
v0.10.0 — encryption-aware completion + Docker distribution + hardening (4-round audit clean)


@masumi-ryugo masumi-ryugo released this 07 Jun 14:51

Second cut on the v0.10 line (the first v0.10 release). Two-wave delivery of the encryption-aware sidecar completion + Docker image distribution + hardening theme, converged by a 4-round integrated audit (2 P2 fixes; R3 and R4 clean).

Net diff vs v0.9.0: ~12 files / ~1,800 lines across s4-server, the Helm chart, the distribution workflows, and the docs.

Published to crates.io as s4-server@0.10.0, s4-codec@0.10.0, s4-config@0.10.0, s4-codec-py@0.10.0. Container images on ghcr.io: ghcr.io/abyo-software/s4:0.10.0 (multi-arch CPU) + ghcr.io/abyo-software/s4:0.10.0-gpu (nvCOMP, amd64) — built automatically by .github/workflows/docker.yml on this tag push. Install via cargo install s4-server or helm install s4 ./charts/s4 --set image.tag=0.10.0 --set backend.endpointUrl=https://....

Wave-1 — encryption-aware completion + Docker distribution

  • s4 repair-sidecar --sse-s4-key <PATH> (--sse-s4-key-rotated id=N,key=PATH) plumbing closes the v0.9 EncryptedSidecarUnsupported reject path. The CLI now decrypts SSE-S4 chunked (S4E6) bodies in-process via the keyring, frame-scans the recovered plaintext, and stamps a v3 sidecar so subsequent Range GETs hit the encryption-aware partial-fetch fast-path. New lib entry s4_server::repair::repair_sidecar_with_keyring; RepairReport::sse_v3_binding exposes the rebuilt SSE binding. RepairError::SseDecryptFailed for keyring mismatches. Hardened against attacker-controlled S4E6 header inflation via SSE_S4_REPAIR_MAX_OVERHEAD_BYTES + SSE_S4_REPAIR_MAX_CHUNK_SLACK_BYTES caps.

  • Official container images on GitHub Container Registry. New .github/workflows/docker.yml builds + pushes ghcr.io/abyo-software/s4:<version> (CPU multi-arch linux/amd64 + linux/arm64) and ghcr.io/abyo-software/s4:<version>-gpu (nvCOMP GPU, amd64 only — nvCOMP redist x86_64-only) on every v*.*.* tag push. SLSA build provenance (mode=max) + SPDX SBOM via Buildx. GHA-backed layer cache scoped per flavor. Mutable tags (latest, <major>.<minor>) gated on stable tag-push events only so prereleases (-rc1) and back-fill workflow_dispatch runs can't move them backward. workflow_dispatch supports build_ref + image_tag_override for back-filling images for tags that pre-date the workflow. Helm chart default image.repository flipped to ghcr (chart version 0.1.0 → 0.2.1, appVersion → 0.10.0); docker-compose.{,gpu}.yml add image: alongside build:.

  • SSE partial-fetch AEAD constraint documentation — new docs/security/sse-partial-fetch-constraint.md walks the AEAD authenticated-encryption contract (NIST SP 800-38D §7.2 quoted), per-mode wire layout, why only S4E6 escapes the constraint (per-chunk nonce + tag), and provisional S4E7 (chunked-KMS) / S4E8 (chunked-SSE-C) roadmap candidates. README §"Server-side encryption — Range GET fast-path matrix" makes the support matrix explicit.
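Illustration added here (not S4's code) of the two points above: why a layout with a nonce and tag per chunk can serve a Range GET without fetching the whole object while a single-tag body cannot, and why header-declared chunk counts and sizes must be checked against caps before anything is sized from them. The AEAD is a toy encrypt-then-MAC over an HMAC-SHA256 keystream standing in for AES-GCM; the chunk layout, header fields, cap constants and function names are assumptions of this example, not the S4E6 wire format or the s4_server::repair API.

```python
import hashlib
import hmac
import os
import struct

# Toy AEAD (encrypt-then-MAC over an HMAC-SHA256 keystream) standing in for AES-GCM.
# Not S4's codec and not for production; it only reproduces the property that matters:
# no plaintext is released until the tag over (aad, nonce, ciphertext) verifies.
NONCE_LEN, TAG_LEN = 12, 32

def _subkeys(key):
    # Derive separate keystream and MAC keys so the two roles never share one key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(ek, nonce, n):
    blocks = (hmac.new(ek, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def aead_seal(key, nonce, aad, pt):
    ek, mk = _subkeys(key)
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(ek, nonce, len(pt))))
    return ct + hmac.new(mk, aad + nonce + ct, hashlib.sha256).digest()

def aead_open(key, nonce, aad, sealed):
    ek, mk = _subkeys(key)
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mk, aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("AEAD tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(ek, nonce, len(ct))))

# Hypothetical chunked layout (illustration only, NOT the S4E6 wire format):
#   header: magic(4) | key_id u32 | chunk_size u32 | chunk_count u32 | last_len u32
#   body:   chunk_count x [ nonce(12) | ciphertext | tag(32) ], AAD = header || chunk index
MAGIC = b"CHK1"
HDR = struct.Struct(">4sIIII")
MAX_OVERHEAD_BYTES = 1 << 20  # cap on chunk_count*(nonce+tag); stand-in for SSE_S4_REPAIR_MAX_OVERHEAD_BYTES
MAX_CHUNK_BYTES = 8 << 20     # cap on declared chunk_size; stand-in for SSE_S4_REPAIR_MAX_CHUNK_SLACK_BYTES

def stride(clen):
    return NONCE_LEN + clen + TAG_LEN

def seal_chunked(keyring, key_id, pt, chunk_size):
    chunks = [pt[i:i + chunk_size] for i in range(0, len(pt), chunk_size)] or [b""]
    hdr = HDR.pack(MAGIC, key_id, chunk_size, len(chunks), len(chunks[-1]))
    body = b""
    for idx, c in enumerate(chunks):
        nonce = os.urandom(NONCE_LEN)
        body += nonce + aead_seal(keyring[key_id], nonce, hdr + struct.pack(">I", idx), c)
    return hdr + body

def parse_header(hdr, obj_len):
    """Check attacker-controlled header fields BEFORE any buffer is sized from them."""
    magic, key_id, chunk_size, count, last_len = HDR.unpack(hdr)
    if magic != MAGIC:
        raise ValueError("bad magic")
    if not 0 < chunk_size <= MAX_CHUNK_BYTES:
        raise ValueError("chunk_size above cap")
    if count == 0 or count * (NONCE_LEN + TAG_LEN) > MAX_OVERHEAD_BYTES:  # checked_mul in Rust
        raise ValueError("chunk_count implies AEAD overhead above cap")
    if last_len > chunk_size:
        raise ValueError("last_len inconsistent with chunk_size")
    if HDR.size + (count - 1) * stride(chunk_size) + stride(last_len) != obj_len:
        raise ValueError("header does not match object length")
    return key_id, chunk_size, count, last_len

def range_get_chunked(keyring, read, obj_len, start, end):
    """read(off, n) stands in for a Range GET on the stored object. Only the chunks covering
    plaintext [start, end) are fetched and authenticated, each under its own nonce and tag."""
    hdr = read(0, HDR.size)
    key_id, chunk_size, count, last_len = parse_header(hdr, obj_len)
    if key_id not in keyring:
        raise KeyError("no keyring entry for key id %d" % key_id)  # cf. RepairError::SseDecryptFailed
    end = min(end, (count - 1) * chunk_size + last_len)
    if start >= end:
        return b"", 0
    first, last = start // chunk_size, (end - 1) // chunk_size
    blob = read(HDR.size + first * stride(chunk_size), (last - first + 1) * stride(chunk_size))
    out, pos = b"", 0
    for idx in range(first, last + 1):
        clen = last_len if idx == count - 1 else chunk_size
        nonce, sealed = blob[pos:pos + NONCE_LEN], blob[pos + NONCE_LEN:pos + stride(clen)]
        out += aead_open(keyring[key_id], nonce, hdr + struct.pack(">I", idx), sealed)
        pos += stride(clen)
    base = first * chunk_size
    return out[start - base:end - base], len(blob)

def seal_single(key, pt):
    nonce = os.urandom(NONCE_LEN)
    return nonce + aead_seal(key, nonce, b"", pt)

def range_get_single(key, read, obj_len, start, end):
    """One nonce and one tag over the whole body (SP 800-38D 7.2: verify before any output), so
    the only correct Range GET fetches and authenticates the entire object, then slices."""
    blob = read(0, obj_len)
    return aead_open(key, blob[:NONCE_LEN], b"", blob[NONCE_LEN:])[start:end], len(blob)
```

The second return value of each range_get function is the number of ciphertext bytes that had to be read: for the chunked layout it is the covering chunks only, for the single-tag layout it is the whole object. A tampered chunk outside the requested range is never touched, while a tampered chunk inside it fails the tag check before any byte is returned, and an inflated chunk_count is rejected in parse_header before the count is multiplied into an allocation.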

Wave-2 — hardening

  • i686 runtime smoke CI — new i686-runtime-smoke job in .github/workflows/ci.yml installs gcc-multilib + libc6:i386, runs cargo test --target i686-unknown-linux-gnu -p s4-codec -p s4-config --release, builds the s4 binary for i686 (continue-on-error for the aws-sdk-rust / rustls / ring stack), and invokes s4 --help / s4 --version on the i686 ELF. README §"Supported targets" cell flips from "⚠️ compiles, untested at runtime" to "✅ compiles + --help / --version smoke (CI)".

  • Docker / Helm distribution smoke CI — new .github/workflows/docker-smoke.yml validates the v0.10 #B1 distribution surface on every push that touches it (path-filtered to charts/**, Dockerfile*, docker-compose*.yml, plus the docker / docker-smoke workflow files). Three independent jobs: helm-lint-template (helm lint + three helm template invocations: default, pinned tag, GPU suffix), docker-compose-config (both compose files + assert ghcr image refs present), image-smoke (docker pull ghcr.io/abyo-software/s4:latest + --help / --version, continue-on-error: true on pull for the not-yet-published case).

  • Streaming PUT checksum coverage matrix doc — new docs/security/streaming-checksum-coverage.md documents the codec-API constraint that limits the v0.9 #streaming-checksum tee-into-hasher fast-path to single-PUT cpu-zstd / nvcomp-zstd (Codec::supports_streaming_compress() == true). Same "fundamental contract, not deferred plumbing" framing as the SSE-side #A2-doc. Three preconditions for streaming win (streaming codec + streaming downstream + no full-body framing dependency) + which paths meet how many + roadmap candidates (S4F3 streaming frame, streaming nvCOMP, multipart streaming upload_part) with the upstream API blockers for each.
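Added example (not from the S4 code base) of the tee-into-hasher idea and why it depends on a streaming codec: zlib.compressobj stands in for cpu-zstd's streaming compress and one-shot zlib.compress for a codec without a streaming API. The sink callback, the function names and the checksum comparison are assumptions of this example.

```python
import hashlib
import zlib

def put_streaming(chunks, sink):
    """All three preconditions met: streaming codec (zlib.compressobj as a stand-in for
    cpu-zstd), streaming downstream (sink), and no frame field that needs the whole body up
    front. The hasher is tee'd onto the plaintext as it passes; peak memory is one chunk."""
    h, comp, size, peak = hashlib.sha256(), zlib.compressobj(), 0, 0
    for chunk in chunks:
        h.update(chunk)               # tee: the hasher sees every byte exactly once
        size += len(chunk)
        peak = max(peak, len(chunk))
        out = comp.compress(chunk)    # compressed bytes leave as soon as the codec emits them
        if out:
            sink(out)
    sink(comp.flush())
    return h.hexdigest(), size, peak

def put_whole_body(chunks, sink):
    """Codec that only offers one-shot compress (stand-in for a GPU codec without a streaming
    API): the body must be materialized first, so peak memory is the full body and the
    checksum cannot be settled until everything has been buffered."""
    body = b"".join(chunks)
    sink(zlib.compress(body))
    return hashlib.sha256(body).hexdigest(), len(body), len(body)

def put_with_verify(chunks, expected_sha256, streaming):
    """Caller-supplied checksum (as with a checksum header on PUT): compare at end of stream
    and refuse to commit on mismatch. Returns (committed, compressed_object, peak_bytes)."""
    parts = []
    put = put_streaming if streaming else put_whole_body
    digest, _size, peak = put(chunks, parts.append)
    if digest != expected_sha256:
        return False, b"", peak
    return True, b"".join(parts), peak

def decompress(blob):
    return zlib.decompress(blob)
```

Both paths end with the same digest; what differs is when it is available and how much memory the upload holds. A frame format that writes the body checksum or total length into a leading header would force the buffered path even with a streaming codec, which is the third precondition the doc lists.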

Audit posture

  • 6 per-feature audits (15 Codex CLI rounds total): A1 = 5R, B1 = 4R, B2 = 1R, A2-doc = 1R, A3-doc = 0R, A4 = 0R.
  • 4-round integrated cross-feature audit on the full v0.9.0..main range. 2 P2 fixes: (1) a duplicated s4 argument (s4 s4 --help) between the Dockerfile and the docker-smoke workflow's image invocation; (2) docker.yml back-fill runs derived the :main + :sha-<x> tags from the dispatcher's ref instead of the ref actually built, mis-tagging the back-filled image. Clean R3 + R4 — 2 consecutive convergence rounds.
  • Zero P1 across all rounds. Both P2 integrated-audit findings caught BEFORE the corresponding image actually shipped (back-fill v0.9.0 image build was in-flight at the time R2 caught the mis-tag; v0.10.0 ships with the fix in place).
  • cargo audit clean (same 4 documented ignores as v0.9.0 / v0.8.22: RUSTSEC-2026-0098/0099/0104 in the upstream aws-sdk-rust TLS stack, RUSTSEC-2025-0134 unmaintained dev-only rustls-pemfile).

Coverage

  • ~720 workspace tests pass, 0 failed (unchanged from v0.9.0).
  • v0.9.0 baseline plus: 4 new A1 unit tests in s4_server::repair, 3 new A1 MinIO E2E tests in sidecar_repair_via_minio.rs. Lib unit count in repair module now ~21.
  • New CI workflows: docker-smoke.yml (3 jobs), i686-runtime-smoke (added to ci.yml).

v0.11+ follow-up (deferred, scope-out)

  • Chunked SSE-KMS envelope (provisional S4E7) + chunked SSE-C (S4E8) → would enable Range GET partial-fetch for those modes.
  • S4F3 streaming frame format → would enable streaming PUT checksum verify for multipart upload_part.
  • Streaming nvcomp-bitcomp / nvcomp-gdeflate (= GPU codec API rework upstream of S4).
  • 32-bit s4-server runtime: end-to-end PUT/GET smoke (today's smoke is --help / --version only).
  • v0.9.0 ghcr.io back-fill: a workflow_dispatch run in flight at cut time will publish ghcr.io/abyo-software/s4:0.9.0 + :0.9.0-gpu. The 2 P2 fixes from the v0.10 integrated audit stop future back-fills from mis-tagging :main / :sha-<x>, but the v0.9.0 back-fill ran on the pre-fix workflow and may have pushed those mis-tags. Operator cleanup recipe: once the back-fill finishes, trigger gh workflow run docker.yml --ref main -f push=true (leave build_ref / image_tag_override unset) to rebuild from current main HEAD and overwrite the mis-tagged :main / :main-gpu entries with the correct content.
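Added example (not the project's docker.yml) of the tag-gating rule from the Docker distribution item in Wave-1 together with the back-fill mis-tag described in this item: a pure function that decides which tags a run may write, deriving them from the ref that was actually built rather than from the dispatcher's ref. Event names follow GitHub Actions and the build_ref / image_tag_override inputs come from the release note; the function name, its parameters and its return shape are assumptions.

```python
import re

SEMVER_TAG = re.compile(r"^v(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")

def image_tags(event, ref, flavor="", sha=None, build_ref=None, image_tag_override=None):
    """Tags a single CI run may write for one image flavor ('' = CPU, '-gpu' = nvCOMP).

    event              GitHub event name: 'push' or 'workflow_dispatch'
    ref                ref the workflow was pushed/dispatched on, e.g. 'refs/tags/v0.10.0'
                       or 'refs/heads/main'
    sha                short commit SHA of the ref actually built (branch builds only)
    build_ref          dispatch input: ref to build when back-filling (defaults to ref)
    image_tag_override dispatch input: version tag to publish for a back-fill
    """
    # Derive everything from the ref that was BUILT. Deriving :main / :sha-<x> from the
    # dispatcher's own ref is exactly the back-fill mis-tag described in the release note.
    built = build_ref if event == "workflow_dispatch" and build_ref else ref
    tags = set()
    if event == "workflow_dispatch" and image_tag_override:
        if not SEMVER_TAG.match("v" + image_tag_override):
            raise ValueError("image_tag_override must be a semver version")
        tags.add(image_tag_override)
    elif built.startswith("refs/tags/"):
        m = SEMVER_TAG.match(built[len("refs/tags/"):])
        if not m:
            return []  # not a v*.*.* tag: nothing to publish
        major, minor, patch, pre = m.groups()
        tags.add(f"{major}.{minor}.{patch}" + (f"-{pre}" if pre else ""))
        # Mutable tags move only on a stable tag PUSH: never for -rc prereleases and never
        # for workflow_dispatch back-fills, so neither can drag latest / major.minor backward.
        if event == "push" and pre is None:
            tags.update({f"{major}.{minor}", "latest"})
    elif built == "refs/heads/main":
        tags.add("main")
        if sha:
            tags.add(f"sha-{sha}")
    return sorted(t + flavor for t in tags)
```

A dispatch from main with no inputs (the cleanup recipe above) yields :main and :sha-<x> for main HEAD, while a back-fill with build_ref pointing at an old version tag yields only that version. One caveat this gating does not cover: a later stable push of an older line (say a v0.9.x hotfix tagged after v0.10.0) would still move latest and 0.9 from that event, and preventing that requires comparing against the version the registry currently serves as latest.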

Full changelog

See CHANGELOG.md for the per-finding detail.

🤖 Generated with Claude Code