Fluxheim 1.6.32

[eldryoth]

Fluxheim 1.6.32 Release Notes

Fluxheim 1.6.32 continues the final native-runtime cutover work after the
cache/PHP adapter slice.

This checkpoint focuses on native runtime dispatch, native load-balancer state
sharing, and the first native WebSocket upgrade tunnel path. Rich proxy cache
remains an explicit compatibility gate until its native adapter proves full
lookup/fill/stale behavior in a later 1.6.x stop.

Highlights

• Metrics configuration now supports an optional metrics.token_file
  bearer-token source for the native metrics service. The token file path is
  resolved with the normal safe-path rules and rejected when it is empty,
  unsafe, or below a group/world-writable parent.
• Native metrics service construction now loads the configured token source,
  stores it in zeroizing memory, redacts it from debug output, and enforces it
  with constant-time comparison for GET/HEAD /metrics. It also exposes a
  Fluxheim-native background service factory that binds the native HTTP/1
  metrics listener under the native supervisor.
• Native metrics listener startup and runtime failures are fail-fast: bind
  failures and unexpected accept-loop failures now log at error level and exit
  instead of leaving a silent metrics blind spot after native cutover.
• Non-Unix metrics token-file loading now rejects a symlink leaf before opening
  the file, matching the Unix O_NOFOLLOW hardening as closely as the portable
  filesystem API allows.
• The Pingora compatibility metrics listener still relies on listener binding
  and network ACLs for access control until the final native runtime owns that
  listener, but Fluxheim now validates the native metrics token source at
  startup so bad token configuration fails before the cutover.
• The native runtime launch plan now carries a metrics service-policy row that
  records whether the final native MetricsHttp listener must enforce bearer
  auth, making token enforcement a diffable cutover contract instead of an
  implicit root-runtime detail.
• Stream and UDP proxy routes now expose Fluxheim-native background service
  task factories beside their Pingora compatibility services. The compatibility
  runtime validates those native factories at startup whenever stream or UDP
  services are enabled, so final native service registration exercises the same
  route parsing and listener task construction before the cutover.
• Load-balancer refresh services now expose a native-supervisor handoff while
  retaining the Pingora compatibility wrapper. This lets the final native
  runtime spawn the existing Fluxheim-owned discovery/health refresh loop
  directly instead of routing it through Pingora's service adapter.
• The Pingora compatibility load-balancer adapter now stores that native
  service handoff internally and dispatches through FluxBackgroundTask,
  keeping the compatibility path and final native supervisor path on the same
  task boundary.
• Native runtime launch plans now include LoadBalancerRefresh background-task
  inventory only for load-balanced pools that actually need a background loop:
  active health checks, file discovery, HTTP discovery, or DNS refresh. Static
  ordered/weighted pools with load_balance.health_check.enabled = false stay
  native-ready without a detached refresh task.
• That load-balancer service and background-task inventory is now gated by the
  fluxheim-server/load-balancer feature, so non-load-balancer builds do not
  advertise native supervisor work they cannot construct.
• Native runtime launch planning now rejects duplicate background-task kinds
  before supervisor startup, matching the existing duplicate listener binding
  guard and preventing ambiguous task ownership in the final native runner.
• Native runtime launch planning also rejects duplicate service kinds before
  listener expansion, so a final native runner cannot accidentally register two
  owners for the same service role.
• The compatibility runtime now also validates the native HTTP/1 host-router
  factory when the server plan reports the proxy surface as native-ready. This
  proves exact/wildcard host routing, default-vhost selection, trusted-proxy
  source parsing, and route proxy construction can be assembled as one native
  router before the production runner switches away from Pingora.
• Native HTTP/1 proxy planning now accepts static round-robin upstream pools
  that explicitly disable active load-balancer health checks, matching the
  native proxy's current static-upstream capability while still rejecting
  advanced load-balancer policies.
• Native HTTP/1 proxy planning now rejects active load-balancer health checks
  until the final native load-balancer bridge shares health/discovery state
  with the actual native upstream selector. This avoids a false native-ready
  signal where a compatibility refresh task would run but native traffic would
  not consume its state.
