← Home

Open source update

A big thanks to Clojurists Together, Nubank, lambdaschmiede, and other sponsors of my open source work! I realise that it’s a tough time for a lot of folks and businesses lately, and that sponsorships aren’t always easy 🙏

2024 May - Jun

Recent work

Hi folks! 👋

The last couple months have been light on big-ticket releases. Have been focused on maintenance, support, and groundwork for future releases. Output included:

Nippy and Carmine security releases

If you haven’t yet, please do try update to the latest versions of Nippy and/or Carmine when possible:

These include a fix to address a security vulnerability described in more detail in Nippy’s release notes.

In short: Carmine uses Nippy for its serialization, and Nippy uses a Java compression library for its compression. Earlier releases of that Java library may be vulnerable when decompressing malicious data directly crafted by an attacker. The attack is believed to require arbitrary control of the data provided to Nippy for thawing.

Relevant posts were made to the Clojure subreddit, Clojurians Slack, and my X account.

Telemere

Work has continued on Telemere, my new structured logging and telemetry library for Clojure/Script.

There were numerous minor beta releases to address various issues that came up, and to polish sharp edges and documentation, etc.

Instead of detailing all that here, I’ll just point to the current release - v1.0.0-beta14. The latest beta release will always include a summary of all major recent changes.

I’m aiming to try cut RC1 around the end of August, but won’t needlessly rush. I’d like the API to be completely stable after v1 final is out, so I’d rather go a bit slower now to get things right.

Big thanks to early adopters and testers for all the valuable feedback so far! 🙏

Carmine

Work has continued on Carmine v4. It’s quite an undertaking, but I’ve recently updated and merged the first parts of the new v4 core into mainline.

The current plan is for all the new stuff to live in a parallel taoensso.carmine-v4 namespace. This’ll make it easier for me to roll out the new work in stages, and get feedback from early adopters without negatively impacting existing users.

There’ll be a lot to say on Carmine v4, but that’ll come later.

Upcoming work

My current roadmap can always be found here, and it’s now also possible to vote to help guide my priorities.

Current objectives for July-August include:

  • Continued efforts on Telemere.
  • Hopefully release the final stable version of Tempel - my new data security framework for Clojure. Before the final release I’m planning to investigate support for MFA, extend the docs re: use with OpenID, OWASP, and make a few other last improvements. Originally had this planned for earlier, but rescheduled so that I could prioritise the Nippy security topic.

Cheers!

- Peter Taoussanis