root/NEWS

User visible changes in Foolscap (aka newpb/pb2).           -*- outline -*-

* Release 0.3.2 (14 Oct 2008)

** Compatibility: same as 0.2.6

Incident classifier functions (introduced in 0.3.0) have been changed: if you
have written custom functions for an Incident Gatherer, you will need to
modify them upon upgrading to this release.

** Logging Changes

The log.msg counter now uses a regular Python integer/bigint. The counter in
0.3.1 used itertools.count(), which, despite its documentation, stores the
counter in a C signed int, and thus throws an exception when the message
number exceeds 2**31-1 . This exception would pretty much kill any program
which ran long enough to emit this many messages, a situation which was
observed in a busy production server with an uptime of about three or four
weeks. The 0.3.2 counter will be promoted to a bigint when necessary,
removing this limitation. (ticket #99)

The Incident-Gatherer now imports classification functions from files named
'classify_*.py' in the gatherer's directory. This effectively adds
"classifier plugins". The signature of the functions has changed since the
0.3.0 release, making them easier to use. If you have written custom
functions (and edited the gatherer.tac file to activate them, using
gs.add_classifier()), you will need to modify the functions to take a single
'trigger' argument.

These same 'classify_*.py' plugins are used by a new "flogtool
classify-incident" subcommand, which can be pointed at an incident file, and
performs the same kind of classification as the Incident Gatherer. (#102).

The logfiles produced by the "flogtool tail" command and the internal
incident-reporter now include the PID of the reporting process. This can be
seen by passing the --verbose option to "flogtool dump", and will be made
more visible in later releases. (#80).

The "flogtool web-viewer" tool now marks Incident triggers (#79), and
features a "Reload Logfile" button to re-read the logfile on disk (#103).
This is most useful when running unit tests, in conjunction with the
FLOGFILE= environment variable.

** Other Changes

When running unit tests, if the #62 bug is encountered (pyopenssl >= 0.7 and
twisted <= 8.1.0 and selectreactor), the test process will emit a warning and
pause for ten seconds to give the operator a chance to halt the test and
re-run it with --reactor=poll. This may help to reduce the confusion of a
hanging+failing test run.

The xfer-client.py example tool (in doc/listings/) has been made more
useable, by calling os.path.expanduser() on its input files, and by doing
sys.exit(1) on failure (instead of hanging), so that external programs can
react appropriately.


* Release 0.3.1 (03 Sep 2008)

** Compatibility: same as 0.2.6

** callRemote API changes: DeadReferenceError

All partitioning exceptions are now mapped to DeadReferenceError. Previously
there were three separate exceptions that might indicate a network partition:
DeadReferenceError, ConnectionLost, and ConnectionDone. (a network partition
is when one party cannot reach the other party, due to a variety of reasons:
temporary network failure, the remote program being shut down, the remote
host being taken offline, etc).

This means that, if you want to send a message and don't care whether that
message makes it to the recipient or not (but you *do* still care if the
recipient raises an exception during processing of that message), you can set
up the Deferred chain like this:

 d = rref.callRemote("message", args)
 d.addCallback(self.handle_response)
 d.addErrback(lambda f: f.trap(foolscap.DeadReferenceError))
 d.addErrback(log.err)

The first d.addErrback will use f.trap to catch DeadReferenceError, but will
pass other exceptions through to the log.err() errback. This will cause
DeadReferenceError to be ignored, but other errors to be logged.

DeadReferenceError will be signalled in any of the following situations:

 1: the TCP connection was lost before callRemote was invoked
 2: the connection was lost after the request was sent, but before
    the response was received
 3: when the active connection is dropped because a duplicate connection was
    established. This can occur when two programs are simultaneously
    connecting to each other.

** logging improvements

*** bridge foolscap logs into twistd.log

By calling foolscap.logging.log.bridgeLogsToTwisted(), or by setting the
$FLOGTOTWISTED environment variable (to anything), a subset of Foolscap log
events will be copied into the Twisted logging system. The default filter
will not copy events below the log.OPERATIONAL level, nor will it copy
internal foolscap events (i.e. those with a facility name that starts with
"foolscap"). This mechanism is careful to avoid loops, so it is safe to use
both bridgeLogsToTwisted() and bridgeTwistedLogs() at the same time. The
events that are copied into the Twisted logging system will typically show up
in the twistd.log file (for applications that are run under twistd).

An alternate filter function can be passed to bridgeLogsToTwisted().

This feature provides a human-readable on-disk record of significant events,
using a traditional one-line-per-event all-text sequential logging structure.
It does not record parent/child relationships, structured event data, or
causality information.

*** Incident Gatherer improvements

If an Incident occurs while a previous Incident is still being recorded (i.e.
during the "trailing log period"), the two will be folded together.
Specifically, the second event will not trigger a new Incident, but will be
recorded in the first Incident as a normal log event. This serves to address
some performance problems we've seen when incident triggers occur in
clusters, which used to cause dozens of simultaneous Incident Recorders to
swing into action.

The Incident Gatherer has been changed to only fetch one Incident at a time
(per publishing application), to avoid overloading the app with a large
outbound TCP queue.

The Incident Gatherer has also been changed to scan the classified/* output
files and reclassify any stored incidents it has that are not mentioned in
one of these files. This means that you can update the classification
functions (to add a function for some previously unknown type of incident),
delete the classified/unknown file, then restart the incident gatherer, and
it will only reclassify the previously-unknown incidents. This makes it much
easier to iteratively develop classification functions.

*** Application Version data

The table of application versions, previously displayed only by the 'flogtool
tail' command, is now recorded in the header of both Incidents and the
'flogtool tail --save-to' output file.

The API to add application versions has changed: now programs should call
foolscap.logging.app_versions.add_version(name, verstr).