• The native runtime cutover evidence gate now fails if the representative
  blocker-free config does not target NativeRuntime, if the launch plan is not
  ready, or if a launch-plan error is emitted.
• fluxheim-config-tester --runtime-cutover now labels the compatibility
  adapter row as native-runtime-compat-adapter, so blocker-free reports do
  not look like they will still start through Pingora when
  native-runtime-target-adapter is already NativeRuntime.
• Native HTTP/1 proxy planning now treats disabled root request-header policy
  as native-ready, matching the native request-header policy implementation
  instead of keeping that supported configuration behind the compatibility
  adapter.
• Native HTTP/1 route and vhost planning now also treats disabled request
  header overlays as native-ready. Runtime coverage proves a disabled route
  overlay suppresses inherited request-header mutations before proxying.
• The server crate now has a Fluxheim-owned native HTTP/1 proxy runtime boundary
  that binds proxy HTTP listeners from the native launch plan, builds the native
  host router once, serves requests through serve_native_http1_listener, and
  shuts down through the native background supervisor. HTTPS and downstream
  PROXY protocol listeners still fail closed at this boundary until their
  native listener handling lands.
• Rustls-backed native proxy HTTPS listeners can now bind from the native launch
  plan when tls.alpn = "http1". The runtime builds the downstream Rustls
  server config through fluxheim-tls, preserving certificate resolver and
  client-auth policy; HTTP/2 ALPN and downstream PROXY protocol remain
  fail-closed until their native listener dispatch is added.
• Plaintext native proxy listeners now accept trusted downstream PROXY protocol
  v1 and v2 from the native launch plan. The parsed source address is carried
  through access policy, rate-limit identity, and generated forwarding headers,
  while untrusted direct peers still fail closed before request parsing.
• Root startup now enters the Fluxheim-native runtime dispatcher when the
  server plan is blocker-free and targets NativeRuntime. The dispatcher
  starts the native HTTP proxy runtime plus native admin, metrics, stream, UDP,
  and load-balancer refresh tasks under NativeBackgroundSupervisor instead of
  the Pingora server loop.
• Native Rustls proxy HTTPS startup now exposes its certificate resolver to the
  root native runtime, so ACME renewal and the local certificate-reload control
  task can reload downstream certificates without the Pingora listener adapter.
• Native OpenSSL proxy HTTPS startup now binds through the Fluxheim-owned
  OpenSSL listener path for OpenSSL-only/FIPS builds when tls.alpn = "http1".
  It builds its downstream acceptor through fluxheim-tls, preserves the
  configured certificate and client-auth policy, and keeps HTTP/2 ALPN
  fail-closed until the native HTTP/2 listener dispatch is enabled. The native
  OpenSSL listener also preserves configured TLS policy and client-auth
  settings, installs SNI certificate selection through OpenSSL's callback API,
  and exposes the certificate store to the root native runtime so ACME renewal
  and local certificate reloads no longer require the Pingora listener adapter.
• Native runtime cutover evidence no longer treats downstream HTTP/2 listener
  dispatch as a standalone blocker once the TLS ALPN route can enter the
  native multi-stream H2 adapter. Remaining native proxy blockers are tied to
  HTTP/1 proxy/cache feature parity rather than the H2 listener handoff itself.
• Native HTTPS listeners can now dispatch selected h2 ALPN connections into
  the native multi-stream HTTP/2 route adapter, while http/1.1 and no-ALPN
  connections continue through the native HTTP/1 route path when the configured
  TLS ALPN policy permits HTTP/1. Live rustls and OpenSSL runtime tests prove
  tls.alpn = "http1-and-http2" negotiates HTTP/2 and reaches an ordinary
  native proxy upstream on both supported TLS backends.
• The machine-readable native cutover target table now points the downstream
  HTTP/2 blocker at the final rich-proxy parity release instead of the earlier
  preview milestone, keeping fluxheim-config-tester --runtime-cutover output
  consistent with the current Pingora-exit plan.
• The native HTTP/2 preview connection loop now accepts and serves multiple
  streams on one connection instead of dropping every stream after the first
  probe response. Tests cover same-connection multi-stream responses and the
  native TLS runtime now routes selected downstream H2 traffic into that stack.
