Release proposal: v1.6.4

[Fishrock123]

This is primarily to get npm@2.7.5 (#1337) in somewhat quick, as it fixes a bug with installing private git deps (#1323), and contains some security fixes.

It may also be possible to get some of @indutny's timer unref fixes in from #1330 if everything proves stable.

• [3a69b7689b] - benchmark: add rsa/aes-gcm performance test (Shigeki Ohtsu) iojs/io.js#1325
• [1c709f3aa9] - benchmark: add/remove hash algorithm (Shigeki Ohtsu) iojs/io.js#1325
• [a081c7c522] - benchmark: fix chunky client benchmark execution (Brian White) iojs/io.js#1257
• [65d4d25f52] - build: default to armv7+vfpv3 for android (Giovanny Andres Gongora Granada) iojs/io.js#1307
• [6a134f7d70] - build: avoid passing private flags from pmake (Johan Bergström) iojs/io.js#1334
• [5094a0fde3] - build: Pass BSDmakefile args to gmake (Johan Bergström) iojs/io.js#1298
• [f782824d48] - deps: refactor openssl.gyp (Shigeki Ohtsu) iojs/io.js#1325
• [21f4fb6215] - deps: update gyp to e1c8fcf7 (Shigeki Ohtsu) iojs/io.js#1325
• [dac903f9b6] - deps: make node-gyp work with io.js (cjihrig) iojs/io.js#990
• [5eb983e0b3] - deps: upgrade npm to 2.7.5 (Forrest L Norvell) iojs/io.js#1337
• [008078862e] - deps: check in gtest, add util unit test (Ben Noordhuis) iojs/io.js#1199
• [48d69cf1bb] - _Revert_ "doc: fix typo in CHANGELOG.md" (Giovanny Andres Gongora Granada) iojs/io.js#1349
• [679596c848] - doc: add Docker WG (Peter Petrov) iojs/io.js#1134
• [d8578bad25] - doc: fix minor typos in COLLABORATOR_GUIDE.md (Kelsey) iojs/io.js#1320
• [bde2b3e397] - doc: fix typo in CHANGELOG.md (Giovanny Andres Gongora Granada) iojs/io.js#1342
• [8c6c376a94] - doc: add GPG fingerprint for Fishrock123 (Jeremiah Senkpiel) iojs/io.js#1324
• [ccbea18960] - doc: better formatting for collaborator GPG keys (Jeremiah Senkpiel) iojs/io.js#1324
• [87053e8aee] - doc: add back quote to boolean variable 'true' (Kohei TAKATA) iojs/io.js#1338
• [634e9629a0] - doc: add TC meeting minutes 2015-03-04 (Rod Vagg) iojs/io.js#1123
• [245ba1d658] - doc: fix util.isObject documentation (Jeremiah Senkpiel) iojs/io.js#1295
• [ad937752ee] - doc,src: remove references to --max-stack-size (Aria Stewart) iojs/io.js#1327
• [15f058f609] - gyp: fix build with python 2.6 (Fedor Indutny) iojs/io.js#1325
• [4dc6ae2181] - lib: remove unused variables (Brian White) iojs/io.js#1290
• [b6e22c4bd5] - src: setup cluster workers before preloading (Ali Ijaz Sheikh) iojs/io.js#1314
• [4a801c211c] - src: drop homegrown thread pool, use libplatform (Ben Noordhuis) iojs/io.js#1329
• [f1e5a13516] - src: wrap MIN definition in infdef (Johan Bergström) iojs/io.js#1322
• [6f72d87c27] - test: add test for a unref'ed timer leak (Fedor Indutny) iojs/io.js#1330
• [416499c872] - timers: remove redundant code (Fedor Indutny) iojs/io.js#1330
• [d22b2a934a] - timers: do not restart the interval after close (Fedor Indutny) iojs/io.js#1330
• [cca5efb086] - timers: don't close interval timers when unrefd (Julien Gilli)
• [0e061975d7] - timers: fix unref() memory leak (Trevor Norris) iojs/io.js#1330
• [ec7fbf2bb2] - tools: fix install source path for openssl headers (Oguz Bastemur) iojs/io.js#1354
• [644ece1f67] - tools: remove gyp test directory (Shigeki Ohtsu) iojs/io.js#1350
• [eb459c8151] - tools: fix gyp to work on MacOSX without XCode (Shigeki Ohtsu) iojs/io.js#1325
• [1e94057c05] - url: fix resolving from non-file to file URLs. (Jeffrey Jagoda) iojs/io.js#1277
• [382bd9d2e0] - v8: back-port openbsd/amd64 build fix (Ben Noordhuis) iojs/io.js#1318
• [efadffe861] - win,node-gyp: optionally allow node.exe/iojs.exe to be renamed (Bert Belder) iojs/io.js#1266

/cc @rvagg

[Fishrock123]

Hmm, changelog maker is a little confused because the last tag is somehow on an orphaned commit.

npm@2.7.4 landed in the last release, 1.6.3.