* Release 0.3.0 (04 Aug 2008)

** Compatibility: same as 0.2.6

The wire-level protocol remains the same as other recent releases.

The new incident-gatherer will only work with applications that use Foolscap
0.3.0 or later.

** logging improvements

The "incident gatherer" has finally been implemented. This is a service, like
the log-gatherer, which subscribes to an application's logport and collects
incident reports: each is a dump of accumulated log messages, triggered by
some special event (such as those above a certain severity threshold). The
"flogtool create-incident-gatherer" command is used to create one, and twistd
is used to start it. Please see doc/logging.xhtml for more details.

The incident publishing API was changed to support the incident-gatherer. The
incident-gatherer will only work with logports using foolscap 0.3.0 or newer.

The log-publishing API was changed slightly, to encourage the use of
subscription.unsubscribe() rather than publisher.unsubscribe(subscription).
The old API remains in place for backwards compatibility with log-gatherers
running foolscap 0.2.9 or earlier.

The Tub.setOption("log-gatherer-furlfile") can accept a file with multiple
FURLs, one per line, instead of just a single FURL. This makes the
application contact multiple log gatherers, offering its logport to each
independently, e.g. to connect to both a log-gatherer and an
incident-gatherer.

** API Additions

RemoteReferences now have a getRemoteTubID() method, which returns a string
(base32-encoded) representing the secure Tub ID of the remote end of the
connection. For any given Tub ID, only the possessor of the matching private
key should be able to provide a RemoteReference for which getRemoteTubID()
will return that value. I'm not yet sure if getRemoteTubID() is a good idea
or not (the traditional object-capability model discourages making
access-control decisions on the basis of "who", instead these decisions
should be controlled by "what": what objects do they have access to). This
method is intended for use by application code that needs to use TubIDs as an
index into a table of some sort. It is used by Tahoe to securely compute
shared cryptographic secrets for each remote server (by hashing the TubID
together with some other string).

Note that the rref.getSturdyRef() call (which has been present in Foolscap
since forever) is *not* secure: the remote application controls all parts of
the sturdy ref FURL, including the tubid. A future version of foolscap may
remedy this.

** Bug fixes

The log-gatherer FURL can now be set before Tub.setLocation (the connection
request will be deferred until setLocation is called), and
getLogPort/getLogPortFURL cannot be called until after setLocation. These two
changes, in combination, resolve a problem (#55) in which the gatherer
connection could be made before the logport was ready, causing the
log-gatherer to fail to subscribe to receive log events.

** Dependent Libraries

Foolscap uses PyOpenSSL for all of its cryptographic routines. A bug (#62)
has been found in which the current version of Twisted (8.1.0) and the
current version of PyOpenSSL (0.7) interact badly, causing Foolscap's unit
tests to fail. This problem will affect application code as well
(specifically, Tub.stopService will hang forever). The problem only appears
to affect the selectreactor, so the current recommended workaround is to run
unit tests (and applications that need to shut down Tubs) with --reactor=poll
(or whatever other reactor is appropriate for the platform, perhaps iocp). A
less-desireable workaround is to downgrade PyOpenSSL to 0.6, or Twisted to
something older. The Twisted maintainers are aware of the problem and intend
to fix it in an upcoming Twisted release.


* Release 0.2.9 (02 Jul 2008)

** Compatibility: exactly the same as 0.2.6

** logging bugs fixed

The foolscap.logging.log.setLogDir() option would throw an exception if the
directory already existed, making it unsuitable for use in an application
which is expected to be run multiple times. This has been fixed.

** logging improvements

'flogtool tail' now displays the process ID and version information about the
remote process. The tool will tolerate older versions of foolscap which do
not offer the get_pid interface. (foolscap ticket #71)

The remote logport now uses a size-limited queue for messages going to a
gatherer or 'flogtool tail', to prevent the monitored process from using
unbounded amounts of memory during overload situations (when it is generating
messages faster than the receiver can handle them). This solves a runaway
load problem we've seen in Tahoe production systems, in which a busy node
sends log messages to a gatherer too quickly for it to absorb, using lots of
memory to hold the pending messages, which causes swapping, which causes more
load, making the problem worse. We frequently see an otherwise well-behaved
process swell to 1.4GB due to this problem, occasionally failing due to VM
exhaustion. Of course, a bounded queue means that new log events will be
dropped during this overload situation. (#72)

** serialization added for the Decimal type (#50)

** debian packaging targets added for gutsy and hardy

The Makefile now has 'make debian-gutsy' and 'make debian-hardy' targets.
These do the same thing as 'make debian-feisty'. (#76)


* Release 0.2.8 (04 Jun 2008)

** Compatibility: exactly the same as 0.2.6

** setuptools dependencies updated

Foolscap (when built with setuptools) now uses the "extras_require" feature
to declare that it needs pyOpenSSL if you want to use the
"secure_connections" feature. This makes easy_install easier to use in
projects that depend upon Foolscap (and also insist upon using secure
connections): they do not need to declare a dependency on pyOpenSSL
themselves, instead they declare a dependency on
"Foolscap[secure_connections]". See the following documentation for more
details:
http://peak.telecommunity.com/DevCenter/setuptools#declaring-extras-optional-features-with-their-own-dependencies

** New RemoteReference.getPeer() method

The new rref.getPeer() method will return address information about the far
end of the connection, allowing you to determine their IP address and port
number. This may be useful for debugging or diagnostic purposes.

** Minor bugs fixed

Tub.registerReference() with both name= and furlFile= arguments now works
even when the furlFile= already exists.

Tubs which have been shutdown now give more useful error messages when you
(incorrectly) try to use them again. Previously a bug caused them to emit a
TypeError.


