Merge pull request #2449 from zerotier/dependabot/cargo/rustybits/openssl-0.10.72

Bump openssl from 0.10.70 to 0.10.72 in /rustybits

.clang-format

@@ -0,0 +1,75 @@
+---
+BasedOnStyle: LLVM
+BreakBeforeBraces: Stroustrup
+IndentWidth: 4
+TabWidth: 4
+AlignAfterOpenBracket: AlwaysBreak
+AlignConsecutiveMacros: 'true'
+AlignConsecutiveAssignments: 'false'
+AlignConsecutiveDeclarations: 'false'
+AlignEscapedNewlines: Right
+AlignOperands: 'true'
+AlignTrailingComments: 'true'
+AllowAllArgumentsOnNextLine: 'false'
+AllowAllConstructorInitializersOnNextLine: 'false'
+AllowAllParametersOfDeclarationOnNextLine: 'false'
+AllowShortBlocksOnASingleLine: 'true'
+AllowShortCaseLabelsOnASingleLine: 'false'
+AllowShortFunctionsOnASingleLine: None
+AllowShortIfStatementsOnASingleLine: Never
+AlwaysBreakAfterReturnType: None
+BinPackArguments: 'false'
+BinPackParameters: 'false'
+BreakBeforeBinaryOperators: NonAssignment
+BreakBeforeTernaryOperators: 'true'
+BreakConstructorInitializers: BeforeComma
+BreakInheritanceList: BeforeComma
+CompactNamespaces: 'false'
+ConstructorInitializerAllOnOneLineOrOnePerLine: 'true'
+ConstructorInitializerIndentWidth: '4'
+ContinuationIndentWidth: '4'
+Cpp11BracedListStyle: 'false'
+FixNamespaceComments: 'true'
+IncludeBlocks: Regroup
+IndentCaseLabels: 'true'
+IndentPPDirectives: None
+IndentWrappedFunctionNames: 'false'
+KeepEmptyLinesAtTheStartOfBlocks: 'false'
+MaxEmptyLinesToKeep: '1'
+NamespaceIndentation: None
+PointerAlignment: Left
+ReflowComments: 'true'
+SortIncludes: 'true'
+SortUsingDeclarations: 'true'
+SpaceAfterCStyleCast: 'false'
+SpaceAfterLogicalNot: 'true'
+SpaceAfterTemplateKeyword: 'true'
+SpaceBeforeAssignmentOperators: 'true'
+SpaceBeforeCpp11BracedList: 'true'
+SpaceBeforeCtorInitializerColon: 'true'
+SpaceBeforeInheritanceColon: 'true'
+SpaceBeforeParens: ControlStatements
+SpaceBeforeRangeBasedForLoopColon: 'true'
+SpaceInEmptyParentheses: 'false'
+SpacesBeforeTrailingComments: '3'
+SpacesInAngles: 'false'
+SpacesInCStyleCastParentheses: 'false'
+SpacesInContainerLiterals: 'true'
+SpacesInParentheses: 'false'
+SpacesInSquareBrackets: 'false'
+UseTab: 'Always'
+
+---
+Language: Cpp
+Standard: Cpp03
+ColumnLimit: '240'
+---
+Language: ObjC
+ColumnLimit: '240'
+---
+Language: Java
+ColumnLimit: '240'
+---
+Language: CSharp
+ColumnLimit: '240'
+...

.clangd

@@ -0,0 +1,6 @@
+CompileFlags:
+  Add:
+    - "-std=c++17"
+    - "-I../ext"
+    - "-I../ext/prometheus-cpp-lite-1.0/core/include"
+    - "-I../ext/prometheus-cpp-lite-1.0/simpleapi/include"

.drone.jsonnet

@@ -0,0 +1,256 @@
+//
+// tweakables
+//
+
+local registry = "084037375216.dkr.ecr.us-east-2.amazonaws.com";
+local build_channel = "zerotier-builds";
+local release_channel = "zerotier-releases";
+
+local targets = [
+    { "os": "linux", distro: "redhat", "name": "el9",      "isas": [                 "amd64", "arm64", "ppc64le", "s390x" ],                        "events": [ "tag", "custom" ] },
+    { "os": "linux", distro: "redhat", "name": "el8",      "isas": [                 "amd64", "arm64", "ppc64le", "s390x" ],                        "events": [ "tag" ] },
+    { "os": "linux", distro: "redhat", "name": "el7",      "isas": [ "386",          "amd64",          "ppc64le"],                                  "events": [ "tag" ] },
+    { "os": "linux", distro: "amazon", "name": "amzn2",    "isas": [                 "amd64", "arm64" ],                                            "events": [ "tag" ] },
+    { "os": "linux", distro: "amazon", "name": "amzn2022", "isas": [                 "amd64", "arm64" ],                                            "events": [ "tag" ] },
+    { "os": "linux", distro: "fedora", "name": "fc38",     "isas": [                 "amd64", "arm64", "ppc64le", "s390x" ],                        "events": [ "tag" ] },
+    { "os": "linux", distro: "fedora", "name": "fc37",     "isas": [                 "amd64", "arm64", "ppc64le", "s390x" ],                        "events": [ "tag" ] },
+    { "os": "linux", distro: "fedora", "name": "fc36",     "isas": [                 "amd64", "arm64", "ppc64le", "s390x" ],                        "events": [ "tag" ] },
+    { "os": "linux", distro: "ubuntu", "name": "jammy",    "isas": [        "armv7", "amd64", "arm64", "ppc64le", "s390x", "riscv64" ],             "events": [ "tag" ] },
+    { "os": "linux", distro: "ubuntu", "name": "focal",    "isas": [        "armv7", "amd64", "arm64", "ppc64le", "s390x", "riscv64" ],             "events": [ "tag" ] },
+    { "os": "linux", distro: "ubuntu", "name": "bionic",   "isas": [ "386", "armv7", "amd64", "arm64", "ppc64le", "s390x" ],                        "events": [ "tag" ] },
+    { "os": "linux", distro: "ubuntu", "name": "xenial",   "isas": [ "386", "armv7", "amd64", "arm64", "ppc64le", "s390x" ],                        "events": [ "tag" ] },
+    { "os": "linux", distro: "ubuntu", "name": "trusty",   "isas": [ "386", "armv7", "amd64", "arm64" ],                                            "events": [ "tag" ] },
+    { "os": "linux", distro: "debian", "name": "bookworm", "isas": [ "386", "armv7", "amd64", "arm64", "mips64le", "ppc64le", "s390x" ],            "events": [ "tag"] },
+    { "os": "linux", distro: "debian", "name": "bullseye", "isas": [ "386", "armv7", "amd64", "arm64", "mips64le", "ppc64le", "s390x" ],            "events": [ "push", "tag", "custom" ] },
+    { "os": "linux", distro: "debian", "name": "buster",   "isas": [ "386", "armv7", "amd64", "arm64" ],                                            "events": [ "tag" ] },
+    { "os": "linux", distro: "debian", "name": "stretch",  "isas": [ "386", "armv7", "amd64", "arm64" ],                                            "events": [ "tag" ] },
+    { "os": "linux", distro: "debian", "name": "jessie",   "isas": [ "386", "armv7", "amd64" ],                                                     "events": [ "tag" ] },
+
+//   { "os": "windows", distro: "windows", "name": "windows",  "isas": [ "amd64" ], "events": [ "push", "tag", "custom" ] },
+//   { "os": "darwin", distro: "darwin", "name": "darwin",  "isas": [ "amd64" ], "events": [ "push", "tag", "custom" ] },
+
+];
+
+local less_targets = [
+      { "os": "linux", distro: "redhat", "name": "el9",      "isas": [                 "amd64", "arm64" ],                        "events": [ "push", "tag", "custom" ] },
+      { "os": "linux", distro: "redhat", "name": "el8",      "isas": [                 "amd64", "arm64" ],                        "events": [ "push", "tag", "custom" ] },
+      { "os": "linux", distro: "ubuntu", "name": "jammy",    "isas": [        "armv7", "amd64", "arm64" ],             "events": [ "push", "tag", "custom" ] },
+      { "os": "linux", distro: "ubuntu", "name": "focal",    "isas": [        "armv7", "amd64", "arm64" ],             "events": [ "push", "tag", "custom" ] },
+];
+
+
+local native_targets = [
+      { "os": "linux", distro: "debian", "name": "bullseye", "isas": [ "386", "armv7", "amd64", "arm64" ],            "events": [ "push", "tag", "custom" ] },
+];    
+
+local master_targets = [
+      //
+      // copypasta from here
+      //
+      { "os": "linux", distro: "redhat", "name": "el9",      "isas": [                 "amd64", "arm64", "ppc64le", "s390x" ],                        "events": [ "push", "tag", "custom" ] },
+      { "os": "linux", distro: "redhat", "name": "el8",      "isas": [                 "amd64", "arm64", "ppc64le", "s390x" ],                        "events": [ "push", "tag", "custom" ] },
+      { "os": "linux", distro: "redhat", "name": "el7",      "isas": [ "386", "amd64",          "ppc64le"],                                  "events": [ "push", "tag", "custom" ] },
+      { "os": "linux", distro: "amazon", "name": "amzn2",    "isas": [                 "amd64", "arm64" ],                                            "events": [ "push", "tag", "custom" ] },
+      { "os": "linux", distro: "amazon", "name": "amzn2022", "isas": [                 "amd64", "arm64" ],                                            "events": [ "push", "tag", "custom" ] },
+      { "os": "linux", distro: "fedora", "name": "fc38",     "isas": [                 "amd64", "arm64", "ppc64le", "s390x" ],                        "events": [ "push", "tag", "custom" ] },
+      { "os": "linux", distro: "fedora", "name": "fc37",     "isas": [                 "amd64", "arm64", "ppc64le", "s390x" ],                        "events": [ "push", "tag", "custom" ] },
+      { "os": "linux", distro: "fedora", "name": "fc36",     "isas": [                 "amd64", "arm64", "ppc64le", "s390x" ],                        "events": [ "push", "tag", "custom" ] },
+      { "os": "linux", distro: "ubuntu", "name": "jammy",    "isas": [        "armv7", "amd64", "arm64", "ppc64le", "s390x", "riscv64" ],             "events": [ "push", "tag", "custom" ] },
+      { "os": "linux", distro: "ubuntu", "name": "focal",    "isas": [        "armv7", "amd64", "arm64", "ppc64le", "s390x", "riscv64" ],             "events": [ "push", "tag", "custom" ] },
+      { "os": "linux", distro: "ubuntu", "name": "bionic",   "isas": [ "386", "armv7", "amd64", "arm64", "ppc64le", "s390x" ],                        "events": [ "push", "tag", "custom" ] },
+      { "os": "linux", distro: "ubuntu", "name": "xenial",   "isas": [ "386", "armv7", "amd64", "arm64", "ppc64le", "s390x" ],                        "events": [ "push", "tag", "custom" ] },
+      { "os": "linux", distro: "ubuntu", "name": "trusty",   "isas": [ "386", "armv7", "amd64", "arm64" ],                                            "events": [ "push", "tag", "custom" ] },
+      { "os": "linux", distro: "debian", "name": "sid",      "isas": [ "386", "armv7", "amd64", "arm64", "mips64le", "ppc64le", "s390x", "riscv64" ], "events": [ "push", "tag", "custom" ] },
+      { "os": "linux", distro: "debian", "name": "bookworm", "isas": [ "386", "armv7", "amd64", "arm64", "mips64le", "ppc64le", "s390x" ],            "events": [ "push", "tag", "custom" ] },
+      { "os": "linux", distro: "debian", "name": "bullseye", "isas": [ "386", "armv7", "amd64", "arm64", "mips64le", "ppc64le", "s390x" ],            "events": [ "push", "tag", "custom" ] },
+      { "os": "linux", distro: "debian", "name": "buster",   "isas": [ "386", "armv7", "amd64", "arm64" ],                                            "events": [ "push", "tag", "custom" ] },
+      { "os": "linux", distro: "debian", "name": "stretch",  "isas": [ "386", "armv7", "amd64", "arm64" ],                                            "events": [ "push", "tag", "custom" ] },
+      { "os": "linux", distro: "debian", "name": "jessie",   "isas": [ "386", "armv7", "amd64" ],                                                     "events": [ "push", "tag", "custom" ] },
+      { "os": "windows", distro: "windows", "name": "win2k22", "isas": [ "amd64" ],                                                                     "events": [ "push", "tag", "custom" ] }
+];
+
+//
+// functions
+//
+
+local pipeline_type(os)  = if os == "darwin" then "exec" else "docker";
+local builder_image(os)  = if os == "linux" then registry + "/honda-builder" else registry + "/windows-builder";
+local tester_image(os)   = if os == "linux" then registry + "/honda-builder" else registry + "/windows-tester";
+local build_step_volumes(os) = if os == "linux" then [ { name: "zerotier-builds", path: "/zerotier-builds" } ] else [];
+local release_step_volumes(os) = if os == "linux" then [ { name: "zerotier-releases", path: "/zerotier-releases" } ] else [];
+local host_volumes(os)   = if os == "linux" then [
+  { name: "zerotier-builds", host: { path: "/zerotier-builds" } },
+  { name: "zerotier-releases", host: { path: "/zerotier-releases" } },
+] else [];
+
+local index_image(distro) =
+      if distro == "debian" || distro == "ubuntu" then
+          registry + "/apt-builder"
+      else if distro == "redhat" || distro == "fedora" || distro == "amazon" then
+          registry + "/dnf-builder"
+      else if distro == "windows" then
+          registry + "/msi-builder"
+;          
+
+local copy_commands(os, distro, name, isa, version) =
+  if os == "linux" then [
+      std.join(" ", [ "./ci/scripts/publish.sh", name, distro, isa, version, "${DRONE_BUILD_EVENT}" ])
+    ]
+    else if os == "windows" then [  
+      "C:\\scripts\\fix-ec2-metadata.ps1",
+      "Get-ChildItem windows",
+      // "aws s3 cp windows\\bytey-SetupFiles\\bytey.msi s3://zerotier-builds/windows/" + version + "/bytey.msi",
+    ] else if os == "darwin" then [
+        "echo hello"
+      ]
+;
+
+local index_commands(os, channel, distro, name, isas) =
+      if os == "linux" then
+        [ "/usr/local/bin/index " + channel + " " + distro + " " + name  + " " + std.join(" ", isas) ]
+      else if os == "windows" then
+        [ "Get-ChildItem -Recurse windows" ]
+;
+
+local build_commands(os, distro, name, isa, version) =
+      if os == "linux" then
+        [ std.join(" ", [ "./ci/scripts/build.sh", name, distro, isa, version, "${DRONE_BUILD_EVENT}" ]) ]
+      else
+        if os == "windows" then
+           [ "windows/build.ps1", "windows/package.ps1" ]
+      else
+        if os == "darwin" then
+           [ "whoami" ]
+;
+
+local test_commands(os, distro, name, isa, version) =
+  if os == "linux" then
+    [ std.join(" ", [ "./ci/scripts/test.sh", name, distro, isa, version, "${DRONE_BUILD_EVENT}" ]) ]
+  else
+    if os == "windows" then
+      [ "windows/testpackage.ps1 " + version ]
+;
+
+//
+// render
+//
+
+local Build(os, distro, name, isa, events) = {
+  "kind": "pipeline",
+  "type": pipeline_type(os),
+  "name": std.join(" ", [ name, isa, "build" ]),
+  "pull": "always",
+  "clone": { "depth": 1, [ if os == "darwin" then "disable" ]: true },
+  "steps": [
+    {
+      "name": "build",
+      "image": builder_image(os),
+      "commands": build_commands(os, distro, name, isa, "100.0.0+${DRONE_COMMIT_SHA:0:8}"),
+      "when": { "event": [ "push" ]},
+    },
+    {
+      "name": "release",
+      "image": builder_image(os),
+      "commands": build_commands(os, distro, name, isa, "${DRONE_TAG}"),
+      "when": { "event": [ "tag" ]},
+    },    
+    {
+      "name": "copy build",
+      "image": builder_image(os),
+      "commands": copy_commands(os, distro, name, isa, "100.0.0+${DRONE_COMMIT_SHA:0:8}"),
+      "volumes": build_step_volumes(os),
+      "when": { "event": [ "push" ]},
+    },
+    {
+      "name": "copy relase",
+      "image": builder_image(os),
+      "commands": copy_commands(os, distro, name, isa, "${DRONE_TAG}"),
+      "volumes": release_step_volumes(os),
+      "when": { "event": [ "tag" ]},      
+    },    
+  ],
+  "volumes": host_volumes(os),
+  "platform": { "os": os, [ if isa == "arm64" || isa == "armv7" then "arch" ]: "arm64" },
+  "trigger": { "event": events }
+};
+
+local Test(os, distro, name, isa, events) = {
+  "kind": "pipeline",
+  "type": pipeline_type(os),
+  "name": std.join(" ", [ name, isa, "test"]),
+  "pull": "always",
+  "clone": { "depth": 1 },
+  "steps": [
+    {
+      "name": "test build",
+      "image": tester_image(os),
+      "volumes": build_step_volumes(os),
+      "commands": test_commands(os, distro, name, isa, "100.0.0+${DRONE_COMMIT_SHA:0:8}"),
+      "when": { "event": [ "push" ]},
+    },
+    {
+      "name": "test release",
+      "image": tester_image(os),
+      "volumes": release_step_volumes(os),
+      "commands": test_commands(os, distro, name, isa, "${DRONE_TAG}"),
+      "when": { "event": [ "tag" ]},
+    },    
+  ],
+  "volumes": host_volumes(os),
+  "platform": { "os": os, [ if isa == "arm64" || isa == "armv7" then "arch" ]: "arm64" },
+  "depends_on": [ std.join(" ", [ name, "index" ]) ],
+  "trigger": { "event": events }
+};
+
+local Index(p) = {
+  "kind": "pipeline",
+  "type": pipeline_type(p.os),
+  "name": std.join(" ", [ p.name, "index" ]),
+  "pull": "always",
+  "clone": { "depth": 1 },
+  "steps": [
+    {
+      "name": "index build",
+      "image": index_image(p.distro),
+      "commands": index_commands(p.os, "zerotier-builds", p.distro, p.name, p.isas),
+      "volumes": build_step_volumes(p.os),
+      "environment":{ "GPG_PRIVATE_KEY": { from_secret: "gpg-private-key" }},
+      "when": { "event": [ "push" ]},
+    },
+    {
+      "name": "index release",
+      "image": index_image(p.distro),
+      "commands": index_commands(p.os, "zerotier-releases", p.distro, p.name, p.isas),
+      "volumes": release_step_volumes(p.os),
+      "environment":{ "GPG_PRIVATE_KEY": { from_secret: "gpg-private-key" }},
+      "when": { "event": [ "tag" ]},  
+    },    
+  ],
+  "volumes": host_volumes(p.os),
+  "platform": { "os": p.os },
+  depends_on: std.flattenArrays([ [ std.join(" ", [ p.name, isa, "build" ]) ] for isa in p.isas ]),
+  "trigger": { "event": p.events }
+};
+
+//
+// print
+//
+
+std.flattenArrays([
+    [
+      Build(p.os, p.distro, p.name, isa, p.events)
+        for isa in p.isas
+    ] +
+    [
+      Index(p)
+    ]
+    for p in native_targets
+ ]) +
+ std.flattenArrays([
+     [
+        Test(p.os, p.distro, p.name, isa, p.events)
+         for isa in p.isas
+     ]
+     for p in native_targets
+ ])
+ 

