Action required: update your Upspin software

[Andrew Gerrand]

We have just committed a change that requires all users update their Upspin software, both clients and servers.

The change affects the way world-readable content (including Access and Group files) is stored.

Previously, such content was stored in clear text using the "EE Integrity" packer.

With today's change, world-readable content is now encrypted using the default "EE" packer, with the decryption key is stored in clear text in the corresponding directory entry.

The change yields two significant benefits:

1. It is now possible to add "read: all" access to a directory tree that already contains files, and doing so requires only that the directory entries be updated; the data does not need to be unpacked and rewritten with a different packing.

2. All Upspin content stored in a StoreServer is now encrypted, reducing the degree of trust you need to place in your storage provider.

To update your Upspin clients, download the binary release suitable for your system and replace your upspin, upspinfs, and cacheserver binaries.

To update your Upspin servers, update to the latest version (substitute the import path for the server you are using):

  $ go get -u -d gcp.upspin.io/cmd/upspinserver-gcp

Build it for the target os/architecture (linux/amd64 in this example):

  $ GOOS=linux GOARCH=amd64 go build -o upspinserver gcp.upspin.io/cmd/upspinserver-gcp

And then re-deploy it to your server (stop the service, copy the upspinserver binary, run setcap if necessary, and start the service again).

If you do not update: Older clients will be unable to read world-readable content in updated servers. Newer clients will be unable to write world-readable content to older servers.  

Apologies for the inconvenience.

Andrew