* Release 0.2.7 (13 May 2008)

** Compatibility: exactly the same as 0.2.6

** flogtool works again

The "flogtool" utility was completely non-functional in 0.2.6 . This has been
fixed.

** Known Issues

*** some debian packages are wrong

When using the 'make debian-dapper' target (to build a .deb for a dapper
system), the resulting .deb sometimes includes a full copy of Twisted, and is
probably unsuitable for installation. This appears to be a result of
installation behavior changing due to setuptools being imported (even though
it is not explicitly used). No other platforms .deb files seem to be affected
this way. Package builders are advised to examine the generated .deb closely
before using it.


* Release 0.2.6 (06 May 2008)

** Compatibility

All releases between 0.1.3 and 0.2.6 (inclusive) are fully wire-compatible.

The saved logfiles produced (by e.g. 'flogtool tail --save-to' and the
log-gatherer) in 0.2.6 and beyond are not readable by tools (e.g. 'flogtool
dump' and 'flogtool filter') from 0.2.5 and earlier.

FURLs which contain "extensions" (described below) will not be tolerated by
foolscap 0.2.5 or earlier. If, at some point in the future, we add such
extensions to published FURLs, then such an application will require
foolscap-0.2.6 or later to interpret those FURLs.

** Logging Changes

*** "Incident" Logging

This release finally implements the "strangeness-triggered logging" espoused
in doc/logging.xhtml . By giving the foolscap logging code a directory to
work with, the logging system will automatically save a compressed pickled
logfile containing the messages that lead up to sufficiently-severe log
event. The docs explain how to control what "sufficiently-severe" means.
These events are retrievable through the logport, although no tools have been
written yet to actually extract them. They are also retrievable by using
'flogtool dump' directly on the incident files.

*** 'flogtool as a subcommand

The implementation of the 'flogtool' executable has been rearranged to make
it possible to add a 'flogtool' subcommand to some other executable.

*** 'flogtool filter' now has --above LEVEL and --from TUBID options
*** 'flogtool dump' has --rx-time option, also shows failure tracebacks
*** gatherer: don't add erroneous UTC-implying "Z" suffix to filename timestamps
*** 'flogtool tail': don't add spurious "0" to timestamps

** constraints no longer reject ('reference',) sequences

The foolscap/banana serialization protocol responds to sending two separate
copies of the same object in the same callRemote message by emitting one
serialized object sequence and one 'reference' sequence: this is the standard
way by which cycles are broken in the serialized data. Unfortunately, the
wire-level constraint checkers in 0.2.5 and earlier would reject reference
sequences with a Violation exception: if they were expecting a tuple, they
would reject anything else, even a reference sequence that pointed at a
tuple.

Worse yet, python's normal constant-object folding code can produce shared
references where you might not expect. In the following example, the two
tuples are identical objects (and result in a 'reference' sequence on the
wire), despite the programmer having typed them separately:

 rref.callRemote("haveTwoTuples", (0,1), (0,1) )

Foolscap-0.2.6 now allows reference sequence in all wire-level constraint
checks, to avoid this false-negative Violation. The post-deserialization
check will still enforce the constraint properly. It just does it late enough
to be able to tell what the reference points to.

** Twisted/pyopenssl compatibility

*** compatible with Twisted-8.0.x

Some unit test failures under Twisted-8.0.x (the most recent release) were
fixed: tests now pass against Twisted-8.0.x, and a buildbot is used to make
sure compatibility is maintained in the future.

*** incompatible with pyOpenSSL-0.7

An incompatibility has been discovered with the most recent version of
PyOpenSSL. pyopenssl 0.6 works correctly, but pyopenssl 0.7 causes modern
versions of Twisted (both 2.5.x and 8.0.x) to follow a code path that breaks
the Foolscap unit tests. This may or may not cause a problem in actual
application use (the symptom is that the non-winning parallel connections are
not disconnected properly, and several negotiation timers are left running).
Until a fix is developed for either Twisted or PyOpenSSL, the recommended
workaround is to downgrade to PyOpenSSL-0.6 . Twisted bug #3218 and Foolscap
bug #62 exist to track this problem.

** setup.py is more setuptools-friendly

The foolscap version string is located with a regular expression rather than
an import, allowing setuptools to install Foolscap as a build-dependency of
some other project without having Twisted available first. If setuptools is
available, we also declare a dependency upon Twisted (at least 2.4.0), to
give more information to the setuptools dependency-auto-installer.

** Unauthenticated FURLs can now contain multiple connection hints

Previously they were limited to a single one

** FURLs can now contain extensions, providing forwards-compatibility

The parsing of FURLs has been refined to tolerate (and ignore) certain kinds
of extensions. The "tubid" section will be able to have additional
identifiers (perhaps stronger hashes for the public key, or an
encryption-ready EC-DSA public key). In addition, the "connection hints"
section will be able to contain alternate protocol specifiers (for TCP over
IPv6, or a less connection-oriented UDP transport).

By ignoring such extensions, foolscap-0.2.6 will tolerate FURLs produced
(with extensions) by some future version of foolscap. This marks the
beginning of a "transition period": when such extensions are introduced,
0.2.6 will be the oldest version still capable of interoperating with the
extension-using new version.


* Release 0.2.5 (25 Mar 2008)

** Compatibility

All releases between 0.1.3 and 0.2.5 (inclusive) are fully wire-compatible.

The new 'flogtool tail --catch-up' command requires a log publisher running
0.2.5 or later. 'flogtool tail' without the --catch-up option will work with
earlier publishers.

** Licensing clarification

Foolscap is distributed under the (very liberal) terms of the MIT license,
which is the same license that Twisted uses. It's been like this since the
beginning, but this is the first release to make this obvious by including a
LICENSE file.