.drone.yml

@@ -0,0 +1,465 @@
+---
+clone:
+  depth: 1
+kind: pipeline
+name: bullseye 386 build
+platform:
+  os: linux
+pull: always
+steps:
+- commands:
+  - ./ci/scripts/build.sh bullseye debian 386 100.0.0+${DRONE_COMMIT_SHA:0:8} ${DRONE_BUILD_EVENT}
+  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
+  name: build
+  when:
+    event:
+    - push
+- commands:
+  - ./ci/scripts/build.sh bullseye debian 386 ${DRONE_TAG} ${DRONE_BUILD_EVENT}
+  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
+  name: release
+  when:
+    event:
+    - tag
+- commands:
+  - ./ci/scripts/publish.sh bullseye debian 386 100.0.0+${DRONE_COMMIT_SHA:0:8} ${DRONE_BUILD_EVENT}
+  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
+  name: copy build
+  volumes:
+  - name: zerotier-builds
+    path: /zerotier-builds
+  when:
+    event:
+    - push
+- commands:
+  - ./ci/scripts/publish.sh bullseye debian 386 ${DRONE_TAG} ${DRONE_BUILD_EVENT}
+  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
+  name: copy relase
+  volumes:
+  - name: zerotier-releases
+    path: /zerotier-releases
+  when:
+    event:
+    - tag
+trigger:
+  event:
+  - push
+  - tag
+  - custom
+type: docker
+volumes:
+- host:
+    path: /zerotier-builds
+  name: zerotier-builds
+- host:
+    path: /zerotier-releases
+  name: zerotier-releases
+---
+clone:
+  depth: 1
+kind: pipeline
+name: bullseye armv7 build
+platform:
+  arch: arm64
+  os: linux
+pull: always
+steps:
+- commands:
+  - ./ci/scripts/build.sh bullseye debian armv7 100.0.0+${DRONE_COMMIT_SHA:0:8} ${DRONE_BUILD_EVENT}
+  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
+  name: build
+  when:
+    event:
+    - push
+- commands:
+  - ./ci/scripts/build.sh bullseye debian armv7 ${DRONE_TAG} ${DRONE_BUILD_EVENT}
+  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
+  name: release
+  when:
+    event:
+    - tag
+- commands:
+  - ./ci/scripts/publish.sh bullseye debian armv7 100.0.0+${DRONE_COMMIT_SHA:0:8}
+    ${DRONE_BUILD_EVENT}
+  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
+  name: copy build
+  volumes:
+  - name: zerotier-builds
+    path: /zerotier-builds
+  when:
+    event:
+    - push
+- commands:
+  - ./ci/scripts/publish.sh bullseye debian armv7 ${DRONE_TAG} ${DRONE_BUILD_EVENT}
+  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
+  name: copy relase
+  volumes:
+  - name: zerotier-releases
+    path: /zerotier-releases
+  when:
+    event:
+    - tag
+trigger:
+  event:
+  - push
+  - tag
+  - custom
+type: docker
+volumes:
+- host:
+    path: /zerotier-builds
+  name: zerotier-builds
+- host:
+    path: /zerotier-releases
+  name: zerotier-releases
+---
+clone:
+  depth: 1
+kind: pipeline
+name: bullseye amd64 build
+platform:
+  os: linux
+pull: always
+steps:
+- commands:
+  - ./ci/scripts/build.sh bullseye debian amd64 100.0.0+${DRONE_COMMIT_SHA:0:8} ${DRONE_BUILD_EVENT}
+  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
+  name: build
+  when:
+    event:
+    - push
+- commands:
+  - ./ci/scripts/build.sh bullseye debian amd64 ${DRONE_TAG} ${DRONE_BUILD_EVENT}
+  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
+  name: release
+  when:
+    event:
+    - tag
+- commands:
+  - ./ci/scripts/publish.sh bullseye debian amd64 100.0.0+${DRONE_COMMIT_SHA:0:8}
+    ${DRONE_BUILD_EVENT}
+  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
+  name: copy build
+  volumes:
+  - name: zerotier-builds
+    path: /zerotier-builds
+  when:
+    event:
+    - push
+- commands:
+  - ./ci/scripts/publish.sh bullseye debian amd64 ${DRONE_TAG} ${DRONE_BUILD_EVENT}
+  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
+  name: copy relase
+  volumes:
+  - name: zerotier-releases
+    path: /zerotier-releases
+  when:
+    event:
+    - tag
+trigger:
+  event:
+  - push
+  - tag
+  - custom
+type: docker
+volumes:
+- host:
+    path: /zerotier-builds
+  name: zerotier-builds
+- host:
+    path: /zerotier-releases
+  name: zerotier-releases
+---
+clone:
+  depth: 1
+kind: pipeline
+name: bullseye arm64 build
+platform:
+  arch: arm64
+  os: linux
+pull: always
+steps:
+- commands:
+  - ./ci/scripts/build.sh bullseye debian arm64 100.0.0+${DRONE_COMMIT_SHA:0:8} ${DRONE_BUILD_EVENT}
+  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
+  name: build
+  when:
+    event:
+    - push
+- commands:
+  - ./ci/scripts/build.sh bullseye debian arm64 ${DRONE_TAG} ${DRONE_BUILD_EVENT}
+  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
+  name: release
+  when:
+    event:
+    - tag
+- commands:
+  - ./ci/scripts/publish.sh bullseye debian arm64 100.0.0+${DRONE_COMMIT_SHA:0:8}
+    ${DRONE_BUILD_EVENT}
+  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
+  name: copy build
+  volumes:
+  - name: zerotier-builds
+    path: /zerotier-builds
+  when:
+    event:
+    - push
+- commands:
+  - ./ci/scripts/publish.sh bullseye debian arm64 ${DRONE_TAG} ${DRONE_BUILD_EVENT}
+  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
+  name: copy relase
+  volumes:
+  - name: zerotier-releases
+    path: /zerotier-releases
+  when:
+    event:
+    - tag
+trigger:
+  event:
+  - push
+  - tag
+  - custom
+type: docker
+volumes:
+- host:
+    path: /zerotier-builds
+  name: zerotier-builds
+- host:
+    path: /zerotier-releases
+  name: zerotier-releases
+---
+clone:
+  depth: 1
+depends_on:
+- bullseye 386 build
+- bullseye armv7 build
+- bullseye amd64 build
+- bullseye arm64 build
+kind: pipeline
+name: bullseye index
+platform:
+  os: linux
+pull: always
+steps:
+- commands:
+  - /usr/local/bin/index zerotier-builds debian bullseye 386 armv7 amd64 arm64
+  environment:
+    GPG_PRIVATE_KEY:
+      from_secret: gpg-private-key
+  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/apt-builder
+  name: index build
+  volumes:
+  - name: zerotier-builds
+    path: /zerotier-builds
+  when:
+    event:
+    - push
+- commands:
+  - /usr/local/bin/index zerotier-releases debian bullseye 386 armv7 amd64 arm64
+  environment:
+    GPG_PRIVATE_KEY:
+      from_secret: gpg-private-key
+  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/apt-builder
+  name: index release
+  volumes:
+  - name: zerotier-releases
+    path: /zerotier-releases
+  when:
+    event:
+    - tag
+trigger:
+  event:
+  - push
+  - tag
+  - custom
+type: docker
+volumes:
+- host:
+    path: /zerotier-builds
+  name: zerotier-builds
+- host:
+    path: /zerotier-releases
+  name: zerotier-releases
+---
+clone:
+  depth: 1
+depends_on:
+- bullseye index
+kind: pipeline
+name: bullseye 386 test
+platform:
+  os: linux
+pull: always
+steps:
+- commands:
+  - ./ci/scripts/test.sh bullseye debian 386 100.0.0+${DRONE_COMMIT_SHA:0:8} ${DRONE_BUILD_EVENT}
+  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
+  name: test build
+  volumes:
+  - name: zerotier-builds
+    path: /zerotier-builds
+  when:
+    event:
+    - push
+- commands:
+  - ./ci/scripts/test.sh bullseye debian 386 ${DRONE_TAG} ${DRONE_BUILD_EVENT}
+  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
+  name: test release
+  volumes:
+  - name: zerotier-releases
+    path: /zerotier-releases
+  when:
+    event:
+    - tag
+trigger:
+  event:
+  - push
+  - tag
+  - custom
+type: docker
+volumes:
+- host:
+    path: /zerotier-builds
+  name: zerotier-builds
+- host:
+    path: /zerotier-releases
+  name: zerotier-releases
+---
+clone:
+  depth: 1
+depends_on:
+- bullseye index
+kind: pipeline
+name: bullseye armv7 test
+platform:
+  arch: arm64
+  os: linux
+pull: always
+steps:
+- commands:
+  - ./ci/scripts/test.sh bullseye debian armv7 100.0.0+${DRONE_COMMIT_SHA:0:8} ${DRONE_BUILD_EVENT}
+  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
+  name: test build
+  volumes:
+  - name: zerotier-builds
+    path: /zerotier-builds
+  when:
+    event:
+    - push
+- commands:
+  - ./ci/scripts/test.sh bullseye debian armv7 ${DRONE_TAG} ${DRONE_BUILD_EVENT}
+  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
+  name: test release
+  volumes:
+  - name: zerotier-releases
+    path: /zerotier-releases
+  when:
+    event:
+    - tag
+trigger:
+  event:
+  - push
+  - tag
+  - custom
+type: docker
+volumes:
+- host:
+    path: /zerotier-builds
+  name: zerotier-builds
+- host:
+    path: /zerotier-releases
+  name: zerotier-releases
+---
+clone:
+  depth: 1
+depends_on:
+- bullseye index
+kind: pipeline
+name: bullseye amd64 test
+platform:
+  os: linux
+pull: always
+steps:
+- commands:
+  - ./ci/scripts/test.sh bullseye debian amd64 100.0.0+${DRONE_COMMIT_SHA:0:8} ${DRONE_BUILD_EVENT}
+  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
+  name: test build
+  volumes:
+  - name: zerotier-builds
+    path: /zerotier-builds
+  when:
+    event:
+    - push
+- commands:
+  - ./ci/scripts/test.sh bullseye debian amd64 ${DRONE_TAG} ${DRONE_BUILD_EVENT}
+  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
+  name: test release
+  volumes:
+  - name: zerotier-releases
+    path: /zerotier-releases
+  when:
+    event:
+    - tag
+trigger:
+  event:
+  - push
+  - tag
+  - custom
+type: docker
+volumes:
+- host:
+    path: /zerotier-builds
+  name: zerotier-builds
+- host:
+    path: /zerotier-releases
+  name: zerotier-releases
+---
+clone:
+  depth: 1
+depends_on:
+- bullseye index
+kind: pipeline
+name: bullseye arm64 test
+platform:
+  arch: arm64
+  os: linux
+pull: always
+steps:
+- commands:
+  - ./ci/scripts/test.sh bullseye debian arm64 100.0.0+${DRONE_COMMIT_SHA:0:8} ${DRONE_BUILD_EVENT}
+  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
+  name: test build
+  volumes:
+  - name: zerotier-builds
+    path: /zerotier-builds
+  when:
+    event:
+    - push
+- commands:
+  - ./ci/scripts/test.sh bullseye debian arm64 ${DRONE_TAG} ${DRONE_BUILD_EVENT}
+  image: 084037375216.dkr.ecr.us-east-2.amazonaws.com/honda-builder
+  name: test release
+  volumes:
+  - name: zerotier-releases
+    path: /zerotier-releases
+  when:
+    event:
+    - tag
+trigger:
+  event:
+  - push
+  - tag
+  - custom
+type: docker
+volumes:
+- host:
+    path: /zerotier-builds
+  name: zerotier-builds
+- host:
+    path: /zerotier-releases
+  name: zerotier-releases
+---
+kind: signature
+hmac: 887a3ef78d3fe8f0149911e1e4876401dd7dd313b36eb893e791fa42f45d7768
+
+...

