821ee57934299f0878fff94686f2e2d8eff7862d3918 fluxheim-1.7.10.tar.gz
    • 7b32171a101fc105a6a1b2bcf05092177d28f66071df35e314ceefa2c5bf05f7 fluxheim-1.7.10.zip
  • Binary checksums:
    • x86_64:
      • d0da284b57d77d5699de4e25505e92db2ef9025e665fbd764b48d56fcbcc21cf fluxheim-1.7.10-full-x86_64-linux.tar.gz
      • 48186cc930922680fdc58d47aaf08e1a026d947181f50387bc15f4f72198cf86 fluxheim-1.7.10-cache-x86_64-linux.tar.gz
      • 337698ab3d79665ff4175daf0f223862a327ceaa95e02178a522ea80ca813e1f fluxheim-1.7.10-proxy-x86_64-linux.tar.gz
      • 52e330a6572e42178c642cf17908e68736924e141dd03565fe94c0f5dfe2661b fluxheim-1.7.10-php-x86_64-linux.tar.gz
      • eb35faa2a586f0a859f1e2a963b39ccbc44918df5f674778916b3151933cfa4d fluxheim-1.7.10-load-balancer-x86_64-linux.tar.gz
      • 52eed70769d9c488d1f9829bc1d9ffb6b166a0019eecafc5f0bfc23a12e5466e fluxheim-1.7.10-config-tester-x86_64-linux.tar.gz
    • aarch64:
      • 06ee8c79689245c5ad07a383c34c4287332d20ae8141ed39641951bc45166b21 fluxheim-1.7.10-full-aarch64-linux.tar.gz
      • c6f94884f34e978a426fb6be2efc5f2955188b636bf3e9e47df7ffefc6d8880b fluxheim-1.7.10-cache-aarch64-linux.tar.gz
      • ca6d9121ff08c02812aef7a6bd21548136f92720820592c3527a9c8024789532 fluxheim-1.7.10-proxy-aarch64-linux.tar.gz
      • 99862e52782702013cb9fee2932cda053b74e3b6cc913b540d26f87274f2f8de fluxheim-1.7.10-php-aarch64-linux.tar.gz
      • a1623f4dea00de896b618c55e2573c209a36595df21848db174521e05dd6d8f8 fluxheim-1.7.10-load-balancer-aarch64-linux.tar.gz
      • 87b9490f8c86e1252d8653fac3c14c9f754b27154346f0b49dabd133417c1a54 fluxheim-1.7.10-config-tester-aarch64-linux.tar.gz
    • macos:
      • b4ee10f598e76cf4ac8676aa3e8fcc0069bfb2924b4b42dcd270202c3c0afa34 fluxheim-1.7.10-dev-aarch64-macos.tar.gz
  • SBOM checksums:
    • 0d01222bde0b5964cfab329e8be3e142c15678a1071d04e59a9b52e2795ac256 fluxheim.spdx.json
    • d8c81f48767bf2c1180bb388f88fdd1676f3931212d138d081dc0428348782e7 fluxheim.cyclonedx.json
  • Reproducible build:
    • 373492627f919df004bb21708edcfec192a156fbb056a45375c1d1b640d7889e x86_64
    • 8520afc5b115ca34c56580b77700110a0b517c35946aeb929996091b5c1587a8 aarch64
    • ec027dec96121d999bb838c336abf953e8d21c3cbee5a129cec2b87d9c910826 macos
  • Full Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:38d2ca30f3a9dd2fa3a2a684807303f3890d6f7972e995841b0a59409185a820
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:bf07f44ff76f2ec694a10cc076fa67ece4d1ccd134c9fb2db63871495c6d08ad
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:35a6df827d93638e09110b61f15cdc7aa277bc65db513fbffefce94625b5f993
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:136d8df87a78a080aba7bc801e9b933ef330bebf9a0856dcdcf3dfd9e890d75c
  • Cache Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:20a8c0ebe8cb728b45a8282bf9008849b463d26620d92bb8b25ab167acdcf927
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:1aeb39c1199095c122673331bb1e8386eca541d628cde2396722695fcdbb88b8
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:60ac6b9771453199ccb0812b652b2fa5b35e18beebf8e814dc41dddac3991ea5
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:64f896f74790f6e57a2e9767ac144fa9a4f7d7e4a88489d6ae10fa162c7a44a3
  • Proxy Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:4122f60b2218ee317187cf7806d2555c297453d0f6ea793d11f8d6049fd03ae5
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:8a99ab8fe7e6e5050ae1564b544f338fadae0d6e48308beb764654781db197b6
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:50b58a2f4ab9a5d6d7191721fe9c5cb1a1941187f9f020ba80219758381723c8
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:34dce0b19c44edf46ef8479dcf7b4271ddf69f6c320b092a1e5581e31e2c0b02
  • PHP Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:415abd0c52cffa04ec5d54cb782868446659cc2002ca82384edb487c19352e3d
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:20b807219c4c1216046e24aacf45bf8fc919feb39cb3c60fa8e4f987ef7f79ac
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:93a96b5750c8e766146df11079011e51e12733c9994cd77e4ecf37d1801ee255
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:21404682e73d54a2d43e0884816ba638bdef0d40a01495be4ef6a43a64cb41fd
  • Load Balancer Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:634c2b5d8864f175c953be96eca213ed5e2ed633c7949958f8648428814c3ec6
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:480ee28b1fa4366826f38ef8047a5cea7199a89fdcb262e43e6b157a9a2a4cd9
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:0c11ff2d5299db0eed231cd7306e0090872b42bf2e5d4f02cb00ff89fb3241be
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:7b13d51089f533acff532e1e25f16f25e8262fcb8c40c8251634a9e246fc0207
  • Tag signature:
    • Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4

Fluxheim 1.7.9

Choose a tag to compare

@eldryoth eldryoth released this 12 Jul 19:43
Immutable release. Only release title and notes can be modified.
v1.7.9
e519f61

Fluxheim 1.7.9 Release Notes

Fluxheim 1.7.9 is the documentation and runnable-example parity release for
operators translating common F5 iRules, nginx Lua/OpenResty, HAProxy Lua/SPOE,
and VCL-style policy jobs into Fluxheim's typed WebAssembly policy ABI. It
provides capability mappings, not syntax or runtime compatibility with those
products.

Added

  • Add a checked-in F5 iRules-style route access policy and complete config
    fixture using Fluxheim's typed access-decision ABI.
  • Add real listener coverage proving public requests reach origin, attached
    admin requests are denied before origin dispatch, and plugin traps fail
    closed.
  • Add scripts/smoke_wasm_policy_examples.sh to scripts/test_starter.py and
    the opt-in Wasm release gate.
  • Add a checked-in nginx Lua/OpenResty-style header policy and complete config
    fixture. Live coverage proves the allow-listed origin request mutation,
    client response mutation, upstream-header removal, and fail-closed rejection
    of unknown mutation IDs.
  • Add a checked-in HAProxy Lua/SPOE-style route policy and complete config
    fixture. Live coverage proves symbolic canary/mirror selection, unavailable
    branch rejection, selected-route policy enforcement, native load balancing,
    and managed-cookie persistence without exposing backend addresses.
  • Promote the existing cache lookup/store WAT pair to the validated VCL-like
    parity example. The live smoke now proves pass, MISS/HIT, bounded variants,
    image-only TTL/tag/header metadata, expiry, tag purge, non-image isolation,
    and fail-closed invalid mutations.
  • Add a deterministic policy builder that emits deployable .wasm files and
    SHA256SUMS under target/wasm-policy-examples/.
  • Add one complete Wasm smoke shared by scripts/test_starter.py and the
    opt-in stable/deep release gate, fixing the launcher's previous multi-script
    command wiring.
  • Add a standalone binary smoke using generated modules, exact digest pins, a
    private plugin root, file-based configuration, two local origins, and real
    HTTP traffic through every migration family.

Fixed

  • Stop attempting to initialize the native disk-cache backend for memory-only
    cache policies, avoiding an incorrect missing-path error at startup.

Security

  • ACME certificate installation now retains the exact trusted storage-boundary
    descriptor and reconciles every managed descendant to the selected UID/GID
    through descriptor-relative, no-symlink traversal. Restart repairs
    intermediate 0700 root:root directories left by an interrupted root-run
    handoff, while outside-boundary targets fail before mutation. Linux also
    enforces openat2(RESOLVE_NO_XDEV) and other Unix platforms reject device-ID
    changes before ownership mutation, preventing reconciliation through nested
    mount points. The bind-mount regression is explicitly ignored in
    ordinary Rust runs and executed by CI and the deep release gate through a
    dedicated smoke using root-mapped user and private mount namespaces, without
    a privileged container. Hosts that disable user namespaces use a
    digest-pinned, network-isolated, read-only container with every capability
    dropped except the mount operation's required SYS_ADMIN capability. The
    regression requires the precise EXDEV result from Linux RESOLVE_NO_XDEV
    using the namespace's mapped identity, so a later ownership error cannot
    produce a false pass.

  • Managed ACME account generation now creates P-256 material in zeroizing
    RustCrypto secret/document types before importing it into Ring and retaining
    the durable copy in sanitization::SecretVec, removing the transient
    non-zeroizing Ring PKCS#8 document.

