Releases: deislabs/bindle
v0.9.0-rc.2
This is the second RC (release candidate) 0.9 release for Bindle! The update contains fixes and a few small quality of life features. For full release notes on breaking changes, see the release notes for RC1
Installing
You can download the prebuilt binaries for the Bindle CLI client and the Bindle server from the following links:
Once downloaded, you can follow the installation and getting started instructions
Using as a crate
Besides the pre-compiled binaries, we also publish a fully featured crate (that the binaries also use). You can find docs here.
Major Features
- The healthz endpoint now returns the server version
- We now push docker images to GHCR
- When running bindle server locally, you no longer have to pull the host key the first time you start the server
Breaking changes
None
Bug fixes
- The server now automatically trusts any of its signing keys in its keyring
Caveats
Please note that this is NOT production-ready software, but it is in a usable/consumable state. Because this is pre-1.0 software, we make no guarantees about spec, Rust API, or CLI compatibility. However, we will do our best to call out every breaking change in future release notes. Once we hit 1.0, backwards compatibility guarantees will be in effect.
What's next?
Our next anticipated version is the full 0.9.0 release (although we will cut a 0.9.0-rc.3 if necessary). Please give things a try and feel free to open PRs or issues with your feedback. In fact, your feedback is crucial as we continue to solidify the spec and features desired in Bindle!
Changelog
- Bumps to new RC version ecdf3d3 (Taylor Thomas)
- fix(server): Adds default host keys and signing keys to keychain 72c4e2c (Taylor Thomas)
- fix(release.yaml): add apt-get update in aarch64 build step (#360) e43a08c (Vaughn Dice)
- fix(wasm): Fixes deps for building in wasm 767ec06 (Taylor Thomas)
- Bump azure-blob-storage-upload to v2.0.1 a5ba2c9 (Matthew Fisher)
- feat(healthz): add version 9347ac3 (Frank Yang)
- feat: push docker image (#352) 218e4f2 (Frank Yang)
- Updates deny.toml with unicode license f026e9a (Taylor Thomas)
- Use Debian as base image in Dockerfile 6c047eb (Dan Norris)
- fix(docs/README.md): add missing EOF a0444c1 (Vaughn Dice)
- feat(docs): add using bindle-server in container 4ce8959 (Frank Yang)
- feat: add Dockerfile 3c9d5ae (Frank Yang)
- chore(*): Update dependencies to latest version 759bc0c (Taylor Thomas)
- Remove temp pipeline for regenerating binaries 49414ef (Taylor Thomas)
- Push rc as well 226a051 (Taylor Thomas)
- fix(ci): Fixes missing blobs 725562d (Taylor Thomas)
- Removes warning about not using in production c844d0f (Taylor Thomas)
v0.8.2
This is the 0.8.2 patch release for Bindle. This release only contains CI changes (see 'What's Changed' below), primarily so that we get Linux aarch64 artifacts from the release/0.8 branch. There are no code changes.
Installing
You can download the prebuilt binaries for the Bindle CLI client and the Bindle server from the following links:
Once downloaded, you can follow the installation and getting started instructions
Using as a crate
Besides the pre-compiled binaries, we also publish a fully featured crate (that the binaries also use). You can find docs here.
Caveats
Please note that this is NOT production-ready software, but it is in a usable/consumable state. Because this is pre-1.0 software, we make no guarantees about spec, Rust API, or CLI compatibility. However, we will do our best to call out every breaking change in future release notes. Once we hit 1.0, backwards compatibility guarantees will be in effect.
What's Changed
- chore(release/0.8): cherry-pick CI features/fixes by @vdice in #359
- fix(release.yaml): add apt-get update in aarch64 build step (#360) by @vdice in #361
- chore(Cargo.toml): bump version to 0.8.2 by @vdice in #363
Full Changelog: v0.8.1...v0.8.2
v0.8.1
This is the 0.8.1 patch release for Bindle. It contains 1 small bug fix that only affects the Rust crate. The bindle CLI client and bindle-server binaries are not affected. This addresses an issue where in some cases, upgraded dependencies (when someone ran a cargo update) caused a missing feature flag for the tokio-util crate. This led to the bindle crate not compiling.