.github/ISSUE_TEMPLATE/bugs-and-issues.md

@@ -11,39 +11,21 @@ assignees: ''
 
 _Using these will ensure you get quicker support, and make this space available for code-related issues. Thank you!_
 
-- [Knowledge Base](https://zerotier.atlassian.net/wiki/spaces/SD/overview) => Guides and documentation on how to use ZeroTier.
+- [Docs Site](https://docs.zerotier.com/zerotier/troubleshooting) => Troubleshooting, quickstarts, and more advanced topics.
 - [Discuss Forum](https://discuss.zerotier.com/) => Our discussion forum for users and support to mutually resolve issues & suggest ideas.
 - [Reddit](https://www.reddit.com/r/zerotier/) => Our subreddit, which we monitor regularly and is fairly active.
+- [Knowledge Base](https://zerotier.atlassian.net/wiki/spaces/SD/overview) => Older wiki.
+
+If you are having a connection issue, it's much easier to diagnose through the discussion forum or the ticket system. 
+
 
 # If you still want to file a Bug Report
 
-## Required
+## Please let us know
 
 - What you expect to be happening.
 - What is actually happening?
 - Any steps to reproduce the error.
-- Any screenshots that would help us out.
+- Any relevant console output or screenshots.
+- What operating system and ZeroTier version. Please try the latest ZeroTier release. 
 
-## Additional information 
-
-**Desktop (please complete the following information):**
- - OS: [e.g. Mac, Linux, Windows, BSD]
- - OS/Distribution Version
- - ZeroTier Version [e.g. 1.4.6]
-  
-**Smartphone (please complete the following information):**
- - Device: [e.g. iPhone6]
- - OS: [e.g. iOS8.1]
- - ZeroTier Version [e.g. 1.4.6]
-
- **Embedded & NAS (please complete the following information):**
- - Device: [e.g. Synology, Pi4]
- - OS/Distribution (if applicable)
- - ZeroTier Version [e.g. 1.4.6]
-
-**Additional context**
-- ZeroTier Network Configuration: IPv4 & IPv6 networks defined on your ZeroTier Central
-- Router Config: are you permitting port 9993, uPnP, and NAT-PMP?
-- Firewall Config: are you permitting port 9993 on your OS; setting it to "Private" on Windows?
-- Are you using this at home, in an office, college, etc?
-- Have you tried screaming into your router?

.github/workflows/build.yml

@@ -0,0 +1,126 @@
+on:
+  pull_request:
+  push:
+  workflow_dispatch:
+
+jobs:
+  build_ubuntu:
+    runs-on: ubuntu-latest
+    steps:
+    - name: gitconfig
+      run: |
+        git config --global core.autocrlf input
+      #        git config --global core.eol lf
+    - name: checkout
+      uses: actions/checkout@v4
+    - name: Install Rust
+      uses: dtolnay/rust-toolchain@stable
+      with:
+        toolchain: stable
+        targets: x86_64-unknown-linux-gnu
+        components: rustfmt, clippy
+
+    - name: Set up cargo cache
+      uses: Swatinem/rust-cache@v2
+      continue-on-error: false
+      with:
+        key: ${{ runner.os }}-cargo-${{ hashFiles('rustybits//Cargo.lock') }}
+        shared-key: ${{ runner.os }}-cargo-
+        workspaces: |
+          rustybits/
+
+    - name: make
+      run: make
+    - name: selftest
+      run: |
+        make selftest
+        ./zerotier-selftest
+    - name: 'Tar files' # keeps permissions (execute)
+      run: tar -cvf zerotier-one.tar zerotier-one
+    - name: Archive production artifacts
+      uses: actions/upload-artifact@v4
+      with:
+        name: zerotier-one-ubuntu-x64
+        path: zerotier-one.tar
+        retention-days: 7
+
+  build_macos:
+    runs-on: macos-latest
+    steps:
+    - name: gitconfig
+      run: |
+        git config --global core.autocrlf input
+      #        git config --global core.eol lf
+    - name: checkout
+      uses: actions/checkout@v4
+    - name: Install Rust aarch64
+      uses: dtolnay/rust-toolchain@stable
+      with:
+        toolchain: stable
+        target: aarch64-apple-darwin
+        components: rustfmt, clippy
+    - name: Install Rust x86_64
+      uses: dtolnay/rust-toolchain@stable
+      with:
+        toolchain: stable
+        target: x86_64-apple-darwin
+        components: rustfmt, clippy
+    - name: Set up cargo cache
+      uses: Swatinem/rust-cache@v2
+      continue-on-error: false
+      with:
+        key: ${{ runner.os }}-cargo-${{ hashFiles('rustybits//Cargo.lock') }}
+        shared-key: ${{ runner.os }}-cargo-
+        workspaces: |
+          rustybits/
+    - name: make
+      run: make
+    - name: selftest
+      run: |
+        make selftest
+        ./zerotier-selftest
+    - name: 'Tar files' # keeps permissions (execute)
+      run: tar -cvf zerotier-one.tar zerotier-one
+    - name: Archive production artifacts
+      uses: actions/upload-artifact@v4
+      with:
+        name: zerotier-one-mac
+        path: zerotier-one.tar
+        retention-days: 7
+
+
+  build_windows:
+    runs-on: windows-latest
+    steps:
+    - name: gitconfig
+      run: |
+        git config --global core.autocrlf true
+      #        git config --global core.eol lf
+    - name: checkout
+      uses: actions/checkout@v4
+    - name: Install Rust
+      uses: dtolnay/rust-toolchain@stable
+      with:
+        toolchain: stable
+        target: aarch64-apple-darwin
+        components: rustfmt, clippy
+    - name: Set up cargo cache
+      uses: Swatinem/rust-cache@v2
+      continue-on-error: false
+      with:
+        key: ${{ runner.os }}-cargo-${{ hashFiles('rustybits//Cargo.lock') }}
+        shared-key: ${{ runner.os }}-cargo-
+        workspaces: |
+          rustybits/
+
+    - name: setup msbuild
+      uses: microsoft/setup-msbuild@v2
+    - name: msbuild
+      run: |
+        msbuild windows\ZeroTierOne.sln /m /p:Configuration=Release  /property:Platform=x64 /t:ZeroTierOne
+    - name: Archive production artifacts
+      uses: actions/upload-artifact@v4
+      with:
+        name: zerotier-one-windows
+        path: windows/Build
+        retention-days: 7