** foolscap.logging Changes

'flogtool tail' now has a --catch-up option, which prompts the remote
publisher to deliver stored historical events to the subscribe, in proper
sequential order. This allows you to connect to a process that has just done
something interesting and grab a copy of the log events relevant to that
event.

'flogtool tail' also has a --save-to option, which specifies a filename to
which all captured events should be saved. This file can be processed further
with 'flogtool dump', 'flogtool filter', or 'flogtool web-viewer'. This
behaves much like the unix 'tee' utility, except that the saved data is
recorded in a lossless binary format (whereas the text emitted to stdout is
not particularly machine-readable).

'flogtool tail' and 'flogtool dump' both emit human-readable log messages by
default. The --verbose option will emit raw event dictionaries, which contain
slightly more information but are harder to read.

'flogtool create-gatherer' will create a log gatherer .tac file in a new
working directory. This .tac file can be launched with 'twistd', the standard
Twisted daemon-launching program. This is significantly easier to work with
than the previous 'flogtool gather' command (which has been removed). The new
--rotate option will cause the log-gatherer to switch to a new output file
every N seconds. The --bzip option will make it compress the logfiles after
rotating them. For example, a log gatherer that rotates and compresses log
files once per day could be created and launched with:

 flogtool create-gatherer --rotate 86400 --bzip ./workdir
 (cd workdir && twistd -y gatherer.tac)

** New sample programs

doc/listings/command-server.py and command-client.py are a pair of programs
that let you safely grant access to a specific command. The server is
configured with a command line to run, and a directory to run it from. The
client gets a FURL: when the client is executed, the server will run its
preconfigured command. The client gets to see stdout and stderr (and the exit
status), but does not get to influence the command being run in any way.
This is much like setting up an ssh server with a restricted command, but
somewhat easier to configure.

doc/listings/xfer-server.py and xfer-client.py are similar, but provide file
transfer services instead of command execution.

** New Features

Tub.setLocationAutomatically() will try to determine an externally-visible IP
address and feed it to Tub.setLocation(). It does this by preparing to send a
packet to a well-known public IP address (one of the root DNS servers) and
seeing which network interface would be used. This will tend to find the
outbound default route, which of course is only externally-visible if the
host is externally-visible. Applications should not depend upon this giving a
useful value, and should give the user a way to configure a list of
hostname+portnumbers so that manually-configured firewalls, port forwarders,
and NAT boxes can be dealt with.


* Release 0.2.4 (28 Jan 2008)

** Compatibility

All releases between 0.1.3 and 0.2.4 (inclusive) are fully wire-compatible.

** foolscap.logging Changes

*** 'flogtool filter' command added

This mode is used to take one event-log file and produce another with a
subset of the events. There are several options to control the filtering:
"--strip-facility=foolscap" would remove all the foolscap-related messages,
and "--after=start --before=end" will retain events that occur within the
given period. The syntax is still in flux, expect these options to change in
the next few releases. The main idea is to take a very large logfile and turn
it into a smaller, more manageable one.

*** error logging

Applications should avoid recording application-specific instances in log
events. Doing so will forces the log viewer to access the original source
code. The current release of foolscap uses pickle, so such instances will be
loadable if the viewer can import the same code, but future versions will
probably switch to using Banana, at which point trying to log such instances
will cause an error.

In this release, foolscap stringifies the type of an exception/Failure passed
in through the failure= kwarg, to avoid inducing this import dependency in
serialized Failures. It also uses the CopiedFailure code to improve
portability of Failure instances, and CopiedFailures have been made
pickleable.

The preferred way to log a Failure instance is to pass it like so:

 def _oops(f):
   log.msg("Oh no, it failed", failure=f, level=log.BAD)
 d.addErrback(_oops)

Finally, a 'log.err()' method was added, which behaves just like Twisted's
normal log.err(): it can be used in a Deferred errback, or inside an
exception handler.

*** 'flogtool web-viewer'

Adding a "sort=time" query argument to the all-events viewing page URL will
turn off the default nested view, and instead will sort all events strictly
by time of generation (note that unsynchronized clocks may confuse the
relative ordering of events on different machines). "sort=number" sorts all
events by their event number, which is of dubious utility (since these
numbers are only scoped to the Tub). "sort=nested" is the default mode.

The web-viewer now provides "summary views", which show just the events that
occurred at a given severity level. Each event is a hyperlink to the line in
the all-events page (using anchor/fragment tags), which may make them more
convenient to bookmark or reference externally.


* Release 0.2.3 (24 Dec 2007)

** Compatibility

All releases between 0.1.3 and 0.2.3 (inclusive) are fully wire-compatible.

** Bug Fixes

RemoteReference.getSturdyRef() didn't work (due to bitrot). It has been
fixed.

** foolscap.logging Changes

This release is mostly about flogging improvements: some bugs and misfeatures
were fixed:

*** tolerate '%' in log message format strings

Dictionary-style kwarg formatting is now done with a twisted-style style
format= argument instead of happening implicitly. That means the acceptable
ways to call foolscap.logging.log.msg are:

 log.msg("plain string")
 log.msg("no args means use 0% interpolation")
 log.msg("pre-interpolated: %d apples" % apples)
 log.msg("posargs: %d apples and %d oranges", apples, oranges)
 log.msg(format="kwargs: %(numapples)d apples", numapples=numapples)

The benefit of the latter two forms are that the arguments are recorded
separately in the event dictionary, so viewing tools can filter on the
structured data, think of something like:

  [e for e in allEvents if e.get("numapples",0) > 4]

*** log facility names are now dot-separated, to match stdlib logging
*** log levels are derived from numerical stdlib logging levels
*** $FLOGFILE to capture flog events during 'trial' runs

One challenge of the flogging system is that, once an application was changed
to write events to flogging instead of twisted's log, those events do not
show up in the normal places where twisted writes its logfiles. For full
applications this will be less of an issue, because application startup will
tell flogging where events should go (flogging is intended to supplant
twisted logging for these applications). But for events emitted during unit
tests, such as those driven by Trial, these events would get lost.