NOTE: This fix is only needed for 0.8. The forthcoming 0.9 release is not affected due to us using the latest dependencies here
Installing
You can download the prebuilt binaries for the Bindle CLI client and the Bindle server from the following links:
Once downloaded, you can follow the installation and getting started instructions
Using as a crate
Besides the pre-compiled binaries, we also publish a fully featured crate (that the binaries also use). You can find docs here.
Caveats
Please note that this is NOT production-ready software, but it is in a usable/consumable state. Because this is pre-1.0 software, we make no guarantees about spec, Rust API, or CLI compatibility. However, we will do our best to call out every breaking change in future release notes. Once we hit 1.0, backwards compatibility guarantees will be in effect.
Changelog
- fix(cargo): Updates dependency tree to avoid a compile error on tokio_util ab5671e (Taylor Thomas)
v0.9.0-rc.1
This is the first RC (release candidate) 0.9 release for Bindle! The update contains fixes, improvements, and one significant breaking change. Due to this breaking change, we thought it would be appropriate to release this first as an RC, even though it is pre-1.0. There are various people across the WebAssembly community who have started using Bindle, and we want to give those users time to prepare an upgrade to the latest version of Bindle.
Installing
You can download the prebuilt binaries for the Bindle CLI client and the Bindle server from the following links:
Once downloaded, you can follow the installation and getting started instructions
Using as a crate
Besides the pre-compiled binaries, we also publish a fully featured crate (that the binaries also use). You can find docs here.
Major Features
Spec/Server Changes
- A new optional KeyRing Protocol Specification has been added to the Bindle Spec and to the bindle server implementation. This enables easier fetching of host keys for validation now that signing and verification is required (see Breaking Changes for more details)
- Clients are now required to follow redirects for parcel GET requests. This enables servers to serve parcels from alternate storage locations.
CLI
- Key creation and management functions (including KeyRing management) have been added to a new bindle keys subcommand. This command makes it much easier to fetch, create, and manage keys for signing and verifying Bindles
- There is a new bindle clean subcommand for cleaning up local caches. This is very useful for developers of bindle or those iterating on bindles with a local server
- bindle sign has new --label and --label-matching flags to select which key to use for signing
Crate
- Better cargo feature management. Now, if you import the bindle crate with no default features, only the core types and necessary dependencies are pulled in.
- OpenSSL is no longer required as a transitive dependency if the rustls-tls feature is enabled
- MSRV is now 1.60+
- 2 new helper traits for loading and saving KeyRings have been added: KeyRingLoader and KeyRingSaver. These can be implemented for types that may load a KeyRing from a remote source. Default implementations for any types that implement AsRef<Path> have been provided.
Breaking Changes
- bindle create-key has been moved under the new bindle keys subcommand as bindle keys create
- bindle print-key has been moved under the new bindle keys subcommand as bindle keys print
- The SecretKeyStorage trait now has an additional method get_all_matching. Both methods of the trait now have an additional Option parameter for label matching
Required signing and verification
Since the beginning of the Bindle project, our intent has always been for signing to be required. We've seen multiple times in the past where projects that don't enforce signing, or add it later down the line, never have serious uptake on signing. Cryptographic verification of Bindles has been a core concept since the beginning, but our signing toolchain and early project iteration necessitated flexibility with requiring signing. However, now that the project is starting to stabilize somewhat, and with multiple projects taking a dependency on Bindle, we decided to put in the effort to improve the toolchain and require signing and verification of all Bindles.
So, what does this mean for you? Now there are several requirements that must be observed when using Bindle:
- You must have a key with which to sign your bindles. This can be done by running bindle key create. See the help text for the command for more advanced options.
- All bindles must be signed before pushing them to a bindle server. This is done using bindle sign. By default, all that is required is a signature by a key with the creator role. bindle key create without any additional arguments will create a key with the creator role
- Bindle servers must have a KeyRing that contains the public keys of any creator key your bindles will be signed with. Locally, your bindle server and bindle client share the same keyring, so this is handled for you. For production use cases, you can define how you'd like to expose your keyring.
