Skip to content

zy v1.0.40

Choose a tag to compare

@iskandarputra iskandarputra released this 03 Jun 16:55

Official binary release for zy 1.0.40.

What's changed in 1.0.40

Added

  • Lower glibc floor for the .deb. Building the release package with
    make deb-bookworm (Debian bookworm toolchain) drops the install floor to
    GLIBC 2.35, so the .deb installs on older distributions (Ubuntu 22.04,
    Debian 12, and similar). Fixed several headers that were not self-contained
    and blocked the older toolchain.
  • Changelog discipline. A user-visible change or resolved defect now gets a
    [Unreleased] bullet in the same change, citing its tracker ID. This is documented
    in CONTRIBUTING.md and CLAUDE.md, and make bump rolls [Unreleased] into the
    dated release section.
  • Release notes now carry "what changed." publish-release.sh injects the
    CHANGELOG [VERSION] section into the GitHub release notes, above the
    verify/install boilerplate. Passing --notes "..." still overrides it.
  • check_changelog_public_safe.sh guard. Since the [Unreleased] section ships
    verbatim into the public release notes, this fails CI if it contains internal
    source paths, commit hashes, archived-doc references, the private repo name, or
    secrets (pre-commit, on CHANGELOG.md).
  • fff: streaming index publish. A large cold index walk now serves partial
    search results as soon as it has indexed a checkpoint of entries, instead of
    blocking until the whole tree is walked. The not-yet-released tail stays invisible
    behind the count fence, and small or medium trees still publish once at the end as
    before. Verified under ThreadSanitizer and the fff validation suites.
  • ZY_FFF_STREAM_CHECKPOINT env knob. Tunes the entry count at which a cold
    index walk starts streaming partial results (default 100,000). Lower it on a huge
    monorepo to surface results sooner. It also lets the test suite exercise the
    streaming path without a 100k-file corpus.

Changed

  • check_doc_version.sh also guards the CHANGELOG. It fails CI unless the
    released ZYSHELL_VERSION has a matching ## [x.y.z] section and an
    ## [Unreleased] buffer exists, so a version can't ship without its changelog entry.
  • System /etc/zy/zyrc is now single-sourced. The .deb ships the default
    system rc as /usr/share/zy/zyrc.system and its post-install step installs that
    file to /etc/zy/zyrc, instead of carrying a second embedded copy of the contents.
    (make install already copied the same file.) The installed /etc/zy/zyrc is
    byte-for-byte identical to before, verified by a real install, upgrade, and purge of
    the package in a Debian bookworm container. The old byte-compare drift guard is now
    a single-source wiring guard.

Fixed

  • fff: data race in the concurrent reader path. Under concurrent searches with
    the file watcher live (notably the fff-serve MCP server while files are being
    created), reader threads read the index's entry count without synchronisation
    while the watcher appended new entries. Readers now observe entries through a
    release/acquire count fence, so only fully-written entries are ever visible, with no
    torn reads. This was the groundwork for streaming index publish, verified race-free
    under ThreadSanitizer with a new concurrent-reader test.
  • fff: data race in the streaming index publish. When a freshly-walked index
    was published, the file watcher was already armed on the still-live snapshot, so
    the publish step's read of the entry count could race the watcher's concurrent
    append. The publish now reads the count through the same release/acquire fence as
    the rest of the read path. Caught by the concurrent-rebuild gate under
    ThreadSanitizer, which now passes.
  • Test suite is now clean under ThreadSanitizer and AddressSanitizer (no
    quarantine flag). Two fixes. First, the audit-policy tests run against an isolated,
    throwaway $HOME instead of the real ~/.zy ledger, so running the suite no longer
    writes test entries into (or races a live shell on) your actual audit database.
    Second, the interactive PTY tests now scale their timing windows under a
    sanitizer-slowed shell (ZY_TEST_TIMING_SCALE), which removes the timing flakes that
    previously only appeared under sanitizers.

Security

  • fff: use-after-free in the concurrent index acquire (ZY-022). Under
    concurrent searches while the indexed tree changed (e.g. the fff-serve MCP
    server), a reader could dereference an index snapshot that another thread freed
    in the same instant, because the snapshot was validated before its reference was
    taken. Acquisition now takes the reference under a publish lock held across the
    swap, so a snapshot stays alive until the reader owns a reference. Found and
    regression-guarded by new concurrent-reader ThreadSanitizer tests.
  • migrate import rejects non-regular tar members (ZY-014 follow-up). On top of
    refusing absolute or ..-traversing paths, an imported archive that contains a
    symlink, hardlink, or device/fifo/socket member is now refused before any
    extraction or privileged copy. Only regular files and directories are accepted.
    This closes the symlink-extraction and planted-link half of the import attack
    surface that was noted when ZY-014 was first fixed.

Verify your download

curl -LO https://github.com/iskandarputra/zyshell/releases/download/v1.0.40/zy_1.0.40_amd64.deb
curl -LO https://github.com/iskandarputra/zyshell/releases/download/v1.0.40/SHA256SUMS
curl -LO https://github.com/iskandarputra/zyshell/releases/download/v1.0.40/SHA256SUMS.minisig
curl -LO https://github.com/iskandarputra/zyshell/releases/download/v1.0.40/zy-release.pub

minisign -Vm SHA256SUMS -p zy-release.pub      # confirms maintainer signature
sha256sum -c SHA256SUMS --ignore-missing       # confirms the .deb hash matches

Full signing policy: docs/ops/RELEASE_SIGNING.md

VirusTotal scan

This release was uploaded to VirusTotal at publish time. Click through to see the live verdict from 65+ AV engines:

https://www.virustotal.com/gui/file/cfe17d44dececa1fa2b56b8994a1dc72806e8d671fecc6be678fc77acb4aaf3e/detection

(Scans run within ~5 minutes of upload. If the page shows "Item not found", wait a moment and refresh.)

Try without installing

docker run --rm -it ghcr.io/iskandarputra/zyshell:1.0.40

Install (Debian / Ubuntu)

The recommended path is the zy APT repository which handles upgrades automatically:

curl -1sLf 'https://dl.cloudsmith.io/public/iskandarputra/zyshell/setup.deb.sh' | sudo -E bash
sudo apt install zy

Or direct .deb install:

sudo dpkg -i zy_1.0.40_amd64.deb
sudo apt-get install -f