To address this problem, the 0.2.3 flogging code looks for the "FLOGFILE"
environment variable at import time. This specifies a filename where flog
events (a series of pickled event dictionaries) should be written. The file
is opened at import time, events are written during the lifetime of the
process, then the file is closed at shutdown using a Twisted "system event
trigger" (which happens to be enough to work properly under Trial: other
environments may not work so well). If the FLOGFILE filename ends in .bz2,
the event pickles will be compressed, which is highly recommended because it
can result in a 30x space savings (and e.g. the Tahoe unit test run results
in 90MB of uncompressed events). All 'flogtool' modes know how to handle a
.bz2 compressed flogfile as well as an uncompressed one.

The "FLOGTWISTED" environment variable, if set, will cause this same code to
bridge twisted log messages into the flogfile. This makes it easier to see
the relative ordering of Twisted actions and foolscap/application events.
(without this it becomes very hard to correlate the two sources of events).

The "FLOGLEVEL" variable specifies a minimum severity level that will be put
into the flogfile. This defaults to "1", which puts pretty much everything
into the file. The idea is that, for tests, you might as well record
everything, and use the filtering tools to control the display and isolate
the important events. Real applications will use more sophisticated tradeoffs
between disk space and interpretation effort.

The recommended way to run Trial on a unit test suite for an application that
uses Foolscap is:

 FLOGFILE=flog.out FLOGTWISTED=1 trial PACKAGENAME

Note that the logfile cannot be placed in _trial_temp/, because trial deletes
that directory after flogging creates the logfile, so the logfile would get
deleted too. Also note that the file created by $FLOGFILE is truncated on
each run of the program.


* Release 0.2.2 (12 Dec 2007)

** Compatibility

All releases between 0.1.3 and 0.2.2 (inclusive) are fully wire-compatible.
New (optional) negotiation parameters were added in 0.2.1 (really in 0.2.0).

** Bug Fixes

The new duplicate-connection handling code in 0.2.1 was broken. This release
probably fixes it.

There were other bugs in 0.2.1 which were triggered when a duplicate
connection was shut down, causing remote calls to never be retired, which
would also prevent the Reconnector from doing its job. These should be fixed
now.

** Other Changes

Foolscap's connection-negotiation mechanism has been modified to use foolscap
logging ("flog") instead of twisted.log .

Setting the FLOGFILE= environment variable will cause a Foolscap-using
program to write pickled log events to a file of that name. This is
particularly useful when you want to record log events during 'trial' unit
test run. The normal API for setting this file will be added later. The
FLOGTWISTED= environment variable will cause the creation of a twisted.log
bridge, to copy all events from the twisted log into the foolscap log.

The 'flogtool web-view' mode has been enhanced to color-code events according
to their severity, and to format Failure tracebacks in a more-readable way.


* Release 0.2.1 (10 Dec 2007)

** Compatibility

All releases between 0.1.3 and 0.2.1 (inclusive) are fully wire-compatible.
0.2.1 introduces some new negotiation parameters (to handle duplicate
connections better), but these are ignored by older versions, and their lack
is tolerated by 0.2.1 .

** New Features

*** new logging support

Foolscap is slowly acquiring advanced diagnostic event-logging features. See
doc/logging.xhtml for the philosophy and design of this logging system. 0.2.1
contains the first few pieces, including a tool named bin/flogtool that can
be used to watch events on a running system, or gather events from multiple
applications into a single place for later analysis. This support is still
preliminary, and many of the controls and interfaces described in that
document are not yet implemented.

*** better handling of duplicate connections / NAT problems

The connection-management code in 0.1.7 and earlier interacted badly with
programs that run behind NAT boxes (especially those with aggressive
connection timeouts) or on laptops which get unplugged from the network
abruptly. Foolscap seeks to avoid duplicate connections, and various
situtations could cause the two ends to disagree about the viability of any
given connection. The net result (no pun intended) was that a client might
have to wait up to 35 minutes (depending upon various timeout values) before
being able to reestablish a connection, and the Reconnector's exponential
backoff strategy could easily push this into 90 minutes of downtime.

0.2.1 uses a different approach to accomplish duplicate-suppression, and
should provide much faster reconnection after netquakes. To benefit from
this, both ends must be running foolscap-0.2.1 or newer, however there is an
additional setting (not enabled by default) to improve the behavior of
pre-0.2.1 clients: tub.setOption("handle-old-duplicate-connections", True).

*** new Reconnector methods

The Reconnector object (as returned by Tub.connectTo) now has three utility
methods that may be useful during debugging. reset() drops the backoff timer
down to one second, causing the Reconnector to reconnect quickly: you could
use this to avoid an hour-long delay if you've just restarted the server or
re-enabled a network connection that was the cause of the earlier connection
failures. getDelayUntilNextAttempt() returns the number of seconds remaining
until the next connection attempt. And getLastFailure() returns a Failure
object explaining why the last connection attempt failed, which may be a
useful diagnostic in trying to resolve the connection problems.

** Bug Fixes

There were other minor changes: an OS-X unit test failure was resolved,
CopiedFailures are serialized in a way that doesn't cause constraint
violations, and the figleaf code-coverage tools (used by foolscap developers
to measure how well the unit tests exercise the code base) have been improved
(including an emacs code-used/unused annotation tool).


* Release 0.2.0 (10 Dec 2007)

This release had a fatal bug that wasn't caught by the unit tests, and was
superseded almost immediately by 0.2.1 .


* Release 0.1.7 (24 Sep 2007)

** Compatibility

All releases between 0.1.3 and 0.1.7 (inclusive) are fully wire-compatible.