.github/workflows/validate-linux.sh

@@ -0,0 +1,497 @@
+#!/bin/bash
+
+# This test script joins Earth and pokes some stuff
+
+TEST_NETWORK=8056c2e21c000001
+RUN_LENGTH=30
+TEST_FINISHED=false
+ZTO_VER=$(git describe --tags $(git rev-list --tags --max-count=1))
+ZTO_COMMIT=$(git rev-parse HEAD)
+ZTO_COMMIT_SHORT=$(git rev-parse --short HEAD)
+TEST_DIR_PREFIX="$ZTO_VER-$ZTO_COMMIT_SHORT-test-results"
+
+TEST_OK=0
+TEST_FAIL=1
+
+echo "Performing test on: $ZTO_VER-$ZTO_COMMIT_SHORT"
+TEST_FILEPATH_PREFIX="$TEST_DIR_PREFIX/$ZTO_COMMIT_SHORT"
+mkdir $TEST_DIR_PREFIX
+
+# How long we will wait for ZT to come online before considering it a failure
+MAX_WAIT_SECS=30
+
+ZT_PORT_NODE_1=9996
+ZT_PORT_NODE_2=9997
+
+################################################################################
+# Multi-node connectivity and performance test                                 #
+################################################################################
+
+test() {
+
+	echo -e "\nPerforming pre-flight checks"
+
+	check_exit_on_invalid_identity
+
+	echo -e "\nRunning test for $RUN_LENGTH seconds"
+
+	export NS1="ip netns exec ns1"
+	export NS2="ip netns exec ns2"
+
+	export ZT1="$NS1 ./zerotier-cli -p9996 -D$(pwd)/node1"
+	# Specify custom port on one node to ensure that feature works
+	export ZT2="$NS2 ./zerotier-cli -p9997 -D$(pwd)/node2"
+
+	echo -e "\nSetting up network namespaces..."
+	echo "Setting up ns1"
+
+	ip netns add ns1
+	$NS1 ip link set dev lo up
+	ip link add veth0 type veth peer name veth1
+	ip link set veth1 netns ns1
+	ip addr add 192.168.0.1/24 dev veth0
+	ip link set dev veth0 up
+
+	$NS1 ip addr add 192.168.0.2/24 dev veth1
+	$NS1 ip link set dev veth1 up
+
+	# Add default route
+	$NS1 ip route add default via 192.168.0.1
+
+	iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 \
+		-o eth0 -j MASQUERADE
+	iptables -A FORWARD -i eth0 -o veth0 -j ACCEPT
+	iptables -A FORWARD -o eth0 -i veth0 -j ACCEPT
+
+	echo "Setting up ns2"
+	ip netns add ns2
+	$NS2 ip link set dev lo up
+	ip link add veth2 type veth peer name veth3
+	ip link set veth3 netns ns2
+	ip addr add 192.168.1.1/24 dev veth2
+	ip link set dev veth2 up
+
+	$NS2 ip addr add 192.168.1.2/24 dev veth3
+	$NS2 ip link set dev veth3 up
+	$NS2 ip route add default via 192.168.1.1
+
+	iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 \
+		-o eth0 -j MASQUERADE
+	iptables -A FORWARD -i eth0 -o veth2 -j ACCEPT
+	iptables -A FORWARD -o eth0 -i veth2 -j ACCEPT
+
+	# Allow forwarding
+	sysctl -w net.ipv4.ip_forward=1
+
+	################################################################################
+	# Memory Leak Check                                                            #
+	################################################################################
+
+	export FILENAME_MEMORY_LOG="$TEST_FILEPATH_PREFIX-memory.log"
+
+	echo -e "\nStarting a ZeroTier instance in each namespace..."
+
+	export time_test_start=$(date +%s)
+
+	# Spam the CLI as ZeroTier is starting
+	spam_cli 100
+
+	echo "Starting memory leak check"
+	$NS1 sudo valgrind --demangle=yes --exit-on-first-error=yes \
+		--error-exitcode=1 \
+		--xml=yes \
+		--xml-file=$FILENAME_MEMORY_LOG \
+		--leak-check=full \
+		./zerotier-one node1 -p$ZT_PORT_NODE_1 -U >>node_1.log 2>&1 &
+
+	# Second instance, not run in memory profiler
+	# Don't set up internet access until _after_ zerotier is running
+	# This has been a source of stuckness in the past.
+	$NS2 ip addr del 192.168.1.2/24 dev veth3
+	$NS2 sudo ./zerotier-one node2 -U -p$ZT_PORT_NODE_2 >>node_2.log 2>&1 &
+
+	sleep 10; # New HTTP control plane is a bit sluggish, so we delay here
+
+	check_bind_to_correct_ports $ZT_PORT_NODE_1
+	check_bind_to_correct_ports $ZT_PORT_NODE_2
+
+	$NS2 ip addr add 192.168.1.2/24 dev veth3
+	$NS2 ip route add default via 192.168.1.1
+
+	echo -e "\nPing from host to namespaces"
+
+	ping -c 3 192.168.0.1
+	ping -c 3 192.168.1.1
+
+	echo -e "\nPing from namespace to host"
+
+	$NS1 ping -c 3 192.168.0.1
+	$NS1 ping -c 3 192.168.0.1
+	$NS2 ping -c 3 192.168.0.2
+	$NS2 ping -c 3 192.168.0.2
+
+	echo -e "\nPing from ns1 to ns2"
+
+	$NS1 ping -c 3 192.168.0.1
+
+	echo -e "\nPing from ns2 to ns1"
+
+	$NS2 ping -c 3 192.168.0.1
+
+	################################################################################
+	# Online Check                                                                 #
+	################################################################################
+
+	echo "Waiting for ZeroTier to come online before attempting test..."
+	node1_online=false
+	node2_online=false
+	both_instances_online=false
+	time_zt_node1_start=$(date +%s)
+	time_zt_node2_start=$(date +%s)
+
+	for ((s = 0; s <= $MAX_WAIT_SECS; s++)); do
+		node1_online="$($ZT1 -j info | jq '.online' 2>/dev/null)"
+		node2_online="$($ZT2 -j info | jq '.online' 2>/dev/null)"
+		echo "Checking for online status: try #$s, node1:$node1_online, node2:$node2_online"
+		if [[ "$node2_online" == "true" && "$node1_online" == "true" ]]; then
+			export both_instances_online=true
+			export time_to_both_nodes_online=$(date +%s)
+			break
+		fi
+		sleep 1
+	done
+
+	echo -e "\n\nContents of ZeroTier home paths:"
+
+	ls -lga node1
+	tree node1
+	ls -lga node2
+	tree node2
+
+	echo -e "\n\nRunning ZeroTier processes:"
+	echo -e "\nNode 1:\n"
+	$NS1 ps aux | grep zerotier-one
+	echo -e "\nNode 2:\n"
+	$NS2 ps aux | grep zerotier-one
+
+	echo -e "\n\nStatus of each instance:"
+
+	echo -e "\n\nNode 1:\n"
+	$ZT1 status
+	echo -e "\n\nNode 2:\n"
+	$ZT2 status
+
+	if [[ "$both_instances_online" != "true" ]]; then
+		exit_test_and_generate_report $TEST_FAIL "one or more nodes failed to come online"
+	fi
+
+	echo -e "\nJoining networks"
+
+	$ZT1 join $TEST_NETWORK
+	$ZT2 join $TEST_NETWORK
+
+	sleep 10
+
+	node1_ip4=$($ZT1 get $TEST_NETWORK ip4)
+	node2_ip4=$($ZT2 get $TEST_NETWORK ip4)
+
+	echo "node1_ip4=$node1_ip4"
+	echo "node2_ip4=$node2_ip4"
+
+	echo -e "\nPinging each node"
+
+	PING12_FILENAME="$TEST_FILEPATH_PREFIX-ping-1-to-2.txt"
+	PING21_FILENAME="$TEST_FILEPATH_PREFIX-ping-2-to-1.txt"
+
+	$NS1 ping -c 16 $node2_ip4 >$PING12_FILENAME
+	$NS2 ping -c 16 $node1_ip4 >$PING21_FILENAME
+
+	ping_loss_percent_1_to_2=$(cat $PING12_FILENAME |
+		grep "packet loss" | awk '{print $6}' | sed 's/%//')
+	ping_loss_percent_2_to_1=$(cat $PING21_FILENAME |
+		grep "packet loss" | awk '{print $6}' | sed 's/%//')
+
+	# Normalize loss value
+	export ping_loss_percent_1_to_2=$(echo "scale=2; $ping_loss_percent_1_to_2/100.0" | bc)
+	export ping_loss_percent_2_to_1=$(echo "scale=2; $ping_loss_percent_2_to_1/100.0" | bc)
+
+	################################################################################
+	# CLI Check                                                                    #
+	################################################################################
+
+	echo "Testing basic CLI functionality..."
+
+	spam_cli 10
+
+	$ZT1 join $TEST_NETWORK
+
+	$ZT1 -h
+	$ZT1 -v
+	$ZT1 status
+	$ZT1 info
+	$ZT1 listnetworks
+	$ZT1 peers
+	$ZT1 listpeers
+
+	$ZT1 -j status
+	$ZT1 -j info
+	$ZT1 -j listnetworks
+	$ZT1 -j peers
+	$ZT1 -j listpeers
+
+	$ZT1 dump
+
+	$ZT1 get $TEST_NETWORK allowDNS
+	$ZT1 get $TEST_NETWORK allowDefault
+	$ZT1 get $TEST_NETWORK allowGlobal
+	$ZT1 get $TEST_NETWORK allowManaged
+	$ZT1 get $TEST_NETWORK bridge
+	$ZT1 get $TEST_NETWORK broadcastEnabled
+	$ZT1 get $TEST_NETWORK dhcp
+	$ZT1 get $TEST_NETWORK id
+	$ZT1 get $TEST_NETWORK mac
+	$ZT1 get $TEST_NETWORK mtu
+	$ZT1 get $TEST_NETWORK name
+	$ZT1 get $TEST_NETWORK netconfRevision
+	$ZT1 get $TEST_NETWORK nwid
+	$ZT1 get $TEST_NETWORK portDeviceName
+	$ZT1 get $TEST_NETWORK portError
+	$ZT1 get $TEST_NETWORK status
+	$ZT1 get $TEST_NETWORK type
+
+	# Test an invalid command
+	$ZT1 get $TEST_NETWORK derpderp
+
+	# TODO: Validate JSON
+
+	# Performance Test
+
+	export FILENAME_PERF_JSON="$TEST_FILEPATH_PREFIX-iperf.json"
+
+	echo -e "\nBeginning performance test:"
+
+	echo -e "\nStarting server:"
+
+	echo "$NS1 iperf3 -s &"
+	sleep 1
+
+	echo -e "\nStarting client:"
+	sleep 1
+
+	echo "$NS2 iperf3 --json -c $node1_ip4 > $FILENAME_PERF_JSON"
+
+	cat $FILENAME_PERF_JSON
+
+	# Let ZeroTier idle long enough for various timers
+
+	echo -e "\nIdling ZeroTier for $RUN_LENGTH seconds..."
+	sleep $RUN_LENGTH
+
+	echo -e "\nLeaving networks"
+
+	$ZT1 leave $TEST_NETWORK
+	$ZT2 leave $TEST_NETWORK
+
+	sleep 5
+
+	exit_test_and_generate_report $TEST_OK "completed test"
+}
+
+################################################################################
+# Generate report                                                              #
+################################################################################
+
+exit_test_and_generate_report() {
+
+	echo -e "\nStopping memory check..."
+	sudo pkill -15 -f valgrind
+	sleep 10
+
+	time_test_end=$(date +%s)
+
+	echo "Exiting test with reason: $2 ($1)"
+
+	# Collect ZeroTier dump files
+
+	echo -e "\nCollecting ZeroTier dump files"
+
+	node1_id=$($ZT1 -j status | jq -r .address)
+	node2_id=$($ZT2 -j status | jq -r .address)
+
+	$ZT1 dump
+	mv zerotier_dump.txt "$TEST_FILEPATH_PREFIX-node-dump-$node1_id.txt"
+
+	$ZT2 dump
+	mv zerotier_dump.txt "$TEST_FILEPATH_PREFIX-node-dump-$node2_id.txt"
+
+	# Copy ZeroTier stdout/stderr logs
+
+	cp node_1.log "$TEST_FILEPATH_PREFIX-node-log-$node1_id.txt"
+	cp node_2.log "$TEST_FILEPATH_PREFIX-node-log-$node2_id.txt"
+
+	# Generate report
+
+	cat $FILENAME_MEMORY_LOG
+
+	DEFINITELY_LOST=$(xmlstarlet sel -t -v '/valgrindoutput/error/xwhat' \
+		$FILENAME_MEMORY_LOG | grep "definitely" | awk '{print $1;}')
+	POSSIBLY_LOST=$(xmlstarlet sel -t -v '/valgrindoutput/error/xwhat' \
+		$FILENAME_MEMORY_LOG | grep "possibly" | awk '{print $1;}')
+
+	# Generate coverage report artifact and summary
+
+	FILENAME_COVERAGE_JSON="$TEST_FILEPATH_PREFIX-coverage.json"
+	FILENAME_COVERAGE_HTML="$TEST_FILEPATH_PREFIX-coverage.html"
+
+	echo -e "\nGenerating coverage test report..."
+
+	gcovr -r . --exclude ext --json-summary $FILENAME_COVERAGE_JSON \
+		--html >$FILENAME_COVERAGE_HTML
+
+	cat $FILENAME_COVERAGE_JSON
+
+	COVERAGE_LINE_COVERED=$(cat $FILENAME_COVERAGE_JSON | jq .line_covered)
+	COVERAGE_LINE_TOTAL=$(cat $FILENAME_COVERAGE_JSON | jq .line_total)
+	COVERAGE_LINE_PERCENT=$(cat $FILENAME_COVERAGE_JSON | jq .line_percent)
+
+	COVERAGE_LINE_COVERED="${COVERAGE_LINE_COVERED:-0}"
+	COVERAGE_LINE_TOTAL="${COVERAGE_LINE_TOTAL:-0}"
+	COVERAGE_LINE_PERCENT="${COVERAGE_LINE_PERCENT:-0}"
+
+	# Default values
+
+	DEFINITELY_LOST="${DEFINITELY_LOST:-0}"
+	POSSIBLY_LOST="${POSSIBLY_LOST:-0}"
+	ping_loss_percent_1_to_2="${ping_loss_percent_1_to_2:-100.0}"
+	ping_loss_percent_2_to_1="${ping_loss_percent_2_to_1:-100.0}"
+	time_to_both_nodes_online="${time_to_both_nodes_online:--1}"
+
+	# Summarize and emit json for trend reporting
+
+	FILENAME_SUMMARY="$TEST_FILEPATH_PREFIX-summary.json"
+
+	time_length_test=$((time_test_end - time_test_start))
+	if [[ $time_to_both_nodes_online != -1 ]];
+	then
+		time_to_both_nodes_online=$((time_to_both_nodes_online - time_test_start))
+	fi
+	#time_length_zt_join=$((time_zt_join_end-time_zt_join_start))
+	#time_length_zt_leave=$((time_zt_leave_end-time_zt_leave_start))
+	#time_length_zt_can_still_ping=$((time_zt_can_still_ping-time_zt_leave_start))
+
+	summary=$(
+		cat <<EOF
+{
+  "version":"$ZTO_VER",
+  "commit":"$ZTO_COMMIT",
+  "arch_m":"$(uname -m)",
+  "arch_a":"$(uname -a)",
+  "binary_size":"$(stat -c %s zerotier-one)",
+  "time_length_test":$time_length_test,
+  "time_to_both_nodes_online":$time_to_both_nodes_online,
+  "num_possible_bytes_lost": $POSSIBLY_LOST,
+  "num_definite_bytes_lost": $DEFINITELY_LOST,
+  "num_bad_formattings": $POSSIBLY_LOST,
+  "coverage_lines_covered": $COVERAGE_LINE_COVERED,
+  "coverage_lines_total": $COVERAGE_LINE_TOTAL,
+  "coverage_lines_percent": $COVERAGE_LINE_PERCENT,
+  "ping_loss_percent_1_to_2": $ping_loss_percent_1_to_2,
+  "ping_loss_percent_2_to_1": $ping_loss_percent_2_to_1,
+  "test_exit_code": $1,
+  "test_exit_reason":"$2"
+}
+EOF
+	)
+
+	echo $summary >$FILENAME_SUMMARY
+	cat $FILENAME_SUMMARY
+
+	exit 0
+}
+
+################################################################################
+# CLI Check                                                                    #
+################################################################################
+
+spam_cli() {
+	echo "Spamming CLI..."
+	# Rapidly spam the CLI with joins/leaves
+
+	MAX_TRIES="${1:-10}"
+
+	for ((s = 0; s <= MAX_TRIES; s++)); do
+		$ZT1 status
+		$ZT2 status
+		sleep 0.1
+	done
+
+	SPAM_TRIES=128
+
+	for ((s = 0; s <= SPAM_TRIES; s++)); do
+		$ZT1 join $TEST_NETWORK
+	done
+
+	for ((s = 0; s <= SPAM_TRIES; s++)); do
+		$ZT1 leave $TEST_NETWORK
+	done
+
+	for ((s = 0; s <= SPAM_TRIES; s++)); do
+		$ZT1 leave $TEST_NETWORK
+		$ZT1 join $TEST_NETWORK
+	done
+}
+
+################################################################################
+# Check for proper exit on load of invalid identity                            #
+################################################################################
+
+check_exit_on_invalid_identity() {
+	echo "Checking ZeroTier exits on invalid identity..."
+	mkdir -p $(pwd)/exit_test
+	ZT1="sudo ./zerotier-one -p9999 $(pwd)/exit_test"
+	echo "asdfasdfasdfasdf" > $(pwd)/exit_test/identity.secret
+	echo "asdfasdfasdfasdf" > $(pwd)/exit_test/authtoken.secret
+
+	echo "Launch ZeroTier with an invalid identity"
+	$ZT1 &
+	my_pid=$!
+
+	echo "Waiting 5 seconds"
+	sleep 5
+
+	# check if process is running
+	kill -0 $my_pid
+	if [ $? -eq 0 ]; then
+		exit_test_and_generate_report $TEST_FAIL "Exit test FAILED: Process still running after being fed an invalid identity"
+	fi
+}
+
+################################################################################
+# Check that we're binding to the primary port for TCP/TCP6/UDP                #
+################################################################################
+
+check_bind_to_correct_ports() {
+	PORT_NUMBER=$1
+	echo "Checking bound ports:"
+	sudo netstat -anp | grep "$PORT_NUMBER" | grep "zerotier"
+	if [[ $(sudo netstat -anp | grep "$PORT_NUMBER" | grep "zerotier" | grep "tcp") ]];
+	then
+		:
+	else
+		exit_test_and_generate_report $TEST_FAIL "ZeroTier did not bind to tcp/$1"
+	fi
+	if [[ $(sudo netstat -anp | grep "$PORT_NUMBER" | grep "zerotier" | grep "tcp6") ]];
+	then
+		:
+	else
+		exit_test_and_generate_report $TEST_FAIL "ZeroTier did not bind to tcp6/$1"
+	fi
+	if [[ $(sudo netstat -anp | grep "$PORT_NUMBER" | grep "zerotier" | grep "udp") ]];
+	then
+		:
+	else
+		exit_test_and_generate_report $TEST_FAIL "ZeroTier did not bind to udp/$1"
+	fi
+}
+
+test "$@"