• Added a native HTTP/2-to-native-route adapter that maps ordinary H2 requests
  into the existing native HTTP/1 route handler pipeline and converts native
  responses back to H2 without collapsing duplicate response headers such as
  Set-Cookie. Native requests now carry request trailers, and tests prove H2
  request trailers reach the native route handler and H2 upstream request
  builder; connection takeover remains fail-closed because HTTP/2 upgrade
  semantics are separate from HTTP/1 tunnels.
• Native PHP-FPM routes now support Fluxheim-managed php-fpm process ownership
  through fluxheim-php-fpm, not the root crate. Managed routes create the
  private php-fpm config, validate the php-fpm binary path against symlink and
  insecure-parent traversal, start php-fpm on a private Unix socket, keep the
  process owner alive for the native route lifetime, and retain the bounded
  watchdog/restart behavior used by the legacy runtime.
• The legacy root PHP-FPM module now re-exports the managed process owner from
  fluxheim-php-fpm instead of carrying a second supervisor implementation.
  This keeps the Pingora compatibility route stable while removing duplicate
  process lifecycle code from the root crate.
• Native HTTP/1 proxy routing now shares Fluxheim-owned
  UpstreamLoadBalancer state with the native load-balancer refresh service.
  Static advanced pool policy, active health, dynamic file/HTTP/DNS discovery,
  persistence, passive health, backup/drain/disabled state, priority groups,
  locality preference, per-upstream in-flight caps, aliases/tags, and runtime
  weight handling are selected through the same native load-balancer state the
  background service updates.
• Dynamic native load-balancer selections now clone the already-vetted
  upstream transport policy onto selected discovery authorities. This preserves
  the configured TLS, HTTP version, timeout, socket, PROXY-protocol, and
  forwarding-header policy without accepting per-request transport changes from
  discovery data.
• Added Fluxheim-owned nginx/Pingora Ketama-compatible static-ring hash modes
  for operators migrating cache-stateful upstream pools that need nginx-style
  request-to-backend mapping. The new selections are
  nginx-consistent-source-hash (nginx-consistent-hash / ketama aliases),
  nginx-consistent-uri-hash, nginx-consistent-header-hash, and
  nginx-consistent-cookie-hash; they build a static CRC32 continuum from the
  configured proxy.upstreams pool and intentionally reject dynamic discovery
  pools and runtime backend-set mutations in this release.
• Native Ketama startup now rejects file, HTTP, and DNS discovery sources
  before building the ring, and logs if CRC32 point collisions reduce the
  continuum. The release documentation now calls out that Ketama remains
  unsalted for nginx/Pingora compatibility and is therefore not the right mode
  for attacker-controlled hash keys.
• Native HTTP/1 now has a connection-takeover handoff that preserves any
  bytes read after the request head. This prevents early WebSocket frames sent
  in the same TCP packet as the upgrade request from being lost when a handler
  takes ownership of the downstream stream.
• Native WebSocket proxying is now available for strict WebSocket upgrade
  requests on forced HTTP/1 static upstream routes. The native adapter writes a
  canonical upstream Connection: Upgrade / Upgrade: websocket request,
  validates the upstream 101 Switching Protocols response with the shared
  HTTP/1 parser, forwards prebuffered bytes in both directions, and runs the
  bidirectional tunnel under the configured upstream read timeout.
• Native WebSocket proxying now strips hop-by-hop request headers, including
  headers named by the downstream Connection field, before forwarding the
  upgrade upstream. The downstream 101 Switching Protocols response is now
  emitted as a canonical WebSocket handshake response instead of forwarding
  arbitrary upstream 101 headers such as Set-Cookie or Server.
• Native WebSocket proxying now also works with native load-balanced upstream
  pools. The proxy performs one normal load-balancer selection at upgrade time,
  then pins the tunnel to that selected upstream for the lifetime of the
  connection; HTTP/2 WebSocket upstream mode remains fail-closed because it
  does not use the HTTP/1 hop-by-hop upgrade mechanism.
