zy v1.0.40
Official binary release for zy 1.0.40.
What's changed in 1.0.40
Added
- Lower glibc floor for the
.deb. Building the release package with
make deb-bookworm(Debian bookworm toolchain) drops the install floor to
GLIBC 2.35, so the.debinstalls on older distributions (Ubuntu 22.04,
Debian 12, and similar). Fixed several headers that were not self-contained
and blocked the older toolchain. - Changelog discipline. A user-visible change or resolved defect now gets a
[Unreleased]bullet in the same change, citing its tracker ID. This is documented
inCONTRIBUTING.mdandCLAUDE.md, andmake bumprolls[Unreleased]into the
dated release section. - Release notes now carry "what changed."
publish-release.shinjects the
CHANGELOG[VERSION]section into the GitHub release notes, above the
verify/install boilerplate. Passing--notes "..."still overrides it. check_changelog_public_safe.shguard. Since the[Unreleased]section ships
verbatim into the public release notes, this fails CI if it contains internal
source paths, commit hashes, archived-doc references, the private repo name, or
secrets (pre-commit, onCHANGELOG.md).- fff: streaming index publish. A large cold index walk now serves partial
search results as soon as it has indexed a checkpoint of entries, instead of
blocking until the whole tree is walked. The not-yet-released tail stays invisible
behind the count fence, and small or medium trees still publish once at the end as
before. Verified under ThreadSanitizer and the fff validation suites. ZY_FFF_STREAM_CHECKPOINTenv knob. Tunes the entry count at which a cold
index walk starts streaming partial results (default 100,000). Lower it on a huge
monorepo to surface results sooner. It also lets the test suite exercise the
streaming path without a 100k-file corpus.
Changed
check_doc_version.shalso guards the CHANGELOG. It fails CI unless the
releasedZYSHELL_VERSIONhas a matching## [x.y.z]section and an
## [Unreleased]buffer exists, so a version can't ship without its changelog entry.- System
/etc/zy/zyrcis now single-sourced. The.debships the default
system rc as/usr/share/zy/zyrc.systemand its post-install step installs that
file to/etc/zy/zyrc, instead of carrying a second embedded copy of the contents.
(make installalready copied the same file.) The installed/etc/zy/zyrcis
byte-for-byte identical to before, verified by a real install, upgrade, and purge of
the package in a Debian bookworm container. The old byte-compare drift guard is now
a single-source wiring guard.
Fixed
- fff: data race in the concurrent reader path. Under concurrent searches with
the file watcher live (notably thefff-serveMCP server while files are being
created), reader threads read the index's entry count without synchronisation
while the watcher appended new entries. Readers now observe entries through a
release/acquire count fence, so only fully-written entries are ever visible, with no
torn reads. This was the groundwork for streaming index publish, verified race-free
under ThreadSanitizer with a new concurrent-reader test. - fff: data race in the streaming index publish. When a freshly-walked index
was published, the file watcher was already armed on the still-live snapshot, so
the publish step's read of the entry count could race the watcher's concurrent
append. The publish now reads the count through the same release/acquire fence as
the rest of the read path. Caught by the concurrent-rebuild gate under
ThreadSanitizer, which now passes. - Test suite is now clean under ThreadSanitizer and AddressSanitizer (no
quarantine flag). Two fixes. First, the audit-policy tests run against an isolated,
throwaway$HOMEinstead of the real~/.zyledger, so running the suite no longer
writes test entries into (or races a live shell on) your actual audit database.
Second, the interactive PTY tests now scale their timing windows under a
sanitizer-slowed shell (ZY_TEST_TIMING_SCALE), which removes the timing flakes that
previously only appeared under sanitizers.
Security
- fff: use-after-free in the concurrent index acquire (ZY-022). Under
concurrent searches while the indexed tree changed (e.g. thefff-serveMCP
server), a reader could dereference an index snapshot that another thread freed
in the same instant, because the snapshot was validated before its reference was
taken. Acquisition now takes the reference under a publish lock held across the
swap, so a snapshot stays alive until the reader owns a reference. Found and
regression-guarded by new concurrent-reader ThreadSanitizer tests. migrate importrejects non-regular tar members (ZY-014 follow-up). On top of
refusing absolute or..-traversing paths, an imported archive that contains a
symlink, hardlink, or device/fifo/socket member is now refused before any
extraction or privileged copy. Only regular files and directories are accepted.
This closes the symlink-extraction and planted-link half of the import attack
surface that was noted when ZY-014 was first fixed.
Verify your download
curl -LO https://github.com/iskandarputra/zyshell/releases/download/v1.0.40/zy_1.0.40_amd64.deb
curl -LO https://github.com/iskandarputra/zyshell/releases/download/v1.0.40/SHA256SUMS
curl -LO https://github.com/iskandarputra/zyshell/releases/download/v1.0.40/SHA256SUMS.minisig
curl -LO https://github.com/iskandarputra/zyshell/releases/download/v1.0.40/zy-release.pub
minisign -Vm SHA256SUMS -p zy-release.pub # confirms maintainer signature
sha256sum -c SHA256SUMS --ignore-missing # confirms the .deb hash matchesFull signing policy: docs/ops/RELEASE_SIGNING.md
VirusTotal scan
This release was uploaded to VirusTotal at publish time. Click through to see the live verdict from 65+ AV engines:
(Scans run within ~5 minutes of upload. If the page shows "Item not found", wait a moment and refresh.)
Try without installing
docker run --rm -it ghcr.io/iskandarputra/zyshell:1.0.40Install (Debian / Ubuntu)
The recommended path is the zy APT repository which handles upgrades automatically:
curl -1sLf 'https://dl.cloudsmith.io/public/iskandarputra/zyshell/setup.deb.sh' | sudo -E bash
sudo apt install zyOr direct .deb install:
sudo dpkg -i zy_1.0.40_amd64.deb
sudo apt-get install -f