.github/workflows/validate-report.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+################################################################################
+# Set exit code depending on tool reports                                      #
+################################################################################
+
+DEFINITELY_LOST=$(cat *test-results/*summary.json | jq .num_definite_bytes_lost)
+EXIT_CODE=$(cat *test-results/*summary.json | jq .exit_code)
+EXIT_REASON=$(cat *test-results/*summary.json | jq .exit_reason)
+
+cat *test-results/*summary.json
+
+echo -e "\nBytes of memory definitely lost: $DEFINITELY_LOST"
+
+if [[ "$DEFINITELY_LOST" -gt 0 ]]; then
+      exit 1
+fi
+
+# Catch-all for other non-zero exit codes
+
+if [[ "$EXIT_CODE" -gt 0 ]]; then
+      echo "Test failed: $EXIT_REASON"
+      exit 1
+fi

.github/workflows/validate.yml

@@ -0,0 +1,57 @@
+on:
+  pull_request:
+  push:
+  workflow_dispatch:
+
+jobs:
+  build_ubuntu:
+    runs-on: ubuntu-latest
+    steps:
+    - name: gitconfig
+      run: |
+        git config --global core.autocrlf input
+
+    - name: checkout
+      uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+
+    - name: Install Rust
+      uses: actions-rs/toolchain@v1
+      with:
+        toolchain: stable
+        target: x86_64-unknown-linux-gnu
+        override: true
+        components: rustfmt, clippy
+
+    - name: Set up cargo cache
+      uses: Swatinem/rust-cache@v2
+      continue-on-error: false
+      with:
+        key: ${{ runner.os }}-cargo-${{ hashFiles('zeroidc//Cargo.lock') }}
+        shared-key: ${{ runner.os }}-cargo-
+        workspaces: |
+          zeroidc/
+
+    - name: validate-1m-linux
+      env:
+        CC: 'gcc'
+        CXX: 'g++'
+        BRANCH: ${{  github.ref_name }}
+      run: |
+        sudo apt install -y valgrind xmlstarlet gcovr iperf3 tree
+        make one ZT_COVERAGE=1 ZT_TRACE=1
+        sudo chmod +x ./.github/workflows/validate-linux.sh
+        sudo ./.github/workflows/validate-linux.sh
+
+    - name: Archive test results
+      uses: actions/upload-artifact@v4
+      with:
+        name: ${{github.sha}}-test-results
+        path: "*test-results*"
+
+    - name: final-report
+      run: |
+        sudo chmod +x ./.github/workflows/validate-report.sh
+        sudo ./.github/workflows/validate-report.sh
+

.gitignore

@@ -6,6 +6,11 @@
 /zerotier
 /nltest
 
+# IDE stuff
+/.idea
+/.nova
+/compile_commands.json
+
 # OS-created garbage files from various platforms
 .DS_Store
 .Apple*
@@ -30,7 +35,6 @@ Thumbs.db
 /windows/WebUIWrapper/obj
 /windows/lib
 /ext/installfiles/windows/ZeroTier One-SetupFiles
-/ext/installfiles/windows/Prerequisites
 /ext/installfiles/windows/*-cache
 /ZeroTier One.msi
 *.vcxproj.backup
@@ -58,7 +62,6 @@ zt1-src.tar.gz
 *.opensdf
 *.user
 *.cache
-*.obj
 *.tlog
 *.pid
 *.pkg
@@ -103,7 +106,6 @@ windows/ZeroTierOne/Debug/
 *.swp
 *~.nib
 DerivedData/
-build/
 *.pbxuser
 *.mode1v3
 *.mode2v3
@@ -114,7 +116,6 @@ build/
 !default.perspectivev3
 *.xccheckout
 xcuserdata/
-ext/librethinkdbxx/build
 .vscode
 __pycache__
 *~
@@ -122,3 +123,20 @@ attic/world/*.c25519
 attic/world/mkworld
 workspace/
 workspace2/
+zeroidc/target/
+tcp-proxy/target
+
+#snapcraft specifics
+/parts/
+/stage/
+/prime/
+
+*.snap
+
+.snapcraft
+__pycache__
+*.pyc
+*_source.tar.bz2
+snap/.snapcraft
+tcp-proxy/tcp-proxy
+rustybits/target

.kick

@@ -0,0 +1,14 @@
+kick
+kick
+kick
+kick
+kick
+kick
+kick
+kick
+kick
+kick
+kick
+kick
+kick
+kick

Dockerfile.ci

@@ -0,0 +1,28 @@
+# vim: ft=dockerfile
+
+FROM ubuntu:21.04 as stage
+
+RUN apt-get update -qq && apt-get -qq install make clang
+COPY . .
+RUN /usr/bin/make
+RUN echo $PWD
+RUN cp zerotier-one /usr/sbin
+
+FROM ubuntu:21.04
+
+COPY --from=stage /zerotier-one /usr/sbin
+RUN ln -sf /usr/sbin/zerotier-one /usr/sbin/zerotier-idtool
+RUN ln -sf /usr/sbin/zerotier-one /usr/sbin/zerotier-cli
+
+RUN echo "${VERSION}" > /etc/zerotier-version
+RUN rm -rf /var/lib/zerotier-one
+
+
+RUN apt-get -qq update
+RUN apt-get -qq install iproute2 net-tools fping 2ping iputils-ping iputils-arping
+
+COPY entrypoint.sh.release /entrypoint.sh
+RUN chmod 755 /entrypoint.sh
+
+CMD []
+ENTRYPOINT ["/entrypoint.sh"]

Dockerfile.release

@@ -1,22 +1,23 @@
 # vim: ft=dockerfile
 
-FROM debian:buster as stage
+FROM debian:bookworm
 
-ARG PACKAGE_BASEURL=https://download.zerotier.com/debian/buster/pool/main/z/zerotier-one/
-ARG ARCH=amd64
 ARG VERSION
 
-RUN apt-get update -qq && apt-get install curl -y
-RUN curl -sSL -o zerotier-one.deb "${PACKAGE_BASEURL}/zerotier-one_${VERSION}_${ARCH}.deb"
+RUN apt-get update -qq && apt-get install curl gpg -y
+RUN mkdir -p /usr/share/zerotier && \
+    curl -o /usr/share/zerotier/tmp.asc "https://download.zerotier.com/contact%40zerotier.com.gpg" && \
+    gpg --no-default-keyring --keyring /usr/share/zerotier/zerotier.gpg --import /usr/share/zerotier/tmp.asc && \
+    rm -f /usr/share/zerotier/tmp.asc && \
+    echo "deb [signed-by=/usr/share/zerotier/zerotier.gpg] http://download.zerotier.com/debian/bookworm bookworm main" > /etc/apt/sources.list.d/zerotier.list
 
-FROM debian:buster
-
-COPY --from=stage zerotier-one.deb .
-
-RUN dpkg -i zerotier-one.deb && rm -f zerotier-one.deb
-RUN echo "${VERSION}" >/etc/zerotier-version
+RUN apt-get update -qq && apt-get install zerotier-one=${VERSION} curl iproute2 net-tools iputils-ping openssl libssl3 -y
+RUN rm -rf /var/lib/zerotier-one
 
 COPY entrypoint.sh.release /entrypoint.sh
 RUN chmod 755 /entrypoint.sh
 
-CMD /entrypoint.sh
+HEALTHCHECK --interval=1s CMD bash /healthcheck.sh
+
+CMD []
+ENTRYPOINT ["/entrypoint.sh"]

