Fluxheim 1.6.20

@eldryoth eldryoth released this 20 Jun 11:07
v1.6.20
5e23837

Fluxheim 1.6.20 Release Notes

Fluxheim 1.6.20 starts the final Pingora runtime-removal phase by making the
remaining production cutover blockers explicit and moving the dependency policy
to a truthful multi-release exit plan.

Changed

  • Re-scope the remaining Pingora-exit plan into focused runtime slices instead
    of forcing a single unsafe cutover. The final normal-build Pingora-free proof
    target is now 1.6.24, after native background task orchestration, admin and
    metrics serving, stream/UDP listener startup, and HTTP runtime compatibility
    gaps are closed with tests.
  • Keep 1.6.20 focused on the native runtime cutover contract: native TLS and
    listener proof builds stay Pingora-free, while the remaining production
    compatibility adapter is retained only where the tested native path still has
    blockers.
  • Move Pingora dependency exception targets from 1.6.20 to 1.6.24 with the
    roadmap updated in the same release. This is not a relaxation of the policy:
    the gate remains active and will fail if Pingora appears outside the listed
    profiles or survives beyond the final proof target.
  • Update release metadata and container tag documentation for v1.6.20.
  • Add scripts/validate-native-runtime-cutover.sh and wire it into the stable
    release gate and developer checks. The script captures native runtime blocker
    tests, native HTTP/2 preview tests, native HTTP/1 proxy tests, and Pingora
    dependency policy output under target/release-evidence/native-runtime-cutover/.
  • Add fluxheim-config-tester --runtime-cutover, which prints the selected
    runtime adapter and a stable TSV blocker report for a real config. The native
    runtime cutover gate now records this report for a representative proxy,
    admin, metrics, and stream configuration.
  • Add docs/native-runtime-cutover-targets.tsv as the machine-readable target
    map for remaining native runtime blockers, and make the cutover gate fail if
    reported blocker keys, descriptions, or target releases drift from that map.

Security

  • Preserve the explicit pingora-compat boundary introduced in 1.6.19 while
    preventing a misleading final-cutover claim before native admin, metrics,
    stream, UDP, and production HTTP runtime coverage are complete.
  • Keep the dependency-policy gate enforcing every remaining Pingora crate by
    profile and removal target. New Pingora edges outside the documented
    compatibility surface remain release-blocking.
  • Add release evidence for the native runtime cutover blocker inventory so the
    final Pingora-removal work has a test-backed checklist instead of relying on
    roadmap prose.
  • Give each native-runtime blocker a stable key and planned target release so
    follow-up releases can remove blockers with a reviewable artifact trail.
  • Check native-runtime blocker reports against a committed target map so an
    accidental change cannot silently move security-relevant cutover work later.
  • Wrap OpenSSL downstream private-key PEM file buffers in the sanitization
    crate's SecretVec while parsing them, so Fluxheim wipes its owned key-file
    copy after OpenSSL has imported the key material.
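
The target-map drift check described under Changed and in the Security bullets above, sketched as an added example; this is not Fluxheim's gate code. The three-column `key<TAB>description<TAB>target` layout, the blocker keys, the sample rows and the choice to treat a key missing from the report as drift are all assumptions made for illustration.

```rust
use std::collections::BTreeMap;
// Constructed sample data: keys, descriptions, targets and column order are assumptions.
const COMMITTED_MAP: &str = "blocker-admin\tnative admin serving\t1.6.22\n\
    blocker-stream\tnative stream listener startup\t1.6.23\n";
const REPORTED: &str = "blocker-admin\tnative admin serving\t1.6.24\n\
    blocker-stream\tnative stream listener startup\t1.6.23\n\
    blocker-udp\tnative UDP listener startup\t1.6.23\n";

/// Parse `key<TAB>description<TAB>target` rows; reject malformed or duplicate rows.
fn parse_tsv(text: &str) -> Result<BTreeMap<String, (String, String)>, String> {
    let mut rows = BTreeMap::new();
    for (n, line) in text.lines().enumerate() {
        if line.trim().is_empty() || line.starts_with('#') { continue; }
        let cols: Vec<&str> = line.split('\t').collect();
        if cols.len() != 3 || cols.iter().any(|c| c.trim().is_empty()) {
            return Err(format!("line {}: expected 3 non-empty columns", n + 1));
        }
        let row = (cols[1].to_string(), cols[2].to_string());
        if rows.insert(cols[0].to_string(), row).is_some() {
            return Err(format!("line {}: duplicate key {}", n + 1, cols[0]));
        }
    }
    Ok(rows)
}

/// List every difference between the committed map and a reported blocker TSV.
fn drift(committed: &str, reported: &str) -> Result<Vec<String>, String> {
    let (want, got) = (parse_tsv(committed)?, parse_tsv(reported)?);
    let mut out = Vec::new();
    for (key, (desc, target)) in &got {
        match want.get(key) {
            None => out.push(format!("{key}: reported but not in committed map")),
            Some((d, t)) => {
                if d != desc { out.push(format!("{key}: description changed")); }
                if t != target { out.push(format!("{key}: target moved {t} -> {target}")); }
            }
        }
    }
    for key in want.keys().filter(|k| !got.contains_key(*k)) {
        out.push(format!("{key}: in committed map but missing from report"));
    }
    Ok(out)
}

fn main() {
    let d = drift(COMMITTED_MAP, REPORTED).expect("malformed TSV");
    d.iter().for_each(|l| eprintln!("DRIFT {l}"));
    std::process::exit(if d.is_empty() { 0 } else { 1 });
}
```

A malformed or duplicated row is an error rather than a silent skip, so a truncated report cannot pass the gate by omission.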

Compatibility Boundary

  • Normal proxy profiles still use the Pingora compatibility runtime in this
    release. The 1.6.20 change is planning and evidence hardening for the final
    cutover, not a production runtime switch.
  • Native web TLS proof profiles remain Pingora-free and continue to be covered
    by release gates.

Checksums And Signatures

  • Commit: 5e23837a8b6c3a1d35f7ce9916e0ae06016e452d
  • Local gate: GitHub CI green before tag; local release metadata checks passed
  • CodeQL/code scanning: no open release-blocking alerts before tag
  • Tag signature:
    • Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4