Add 0.5.5 release document

2024-05-14 01:32:42 +00:00 · 2024-02-03 21:21:15 -06:00 · 2024-02-03 21:21:15 -06:00 · 9e0cf418e8
parent 0bc14c810d
commit 9e0cf418e8
1 changed files with 91 additions and 0 deletions
--- a/releases/0.5.5.md
+++ b/releases/0.5.5.md
@ -0,0 +1,91 @@
+# pict-rs 0.5.5
+
+## Overview
+
+pict-rs 0.5.5 adds a bugfix for uploading images with trailing bytes and few new features for
+advanced deployments.
+
+### Features
+
+- [Imagemagick Security Policy Configuration](#imagemagick-security-policy-configuration)
+- [Serving with TLS](#serving-with-tls)
+
+
+### Bugfixes
+
+- [Broken Pipe Error](#broken-pipe-error)
+
+
+## Upgrade Notes
+
+There's no significant changes from 0.5.4, so upgrading should be as simple as pulling a new version
+of pict-rs.
+
+
+## Descriptions
+
+### Imagemagick Security Policy Configuration
+
+pict-rs now supports configuring the imagemagick security policy via the pict-rs.toml file,
+environment variables, or via the commandline. The security policy defines the boundaries that
+imagemagick will operate with, and will allow it to abort processing media that would exceed those
+boundaries.
+
+Currently, there are only a few items that can be configured.
+```toml
+# pict-rs.toml
+[media.magick]
+max_width = 10000
+max_hight = 10000
+max_area = 40000000
+```
+```bash
+# environment variables
+PICTRS__MEDIA__MAGICK__MAX_WIDTH=10000
+PICTRS__MEDIA__MAGICK__MAX_HEIGHT=10000
+PICTRS__MEDIA__MAGICK__MAX_AREA=40000000
+```
+```bash
+# commandline
+pict-rs run \
+    --media-magick-max-width 10000 \
+    --media-magick-max-height 10000 \
+    --media-magick-max-aread 40000000
+```
+
+It will also apply the configured `process_timeout` to the security policy.
+
+
+### Serving with TLS
+
+pict-rs can now be configured to serve itself over TLS if provided with a server key and a server
+certificate. This is for more advanced deployments that have Certificate Authority infrastructure in
+place. When serving over TLS, downstream services need to be configured to access pict-rs over TLS.
+
+```toml
+# pict-rs.toml
+[server]
+certificate = "/path/to/server.crt"
+private_key = "/path/to/server.key"
+```
+```bash
+# environment variables
+PICTRS__SERVER__CERTIFICATE=/path/to/server.crt
+PICTRS__SERVER__PRIVATE_KEY=/path/to/server.key
+```
+```bash
+# commandline
+pict-rs run \
+    --certificate /path/to/server.crt \
+    --private-key /path/to/server.key
+```
+
+
+### Broken Pipe Error
+
+In previous 0.5 releases with the default configurations, it was possible for valid images to fail
+to upload if they contained excess trailing bytes. This was caused by exiftool completing metadata
+processing on the image bytes before pict-rs had written the entire buffer to exiftool's stdin. The
+fix was to simply treat the case of stdin closing early as a success, rather than a failure. In the
+event there was actually an error in exiftool, the command will fail and pict-rs will return a
+proper status error instead.