Jenkinsfile

@@ -1,365 +0,0 @@
-pipeline {
-    options {
-        disableConcurrentBuilds()
-        preserveStashes(buildCount: 10)
-        timestamps()
-    }
-    parameters {
-        booleanParam(name: "BUILD_ALL", defaultValue: false, description: "Build all supported platform/architecture combos.  Defaults to x86/x64 only")
-    }
-    
-    agent none
-    
-    stages {
-        stage ("Build") {
-            steps {
-                script {
-                    def tasks = [:]
-                    tasks << buildStaticBinaries()
-                    tasks << buildDebianNative()
-                    tasks << buildCentosNative()
-                    
-                    parallel tasks
-                }
-            }
-        }
-        stage ("Package Static") {
-            steps {
-                script {
-                    parallel packageStatic()
-                }
-            }
-        }
-    }
-}
-
-def buildStaticBinaries() {
-    def tasks = [:]
-    def dist = ["alpine"]
-    def archs = []
-    if (params.BUILD_ALL == true) {
-        archs = ["arm64", "amd64", "i386", "armhf", "armel", "ppc64le", "s390x"]
-    } else {
-        archs = ["amd64", "i386"]
-    }
-
-    tasks << getTasks(dist, archs, { distro, platform -> 
-        def myNode = {
-            node ('linux-build') {
-                dir ("build") {
-                    checkout scm
-                }
-                sh "echo ${distro}-${platform}"
-                def runtime = docker.image("ztbuild/${distro}-${platform}:latest")
-                runtime.inside {
-                    dir("build") {
-                        sh 'make -j8 ZT_STATIC=1 all'
-                        sh "file ./zerotier-one"
-                        sh "mv zerotier-one zerotier-one-static-${platform}"
-                        stash includes: 'zerotier-one-static-*', name: "static-${platform}"
-                    }
-                    cleanWs deleteDirs: true, disableDeferredWipeout: true, notFailBuild: true
-                }
-            }
-        }
-        return myNode
-    })
-    
-    return tasks
-}
-
-def getTasks(axisDistro, axisPlatform, task) {
-    def tasks = [:]
-    for(int i=0; i< axisDistro.size(); i++) {
-        def axisDistroValue = axisDistro[i]
-        for(int j=0; j< axisPlatform.size(); j++) {
-            def axisPlatformValue = axisPlatform[j]
-            tasks["${axisDistroValue}/${axisPlatformValue}"] = task(axisDistroValue, axisPlatformValue)
-        }
-    }
-    return tasks
-}
-
-def packageStatic() {
-    def tasks = [:]
-    
-    def centos6 = ["centos6"]
-    def centos6Arch = ["i386", "amd64"]
-    tasks << getTasks(centos6, centos6Arch, { distro, arch -> 
-        def myNode = {
-            node ('linux-build') {
-                dir ("build") {
-                    checkout scm
-                }
-                def runtime = docker.image("ztbuild/${distro}-${arch}:latest")
-                runtime.inside {
-                    dir("build") {
-                        unstash "static-${arch}"
-                        sh "mv zerotier-one-static-${arch} zerotier-one && chmod +x zerotier-one" 
-                        sh "make redhat"
-                        sh "mkdir -p ${distro}"
-                        sh "cp -av `find ~/rpmbuild/ -type f -name \"*.rpm\"` ${distro}/"
-                        archiveArtifacts artifacts: "${distro}/*.rpm", onlyIfSuccessful: true
-                    }
-                }
-                cleanWs deleteDirs: true, disableDeferredWipeout: true, notFailBuild: true
-            }
-        }
-        return myNode
-    })
-    
-    def centos7 = ["centos7"]
-    def centos7Arch = ["i386"]
-    tasks << getTasks(centos7, centos7Arch, { distro, arch -> 
-        def myNode = {
-            node ('linux-build') {
-                dir ("build") {
-                    checkout scm
-                }
-                def runtime = docker.image("ztbuild/${distro}-${arch}:latest")
-                runtime.inside {
-                    dir("build") {
-                        unstash "static-${arch}"
-                        sh "mv zerotier-one-static-${arch} zerotier-one && chmod +x zerotier-one" 
-                        sh "make redhat"
-                        sh "mkdir -p ${distro}"
-                        sh "cp -av `find ~/rpmbuild/ -type f -name \"*.rpm\"` ${distro}/"
-                        archiveArtifacts artifacts: "${distro}/*.rpm", onlyIfSuccessful: true
-                    }
-                }
-                cleanWs deleteDirs: true, disableDeferredWipeout: true, notFailBuild: true
-            }
-        }
-        return myNode
-    })
-    
-    if (params.BUILD_ALL == true) {
-        def clefos7 = ["clefos"]
-        def clefos7Arch = ["s390x"]
-        tasks << getTasks(clefos7, clefos7Arch, { distro, arch -> 
-            def myNode = {
-                node ('linux-build') {
-                    dir ("build") {
-                        checkout scm
-                    }
-                    def runtime = docker.image("ztbuild/${distro}-${arch}:latest")
-                    runtime.inside {
-                        dir("build/") {
-                            unstash "static-${arch}"
-                            sh "mv zerotier-one-static-${arch} zerotier-one && chmod +x zerotier-one" 
-                            sh "make redhat"
-                            sh "mkdir -p ${distro}"
-                            sh "cp -av `find ~/rpmbuild/ -type f -name \"*.rpm\"` ${distro}/"
-                            archiveArtifacts artifacts: "${distro}/*.rpm", onlyIfSuccessful: true
-                        }
-                    }
-                    cleanWs deleteDirs: true, disableDeferredWipeout: true, notFailBuild: true
-                }
-            }
-            return myNode
-        })
-    }
-
-    def debianJessie = ["debian-jessie"]
-    def debianJessieArchs = []
-    if (params.BUILD_ALL == true) {
-        debianJessieArch = ["armhf", "armel", "amd64", "i386"]
-    } else {
-        debianJessieArch = ["amd64", "i386"]
-    }
-    tasks << getTasks(debianJessie, debianJessieArch, { distro, arch -> 
-        def myNode = {
-            node ('linux-build') {
-                dir ("build") {
-                    checkout scm
-                }
-                def runtime = docker.image("ztbuild/${distro}-${arch}:latest")
-                runtime.inside {
-                    sh "ls -la ."
-                    dir('build/') {
-                        sh "ls -la ."
-                        unstash "static-${arch}"
-                        sh "pwd"
-                        sh "mv zerotier-one-static-${arch} zerotier-one && chmod +x zerotier-one && file ./zerotier-one" 
-                        sh "mv -f debian/rules.static debian/rules"
-                        sh "make debian"
-                    }
-                    sh "mkdir -p ${distro}"
-                    sh "mv *.deb ${distro}"
-                    archiveArtifacts artifacts: "${distro}/*.deb", onlyIfSuccessful: true
-                }
-                cleanWs deleteDirs: true, disableDeferredWipeout: true, notFailBuild: true
-            }
-        }
-        return myNode
-    })
-    
-    def ubuntuTrusty = ["ubuntu-trusty"]
-    def ubuntuTrustyArch = []
-    if (params.BUILD_ALL == true) {
-        ubuntuTrustyArch = ["i386", "amd64", "armhf", "arm64", "ppc64le"]
-    } else {
-        ubuntuTrustyArch = ["i386", "amd64"]
-    }
-    tasks << getTasks(ubuntuTrusty, ubuntuTrustyArch, { distro, arch -> 
-        def myNode = {
-            node ('linux-build') {
-                dir ("build") {
-                    checkout scm
-                }
-                def runtime = docker.image("ztbuild/${distro}-${arch}:latest")
-                runtime.inside {
-                    sh "ls -la ."
-                    dir('build/') {
-                        sh "ls -la ."
-                        unstash "static-${arch}"
-                        sh "pwd"
-                        sh "mv zerotier-one-static-${arch} zerotier-one && chmod +x zerotier-one && file ./zerotier-one" 
-                        sh "mv -f debian/rules.static debian/rules"
-                        sh "make debian"
-                    }
-                    sh "mkdir -p ${distro}"
-                    sh "mv *.deb ${distro}"
-                    archiveArtifacts artifacts: "${distro}/*.deb", onlyIfSuccessful: true
-                }
-                cleanWs deleteDirs: true, disableDeferredWipeout: true, notFailBuild: true
-            }
-        }
-        return myNode
-    })
-    
-    def debianWheezy = ["debian-wheezy"]
-    def debianWheezyArchs = []
-    if (params.BUILD_ALL == true) {
-        debianWheezyArchs = ["armhf", "armel", "amd64", "i386"]
-    } else {
-        debianWheezyArchs = ["amd64", "i386"]
-    }
-    tasks << getTasks(debianJessie, debianJessieArch, { distro, arch -> 
-        def myNode = {
-            node ('linux-build') {
-                dir ("build") {
-                    checkout scm
-                }
-                def runtime = docker.image("ztbuild/${distro}-${arch}:latest")
-                runtime.inside {
-                    dir('build/') {
-                        unstash "static-${arch}"
-                        sh "mv zerotier-one-static-${arch} zerotier-one && chmod +x zerotier-one && file ./zerotier-one" 
-                        sh "mv -f debian/rules.wheezy.static debian/rules"
-                        sh "mv -f debian/control.wheezy debian/control"
-                        sh "make debian"
-                    }
-                    sh "mkdir -p ${distro}"
-                    sh "mv *.deb ${distro}"
-                    archiveArtifacts artifacts: "${distro}/*.deb", onlyIfSuccessful: true
-                }
-                cleanWs deleteDirs: true, disableDeferredWipeout: true, notFailBuild: true
-            }
-        }
-        return myNode
-    })
-    
-    return tasks
-}
-
-def buildDebianNative() {
-    def tasks = [:]
-    def buster = ["debian-buster", "debian-stretch", "debian-bullseye", "debian-sid"]
-    def busterArchs = []
-    if (params.BUILD_ALL) {
-        busterArchs = ["s390x", "ppc64le", "i386", "armhf", "armel", "arm64", "amd64"]
-    } else {
-        busterArchs = ["amd64", "i386"]
-    }
-    
-    def build = { distro, arch -> 
-        def myNode = {
-            node ('linux-build') {
-                dir ("build") {
-                    checkout scm
-                }
-                def runtime = docker.image("ztbuild/${distro}-${arch}:latest")
-                runtime.inside {
-                    dir("build") {
-                        sh 'make debian'
-                    }
-                    sh "mkdir -p ${distro}"
-                    sh "mv *.deb ${distro}"
-                    archiveArtifacts artifacts: "${distro}/*.deb", onlyIfSuccessful: true
-                    cleanWs deleteDirs: true, disableDeferredWipeout: true, notFailBuild: true
-                }
-            }
-        }
-        return myNode
-    }
-    
-    tasks << getTasks(buster, busterArchs, build)
-    
-    // bash is broken when running under QEMU-s390x on Xenial
-    def xenial = ["ubuntu-xenial"]
-    def xenialArchs = []
-    if (params.BUILD_ALL == true) {
-        xenialArchs = ["i386", "amd64", "armhf", "arm64", "ppc64le"]
-    } else {
-        xenialArchs = ["i386", "amd64"]
-    }
-    tasks << getTasks(xenial, xenialArchs, build)
-    
-    def ubuntu = ["ubuntu-bionic", "ubuntu-eoan"]
-    def ubuntuArchs = []
-    if (params.BUILD_ALL == true) {
-        ubuntuArchs = ["i386", "amd64", "armhf", "arm64", "ppc64le", "s390x"]
-    } else {
-        ubuntuArchs = ["i386", "amd64"]
-    }
-    tasks << getTasks(ubuntu, ubuntuArchs, build)
-    
-    def kali = ["kali-rolling"]
-    def kaliArchs = ["amd64"]
-    tasks << getTasks(kali, kaliArchs, build)
-    
-    return tasks
-}
-
-def buildCentosNative() {
-    def tasks = [:]
-    
-    def build = { distro, arch -> 
-        def myNode = {
-            node ('linux-build') {
-                dir ("build") {
-                    checkout scm
-                }
-                def runtime = docker.image("ztbuild/${distro}-${arch}:latest")
-                runtime.inside {
-                    dir("build") {
-                        sh 'make -j4'
-                        sh 'make redhat'
-                        sh "mkdir -p ${distro}"
-                        sh "cp -av `find ~/rpmbuild/ -type f -name \"*.rpm\"` ${distro}/"
-                        archiveArtifacts artifacts: "${distro}/*.rpm", onlyIfSuccessful: true
-                    }
-                    
-                    cleanWs deleteDirs: true, disableDeferredWipeout: true, notFailBuild: true
-                }
-            }
-        }
-        return myNode
-    }
-    
-    def centos8 = ["centos8"]
-    def centos8Archs = []
-    if (params.BUILD_ALL == true) {
-        centos8Archs = ["amd64", "arm64", "ppc64le"]
-    } else {
-        centos8Archs = ["amd64"]
-    }
-    tasks << getTasks(centos8, centos8Archs, build)
-    
-    def centos7 = ["centos7"]
-    def centos7Archs = ["amd64"]
-    tasks << getTasks(centos7, centos7Archs, build)
-    
-    return tasks
-}

LICENSE.txt

@@ -26,7 +26,7 @@ Additional Use Grant: You may make use of the Licensed Work, provided you
                       ZeroTier behind the scenes to operate a service not
                       related to ZeroTier network administration.
 