** Bug Fixes

*** slow remote_ methods shouldn't delay subsequent messages (#25)

In earlier releases, a remote_ method which runs slowly (i.e. one which
returns a Deferred and does not fire it right away) would have the
unfortunate side-effect of delaying all subsequent calls from the same
Broker. Those later calls would not be delivered until the first message had
completed processing. If, for some reason, that Deferred were never fired,
this Foolscap bug would prevent any other remote_ methods from ever being
called.

This is not how Foolscap's message-ordering logic is designed to work.
Foolscap guarantees in-order *delivery* of messages, but does not require
that they be completed/retired in that same order.

This has now been fixed. The invocation of remote_* is done in-order: any
further sequencing is up to the receiving application.

For example, in the following code:

 sender:
   rref.callRemote("quick", 1)
   rref.callRemote("slow", 2)
   rref.callRemote("quick", 3)

 receiver:
   def remote_quick(self, num):
     print num
   def remote_slow(self, num):
     print num
     d = Deferred()
     def _done():
       print "DONE"
       d.callback(None)
     reactor.callLater(5.0, _done)
     return d

The intended order of printed messages is 1,2,3,DONE . This bug caused the
ordering to be 1,2,DONE,3 instead.

*** default size limits removed from all Constraints (#26)

Constraints in Foolscap serve two purposes: DoS attack mitigation, and strong
typing on remote interfaces to help developers find problems sooner. To
support the former, most container-based Constraints had default size limits.
For example, the default StringConstraint enforced a maximum length of 1000
characters, and the ListConstraint had a maxLength of 30 elements.

In practice, these limits turned out to be more surprising than helpful.
Applications which worked fine in testing would mysteriously break when
subjected to data that was larger than expected. Developers who used
Constraints for their type-checking properties were surprised to discover
that they were getting size limitations as well. In addition, the
DoS-mitigation code in foolscap is not yet complete, so the cost/benefit
ratio of this feature was dubious.

For these reasons, all default size limits have been removed from this
release. The 0.1.7 StringConstraint() schema is equivalent to the 0.1.6
StringConstraint(maxLength=None) version. To get the 0.1.6 behavior, use
StringConstraint(maxLength=1000). The same is true for ListConstraint,
DictConstraint, SetConstraint, and UnicodeConstraint.

** New features

*** Tub.registerReference(furlFile=)

In the spirit of Tub(certFile=), a new argument was added to
registerReference that instructs Foolscap to find and store a
randomly-generated name in the given file. This makes it convenient to allow
subsequent invocations of the same program to use the same stable (yet
unguessable) identifier for long-lived objects. For example, a Foolscap-based
server can make its Server object available under the same FURL from one run
of the program to the next with the following startup code:

  s = MyServer()
  furl = tub.registerReference(s, furlFile=os.path.join(basedir, "server"))

If the furlFile= exists before registerReference is called, a FURL will be
read from it, and a name extracted to use for the object. If not, the file
will be created and filled with a FURL that uses a randomly-generated name.

*** Tub.serialize()

Work is ongoing to implement E-style cryptographic Sealers/Unsealers in
Foolscap (see ticket #20). Part of that work has made it into this release.
The new Tub.serialize() and Tub.unserialize() methods provide access to the
underlying object-graph-serialization code. Normally this code is used to
construct a bytestream that is immediately sent over an SSL connection to a
remote host; these methods return a string instead. Eventually, a Sealer will
return an encrypted version of this string, and the corresponding Unsealer
will take the encrypted string and build a new object graph.

The foolscap.serialize() and .unserialize() functions have existed for a
while. The new Tub.serialize()/.unserialize() methods are special in that you
can serialize Referenceables and RemoteReferences. These are encoded with
their FURLs, so that the unserializing Tub can establish a new live reference
to their targets. foolscap.serialize() cannot handle referenceables.

Note that both Tub.serialize() and foolscap.serialize() are currently
"unsafe", in that they will serialize (and unserialize!) instances of
arbitrary classes, much like the stdlib pickle module. This is a significant
security problem, as this results in arbitrary object constructors being
executed during deserialization. In a future release of Foolscap, this mode
of operation will *not* be the default, and a special argument will have to
be passed to enable such behavior.


** Other Improvements

When methods fail, the error messages that get logged have been improved. The
new messages contain information about which source+dest TubIDs were
involved, and which RemoteInterface and method name was being used.

A new internal method named Tub.debug_listBrokers() will provide information
on which messages are waiting for delivery, either inbound or outbound. It is
intended to help diagnose problems like #25. Any message which remains
unresolved for a significant amount of time is likely to indicate a problem.


* Release 0.1.6 (02 Sep 2007)

** Compatibility

All releases between 0.1.3 and 0.1.6 (inclusive) are fully wire-compatible.

** Bug Fixes

Using a schema of ChoiceOf(StringConstraint(2000), None) would fail to accept
strings between 1000 and 2000 bytes: it would accept a short string, or None,
but not a long string. This has been fixed. ChoiceOf() remains a troublesome
constraint: having it is awfully nice, and things like ChoiceOf(str,None)
seem to work, but it is unreliable. Using ChoiceOf with non-terminal children
is not recommended (the garden-path problem is unlikely to be easy to solve):
schemas are not regular expressions.

The debian packaging rules have been fixed. The ones in 0.1.5 failed to run
because of some renamed documentation files.

** Minor Fixes

Several minor documentation errors have been corrected. A new 'make api-docs'
target has been added to run epydoc and build HTML versions of the API
documentation.

When a remote method fails and needs to send a traceback over the wire, and
when the traceback is too large, trim out the middle rather than the end,
since usually it's the beginning and the end that are the most useful.


