v0.6.2 release: version bump + changelog

Six phase commits landed for v0.6.2 (2b through 2g) plus three
pre-release fixes from the final audit pass:

- 2b: control-post flow (delete / visibility change) + retire BlobDeleteNotice
- 2c: remove audience primitive + retire PostPush / PostNotification /
  AudienceRequest / AudienceResponse
- 2d: profile posts signed by the posting identity
- 2e: rich comments with ref_post_id + signed preview
- 2f: groups as a distinct primitive alongside circles
- 2g: GroupKeyDistribute → encrypted post (last persona-signed
  direct push gone)
- audit fix: reject group-key distribution posts where the claimed
  admin doesn't match the post author
- audit fix: cap concurrent port-scan hole punches at one (the
  10 Mbps-on-VPN storm)
- audit fix: dedup concurrent outgoing connects to the same peer

Wire-breaking fork from v0.6.1. Retired message types 0x42
(PostNotification), 0x43 (PostPush), 0x44 (AudienceRequest), 0x45
(AudienceResponse), 0x95 (BlobDeleteNotice), 0xA0 (GroupKeyDistribute)
are not optional.

121/121 core tests pass.
Scott Reimers 2026-04-22 23:54:40 -04:00
parent 8c40e0da48
commit de6aa06acf
6 changed files with 55 additions and 7 deletions

@ -46,6 +46,38 @@
<p style="margin: 0.5rem 0 0 0; font-size: 0.8rem; color: var(--text-muted);">v0.5.3 is kept online only as an upgrade bridge &mdash; it no longer connects to the live network.</p>
</div>
<h2 style="margin-top: 2rem;">v0.6.2 &mdash; April 22, 2026</h2>
<p style="color: var(--text-muted); font-size: 0.85rem;">Every remaining persona-signed direct push is off the wire. Deletes, visibility changes, profile updates, and group-key distribution now travel as encrypted / signed posts through the CDN. Groups are a first-class primitive. Plus two pre-release fixes &mdash; an admin-forgery check on group keys and a cap on concurrent port-scan hole punches that explains the 10 Mbps upload storm some users saw on VPNs.</p>
<div class="downloads">
<a href="itsgoin-0.6.2.apk" class="download-btn btn-android">
Android APK
<span class="sub">v0.6.2</span>
</a>
<a href="itsgoin_0.6.2_amd64.AppImage" class="download-btn btn-linux">
Linux AppImage
<span class="sub">v0.6.2</span>
</a>
<a href="itsgoin-cli-0.6.2-linux-amd64" class="download-btn btn-linux">
Linux CLI / Anchor
<span class="sub">v0.6.2</span>
</a>
</div>
<ul style="color: var(--text-muted); font-size: 0.85rem; line-height: 1.6; margin-top: 1rem;">
<li><strong>Deletes + visibility changes travel as signed control posts</strong> through the CDN. The <code>DeleteRecord</code> / <code>VisibilityUpdate</code> direct pushes are gone.</li>
<li><strong>Profile display data (name, bio, avatar) travels as a persona-signed profile post.</strong> Peer-visible names are back &mdash; but bound to the posting identity, not the network endpoint.</li>
<li><strong>Rich comments</strong> &mdash; a comment can reference a separate post for long bodies or attachments; inline preview is signed alongside the reference.</li>
<li><strong>Groups as a primitive</strong> &mdash; many-way posting anchored at a public root post. Circles remain one-way (admin-only).</li>
<li><strong>Group keys distribute as encrypted posts</strong> &mdash; the <code>GroupKeyDistribute</code> wire message is gone.</li>
<li><strong>Audience removed.</strong> Simpler social graph; anyone-can-send model via follows.</li>
<li><strong>PostPush / PostNotification wire messages retired</strong> &mdash; all content propagates via CDN.</li>
<li><strong>Port-scan hole punches are now capped at 1 concurrent</strong> &mdash; fixes sustained multi-Mbps upload on obfuscated VPNs after anchor connect.</li>
<li><strong>Outgoing-connect dedup</strong> &mdash; auto-reconnect, rebalance, and relay-introduction no longer race to the same peer.</li>
<li><strong>Security fix: group-key distribution verifies the claimed admin matches the post author</strong>, preventing a pollution attack where a peer who knows your posting id could overwrite your stored group key.</li>
</ul>
<p style="color: var(--text-muted); font-size: 0.85rem;">v0.6.2 is a wire-breaking fork from v0.6.1 (the retired message types are not optional). Upgrade both ends.</p>
<h2 style="margin-top: 2rem;">v0.6.1 &mdash; April 22, 2026</h2>
<p style="color: var(--text-muted); font-size: 0.85rem;">Network identity is now fully separated from posting identity on every install. Plus: Android auto-backup disabled by default, Reset actually resets, import preserves your personas, and display name is optional.</p>
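Review bot: the summary paragraph under the v0.6.2 heading says "Plus two pre-release fixes" and names only the admin-forgery check and the hole-punch cap, yet the bullet list in the same block also carries "Outgoing-connect dedup" and the commit message counts three audit fixes. Either say three and name the connect dedup, or drop the count. Separately, the "Security fix: group-key distribution verifies the claimed admin matches the post author" item is the last bullet, below the bandwidth and dedup items; as the one entry that gives users a security reason to upgrade, it would be better placed at the top of the list.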
@ -128,6 +160,22 @@
<section>
<h2>Changelog</h2>
<div class="changelog">
<div class="changelog-date">v0.6.2 &mdash; April 22, 2026</div>
<ul>
<li><strong>Deletes and visibility changes travel as signed control posts.</strong> New <code>VisibilityIntent::Control</code> post type carries a signed <code>DeletePost</code> / <code>UpdateVisibility</code> operation. Receivers verify the ed25519 signature against the target post's author, then apply. <code>DeleteRecord</code> and <code>VisibilityUpdate</code> wire pushes are removed.</li>
<li><strong>Persona display data (name / bio / avatar) travels as a signed profile post.</strong> New <code>VisibilityIntent::Profile</code>; authored by the posting identity, propagates via the CDN. The <code>ProfileUpdate</code> wire message keeps only routing fields (anchors, recent_peers, preferred_peers).</li>
<li><strong>Rich comments.</strong> <code>InlineComment</code> gains an optional <code>ref_post_id</code>; when set, <code>content</code> is a short preview and the full body (long text, attachments) lives in the referenced post. Signature binds the reference so a peer can't strip or swap it.</li>
<li><strong>Groups vs circles.</strong> Groups are a new many-way primitive &mdash; anchored at a public root post, any member can post to the group once they have the seed. Circles stay one-way (admin-only). The distinction is a <code>canonical_root_post_id</code> field on the group-key record; groups reuse the same encryption machinery.</li>
<li><strong>Group-key distribution as an encrypted post.</strong> The <code>GroupKeyDistribute</code> (0xA0) wire push is retired. Admins publish an encrypted post carrying the seed; members decrypt with their posting secret. Removes the last persona-signed direct push.</li>
<li><strong>Audience primitive removed.</strong> No more audience tables, no more <code>AudienceRequest</code>/<code>AudienceResponse</code> wire messages, no more <code>SocialRelation::Audience</code>/<code>Mutual</code>. Comment permission <code>AudienceOnly</code> renamed to <code>FollowersOnly</code>.</li>
<li><strong>PostPush + PostNotification retired.</strong> All content propagates only via CDN (pull + header-diff neighbor propagation). <code>BlobDeleteNotice</code> also retired &mdash; orphan blobs on remote holders evict via LRU.</li>
<li><strong>Security: group-key admin-forgery rejection.</strong> Distribution posts whose inner <code>admin</code> field doesn't match the post's author are rejected before storage. Prevents an attacker who knows a victim's posting id and the target group_id from overwriting the victim's legitimate group-key record.</li>
<li><strong>Bandwidth: port-scan hole punch capped at one concurrent scanner.</strong> Each scanner fires ~100 QUIC ClientHellos/sec for up to 5 minutes. Without a cap, parallel referrals could drive sustained multi-Mbps upload &mdash; especially on obfuscated VPNs where every probe stalls at a proxy timeout. Extra callers fall back to the standard 2s-round hole punch.</li>
<li><strong>Outgoing-connect dedup.</strong> <code>PendingConnectGuard</code> prevents auto-reconnect, rebalance-slots, and relay-introduction from racing to connect to the same peer. Same-peer only &mdash; different peers connect independently; inbound connections are unaffected.</li>
<li><strong>Merged-pull bugfix.</strong> The pull query now includes every posting identity we hold (not just the network id), so DMs addressed to any of our personas are found via the recipient-match path.</li>
</ul>
<p style="color: var(--text-muted); font-size: 0.8rem; font-style: italic; margin-bottom: 1rem;">v0.6.2 is a wire-breaking fork from v0.6.1. Retired message types (0x42 PostNotification, 0x43 PostPush, 0x44 AudienceRequest, 0x45 AudienceResponse, 0x95 BlobDeleteNotice, 0xA0 GroupKeyDistribute) are not optional &mdash; upgrade both ends.</p>
<div class="changelog-date">v0.6.1 &mdash; April 22, 2026</div>
<ul>
<li><strong>Network ID and posting ID are now separate by default.</strong> Fresh installs generate two independent ed25519 keys. Upgraders rotate their network key on first launch; the old key stays as the default posting persona. Peers see the same author; only the QUIC endpoint changes.</li>
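Review bot: the "PostPush + PostNotification retired" entry says BlobDeleteNotice is gone and that "orphan blobs on remote holders evict via LRU", which means the blobs of a deleted post can stay on remote holders for an unstated time after the signed DeletePost is applied. The deletes entry at the top of the list should say that directly, so readers do not assume a delete promptly removes attachments from other holders. Also, the "Merged-pull bugfix" entry does not appear among the phase commits or audit fixes listed in the commit message; note which change it belongs to.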