Edit: fixed manually..

[Fishrock123]

Update: Both #1337 and #1323 have landed.

@rvagg Should we make changelog-maker truncate names?

• [65d4d25f52] - build: default to armv7+vfpv3 for android (Giovanny Andres Gongora Granada) #1307

[Fishrock123]

Also worth noting:

@iojs/collaborators please don't merge anything semver-minor until this goes out. :)

[shigeki]

I will merge #1325 after releasing this.

[shigeki]

@Fishrock123 I've just merge #1325. Please add them to the list.

[rvagg]

@Fishrock123 can you do a git fetch origin to get the tag from the last release please, that should fix your commit list. I've been updating the original comment in each of these releases with a new commit list throughout the proposal period too fwiw.

And no, don't truncate names, that's a little disrespectful IMO

Next job: craft the changelog entry that goes above the commit list and iterate on it in here. I'm +1 on moving this out fairly quickly given that we have a decent sized list and the npm bugfix is worth getting in to people's hands.

[Fishrock123]

Jeremiah Senkpiel can you do a git fetch origin to get the tag from the last release please, that should fix your commit list. I've been updating the original comment in each of these releases with a new commit list throughout the proposal period too fwiw.

Already done that once :)

[rvagg]

@Fishrock123 do you have the latest changelog-maker? I'm constantly tweaking it to adapt to new conditions in the commit log in io.js. My commit list from changelog-maker --group:

• [3a69b7689b] - benchmark: add rsa/aes-gcm performance test (Shigeki Ohtsu) #1325
• [1c709f3aa9] - benchmark: add/remove hash algorithm (Shigeki Ohtsu) #1325
• [a081c7c522] - benchmark: fix chunky client benchmark execution (Brian White) #1257
• [65d4d25f52] - build: default to armv7+vfpv3 for android (Giovanny Andres Gongora Granada) #1307
• [6a134f7d70] - build: avoid passing private flags from pmake (Johan Bergström) #1334
• [5094a0fde3] - build: Pass BSDmakefile args to gmake (Johan Bergström) #1298
• [f782824d48] - deps: refactor openssl.gyp (Shigeki Ohtsu) #1325
• [21f4fb6215] - deps: update gyp to e1c8fcf7 (Shigeki Ohtsu) #1325
• [dac903f9b6] - deps: make node-gyp work with io.js (cjihrig) #990
• [5eb983e0b3] - deps: upgrade npm to 2.7.5 (Forrest L Norvell) #1337
• [008078862e] - deps: check in gtest, add util unit test (Ben Noordhuis) #1199
• [87053e8aee] - doc: add back quote to boolean variable 'true' (Kohei TAKATA) #1338
• [634e9629a0] - doc: add TC meeting minutes 2015-03-04 (Rod Vagg) #1123
• [245ba1d658] - doc: fix util.isObject documentation (Jeremiah Senkpiel) #1295
• [ad937752ee] - doc,src: remove references to --max-stack-size (Aria Stewart) #1327
• [15f058f609] - gyp: fix build with python 2.6 (Fedor Indutny) #1325
• [4dc6ae2181] - lib: remove unused variables (Brian White) #1290
• [b6e22c4bd5] - src: setup cluster workers before preloading (Ali Ijaz Sheikh) #1314
• [4a801c211c] - src: drop homegrown thread pool, use libplatform (Ben Noordhuis) #1329
• [f1e5a13516] - src: wrap MIN definition in infdef (Johan Bergström) #1322
• [6f72d87c27] - test: add test for a unref'ed timer leak (Fedor Indutny) #1330
• [416499c872] - timers: remove redundant code (Fedor Indutny) #1330
• [d22b2a934a] - timers: do not restart the interval after close (Fedor Indutny) #1330
• [cca5efb086] - timers: don't close interval timers when unrefd (Julien Gilli)
• [0e061975d7] - timers: fix unref() memory leak (Trevor Norris) #1330
• [eb459c8151] - tools: fix gyp to work on MacOSX without XCode (Shigeki Ohtsu) #1325
• [382bd9d2e0] - v8: back-port openbsd/amd64 build fix (Ben Noordhuis) #1318
• [efadffe861] - win,node-gyp: optionally allow node.exe/iojs.exe to be renamed (Bert Belder) #1266

[rvagg]

oh sorry, I see that npm@2.7.4 commit isn't in your list now, must have fixed it on your end already

[Fishrock123]

@rvagg I keep having to remove it by hand. The git is going to be weird until the next tag, apparently.