- Bindles must always be verified when pulling from a bindle server. By default, the client must validate that it trusts the host. The bindle server automatically creates a signing key with the host role if one is not specified. As a client, you have one additional step of running bindle keys fetch once the bindle server is running to fetch the host's public key from the /bindle-keys endpoint and add it to your keychain
For more information on keyrings, verification, and signing, check out the signing specification
Bug fixes
- The crate and CLI now return clearer error information in various cases
- When pushing large bindles, it was possible to get a "too many open files" error due to unlimited concurrency underneath the hood. The concurrent upload limit in the bindle client (CLI and crate) is now set to 1024.
Caveats
Please note that this is NOT production-ready software, but it is in a usable/consumable state. Because this is pre-1.0 software, we make no guarantees about spec, Rust API, or CLI compatibility. However, we will do our best to call out every breaking change in future release notes. Once we hit 1.0, backwards compatibility guarantees will be in effect.
What's next?
Our next anticipated version is the full 0.9.0 release (although we will cut a 0.9.0-rc.2 if necessary). Please give things a try and feel free to open PRs or issues with your feedback. In fact, your feedback is crucial as we continue to solidify the spec and features desired in Bindle!
Changelog
- Adds client code for fetching and adding host keys 1b0af6a (Taylor Thomas)
- feat(*): Adds bindle keys endpoint de685f1 (Taylor Thomas)
- added codec feature for tokio-util, cargo update b195e61 (Brooks Townsend)
- setup native-tls and rustls-tls features 54e2053 (Brooks Townsend)
- Replaced reqwest default-tls with rustls-tls 27ba682 (Brooks Townsend)
- Fixes link on README.md 7680de5 (Mikkel Mork Hegnhoj)
- fix: address "too many open files" error when pushing large bindles 2b2b104 (Joel Dice)
- minor fix to include both head and get methods for query '_q' 2025504 (VishnuJin)
- minor-update keys print command's '--label' argument to '--label-matching' to avoid ambiguity ab0b9b2 (VishnuJin)
- add label match arguments for sign-invoice a973a72 (VishnuJin)
- add build support for aarch64 linux binary (#328) f7e31cc (VishnuJin)
- Remove pinned indexmap dependency b04616e (Lann Martin)
- add overwrite option 2bf00ee (Matthew Fisher)
- Make "unknown error" client errors a bit more informative (#323) e6b6851 (itowlson)
- azure-blob-storage-upload v2.0.0 743158b (Matthew Fisher)
- potential fix to the anticipated issue that could occur when deleting a larger directory in windows using 'clean' subcommand f323ab2 (VishnuJin)
- create 'clean' subcommand a58da46 (VishnuJin)
- spec: Require clients follow redirects from parcel GETs d8839f6 (Lann)
- update the 'Using Bindle' section to stay current a9890ea (VishnuJin)
- remove the hard coded Bad request error message and display the actual error occured 4f18615 (VishnuJin)
- minor fix on typos to improve documentation 362015a (VishnuJin)
- fix(invoice): makes open options much better c31bcc9 (Taylor Thomas)
- ref(*): Better organizes features and dependencies 7db571f (Taylor Thomas)
- docs(*): fix erroneous code comment and docs typo (#305) bf8809b (Vaughn Dice)
- fix(file): Adds error log when IO errors occur on invoice/parcel create 62c26ce (Taylor Thomas)
- feat(*): Enforce signatures on server 027f509 (Taylor Thomas)
- ref(cli): Makes global bindle URL less annoying to work with 024f315 (Taylor Thomas)
- docs(spec): Adds new Keyring protocol spec 209531a (Taylor Thomas)
- feat(*): Adds required verification to the client c5416b2 (Taylor Thomas)
- feat(cli): Adds tests for new key functionality 8ad7285 (Taylor Thomas)
- feat(*): Updates CLI to automatically manage the keyring 38b7294...
v0.8.0
This is the 0.8 release of Bindle! The update contains a handful of fixes, improvements, one new major feature, and a fix for crate consumers
Installing
You can download the prebuilt binaries for the Bindle CLI client and the Bindle server from the following links:
Once downloaded, you can follow the installation and getting started instructions
Using as a crate
Besides the pre-compiled binaries, we also publish a fully featured crate (that the binaries also use). You can find docs here.