  • Open private snapshot files with platform no-follow semantics before
    validating type and permissions from the opened descriptor. This removes a
    check-then-open race while retaining fail-closed symlink handling.

  • Use the snapshot store's atomic writer and descriptor-based permission
    changes for corruption fixtures, keeping negative security tests realistic
    without normalizing raw path mutation patterns.

  • Use one no-follow parent-directory descriptor for Unix snapshot publication,
    with descriptor-relative temporary creation, create-new linking, replacement,
    cleanup, metadata checks, and directory synchronization. This prevents
    parent replacement from redirecting an in-progress atomic write.

Compatibility Boundary

  • The migration examples use Fluxheim's typed, bounded policy ABI; they do not
    execute iRules, Lua, SPOE, or VCL source directly.
  • Every example remains bounded by configured symbolic IDs and denies arbitrary
    filesystem, network, secret, request-body, and cache-object access.

Checksums And Signatures

  • Commit: e519f61f7bf0df139933cc2831f6917be040d8d5
  • Local gate: GitHub CI green before tag; local release metadata checks passed
  • CodeQL/code scanning: no open release-blocking alerts before tag
  • Source archive checksums:
    • 1dfdbb19535b18aecc50e37afe7fd33509a2b4734b1d5468b0368afb08254eef fluxheim-1.7.9.tar.gz
    • 16339d6794bf0a5d3832e2e509e2f61558c81fed36d34d20f64150b6af421354 fluxheim-1.7.9.zip
  • Binary checksums:
    • x86_64:
      • bfc1553d98cb019a5391f6d3f5234134c9e2040c76698acf73d1e430350a64bc fluxheim-1.7.9-full-x86_64-linux.tar.gz
      • 0940e0bb095182d56b1258e9ce55487dc07d2a94aae6c7ba89570c34cd270662 fluxheim-1.7.9-cache-x86_64-linux.tar.gz
      • 10ea8f355c3126c4bb0b9a660fd7677b449d14eb096e72114ee82c27b76ac5b5 fluxheim-1.7.9-proxy-x86_64-linux.tar.gz
      • 5369cde5b9077e42fcd0c676ff69b25167080e3735bce37e673790898a0c47f0 fluxheim-1.7.9-php-x86_64-linux.tar.gz
      • cccf9f6106044546daa915f10af4f82abca579c9a3671826ae870afd05c1c018 fluxheim-1.7.9-load-balancer-x86_64-linux.tar.gz
      • e8cb7e5dcc1a8f07dd58e6b8eeb3b00ca56605aaf978eab892ebb2c4602d8716 fluxheim-1.7.9-config-tester-x86_64-linux.tar.gz
    • aarch64:
      • 8bf812c771ba17652830b51e52c45f7bee56471f83e2993a9f055d555bb0c997 fluxheim-1.7.9-full-aarch64-linux.tar.gz
      • ef4be1c37e1d3ac302666724fe4121d25ad1d41907571da17a1dfbae75e3f47f fluxheim-1.7.9-cache-aarch64-linux.tar.gz
      • 03c51decace5fbb84378505bf2683cb1b373a8bb3d1696ebcc0a33941f184751 fluxheim-1.7.9-proxy-aarch64-linux.tar.gz
      • b0af61c8b40253a0c7b32f3bae5bcee179bda022e6852b95c5a331329bda9b5a fluxheim-1.7.9-php-aarch64-linux.tar.gz
      • 52bc13f5974fdd5019cf4fb34c04dbfe74725ec97a40351dfd45c5a5418e42a0 fluxheim-1.7.9-load-balancer-aarch64-linux.tar.gz
      • 33a4db9b8ceffc80e37636814886729c2ff3d6d28e6e30ec3013cba7bb211ad0 fluxheim-1.7.9-config-tester-aarch64-linux.tar.gz
    • macos:
      • f04427e1ea8c72a8fcc6c86610e68c547c5d195f14e395ed052d5cc2155cecba fluxheim-1.7.9-dev-aarch64-macos.tar.gz
  • SBOM checksums:
    • e828a1b78d9e88504c63bdabd424d7d59662addf9c26f26fea38f63de46fdb06 fluxheim.spdx.json
    • ca9b4f5434af58bd1bbf26ae431ca890cdb0945207c579d77c04d1c963c9f37f fluxheim.cyclonedx.json
  • Reproducible build:
    • 5f162d370d7e838111e28e2521daa5d2172eb2ddd0adb73e354420f3a473a2fc x86_64
    • 4ab04d472433f057f131451fe0e25c67e86795f69ab40b30dfeb1f71e11f7615 aarch64
    • 4fde8e05dd1d6afa822864e94de7d5b79a6deb14ee108c3edb7f752672bb66f1 macos
  • Full Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:04367b7d87273dd5cdbf55ad25b00733cbb1f8f044fe3c25a0159aa13c18a1f6
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:2df48353f7abc17f95595e27f12c585e51d4b46b65cc952a72da740e9025b9fb
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:a27c44c696061d9a663f0188c090b68c93369a375a0648d01788a454b2f1e9c0
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:64f8b7a68ca7a7e9a37f120ab6a4a03fc8aebc9e643340b8b949edc24b98433b
  • Cache Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:1abba7e7de90316daa6841e7e8227eb5938297b132dade100ac62eeb05f31376
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:af9b18de1435fffb0ba44b549d7ed11149d4abe3a097c0f53a56b7196ba3caaa
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:3404c189198cd886bc96f03b124abdc7c23e0a9d3cbd2685d2cd2bf4b6dc6bc5
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:33cf42f29b659ac85b1bf45164353aae5b6545eeed75d519b38349e4cbb7435b
  • Proxy Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:073a6657ab2cf4565e42e53ac49535ad8d0b70a2866703f0604b7cd7427cd7e0
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:2b11fa9ada18406a3ebba7a92c06559a6186bf9404243bd5f5338faf59c0463e
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:6599273d86a47bbb31b2c44fc7120d1930ab10dc45fc6ee3b2c0312940401e99
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:a02062b5e8e7b8b2b99b61954ea96360e7e8ee7837f3b1e57011077d75c58f45
  • PHP Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:2f9c2c2987720a3e0b1f664f167db6ac8d159bb1bcf8cfdf738e491116ce8b94
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:49c3db68bf39714740cdd58fc82439c1afefdbe64906390c80a5355d2b528216
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:16b99092b64111631933f7399bf186483cd5fb303e097fc75b46e79dd28ca523
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:303514a229d2fe90019749fff52d01142a046205380168b03a4c1ccf4c86c7c2
  • Load Balancer Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:5225aea52c588afedb2b941470956b93e42f6795c4e39d8b3aaeb1c1d6d92aaa
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:0f8d2cf891e1701017c675c6ecf1f1d1ee3d6c9733763e44b3a2240e8a04f7ed
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:70495df79b2d183fd3f2c3ab68ccec1f6dafdbe4a3023cd18ffa9fef0dfe2055
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:3b6531548e9ef5c6807ceaa3cda3fda3c81bf96fa9a0e42a4ba209ceaf949cc2
  • Tag signature:
    • Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4

Fluxheim 1.7.8

Choose a tag to compare

@eldryoth eldryoth released this 12 Jul 06:43
Immutable release. Only release title and notes can be modified.
v1.7.8
b5a0574

Fluxheim 1.7.8 Release Notes

Fluxheim 1.7.8 starts the optional WASI Preview 1 capability boundary for
non-request-body policy plugins. This is a narrow access-decision preview, not
general-purpose WASI application hosting.

Added

  • Propagate the wasm-wasi feature through the root, config, server, and
    fluxheim-wasm crates.
  • Add the wasi-preview ABI and host-call namespace pair.
  • Add [wasm.plugins.wasi] with independent clocks and randomness grants,
    both disabled by default.
  • Add wasm.max_total_preview_concurrent_executions, defaulting to and capped
    at 32, for both WASI and proxy-ABI preview access hooks.
  • Add real WASI modules proving explicit randomness and clock grants work under
    the normal Fluxheim sandbox.
  • Add live native HTTP/1 coverage proving a granted WASI policy continues into
    normal route handling while an ungranted import fails closed before origin
    dispatch.
  • Add a checked-in WASI randomness policy/config example and include it in the
    standalone Wasm smoke.
  • Restore native-request GeoIP context lookup using the trusted-proxy-aware
    client address for HTTP/1 and HTTP/2 policy evaluation.
  • Decode CIRCL Geo Open combined Country and ASN databases, including their
    provider-specific string ASN field.
  • Add an opt-in, checksum-pinned CIRCL real-database smoke proving country and
    ASN policy on static, direct-proxy, and load-balanced request paths.

