Release 2026-01-26 - (expected chart version 5.26.0) #4981
Open: zebot wants to merge 27 commits into master from release_2026-01-26_09_14
+5,333
−4,319
Master->Develop after release
…ved (#4958) This also makes it more consistent with PostgresUnmarshall
Looks like `buildRustPackage` improved. Thus, we can simplify this Nix derivation and - because rusty-jwt-tool now has a `Cargo.lock` file on toplevel - drop cargo lock file related logic.

It does not hurt to ensure that our toolchain is correct by running `rusty-jwt-tool`'s tests. This can be overridden on higher level.

The FFI bindings have been updated: The `now` parameter of `generate_dpop_access_token` has been removed; see https://github.com/wireapp/rusty-jwt-tools/blob/b5de03a239d41b51e7cf9cd7c2674fa6be205134/CHANGELOG.md#L22

This commit upgrades `rusty-jwt-tools` to version 0.14.0.
Log all changes to SAML IdPs that are triggered via the IdP REST API in Spar.
) * Add macOS (aarch64-darwin) build support

This commit enables building wire-server components on macOS by fixing several platform-specific issues:

- **cryptobox**: Fix dylib install_name on Darwin using install_name_tool to use absolute paths instead of relative paths
- **rusty_jwt_tools_ffi**: Fix dylib install_name on Darwin for Rust FFI library to ensure proper dynamic linking
- **text-icu-translit**: Add ICU library as pkgconfig dependency
- **http2-manager**: Fix Cabal flag configuration by using disableCabalFlag instead of enableCabalFlag with negative flag syntax
- Create macOS-compatible stub for federator package that removes Linux-specific hinotify dependency for file system monitoring
- Implement SSL/TLS context creation without file monitoring (certificates require manual service restart on macOS instead of auto-reload)
- Disable federator tests on Darwin (depend on filepath which was removed)
- Export mkSSLContextWithoutCert for integration tests

Note: The federator stub on macOS loses automatic certificate file monitoring/reloading functionality. This is acceptable for local development; production deployments on Linux retain full functionality.

All modified files:
- nix/manual-overrides.nix
- nix/wire-server.nix
- nix/pkgs/cryptobox/default.nix
- nix/pkgs/rusty_jwt_tools_ffi/default.nix

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* Replace hinotify with fsnotify for cross-platform file monitoring

This replaces the Linux-only hinotify library with the cross-platform fsnotify library in the federator service, enabling native certificate file monitoring on both Linux and macOS.

Changes:
- federator.cabal: hinotify -> fsnotify dependency
- Monitor.Internal.hs: Refactored to use fsnotify API
  - INotify -> WatchManager
  - RawFilePath -> FilePath
  - WatchDescriptor -> StopListening
  - Adapted event handling for fsnotify events
- Test/Federator/Monitor.hs: Updated for FilePath-based API
- haskell-pins.nix: Added fsnotify 0.4.4.0 hackage pin
- manual-overrides.nix: Removed Darwin stub, added conditional dontCheck for fsnotify/federator on Darwin (FSEvents doesn't work in nix sandbox)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Use CloseWrite events instead of Modified for certificate monitoring

fsnotify's CloseWrite event (Linux-only) indicates when a file write is complete, which is more reliable than Modified events that may fire multiple times during a write operation.

This fixes the unit tests which were failing due to:
1. appendFile "" not generating Modified events (only CloseWrite)
2. copyFile generating both Modified and CloseWrite, causing duplicate reloads that confused the test assertions

On macOS (FSEvents), CloseWrite is not available, but the tests are already disabled there (fsnotify tests don't work in nix sandbox).

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Filter redundant WatchedFile entries to prevent duplicate events

With fsnotify, both WatchedFile and WatchedDir entries end up watching the same directory. When a file event occurs, both handlers receive it, causing duplicate reloads. This led to test failures where the second reload would read files in an inconsistent state.

Fix by filtering out WatchedFile entries when they're already covered by a WatchedDir entry for the same directory and filename.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Fix edge case in filterRedundant for root paths

The property test found that WatchedFile "/" was incorrectly filtered when WatchedDir "/" {""} existed, because takeFileName "/" returns "". Fix by not filtering when the filename is empty.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* haskell-pins: No need to pin fsnotify, same version is in nixpkgs

---------

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-authored-by: Akshay Mankar <itsakshaymankar@gmail.com>
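
The filtering rule from the last two squashed commits above, including the root-path edge case, as an added example (not the federator's own code). The `Watched` type, its constructor fields and the sample paths are assumptions inferred from the commit message.

```haskell
module Main (main) where

import Data.Set (Set)
import qualified Data.Set as Set
import System.FilePath (takeDirectory, takeFileName)

-- Hypothetical watch entries; shapes inferred from the commit message's
-- `WatchedFile "/"` and `WatchedDir "/" {""}`.
data Watched
  = WatchedFile FilePath               -- a single file to watch
  | WatchedDir FilePath (Set FilePath) -- a directory and the file names of interest in it
  deriving (Eq, Show)

-- | Drop each WatchedFile whose directory and file name are already covered
-- by a WatchedDir, so one write triggers one certificate reload, not two.
filterRedundant :: [Watched] -> [Watched]
filterRedundant ws = filter (not . redundant) ws
  where
    dirs = [(dir, names) | WatchedDir dir names <- ws]

    redundant (WatchedDir _ _) = False
    -- takeFileName "/" is "", which would match WatchedDir "/" {""};
    -- an empty file name is therefore never treated as covered.
    redundant (WatchedFile path) =
      let name = takeFileName path
       in not (null name) && any (covers (takeDirectory path) name) dirs

    covers dir name (watchedDir, names) =
      watchedDir == dir && name `Set.member` names

-- Constructed sample input (paths are illustrative only).
sample :: [Watched]
sample =
  [ WatchedDir "/secrets" (Set.fromList ["tls.crt", "tls.key"])
  , WatchedFile "/secrets/tls.crt" -- covered by the directory entry: dropped
  , WatchedFile "/secrets/ca.crt"  -- not in the directory's set: kept
  , WatchedDir "/" (Set.fromList [""])
  , WatchedFile "/"                -- empty file name: kept
  ]

main :: IO ()
main = mapM_ print (filterRedundant sample)
```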
This reverts commit 15d3d24. (I accidentally committed to the wrong branch, sorry!)
* Add application message to commit bundles
* Extract app message validation
* Validate and send bundle app messages
* Test application messages in bundles
* Wrap ClientMap in a newtype
* Send extra application message to new clients
* Add CHANGELOG entry
* Fix commit bundle roundtrip tests
* Fix warnings
* Send application message to new conversation members
Compatibility k8s 1.18 - >=1.25 was introduced in 58b7617 and some other PRs, but we no longer need support for ancient kubernetes versions now. This deletion of code should improve the readability of our helm charts.
* Changelog.
* Integration test.
* Postgres cli args in brig-index & fix type field in search.
* Work on Makefile.
  - new target "es-migrate" (must be separate from "es-reset" because to avoid cyclical dep with `make cr`)
  - "cr" target now uses "es-reset" as dependency
  - new target "postgres-migrate", make it dependency of "db-migrate"
  - fix phonyness annotation of "postgres-schema"
* Haddocks.
fisx approved these changes Jan 26, 2026
[2026-01-26] (Chart Release 5.26.0)
Release notes
Elasticsearch re-indexing requires postgres access now. If you run `brig-index` directly anywhere, make sure to add the relevant settings. The Elasticsearch index must be refilled from Cassandra in order for the changes to the search results to take effect. See https://docs.wire.com/latest/developer/reference/elastic-search.html?h=index#refill-es-documents-from-cassandra
Conversation codes can now be migrated to PostgreSQL. For existing installations:
- `postgresMigration.conversationCodes: migration-to-postgresql` in both `galley` and `background-worker`.
- `migrateConversationCodes: true`.
- `wire_conv_codes_migration_finished` to reach `1.0`.
- `postgresMigration.conversationCodes: postgresql` and disable `migrateConversationCodes`.
(WPB-22811 migrate conversation codes table to postgres #4961)
The background-worker defaults for the postgres migration now match galley and point to cassandra (previously postgres). This currently only affects the background job, which is not expected to run before postgres is in use. However, if you relied on the defaults after migrating to postgres, please update your config to keep using postgres. (WPB-22901 [fix] background-worker default postgres settings #4965)
Since the index mapping has been updated, the elastic search index
needs to be refilled from Cassandra, see
https://docs.wire.com/latest/developer/reference/elastic-search.html?h=index#refill-es-documents-from-cassandra
Drop support for kubernetes versions below 1.27 (helm: drop support for ingress below k8s 1.27 #4969)
API changes
New end-point `GET /teams/:tid/apps` listing all team apps. ([WPB-22793] GET /teams/:tid/apps #4960)
Add `type` field to search results received from `GET /search/contacts` (WPB-21366: Add user type field to `GET /search/contacts` #4913)

Features
nginx-ingress-services: Add `federator.tls.issuer` option to use a separate ClusterIssuer for federation mTLS certificates. (ingress-nginx chart: add seperate issuer for federator #4964)
Log changes to IdP configurations made via the IdP REST API to syslog. (Log SAML IdP changes #4935)
Allow commit bundles to contain one application message. The message must be for the epoch after the commit, and it gets sent after the commit has been accepted. (Application message in commit bundles #4929)
Bug fixes and other updates
background-worker's default settings for `postgresMigration` have been correctly set to `cassandra`. (WPB-22901 [fix] background-worker default postgres settings #4965)

Internal changes
Circumvent potential performance issue with `TVar (Map ...)` (WPB-22541 prevent performance issues with TVar Map #4948)
Migration of conversation codes from cassandra to postgres (WPB-22811 Move CodeStore to wire-subsystems #4959, WPB-22811 migrate conversation codes table to postgres #4961)
Drop `cryptobox`, handle prekey in pure Haskell. (WPB-19575: Drop Cryptobox #4719)
Move Feature Flags read to `wire-subsystems`. (WPB-21964: Add Wire Meetings creation endpoint #4918, WPB-21964 follow-up: moved TeamFeatureStore interpreter to subsystems #4974)
Federator: Replace Linux-only hinotify with cross-platform fsnotify library for certificate file monitoring. This enables native file system watching on both Linux and macOS, removing the need for platform-specific stubs. (Add macOS build support and cross-platform fsnotify for federator #4955)
Simplify and modernize the Nix setup of `rusty-jwt-tools`. This includes updating to version `0.14.0`. (Simplify rusty-jwt-tools Nix setup #4952)