v1.3.4

This release contains an important security fix: Upgrade github.com/mostynb/go-grpc-compression to avoid decompression bomb DoS (#755)

This issue was uncovered during a security audit performed by 7ASecurity, facilitated by OSTIF, for the OpenTelemetry project.

https://opentelemetry.io/blog/2024/cve-2024-36129/
GHSA-c74f-6mfw-mm4v

v2.4.4

Externally visible changes since v2.4.3:

• Add experimental gRPC proxy backend
• Add --min_tls_version flag (does not apply to proxy backends)
• [metrics] initialize hits/misses for each cache entry kind
• Fix container entrypoints
• Upgrade to debian12 base container images
• Fix infinite recursion with idle timer
• [s3proxy] add signature_type config option
• Upgrade azidentity to v1.5.2

Update 2024-07-11: replaced bazel-remote-2.4.4-linux-x86_64 with a version built on ubuntu 20.04.

v2.4.3

Externally visible changes since v2.4.2:

• Make config files work again (#694)
• Fix serving uncompressed blob as compressed (#691)

v2.4.2

The use of config files is broken in this release. Please upgrade to v2.4.3 for a fix.

Externally visible changes since v2.4.1:

• Log an error when unable to reserve enough space to download a blob from proxy backends. #649
• Always enable cgo in builds made with bazel. #655
• Require the max_size argument (or corresponding environment variable) when running the container images. #660
• Add s3 addressing style support. #662 #668
• Http proxy sets content length when uncompressed. #676
• Support HTTP proxy with mTLS. #679
• Make unsupported /metrics requests more obvious. #687

Note: the mac binaries attached here were made from 43755b3 - hopefully the release trigger works automatically in the next release.

v2.4.1

Externally visible changes since v2.4.0:

• Delete .DS_Store files when migrating cache dir, ignore them when loading a current cache dir #640
• Make bazel-remote packages consumable as a module #635

Update 2023-04-29: re-uploaded bazel-remote-2.4.1-linux-arm64 correctly built with cgo zstd support.

v2.4.0

Externally visible changes since v2.3.9:

• Faster startup by scanning cache dir in parallel, and optimising the LRU index sorting.
• Make idle_timeout setting also apply when using https.
• Shutdown gracefully on sigint (ctrl-c) and sigterm.
• Exit immediately if either of the HTTP or gRPC servers fail.
• Fix AC key mangling for gRPC.
• Always allow gRPC health check requests, even without authentication. #590
• Fix cache file permissions, they shouldn't be world-writable.
• Avoid a bunch of corner case crashes.
• Use a docker base container image without openssl. #605
• Advertise support up to REAPI version 2.3.
• Allow setting local timezone for logs.
• Allow logging without timestamps.

v2.3.9

Externally visible changes since v2.3.8:

• Add experimental Azure blob storage proxy backend (#560)
• Set log flags before logging anything
• Add -zstd_implementation=cgo option (#559, #485)
• Build linux release binaries on ubuntu 18.04
• Upgrade to go 1.19

v2.3.8

Externally visible changes since v2.3.7:

• Update s3 object timestamps on cache hit (#542)
• [disk] limit the number of concurrent file removals even more on mac (#556)

v2.3.7

Externally visible changes since v2.3.6:

• Add missing access log entry
• [metrics] add lru eviction idle time metric
• Correct FindMissingCasBlobs metrics
• Remove S3 performance note from README
• Make remoteHTTPProxyCache.Contains do HEAD request

v2.3.6

Externally visible changes since v2.3.5:

• Update minio-go in the bazel build too (fix release binaries + docker images) (#534)