Major Features
- The bindle CLI and the StandaloneWrite and StandaloneRead types now support standalone bindles as tarballs! This is mostly a quality of life feature that enables passing around a single file rather than a directory when using a standalone bindle
- We now build and release binaries that run on Apple processors
Breaking Changes
None
Bug fixes
- The big bug fix this release affected users of the Bindle crate. The Signature trait was including the use of the underlying signing mechanism trait and causing compilation issues. This has now been fixed. See #287 for more detailed information
Caveats
Please note that this is NOT production-ready software, but it is in a usable/consumable state. Because this is pre-1.0 software, we make no guarantees about spec, Rust API, or CLI compatibility. However, we will do our best to call out every breaking change in future release notes. Once we hit 1.0, backwards compatibility guarantees will be in effect.
What's next?
Our next anticipated version is 0.9.0 (although we will cut a 0.8.1 if necessary). Our main focus for 0.9 will be finishing signing and verification on the Client and addressing any fixes and feature needs from other projects that will be consuming bindle. Please give things a try and feel free to open PRs or issues with your feedback. In fact, your feedback is crucial as we continue to solidify the spec and features desired in Bindle!
Changelog
- chore(Cargo.toml): bump version to 0.8.0 (#289) e09f969 (Vaughn Dice)
- Fix for crate consumers not finding Signature trait methods (#287) d46c371 (itowlson)
- fix(ci): Uses the correct var name 053cb8a (Taylor Thomas)
- feat(ci): Adds support for m1 Macs and auto crate pushing f0dd36e (Taylor Thomas)
- feat(cli): Adds support for standalone tarballs to client 5a05dd2 (Taylor Thomas)
- feat(standalone): Adds tarball support to standalone bindles 3f3fbfc (Taylor Thomas)
- fix(*): Fixes various clippy lints 2bc895b (Taylor Thomas)
- chore(Cargo.toml): bump tracing-subscriber dependency per #279 (#281) 3de704c (Vaughn Dice)
- docs(reference-spec.md): fix SemVer 2 link (#278) d2fcdbd (Vaughn Dice)
v0.7.1
This is the 0.7.1 patch release for Bindle. It contains 2 small cosmetic bug fixes. The main purpose of this release is to build new binaries based on Rust 1.58.1 to address the recent Rust CVE. There are no other changes to the underlying library. If you are using Bindle as a crate, this issue does not affect you directly so long as you are using Rust 1.58.1 or greater. If you are using the compiled bindle client and bindle server, it is highly recommended to use this new version.
Installing
You can download the prebuilt binaries for the Bindle CLI client and the Bindle server from the following links:
Once downloaded, you can follow the installation and getting started instructions
Using as a crate
Besides the pre-compiled binaries, we also publish a fully featured crate (that the binaries also use). You can find docs here.
Caveats
Please note that this is NOT production-ready software, but it is in a usable/consumable state. Because this is pre-1.0 software, we make no guarantees about spec, Rust API, or CLI compatibility. However, we will do our best to call out every breaking change in future release notes. Once we hit 1.0, backwards compatibility guarantees will be in effect.
What's next?
Our next anticipated version is 0.8.0 (although we will cut a 0.7.2 if necessary). Our main focus for 0.8 will be finishing signing and verification on the Client and addressing any fixes and feature needs from other projects that will be consuming bindle. Please give things a try and feel free to open PRs or issues with your feedback. In fact, your feedback is crucial as we continue to solidify the spec and features desired in Bindle!
