From de6aa06acfe404556888e4b189e2fb8053919ade Mon Sep 17 00:00:00 2001 From: Scott Reimers Date: Wed, 22 Apr 2026 23:54:40 -0400 Subject: [PATCH] v0.6.2 release: version bump + changelog MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Six phase commits landed for v0.6.2 (2b through 2g) plus three pre-release fixes from the final audit pass: - 2b: control-post flow (delete / visibility change) + retire BlobDeleteNotice - 2c: remove audience primitive + retire PostPush / PostNotification / AudienceRequest / AudienceResponse - 2d: profile posts signed by the posting identity - 2e: rich comments with ref_post_id + signed preview - 2f: groups as a distinct primitive alongside circles - 2g: GroupKeyDistribute → encrypted post (last persona-signed direct push gone) - audit fix: reject group-key distribution posts where the claimed admin doesn't match the post author - audit fix: cap concurrent port-scan hole punches at one (the 10 Mbps-on-VPN storm) - audit fix: dedup concurrent outgoing connects to the same peer Wire-breaking fork from v0.6.1. Retired message types 0x42 (PostNotification), 0x43 (PostPush), 0x44 (AudienceRequest), 0x45 (AudienceResponse), 0x95 (BlobDeleteNotice), 0xA0 (GroupKeyDistribute) are not optional. 121/121 core tests pass. --- Cargo.lock | 6 ++-- crates/cli/Cargo.toml | 2 +- crates/core/Cargo.toml | 2 +- crates/tauri-app/Cargo.toml | 2 +- crates/tauri-app/tauri.conf.json | 2 +- website/download.html | 48 ++++++++++++++++++++++++++++++++ 6 files changed, 55 insertions(+), 7 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 8fdd327..a895881 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2732,7 +2732,7 @@ checksum = "92ecc6618181def0457392ccd0ee51198e065e016d1d527a7ac1b6dc7c1f09d2" [[package]] name = "itsgoin-cli" -version = "0.6.1" +version = "0.6.2" dependencies = [ "anyhow", "hex", 
@@ -2744,7 +2744,7 @@ dependencies = [ [[package]] name = "itsgoin-core" -version = "0.6.1" +version = "0.6.2" dependencies = [ "anyhow", "base64 0.22.1", @@ -2767,7 +2767,7 @@ dependencies = [ [[package]] name = "itsgoin-desktop" -version = "0.6.1" +version = "0.6.2" dependencies = [ "anyhow", "base64 0.22.1", diff --git a/crates/cli/Cargo.toml b/crates/cli/Cargo.toml index 4e58bf6..478c1d2 100644 --- a/crates/cli/Cargo.toml +++ b/crates/cli/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "itsgoin-cli" -version = "0.6.1" +version = "0.6.2" edition = "2021" [[bin]] diff --git a/crates/core/Cargo.toml b/crates/core/Cargo.toml index 0b7c6a0..a894f92 100644 --- a/crates/core/Cargo.toml +++ b/crates/core/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "itsgoin-core" -version = "0.6.1" +version = "0.6.2" edition = "2021" [dependencies] diff --git a/crates/tauri-app/Cargo.toml b/crates/tauri-app/Cargo.toml index 87f1f4d..17975ed 100644 --- a/crates/tauri-app/Cargo.toml +++ b/crates/tauri-app/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "itsgoin-desktop" -version = "0.6.1" +version = "0.6.2" edition = "2021" [lib] diff --git a/crates/tauri-app/tauri.conf.json b/crates/tauri-app/tauri.conf.json index 4bf316a..19dc5b3 100644 --- a/crates/tauri-app/tauri.conf.json +++ b/crates/tauri-app/tauri.conf.json @@ -1,6 +1,6 @@ { "productName": "itsgoin", - "version": "0.6.1", + "version": "0.6.2", "identifier": "com.itsgoin.app", "build": { "frontendDist": "../../frontend", diff --git a/website/download.html b/website/download.html index 1ef9567..2c06425 100644 --- a/website/download.html +++ b/website/download.html @@ -46,6 +46,38 @@

v0.5.3 is kept online only as an upgrade bridge — it no longer connects to the live network.

+

v0.6.2 — April 22, 2026

+

Every remaining persona-signed direct push is off the wire. Deletes, visibility changes, profile updates, and group-key distribution now travel as encrypted / signed posts through the CDN. Groups are a first-class primitive. Plus two pre-release fixes — an admin-forgery check on group keys and a cap on concurrent port-scan hole punches that explains the 10 Mbps upload storm some users saw on VPNs.

+ +
+ + Android APK + v0.6.2 + + + Linux AppImage + v0.6.2 + + + Linux CLI / Anchor + v0.6.2 + +
+ + +

v0.6.2 is a wire-breaking fork from v0.6.1 (the retired message types are not optional). Upgrade both ends.

+

v0.6.1 — April 22, 2026

Network identity is now fully separated from posting identity on every install. Plus: Android auto-backup disabled by default, Reset actually resets, import preserves your personas, and display name is optional.
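Review bot: the summary paragraph added under the v0.6.2 heading says "Plus two pre-release fixes", but the commit message lists three audit fixes and the changelog hunk further down carries an "Outgoing-connect dedup" entry as well. Either say three and name the connect dedup here, or drop the count. Separately, the unchanged v0.6.1 section that follows carries the same April 22, 2026 date and, per the added "wire-breaking fork" line, is wire-incompatible with v0.6.2; consider giving it a notice like the one on the v0.5.3 context line, or stating which version the live network runs, so nobody downloads v0.6.1 expecting it to interoperate.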

@@ -128,6 +160,22 @@

Changelog

+
v0.6.2 — April 22, 2026
+
    +
  • Deletes and visibility changes travel as signed control posts. New VisibilityIntent::Control post type carries a signed DeletePost / UpdateVisibility operation. Receivers verify the ed25519 signature against the target post's author, then apply. DeleteRecord and VisibilityUpdate wire pushes are removed.
  • +
  • Persona display data (name / bio / avatar) travels as a signed profile post. New VisibilityIntent::Profile; authored by the posting identity, propagates via the CDN. The ProfileUpdate wire message keeps only routing fields (anchors, recent_peers, preferred_peers).
  • +
  • Rich comments. InlineComment gains an optional ref_post_id; when set, content is a short preview and the full body (long text, attachments) lives in the referenced post. Signature binds the reference so a peer can't strip or swap it.
  • +
  • Groups vs circles. Groups are a new many-way primitive — anchored at a public root post, any member can post to the group once they have the seed. Circles stay one-way (admin-only). The distinction is a canonical_root_post_id field on the group-key record; groups reuse the same encryption machinery.
  • +
  • Group-key distribution as an encrypted post. The GroupKeyDistribute (0xA0) wire push is retired. Admins publish an encrypted post carrying the seed; members decrypt with their posting secret. Removes the last persona-signed direct push.
  • +
  • Audience primitive removed. No more audience tables, no more AudienceRequest/AudienceResponse wire messages, no more SocialRelation::Audience/Mutual. Comment permission AudienceOnly renamed to FollowersOnly.
  • +
  • PostPush + PostNotification retired. All content propagates only via CDN (pull + header-diff neighbor propagation). BlobDeleteNotice also retired — orphan blobs on remote holders evict via LRU.
  • +
  • Security: group-key admin-forgery rejection. Distribution posts whose inner admin field doesn't match the post's author are rejected before storage. Prevents an attacker who knows a victim's posting id and the target group_id from overwriting the victim's legitimate group-key record.
  • +
  • Bandwidth: port-scan hole punch capped at one concurrent scanner. Each scanner fires ~100 QUIC ClientHellos/sec for up to 5 minutes. Without a cap, parallel referrals could drive sustained multi-Mbps upload — especially on obfuscated VPNs where every probe stalls at a proxy timeout. Extra callers fall back to the standard 2s-round hole punch.
  • +
  • Outgoing-connect dedup. PendingConnectGuard prevents auto-reconnect, rebalance-slots, and relay-introduction from racing to connect to the same peer. Same-peer only — different peers connect independently; inbound connections are unaffected.
  • +
  • Merged-pull bugfix. The pull query now includes every posting identity we hold (not just the network id), so DMs addressed to any of our personas are found via the recipient-match path.
  • +
+

v0.6.2 is a wire-breaking fork from v0.6.1. Retired message types (0x42 PostNotification, 0x43 PostPush, 0x44 AudienceRequest, 0x45 AudienceResponse, 0x95 BlobDeleteNotice, 0xA0 GroupKeyDistribute) are not optional — upgrade both ends.

+
v0.6.1 — April 22, 2026
  • Network ID and posting ID are now separate by default. Fresh installs generate two independent ed25519 keys. Upgraders rotate their network key on first launch; the old key stays as the default posting persona. Peers see the same author; only the QUIC endpoint changes.
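Review bot: the "PostPush + PostNotification retired" entry says orphan blobs on remote holders "evict via LRU" now that BlobDeleteNotice is gone, while the Deletes entry at the top of the list does not say what happens to a deleted post's blobs. From these two entries it is unclear whether a holder that applies a signed DeletePost also drops the post's blobs or leaves them until LRU eviction; say which in the Deletes entry, since users will read "delete" as removing attachments from peers. The Deletes entry also says receivers verify the signature "against the target post's author, then apply" without saying how an older UpdateVisibility is ordered against a newer one; one sentence on that would help anyone auditing the control-post flow.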