[rvagg]

@Fishrock123 maybe git fetch origin; git checkout origin/v1.x; git branch -D v1.x; git checkout -b v1.x (I'm sure there's a shortcut for that!). This discrepancy is a concern, if there's something off with your commit log then you may not be releasing the same thing as the rest of us have.

[rvagg]

Here's the git command it should be running to get the list:

git log --pretty=full --since="$(git show -s --format=%ad `git rev-list --max-count=1 --tags`)" --until="

It'll manually prune the two commits at the beginning from the last release.

[Fishrock123]

I have an alias setup to do !git remote update -p; git merge --ff-only @{u}, has always worked fine before.. Hmmm

[Fishrock123]

@rvagg that command stalls for me, but I got the one from the releases doc to work earlier. I thought we used changelog-maker for this..?

[rvagg]

changelog-maker runs the above git command internally

[Fishrock123]

Sorry, I had been running changelog-maker --group --start-ref=245ba1d658 iojs io.js | pbcopy because the 1.6.3 tag is on an orphaned commit.
(see the commit at: https://github.com/iojs/io.js/releases/tag/v1.6.3)

Perhaps it is tagged right (but incorrectly) on your end?

See: https://gist.github.com/Fishrock123/f01006c81762364d376e

[rvagg]

OK, I don't understand what's going on, perhaps one of the git geniuses from @iojs/tc can help explain. It's very possible that I messed 1.6.3 up somehow, it was done in a hurry but it's still pretty straight-forward so I can't see how, I also can't find evidence of a force push that would mess things up.

e5d1a42 is the commit I tagged and was used for release and apparently orphaned.

4845f9c is identical and on v1.x and not the tagged one.

@Fishrock123 changelog-maker is still working for me because it works on tag date, see it on a fresh clone here: https://gist.github.com/rvagg/d865c151ef31cb5d4457

@iojs/tc should I delete that tag and re-tag 4845f9c so it's on v1.x? It appears to be identical.

[Fishrock123]

It says what branch the commit is on at the bottom above the author/commiter:

And the tagged commit is most certainly not on any branch.
(Here, or in my clone. I also think I heard someone else notice this in irc a few days ago.)

[bnoordhuis]

@rvagg I say delete and retag.

[rvagg]

I'll do that then.

@Fishrock123 don't let this hold up a release. One thing to be aware of when promoting the builds--you'll get some permission errors, these are inconsequential and can be ignored, they are related to cleaning out the staging directory and don't impact promotion. They are kind of noisy and make it look bad but they are not a big deal.

[rvagg]

re-tagged v1.6.3

[Fishrock123]

Jeremiah Senkpiel don't let this hold up a release

I sorta had been because of

This discrepancy is a concern, if there's something off with your commit log then you may not be releasing the same thing as the rest of us have.

---

re-tagged v1.6.3

Ok, I'll try to get a changelog out here today, but family things may be happening, so if I don't and someone else has more time that'd be great.

Speaking of which, how do we compile NPM's changelog?

[Fishrock123]

CI: https://jenkins-iojs.nodesource.com/view/iojs/job/iojs+any-pr+multi/443/

Also, changelog-maker is working fine with the fixed tag.

[Fishrock123]

Anyone have better wording for this?

timers: a minor memory leak when timers are unreferenced was fixed, which should solve the last of the memory leak reported in #1075, alongside some related timers issues #1330 (Fedor Indutny).

(I can re-add #1075 as an existing issue, but I believe we can confidently say it isn't anymore.)
(Edit: updated, see below..)

[Fishrock123]

2015-03-31, Version 1.6.4, @Fishrock123

Notable changes

• npm: upgrade npm to 2.7.5. See npm CHANGELOG.md for details. Includes two important security fixes. Summary:
  • 300834e
tar@2.0.0: Normalize symbolic links that point to targets outside the
    extraction root. This prevents packages containing symbolic links from
    overwriting targets outside the expected paths for a package. Thanks to Tim
    Cuthbertson and the team at Lift
    Security for working with the npm team to identify
    this issue. (@othiym23)
  • 0dc6875
semver@4.3.2: Package versions can be no more than 256 characters long.
    This prevents a situation in which parsing the version number can use
    exponentially more time and memory to parse, leading to a potential denial of
    service. Thanks to Adam Baldwin at Lift Security for bringing this to our
    attention. (@isaacs)
  • eab6184
    #7766 One last tweak to ensure that
    GitHub shortcuts work with private repositories.
    (@iarna)
  • a840a13
    #7746 Only fix up git URL paths when
    there are paths to fix up. (@othiym23)
• deps: preliminary work has been done for an upcoming upgrade to OpenSSL 1.0.2a #1325 (Shigeki Ohtsu). See #589 for additional details.
• timers: a minor memory leak when timers are unreferenced was fixed, alongside some related timers issues #1330 (Fedor Indutny). This appears to have fixed the remaining leak reported in #1075.
• build: it is now possible to compile io.js for Android and related devices #1307 (Giovanny Andres Gongora Granada).

