Skip to content

Commit 41f75a8

Browse files
committed
add v1.5.1 and v1.5.2 release notes
1 parent 53c8c8e commit 41f75a8

1 file changed

Lines changed: 55 additions & 0 deletions

File tree

RELEASE_NOTES.md

Lines changed: 55 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,58 @@
1+
# Release Notes — v1.5.2
2+
3+
**Release date:** June 16, 2026
4+
5+
v1.5.2 replaces URL-configured CT log discovery with a code-owned, signature-verified catalog registry, and adds the runtime controls to operate it safely.
6+
7+
## Trusted CT source discovery
8+
9+
CT log sources now come from a compile-time registry instead of operator-supplied URLs:
10+
11+
* **google_v3_usable** — verified against a pinned RSA-SHA256 trust anchor; authoritative by default.
12+
* **google_v3_all** — same pinned key; non-authoritative until opted in via `ct_log.catalog_authority_overrides`.
13+
* **apple** — TLS-authenticated via issuer-CA SPKI pinning (Apple publishes no detached signature); permanently non-authoritative.
14+
15+
Trust model: a source that does not verify can never auto-spawn watchers. An authority override can only *grant* authority to a source that currently verifies — it can never promote an unverified source such as Apple. A signature failure forces the source non-authoritative for that cycle while still exposing the raw bytes for audit (`certstream_ct_catalog_source_verified=0`).
16+
17+
## Operational controls
18+
19+
* Per-operator outbound rate limits: `ct_log.default_operator_rate_limit_ms` + `ct_log.operator_rate_limits`.
20+
* Per-log overrides: `batch_size` and `poll_interval_ms` on `custom_logs` / `static_logs`.
21+
* `expected_log_id` guards configured static-CT overrides against the discovered catalog identity (transport, fetch URL, and an explicitly declared checkpoint origin). The server refuses to start if a configured override contradicts the signed catalog, or if multiple resolved watchers would share a CT log ID.
22+
23+
## Breaking change
24+
25+
The `ct_logs_url` and `additional_log_lists` config keys — and the `CERTSTREAM_CT_LOGS_URL` / `CERTSTREAM_ADDITIONAL_LOG_LISTS` env vars — are removed. CT sources are now the code-owned registry. Apple-only or otherwise non-authoritative logs are ingested by declaring them under `static_logs` / `custom_logs`. Existing configs that still set the removed keys are ignored, not rejected.
26+
27+
## New dependencies
28+
29+
`rsa` (catalog signature verification), `rustls` + `rustls-native-certs` (pinned Apple TLS client); `reqwest` gains the `rustls` feature.
30+
31+
---
32+
33+
# Release Notes — v1.5.1
34+
35+
**Release date:** June 15, 2026
36+
37+
A small, focused patch release. Two operational improvements, no breaking changes, fully backward-compatible with v1.5.0 configs and Prometheus queries.
38+
39+
## Configurable static-CT tail overlap
40+
41+
Fresh static-CT watchers previously started at a fixed `tree_size - 256`. The overlap is now tunable:
42+
43+
* `ct_log.start_overlap_leaves` (default `256` — existing behavior preserved)
44+
* env override `CERTSTREAM_CT_LOG_START_OVERLAP_LEAVES`
45+
* validated with an upper bound of 100,000 leaves
46+
47+
## CT source observability & retry attribution
48+
49+
* new `certstream_ct_runtime_log_info` gauge (`source_id`, `log_id`, `log`, `operator`, `log_type`)
50+
* existing per-log metrics gain a stable `source_id` label (`ctlog:<log_id>`, or `url:<...>` for id-less sources) alongside the existing human-readable `log` label — old selectors keep working
51+
* new `certstream_ct_log_rate_limited_total` (labeled by `log_type`) and `certstream_ct_log_empty_responses_total` counters
52+
* RFC6962 watchers now honor the `Retry-After` header on 429s (clamped to 250 ms–10 min), matching the static-CT path
53+
54+
---
55+
156
# Release Notes — v1.5.0
257

358
**Release date:** May 19, 2026

0 commit comments

Comments
 (0)