Tahoe-LAFS Weekly News, issue number 21, January 16, 2012

Welcome to the Tahoe-LAFS Weekly News (TWN). Tahoe-LAFS is a secure, distributed storage system. View TWN on the web or subscribe to TWN. If you would like to view the "new and improved" TWN, complete with pictures, please take a look.

Announcements and News

Tahoe-LAFS 1.9.1 Security Release

Kevan Carstensen discovered a security vulnerability in Tahoe-LAFS 1.9.0.

"This vulnerability would allow a sufficiently clever attacker to corrupt the retrieval of mutable files or directories which are retrieved with v1.9.0 or, in some cases, to corrupt the stored copy of mutable files or directories which are updated with v1.9.0." [1]

The recommended resolution prior to the 1.9.1 release was for users to either downgrade to 1.8.3 or refrain from using mutable files (SDMF and MDMF) in 1.9.0. A FAQ covering downgrading from 1.9.0 to 1.8.3 is provided. Ticket #1654 provides further details on the security vulnerability.

Tahoe-LAFS 1.9.1 was released to resolve this vulnerability. As a further bonus, all Tahoe-LAFS source tarballs, starting with 1.9.1, will be signed with the new Tahoe-LAFS Release Signing Key (0x68666A7A).

TWN Scribe Strives to Become Developer Part 2

As mentioned in the last issue, I (Patrick "marlowe") decided to seriously pursue my goal of learning programming. Ticket #1333 is the first ticket on which I am working. I already made the patch to the program. I still need to write a unit test and learn how to use git to generate a patch. Brian was kind enough to point me to Pro Git. I am in the middle of reading it to understand git. Hopefully by the next TWN, I will understand git enough. My goal is to land this patch by 01/31.

From the tahoe-dev Mailing List

accounts.url option in SFTP and FTP frontends

Jimmy Tang wanted some clarification of the accounts.url option in the SFTP and FTP frontends. Patrick and Brian both responded to the question. accounts.url specifies a login service. Tahoe-LAFS would send your credentials (email address and password) to the service and, if they are correct, the service would return a rootcap. Allmydata used to run a service. Patrick has an action item to update the documentation, and Brian asked Peter to check for the code which Allmydata used to run the login service.

Patches Needing Review of the Week

There is one (1) ticket still needing review for 1.9.2:

There are five (5) tickets still needing review for 1.10:


The Tahoe-LAFS Weekly News is published once a week by The Tahoe-LAFS Software Foundation, President and Treasurer: Peter Secor. Scribes: Patrick "marlowe" McDonald, Zooko Wilcox-O'Hearn. Editor: Zooko. View TWN on the web or subscribe to TWN. Send your news stories to marlowe@antagonism.org — submission deadline: Friday night.