Security

  • Normalize IPv4-mapped and IPv4-compatible IPv6 DNS results before stream
    rebinding checks, closing access to embedded loopback, private, link-local,
    metadata, carrier-grade NAT, benchmark, and other reserved IPv4 addresses.
  • Keep both stream copy directions in persistent pinned futures and drive one
    shared idle deadline from their latest successful transfer. Partial writes
    can no longer be cancelled and silently discarded when reverse traffic wins
    the dispatcher race.
  • Clear each successfully forwarded plaintext prefix and clear complete stream
    copy buffers on drop through sanitization.
  • Reject zero, oversized, or overflowing weighted-stream totals inside
    StreamUpstreamSelector, preserving the config limits at the public runtime
    construction boundary.
  • Make configuration snapshots transactional and recoverable with mutation-wide
    private locking, explicit parent/generation history, create-new publication,
    temporary/orphan cleanup, retryable rollback, persisted self-healing state,
    redacted invalid-ID diagnostics, and typed clock errors.
  • Add optional HMAC-SHA-256 manifests backed by an external bounded key file.
    Config and metadata are verified before rollback parsing; legacy stores are
    reported as unverified rather than silently authenticated.
  • Persist an authenticated generation high-water mark and per-manifest
    generation witnesses so pruning cannot reuse audit generations and freshness
    scans remain bounded without rereading complete snapshot configurations.
  • Preserve authenticated manifests created before generation witnesses. A
    fully verified all-legacy store with no generation counter bootstraps from
    its highest generation, persists authenticated state first, migrates its
    manifests, and publishes the next snapshot at max + 1. Missing state still
    fails closed for V2 and mixed stores.
  • Route snapshot SHA-256 and HMAC-SHA-256 through the selected Ring,
    OpenSSL-FIPS, or AWS-LC-FIPS provider, returning provider failures to the
    administrative caller instead of aborting the data plane.
  • Require owner-only snapshot state and integrity-key files, keep integrity
    keys outside the snapshot store, and authenticate intentional pruning
    boundaries.
  • Add resilient listing plus snapshot show, diff, verify, doctor, and
    protected prune operations. Snapshot TOML remains plaintext and needs
    encrypted storage or backups when confidentiality is required.
  • Enforce OpenSSL cipher allow-lists across protocol families. A policy with
    only TLS 1.3 suites disables TLS 1.2, and a policy with only TLS 1.2 suites
    disables TLS 1.3, preventing inherited acceptor defaults from negotiating an
    unconfigured suite. Move to OpenSSL's Mozilla v5 acceptor baseline so the
    legacy v4 template cannot suppress configured TLS 1.3 listeners.
  • Replace synchronous rustls TLS-ALPN challenge loading on ClientHello with a
    bounded, atomically replaced in-memory SNI certificate table. Remote
    handshakes perform lookup only and cannot trigger file parsing or loader
    logging.
  • Limit certificate chains to 1 MiB and 16 certificates, private-key files to
    64 KiB, and client-auth CA bundles to 8 MiB and 4096 certificates in both
    downstream TLS providers.
  • Keep transient rustls private-key PEM and decoded DER bytes in
    sanitization::SecretVec until provider parsing completes. Read key files
    directly into protected storage so partial I/O and concurrent-growth errors
    also wipe initialized key bytes.
  • Decode Rustls private-key PEM payloads through base64-ng's staged
    constant-time-oriented decoder and report only the redacted decode-error
    class, never an offending secret-adjacent byte or input index.
  • Disable default provider features for rustls and tokio-rustls. Normal Ring
    builds no longer include AWS-LC; AWS-LC remains explicitly selected by the
    rustls FIPS profile.
  • Keep base64-ng out of default and OpenSSL-only fluxheim-tls dependency
    graphs; it is now activated only by the Rustls key-parsing boundary.
  • Validate each declared wasi_snapshot_preview1 import before instantiation.
    Clock imports require clocks = true; random_get requires
    randomness = true.
  • Keep environment, arguments, inherited stdio, filesystem, sockets/network,
    polling, and process-exit imports unavailable in this preview, regardless of
    capabilities granted for clocks or randomness.
  • Build a fresh WASI context per execution without inherited process state.
  • Cap each granted random_get call at 4096 bytes so guest-selected host work
    cannot request the full memory budget in one operation.
  • Restrict wasi-preview to access-decision, require explicit preview-ABI
    allowance, require pinned module digests for that security phase, and retain
    fail-closed composition.
  • Include WASI grants in compiled-module identity equality so differently
    authorized modules cannot share an identity.
  • Isolate preview hooks from native policy hooks with separate process-wide
    admission and 32-slot blocking-work pools, preventing preview saturation
    from consuming native fluxheim-policy-v1 capacity.
  • Apply one absolute PHP-FPM request deadline to request transmission and full
    FastCGI response collection, discarding timed-out pooled connections.
  • Open managed PHP-FPM executables without following symlinks, validate the
    opened file and every ancestor for trusted ownership and modes, and execute
    through the retained descriptor to close path-replacement races.
  • Run each managed PHP-FPM pool in a dedicated process group and terminate the
    complete group on shutdown, failed status checks, and watchdog restarts.
  • Unlink request-body spool files immediately after secure creation while
    retaining a descriptor for retry replay. Give every reader an independent
    logical offset backed by bounded positional reads so overlapping readers
    cannot corrupt each other's request body stream.
  • Hold PHP memory bodies and bounded spool-read buffers in
    sanitization::SecretVec, clear consumed spool buffers immediately, and
    clear full buffer capacity on cancellation, error, or drop.
  • Read each verified GeoIP database into an exact admitted-length buffer and
    probe growth with a separate stack byte, preventing a one-byte in-place
    append from triggering large Vec capacity growth before rejection.
  • Validate public GeoContext construction, canonicalize accepted two-letter
    ASCII countries to uppercase, and reject ASN zero before policy consumers can
    observe malformed security state.
  • Replace inherited managed PHP-FPM PATH handling with a fixed allowlisted
    search path after clearing the child environment.
  • Render unavailable directory-listing timestamps as - after checked epoch
    and year-9999 bounds, preventing attacker-influenced file metadata from
    reaching panic-prone timestamp formatters in release builds.
  • Replace unchecked SafeRelativePath component insertion with a validating
    single-normal-component API so the public type preserves its traversal-safety
    invariant for current and future static-serving callers.
  • Enforce crate-level hard ceilings for Wasm module, memory, table, fuel,
    execution-timeout, and compile-timeout limits, with matching config rejection
    and checked Instant deadline arithmetic.
  • Reject Wasm admission values above Tokio's semaphore capacity before
    constructing a semaphore, and create compilation workers through the fallible
    named thread builder instead of the panicking convenience API.
  • Check the absolute execution deadline before and after every synchronous host
    callback so late callback results fail as timeouts. Keep blocking callbacks
    prohibited until a killable subprocess runner exists.
  • Require in-process native Wasm callbacks to be panic-free and total for every
    guest integer, and property-test all current guest-ID decoders over arbitrary
    i32 inputs. Keep panic-prone or third-party native callbacks behind the
    future subprocess-isolation boundary.

Validation

cargo test --locked -p fluxheim-wasm --features wasi
cargo test --locked -p fluxheim-config --features wasm-wasi wasm_wasi
cargo test --locked -p fluxheim-server --features wasm-wasi native_wasm_wasi
cargo test --locked -p fluxheim-stream
cargo test --locked -p fluxheim-snapshot
cargo test --locked -p fluxheim-tls --no-default-features --features tls-rustls,acme
car...
Read more

Fluxheim 1.7.7

Choose a tag to compare

@eldryoth eldryoth released this 11 Jul 06:53
Immutable release. Only release title and notes can be modified.
v1.7.7
f1c2497

Fluxheim 1.7.7 Release Notes

Fluxheim 1.7.7 adds the first opt-in wasm-proxy-abi compatibility preview
boundary. This release does not claim that existing arbitrary proxy-wasm
plugins run unchanged. It establishes the safe shape for that work: explicit
ABI and host-call namespace validation, feature-gated config acceptance, and
deterministic unsupported-call rejection.

Added

  • Add wasm-proxy-abi feature propagation through the root, config, server,
    and fluxheim-wasm crates.
  • Add host_call_namespace = "proxy-wasm-preview" support for
    [[wasm.plugins]] entries when paired with abi = "proxy-wasm-preview".
  • Add manifest validation that rejects mismatched ABI and host-call namespace
    combinations.
  • Add native HTTP/1 proxy-ABI preview host-call stubs that reject unsupported
    calls deterministically instead of silently binding to Fluxheim's native
    policy namespace.
  • Reject module imports that are not explicitly bound for the selected
    host-call namespace before Wasm instantiation, with a stable import-specific
    error.
  • Add a live native HTTP/1 compatibility fixture using the canonical
    proxy-wasm env.proxy_log(i32, i32, i32) -> i32 import and prove that the
    unsupported call fails closed with 503 before the upstream is reached.