Changelog
v0.7.0
This is the 0.7 feature release for Bindle. This release contains a bunch of small features and fixes
Installing
You can download the prebuilt binaries for the Bindle CLI client and the Bindle server from the following links:
Once downloaded, you can follow the installation and getting started instructions
Using as a crate
Besides the pre-compiled binaries, we also publish a fully featured crate (that the binaries also use). You can find docs here.
Caveats
Please note that this is NOT production-ready software, but it is in a usable/consumable state. Because this is pre-1.0 software, we make no guarantees about spec, Rust API, or CLI compatibility. However, we will do our best to call out every breaking change in future release notes. Once we hit 1.0, backwards compatibility guarantees will be in effect.
Major Features
- Logging now supports ansi logging only with a TTY
- Adds the --insecure flag for the CLI when you want to ignore certificate errors
- Better error messages are now returned in the CLI
Breaking Changes
This release now uses the Rust 2021 edition
What's next?
Our next anticipated version is 0.8.0 (although we will cut a 0.7.1 if necessary). Our main focus for 0.8 will be finishing signing and verification on the Client and addressing any fixes and feature needs from other projects that will be consuming bindle. Please give things a try and feel free to open PRs or issues with your feedback. In fact, your feedback is crucial as we continue to solidify the spec and features desired in Bindle!
Changelog
- feat(client): add insecure flag 4ab9281 (Adam Reese)
- feat(cli): only use ansi logging on tty 535638a (Adam Reese)
- Adds codeowners 06fbe61 (Taylor Thomas)
- Removes cargo audit d9d53b7 (Taylor Thomas)
- Updates deps to avoid importing chrono 8db4635 (Taylor Thomas)
- chore(*): Updates deps, removes chrono, and fixes clippy errors 6971ae4 (Taylor Thomas)
- Updates pipelines to use latest rust 9b10aee (Taylor Thomas)
- chore(*): Bumps bindle to use the 2021 edition eb98b1c (Taylor Thomas)
- fix(server): move /v1/healthz to /healthz c1d7a76 (Adam Reese)
- fix(Makefile): add default value for BINDLE_DIRECTORY var 8ff11f6 (Vaughn Dice)
- fix(README.md): fix typo. connections -> connects 42efedd (Michelle Noorali)
- Update license from MIT to Apache v2 7f5674e (Radu M)
- fix(provider): Fixes missing slash for doc comments c5a70f8 (Taylor Thomas)
- fix test 0096452 (Simon Davies)
- custom message if no bindles 0f4943f (Simon Davies)
- improve error messages for network connection failures (#232) 6a66116 (Matt Butcher)
- Remove cargo2bindle and as2bindle from the release action 7916139 (Adam Reese)
- Run cargo update 1fee640 (Adam Reese)
- chore(bin): move cargo2bindle and as2bindle to examples e8cb0a5 (Adam Reese)
- fix(Makefile): remove hard-coded bindle directory efbb18a (Adam Reese)
- typo in build instructions c0610c8 (Ralph Squillace)
- Upgrade deps with cargo upgrade. 9e4a59a (Peter Huene)
Bindle v0.6.0
This is the 0.6 feature release for Bindle. The main feature in this release is alpha level authentication support and a more efficient default storage option.
Installing
You can download the prebuilt binaries for the Bindle CLI client and the Bindle server from the following links:
Once downloaded, you can follow the installation and getting started instructions
Using as a crate
Besides the pre-compiled binaries, we also publish a fully featured crate (that the binaries also use). You can find docs here.
Caveats
Please note that this is NOT production-ready software, but it is in a usable/consumable state. Because this is pre-1.0 software, we make no guarantees about spec, Rust API, or CLI compatibility. However, we will do our best to call out every breaking change in future release notes. Once we hit 1.0, backwards compatibility guarantees will be in effect.
Major Features
This release had no major features added.
Breaking Changes
The server must now be started with a flag that specifies the authentication mechanism.
What's next?
Our next anticipated version is 0.7.0 (although we will cut a 0.7.1 if necessary). Our main focus for 0.7 will be finishing signing and verification on the Client, adding support for multiple concurrent authentication methods, and adding more authorization. Please give things a try and feel free to open PRs or issues with your feedback. In fact, your feedback is crucial as we continue to solidify the spec and features desired in Bindle!
