From 9e0cf418e869ec5df280ae0aa2000ae365848ab5 Mon Sep 17 00:00:00 2001 From: asonix Date: Sat, 3 Feb 2024 21:21:15 -0600 Subject: [PATCH] Add 0.5.5 release document --- releases/0.5.5.md | 91 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 91 insertions(+) create mode 100644 releases/0.5.5.md diff --git a/releases/0.5.5.md b/releases/0.5.5.md new file mode 100644 index 0000000..ad45f1d --- /dev/null +++ b/releases/0.5.5.md @@ -0,0 +1,91 @@ +# pict-rs 0.5.5 + +## Overview + +pict-rs 0.5.5 adds a bugfix for uploading images with trailing bytes and few new features for +advanced deployments. + +### Features + +- [Imagemagick Security Policy Configuration](#imagemagick-security-policy-configuration) +- [Serving with TLS](#serving-with-tls) + + +### Bugfixes + +- [Broken Pipe Error](#broken-pipe-error) + + +## Upgrade Notes + +There's no significant changes from 0.5.4, so upgrading should be as simple as pulling a new version +of pict-rs. + + +## Descriptions + +### Imagemagick Security Policy Configuration + +pict-rs now supports configuring the imagemagick security policy via the pict-rs.toml file, +environment variables, or via the commandline. The security policy defines the boundaries that +imagemagick will operate with, and will allow it to abort processing media that would exceed those +boundaries. + +Currently, there are only a few items that can be configured. +```toml +# pict-rs.toml +[media.magick] +max_width = 10000 +max_hight = 10000 +max_area = 40000000 +``` +```bash +# environment variables +PICTRS__MEDIA__MAGICK__MAX_WIDTH=10000 +PICTRS__MEDIA__MAGICK__MAX_HEIGHT=10000 +PICTRS__MEDIA__MAGICK__MAX_AREA=40000000 +``` +```bash +# commandline +pict-rs run \ + --media-magick-max-width 10000 \ + --media-magick-max-height 10000 \ + --media-magick-max-aread 40000000 +``` + +It will also apply the configured `process_timeout` to the security policy. + + +### Serving with TLS + +pict-rs can now be configured to serve itself over TLS if provided with a server key and a server +certificate. This is for more advanced deployments that have Certificate Authority infrastructure in +place. When serving over TLS, downstream services need to be configured to access pict-rs over TLS. + +```toml +# pict-rs.toml +[server] +certificate = "/path/to/server.crt" +private_key = "/path/to/server.key" +``` +```bash +# environment variables +PICTRS__SERVER__CERTIFICATE=/path/to/server.crt +PICTRS__SERVER__PRIVATE_KEY=/path/to/server.key +``` +```bash +# commandline +pict-rs run \ + --certificate /path/to/server.crt \ + --private-key /path/to/server.key +``` + + +### Broken Pipe Error + +In previous 0.5 releases with the default configurations, it was possible for valid images to fail +to upload if they contained excess trailing bytes. This was caused by exiftool completing metadata +processing on the image bytes before pict-rs had written the entire buffer to exiftool's stdin. The +fix was to simply treat the case of stdin closing early as a success, rather than a failure. In the +event there was actually an error in exiftool, the command will fail and pict-rs will return a +proper status error instead.