Security

  • proxy-wasm-preview host calls remain disabled unless the binary is compiled
    with wasm-proxy-abi and config explicitly sets allow_preview_abi = true.
  • Compiled WebAssembly module identities now include the host-call namespace,
    so future compile-cache reuse cannot cross from fluxheim-policy-v1 to
    proxy-wasm-preview.
  • Restrict proxy-ABI preview manifests to access-decision, and independently
    prevent native request-header, route, and cache host functions from being
    linked into the preview namespace.
  • Enforce [server.host_routing].strict = true for native HTTP/1 Host and
    HTTP/2 authority routing. Missing or invalid identity returns 400; an
    unknown host returns 421 instead of reaching the default tenant.
  • Acquire process, cache-vhost, plugin, and attachment Wasm admission before
    spawn_blocking; honor bounded queue_limit waiters and replace per-request
    watchdog threads with one process-wide shared epoch ticker.
  • Use Tokio semaphore admission in narrow-to-global order, preventing a
    saturated plugin or attachment from reserving broader process capacity, and
    cap active/queued Wasm budgets at 256.
  • Select an installed GCC 13/12/11 compiler pair automatically for release-mode
    rustls/AWS-LC FIPS validation when a rolling distribution's default compiler
    is outside the supported range; explicit compiler selections remain
    authoritative.
  • Bound external-auth work before blocking-pool submission with
    max_in_flight = 64 by default and a 256 process-wide ceiling shared by
    all routes. Saturation fails closed with 503.
  • Keep source-specific admin lockouts fail closed while allowing correctly
    authenticated operators through a global invalid-attempt lockout.
  • Bound persistent storage-bin index files, entry/key counts, cache metadata,
    header counts, and fallible allocations. Decoded local AES cache keys now
    remain in sanitization::SecretBytes<32> through key construction.
  • Pin third-party GitHub Actions to reviewed commit SHAs, pin cargo-deny and
    cargo-audit installs, and pin every container builder/runtime base image to
    a reviewed digest.
  • Reject duplicate canonical storage-bin roots during native router
    construction and verify persisted object identity before serving, preventing
    cross-policy allocator corruption from becoming cache disclosure.
  • Record strict Host/authority routing rejections through the native metrics
    bridge.
  • Inspect storage-bin objects only through the registered live cache and hold a
    lifetime-exclusive lock file so separate Fluxheim processes cannot allocate
    the same root concurrently. Standalone CLI inspection retains a bounded
    filesystem-backend index rebuild because that backend has no shared allocator.
  • Keep generated managed PHP-FPM Unix socket names compact and reject a final
    socket path that exceeds the platform address limit before spawning PHP-FPM.
  • Return explicit 431, 414, or 400 responses for bounded request-head
    parser failures instead of closing the HTTP/1 connection without a response.
  • Add one shared 256-slot request-driven blocking-work budget across Wasm,
    external auth, traffic mirrors, disk-cache operations, and ACME challenge
    reads. Explicitly cap Tokio's blocking pool at 384, leaving 128 slots
    outside request admission for operational work.
  • Acquire storage-bin ownership before any manifest or data-layout mutation,
    preventing a losing process from modifying first-start metadata.
  • Document that storage-bin ownership uses advisory filesystem locking: use a
    per-replica local/RWO volume by default, and require verified cross-node
    flock behavior plus orchestration-level single-writer enforcement before
    using shared RWX storage in high-assurance deployments.
  • Partition blocking work by class under 224 non-critical and 256 total
    ceilings, reserve 32 critical slots, and return 503 rather than contacting
    origin when disk-cache lookup admission is saturated and no stale memory
    object is available.
  • Harden the GeoIP runtime boundary: cap fallback databases at eight before
    allocation, admit aggregate descriptor sizes before reading/parsing, decode
    bounded borrowed country strings, require trusted ownership and non-writable
    modes for MMDB files and all parents, and reject files changed during loading.
  • Make reload classification fail closed through an explicit snapshot-safe
    allowlist. Client-authentication, compliance, listener trust/limits, stream,
    UDP, ACME, cache-purger, tracing, and other startup-owned changes now require
    process replacement instead of being accepted as snapshot reloads.
  • Extend reload ownership into nested vhosts and routes: managed ACME target
    identity/domain changes and managed PHP-FPM pool/process changes require
    process replacement, while ordinary routing and request-time PHP policy stay
    snapshot-safe. Exhaustive vhost, route, and PHP-FPM schema audits prevent new
    nested fields from silently bypassing review.
  • Require config sources, split-config directories, and every existing ancestor
    to have trusted ownership and non-writable group/other modes. Verify path and
    descriptor identity and reject config files modified during bounded reads.
  • Restore the all-feature config security suite, including tracing/privacy and
    dual-FIPS-backend feature combinations.
  • Bound Brotli, gzip, and Zstandard logical output before accepting excess
    encoded bytes, transfer emitted codec buffers into response bytes without
    copying, and permanently discard a codec after an output or allocation
    failure.
  • Fail response compression closed for malformed Accept-Encoding fields,
    honor explicit coding rejection over wildcard acceptance, and suppress
    compression for qualified Cache-Control: private="..." responses.
  • Perform config ownership, permission, and symlink traversal checks through
    no-follow statat metadata inspection, and remove environment-derived
    filesystem writes from storage-lease subprocess coverage.

Changed

  • Update base64-ng to 1.3.7, bytes to 1.12.1, regex to 1.13.0,
    sanitization to 1.2.4, and test-only wat to 1.253.0.
  • Update the workspace MSRV, pinned toolchain, and container builders to Rust
    1.97.0.
  • Exercise current MariaDB 12.3 LTS, PostgreSQL 18, and Valkey 9.1 container
    lines in the database and health-check smoke defaults.
  • Restore the standalone cargo-fuzz workspace and remove its obsolete Pingora
    dependency patch so the checked-in fuzz targets build against their current
    owning crates again. The fuzz validation gate now compiles every target.
  • Replace storage-bin request-path full-index sorting, rewriting, and syncing
    with one fallibly-created process-wide persistence worker. Maintain ordered
    eviction state so selecting the oldest object no longer scans the complete
    object map.
  • Add fluxheim-base-images.txt to generated release evidence beside SPDX and
    CycloneDX output so reviewed image digests are recorded for each build input.
  • Run filesystem-sensitive local release fixtures below private repository-owned
    smoke roots, using a compact root for Unix-socket tests, so the suite exercises
    the same full-ancestor trust policy enforced in production.

Operator Notes

  • Existing wasm configs using fluxheim-policy-v1 continue unchanged.
  • To test the preview namespace, build with --features wasm-proxy-abi, set
    allow_preview_abi = true, and declare both:
[wasm]
enabled = true
allow_preview_abi = true

[[wasm.plugins]]
name = "proxy_preview"
path = "/etc/fluxheim/plugins/proxy-preview.wasm"
abi = "proxy-wasm-preview"
host_call_namespace = "proxy-wasm-preview"
phases = ["access-decision"]
  • The preview namespace is intentionally narrow in this release. Unsupported
    calls fail closed through the plugin fail mode.

Checksums And Signatures

  • Commit: f1c2497bca3fcfd9112d08ad65b3bc2aafb2e421
  • Local gate: GitHub CI green before tag; local release metadata checks passed
  • CodeQL/code scanning: no open release-blocking alerts before tag
  • Source archive checksums:
    • 5dbc0fd24140f2a81b52b46d63f09f70c3056c09fc1ec82cfcbd3860a0083f81 fluxheim-1.7.7.tar.gz
    • 40b33aea8811b6091c0fbe3e8e8368bc09843b59758a3c1bd6de2fc2defccbac fluxheim-1.7.7.zip
  • Binary checksums:
    • x86_64:
      • a03d30135990810b66cef61d3b401fe65063e5c8ed7d19304c15c9ec690eb35d fluxheim-1.7.7-full-x86_64-linux.tar.gz
      • `9775db4a60895845c436abb9104f9ed53d1d7e987eeaf68b0ba67d2ff2543959 fluxheim-1.7.7-cach...
Read more

Fluxheim 1.7.6

Choose a tag to compare

@eldryoth eldryoth released this 09 Jul 08:43
Immutable release. Only release title and notes can be modified.
v1.7.6
c231d0b

Fluxheim 1.7.6 Release Notes

Fluxheim 1.7.6 starts the mature WebAssembly runtime hardening pass after the
initial live hook families landed in 1.7.1 through 1.7.5.

Wasm Runtime Hardening

  • Compiled WebAssembly modules now carry an explicit cache identity made from
    the plugin SHA-256 digest, manifest ABI version, native hook feature surface,
    and Fluxheim crate version.
  • The native HTTP/1 hook registry compiles plugins through manifest-derived
    identities, so future module reuse cannot silently cross ABI, feature, or
    release boundaries.
  • The runtime compile API now has regression coverage proving a supplied
    compiled-module identity from one plugin cannot be accepted for another
    plugin's bytes.
  • Cache-lookup and cache-store Wasm hooks now acquire a derived per-vhost
    admission budget under the process-wide cache-hook budget, so one vhost
    cannot starve cache hook execution for another vhost.
  • Prometheus Wasm plugin metrics now preserve bounded labels for every current
    hook family, including route selection, cache lookup pass/bypass, cache-store
    skip/deny, and the cache-specific global and per-vhost admission scopes.
  • Authenticated admin status now reports both the general Wasm process-wide
    admission budget and the separate cache-policy process-wide admission budget.