Changelog
- Updated versions to 0.6.0 842bafb (Matt Butcher)
- feat(client): add json output to bindle info 66b1a20 (Adam Reese)
- fix(Makefile): default to unauthenticated in Makefile 5691bc4 (Adam Reese)
- let less nits c44013d (sam boyer)
- Refactor merging config with cli options a8dd4af (Adam Reese)
- Add unauthenticated flag to bindle-server 22f7764 (Adam Reese)
- Don't require a value passed for the --use-embedded-db 633c99c (Adam Reese)
- Clearer error on bad token file (#230) 9edc12b (itowlson)
- updated newest routes with boxen 4bcaa83 (Matt Butcher)
- more boxes 33d4d64 (Matt Butcher)
- boxen all the things 9e0f7b6 (Matt Butcher)
- Respect config file values ed24145 (Adam Reese)
v0.5.0
This is the 0.5 feature release for Bindle. The main feature in this release is alpha level authentication support and a more efficient default storage option.
Installing
You can download the prebuilt binaries for the Bindle CLI client and the Bindle server from the following links:
Once downloaded, you can follow the installation and getting started instructions
Using as a crate
Besides the pre-compiled binaries, we also publish a fully featured crate (that the binaries also use). You can find docs here.
Caveats
Please note that this is NOT production-ready software, but it is in a usable/consumable state. Because this is pre-1.0 software, we make no guarantees about spec, Rust API, or CLI compatibility. However, we will do our best to call out every breaking change in future release notes. Once we hit 1.0, backwards compatibility guarantees will be in effect.
Major Features
- Bindle server now supports authentication using HTTP Basic auth and OIDC token auth. Please note that the authentication behavior and /login endpoint is still very much in beta and could change in the future
Binary specific
- bindle-server now has an optional embedded database option that provides better performance than the old filesystem method. This can be turned on by using the --use-embedded-db option. In the future, the filesystem storage for bindle server will be removed and replaced with the embedded DB option
- If authentication is enabled, the default authorization scheme will allow anonymous GET requests. All other create or modify operations will require an authenticated user. More complex authorization schemes will be enabled in the future
Crate specific
- The Client now has support for various authentication strategies, as well as support for refresh tokens
Bug Fixes
- The http2_prior_knowledge config option on the client now defaults to false. Having it set to true as a default was leading to various configuration issues with downstream consumers of a bindle server
Known Issues/Missing Features
- The standalone bindle implementation does not currently handle tarballs. This will be added in a future release
- Signing and verification is not automatically done in the Client or the bindle CLI
Breaking Changes
- The Client struct now requires a TokenManager in order to construct. There are various token authentication methods provided that are available at bindle::client::tokens:
pub struct Client<T> {
    ...
}
impl<T: tokens::TokenManager> Client<T> {
    pub fn new(base_url: &str, token_manager: T) -> Result<Self> {
        ...
    }
    ...
}
What's next?
Our next anticipated version is 0.6.0 (although we will cut a 0.5.1 if necessary). Our main focus for 0.6 will be finishing signing and verification on the Client, adding support for multiple concurrent authentication methods, and adding more authorization. Please give things a try and feel free to open PRs or issues with your feedback. In fact, your feedback is crucial as we continue to solidify the spec and features desired in Bindle!
v0.4.1
This is the 0.4.1 bugfix release for Bindle. This release contains a single fix for a missing trait marker on one of the new traits. It does not affect the binaries and only the users of the Rust crate
Installing
You can download the prebuilt binaries for the Bindle CLI client, the Bindle server, and 2 helper CLI tools from the following links:
Once downloaded, you can follow the installation and getting started instructions
What's next?
Our next anticipated version is 0.5.0 (although we will cut a 0.4.2 if necessary). Our main focus for 0.5 will be finishing signing and verification. Please give things a try and feel free to open PRs or issues with your feedback. In fact, your feedback is crucial as we continue to solidify the spec and features desired in Bindle!