Known issues

• Some problems with unreferenced timers running during beforeExit are still to be resolved. See #1264.
• Surrogate pair in REPL can freeze terminal #690
• Not possible to build io.js as a static library #686
• process.send() is not synchronous as the docs suggest, a regression introduced in 1.0.2, see #760 and fix in #774
• Calling dns.setServers() while a DNS query is in progress can cause the process to crash on a failed assertion #894

Commits

[Fishrock123]

This is new on win2008r2.. windows config issue maybe?

=== release test-debug-port-from-cmdline ===
Path: parallel/test-debug-port-from-cmdline
c:\workspace\iojs+any-pr+multi\nodes\iojs-win2008r2\test\parallel\test-debug-port-from-cmdline.js:19
    process._debugProcess(child.pid);
            ^
Error: Access is denied.
    at Error (native)
    at ChildProcess.onChildMsg (c:\workspace\iojs+any-pr+multi\nodes\iojs-win2008r2\test\parallel\test-debug-port-from-cmdline.js:19:13)
    at emitTwo (events.js:87:13)
    at ChildProcess.emit (events.js:169:7)
    at handleMessage (child_process.js:306:10)
    at Pipe.channel.onread (child_process.js:334:11)
Command: c:\workspace\iojs+any-pr+multi\nodes\iojs-win2008r2\Release\iojs.exe c:\workspace\iojs+any-pr+multi\nodes\iojs-win2008r2\test\parallel\test-debug-port-from-cmdline.js

Building a nightly: https://jenkins-iojs.nodesource.com/job/iojs+release+nightly/126/

[rvagg]

@Fishrock123 I've been putting deps at the bottom of the list of notable changes, and can I suggest you change the openssl one to be prefixed with **openssl**: rather than **deps**:, you could do the same for **Android**:, I've been doing this from a user-perspective while the commit messages are for internal consumption.

I think I've seen that win2008 failure before so I wouldn't let it hold you up. Here's another run I just did for another purpose where it's passed just fine: https://jenkins-iojs.nodesource.com/job/iojs+any-pr+multi/444/nodes=iojs-win2008r2/console

[Fishrock123]

I've been putting deps at the bottom of the list of notable changes

Sure, but here they are the important bits..

**openssl** (..)

Yup, will do.

---

@rvagg how do you feel about this bit in particular, and in terms of removing #1075 from "known issues"?

timers: a minor memory leak when timers are unreferenced was fixed, alongside some related timers issues #1330 (Fedor Indutny). This appears to have fixed the remaining leak reported in #1075.

[jbergstroem]

Can we perhaps get #1350 in (assuming others want it) so we don't grow the tarball for "no" reason?

[rvagg]

@Fishrock123 yeah that timers bit sounds fine, I'd err on the side of caution and still report possible leak in Known issues _but_ it seems like we may be close enough to remove it so it's a judgement call for you to make since this is your release.

@jbergstroem there's enough LGTM's in there so it's up to @shigeki as to whether he can land it in time but I'd suggest that this release is ready to roll so could be pushed out right now so #1350 may have to wait till the next release.

[jbergstroem]

(#1350 just landed)

[Fishrock123]

Updated CI: https://jenkins-iojs.nodesource.com/view/iojs/job/iojs+any-pr+multi/446/
Updated Test Nightly: https://jenkins-iojs.nodesource.com/job/iojs+release+nightly/127/

[gabeio]

I don't know if this is relevant but, node-gyp rebuild failed on my osx with v1.6.4 (I installed using nvm):

gyp ERR! stack Error: 404 status code downloading tarball

[Fishrock123]

@gabeio it's not promoted yet, please stand by. (yay gpg subkey fun!)

[gabeio]

ah ok sorry wasn't sure I just nvm installed and it pulled iojs-v1.6.4

[Fishrock123]

Yeah, it (possibly erroneously) updates the /latest/ dist folder somewhat pre-emptively.

[Fishrock123]

@gabeio It should work now. (note: armv6 takes much longer to build and will be uploaded later.)

[gabeio]

yup thanks!

[Fishrock123]

Whoops, thanks @silverwind!