* Release 0.1.5 (07 Aug 2007)

** Compatibility

This release is fully compatible with 0.1.4 and 0.1.3 .

** CopiedFailure improvements

When a remote method call fails, the calling side gets back a CopiedFailure
instance. These instances now behave slightly more like the (local) Failure
objects that they are intended to mirror, in that .type now behaves much like
the original class. This should allow trial tests which result in a
CopiedFailure to be logged without exploding. In addition, chained failures
(where A calls B, and B calls C, and C fails, so C's Failure is eventually
returned back to A) should work correctly now.

** Gift improvements

Gifts inside return values should properly stall the delivery of the response
until the gift is resolved. Gifts in all sorts of containers should work
properly now. Gifts which cannot be resolved successfully (either because the
hosting Tub cannot be reached, or because the name cannot be found) will now
cause a proper error rather than hanging forever. Unresolvable gifts in
method arguments will cause the message to not be delivered and an error to
be returned to the caller. Unresolvable gifts in method return values will
cause the caller to receive an error.

** IRemoteReference() adapter

The IRemoteReference() interface now has an adapter from Referenceable which
creates a wrapper that enables the use of callRemote() and other
IRemoteReference methods on a local object.

The situation where this might be useful is when you have a central
introducer and a bunch of clients, and the clients are introducing themselves
to each other (to create a fully-connected mesh), and the introductions are
using live references (i.e. Gifts), then when a specific client learns about
itself from the introducer, that client will receive a local object instead
of a RemoteReference. Each client will wind up with n-1 RemoteReferences and
a single local object.

This adapter allows the client to treat all these introductions as equal. A
client that wishes to send a message to everyone it's been introduced to
(including itself) can use:

  for i in introductions:
    IRemoteReference(i).callRemote("hello", args)

In the future, if we implement coercing Guards (instead of
compliance-asserting Constraints), then IRemoteReference will be useful as a
guard on methods that want to insure that they can do callRemote (and
notifyOnDisconnect, etc) on their argument.

** Tub.registerNameLookupHandler

This method allows a one-argument name-lookup callable to be attached to the
Tub. This augments the table maintained by Tub.registerReference, allowing
Referenceables to be created on the fly, or persisted/retrieved on disk
instead of requiring all of them to be generated and registered at startup.


* Release 0.1.4 (14 May 2007)

** Compatibility

This release is fully compatible with 0.1.3 .

** getReference/connectTo can be called before Tub.startService()

The Tub.startService changes that were suggested in the 0.1.3 release notes
have been implemented. Calling getReference() or connectTo() before the Tub
has been started is now allowed, however no action will take place until the
Tub is running. Don't forget to start the Tub, or you'll be left wondering
why your Deferred or callback is never fired. (A log message is emitted when
these calls are made before the Tub is started, in the hopes of helping
developers find this mistake faster).

** constraint improvements

The RIFoo -style constraint now accepts gifts (third-party references). This
also means that using RIFoo on the outbound side will accept either a
Referenceable that implements the given RemoteInterface or a RemoteReference
that points to a Referenceable that implements the given RemoteInterface.
There is a situation (sending a RemoteReference back to its owner) that will
pass the outbound constraint but be rejected by the inbound constraint on the
other end. It remains to be seen how this will be fixed.

** foolscap now deserializes into python2.4-native 'set' and 'frozenset' types

Since Foolscap is dependent upon python2.4 or newer anyways, it now
unconditionally creates built-in 'set' and 'frozenset' instances when
deserializing 'set'/'immutable-set' banana sequences. The pre-python2.4
'sets' module has non-built-in set classes named sets.Set and
sets.ImmutableSet, and these are serialized just like the built-in forms.

Unfortunately this means that Set and ImmutableSet will not survive a
round-trip: they'll be turned into set and frozenset, respectively. Worse
yet, 'set' and 'sets.Set' are not entirely compatible. This may cause a
problem for older applications that were written to be compatible with both
python-2.3 and python-2.4 (by using sets.Set/sets.ImmutableSet), for which
the compatibility code is still in place (i.e. they are not using
set/frozenset). These applications may experience problems when set objects
that traverse the wire via Foolscap are brought into close proximity with set
objects that remained local. This is unfortunate, but it's the cleanest way
to support modern applications that use the native types exclusively.

** bug fixes

Gifts inside containers (lists, tuples, dicts, sets) were broken: the target
method was frequently invoked before the gift had properly resolved into a
RemoteReference. Constraints involving gifts inside containers were broken
too. The constraints may be too loose right now, but I don't think they
should cause false negatives.

The unused SturdyRef.asLiveRef method was removed, since it didn't work
anyways.

** terminology shift: FURL

The preferred name for the sort of URL that you get back from
registerReference (and hand to getReference or connectTo) has changed from
"PB URL" to "FURL" (short for Foolscap URL). They still start with 'pb:',
however. Documentation is slowly being changed to use this term.


* Release 0.1.3 (02 May 2007)

** Incompatibility Warning

The 'keepalive' feature described below adds a new pair of banana tokens,
PING and PONG, which introduces a compatibility break between 0.1.2 and 0.1.3
. Older versions would throw an error upon receipt of a PING token, so the
version-negotiation mechanism is used to prevent banana-v2 (0.1.2) peers from
connecting to banana-v3 (0.1.3+) peers. Our negotiation mechanism would make
it possible to detect the older (v2) peer and refrain from using PINGs, but
that has not been done for this release.

** Tubs must be running before use

Tubs are twisted.application.service.Service instances, and as such have a
clear distinction between "running" and "not running" states. Tubs are
started by calling startService(), or by attaching them to a running service,
or by starting the service that they are already attached to. The design rule
in operation here is that Tubs are not allowed to perform network IO until
they are running.

