Releases: hyphanet/fred

build01503: 2025-07-06

06 Jul 11:11
build01503
bc33e6d

Freenet 0.7.5 build 1503 is now available. [overview]

This is a hotfix release that fixes regressions in 1502:

Fix a thread leak from the vulnerability mitigation that caused very fast nodes to overload after a few days, because the number of waiting threads exceeded the thread limit. Thanks to bertm for finding a minimally invasive solution and max_iops for reporting the problem and testing fixes!

Fix a problem displaying Freesites that include an input tag without type. Sites with such an incomplete input tag can now be visited again. Thanks to torusrxxx!

Fix the test for UserAlertManager where localization didn’t work correctly. Thanks to Bombe!

Add two new seednodes to speed up initial connection in Opennet. Thank you!

Thank you for using Hyphanet!

  • AB

Developer changelog:

2025-07-06

Changes in 1503:

  • fix thread leak from the vulnerability mitigation, thanks to bertm for finding a minimally invasive solution and max_iops for reporting the problem and testing fixes

  • fix filter breakage when input tags had no type, thanks to torusrxxx

  • fix UserAlertManagerTest, thanks to Bombe

  • add two seednodes to the installers

  • AB

[include shortlogs of any installer or plugin changes]


Arne Babenhauserheide (3):
contributing.md: Clarify that all functional changes must be reviewed
Update CONTRIBUTING.md
Update CONTRIBUTING.md

Arne Babenhauserheide (freenet releases) (3):
update debian package to 1502
Update default bookmark editions
Build 1503

Bert Massop (2):
Fix noderef folder permissions for Debian package
BlockTransmitter: prevent 0.2% of jobs from stalling

David ‘Bombe’ Roden (1):
🐛 Fix UserAlertManager test

torusrxxx (2):
Fix NullPointerException in input tag filter
Allow input tag without type

build01502: 2025-06-29

29 Jun 12:26
build01502
02689f2

Hyphanet 0.7.5 build 1502 is now available. [overview]

The most important change is a fix to a vulnerability that enabled
attackers to differentiate between an uploading and a forwarding node
by analyzing the structure of packets in blocks. It was reported
responsibly by Yonghuan Xu and depended on block-level timing of
packet handling.

Thank you very much for reporting the vulnerability and creating and
testing a mitigation!

There were some additional privacy and safety improvements: do not
check reachability of global addresses to avoid a fallback to Echo
packets when a node does not support Ping, don’t show download to disk
for large file page on public gateway nodes, and make fproxy cross
origin isolated -- the latter by torusrxxx.

Torusrxxx also again increased the fraction of HTML and CSS elements
that can be used on Freesites. More and more pages should just work.
Freesites can now set robots, googlebot and referrer=no-referrer, for
example for the Spiders that update indexes, as well as use more CSS
properties.

And there is now support for animated, lossy webp images, recovering
some capabilities we lost when browsers removed support for the Theora
codec, and for WAV files for lossless audio. Thank you!

Also Freemail now allows inbound links with to=WOT_ID, so you can use
links on Freesites that directly open in Freemail.

Below the shutdown-button, there’s now info on how to disable
autostart in GNU Linux.

On the alerts page there are buttons to dismiss all alerts that do not
come from other nodes, or to delete all messages from other nodes.
This should unclutter alerts and make node-to-node messages much more
usable.

Plugin visibility was adjusted so that simple mode shows the
plugins that actually are easy to understand for newcomers.

Additionally there are visible Fixes:

  • Update dependencies.properties wrapper files to files in
    java_installer to avoid downgrading the wrapper after the first
    start -- #1081 by ArneBab
  • Fix regression: compress parameter was inverted on upload. Thanks to
    NewOne@umLZL for investigating! -- #1051 by ArneBab
  • Build the Atom XML correctly -- #1080 by Bombe
  • Do not fix case (upper/lower) of header key -- #1063 by torusrxxx
  • Fix request distribution stats -- #1071 by bertm

And internal code fixes:

  • Return valid length from RandomShortReadInputStream.read -- #1060 by
    bertm
  • Fix single-byte read() in various InputStream implementations --
    #1058 by bertm

And improvements to the code to ease maintenance:

  • 🐛 Allow Class Loader to Enumerate Directory Entries. Fixes Flyway
    usage -- #1049 by Bombe
  • ♻️ Use accessor for NodeClientCore.mainExecutor -- #1079 by Bombe
  • Add Accessors for PageNode’s Member Fields -- #1076 by Bombe
  • Add Accessors for Two Member Fields Used in PeerNodeStatus -- #1075 by Bombe
  • Fix Translation Handling in Tests -- #1074 by Bombe
  • Remove main(...) methods and related test/debug routines -- #1070 by
    bertm
  • Remove unused code and parameters from NodeStats -- #1069 by bertm
  • Remove remaining code paths for disabled slow-down sending -- #1068
    by bertm
  • Get rid of Hashtable in NodeStats -- #1067 by bertm

Finally there are optimizations to the code -- a lot of them
improvements to synchronization -- which should reduce CPU load of
nodes with many peers and make it easier to run simple routing nodes
(without messaging) on weak, cheap, energy conserving hardware:

  • Fix synchronization of receive buffer -- #1044 by ArneBab. Thanks to
    Yonghuan Xu for the catch!
  • Do not synchronize on global variable in CryptoKey.fingerprint --
    #1066 by bertm
  • Do not synchronize on access to AEADCryptBucket.readOnly -- #1065 by
    bertm
  • Do not synchronize on global variable in crypt Util.makeKey -- #1064
    by bertm
  • Do not synchronize on Rijndael cipher initialization or use -- #1061
    by bertm
  • Use length hint for bucket creation in ChecksumChecker -- #1059 by
    bertm
  • Optimize OCBBlockCipher_v149 by replacing Vector with List -- #1057
    by bertm
  • Use JCE AES implementation for AEAD when available -- #1056 by bertm

Thank you for using Hyphanet!

  • AB

Developer changelog:

2025-06-29

Changes in 1502:

Fix reported vulnerability:

  • Fix insert tracing vulnerability reported by Yonghuan Xu.
    Thank you very much for reporting the vulnerability and
    creating and testing a mitigation!
    This vulnerability enabled attackers to differentiate
    between an uploading and a forwarding node by analyzing
    the structure of packets in blocks. The fix randomizes
    the order of packets in blocks and adds a delay before
    the last packets are added to match the behavior when
    dispatching packets from received blocks.
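
A sketch of the mitigation described in the item above, as an added example that is not code from fred: it shuffles the packet order of a locally available block, holds back the last packets behind a delay, and checks the resulting plan the way a regression test might. The 32-packet block, the number of held-back packets, the delay window and all function names are assumptions made for illustration.

```python
import random
import secrets
from collections import Counter

# Assumptions for illustration only; none of these values come from fred.
PACKETS_PER_BLOCK = 32
TAIL_PACKETS = 4             # packets held back at the end of the block
TAIL_DELAY_MS = (50, 200)    # inclusive delay window per held-back packet


def plan_block_send(num_packets=PACKETS_PER_BLOCK, tail=TAIL_PACKETS,
                    delay_ms=TAIL_DELAY_MS, rng=None):
    """Plan the transmission of one block whose packets are all available.

    Returns [(release_ms, packet_index), ...] in send order: the order is
    shuffled, and the last `tail` packets only become sendable after a delay.
    """
    if not 0 <= tail <= num_packets:
        raise ValueError("tail must be between 0 and num_packets")
    lo, hi = delay_ms
    if not 0 < lo <= hi:
        raise ValueError("delay window must be positive and ordered")
    if rng is None:
        # Unpredictable by default; tests may pass a seeded random.Random.
        rng = secrets.SystemRandom()
    order = list(range(num_packets))
    rng.shuffle(order)
    split = num_packets - tail
    plan = [(0, index) for index in order[:split]]
    release = 0
    for index in order[split:]:
        release += rng.randint(lo, hi)
        plan.append((release, index))
    return plan


def plan_violations(plan, num_packets=PACKETS_PER_BLOCK, tail=TAIL_PACKETS,
                    delay_ms=TAIL_DELAY_MS):
    """Return the invariants a plan breaks; an empty list means it is fine."""
    problems = []
    if sorted(index for _, index in plan) != list(range(num_packets)):
        problems.append("every packet must be sent exactly once")
    times = [release for release, _ in plan]
    split = num_packets - tail
    if any(release != 0 for release in times[:split]):
        problems.append("head packets must be released immediately")
    previous = 0
    for release in times[split:]:
        if not delay_ms[0] <= release - previous <= delay_ms[1]:
            problems.append("held-back packet outside the delay window")
        previous = release
    return problems


def first_packet_histogram(blocks, rng=None):
    """Count which packet index is sent first across many planned blocks.

    A sender that always transmits in index order puts every block into
    bucket 0; a shuffled sender spreads the blocks over all buckets.
    """
    return Counter(plan_block_send(rng=rng)[0][1] for _ in range(blocks))


if __name__ == "__main__":
    plan = plan_block_send()
    print("send order:", [index for _, index in plan])
    print("tail release times (ms):", [t for t, _ in plan[-TAIL_PACKETS:]])
    print("violations:", plan_violations(plan))
```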

Privacy / Safety improvements:

  • Privacy: do not check reachability of global addresses -- prevents
    Java from creating global TCP/7 (echo) connections when Ping fails
    -- #1047 by ArneBab
  • Do not show download to disk for large file page on public gateway
    -- #1045 by ArneBab
  • Make fproxy cross origin isolated -- #1053 by torusrxxx

Freesite HTML and UX improvements:

  • Add HTML elements meter,progress,input
    type=email,number,search,tel,url -- #1078 by torusrxxx
  • Allow freesite to set robots, googlebot and referrer=no-referrer
    meta tag -- #1077 by torusrxxx
  • Fix style -- #1072 by torusrxxx
  • Add CSS properties -- #1050 by torusrxxx
  • Add info how to disable autostart in GNU Linux -- #1073 by ArneBab
  • Add dismiss all alerts and delete all messages buttons. -- #1046 by
    ArneBab
  • Official plugins visibility adjustment: do not show unsupported
    plugins, always show KeyUtils, only show JSTUN, MDNSDiscovery,
    ThawIndexBrowser, and UPnP in advanced mode -- #1062 by ArneBab

Visible Fixes:

  • Update dependencies.properties wrapper files to files in
    java_installer to avoid downgrading the wrapper after the first
    start -- #1081 by ArneBab
  • Fix regression: compress parameter was inverted on upload. Thanks to
    NewOne@umLZL for investigating! -- #1051 by ArneBab
  • Build the Atom XML correctly -- #1080 by Bombe
  • Do not fix case (upper/lower) of header key -- #1063 by torusrxxx
  • Fix request distribution stats -- #1071 by bertm

Internal code fixes:

  • Return valid length from RandomShortReadInputStream.read -- #1060 by
    bertm
  • Fix single-byte read() in various InputStream implementations --
    #1058 by bertm

Code improvement:

  • 🐛 Allow Class Loader to Enumerate Directory Entries. Fixes Flyway
    usage -- #1049 by Bombe
  • ♻️ Use accessor for NodeClientCore.mainExecutor -- #1079 by Bombe
  • Add Accessors for PageNode’s Member Fields -- #1076 by Bombe
  • Add Accessors for Two Member Fields Used in PeerNodeStatus -- #1075 by Bombe
  • Fix Translation Handling in Tests -- #1074 by Bombe
  • Remove main(...) methods and related test/debug routines -- #1070 by
    bertm
  • Remove unused code and parameters from NodeStats -- #1069 by bertm
  • Remove remaining code paths for disabled slow-down sending -- #1068
    by bertm
  • Get rid of Hashtable in NodeStats -- #1067 by bertm

Optimization:

  • Fix synchronization of receive buffer -- #1044 by ArneBab. Thanks to
    Yonghuan Xu for the catch!

  • Do not synchronize on global variable in CryptoKey.fingerprint --
    #1066 by bertm

  • Do not synchronize on access to AEADCryptBucket.readOnly -- #1065 by
    bertm

  • Do not synchronize on global variable in crypt Util.makeKey -- #1064
    by bertm

  • Do not synchronize on Rijndael cipher initialization or use -- #1061
    by bertm

  • Use length hint for bucket creation in ChecksumChecker -- #1059 by
    bertm

  • Optimize OCBBlockCipher_v149 by replacing Vector with List -- #1057
    by bertm

  • Use JCE AES implementation for AEAD when available -- #1056 by bertm

  • AB


Arne Babenhauserheide (33):
Add recently merged PRs to NEWS
turn brief changelog into long form text
note Freemail
polish
Note Chrome/FF Theora removal
note that webp lossless and animation are still todo
Note that the IP Address can include Ping and RTO¹ in the peer list
Debian package 1501
Do not show download to disk for large file page on public gateway
Do not check reachability when sorting IPs.
Fix regression: compress parameter was inverted on upload. Thanks to NewOne@umLZL for investigating!
Adjust advanced state of official plugins to match what people need
Fix: do not show group if it only contains unsupported plugins
Add info how to disable autostart in GNU Linux
Refactor: inline single-use private methods into stream.
Compare enum with = -- thanks to Bombe!
Fix disabled logic, thanks to bertm
Disable download to disk on public gateway wherever disabled was checked
Add dismiss all alerts and delete all messages buttons.
fix: condition was inverted: if arg1 is good, return 1!
Extract reachability check.
Refactor: use thenComparing with prefer-approach. Thanks to bertm!
reverse arguments around == for better readability. Thanks to Bombe!
doc: fix docstring wording
Add IPv6FirstComparator Test thanks to Bombe
Cleanup prefer thanks to bertm
Remove unused constructor
Remove unused methods
Assign fields with this.field = in constructor
Remove unnecessary constructor
update Freemail to v0.2.9
Update dependencies.properties wrapper files to files in java_installer
Add braces around if condition

Arne Babenhauserheide (freenet releases) (2):
Update default bookmark editions
Build 1502

Bert Massop (34):
Optimize OCBBlockCipher_v149 by replacing Vector with List
Fix reading single bytes in AEADInputStream
Fix reading single bytes in RAFInputStream
Fix reading single bytes in PaddedBucket.MyInputStream
Fix rea...

build01501: 2025-02-16

16 Feb 17:06
build01501
f937e1a
Hyphanet 0.7.5 build 1501 is now available. [overview]

polish-crypt-tests-that-fail-in-gradle-but-not-in-intellij
bertm/fix-uskdatehint-eoy
bertm/fileutil-reflection
bertm/fileutils-use-nio
bertm/fileutil-global-sync
refactor--split-parsing-peers-into-multiple-simpler-steps
bertm/timeutil-java8-datetime
reduce-minimum-retransmission-timeout-to-be-fitting-for-within-country-transfer
torusrxxx/CSS
reduce-minimum-retransmission-timeout-to-be-fitting-for-within-country-transfer
reduce-bulk-preferring-probability-to-2-percent
only-log-errors-for-values-that-are-invalid-in-all-supported-versions

Thank you for using Hyphanet!

- Release manager name

Developer changelog:

2025-02-16

Changes in 1501:

polish-crypt-tests-that-fail-in-gradle-but-not-in-intellij
bertm/fix-uskdatehint-eoy
bertm/fileutil-reflection
bertm/fileutils-use-nio
bertm/fileutil-global-sync
refactor--split-parsing-peers-into-multiple-simpler-steps
bertm/timeutil-java8-datetime
reduce-minimum-retransmission-timeout-to-be-fitting-for-within-country-transfer
torusrxxx/CSS
reduce-minimum-retransmission-timeout-to-be-fitting-for-within-country-transfer
reduce-bulk-preferring-probability-to-2-percent
only-log-errors-for-values-that-are-invalid-in-all-supported-versions

- AB

---
Arne Babenhauserheide (21):
      Use assertArrayEquals and add proper error messages to asserts
      Fix rebase error
      Switch to Hamcrest matches to get better error reporting
      inline assertNotEquals
      import Matchers.not statically
      refactor: split parsing peers into multiple steps
      Fix affected whitespace
      Add braces for if/else
      Add braces for if/else
      Add space after if
      Tabifly + add space after if
      Add spaces before (
      Add spaces before (
      update debian package for 1500
      Fix: only log errors when the time was invalid in 1497, too
      fix: check correct variable, avoid unnecessary checks.
      reduce 10% chance for bulk to 2%
      reduce 10% chance for bulk to 2%
      Reduce minimum retransmission timeout (RTO)
      Remove whitespace at the end of the line
      Remove unnecessary cast

Arne Babenhauserheide (freenet releases) (2):
      Update default bookmark editions
      Build 1501

Bert Massop (6):
      Use Java built-in functionality for copying files
      Simplify file move/rename in FileUtil using Java NIO helpers
      Don't use reflection for updating file attributes
      Don't synchronize on the class while writing in FileUtil.fill(...)
      Rewrite USKDateHint using Java 8 Date-Time APIs
      Refactor TimeUtil: use Java 8 Date-Time API and improve time intervals

torusrxxx (1):
      Add CSS properties border-block/inline-start/end-color/style/width, border-end/start-end/start-radius

Freenet / Hyphanet build 1500: hotfixes and polish

11 Jan 00:31
build01500
f818f19

This release fixes regressions that slipped in with 1499:

  • an endless loop on hostname resolution on friend-to-friend nodes with all peers connected leading to very high CPU usage — thanks to bertm for the review!
  • typo in text-decoration filter — thanks to Torusrxxx for the fix!
  • NullPointerException when disabling and reenabling SSL — thanks to Torusrxxx for the fix!

Also we added two small improvements:

  • In the first time wizard the save button is now named "Finish" to make it clear that the node starts after clicking it
  • update Japanese translation — thanks to qupo1

Thank you for using Hyphanet!

Freenet / Hyphanet build 1499: privacy, networking, css, UX, cleanups

24 Dec 17:47
build01499
8e729a3

User changelog

This release mainly brings improvements in five areas:

  • improved privacy protection
  • optimized and fixed networking layer
  • support for website authors
  • better user experience
  • clean ups and code purges

Privacy

The privacy improvements are reduced pings and DNS lookups. These make
it less likely that a node gets detected by pings it sends for other
nodes that use DNS addresses to have permanent addresses. Also, thanks
to Torusrxxx, SSL support is updated, and when setting up a node for
access via SSL, unencrypted HTTP links now get upgraded to secured
HTTPS automatically.

Networking

The networking layer got a fix for very fast nodes. On these the bulk
queue could be starved when realtime requests were received faster
than they could be completed. Also bertm fixed bulk backoff getting
ignored.

Juiceman removed unnecessary boxing and unboxing to reduce CPU load
and Torusrxxx improved IPv6 handling.

Website

Torusrxxx also added webp support to the content sanitation (filters),
so you can now use webp images on freesites and depending on the study
reduce the storage by around 30%. Minimizing storage is more critical
on Hyphanet compared to the clearnet, so webp can improve performance
for all sites.

In addition to webp, Torusrxxx also added support for more CSS
keywords: border-{top,bottom}-{left,right}-radius, color-scheme,
dominant-baseline, margin-block, margin-block-end, margin-block-start,
margin-bottom, margin-inline, margin-inline-end, margin-inline-start,
margin-right, math-style, padding-block, padding-block-end,
padding-block-start, padding-inline, padding-inline-end,
padding-inline-start, padding-right, padding-right, padding-top,
padding-top, scroll-behavior, scroll-snap-align, scroll-snap-stop,
scroll-snap-type, text-combine-upright, text-decoration-thickness,
text-orientation, text-underline-offset.

And font settings: monospace, system-ui, ui-serif, ui-sans-serif,
ui-monospace, ui-rounded, emoji, math, fangsong. Color keywords are
now checked case insensitively.

Ban link as well as visited (these can cause requests depending on
interaction), replace with any-link. Also add more CSS selectors:
default, disabled, empty, enabled, focus-visible, indeterminate,
in-range, invalid, only-child, only-of-type, optional, out-of-range,
placeholder-shown, read-only, read-write, required, root. The
combination of :root and color-scheme enables settings for
dark-mode. The MIME types image/avif, heic, and heif are now known
(but have no validation).

Also the :checked selector is now supported, so freesites can have
some CSS-based interactivity.

There’s one loss: Chrome removed Theora support in 2024 and Firefox
followed suit in version 130 (which broke Brazilian banking OTPs).
Firefox ESR (128) will still get support until May 27th 2025. Until
then we need sanitation for modern video formats like vp8 or vp9 and
webm to keep our video on demand (streaming) working.

User experience

There are two improvements of the interface itself: Qupo1 updated the
Japanese localization and bertm polished the bookmark editor and
directory listing in the Winterfacey theme.

And thanks to Bombe the Freemail plugin now has a settings page for
the SMTP and IMAP address and port to use.

The defunct new load management statistics are now gone — thanks to
Torusrxxx. These were just distracting.

When you change the auto-updater key, updates are now checked
instantly, not only after update (for example to get updates via a
testing key for checking an update before release).

And a bug was fixed that could lead to plugins being killed early
during shutdown.

Cleanups

Thanks to qupo1, Christophe, and Bombe, our gradle setup is more up to
date and cleaner.

And thanks to Bombe, Bertm, Venfernand, and Juiceman we purged a lot
of outdated code that is no longer needed on modern JVMs (the code
base once had to work with Java 1) or replaced it with more recent
paradigms. Those make it quite a bit more enjoyable to work with the
affected parts of the code.

Finally qupo1 fixed links and code badges in our readme and Bertm made
sure that our IPv6 preference setting keeps working in Java 24 and
later.

Technical changelog

Privacy and Security

  • Reduce pings and DNS lookups — thanks to bertm for the careful review!
  • Improve SSL: Fix SSL self-signed certificate, update cipher suite, Add HSTS header setting to upgrade FMS links to HTTPS — thanks to Torusrxxx!

Networking layer and Optimization

  • Fix bulk backoff being ignored — thanks to bertm!
  • Only prefer the realtime queue to bulk with 90% probability to avoid starving bulk on very fast nodes
  • Avoid unnecessary boxing and unboxing — thanks to Juiceman!
  • Improve IPv6 handling, thanks to Torusrxxx!
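
The starvation that the 90% rule above addresses, as an added simulation that is not code from fred: with strict realtime priority on a node where realtime requests arrive as fast as they can be completed, bulk requests are never served, while a 90% preference lets them drain. The tick model, the arrival pattern and the function name are assumptions made for illustration.

```python
import random
from collections import deque


def simulate_queues(realtime_preference, ticks=10_000, bulk_every=20,
                    seed=1499):
    """Serve one request per tick from a realtime and a bulk queue.

    realtime_preference is the probability that the realtime queue is tried
    first on a tick; 1.0 means strict priority. The load is constructed: one
    realtime request arrives every tick (as fast as requests complete) and
    one bulk request arrives every `bulk_every` ticks.
    """
    if not 0.0 <= realtime_preference <= 1.0:
        raise ValueError("realtime_preference must be a probability")
    rng = random.Random(seed)
    realtime, bulk = deque(), deque()
    served = {"realtime": 0, "bulk": 0}
    longest_bulk_wait = 0

    for tick in range(ticks):
        realtime.append(tick)
        if tick % bulk_every == 0:
            bulk.append(tick)

        # Decide which queue gets the first look on this tick.
        if rng.random() < realtime_preference:
            order = (("realtime", realtime), ("bulk", bulk))
        else:
            order = (("bulk", bulk), ("realtime", realtime))

        # Serve the preferred queue, falling back to the other if it is empty.
        for name, queue in order:
            if queue:
                arrived = queue.popleft()
                served[name] += 1
                if name == "bulk":
                    longest_bulk_wait = max(longest_bulk_wait, tick - arrived)
                break

    return {
        "realtime_served": served["realtime"],
        "bulk_served": served["bulk"],
        "bulk_waiting": len(bulk),
        "longest_bulk_wait": longest_bulk_wait,
    }


if __name__ == "__main__":
    for preference in (1.0, 0.9):
        print(preference, simulate_queues(preference))
```

In this constructed load bulk arrives at half the rate at which the 10% share can serve it; a smaller bulk share only keeps up with a correspondingly lighter bulk load.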

Expanded website support

  • Add webp filter, so you can use webp on sites, thanks to Torusrxxx!
  • Add many CSS options — thanks to Torusrxxx!
  • recognize MIME types image/avif, heic, heif (no filters yet) — thanks to Torusrxxx!
  • Do not recommend disabling js helpers in fproxy (these are reviewed, so they can be used)

User Experience

  • Update Japanese localization, thanks to qupo1!
  • Fix bookmark editor indentation on Winterfacey theme and improve directory listing layout — thanks to bertm!
  • Hide no longer relevant new load management statistics, thanks to Torusrxxx!
  • Ensure that the updater searches for updates from an updated update key without restart.
  • Add more resilient plugin list exception handling to avoid problems on shutdown

Development support

  • Update Gradle wrapper validation to latest version — thanks to qupo1!
  • Update Gradle to 8.11 thanks to Christophe!
  • Fix build info with gradle daemon, thanks to Bombe!
  • Avoid duplicate files in jar file and add checks — thanks to Bombe!
  • Fix update.sh version in dependencies.properties (no longer pull in an older version with auto-update)

Cleanup and refresh code

  • Kill no longer useful MemoryChecker with 🔥 — thanks to Bombe and bertm for the reviews!
  • Remove SHA-256 special case in PluginManager — thanks to bertm!
  • Improve MultiValueTable — thanks to venfernand!
  • do not check for long gone JVM bugs — thanks to bertm!
  • do not intern byte arrays — thanks to bertm!
  • reduce stream handling duplication in FileUtil — thanks to bertm!
  • replace Logger.OSThread-based PID logging that was always disabled by NOOP — thanks to bertm!
  • Remove code related to NLM load sending — thanks to bertm!
  • Remove unused but dangerous Logger.fatal(...) method — thanks to bertm!
  • Remove gc meddling that hasn’t been necessary for many Java releases
  • replace length = 0 checks with isEmpty() — thanks to Juiceman!

Misc

  • Simplify peers parsing code
  • Fix readme links and code badges — thanks to qupo1!
  • Support IPV6_ADDR_PREFERENCES until Java 24 and beyond (move from reflection to unsafe) — thanks to bertm!
  • Add copy of the cryptics general license (2-clause BSD)

Plugins

  • Freemail plugin: add settings page, thanks to Bombe!

Freenet / Hyphanet 0.7.5 build 1498

23 Jun 13:58
build01498
6956294

Freenet 0.7.5 build 1498 is now available. [overview]

This release resolves the last blocker for Freenet / Hyphanet 0.8 by
providing an official Debian package. Additionally it optimizes the
networking and data transfer core and provides many improvements for
website authors and user experience.

Starting with this release, Freenet / Hyphanet has an official Debian
package built automatically via github actions. This was the most
important high-impact-task and the last release blocker of version
0.8 in our Roadmap. Big thanks go to DC*!

With this finally realized, the next step is to get in contact with
the many privacy focussed distributions which build on Debian to make
hyphanet-fred available where it is most important. Once this is
done, tools which build on Hyphanet — like FMS, but also jSite and
tools from pyFreenet — can be packaged to work out of the box, using
Hyphanet as an ordinary background service. That’s a step towards
Hyphanet as decentralized, privacy-preserving communication backend for
other applications.

Another step towards this is accepting the Schema hypha[net] to
simplify writing browser extensions that forward hypha:-links to
Hyphanet.

The networking layer was optimized significantly. Searching packet
types is often stopped early and common or cheaper checks are done
before less common or time-consuming checks. This gives significant
reductions of CPU load, especially for very fast nodes.

Juiceman fixed a bug limiting MTU to 1280 where not needed.

And recently failed and data not found cooldown times were reduced to
5 minutes and 3 minutes, reducing one of the big annoyances when
accessing a site quickly after upload.

On the data transfer layer, healing was optimized. After 1495 strongly
increased the amount of healing to keep large files available for
longer, 1498 specializes healing to keys close to the node location.
This reduces healing per file, but improves privacy, because healing
inserts are then more similar to forwarding — they mostly send data
close to the node’s location — and it reduces the network load of
healing, because the specialized healing inserts need fewer hops to
reach the optimal storage location in the network.

In addition to these changes deep down, there are a number of directly
visible improvements.

The plugins KeepAlive and Sharesite are updated (the latter now uses
the new Night Zen Garden style). The UPnP2 plugin is now visible in
simple mode. It can replace UPnP and should work better. On the
flipside the Library plugin is moved to advanced plugins, because it
does not work reliably enough.

The plugin list is easier to navigate by removing the defunct option
to download plugins from the clearnet and by adding better styling.
Downloading from the clearnet was an unnecessary privacy risk since
we’ve been bundling essential plugins with the installer for a few
years now.

The noderef for friend-to-friend connections is shown in simple mode
again, because it is robust enough with the changes in recent years.
This should remove a barrier to adding direct connections and enabling
fully confidential messages between friends.

There are new configuration options to allow connecting via local
services. That’s a step towards making it easy to add a second layer
of security, for example confining connections to a local network.
Thanks goes to s7r for these changes!

When bandwidth detection fails, the upload bandwidth now defaults to
160KiB/s. Also the NLM config is now disabled statically. This was a
testing setup which could still be active in old nodes, but it would
break connectivity nowadays.

The default bookmarks include the Opennet SeedNodes statistics,
the generate media site to create decentralized streaming sites, and
the high-impact-tasks. The bookmarks are also re-ordered to be a
better match for newcomers. The starting category is ordered: first
steps, clean spider, Index of Indexes. The software category is
ordered by ease of use from fproxy.

For website authors, more CSS elements, selectors and combinators
(:checked, word-wrap: anywhere, focus-within, ^=, $=, *=,
>, +, ~) and additional HTML elements (summary, details,
<meta name="Viewport"...>) are available. This strongly expands the
possibilities of website authors in Hyphanet, because Javascript or
webassembly are no viable options in an environment where a privacy
breach could put people at risk. We’ve seen with Java applets, that
untrusted code will always break out of its containment. The CSS
improvements in contrast provide a safe way to enable limited
interactivity.

Streaming support via m3u lists was improved to allow accessing
segments of up to 200MiB.

And using -1 as version in a USK now properly finds version 0, if
this is the only existing version.

There were a number of Java 21 fixes, including all our tests (thanks
to Bombe!), and improvement to the github actions (thanks to
AHOHNMYC).

In addition to that there was a lot of polish. Bert Massop and
Veniamin Fernandes replaced our homegrown CurrentTimeUTC with modern
Java options. Alex fixed the pronoun used in strings. Bombe added
getters for all direct field access in the node. Hiina reduced logging
level of store warnings so no unneeded backtraces are created for nodes
with large stores and Juiceman updated code to use more modern
structures.

Time-dependence of compressor selection was removed. This caused
non-determinism for inserts and could cause keys to be
non-reproducible on systems with faster or slower network.

And finally the new exe signing workflow we built to fulfill the
requirements of SignPath, our new windows installer signing provider
for the upcoming releases, runs the verify-build script on every
release to ensure that the jar we release has actually been built from
the sources. This provides a second safety net, in addition to
anonymous users running the script and posting the results (thanks to
all who did this — please keep it up, otherwise people have to fully
trust github). The release is not yet byte-by-byte reproducible,
because the jar MANIFEST defines among other info the exact java
version used to compile it, and the java version available differs by
distribution and time, so it would get harder over time to verify the
build.

A special thanks goes to Bombe for many careful reviews!

Thank you for using Freenet!

  • AB

Developer changelog:

2024-04-28

Changes in 1498:

high impact tasks

merge debian package as default build action thanks to DC*/desyncr! This resolves one of our high impact tasks.

Plugins

Update KeepAlive to commit 86e47a101f26fd1d3be0437681a043aa4ae3f22c
Update Sharesite to 0.5.1
Move UPnP2 to normal plugins. It does not seem broken, but UPnP does
Move Library plugin to advanced plugins because new users tend to get lost with it
💄 Add better styling to the plugin list in winterfacey to make it easier to understand at a glance — thanks to Bombe
🔥 Remove option to load plugins from central server — thanks to Bombe! This was an unnecessary privacy risk, since we’re already bundling essential plugins with the installer, and it made plugin handling harder to understand.

Bookmarks

Add high-impact-tasks to bookmarks
Add generate media site to the default bookmarks
Add Opennet SeedNodes stats site
Reorder starting bookmarks: FFS → clean spider → Index of Indexes
Reorder default software bookmarks by ease of use from fproxy
Disable activelink for Index of Indexes (workaround, because it fails)

Optimize networking and transfer layer

break early when condition is met — thanks to Juiceman
Check the HashCode before equals. This saves ~20% method-runtime.
Re-order or’ed MessageFilters so the most likely is checked first
specialize healing to keys close to the node
fix healing decision: do not divide 0-1 by MAX_VALUE — thanks to Bombe for the review!
Reduce recently failed and data not found wait times

Filters

CSS: Fix: checked only the first char of the key part of CSS selectors, Add test that would catch too lax filtering.
CSS: Support pseudo-element checked. This enables limited interactivity via CSS.
CSS: Support the attribute selectors ^= $= *=, Add tests.
CSS: Support Combinators > + and ~, add test for ~ and simplify the implementation
CSS: Support word-wrap: anywhere and CSS selector focus-within.
HTML: allow summary and details html element. Thanks to naejadu
HTML: accept <meta name="Viewport" ...>, thanks to torusrxxx

Constants

Show the noderef in basic-mode: it is now robust enough

Configuration

accepting localhost in NodeIPPortDetector and allowBindToLocalhost configurable — thanks to s7r!
Provide static methods for simpler boolean config creation
Increase default bandwidth to 160KiB upload, when detection fails
disable setting for new-load-management (NLM broke nodes)
add utility to disable a config option, thanks to Bombe

Misc

add m3u-player insertion test: is added at end of body
[CI] Update actions, fix actions cache
♻️ add and use getters and setters for access to node fields
Increase max transparent passthrough to 200MiB links in m3u-lists.
Remove time-dependence of compressor selection. This caused
non-determinism for inserts and could cause keys to be
non-reproducible.
improve date object construction in CurrentTimeUTC.get()
Support Schema hypha[net] to simplify writing browser extensions that forward hypha://-links to Hyphanet.
polish: show datastore size warning with GiB suffix
Remove hash generation to native bi...


build01497: 2023-02-28

04 Mar 19:57
build01497
e3bb502

Freenet 0.7.5 build 1497 is now available. [overview]

This release fixes a severe vulnerability in path folding that allowed
an adapted node that is directly connected via opennet to distinguish
between downloaders and forwarders.

This vulnerability was reported to the Project by Prof. Ming Yang and
Prof. Zhen Ling from the School of Computer Science and Engineering,
Southeast University, Prof. Xinwen Fu from the Miner School of
Computer & Information Sciences, University of Massachusetts Lowell,
and Yonghuan Xu from School of Cyber Science and Engineering,
Southeast University.

Yonghuan also provided support in fixing the vulnerability. Thank you
very much!

To reduce the probability of hitting other problems in path folding,
we also merged the pull-request to completely avoid path folding at
HTL 17 or higher.

Thank you for using Freenet!

  • AB
Developer changelog:

2023-02-28

Changes in 1497:

This release fixes a severe vulnerability in path folding that allowed
an adapted node that is directly connected via opennet to distinguish
between downloaders and forwarders.

This vulnerability was reported to the Project by Prof. Ming Yang and
Prof. Zhen Ling from the School of Computer Science and Engineering,
Southeast University, Prof. Xinwen Fu from the Miner School of
Computer & Information Sciences, University of Massachusetts Lowell,
and Yonghuan Xu from School of Cyber Science and Engineering,
Southeast University.

Yonghuan also provided support in fixing the vulnerability. Thank you
very much!

To reduce the probability of hitting other problems in path folding,
we also merged the pull-request to completely avoid path folding at
HTL 17 or higher.

Due to changes in the infrastructure, this release has to re-use the
Windows Installer from 1496, so newly installed nodes on Windows will
still be vulnerable for a few minutes after installation until they
auto-update. This should get fixed in 1498.

Besides this change, there’s a German translation fix by an anonymous
contributor: Email → E-Mail.

And a fix for a test that points towards the need to check the
compression code on newer JDKs.

- AB

[include shortlogs of any installer or plugin changes]

---
Arne Babenhauserheide (3):
      Fix l10n: Email → E-Mail. Anonymous contribution - thank you!
      re-add delay; check noderef to match RequestHandler.finishOpennetInner
      Do not send a duplicate Ack on path folding — thanks to Yonghuan

Arne Babenhauserheide (freenet releases) (2):
      Update default bookmark editions
      Build 1497

Matthew Toseland (5):
      Don't relay noderefs at high HTL
      Don't accept noderefs either at high HTL
      Missing return, oops
      Comments
      Replace outdated comment with an assertion

Veniamin Fernandes (1):
      Fix compression result comparison in the GzipCompressorTest for newer JDKs

build01496

07 Jan 01:45
build01496
8b4a699
2023-01-07

Freenet 0.7.5 build 1496 is now available.

Fix keepalive
-------------

This fixes breakage in keepalive by ignoring a negative maxsize.
This was broken by a fix to the client
to actually honor the maxsize which was ignored before,
so ignoring invalid values provides a compatibility layer
for old plugins.

Update translations
-------------------

Imported updated translations from transifex.

The biggest changes were done by the Russian team,
adding or updating almost 200 translations.

The German team changed over 70 translations.

And 1 to 7 changes were done by teams
es, fa, fi, fr, hu, it, ja, nb-no,
nl, pt (br and PT), sv, zh-cn and zh-tw.

A big thank you for your work!

Bookmark curation
-----------------

Replaced the unmaintained freemail site in the default bookmarks
by a maintained one — thanks to Cynthia!

Further changes
---------------

- add meta charset tests
- add missing test annotations — thanks to vwoodzell!

Thank you for using Freenet!

- AB

Developer changelog:

2023-01-07

Changes in 1496:

- fix keepalive regression — thanks to PlantEater for tracking it down and fixing it!
    - fix negative maxsize per new fetch override
    - also override maxTempLength
    - LowLevelGetException also return the throwable because the error doesn't help, the real gets hidden
- update translations, thanks to the translators on transifex, especially the Russian ones!
- add meta charset tests
- replace unmaintained freemail site by maintained one — thanks to Cynthia!
- add missing test annotations — thanks to vwoodzell!

- AB

---
Arne Babenhauserheide (5):
      Add meta Charset tests
      bookmarks: replace unmaintained freemail site by maintained one — thanks to Cynthia!
      fix: actually detect charset
      de-horrify test :-)
      CONTRIBUTING.md with easy to work with rule

Arne Babenhauserheide (freenet releases) (5):
      update translations
      remove more references to Frost from translations
      update news
      Update default bookmark editions
      Build 1496

PlantEater (1):
      - fix negative maxsize per new fetch override - also override maxTempLength - LowLevelGetException also return the throwable because the error doesn't help, the real gets hidden

Vaughan Woodzell (1):
      Add missing test annotations

Freenet 0.7.5 build 1495

03 Dec 13:40
build01495
623e592

2022-12-29

Freenet 0.7.5 build 1495 is now available with many improvements.

New users

There is a new firsttime wizard for single-step setup, contributed
by redwerk and finally merged after resolving dependency-requirements.

To further ease the start, the bookmarks are re-organized with
"starting points" at the top.

User experience

For integration in browser extensions, TheSeeker added support for
the schemes web+freenet and ext+freenet which do not need further
allow-listing by browsers to use.

CometZ@6DtYG~ created a new theme sky-dark-static, a clean dark scheme,
simpler than Winterfacey.

To enable more beautiful Freesites, Spider Admin, naejadu and vwoodzell
extended the CSS filter to enable sticky, transition, and word-wrap.

The m3u-player is now only inserted into sites which contain at least
one video or audio tag. When a part of a stream fails, it is now skipped,
allowing for continuous playback without user-intervention.

Performance

For better lifetime of larger files, the healing size is increased
from 16 to 256 MiB, so a 512 MiB file will keep working if accessed
once every 10 days. To keep alive files explicitly, you can use the
keepalive plugin.

And the pending keys optimizations by Eleriseth should reduce the CPU
load on very fast nodes with many peers.

Further technical improvements

  • finally merged the HashingAPI by unixninja92, a GSoC project that had
    gotten lost in the pull requests. This provides an easy and
    well-tested way to create and verify different types of Hashes from byte
    arrays, including Sha256 and TigerTree.
    #258
  • old announcement fixes by toad were finally merged
  • unit tests were upgraded to junit4, thanks to vwoodzell!
  • the client getter method now honors the max size argument

Thank you for using Freenet!

build01494: 2022-06-25

24 Jun 23:29
build01494
684b47a

Freenet 0.7.5 build 1494 is now available.

This build improves four broad areas:

  • streaming on demand,
  • configuration,
  • security, and
  • bugfixes.

Streaming provides improved video and audio:
Video sizes are more robust when the size changes between subsequent videos.
Audio tags no longer try to display the overlay.
This finally enables convenient Samizdat Radio.

To help modernize the configuration of existing nodes,
Freenet now shows a user alert once every Freenet update if the datastore is
below 10% of available space with a link to the store size wizard page
to make it easy to increase the store. Thanks to Trivuele!

Also the bandwidth settings now parse the bit suffix correctly
(lowercase b in kbps is bit, not byte).
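
To illustrate why the case of the unit letter matters, here is an added example (not fred's own code). The class name, the accepted grammar and the decimal versus binary prefix handling are assumptions made for this sketch.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class BandwidthSuffix {
    // Assumed grammar for this example: number, optional prefix (k, K, M, G, or
    // Ki, Mi, Gi), unit letter (B = byte, b = bit), optional "ps" or "/s".
    private static final Pattern RATE =
        Pattern.compile("\\s*(\\d+(?:\\.\\d+)?)\\s*([kKMG]i?)?([Bb])(?:ps|/s)?\\s*");

    static long multiplier(String prefix) {
        if (prefix == null) return 1L;
        long base = prefix.endsWith("i") ? 1024L : 1000L; // KiB is binary, kB is decimal
        switch (Character.toUpperCase(prefix.charAt(0))) {
            case 'K': return base;
            case 'M': return base * base;
            default:  return base * base * base;          // 'G', the only other match
        }
    }

    /**
     * Returns bytes per second. With honorCase == false the unit letter is read
     * as a byte regardless of case, the misreading the release note warns about.
     */
    static long parse(String text, boolean honorCase) {
        Matcher m = RATE.matcher(text);
        if (!m.matches()) throw new IllegalArgumentException("not a bandwidth value: " + text);
        double amount = Double.parseDouble(m.group(1)) * multiplier(m.group(2));
        boolean bits = honorCase && m.group(3).equals("b");
        return Math.round(bits ? amount / 8.0 : amount);
    }

    public static void main(String[] args) {
        // Constructed inputs; "160KiB" and "kbps" are the spellings used on this page.
        for (String s : new String[] { "512kbps", "1Mbps", "160KiB", "20kB/s" }) {
            System.out.printf("%-8s case-blind=%d B/s  correct=%d B/s%n",
                s, parse(s, false), parse(s, true));
        }
    }
}
```

For `512kbps` the case-blind reading yields 512000 B/s, eight times the correct 64000 B/s, while `160KiB` is 163840 B/s either way.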

Security received improvements for friend-to-friend mode,
for opennet, and for the tools for Freesites:

Friend-to-Friend mode now randomizes pitch black defense times
and waits at least 12 hours between pitch black mitigations
to prevent timing attacks.

Opennet is hardened by disabling the write local to datastore
functionality when opennet is enabled; it can be useful on a
small darknet, but on opennet it makes it easier to find downloaders.
Thanks to Trivuele!

Also, a FOAF mitigation that wasn't operational because it lacked
a conversion to percent was fixed. Thanks to freedom-of-depression!

The /imagecreator/ tool, among other changes, now ensures
that requested image sizes are sane — thanks to Oleh from Redwerk
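
One way to check that a requested image size is sane before any buffer is allocated, as an added example (not fred's own code). The class name and the limits `MAX_SIDE` and `MAX_PIXELS` are assumptions; the first sample input is the `/imagecreator/` query string listed in this release's commit log.

```java
import java.util.HashMap;
import java.util.Map;
public class ImageRequestCheck {
    // Assumed limits for this example; the page does not state fred's actual bounds.
    static final int MAX_SIDE = 2048;
    static final long MAX_PIXELS = 2_000_000L;

    /** Splits "a=1&b=2" into a map; keeps the first value of a repeated key. */
    static Map<String, String> parseQuery(String query) {
        Map<String, String> params = new HashMap<>();
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0) params.putIfAbsent(pair.substring(0, eq), pair.substring(eq + 1));
        }
        return params;
    }

    /** Parses one side length, rejecting missing, non-numeric, signed or oversized values. */
    static int parseSide(Map<String, String> params, String name) {
        String raw = params.get(name);
        // At most 4 ASCII digits: no sign, no whitespace, no overflow in parseInt.
        if (raw == null || !raw.matches("[0-9]{1,4}"))
            throw new IllegalArgumentException(name + " must be 1 to 4 digits");
        int value = Integer.parseInt(raw);
        if (value < 1 || value > MAX_SIDE)
            throw new IllegalArgumentException(name + " out of range 1.." + MAX_SIDE);
        return value;
    }

    /** Returns {width, height} or throws before any image buffer is allocated. */
    static int[] validate(String query) {
        Map<String, String> params = parseQuery(query);
        int width = parseSide(params, "width");
        int height = parseSide(params, "height");
        // Bound the area too: two sides that are each valid can be too large together.
        if ((long) width * height > MAX_PIXELS)
            throw new IllegalArgumentException("image area exceeds " + MAX_PIXELS + " pixels");
        return new int[] { width, height };
    }

    public static void main(String[] args) {
        // Constructed inputs, apart from the first, which is the query from the page.
        String[] samples = { "width=200&height=100&text=200x100", "width=-1&height=100",
            "width=99999999999&height=1", "width=2048&height=2048", "height=100" };
        for (String q : samples) {
            try { int[] s = validate(q); System.out.println("ok   " + q + " -> " + s[0] + "x" + s[1]); }
            catch (IllegalArgumentException e) { System.out.println("deny " + q + " (" + e.getMessage() + ")"); }
        }
    }
}
```

Only the first sample is accepted; `width=2048&height=2048` passes the per-side check but is rejected by the area bound.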

Finally it’s now easier to build fred without network access. Thanks to Trivuele!

In addition to these improvements, bugs got fixed:

  • fix build with modern Java: add opens jvmargs on java 17.
  • remove Frost on ChatForumsToadlet from non-updated translations
    (removed 2019 from the original English).
  • fix parts of the German translation.
  • Do not store blocks in the cache, if they are eligible for the store
    (should increase usable cache size). Thanks to Trivuele!

A big thank you to all contributors and reviewers
for getting this release in shape!

And thank you for using Freenet!

  • AB

Developer changelog:

2022-06-24

Changes in 1494:

  • Show a user alert (once every Freenet update) if the datastore is
    below 10% of available space with a link to the store size wizard page
    to make it easy to increase the store ― thanks to Trivuele

  • Do not store blocks in the cache, if they are eligible for the store
    (should increase usable cache size) thanks to Trivuele

  • m3u-player: more robust sizes, do not use overlay for audio. This
    finally enables convenient Samizdat Radio

  • randomize pitch black defense times and wait at least 12 hours
    between pitch black mitigations to prevent timing attacks

  • bandwidth settings: parse bit suffix correctly

  • improve /imagecreator/ thanks to Oleh from Redwerk

  • Disable write local to datastore functionality when opennet is
    enabled; it can be useful on a small darknet, but on opennet it
    makes it easier to find downloaders. thanks to Trivuele

  • make it easier to build fred without network access thanks to Trivuele

  • fix build with modern Java: add opens jvmargs on java 17

  • fix: a FOAF mitigation wasn't operational, because it lacked a
    conversion to percent. thanks to freedom-of-depression

  • remove Frost on ChatForumsToadlet from non-updated translations
    (removed 2019 from the original English)

  • fix parts of the German translation

  • AB


Arne Babenhauserheide (12):
randomize pitch black defense times
remove unnecessary import
remove more unnecessary imports
use UTC clock
wait at least 12 hours between pitch black mitigations
bandwidth: parse bit suffix correctly
fix parts of de-translation
remove Frost on ChatForumsToadlet from non-updated translations (removed 2019 from the original English)
add opens jvmargs on java 17
m3u-player: more robust sizes, do not use overlay for audio.
remove old unconditional logging line that has been ignored for a decade now and pollutes the log
change misleading naming — thanks to Steve for the review!

Arne Babenhauserheide (freenet releases) (4):
Update default bookmark editions
updated NEWS
updated NEWS
Build 1494

Oleh Shklyar (12):
allow /imagecreator/?width=200&height=100&text=200x100 url from freesites
Path availability Fix (using link filter)
Validate image size
Optimization of maximum font size algorithm
Validate image size
Clean
Clean
Timestamp
ImageCreatorToadletTest
Removed alignment using spaces
To date, there is no reason to open access
Reducing opened API

Trivuele (6):
Make it easier to build without network access
Allow only doing a single wizard step
User alert if datastore is below 10% of available space -- rebased without new datastore settings
Disable write local to datastore functionality when opennet enabled
Nothing ever triggers onAbortDownstreamTransfers()
Stop storing blocks twice

freedom-of-depression (1):
fix FOAFMitigationHack

What's Changed

Full Changelog: build01493...build01494