Test Coverage

  • Add runtime tests proving ABI and feature-surface changes produce distinct
    compiled-module identities for the same plugin bytes.
  • Add runtime coverage for digest-mismatch rejection before module compilation
    can be accepted under the wrong identity.
  • Add live native HTTP/1 coverage proving a saturated cache hook on one vhost
    does not block cache hook execution on another vhost.
  • Extend metrics and admin-status tests for the mature hook-family visibility
    fields added in this release.
  • Add a live native HTTP/1 cross-family chain regression test that exercises
    access-decision, request-header mutation, route-decision branch selection,
    cache-key mutation, cache-store metadata, cached HIT behavior, and
    response-header mutation in one request flow.
  • Add reload classification regressions for Wasm plugin digest changes and
    attachment phase changes so module/hash and hook-chain updates remain
    process-upgrade events.

Checksums And Signatures

  • Commit: c231d0ba594069e8344cf874c477aecc53c31c8d
  • Local gate: GitHub CI green before tag; local release metadata checks passed
  • CodeQL/code scanning: no open release-blocking alerts before tag
  • Source archive checksums:
    • c94b429c07259e8cde0657603dc408e94090509ff7c7d0ed7536095e69a82c49 fluxheim-1.7.6.tar.gz
    • 03d363b71af3454af89149425afe17950196f6843c833e4197e2a0b6f6f9cdbd fluxheim-1.7.6.zip
  • Binary checksums:
    • x86_64:
      • ba4034ad0465467c47e5fc1dfb5268ab52790401550aa1ba3b1feb5d229e7fb5 fluxheim-1.7.6-full-x86_64-linux.tar.gz
      • eaff8b4edd4722a35be7f331387caa131bdc1c019ddeeb5eb71260ca7c263dcf fluxheim-1.7.6-cache-x86_64-linux.tar.gz
      • aadb9a9395c6c520bdf5a3cac3d7c7aa40adb8de15fa05592fb20c6468a93209 fluxheim-1.7.6-proxy-x86_64-linux.tar.gz
      • a7e37c42511a04ebd4dac10740d8cc259bd9b2f712675abe911c0d78e7e88181 fluxheim-1.7.6-php-x86_64-linux.tar.gz
      • 4aa9be2ce7210746bcfe329291d68dd0001b0e7e3d342845949405a7b5a6d4db fluxheim-1.7.6-load-balancer-x86_64-linux.tar.gz
      • 6beceee3d220867007ee95ec2f7f40e6bae413283aa0eccefa938de96e712505 fluxheim-1.7.6-config-tester-x86_64-linux.tar.gz
    • aarch64:
      • 0465cf84d6cb458c71c4feeffc5817e18906618bfeeb41e890220e4342729bde fluxheim-1.7.6-full-aarch64-linux.tar.gz
      • cda18da6022f865a43a28513b7b85bb4649f71d6bf7cdfc2874e06e03f9f9d3d fluxheim-1.7.6-cache-aarch64-linux.tar.gz
      • b5f7277af6c5d91291d2a83a1246d99182a84988bd3d858b0988f94c46b03ef7 fluxheim-1.7.6-proxy-aarch64-linux.tar.gz
      • c659872adffce902dc509a60bbccf1cbca9283a825a08f5652887cd62b4bac91 fluxheim-1.7.6-php-aarch64-linux.tar.gz
      • 825e9e70b9e7e4f9f4ebd8706768f195eed301b4eadca2d6045b8700f5b1765b fluxheim-1.7.6-load-balancer-aarch64-linux.tar.gz
      • 790ec7e1e8a9e0c364d2fec5d42ea399f4e06a6dbbc4a4b5df3716a64ddbc3f8 fluxheim-1.7.6-config-tester-aarch64-linux.tar.gz
    • macos:
      • f0ccf2aaab50775c0f190f80972524bc045037523cb443ebda2c67b16535b908 fluxheim-1.7.6-dev-aarch64-macos.tar.gz
  • SBOM checksums:
    • ac35ec4409927685e4cae635bcca524c9736d9a52b276f72787a9ab71dd6ea80 fluxheim.spdx.json
    • d456b9b6f5b844ed4eee13245544b4915ec4923a95643629b4dc189be8803cd3 fluxheim.cyclonedx.json
  • Reproducible build:
    • 854523f27160e547093f5730eff3c15975fc2777a2f0410d6904cea3d501c2a8 x86_64
    • 877526f4c8aabe5f302658790de493710e60da34a3175281115db79aaa75937c aarch64
    • 3d1a69e5c99354e04e4f9dde5bd5fad0f3f79a89c026da8fa5a95f645bc82ded macos
  • Full Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:462b98287a0eb0e405cd302b818c5bab0507e18845191eb0abe3732bfd953477
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:73fa2fac2aeafb9b6c526947feadbc593f64cad8d7e8cda151e251e7ddb1d264
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:1b9f669cc292bc603f469bcf5f2bb1151e998f7c1e16cb8efbd8a65eaed95e4f
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:42c6bb83a9221d5a9197ae7650c6c9746b9f042ebb1d153b8a6b8d4a965e73f8
  • Cache Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:516e1b6a845fad44abd7adcb0e55ea4e4aff84fe5ba1f4f9f414274b8fae5b81
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:15499cba800245ee55f3539cbe8a284c46b111209d7fb977b4878eb3c78765ae
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:7b83328c5b2bcb904a185ef52ecaf33e3a54ab5c0b7a2b9902fa01e756c26252
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:0dac5e12c5f77ef2e90e0cb9ebfe40d6e7d21b88226eb50761ebefee0de7668a
  • Proxy Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:b4c53ff4fa77edd3ceb205794bceda9555c87c6d317e5ef3f12b48de5e13bcac
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:06b16018d2136d40fb38ae2d2fbdded43b806b8a11672dd1816a398bd8657a4b
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:83f47565b19863884df0842d32f0564f32f917ed8ad2be684414e5d410ebf411
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:96b321626f2356326daefb3d9394c0dbc382be8f66379b175201ea9d0bed21aa
  • PHP Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:65a3f46bcd7981319c8e38a1cf53e5b4fdd4ea745ca994682532d805e52f2d9d
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:617c59eeb6252d39bd7af50a701d78e5242c8bcf17755469887e954675c33288
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:380c4dd0cf9477265fca8e5cd63f96230b79dd4da9be065d45b8f02f55b3161d
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:888798aec2a6dd514c42821e149b4f279108164206c46f3c67d7400e12aed167
  • Load Balancer Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:5f9140cf1dcff8a6f74d7bbad2fe16cf854bfb88c1fc7b73beabdcb643923a9d
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:132c7659712399a2bd435e8b70560e7cbd43856202ecfca9e5abb293220797aa
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:4a6dafe13049dc769504981026df8a733445349c7fb93e9d0e43784c49f2bd0a
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:243d9ae5e71d603d62c22dc6682afb287c6bc9ad7574626a503cb57c5c718184
  • Tag signature:
    • Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4

Fluxheim 1.7.5

Choose a tag to compare

@eldryoth eldryoth released this 08 Jul 09:53
Immutable release. Only release title and notes can be modified.
v1.7.5
c849e33

Fluxheim 1.7.5 Release Notes

Fluxheim 1.7.5 continues the VCL-like WebAssembly cache-policy milestone with
the first bounded cache-key and cache-store metadata hooks. The new host-call
surface is intentionally low-cardinality: plugins can add a symbolic
device-class cache variant, choose fixed TTL/tag metadata, and set one fixed
stored-object response header, but still cannot emit arbitrary key bytes or
mutate arbitrary cached response headers.

Highlights

  • Add a bounded set_cache_key_component(label_id, value_id) host call for
    cache-lookup Wasm hooks.
  • Add symbolic X-Device-Class context under context(5, 0) for cache-policy
    plugins.
  • Allow only the fixed wasm-device-class=mobile and
    wasm-device-class=desktop cache-key components in this slice.
  • Add bounded set_cache_ttl(ttl_id, 0) and add_cache_tag(tag_id, 0) host
    calls for cache-store Wasm hooks.
  • Allow only fixed TTL classes and fixed cache tags in this slice.
  • Add bounded set_cache_store_header(name_id, value_id) for cache-store
    hooks, limited to fixed x-fluxheim-cache-policy values.
  • Add bounded cache-store response content-type inspection through a symbolic
    context(6, 0) class, without exposing raw response headers.
  • Thread Wasm-selected key components through native static-upstream and
    load-balanced proxy cache lookup paths.
  • Thread Wasm-selected key components through fixed-slice range-cache keys so
    ranged mobile and desktop variants cannot share slice objects.
  • Thread Wasm-selected TTL/tag metadata through native cache storage without
    exposing arbitrary response-header mutation.
  • Thread fixed stored response-header metadata into the cached object while
    leaving the immediate origin MISS response unchanged.
  • Add live native HTTP/1 listener coverage proving one URL can cache separate
    mobile and desktop variants, then HIT the original variant.
  • Add live native HTTP/1 listener coverage proving Wasm-selected key
    components also isolate fixed-slice range-cache objects.
  • Add live native HTTP/1 listener coverage proving a plugin TTL override
    expires an otherwise max-age=60 object and refills from origin.
  • Add live native HTTP/1 listener coverage proving a plugin can set the fixed
    stored response header on cache HIT and that forbidden header IDs fail
    closed.
  • Add negative coverage proving duplicate stored-header mutations fail closed
    and stored-header mutation caps are enforced.
  • Add negative coverage for aggregate cache-key component caps, cache-tag caps,
    and TTL singleton merge behavior.
  • Add examples/wasm/cache-lookup-policy.wat,
    examples/wasm/cache-store-policy.wat, and a matching config template for
    the bounded cache-policy ABI.
  • Add live native HTTP/1 listener tests that compile the checked-in example
    Wasm sources and prove image-only cache-store metadata, cache-key, TTL, and
    stored-header behavior.