-                      * Create Non-Open-Source Commercial Derviative Works
+                      * Create Non-Open-Source Commercial Derivative Works
 
                       (2) Link or directly include the Licensed Work in a
                       commercial or for-profit application or other product
@@ -47,7 +47,7 @@ Additional Use Grant: You may make use of the Licensed Work, provided you
                       services, social welfare, senior care, child care, and
                       the care of persons with disabilities.
 
-Change Date:          2025-01-01
+Change Date:          2026-01-01
 
 Change License:       Apache License version 2.0 as published by the Apache
                       Software Foundation

Makefile

@@ -26,3 +26,8 @@ endif
 ifeq ($(OSTYPE),NetBSD)
 	include make-netbsd.mk
 endif
+
+drone:
+	@echo "rendering .drone.yaml from .drone.jsonnet"
+	drone jsonnet --format --stream
+	drone sign zerotier/ZeroTierOne --save

OFFICIAL-RELEASE-STEPS.md

@@ -14,7 +14,7 @@ The version must be incremented in all of the following files:
     /debian/changelog
     /ext/installfiles/mac/ZeroTier One.pkgproj
     /ext/installfiles/windows/ZeroTier One.aip
-    /windows/WinUI/AboutView.xaml
+  ../DesktopUI/mac-app-template/ZeroTier.app/Contents/Info.plist
 
 The final .AIP file can only be edited on Windows with [Advanced Installer Enterprise](http://www.advancedinstaller.com/). In addition to incrementing the version be sure that a new product code is generated. (The "upgrade code" GUID on the other hand must never change.)
 

README.docker.md

@@ -0,0 +1,73 @@
+# ZeroTier One in a container!
+
+**NOTE:** _Most of this information pertains to the docker image only. For more information about ZeroTier, check out the repository_: [here](https://github.com/zerotier/ZeroTierOne) or the [commercial website](https://www.zerotier.com).
+
+[ZeroTier](https://www.zerotier.com) is a smart programmable Ethernet switch for planet Earth. It allows all networked devices, VMs, containers, and applications to communicate as if they all reside in the same physical data center or cloud region.
+
+This is accomplished by combining a cryptographically addressed and secure peer to peer network (termed VL1) with an Ethernet emulation layer somewhat similar to VXLAN (termed VL2). Our VL2 Ethernet virtualization layer includes advanced enterprise SDN features like fine grained access control rules for network micro-segmentation and security monitoring.
+
+All ZeroTier traffic is encrypted end-to-end using secret keys that only you control. Most traffic flows peer to peer, though we offer free (but slow) relaying for users who cannot establish peer to peer connections.
+
+The goals and design principles of ZeroTier are inspired by among other things the original [Google BeyondCorp](https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43231.pdf) paper and the [Jericho Forum](https://en.wikipedia.org/wiki/Jericho_Forum) with its notion of "deperimeterization."
+
+Visit [ZeroTier's site](https://www.zerotier.com/) for more information and [pre-built binary packages](https://www.zerotier.com/download/). Apps for Android and iOS are available for free in the Google Play and Apple app stores.
+
+ZeroTier is licensed under the [BSL version 1.1](https://mariadb.com/bsl11/). See [LICENSE.txt](https://github.com/zerotier/ZeroTierOne/blob/master/LICENSE.txt) and the [ZeroTier pricing page](https://www.zerotier.com/pricing) for details. ZeroTier is free to use internally in businesses and academic institutions and for non-commercial purposes. Certain types of commercial use such as building closed-source apps and devices based on ZeroTier or offering ZeroTier network controllers and network management as a SaaS service require a commercial license.
+
+A small amount of third party code is also included in ZeroTier and is not subject to our BSL license. See [AUTHORS.md](https://github.com/zerotier/ZeroTierOne/blob/master/AUTHORS.md) for a list of third party code, where it is included, and the licenses that apply to it. All of the third party code in ZeroTier is liberally licensed (MIT, BSD, Apache, public domain, etc.).
+
+## Building the docker image
+
+Due to the network being a substrate for most applications and not an application unto itself, it makes sense that many people would want to build their own image based on our formula.
+
+The image is based on `debian:buster`.
+
+The `Dockerfile.release` file contains build instructions for building the described image in the rest of the README. The build is multi-arch and multi-release capable.
+
+These build arguments power the build:
+
+- `PACKAGE_BASEURL`: The base URL of the package repository to fetch from. (default: `https://download.zerotier.com/debian/buster/pool/main/z/zerotier-one/`)
+- `ARCH`: The architecture of the package, in debian format. Must match your image arch. (default: `amd64`)
+- `VERSION`: **REQUIRED** the version of ZeroTier to fetch.
+
+You can build this image like so:
+
+```
+docker build -f Dockerfile.release -t mybuild --build-arg VERSION=1.6.5 .
+```
+
+## Using the docker image
+
+The `entrypoint.sh` in the docker image is a little different; zerotier will be spawned in the background and the "main process" is actually just a sleeping shell script. This allows `zerotier-one` to gracefully terminate in some situations largely unique to docker.
+
+The `zerotier/zerotier` image requires the `CAP_NET_ADMIN` capability and the `/dev/net/tun` device must be forwarded to it.
+
+To join a network, simply supply it on the command-line; you can supply multiple networks.
+
+```
+docker run --name myzerotier --rm --cap-add NET_ADMIN --device /dev/net/tun zerotier/zerotier:latest abcdefdeadbeef00
+```
+
+Once joining all the networks you have provided, it will sleep until terminated. Note that in ZeroTier, joining a network does not necessarily mean you have an IP or can do anything, really. You will want to probe the control socket:
+
+```
+docker exec myzerotier zerotier-cli listnetworks
+```
+
+To ensure you have a network available before trying to listen on it. Without pre-configuring the identity, this usually means going to the central admin panel and clicking the checkmark against your zerotier identity.
+
+### Environment Variables
+
+You can control a few settings including the identity used and the authtoken used to interact with the control socket (which you can forward and access through `localhost:9993`).
+
+- `ZEROTIER_JOIN_NETWORKS`: additional way to set networks to join.
+- `ZEROTIER_API_SECRET`: replaces the `authtoken.secret` before booting and allows you to manage the control socket's authentication key.
+- `ZEROTIER_IDENTITY_PUBLIC`: the `identity.public` file for zerotier-one. Use `zerotier-idtool` to generate one of these for you.
+- `ZEROTIER_IDENTITY_SECRET`: the `identity.secret` file for zerotier-one. Use `zerotier-idtool` to generate one of these for you.
+- `ZEROTIER_LOCAL_CONF`: Sets the the `local.conf` file content for zerotier-one
+
+### Tips
+
+- Forwarding port `<dockerip>:9993` to somewhere outside is probably a good idea for highly trafficked services.
+- Forwarding `localhost:9993` to a control network where you can drive it remotely might be a good idea, just be sure to set your authtoken properly through environment variables.
+- Pre-generating your identities could be much simpler to do via our [terraform plugin](https://github.com/zerotier/terraform-provider-zerotier)

README.md

@@ -1,6 +1,7 @@
 ZeroTier - Global Area Networking
 ======
-This document is written for a software developer audience. For information on using ZeroTier, see the: [Website](https://www.zerotier.com), [Documentation Site](https://docs.zerotier.com), and [Discussion Forum](https://discuss.zerotier.com)
+
+*This document is written for a software developer audience. For information on using ZeroTier, see the: [Website](https://www.zerotier.com), [Documentation Site](https://docs.zerotier.com), and [Discussion Forum](https://discuss.zerotier.com).*
 
 ZeroTier is a smart programmable Ethernet switch for planet Earth. It allows all networked devices, VMs, containers, and applications to communicate as if they all reside in the same physical data center or cloud region.
 
@@ -36,30 +37,41 @@ The base path contains the ZeroTier One service main entry point (`one.cpp`), se
  - `ext/`: third party libraries, binaries that we ship for convenience on some platforms (Mac and Windows), and installation support files.
  - `include/`: include files for the ZeroTier core.
  - `java/`: a JNI wrapper used with our Android mobile app. (The whole Android app is not open source but may be made so in the future.)
- - `macui/`: a Macintosh menu-bar app for controlling ZeroTier One, written in Objective C.
  - `node/`: the ZeroTier virtual Ethernet switch core, which is designed to be entirely separate from the rest of the code and able to be built as a stand-alone OS-independent library. Note to developers: do not use C++11 features in here, since we want this to build on old embedded platforms that lack C++11 support. C++11 can be used elsewhere.
  - `osdep/`: code to support and integrate with OSes, including platform-specific stuff only built for certain targets.
  - `rule-compiler/`: JavaScript rules language compiler for defining network-level rules.
  - `service/`: the ZeroTier One service, which wraps the ZeroTier core and provides VPN-like connectivity to virtual networks for desktops, laptops, servers, VMs, and containers.
  - `windows/`: Visual Studio solution files, Windows service code, and the Windows task bar app UI.
+ - `zeroidc/`: OIDC implementation used by ZeroTier service to log into SSO-enabled networks. (This part is written in Rust, and more Rust will be appearing in this repository in the future.)
+
+### Contributing
+
+Please do pull requests off of the `dev` branch.
+
+Releases are done by merging `dev` into `main` and then tagging and doing builds. 
 
 ### Build and Platform Notes
 
 To build on Mac and Linux just type `make`. On FreeBSD and OpenBSD `gmake` (GNU make) is required and can be installed from packages or ports. For Windows there is a Visual Studio solution in `windows/`.
 
  - **Mac**
-   - Xcode command line tools for OSX 10.8 or newer are required.
+   - Xcode command line tools for macOS 10.13 or newer are required.
+   - Rust for x86_64 and ARM64 targets *if SSO is enabled in the build*.
  - **Linux**
-   - The minimum compiler versions required are GCC/G++ 4.9.3 or CLANG/CLANG++ 3.4.2. (Install `clang` on CentOS 7 as G++ is too old.)
+   - The minimum compiler versions required are GCC/G++ 8.x or CLANG/CLANG++ 5.x.
    - Linux makefiles automatically detect and prefer clang/clang++ if present as it produces smaller and slightly faster binaries in most cases. You can override by supplying CC and CXX variables on the make command line.
+   - Rust for x86_64 and ARM64 targets *if SSO is enabled in the build*.
  - **Windows**
-   - Windows 7 or newer is supported. This *may* work on Vista but isn't officially supported there. It will not work on Windows XP.
-   - We build with Visual Studio 2017. Older versions may not work. Clang or MinGW will also probably work but may require some makefile hacking.
+   - Visual Studio 2022 on Windows 10 or newer.
+   - Rust for x86_64 and ARM64 targets *if SSO is enabled in the build*.
  - **FreeBSD**
    - GNU make is required. Type `gmake` to build.
+   - `binutils` is required.  Type `pkg install binutils` to install.
+   - Rust for x86_64 and ARM64 targets *if SSO is enabled in the build*.
  - **OpenBSD**
    - There is a limit of four network memberships on OpenBSD as there are only four tap devices (`/dev/tap0` through `/dev/tap3`).
    - GNU make is required. Type `gmake` to build.
+   - Rust for x86_64 and ARM64 targets *if SSO is enabled in the build*.
 
 Typing `make selftest` will build a *zerotier-selftest* binary which unit tests various internals and reports on a few aspects of the build environment. It's a good idea to try this on novel platforms or architectures.
 
@@ -75,14 +87,14 @@ On most distributions, macOS, and Windows, the installer will start the service
 
 A home folder for your system will automatically be created.
 
-The service is controlled via the JSON API, which by default is available at 127.0.0.1 port 9993. We include a *zerotier-cli* command line utility to make API calls for standard things like joining and leaving networks. The *authtoken.secret* file in the home folder contains the secret token for accessing this API. See [service/README.md](service/README.md) for API documentation.
+The service is controlled via the JSON API, which by default is available at `127.0.0.1:9993`. It also listens on `0.0.0.0:9993` which is only usable if `allowManagementFrom` is properly configured in `local.conf`. We include a *zerotier-cli* command line utility to make API calls for standard things like joining and leaving networks. The *authtoken.secret* file in the home folder contains the secret token for accessing this API. See [service/README.md](service/README.md) for API documentation.
 
 Here's where home folders live (by default) on each OS:
 
  * **Linux**: `/var/lib/zerotier-one`
  * **FreeBSD** / **OpenBSD**: `/var/db/zerotier-one`
  * **Mac**: `/Library/Application Support/ZeroTier/One`
- * **Windows**: `\ProgramData\ZeroTier\One` (That's for Windows 7. The base 'shared app data' folder might be different on different Windows versions.)
+ * **Windows**: `\ProgramData\ZeroTier\One` (That's the default. The base 'shared app data' folder might be different if Windows is installed with a non-standard drive letter assignment or layout.)
 