• The native server crate now has an internal PHP-FPM request-planning adapter
  under the php-fpm feature. It maps native HTTP/1 requests into the FastCGI
  parameter set using Fluxheim's existing PHP path-safety helpers:
  SCRIPT_NAME/PATH_INFO, deny prefixes, split PATH_INFO, UTF-8
  DOCUMENT_ROOT/SCRIPT_FILENAME, request headers, protected custom params,
  TLS scheme, and restored client address are all covered before the live
  FastCGI execution path is enabled.
• The same staged native PHP-FPM adapter now translates PHP stdout into a
  native response plan. It uses the shared PHP response parser, strips
  hop-by-hop headers, configured hidden headers, PHP internal offload headers,
  and Fluxheim-owned Content-Length, preserves HEAD response length without a
  body, and marks configured intercepted status codes before the live response
  writer is enabled.
• Native static-web resolution now exposes a PHP-specific, feature-gated
  script resolver for the upcoming live PHP-FPM adapter. It reuses the same
  canonical web-root/symlink-safe resolver as static serving while applying PHP
  SCRIPT_NAME, front-controller, deny-prefix, directory-index redirect, and
  decline-existing-static decisions.
• PHP-FPM in-memory request bodies now keep their FastCGI replay buffer inside
  Zeroizing<Vec<u8>> instead of cloning sensitive request bytes into a plain
  heap vector for the duration of the FastCGI exchange.
• metrics.token_env is parsed but rejected. Rust 2024 treats process
  environment mutation as unsafe, Fluxheim forbids unsafe code in the root
  crate, and leaving bearer tokens in /proc/self/environ is not acceptable
  for the native metrics listener. Use metrics.token_file instead.
• Native nginx/Pingora Ketama-compatible backend iteration now tracks seen
  backends with a set, preserving existing max_iterations behavior while
  avoiding quadratic duplicate checks on large weighted rings.
• The native admin control-plane and local ops listeners remain explicitly
  PROXY-protocol disabled even when the public HTTP/HTTPS listeners enable
  trusted downstream PROXY protocol. The server-plan tests continue to assert
  that only public HTTP/HTTPS listeners inherit that trust boundary.
• The staged native PHP-FPM adapter now has request-body planning for the
  upcoming live execution path. It enforces php.max_request_body_bytes, keeps
  small bodies in memory, and uses Fluxheim's existing private PHP spool-file
  creator/cleanup path when php.request_body_spool_threshold_bytes and
  php.request_body_spool_dir require a spooled body.
• The staged native PHP-FPM adapter now has a FastCGI execution wrapper that
  uses Fluxheim-owned endpoint selection, pooled or one-shot Unix/TCP
  connections, bounded connect/request timeouts, configured response-size
  limits, retryable error/status handling, STDERR failure-pattern handling, and
  the staged native response planner.
• Native HTTP/1 route/vhost PHP-FPM configs can now build a native PHP route
  action for external php-fpm endpoints. The route action resolves scripts
  through the native static resolver, enforces PHP in-flight/request-body
  limits, builds the shared FastCGI parameter plan, executes the staged
  FastCGI wrapper, and returns parsed native PHP responses.
• Native PHP-FPM routes now honor configured PHP custom error pages for
  intercepted statuses by rendering the configured static error page through
  the native static-file responder.
• The remaining rich-proxy native gates are now documented as intentional
  parity blockers rather than hidden launch blockers: proxy cache still needs
  native lookup/fill/stale/purge behavior before cache-enabled proxy routes
  can leave the compatibility path.
• HTTP/2 stream handling now treats bounded per-stream failures as stream
  responses instead of connection-level failures. Oversized request bodies,
  request-body timeouts, header-count rejection, oversized URIs, and handler
  timeouts return the matching 4xx/5xx response on that stream while allowing
  sibling streams on the same connection to continue.
• Native HTTP/1 request bodies now use zeroizing storage through the H2-to-H1
  route adapter so request-body copies do not lose the zero-on-drop behavior
  used by native H2.
• Native metrics bearer-token checks now compare fixed-size digests instead of
  branching on token length before the constant-time comparison. Metrics bearer
  auth now uses metrics.token_file; metrics.token_env is rejected to avoid
  local process-environment exposure.
• Native proxy listener accept-loop failures now mirror the metrics listener
  behavior: unexpected listener exit logs an error and terminates the process
  instead of leaving a live process that silently stopped accepting traffic.