Security Notes

  • Unknown component IDs, unknown values, duplicate component labels, and
    component counts above the hard cap fail through the plugin fail mode.
  • Duplicate cache-key component labels and aggregate component counts are
    enforced across the full cache-lookup hook chain, not only within a single
    plugin invocation.
  • Unknown TTL IDs, duplicate TTL overrides, unknown tag IDs, and tag counts
    above the hard cap fail through the plugin fail mode.
  • Unknown stored-header IDs, duplicate stored-header mutations, and stored
    header mutation counts above the hard cap fail through the plugin fail mode.
  • Cache-store metadata caps are scoped independently to TTL, tag, and stored
    header metadata so one exhausted metadata family cannot silently drop a later
    family.
  • Oversized cache-store candidates are rejected before cloning response bodies
    for stored-header metadata mutation.
  • Store hooks receive only symbolic content-type classes for response-header
    inspection; raw response header names and values remain unavailable.
  • The hook does not expose arbitrary request headers, raw cache-key bytes,
    request bodies, response bodies, filesystem access, network access, or cached
    object contents.
  • Built-in access, route, rate-limit, concurrency, header, and cache admission
    controls keep their normal order.

Operator Notes

  • This is a preview ABI for controlled cache-key variation. The only accepted
    cache-key label is currently wasm-device-class; the only accepted values
    are mobile and desktop.
  • Store TTL, tag, and stored response-header choices are fixed IDs, not
    arbitrary strings. Richer store admission mutation and cache response policy
    hooks remain staged for later 1.7.x slices.

Checksums And Signatures

  • Commit: c849e3311d9862e336ddeb1171a19a1c064b568a
  • Local gate: GitHub CI green before tag; local release metadata checks passed
  • CodeQL/code scanning: no open release-blocking alerts before tag
  • Source archive checksums:
    • d3316196c58aa0f01a99e4f9f8ec9fe6c45f5ea76d7b43fb63f2f2320bb0bcf8 fluxheim-1.7.5.tar.gz
    • a928f0c6dd9cfaa227871d487135dae167ab9ce23bbd9d1b0deabb7ef31788a8 fluxheim-1.7.5.zip
  • Binary checksums:
    • x86_64:
      • 6275ae5d6542285e15fcf207be68372edd7c8123e3a9d608eae0232b67d52135 fluxheim-1.7.5-full-x86_64-linux.tar.gz
      • d703ce77cec7828eb758188fbbab703843dce91d3762593d9ab1d665fa4f46a5 fluxheim-1.7.5-cache-x86_64-linux.tar.gz
      • 329ca82c825a092c877f92670e65ba5bf2bca969a2c89e31f416fe6774e26b91 fluxheim-1.7.5-proxy-x86_64-linux.tar.gz
      • 87a982cba770134b0334b45beb1ed04ce0fe371c4169bbe380f643c2619c1d05 fluxheim-1.7.5-php-x86_64-linux.tar.gz
      • 99e06ae168e71c277616ebb31c9c1295a5e61cc6e6ee0ce47213476da60dc6b1 fluxheim-1.7.5-load-balancer-x86_64-linux.tar.gz
      • dba07e8f18b8537e667a18056f1ed4bb75681028ad1078a855001d1708e8f376 fluxheim-1.7.5-config-tester-x86_64-linux.tar.gz
    • aarch64:
      • 014e86f4fb850cd69428fa1db73126f33448352d78af906d4cadfb71738b1d79 fluxheim-1.7.5-full-aarch64-linux.tar.gz
      • 1144eb8637e9770e4e8b8ba858ecf07719372e8a4fe9e8ba3f1b82c6f6c53688 fluxheim-1.7.5-cache-aarch64-linux.tar.gz
      • eb177989c3067cdb5e9abc4b0da5cc5f0217b98c4f50ab69787f792db225cb32 fluxheim-1.7.5-proxy-aarch64-linux.tar.gz
      • 02d6c7cbc52f53ba87b5134096739ea25fa3268dc8325106cbf3c4bf167c66e8 fluxheim-1.7.5-php-aarch64-linux.tar.gz
      • 0bceaab3d5897db69b879107d2bc55f1eba1898526d543839a61b56dcc64c606 fluxheim-1.7.5-load-balancer-aarch64-linux.tar.gz
      • 3960a6fde3ffa1f11ce02eb5c7dd081641f2524e61b7aa31be7fbe82a2de36f1 fluxheim-1.7.5-config-tester-aarch64-linux.tar.gz
    • macos:
      • ce34af1384e0936e083c8dc06fc51c962c811b314be94c2edbadadf7767a06ea fluxheim-1.7.5-dev-aarch64-macos.tar.gz
  • SBOM checksums:
    • 0c0fb4585b18442ab1df9f814142d8325aa1a3cbfcce6acfe013b97b077aa0d7 fluxheim.spdx.json
    • 788380fb58d94d8738eedb1b82a02da814172fc67a5fa9991ec1e3c4e8d3a258 fluxheim.cyclonedx.json
  • Reproducible build:
    • 16056a59918c939fccfe1522b11cb1e8ce4a748ea73222bd4f03f146ca3ea072 x86_64
    • add39ef66006d018dfa76ba4d18f7114e1d7fafaf7c61b906ca6e5b2c8495a8e aarch64
    • ec83da96f971f05914d7bda079577be2f2434f31142412aafce21d3a6b1adbfd macos
  • Full Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:39db6caa5b498a68f4455e2f08bba1c109d7f6c6c1c70a3e5ce792bdfcc887ac
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:495ef2913bdfd2c8b0db91101f54cd6e025c7f66f262cd91581d62544b414485
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:0ae64c168a1e5ac435f9922f9db626f4479e6ee1dc3794ab42f33bddcb546e08
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:adb9829ad3c63132ed06b560089ba0703064ab413b7f9aa987ed7f9b47f3bda6
  • Cache Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:22894fbae4dcfc3d0712226eb12a30a8d998792c945f52de8de48070946f5522
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:72c71aaeff9407ec1320de6098ec397fae396e1752649b7cab275d4ca1cf5c42
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:16121cd319cd58155acff3dff193019620c4cd9f14a07bd4a3668b237d8a5a5d
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:ab618b9b41bddcbfe51548d2fe0a91513c871c3ae357898d058c77e1d318a510
  • Proxy Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:2f3c2116106612b831ffe85d335b1a3fbfbd7590cbff2361788a5b3dd8627769
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:05d923cac92dd7bf78874a75b6bcceb5e19e5cd34f44ecf74a42b9d89a956e10
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:ce7c41edb4a4dda642573146ac984a5ec5454af31bac94942becac709e34ec91
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:0248a039b063a5095600388abdf6a68af4d769bfef5390a0d492ff7db837f55f
  • PHP Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:a38e17bad99759a05cff5ad3a6aeade67cf912632c1035b4fb7ff12399f0e328
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:4f2dfcc04e2d53738f489590b1d1d61a98aa9409f92c1e024e1b95dd4e3ab851
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:12f2faeadc9c57d45619073bc4d0bbfa502a40b3e8a3c6704ae1871f50a9f28c
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:4487c4d9307b5d7c6cfa9a0965051c853cbb81f24871cc2a7d62a82e74512875
  • Load Balancer Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:4247e06fe5562382e32589aa6e7da22fc3f73054e191b1cddda5ae2ebffcc57e
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:7c1d596a35346fe4cab29c6ac83468e7fe5db0f4149dd3a9a20488feb5c65bde
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:4b8fc026d8500e3fbec5b65dbf2210681d203e28452aef19a16ea5debd4ef97a
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:46f5527a86c369e08597a814da7887f1bedfb91415a0e446e21b486498f4d19a
  • Tag signature:
    • Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4

Fluxheim 1.7.4

Choose a tag to compare

@eldryoth eldryoth released this 07 Jul 14:07
Immutable release. Only release title and notes can be modified.
v1.7.4
befc640

Fluxheim 1.7.4 Release Notes

Fluxheim 1.7.4 starts the VCL-like cache-policy part of optional WebAssembly
extensibility. The first live cache hook is intentionally constrained: plugins
can decide whether cache lookup proceeds, passes through origin, bypasses
cache, skips storage after an origin response, or denies, but cannot yet mutate
raw keys, TTLs, tags, response headers, or stored metadata.

