Release Announcement for v7.6


'John Clements' via dev-redirect

Jan 26, 2020, 2:19:42 AM
to dev
The release announcement sketch that I have so far is below. Please
mail me new items and/or edits.

Please phrase announcements using complete sentences and avoid the
word "now".
----------------------------------------------------------------------

* DrRacket has support for "dark mode"

* The web-server supports redirection in bitmap/url

* DrRacket has improved scrolling

* The web library features improved handling of web browser
request timeouts (& other things?)

* Racket includes a new "build and contributing" guide

* UDP users can set a TTL (time to live)

* The send-url behavior is improved on all platforms

(stencil-vector HAMT implementation?)

Contributors: Alex Harsanyi, Alex Knauth, Alex Muscar, Alexis King, Ben
Greenman, Bogdan Popa, Brian Wignall, Dan Holtby, David K. Storrs,
Dionna Glaze, Dominik Pantůček, Fred Fu, Geoff Shannon, Gustavo
Massaccesi, Jack Firth, Jay McCarthy, Jens Axel Søgaard, Jesse Alama,
Joel Dueck, John Clements, Jordan Johnson, Julien Delplanque, Leo Uino,
Luka Hadži-Đokić, Luke Lau, Matthew Flatt, Matthias Felleisen, Mike
Sperber, Paulo Matos, Philip McGrath, Reuben Thomas, Robby Findler, Ross
Angle, Ryan Culpepper, Sage Gerard, Sam Tobin-Hochstadt, Shu-Hung You,
Sorawee Porncharoenwase, Stephen De Gabrielle, Syntacticlosure, Timo
Wilken, Tommy McHugh, Winston Weinert, Zaoqi


Thanks!

John Clements



Sam Tobin-Hochstadt

Jan 26, 2020, 7:38:05 AM
to John Clements, dev
The bitmap/url change is not in the web server, I think, and anyway shouldn't be in the release notes. 

Stencil vectors are not in 7.6. 

Sam

--
You received this message because you are subscribed to the Google Groups "Racket Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to racket-dev+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/racket-dev/0b8caa20-31e3-4eda-950a-2c65d3c8d083%40mtasv.net.

Robby Findler

Jan 26, 2020, 8:29:53 AM
to John Clements, dev
On Sun, Jan 26, 2020 at 1:19 AM 'John Clements' via dev-redirect
<d...@plt-scheme.org> wrote:
>
> The release announcement sketch that I have so far is below. Please
> mail me new items and/or edits.
>
> Please phrase announcements using complete sentences and avoid the
> word "now".
> ----------------------------------------------------------------------
>
> * DrRacket has support for "dark mode"

* On macOS and Windows, DrRacket's dark mode support is much better.

(We had dark mode support before but it just was a bit hit-and-miss
which part of the GUI paid attention to it)

> * DrRacket has improved scrolling

* DrRacket's scrolling is much more responsive

("responsive" is the key word here)

Robby

Ryan Culpepper

Jan 27, 2020, 6:33:53 AM
to John Clements, dev
On 1/26/20 8:19 AM, 'John Clements' via dev-redirect wrote:
> The release announcement sketch that I have so far is below. Please
> mail me new items and/or edits.
>
> Please phrase announcements using complete sentences and avoid the
> word "now".
> ----------------------------------------------------------------------

* The macro stepper has a new macro hiding algorithm that tracks
term identity through syntax protection (see `syntax-arm`),
making macro hiding work more reliably. The macro stepper UI
indicates protected and tainted syntax.

Ryan

Matthias Felleisen

Jan 27, 2020, 10:01:13 AM
to John Clements, Racket Developers

Typos fixed.


* Racket CS is ready for production use. We will work to further improve
Racket CS before making it the default implementation, but it now
consistently passes all of our integration tests and generally performs
well. (Compiled code remains significantly larger compared to the default
implementation.)

* DrRacket's scrolling has been made responsive.

* DrRacket's dark mode support is usable on macOS and Windows.

* The PLT Web Server provides fine-grained control over the various aspects
to do with interacting with client connections (timeouts, buffer sizes,
maximum header counts etc.) via the new 'safety limits' construct.

We have decreased the web server's default level of trust in client
connections and detect additional maliciously-constructed requests.

* The PLT Web Server's handling of large files is improved, and its latency
for long-running request handlers is reduced.

* The Macro Stepper has a new macro hiding algorithm that tracks term
identity through syntax protection (see `syntax-arm`), making macro
hiding work more reliably. It UI indicates protected and tainted syntax.

* The Racket documentation includes a "build and contributing" guide.

* The UDP library permits setting a TTL (time to live).

* The net/send-url's library has been improved for all platforms.

Contributors: Alex Harsanyi, Alex Knauth, Alex Muscar, Alexis King, Ben
Greenman, Bogdan Popa, Brian Wignall, Dan Holtby, David K. Storrs,
Dionna Glaze, Dominik Pantůček, Fred Fu, Geoff Shannon, Gustavo
Massaccesi, Jack Firth, Jay McCarthy, Jens Axel Søgaard, Jesse Alama,
Joel Dueck, John Clements, Jordan Johnson, Julien Delplanque, Leo Uino,
Luka Hadži-Đokić, Luke Lau, Matthew Flatt, Matthias Felleisen, Mike
Sperber, Paulo Matos, Philip McGrath, Reuben Thomas, Robby Findler, Ross
Angle, Ryan Culpepper, Sage Gerard, Sam Tobin-Hochstadt, Shu-Hung You,
Sorawee Porncharoenwase, Stephen De Gabrielle, Syntacticlosure, Timo
Wilken, Tommy McHugh, Winston Weinert, Zaoqi




> On Jan 27, 2020, at 9:47 AM, Matthias Felleisen <matt...@felleisen.org> wrote:
>
>
> I propose the following minor edits:
> — every bullet indicates with the first two words which part of the repo it talks about. I used capitalization for bin-s.
> — I tried to eliminate comparisons without “than”. Thirty years after reading S&W for the first time, I am still allergic.
>
> I integrated Ryan’s bullet below the PLT Web Server one, keeping related things together. — Matthias
>
>
> ----------------------------------------------------------------------
>
>
> * Racket CS is ready for production use. We will work to further improve
> Racket CS before making it the default implementation, but it now
> consistently passes all of our integration tests and generally performs
> well. (Compiled code remains significantly larger compared to the default
> implementation.)
>
> * DrRacket's scrolling is responsive.
>
> * DrRacket's dark mode support is usable on macOS and Windows.
>
> * The PLT Web Server provides fine-grained control over the various aspects
> to do with interacting with client connections (timeouts, buffer sizes,
> maximum header counts etc.) via the new 'safety limits' construct.
>
> We have decreased the web server's default trust in client and detects
> additional maliciously-constructed requests.
>
> * The PLT Web Server's handling of large file is improved, and its latency
> for long-running request handlers is reduced.
>
> * The Macro Stepper has a new macro hiding algorithm that tracks term
> identity through syntax protection (see `syntax-arm`), making macro
> hiding work more reliably. It UI indicates protected and tainted syntax.
>
> * The Racket documentation includes a "build and contributing" guide.
>
> * The UDP library permits setting a TTL (time to live).
>
> * The net/send-url's library has been improved for all platforms.
>
> Contributors: Alex Harsanyi, Alex Knauth, Alex Muscar, Alexis King, Ben
> Greenman, Bogdan Popa, Brian Wignall, Dan Holtby, David K. Storrs,
> Dionna Glaze, Dominik Pantůček, Fred Fu, Geoff Shannon, Gustavo
> Massaccesi, Jack Firth, Jay McCarthy, Jens Axel Søgaard, Jesse Alama,
> Joel Dueck, John Clements, Jordan Johnson, Julien Delplanque, Leo Uino,
> Luka Hadži-Đokić, Luke Lau, Matthew Flatt, Matthias Felleisen, Mike
> Sperber, Paulo Matos, Philip McGrath, Reuben Thomas, Robby Findler, Ross
> Angle, Ryan Culpepper, Sage Gerard, Sam Tobin-Hochstadt, Shu-Hung You,
> Sorawee Porncharoenwase, Stephen De Gabrielle, Syntacticlosure, Timo
> Wilken, Tommy McHugh, Winston Weinert, Zaoqi
>
>
>
>
>> On Jan 26, 2020, at 12:06 PM, 'John Clements' via Release Management <release-m...@plt-scheme.org> wrote:
>>
>> I got additional items from Bogdan Popa and a current note on CS from Matthew, and removed items per Sam’s suggestion. Here’s what I have now:
>>
>> ----------------------------------------------------------------------
>>
>> * Racket CS is ready for production use. We will work to further
>> improve Racket CS before making it the default implementation, but
>> it now consistently passes all of our integration tests and
>> generally performs well. (Compiled code remains significantly larger
>> compared to the default implementation.)
>>
>> * DrRacket's scrolling is much more responsive.
>>
>> * On macOS and Windows, DrRacket's dark mode support is much better.
>>
>> * The web server provides fine-grained control over the various aspects
>> to do with interacting with client connections (timeouts, buffer sizes,
>> maximum header counts etc.) via the new 'safety limits' construct.
>> Client connections are trusted less by default and the server is more
>> secure against maliciously-constructed requests.
>>
>> * The web server handles large file uploads better, and long-running web
>> server request handlers may have lower latencies.
>>
>> * Racket includes a "build and contributing" guide.
>>
>> * UDP users can set a TTL (time to live).
>>
>> * The send-url behavior is improved on all platforms.
>>
>> Contributors: Alex Harsanyi, Alex Knauth, Alex Muscar, Alexis King, Ben
>> Greenman, Bogdan Popa, Brian Wignall, Dan Holtby, David K. Storrs,
>> Dionna Glaze, Dominik Pantůček, Fred Fu, Geoff Shannon, Gustavo
>> Massaccesi, Jack Firth, Jay McCarthy, Jens Axel Søgaard, Jesse Alama,
>> Joel Dueck, John Clements, Jordan Johnson, Julien Delplanque, Leo Uino,
>> Luka Hadži-Đokić, Luke Lau, Matthew Flatt, Matthias Felleisen, Mike
>> Sperber, Paulo Matos, Philip McGrath, Reuben Thomas, Robby Findler, Ross
>> Angle, Ryan Culpepper, Sage Gerard, Sam Tobin-Hochstadt, Shu-Hung You,
>> Sorawee Porncharoenwase, Stephen De Gabrielle, Syntacticlosure, Timo
>> Wilken, Tommy McHugh, Winston Weinert, Zaoqi
>>
>> ----------------------------------------------------------------------
>>
>>
>>
>>> On Jan 26, 2020, at 05:30, Robby Findler <ro...@cs.northwestern.edu> wrote:
>>>
>>> I think the scrolling-in-drracket item (that could probably use more
>>> wordsmithing) is the top item this time.
>>>
>>> Robby

Sorawee Porncharoenwase

Jan 27, 2020, 10:08:05 AM
to Matthias Felleisen, John Clements, Racket Developers
Is the dark mode improvement on Windows or Linux? This announcement says it's Windows, but https://github.com/racket/drracket/commit/30c8a437f5ccf098d7c0a871095db927fe9462ea says it's Linux.


Ryan Culpepper

Jan 27, 2020, 10:35:07 AM
to Matthias Felleisen, John Clements, Racket Developers
On 1/27/20 4:01 PM, Matthias Felleisen wrote:
>
> Typos fixed.
>
>
> * Racket CS is ready for production use. We will work to further improve
> Racket CS before making it the default implementation, but it now
> consistently passes all of our integration tests and generally performs
> well. (Compiled code remains significantly larger compared to the default
> implementation.)
>
> * DrRacket's scrolling has been made responsive.
>
> * DrRacket's dark mode support is usable on macOS and Windows.
>
> * The PLT Web Server provides fine-grained control over the various aspects
> to do with interacting with client connections (timeouts, buffer sizes,
> maximum header counts etc.) via the new 'safety limits' construct.

The phrase "aspects to do with" doesn't sound right to me. Maybe
"aspects of" instead? Or further shorten to "aspects of client connections"?

>
> We have decreased the web server's default level of trust in client
> connections and detect additional maliciously-constructed requests.
>
> * The PLT Web Server's handling of large files is improved, and its latency
> for long-running request handlers is reduced.
>
> * The Macro Stepper has a new macro hiding algorithm that tracks term
> identity through syntax protection (see `syntax-arm`), making macro
> hiding work more reliably. It UI indicates protected and tainted syntax.

"It UI" should be "Its UI".

>
> * The Racket documentation includes a "build and contributing" guide.

"building and contributing"?

>
> * The UDP library permits setting a TTL (time to live).
>
> * The net/send-url's library has been improved for all platforms.

1. "The net/send-url library"
2. This is vague. What does improved mean?

Ryan

Robby Findler

Jan 27, 2020, 10:37:26 AM
to Sorawee Porncharoenwase, Matthias Felleisen, John Clements, Racket Developers
There are aspects of the improvement that are in cross-platform code
(most of them in fact) but there is a problem on windows that makes
many of them moot (because we cannot seem to reliably detect when the
OS is in dark mode). So, IMO, the external perspective is probably
that things are better on non-windows platforms overall (and just
remain silent about windows).

Robby

Matthias Felleisen

Jan 27, 2020, 10:43:27 AM
to John Clements, Racket Developers

@ John, almost all in one place:

~~ most suggested fixes incorporated.
~~ not incorporated: changing the name of the executable.
~~ not incorporated: Robby’s request to move scrolling up.
~~ bracketed the last bullet; I think it could be dropped.

The final decisions are yours. — Matthias




* Racket CS is ready for production use. We will work to further improve
Racket CS before making it the default implementation, but it now
consistently passes all of our integration tests and generally performs
well. (Compiled code remains significantly larger compared to the default
implementation.)

* DrRacket's scrolling has been made responsive.

* DrRacket's dark mode support is usable on macOS and Windows.

* The PLT Web Server provides fine-grained control over various aspects
of handling client connections (timeouts, buffer sizes, maximum header
counts etc.) via the new 'safety limits' construct.

We have decreased the web server's default level of trust in client
connections and detect additional maliciously-constructed requests.

* The PLT Web Server's handling of large files is improved, and its latency
for long-running request handlers is reduced.

* The Macro Stepper has a new macro hiding algorithm that tracks term
identity through syntax protection (see `syntax-arm`), making macro
hiding work more reliably. Its UI indicates protected and tainted syntax.

* The Racket documentation includes a "building and contributing" guide.

* The UDP library permits setting a TTL (time to live).

[[ * The net/send-url library’s send-url has been improved across all platforms. ]]

Contributors: Alex Harsanyi, Alex Knauth, Alex Muscar, Alexis King, Ben
Greenman, Bogdan Popa, Brian Wignall, Dan Holtby, David K. Storrs,
Dionna Glaze, Dominik Pantůček, Fred Fu, Geoff Shannon, Gustavo
Massaccesi, Jack Firth, Jay McCarthy, Jens Axel Søgaard, Jesse Alama,
Joel Dueck, John Clements, Jordan Johnson, Julien Delplanque, Leo Uino,
Luka Hadži-Đokić, Luke Lau, Matthew Flatt, Matthias Felleisen, Mike
Sperber, Paulo Matos, Philip McGrath, Reuben Thomas, Robby Findler, Ross
Angle, Ryan Culpepper, Sage Gerard, Sam Tobin-Hochstadt, Shu-Hung You,
Sorawee Porncharoenwase, Stephen De Gabrielle, Syntacticlosure, Timo
Wilken, Tommy McHugh, Winston Weinert, Zaoqi




> On Jan 27, 2020, at 10:39 AM, Matthias Felleisen <matt...@felleisen.org> wrote:
>
>
>
>> On Jan 27, 2020, at 10:36 AM, Sam Tobin-Hochstadt <sa...@cs.indiana.edu> wrote:
>>
>> I think we should avoid PLT as a term here.
>
>
>
> See ~plt/racket/bin. (We have been PLT for ~25 years.)
>
>
>> Also, the send-url phrasing is awkward. How about "The net/send-url library …"?
>
> I agree with Ryan, too.
>
> "The net/send-url library’s send-url has been improved across all platforms.”
>
> is proper and slightly more specific English. I suspect that it connects to browsers more easily than before. BUT honestly, I’d drop this bullet.
>
>
>
>
>>
>> Sam

Juan Carlos Olivo

Jan 27, 2020, 10:48:52 AM
to Racket Developers
Thanks Robby,

Is that the reason why I still don't get full "dark mode" that was discussed in the thread (https://groups.google.com/forum/#!topic/racket-users/3GgHnr6IurQ) even in the latest 7.6.0.6--2020-01-27(c48afdb/a) snapshot build?

--JC

Robby Findler

Jan 27, 2020, 10:57:10 AM
to Matthias Felleisen, John Clements, Racket Developers
I'm happy with either order wrt to CS and scrolling. Matthew did most
of both of them so perhaps his opinion would be useful.

Robby


Matthew Flatt

Jan 27, 2020, 11:07:52 AM
to Robby Findler, Racket Developers
At Mon, 27 Jan 2020 09:37:12 -0600, Robby Findler wrote:
> [...] there is a problem on windows that makes
> many of them moot (because we cannot seem to reliably detect when the
> OS is in dark mode). So, IMO, the external perspective is probably
> that things are better on non-windows platforms overall (and just
> remain silent about windows).

I think Sorawee is asking about the fact that the bullet says "macOS
and Windows". Did you mean to say "Mac OS and Unix" (so, silent about
Windows)? Or really "Mac OS and Windows" (so, silent about Unix)?

Robby Findler

Jan 27, 2020, 11:10:00 AM
to Matthew Flatt, Racket Developers
On Mon, Jan 27, 2020 at 10:07 AM Matthew Flatt <mfl...@cs.utah.edu> wrote:
>
> At Mon, 27 Jan 2020 09:37:12 -0600, Robby Findler wrote:
> > [...] there is a problem on windows that makes
> > many of them moot (because we cannot seem to reliably detect when the
> > OS is in dark mode). So, IMO, the external perspective is probably
> > that things are better on non-windows platforms overall (and just
> > remain silent about windows).
>
> I think Sorawee is asking about the fact that the bullet says "macOS
> and Windows". Did you mean to say "Mac OS and Unix" (so, silent about
> Windows)? Or really "Mac OS and Windows" (so, silent about Unix)?

Oops, yes. And yes, let's use "Mac OS"!

Robby

Matthew Flatt

Jan 27, 2020, 11:28:46 AM
to Robby Findler, Matthias Felleisen, John Clements, Racket Developers
My preferences are "more responsive" for scrolling, the scrolling
bullet first, "improved" for dark-mode support, the Racket CS bullet
third so that the DrRacket items stay together, and "The Web Server"
instead of "The PLT Web Server". I would also highlight that the web
server change is technically not backward-compatible.

If all of those preferences are ok, that would give us:

* DrRacket's scrolling has been made more responsive.

* DrRacket's dark mode support is improved for Mac OS and Unix.

* Racket CS is ready for production use. We will work to further
improve Racket CS before making it the default implementation, but
it now consistently passes all of our integration tests and
generally performs well. (Compiled code remains significantly larger
compared to the default implementation.)

* The Web Server provides fine-grained control over various aspects of
handling client connections (timeouts, buffer sizes, maximum header
counts, etc.) via the new "safety limits" construct.

Using this new construct, we have decreased the web server's default
level of trust in client connections and made it detect additional,
maliciously constructed requests. To get the old behavior for use in
trusted settings, start the web server with `#:safety-limits
(make-unlimited-safety-limits)`.

* The Web Server's handling of large files is improved, and its
latency for long-running request handlers is reduced.

* The Macro Stepper has a new macro hiding algorithm that tracks term
identity through syntax protection (see `syntax-arm`), making macro
hiding work more reliably. Its UI indicates protected and tainted
syntax.

* The Racket documentation includes a "building and contributing" guide.


Contributors: Alex Harsanyi, Alex Knauth, Alex Muscar, Alexis King, Ben
Greenman, Bogdan Popa, Brian Wignall, Dan Holtby, David K. Storrs,
Dionna Glaze, Dominik Pantůček, Fred Fu, Geoff Shannon, Gustavo
Massaccesi, Jack Firth, Jay McCarthy, Jens Axel Søgaard, Jesse Alama,
Joel Dueck, John Clements, Jordan Johnson, Julien Delplanque, Leo Uino,
Luka Hadži-Đokić, Luke Lau, Matthew Flatt, Matthias Felleisen, Mike
Sperber, Paulo Matos, Philip McGrath, Reuben Thomas, Robby Findler,
Ross Angle, Ryan Culpepper, Sage Gerard, Sam Tobin-Hochstadt, Shu-Hung
You, Sorawee Porncharoenwase, Stephen De Gabrielle, Syntacticlosure,
Timo Wilken, Tommy McHugh, Winston Weinert, Zaoqi


Philip McGrath

Jan 27, 2020, 2:24:09 PM
to Matthew Flatt, Robby Findler, Matthias Felleisen, John Clements, Racket Developers
On Mon, Jan 27, 2020 at 11:28 AM Matthew Flatt <mfl...@cs.utah.edu> wrote:
> I would also highlight that the web
> server change is technically not backward-compatible.
>
> * The Web Server provides fine-grained control over various aspects of
>   handling client connections (timeouts, buffer sizes, maximum header
>   counts, etc.) via the new "safety limits" construct.
>
>   Using this new construct, we have decreased the web server's default
>   level of trust in client connections and made it detect additional,
>   maliciously constructed requests. To get the old behavior for use in
>   trusted settings, start the web server with `#:safety-limits
>   (make-unlimited-safety-limits)`.

It isn't only fully trusted settings that need to pay attention: for example, if you expect non-malicious file uploads larger than 10 MiB, you will need to make an adjustment.

Also, `(make-unlimited-safety-limits)` isn't quite the old behavior: I wouldn't get into this level of detail in the announcement, but the default behavior was closest to `(make-unlimited-safety-limits #:request-read-timeout 60)`, or, if you'd provided optional arguments `max-waiting` and `initial-connection-timeout` (which weren't accepted at all entry points), `(make-unlimited-safety-limits #:request-read-timeout initial-connection-timeout #:max-waiting max-waiting)`. (This is in the docs in even more detail.)

For those who haven't followed this discussion, there was a conflict here between wanting to provide safe defaults and strict backwards compatibility. The new construct gives programmers the ability to specify how they want to balance these concerns in the future, with `make-unlimited-safety-limits` meaning "don't impose any limits I haven't explicitly listed." This time, though, we had to make a choice, and safety seemed like the right choice for most cases, especially if you interpret the old behavior as "we'll try to do the right thing generally, and here are just a couple of tuning knobs."

Here's an attempt at putting that into a bullet:

 * The Web Server provides fine-grained control over various aspects of
   handling client connections (timeouts, buffer sizes, maximum header
   counts, etc.) via the new "safety limits" construct.

   Using this new construct, we have decreased the web server's default
   level of trust in client connections and made it detect additional,
   maliciously constructed requests. Resource-intensive applications may
   need to adjust the default limits (for example, to accept large file uploads).
   In trusted settings, they can be disabled completely by starting the web server

John Clements

Feb 1, 2020, 12:35:10 PM
to Philip McGrath, Matthew Flatt, Robby Findler, Matthias Felleisen, Racket Developers
This bullet is a teensy bit bulky, but I stared at it for a few minutes and… I’d rather switch than fight. I guess that’s why I’m not a Tareyton smoker.

John

Robby Findler

Feb 1, 2020, 1:12:41 PM
to John Clements, Philip McGrath, Matthew Flatt, Matthias Felleisen, Racket Developers
Looks like two bullets to me. Here's an edit:


* The Web Server provides fine-grained control over various aspects of
handling client connections (timeouts, buffer sizes, maximum header
counts, etc.) via the new "safety limits" construct.

* The web server's default level of trust in client connections is
lower. Resource-intensive applications may need to adjust the
defaults (e.g., to accept large file uploads).

I don't think anything I eliminated is essential for the release notes
(keeping in mind that many will learn about this when their website
doesn't work anymore -- they won't read the release notes at that
point I expect ....)

Robby


John Clements

Feb 1, 2020, 1:20:20 PM
to Robby Findler, Philip McGrath, Matthew Flatt, Matthias Felleisen, Racket Developers
Wouldn't it make sense to add a footnote to the release notes with a URL or more detailed information? I know, this sounds nuts. In my mind, though, the main body of the release notes should be short enough to skim to see whether there’s anything interesting, but I don’t see a better place to put the deeper information.

John

Robby Findler

Feb 1, 2020, 1:23:13 PM
to John Clements, Philip McGrath, Matthew Flatt, Matthias Felleisen, Racket Developers
For this particular issue, I think that a section in the webserver
docs that includes things like: how to adjust your old webserver setup
to the new, explains why you might not want to do that, and more
broadly discusses the threats and how the defaults are a good
compromise would be really great. And people will find it, I think,
even without an explicit pointer from the release notes. Still,
explicit pointers in the release notes for backwards-incompatible
changes do seem like good practice.

Robby


John Clements

Feb 1, 2020, 1:27:34 PM
to Robby Findler, Philip McGrath, Matthew Flatt, Matthias Felleisen, Racket Developers
That makes sense to me, but only if Philip has time to write that section. It also opens up a bit of a can of worms in that I’m not sure whether the docs currently have a good place for “discussion of changes relevant to a particular release.” I guess I was thinking that just appending it to the release notes would be simpler.

John

Robby Findler

Feb 1, 2020, 1:36:57 PM
to John Clements, Philip McGrath, Matthew Flatt, Matthias Felleisen, Racket Developers
Definitely a suggestion I should have made when I first saw that we
were going to have backwards incompatibility this release!

Robby

Philip McGrath

Feb 2, 2020, 6:14:13 PM
to Robby Findler, John Clements, Matthew Flatt, Matthias Felleisen, Racket Developers
I like Robby's division into two bullets, and I like the idea of a footnote.

I wrote a note in the documentation for the new safety limits construct that tries to address both compatibility with the old way(s) of configuring your webserver and compatibility going forward, in that programmers can now explicitly choose whether they want potential future protections by default (with the corresponding risk of breakage) or whether they prefer maximum compatibility (and correspondingly take on responsibility for staying abreast of relevant security developments). Here it is in the pre-release docs: https://pre-release.racket-lang.org/doc/web-server-internal/dispatch-server-unit.html#(elem._safety-limits-porting) I've tried to link to this note from every other part of the documentation at all affected by these changes, particularly from the `history` block. (One observation: these notes talk about the version of the web-server-lib package, but not the corresponding Racket version.)

Improvements are welcome! Including improvements that take the form of just pointing out things that are unclear or merit further detail. I think all of the points Robby mentions are covered at least somewhat, but the material that "more broadly discusses the threats" could probably be expanded, particularly for the Slowloris/denial-of-service attacks. (It may be a more obvious improvement that an attacker can no longer exhaust all available memory just by asking for it, before your code even sees the request.)

I do also want to note that we hope most applications will keep working with no changes. I believe Bogdan (who did the hard work of actually implementing these protections—I just tweaked the API and a few things at the end) looked at Nginx and maybe other servers to try to find good default values. The changes are permissive in various places where it doesn't create significant vulnerabilities, and we do not impose any limits by default if you use low-level APIs.

-Philip
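
The "safety limits" construct that Matthew's bullet and Philip's two messages above describe, shown in use from a servlet. This is an added example, not code from this thread or from the Racket project: it assumes the keyword names `#:max-form-data-file-length`, `#:max-request-body-length` and `#:request-read-timeout` and the `#:safety-limits` argument to `serve/servlet` as documented for `web-server/safety-limits` in web-server-lib 1.6 / Racket 7.6, and the port, servlet path and size figures are made up for illustration.

```racket
#lang racket/base
;; Added example, not code from this thread or from the Racket project.
;; Three ways to configure the 7.6 web server's "safety limits":
;; the hardened defaults, a relaxed profile for large uploads, and the
;; compatibility profile Philip describes for fully trusted deployments.
;; Assumptions: keyword names follow the web-server/safety-limits docs for
;; web-server-lib 1.6 / Racket 7.6; port, path and sizes are illustrative.
(require net/url                  ; url->string
         web-server/http          ; request-uri, response/xexpr
         web-server/safety-limits ; make-safety-limits, make-unlimited-safety-limits, safety-limits?
         web-server/servlet-env)  ; serve/servlet

;; A minimal servlet. It never reads the request body itself, so every
;; limit below is enforced by the server before this function is called.
(define (start req)
  (response/xexpr
   `(html (body (p ,(format "Request for ~a" (url->string (request-uri req))))))))

;; 1. Hardened defaults. (make-safety-limits) with no arguments is what the
;;    7.6 server applies when you pass nothing; writing it out documents
;;    intent and opts in to any stricter defaults a future release may add.
(define default-limits (make-safety-limits))

;; 2. Upload-heavy application. Keep every other default but raise the
;;    per-file and whole-body ceilings to 200 MiB (an illustrative figure;
;;    size it to the largest legitimate upload you expect, and no larger).
(define mib (* 1024 1024))
(define upload-limits
  (make-safety-limits
   #:max-form-data-file-length (* 200 mib)
   #:max-request-body-length   (* 200 mib)))

;; 3. Compatibility profile for a fully trusted setting only (for example a
;;    server bound to localhost behind an authenticating reverse proxy).
;;    Per Philip's message, the pre-7.6 behaviour was closest to "no limits
;;    except a 60-second request-read timeout". This drops the Slowloris and
;;    memory-exhaustion protections; do not expose it to untrusted clients.
(define legacy-limits
  (make-unlimited-safety-limits #:request-read-timeout 60))

;; Select a profile at startup so a misconfiguration fails here rather than
;; at the first oversized or slow request.
(define (choose-limits profile)
  (case profile
    [(default) default-limits]
    [(upload)  upload-limits]
    [(legacy)  legacy-limits]
    [else (error 'choose-limits "unknown profile: ~a" profile)]))

(module+ main
  (define limits (choose-limits 'upload))
  (unless (safety-limits? limits)
    (error 'main "expected a safety-limits value"))
  (serve/servlet start
                 #:port 8000
                 #:servlet-path "/"
                 #:command-line? #t      ; do not open a browser
                 #:safety-limits limits))
```

Run it with `racket server.rkt` and exercise it with a multipart POST: under `upload-limits` a file well above the stock per-file limit (10 MiB, per Philip's message) is accepted, while the same request against `default-limits` is rejected by the server before `start` runs. Philip's last message notes that the low-level entry points impose no limits by default, so if you build on `serve` from `web-server/web-server` rather than `serve/servlet` (an assumption about which entry points take the keyword), pass `#:safety-limits` there explicitly rather than relying on a default.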