Tests

• Added config tests for metrics bearer-token parsing and the fail-closed
  metrics.token_env rejection.
• Added native metrics tests for token loading from a file source,
  authenticated scrape acceptance, unauthenticated rejection, and debug
  redaction.
• Added native metrics listener tests proving the bearer-token policy works
  over an actual local TCP scrape request and that the background service task
  binds and stops under the native supervisor, not only through the in-memory
  handler.
• Added a native-supervisor load-balancer test that spawns the refresh service,
  observes readiness after the initial discovery update, checks the
  LoadBalancerRefresh task kind, and shuts it down through the Fluxheim
  supervisor path.
• Added adapter coverage proving the Pingora compatibility wrapper preserves
  native LoadBalancerRefresh task metadata.
• Added server-plan coverage proving active-health/dynamic load-balanced pools
  schedule the LoadBalancerRefresh task in the native runtime launch TSV,
  while static health-disabled pools do not.
• Added paired default-build and load-balancer-feature tests for
  LoadBalancerHealthChecks/LoadBalancerRefresh inventory.
• Added launch-plan coverage proving duplicate background-task kinds fail
  closed before task supervision begins.
• Added launch-plan coverage proving duplicate service kinds fail closed before
  listener registration begins.
• Extended native runtime launch-plan tests and cutover evidence validation to
  cover metrics bearer-token service policy.
• Added a runtime test proving a native-ready HTTP/1 proxy config builds the
  full native host-router factory, not only the individual proxy candidate.
• Added native proxy and server-plan coverage for static load-balanced pools
  with load_balance.health_check.enabled = false, plus rejection coverage for
  custom disabled-health-check policies that would otherwise be silently
  ignored by the native static proxy.
• Added native proxy planning coverage proving default active-health
  multi-upstream pools remain on the compatibility path until native
  load-balancer refresh state is wired into the native request path.
• Extended scripts/validate-native-runtime-cutover.sh so release validation
  proves the representative native runtime config is not only blocker-free but
  also selects the native target adapter and a ready launch plan.
• Added a live native runtime test that binds a planned HTTP proxy listener on
  an ephemeral address, proxies a real request to a local upstream through the
  native host router, and shuts the listener down through
  NativeBackgroundSupervisor.
• Added a Rustls native runtime listener test that generates a temporary
  certificate, binds a planned HTTPS listener, completes a real TLS handshake,
  proxies a request to a local upstream, and shuts the native listener down
  through the supervisor.
• Added an OpenSSL native runtime listener test that generates a temporary
  certificate, binds a planned HTTPS listener under the OpenSSL-only server
  feature, completes a real OpenSSL TLS handshake, proxies a request to a local
  upstream, and shuts the native listener down through the supervisor.
• Added live native runtime tests for trusted downstream PROXY protocol v1 and
  v2 listeners, proving the native listener parses the PROXY header and forwards
  the restored client IP to the upstream as X-Real-IP.
• Added root runtime coverage proving blocker-free plans select the native
  runtime target and that certificate background tasks are rejected unless a
  native reloader is available.
• Re-ran the admin listener smoke against the native startup path, proving the
  production binary serves the admin TCP listener and Unix ops socket under the
  native runtime dispatcher.
• Added native proxy coverage for shared load-balancer selection and refresh
  service state, including active-health/static advanced policy and dynamic DNS
  discovery construction.
• Added configuration and load-balancer tests for the nginx-compatible Ketama
  selectors, including alias parsing, header-hash requirements, dynamic
  discovery rejection for static-ring selections, native selection
  construction, and runtime backend-set mutation rejection.
• Added Ketama startup coverage proving dynamic discovery sources are rejected
  for nginx-compatible static-ring selections.
• Added HTTP/2 stream-isolation coverage proving an oversized request body on
  one stream returns 413 without aborting a sibling stream on the same
  connection.
• Added WebSocket request/response sanitization tests proving hop-by-hop
  request headers are stripped and arbitrary upstream 101 response headers
  are not forwarded downstream.
• Added a live native HTTP/1 runtime test that binds a real listener and serves
  a downstream request through a nginx-compatible Ketama URI-hash upstream pool.