Highlights

  • Add live native HTTP/1 cache-lookup Wasm hook execution for vhost and route
    attachments.
  • Add live native HTTP/1 cache-store Wasm hook execution after origin
    response and before memory/disk cache writes.
  • Add a bounded fluxheim_cache_lookup() -> i32 preview ABI under the existing
    fluxheim_policy_v1 host-call namespace.
  • Add cache lookup outcomes:
    • 0: continue normal cache lookup and storage;
    • 1: pass through origin without lookup or storage;
    • 2: bypass cache lookup and storage;
    • 3: deny with 403.
  • Add cache store outcomes:
    • 0: continue normal cache storage;
    • 1: serve the origin response but skip storage;
    • 2: deny with 403.
  • Apply cache-lookup hooks before native proxy-cache slice lookup, normal
    lookup, peer-fill, request collapsing, origin-fill protection, and store
    admission.
  • Thread selected route/vhost Wasm hooks into route-proxy cache paths so cache
    decisions use the same attachment model as access, header, and route hooks.
  • Add wasm.max_total_cache_concurrent_executions as a separate process-wide
    admission ceiling for cache-lookup and cache-store hooks.
  • Add live listener tests proving a plugin can pass /api/* without storing
    while normal cacheable paths still produce MISS then HIT.
  • Add live listener tests proving a plugin can skip storage after an origin
    response and deny before cache write/client delivery.
  • Add live listener coverage proving a later cache-store deny wins over an
    earlier skip.
  • Add fail-closed live coverage for cache-lookup deny behavior.

Security Notes

  • The cache-policy hooks are constrained to integer outcomes and coarse path or
    response-status context. They do not expose raw headers, bodies, filesystem,
    network, admin APIs, private keys, cache-key bytes, or cached object bodies.
  • Built-in access policy, rate limits, concurrency limits, route selection, and
    header policy keep their normal order; the cache hook cannot bypass them.
  • Cache hooks use their own process-wide cache admission ceiling so hot
    cache-policy routes cannot starve access-decision, route-decision, or header
    hooks on unrelated vhosts.
  • Cache-store hook chains are most-restrictive-wins: every hook runs unless a
    hook returns deny, and deny wins over an earlier skip.
  • Plugin execution failures still follow the configured fail mode:
    fail-closed denies with 503, while fail-open continues normal cache
    behavior.
  • The wasm feature remains optional and is still rejected with
    privacy-mode.
  • The release gate updates crossbeam-epoch to 0.9.20 to clear
    RUSTSEC-2026-0204.

Operator Notes

  • Plugins that use cache-lookup export fluxheim_cache_lookup() -> i32.
  • Plugins that use cache-store export fluxheim_cache_store() -> i32.
  • pass and bypass outcomes report x-cache-status: BYPASS with
    x-cache-reason: wasm-pass or wasm-bypass when cache status headers are
    enabled.
  • pass and bypass share the external BYPASS cache status but record
    distinct cache-policy activity as pass and bypass.
  • Richer cache-policy hooks for bounded cache-key components, TTL override,
    tag assignment, store-admission mutation, and safe response-header mutation
    remain staged for later 1.7.x slices.

Checksums And Signatures

  • Commit: befc640024b3718e490ba5b5744d1726371f6acf
  • Local gate: GitHub CI green before tag; local release metadata checks passed
  • CodeQL/code scanning: no open release-blocking alerts before tag
  • Source archive checksums:
    • 73c21bd501c6067477b7478a8d2147133646763dc743a07b81694bd0b8308763 fluxheim-1.7.4.tar.gz
    • 7dd086c160f49b1ca7b59149f916ece9d0c29fe4cd7a592e4669c12cbac23900 fluxheim-1.7.4.zip
  • Binary checksums:
    • x86_64:
      • c24bfda56df17a3b0fea6c5d7984d5234d2985f98d97836209bccb62876d033a fluxheim-1.7.4-full-x86_64-linux.tar.gz
      • ae310dcaae7873b337d12eafeeabb5445fe9ae1a37b5ab9230895e60188d4753 fluxheim-1.7.4-cache-x86_64-linux.tar.gz
      • cb2683a7e29a5ce4a990b5f0bce216a518ff687624c0575e3fc7739f7fbf95a4 fluxheim-1.7.4-proxy-x86_64-linux.tar.gz
      • c608addb563b38e729e31c7e6d8b3be0e68a2976a61e7b17137dbf0d406c06d7 fluxheim-1.7.4-php-x86_64-linux.tar.gz
      • 33feefe76ab7082c5b19581d2c3525dce4b6a48c22c87430fd12bb4a5eabcf91 fluxheim-1.7.4-load-balancer-x86_64-linux.tar.gz
      • b28007bbf0778a023141c5de7a2faaa865031890a5ea6d3e710c4493f2199da3 fluxheim-1.7.4-config-tester-x86_64-linux.tar.gz
    • aarch64:
      • a0c62b041b7f261dbcf4d23f507c36e87305439ba661894952c4afc97c9871cb fluxheim-1.7.4-full-aarch64-linux.tar.gz
      • 3ea635b2ff883a84dd453521a51445f1651151152b9e14082cad0192ce29d744 fluxheim-1.7.4-cache-aarch64-linux.tar.gz
      • 9ede717945867b9edabda103b81b701ff589484b9128ef00372adec5d9f98531 fluxheim-1.7.4-proxy-aarch64-linux.tar.gz
      • d4ccdf264d72b0811d56513eef244015fd9550b6e5e517662d2915a4999f2e80 fluxheim-1.7.4-php-aarch64-linux.tar.gz
      • 666ca2a57fb51716b532cd642a84f5964f7c68a47141205135a76193a5593b27 fluxheim-1.7.4-load-balancer-aarch64-linux.tar.gz
      • a728616b18ff81e86cf4c3bb4135e357cb9bb2fb0feb922110e1af6c701800a6 fluxheim-1.7.4-config-tester-aarch64-linux.tar.gz
    • macos:
      • 5131694028fe19c4d4918745814f9d8e35ec8ff176ab24c6bec9d3c7b58c4ddf fluxheim-1.7.4-dev-aarch64-macos.tar.gz
  • SBOM checksums:
    • 621d1868a28d782a439c252d1a4bb7b1511b3e5c5e88b1527a32594fb0010e41 fluxheim.spdx.json
    • 6a0a727a2814c6ddf91d965d38ede300e51c6d168e8dbbcd8d37e770ee84ddc6 fluxheim.cyclonedx.json
  • Reproducible build:
    • cb13c979cb1fcf036cab9a69bdee22949946d9bceb85f966b12844fd174bdbd1 x86_64
    • f5f6b2338628c3ef525a3b0ae7c0da8fe9ae4d0948247510a685b1ca2a185d01 aarch64
    • 8ef32281b2227cf23e337d5e00344b14a80be8505d51e6ea0013250fa4e5c465 macos
  • Full Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:398d019d80aa15cfe26506506dba67f67b3e1a3583a17bb894af2288945e76b9
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:634cab1db3054b01750a25c65f9c7baa244ec93240ee0b90081d67f1c37f4981
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:b3221a2d5910ec08a779cd024920defe715fbc9643ca653592d239e46ac71f1d
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:c220b2c6b58561f43f391b964a1226a1b9cc31ff859195a01beed4dc4a8d6091
  • Cache Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:5e7475427223812a04e54ea72517ffc97a2b3fce88f91341f34e0e93641b0b34
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:ed9222cc22773ca54a6517d6701ab90b991ca017651a66d56e904c2f29125320
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:6e6fcb4d88f0ee0470c61bd68622f9728db1a33b1271a1c07ff934c034e27426
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:284f65e27589ecf6e3b9f4d41c342749b53ce09405d2f813bce70ad075f300bc
  • Proxy Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:541a33fa75070779d397a6befe950d869c2cdc842658ebe0ec5039ff0c766231
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:19b648c78277770a13e7366ebdee181334b9dcfcd22e30a8295f81986168cc89
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:1bf0212048daa4fbda4479fffd526b66797a5cb3875d68834aeb03bb678be0f5
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:cd5fc3880948367dec623b3133e150f324faf141d23147d5b1906399618b41f4
  • PHP Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:bf1c533b2ba75bca8b97d2d94b6b73f72f62d3a3e99c161b287b35b1a18c6d96
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:65a3452a111107c81d6253cbab35e616fee5c4be48ced1a5ca4b71671b22eb44
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:bbeafeb00f8303d593e8f7b1145b54b52b935d8bad6a61bf42f121d76d30f3c5
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:81a159f9bc07df0302aa2a588e057eaf9ee4b9f57c5d8eac7d8c26972ac9d527
  • Load Balancer Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:1cc26ae633ed681f9c8ae2d56285fdeeecbcea956a3129aa9e78d2f4decc02d4
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:09521f3c366001644bb81fffd85fe41b62e604e83095038936ee918edfd45006
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:457f2783d0c2d0272557646935b0a43f9ef3c8378fab9a5754956342305efe46
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:171e2b339403aca700a857af40f573b9d94cb30045d9c4c9588da3dac4d3eda5
  • Tag signature:
    • Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4

Fluxheim 1.7.3

Choose a tag to compare

@eldryoth eldryoth released this 06 Jul 11:10
Immutable release. Only release title and notes can be modified.
v1.7.3
d406056

Fluxheim 1.7.3 Release Notes

Fluxheim 1.7.3 starts the HAProxy-Lua/SPOE-style routing-policy part of the
optional WebAssembly extensibility line. The first live route-decision hook is
intentionally constrained: plugins can continue, deny, or select a symbolic
configured route branch, but they cannot invent upstream addresses, bypass
route matching, or override built-in Fluxheim access policy.