This rule was not enforced completely in 0.1.2, and calls to
getReference()/connectTo() that occurred before the Tub was started would
proceed normally (initiating a TCP connection, etc). Starting with 0.1.3,
this rule *is* enforced. For now, that means that you must start the Tub
before calling either of these methods, or you'll get an exception. In a
future release, that may be changed to allow these early calls, and queue or
otherwise defer the network IO until the Tub is eventually started. (the
biggest issue is how to warn users who forget to start the Tub, since in the
face of such a bug the getReference will simply never complete).

** Keepalives

Tubs now keep track of how long a connection has been idle, and will send a
few bytes (a PING of the other end) if no other traffic has been seen for
roughly 4 to 8 minutes. This serves two purposes. The first is to convince an
intervening NAT box that the connection is still in use, to prevent it from
discarding the connection's table entry, since that would block any further
traffic. The second is to accelerate the detection of such blocked
connections, specifically to reduce the size of a window of buggy behavior in
Foolscap's duplicate-connection detection/suppression code.

This problem arises when client A (behind a low-end NAT box) connects to
server B, perhaps using connectTo(). The first connection works fine, and is
used for a while. Then, for whatever reason, A and B are silent for a long
time (perhaps as short as 20 minutes, depending upon the NAT box). During
this silence, A's NAT box thinks the connection is no longer in use and drops
the address-translation table entry. Now suppose that A suddenly decides to
talk to B. If the NAT box creates a new entry (with a new outbound port
number), the packets that arrive on B will be rejected, since they do not
match any existing TCP connections. A sees these rejected packets, breaks the
TCP connection, and the Reconnector initiates a new connection. Meanwhile, B
has no idea that anything has gone wrong. When the second connection reaches
B, it thinks this is a duplicate connection from A, and that it already has a
perfectly functional (albeit quiet) connection for that TubID, so it rejects
the connection during the negotiation phase. A sees this rejection and
schedules a new attempt, which ends in the same result. This has the
potential to prevent hosts behind NAT boxes from ever reconnecting to the
other end, at least until the the program at the far end is restarted, or it
happens to try to send some traffic of its own.

The same problem can occur if a laptop is abruptly shut down, or unplugged
from the network, then moved to a different network. Similar problems have
been seen with virtual machine instances that were suspended and moved to a
different network.

The longer-term fix for this is a deep change to the way duplicate
connections (and cross-connect race conditions) are handled. The keepalives,
however, mean that both sides are continually checking to see that the
connection is still usable, enabling TCP to break the connection once the
keepalives go unacknowledged for a certain amount of time. The default
keepalive timer is 4 minutes, and due to the way it is implemented this means
that no more than 8 minutes will pass without some traffic being sent. TCP
tends to time out connections after perhaps 15 minutes of unacknowledged
traffic, which means that the window of unconnectability is probably reduced
from infinity down to about 25 minutes.

The keepalive-sending timer defaults to 4 minutes, and can be changed by
calling tub.setOption("keepaliveTimeout", seconds).

In addition, an explicit disconnect timer can be enabled, which tells
Foolscap to drop the connection unless traffic has been seen within some
minimum span of time. This timer can be set by calling
tub.setOption("disconnectTimeout", seconds). Obviously it should be set to a
higher value than the keepaliveTimeout. This will close connections faster
than TCP will. Both TCP disconnects and the ones triggered by this
disconnectTimeout run the risk of false negatives, of course, in the face of
unreliable networks.

** New constraints

When a tuple appears in a method constraint specification, it now maps to an
actual TupleOf constraint. Previously they mapped to a ChoiceOf constraint.
In practice, TupleOf appears to be much more useful, and thus better
deserving of the shortcut.

For example, a method defined as follows:

  def get_employee(idnumber=int):
      return (str, int, int)  # (name, room_number, age)

can only return a three-element tuple, in which the first element is a string
(specifically it conforms to a default StringConstraint), and the second two
elements are ints (which conform to a default IntegerConstraint, which means
it fits in a 32-bit signed twos-complement value).

To specify a constraint that can accept alternatives, use ChoiceOf:

  def get_record(key=str):
      """Return the record (a string) if it is present, or None if
          it is not present."""
      return ChoiceOf(str, None)

UnicodeConstraint has been added, with minLength=, maxLength=, and regexp=
arguments.

The previous StringConstraint has been renamed to ByteStringConstraint (for
accuracy), and it is defined to *only* accept string objects (not unicode
objects). 'StringConstraint' itself remains equivalent to
ByteStringConstraint for now, but in the future it may be redefined to be a
constraint that accepts both bytestrings and unicode objects. To accomplish
the bytestring-or-unicode constraint now, you might try
schema.AnyStringConstraint, but it has not been fully tested, and might not
work at all.

** Bugfixes

Errors during negotiation were sometimes delivered in the wrong format,
resulting in a "token prefix is limited to 64 bytes" error message. Several
error messages (including that one) have been improved to give developers a
better chance of determining where the actual problem lies.

RemoteReference.notifyOnDisconnect was buggy when called on a reference that
was already broken: it failed to fire the callback. Now it fires the callback
soon (using an eventual-send). This should remove a race condition from
connectTo+notifyOnDisconnect sequences and allow them to operate reliably.
notifyOnDisconnect() is now tolerant of attempts to remove something twice,
which should make it easier to use safely.

Remote methods which raise string exceptions should no longer cause Foolscap
to explode. These sorts of exceptions are deprecated, of course, and you
shouldn't use them, but at least they won't break Foolscap.

The Reconnector class (accessed by tub.connectTo) was not correctly
reconnecting in certain cases (which appeared to be particularly common on
windows). This should be fixed now.

CopyableSlicer did not work inside containers when streaming was enabled.
Thanks to iacovou-AT-gmail.com for spotting this one.

** Bugs not fixed