layout: post title: “Tapestry 1.1 and 2.0 News!” date: 2018-09-20 10:00 -300 categories: Tapestry —

Tapestry 1.1.0 Released!

Tor those who missed it, yesterday I released version 1.1.0 of Tapestry for public consumption. The 1.1 series will be maintained up until the release of the next feature update, which in this case is Tapestry 2.0. More on that later.

1.1-series is the Network Functionality Update, which adds the “network configuration” section. At this time, the only network mode enabled is FTP/S - you could already get NFS functionality by just making sure your mount-points were mounted. This feature is intended for use in the preparation of automatic offsite backups.

1.1 also patches a major security hole, so if you haven’t already, I’d grab the 1.1.0 release from the repo. Make sure you double-check the signature.

Wait, security hole?

Speaking of signatures, there’s the rub. One of the principal features of Tapestry, recovery signature verification, turned out to be completely bypassable thanks to a flaw that was baked in at either 0.3.0 or in 1.0. A flaw in the verification function meant that the function would only verify (or prompt to bypass) for the first block it encountered when recovering multiple blocks from a single directory. Since the decryption function performed no validation of its own, it would then happily unpack whatever the hell was there.

While the risk was small, the potential nonetheless remained for a trust bypass, so I rewrote both functions to have validation function on a per-file basis, and that same validation now functions as a part of the decryption function, rather than an antecedent.

What else was changed?

Apart from the network mode and the main security fix, a number of other small changes were made to close some known issues, improve the look and feel of Tapestry’s CLI, and the overall tidiness and usefulness of the app.

Next Up: Tapestry 2.0

As is my practice, the 1.1.0 series will be maintained until the next feature release. While normally this would be 1.2.0, since a change in recovery file format is upcoming, we’re incrementing the major version number instead, to 2.0.

This will likely be a from-scratch (or nearly) rewrite. While the exact feature set is still in the air, here’s what’s changing so far:

  • Modification of the recovery file format to facilitate testing and future feature additions
  • Modification of the multiprocessing stack to allow windows compatibility.
  • Reorientation of the program design to allow better test coverage
  • At-runtime integrity testing of backups generated to enhance confidence in the reliability of the backup.
  • Other additions as necessary to lay ground for other features as 2.x-series releases.

It is not yet decided if Tapestry 2.0 will remain in python, or if the project will transition to another language which can be compiled as a standalone binary for portability.