• Added native runtime launch-plan tests proving proxy.websocket = true is
  native-ready at root, vhost, and route scope when the upstream mode is forced
  HTTP/1, plus rejection coverage for WebSocket with HTTP/2 upstream mode.
• Added live native HTTP/1 proxy and route-proxy WebSocket tests. Both tests
  perform a real downstream 101 Switching Protocols upgrade through a local
  upstream listener and prove bytes sent immediately after the downstream
  request head are preserved and tunneled.
• Added live native load-balanced WebSocket coverage proving a configured
  proxy.load_balance pool can select an upstream once and tunnel WebSocket
  bytes through that pinned backend.
• Added focused native connection-takeover coverage proving handlers receive
  prebuffered downstream bytes when taking ownership of a parsed HTTP/1
  connection.
• Added PHP-FPM feature tests for the native FastCGI request planner, including
  core CGI parameter mapping, duplicate request-header joining, protected
  custom-param rejection, denied script-prefix rejection, and unsafe
  PATH_INFO rejection.
• Added PHP-FPM feature tests for the native response planner, including
  hop-by-hop/configured/internal header stripping, HEAD content-length
  preservation, and intercepted status classification.
• Added PHP-FPM feature tests proving the native static-web resolver can
  resolve explicit PHP scripts, use the front controller for missing paths,
  decline existing non-PHP static files when configured, and reject denied
  script prefixes.
• Added PHP-FPM feature tests for native request-body planning, including
  memory bodies, configured body-limit rejection, spool-file creation, and
  cleanup on request-body drop.
• Added PHP-FPM feature tests for the staged native FastCGI execution boundary,
  including fail-closed rejection when no PHP-FPM endpoint is configured.
• Added native route-proxy PHP-FPM tests proving PHP routes reject missing
  roots and fail closed with 502 Bad Gateway when a configured external
  php-fpm endpoint is unavailable.
• Added a live native route-proxy PHP-FPM test with a minimal in-test FastCGI
  responder, proving the native route sends FastCGI records, parses PHP stdout,
  strips configured PHP response headers, and returns the parsed HTTP response.

Checksums And Signatures

• Commit: 0cabc801b65693830ce51aabaa07b43cff1253bc
• Local gate: GitHub CI green before tag; local release metadata checks passed
• CodeQL/code scanning: no open release-blocking alerts before tag
• Source archive checksums:
  • 61788956b0e7bc36085e42a3ccd028d04f242e6cc6dfcd9951b9e084bf3c67cc fluxheim-1.6.32.tar.gz
  • f73369e33edef4aed39ba5ef715c5241e12db6c5685a6837d8e9204a7658f9f5 fluxheim-1.6.32.zip
• Binary checksums:
  • x86_64:
    • 346a4258bc151cc021159ec5f2c138c5fa599305c7f74917abaa2a77bd3fbaf3 fluxheim-1.6.32-full-x86_64-linux.tar.gz
    • dcd1c27cc907bbb1795afbd67e1a82d6d0b009629d10ca307a8b4c6e46fc4140 fluxheim-1.6.32-cache-x86_64-linux.tar.gz
    • 036055e3c9acc7faefb92b2e2660c935cd9702d66a198f4f621d51b91d555f07 fluxheim-1.6.32-proxy-x86_64-linux.tar.gz
    • fd349b5ecc69e1d3f7d85c168e1815a1c16f6ed6489c3ee05759d337ed682791 fluxheim-1.6.32-php-x86_64-linux.tar.gz
    • 3f2aeb426eacb420108095acea7335fb73600842a4b3b236e8c3784a12315ccd fluxheim-1.6.32-load-balancer-x86_64-linux.tar.gz
    • 2ee2d52949fd76353b895cbec7af41f03adea60e5938e030e6ca7df15931b4c7 fluxheim-1.6.32-config-tester-x86_64-linux.tar.gz
  • aarch64:
    • eec7554d4f7408090ef0c3604294c144fcf3cbb3e9245d2191b331825d6a8c2f fluxheim-1.6.32-full-aarch64-linux.tar.gz
    • 4ffaebf6754831df09b5451065ad75ec4f0733a889ad652d7d3c48d67e8bbbd4 fluxheim-1.6.32-cache-aarch64-linux.tar.gz