Highlights

  • Add live native HTTP/1 route-decision Wasm hook execution for vhost and
    route attachments.
  • Add a bounded fluxheim_route_decision() -> i32 preview ABI under the
    existing fluxheim_policy_v1 host-call namespace.
  • Add symbolic request context for route decisions, including the existing path
    class plus bounded x-canary: 1 and x-mirror: 1 signals for the first
    configured-branch routing examples.
  • Add configured-route branch selection for the canary and mirror branches.
    Fluxheim accepts the decision only when a configured route with that name also
    matches the current request method and path.
  • Add live listener tests with two local origins proving a Wasm route decision
    can move a request from the standard route to the configured canary route.
  • Add live native load-balancer route coverage proving a Wasm-selected route
    still delegates backend choice to the configured Fluxheim load-balancer
    policy.
  • Add live managed-cookie persistence coverage proving a Wasm-selected
    load-balanced route still pins the backend through Fluxheim's configured
    persistence policy.
  • Add live traffic-mirror listener coverage proving a Wasm route decision can
    select an already configured mirror route without giving plugins dynamic
    shadow-target access.
  • Add fail-closed coverage for a plugin that selects an unavailable branch.

Security Notes

  • route-decision hooks cannot create destinations or bypass route matchers.
    A selected branch must map to an existing configured route with a matching
    method and path.
  • Built-in vhost ACLs, vhost rate limits, and vhost concurrency limits run
    before route-decision execution, so denied or shaped clients cannot spend
    the process-wide Wasm admission budget first.
  • Built-in preselected/decoded route ACLs run before route-decision
    execution, while selected-route ACLs and route-specific rate/concurrency
    limits run after the final route decision. A plugin-selected route cannot
    bypass its own configured route policy.
  • Selected-route body limits, redirect policy, and request/response header
    policy still apply after the Wasm decision selects a route.
  • If a plugin selects an unavailable branch, Fluxheim returns 503 rather than
    falling back silently.
  • Wasm module compilation now waits for a bounded compile slot with a condition
    variable inside the configured compile timeout instead of polling in 1 ms
    sleeps under startup/reload contention.
  • The wasm feature remains optional and is still rejected with
    privacy-mode.

Operator Notes

  • Plugins that use route-decision export
    fluxheim_route_decision() -> i32.
  • The initial preview return values are:
    • 0: continue with normal route selection;
    • 1: select the configured matching route named canary;
    • 2: deny with 403;
    • 3: select the configured matching route named mirror.
  • Direct backend pool/member choice, plugin-provided persistence-key choice,
    and dynamic mirror/shadow target decisions remain staged for later 1.7.x
    slices.
  • Refresh dependency pins for aws-lc-rs, bytes, maxminddb, zeroize,
    getrandom, arc-swap, and env_logger; base64-ng, sanitization,
    cargo security tools, smoke images, and GitHub Actions pins were checked and
    already current.

Checksums And Signatures

  • Commit: d40605659539632f184a01ea536e2f79e7c5fa31
  • Local gate: GitHub CI green before tag; local release metadata checks passed
  • CodeQL/code scanning: no open release-blocking alerts before tag
  • Source archive checksums:
    • 472f7ed39708f020cde7ccde01d109d9cde08090ffb8396190cf148a22806a50 fluxheim-1.7.3.tar.gz
    • bd82e4e10c242ba86663a0ef2b31b03a4bd796f641cc535ac07df831c7ad84ff fluxheim-1.7.3.zip
  • Binary checksums:
    • x86_64:
      • ac76cf1e38c9f6d110ab9e1a82651a41ff0600bf6cc8362e3b6e7e676d640ad3 fluxheim-1.7.3-full-x86_64-linux.tar.gz
      • 87e7e509f35e654b24d80f03829287d7f623ec58f41e1215b0bf3a3398ecfe5e fluxheim-1.7.3-cache-x86_64-linux.tar.gz
      • 06112b0e91bb985d470659b8315cc807f9fddae2fdfe140d3c586c050aab080b fluxheim-1.7.3-proxy-x86_64-linux.tar.gz
      • d2dd5bb649ca32a3e6437519a4d3bfa94a317323250909a5dc78f1e2546df592 fluxheim-1.7.3-php-x86_64-linux.tar.gz
      • e067b34f4aabc7b941e81b58e962043681f9f177d8c7cd6c284e96b163037ee7 fluxheim-1.7.3-load-balancer-x86_64-linux.tar.gz
      • cbe01af881f9cf0dafdcd4541ebe385132ccc940d6d18d5ee23a883b905a2bdd fluxheim-1.7.3-config-tester-x86_64-linux.tar.gz
    • aarch64:
      • 83d7bdf4cd3a48267faf1cc4aeaec085325a3db632ac419a9c6338847f306054 fluxheim-1.7.3-full-aarch64-linux.tar.gz
      • 07bc1317b5d9dc18e52cf6e242e120952c2b91ad82f231c63e120cf10660cc1d fluxheim-1.7.3-cache-aarch64-linux.tar.gz
      • b3ef93bd0452f1a6d1d4edc976e05dd3fb20b31a942280e1d632954afa718e2d fluxheim-1.7.3-proxy-aarch64-linux.tar.gz
      • 2aad1a1d455c4b270605a3be7b40b5ddc9b012a8c63910ebe0ed6183085de654 fluxheim-1.7.3-php-aarch64-linux.tar.gz
      • 5507d0bd781b458946371a23e9f2c15c8c44dea1cf76eb665d71bd0e9445b32a fluxheim-1.7.3-load-balancer-aarch64-linux.tar.gz
      • ed066af4cbfdce353021e53e5be355ca3968626ed13d232315dc22c48837fdad fluxheim-1.7.3-config-tester-aarch64-linux.tar.gz
    • macos:
      • 535cb3e9ceb46e45336c6d890bfddf61baa9b94a42e71928e1c5c83eec0ae7aa fluxheim-1.7.3-dev-aarch64-macos.tar.gz
  • SBOM checksums:
    • e2bf218c025acd5f691e76062f2223ad7f6167d60e10acddcc927b7823ba233e fluxheim.spdx.json
    • 6a469063e11fca5af15b909de7193750ed0d97af7a816e703ad173c6bf863f4f fluxheim.cyclonedx.json
  • Reproducible build:
    • 54b2c6baa21061bf55685a8d2b3f4983ec93188d7db4f1f5fd9dc691ce32440b x86_64
    • 61ab7b28bb374ba31ddbc1fec3fa949bd5fcd7b6a1e33421634488ca5fb9f254 aarch64
    • cf09cd6db45a5b4ac8c173b80762ae5f126c24103b5474039082589051bfbc60 macos
  • Full Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:30049a8decddc2cbba0b28af61c22c6567095acbe4f42209235b7f790442bf22
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:707a38b54b46b1a7333b62a1943cdf04c8e03c4fbafc964e3a22684c9fa11d3e
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:8d9475cc2efc77845978dff3b2911d0a71ca1a58085b4cc75a0bde4eb60174a4
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:0909da492f90b6c110f8bee83f2f0ffc10ec94513b8f100a5e93200cc94badaa
  • Cache Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:f1329ca0db6f2421048667cdf3b8812afc09e6773b84bd7fe24bb8d3fb972b3b
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:2478849264307489ae484c9441323bbec136703434b6e18e2104b20e3cc0f7ec
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:1b88e1036f09447008f2fc0d1ebe0a02e80e1a87bdfa76fce04f17e7bfb77bbf
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:0208ea8b86d409390b698706c6a3834024f6b76958a362b5941b74c453711dae
  • Proxy Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:2e39f5126f6840ebfb9f9c8c59d661df57385edb270daa85e01cb7d242617f3c
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:25380d5a9a5c156cb2af21cfeae968bdc9d03d267046053101a15d9d4bfb309b
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:5b0cbe914807346e90a68e7df720426b485c9e826b527dbb15670827d4289a0d
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:118ce74ecf4b3a08760baa2918471061c4b5f29c1abd2405274f86a555e0dc5b
  • PHP Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:09b23f9d2acdfb0efd48cdc70fd9da131b73690276db9c91bbe8fb9a1b080e94
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:6474f973a8b0c228e510f8133fd1729aeb5692e544e83a10d9cd623dab89b1f4
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:09eb9fd2d399250529283d85c84d07956f45ce9e4b936e4a745dfadf6d817ebf
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:486d6a5c6e1321e77b8be3ba79750d58f246acf1b6f985f9e6a31d3d69d7614a
  • Load Balancer Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:1afa3c43f841365fcb8922252699f9f7140d2ac0c36d94688936391c98296df1
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:2f67c0c911846347423d2652a30e386fc0235e768ea90f5bf0f076474e2f33d4
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:276591dd49fa339d613edc348fe97cb2f86477c37897a4c4034aa4f3161c84aa
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:4db34538477dde07a5fe8d4234f71cee6d10d59abeff116db93655b299674cb6
  • Tag signature:
    • Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4