    • 33ef80443ec187b1eb4215fe4f176b58a757cc65eeac9df74625740f08e1329b fluxheim-1.6.32-proxy-aarch64-linux.tar.gz
    • 88bd7d8d701544d5b43830176df1b25676c7dd405e22fda34e6704435788eeb2 fluxheim-1.6.32-php-aarch64-linux.tar.gz
    • bf916680a39cebf38cfc1b18e63c44c32b668173730972413970ed56a1d146e5 fluxheim-1.6.32-load-balancer-aarch64-linux.tar.gz
    • f2e684b53424761fba9262bab141ba1787858cb9d3b4d2467d9075eb1fd221c4 fluxheim-1.6.32-config-tester-aarch64-linux.tar.gz
  • macos:
    • a68f6c3949dddf4c879c3c20ceeba68ee9686b711f0251e1e9f68972983136fd fluxheim-1.6.32-dev-aarch64-macos.tar.gz
• SBOM checksums:
  • e3ede817802cede66a658787a31026757b49991ae4a9a96a21a858b99df15e40 fluxheim.spdx.json
  • 40398e9f0b7d8f49121d4025a0d89a46f46f04bf7e45d58268c04c1c5cb96e16 fluxheim.cyclonedx.json
• Reproducible build:
  • 7b21639f49e2e8a3e4afb3b787a81de262b5227dc0bf2909aa6f75f6041c0b56 x86_64
  • 8b15b04722f56613cfb317bddbd2d134e74a8f179d17a18bfb92f2f84ddd5325 aarch64
  • 0866cf6d7422e6e1f9c90c22231dd1bfe5ae89e4d0c9427e8083ba19b2ece439 macos
• Full Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:12ce6bc65648929281b71b9f19c2ac241b81b637a6e1fe5b67009ab45c1ca62e
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:286c27d78edb76d19e548a1b13862efb58009ef2568b8bee13210a45abbabf92
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:3d26131457132dd066fb56cc32511966f1ac3bfa3b1882ce788c3d025b5cc327
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:c1e793c14d5c9fc2a8908a01559b66fd596691fa7d2380fde57e656d77044c2e
• Cache Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:12c2b1676241e2a3a1110883e902145419ca3d3c3378b0cc34d7d7bae412c63d
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:61ca40591f13930a5be530b0d4f5c1d66b5e10da8649cb99c303ddebb0419aa3
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:40db05985ec31d3edfe056f1a013dc01f020709e23eb2bcf7e7b0add3428db30
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:83bdb2dbd549d07fd4feb708d2d0f5d69f980769fd4096267d383971f2fa6669
• Proxy Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:252b23e8d43e3ff78cb6da9c6e7ee4700090c15d709d25d894e5db685346a725
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:030f7a25d5c567715f58a652e37ad167c7c3a53fb2f388cc4f7ec4a156875a78
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:79855239a556f9f257ed6aa1e1d59f2743bc6cf246c0254aefbff96c66ec7a9f
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:1f0332c03244396f669f366da4840c3e68ca1731596a3f965b0380e4731e2aea
• PHP Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:7cd237a64854188431a9726e4d9758dfe055c09d6df2f8c411998a08411f38ff
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:e1cf4bbef2c099692083328091376060b442084624fb1ca011ca88991c67df97
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:01124f94aeb520a33e60c83c5ebe1dccb117c4425ae8ae4a8172da1e41a08465
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:b21f72f1c78ba87301f088dffbbd8976a2e2dacdac84a27a2c3a05e577a6de12
• Load Balancer Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:7ddd7678a7bcf812a3d5e3737550cb461375a6e31ac97bfdbe8bf37b0103f8f6
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:6a2fd227b95d9b53218627fbaa64e6a09f90848dbde21b9103f8be3e5daa1ac7
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:38a0424821474515dca31dbd55f80fead545d7e308219fee7ddd69390014deaf
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:7ff0475700b460b2a0f84db6349fcd6947f4cfbb94a6f39b66fa44f141ead580
• Tag signature:
  • Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4

---

This discussion was created from the release Fluxheim 1.6.32.