 ### Basic Troubleshooting
 
@@ -98,8 +110,88 @@ On CentOS check `/etc/sysconfig/iptables` for IPTables rules. For other distribu
 
 ZeroTier One peers will automatically locate each other and communicate directly over a local wired LAN *if UDP port 9993 inbound is open*. If that port is filtered, they won't be able to see each others' LAN announcement packets. If you're experiencing poor performance between devices on the same physical network, check their firewall settings. Without LAN auto-location peers must attempt "loopback" NAT traversal, which sometimes fails and in any case requires that every packet traverse your external router twice.
 
-Users behind certain types of firewalls and "symmetric" NAT devices may not able able to connect to external peers directly at all. ZeroTier has limited support for port prediction and will *attempt* to traverse symmetric NATs, but this doesn't always work. If P2P connectivity fails you'll be bouncing UDP packets off our relay servers resulting in slower performance. Some NAT router(s) have a configurable NAT mode, and setting this to "full cone" will eliminate this problem. If you do this you may also see a magical improvement for things like VoIP phones, Skype, BitTorrent, WebRTC, certain games, etc., since all of these use NAT traversal techniques similar to ours.
+Users behind certain types of firewalls and "symmetric" NAT devices may not be able to connect to external peers directly at all. ZeroTier has limited support for port prediction and will *attempt* to traverse symmetric NATs, but this doesn't always work. If P2P connectivity fails you'll be bouncing UDP packets off our relay servers resulting in slower performance. Some NAT router(s) have a configurable NAT mode, and setting this to "full cone" will eliminate this problem. If you do this you may also see a magical improvement for things like VoIP phones, Skype, BitTorrent, WebRTC, certain games, etc., since all of these use NAT traversal techniques similar to ours.
 
 If a firewall between you and the Internet blocks ZeroTier's UDP traffic, you will fall back to last-resort TCP tunneling to rootservers over port 443 (https impersonation). This will work almost anywhere but is *very slow* compared to UDP or direct peer to peer connectivity.
 
 Additional help can be found in our [knowledge base](https://zerotier.atlassian.net/wiki/spaces/SD/overview).
+
+### Prometheus Metrics
+
+Prometheus Metrics are available at the `/metrics` API endpoint.  This endpoint is protected by an API key stored in `metricstoken.secret` to prevent unwanted information leakage.  Information that could be gleaned from the metrics include joined networks and peers your instance is talking to. 
+
+Access control is via the ZeroTier control interface itself and `metricstoken.secret`. This can be sent as a bearer auth token, via the `X-ZT1-Auth` HTTP header field, or appended to the URL as `?auth=<token>`. You can see the current metrics via `cURL` with the following command:
+
+    // Linux
+    curl -H "X-ZT1-Auth: $(sudo cat /var/lib/zerotier-one/metricstoken.secret)" http://localhost:9993/metrics
+
+    // macOS
+    curl -H "X-ZT1-Auth: $(sudo cat /Library/Application\ Support/ZeroTier/One/metricstoken.secret)" http://localhost:9993/metrics
+
+    // Windows PowerShell (Admin)
+    Invoke-RestMethod -Headers @{'X-ZT1-Auth' = "$(Get-Content C:\ProgramData\ZeroTier\One\metricstoken.secret)"; } -Uri http://localhost:9993/metrics
+
+To configure a scrape job in Prometheus on the machine ZeroTier is running on, add this to your Prometheus `scrape_config`:
+
+    - job_name: zerotier-one
+      honor_labels: true
+      scrape_interval: 15s
+      metrics_path: /metrics
+      static_configs:
+      - targets:
+        - 127.0.0.1:9993
+        labels:
+          group: zerotier-one
+          node_id: $YOUR_10_CHARACTER_NODE_ID
+      authorization:
+        credentials: $YOUR_METRICS_TOKEN_SECRET
+
+If neither of these methods are desirable, it is probably possible to distribute metrics via [Prometheus Proxy](https://github.com/pambrose/prometheus-proxy) or some other tool.  Note: We have not tested this internally, but will probably work with the correct configuration.
+
+Metrics are also available on disk in ZeroTier's working directory:
+
+   // Linux
+   /var/lib/zerotier-one/metrics.prom
+
+   // macOS
+   /Library/Application\ Support/ZeroTier/One/metrics.prom
+
+   //Windows
+   C:\ProgramData\ZeroTier\One\metrics.prom
+
+#### Available Metrics
+
+| Metric Name | Labels | Metric Type | Description |
+| ---         | ---    | ---         | ---         |
+| zt_packet | packet_type, direction | Counter | ZeroTier packet type counts |
+| zt_packet_error | error_type, direction | Counter | ZeroTier packet errors|
+| zt_data | protocol, direction | Counter | number of bytes ZeroTier has transmitted or received |
+| zt_num_networks | | Gauge | number of networks this instance is joined to |
+| zt_network_multicast_groups_subscribed | network_id | Gauge | number of multicast groups networks are subscribed to |
+| zt_network_packets | network_id, direction | Counter | number of incoming/outgoing packets per network |
+| zt_peer_latency | node_id | Histogram | peer latency (ms) |
+| zt_peer_path_count | node_id, status | Gauge | number of paths to peer |
+| zt_peer_packets | node_id, direction | Counter | number of packets to/from a peer |
+| zt_peer_packet_errors | node_id | Counter | number of incoming packet errors from a peer |
+
+If there are other metrics you'd like to see tracked, ask us in an Issue or send us a Pull Request!
+
+### HTTP / App server
+
+There is a static http file server suitable for hosting Single Page Apps at http://localhost:9993/app/<app-path>
+
+Use `zerotier-cli info -j` to find your zerotier-one service's homeDir
+
+``` sh
+cd $ZT_HOME
+sudo mkdir -p app/app1
+sudo mkdir -p app/appB
+echo '<html><meta charset=utf-8><title>appA</title><body><h1>hello world A' | sudo tee app/appA/index.html 
+echo '<html><meta charset=utf-8><title>app2</title><body><h1>hello world 2' | sudo tee app/app2/index.html 
+curl -sL http://localhost:9993/app/appA http://localhost:9993/app/app2 
+```
+
+Then visit [http://localhost:9993/app/app1/](http://localhost:9993/app/app1/) and [http://localhost:9993/app/appB/](http://localhost:9993/app/appB/)
+
+Requests to paths don't exist return the app root index.html, as is customary for SPAs. 
+If you want, you can write some javascript that talks to the service or controller [api](https://docs.zerotier.com/service/v1).

RELEASE-NOTES.md

@@ -1,6 +1,203 @@
 ZeroTier Release Notes
 ======
 
+# 2024-10-23 -- Version 1.14.2
+
+  * Fix for missing entitlement on macOS Sequoia.
+  * Fix for a problem correctly parsing local.conf to enable low bandwidth mode.
+  * Increment versions of some dependent libraries.
+  * Other fixes.
+
+# 2024-09-12 -- Version 1.14.1
+
+  * Multithreaded packet I/O support! Currently this is just for Linux and must
+    be enabled in local.conf. It will likely make the largest difference on small
+    multi-core devices where CPU is a bottleneck and high throughput is desired.
+    It may be enabled by default in the future but we want it to be thoroughly
+    tested. It's a little harder than it seems at first glance due to the need
+    to keep packets in sequence and balance load.
+  * Several multipath bug fixes.
+  * Updated the versions on a number of libraries related to OIDC support and HTTP.
+  * MacOS .app now shows the correct version in its Info.plist manifest.
+  * Sanitize MAC addresses in JSON format rules parser.
+  * Some basic information about the platform (OS, CPU architecture) is now reported
+    to network controllers when networks are joined so it can be displayed to
+    network admins and in the future used in policy checking and inventory operations.
+
+# 2024-05-02 -- Version 1.14.0
+
+  * Linux I/O performance improvements under heavy load
+  * Improvements to multipath
+  * Fix for port rebinding "coma" bug after periods offline (some laptop users)
+  * Fixed a rules engine quirk/ambiguity (GitHub Issue #2200)
+  * Controller API enhancements: node names and other node meta-data
+  * Other bug fixes
+
+# 2023-09-12 -- Version 1.12.2
+
+  * More improvements to macOS full tunnel mode.
+  * Faster recovery after changes to physical network settings.
+
+# 2023-08-25 -- Version 1.12.1
+
+  * Minor release to fix a port binding issue in Linux.
+  * Update Debian dependencies.
+  * No changes for other platforms.
+
+# 2023-08-23 -- Version 1.12.0
+
+  * Experimental Windows ARM64 support
+  * Fix numerous sleep/wake issues on macOS and other platforms
+  * Faster recovery after changes to physical network settings
+  * Prometheus compatible metrics support!
+  * Fix full tunnel mode on recent macOS versions
+  * Numerous macOS DNS fixes
+  * 10-30% speed improvement on Linux
+
+# 2023-03-23 -- Version 1.10.6
+
+  * Prevent binding temporary ipv6 addresses on macos (#1910)
+  * Prevent path-learning loops (#1914)
+  * Prevent infinite loop of UAC prompts in tray app
+
+# 2023-03-10 -- Version 1.10.5
+
+ * Fix for high CPU usage bug on Windows
+
+# 2023-03-07 -- Version 1.10.4
+
+ * SECURITY FIX (Windows): this version fixes a file permission problem on
+   Windows that could allow non-privileged users on a Windows system to read
+   privileged files in the ZeroTier service's working directory. This could
+   allow an unprivileged local Windows user to administrate the local ZeroTier
+   instance without appropriate local permissions. This issue is not remotely
+   exploitable unless a remote user can read arbitrary local files, and does
+   not impact other operating systems.
+
+ * Fix a bug in the handling of multiple IP address assignments to virtual
+   interfaces on macOS.
+
+# 2023-02-15 -- Version 1.10.3
+
+ * Fix for duplicate paths in client. Could cause connectivity issues. Affects all platforms.
+ * Fix for Ethernet Tap MTU setting, would not properly apply on Linux.
+ * Fix default route bugs (macOS.)
+ * Enable Ping automatically for ZeroTier Adapters (Windows.)
+ * SSO updates and minor bugfixes.
+ * Add low-bandwidth mode.
+ * Add forceTcpRelay mode (optionally enabled.)
+ * Fix bug that prevented setting of custom TCP relay address.
+ * Build script improvements and bug fixes.
+
+# 2022-11-01 -- Version 1.10.2
+
+ * Fix another SSO "stuck client" issue in zeroidc.
+ * Expose root-reported external IP/port information via the local JSON API for better diagnostics.
+ * Multipath: CLI output improvement for inspecting bonds
+ * Multipath: balance-aware mode
+ * Multipath: Custom policies
+ * Multipath: Link quality measurement improvements
+
+Note that releases are coming few and far between because most of our dev effort is going into version 2.
+
+# 2022-06-27 -- Version 1.10.1
+
+ * Fix an issue that could cause SSO clients to get "stuck" on stale auth URLs.
+ * A few other SSO related bug fixes.
+
+# 2022-06-07 -- Version 1.10.0
+
+ * Fix formatting problem in `zerotier-cli` when using SSO networks.
+ * Fix a few other minor bugs in SSO signin to prepare for general availability.
+ * Remove requirement for webview in desktop UI and instead just make everything available via the tray pulldown/menu. Use [libui-ng](https://github.com/libui-ng/libui-ng) for minor prompt dialogs. Saves space and eliminates installation headaches on Windows.
+ * Fix SSO "spam" bug in desktop UI.
+ * Use system default browser for SSO login so all your plugins, MFA devices, password managers, etc. will work as you have them configured.
+ * Minor fix for bonding/multipath.
+
+# 2022-05-10 -- Version 1.8.10
+
+ * Fixed a bug preventing SSO sign-on on Windows.
+
+# 2022-04-25 -- Version 1.8.9
+
+ * Fixed a long-standing and strange bug that was causing sporadic "phantom" packet authentication failures. Not a security problem but could be behind sporadic reports of link failures under some conditions.
+ * Fixed a memory leak in SSO/OIDC support.
+ * Fixed SSO/OIDC display error on CLI.
+ * Fixed a bug causing nodes to sometimes fail to push certs to each other (primarily affects SSO/OIDC use cases).
+ * Fixed a deadlock bug on leaving SSO/OIDC managed networks.
+ * Added some new Linux distributions to the build subsystem.
+
+# 2022-04-11 -- Version 1.8.8
+
+ * Fix a local privilege escalation bug in the Windows installer.
+ * Dependency fix for some Ubuntu versions.
+ * No changes for other platforms. Windows upgrade recommended, everyone else optional.
+
+# 2022-03-30 -- Version 1.8.7
+
+ * Fix for dependency installations in Windows MSI package.
+ * Fix for desktop UI setup when run by a non-super-user.
+ * Bug fix in local OIDC / SSO support for auth0 and other providers.
+ * Other minor fixes for e.g. old Linux distributions.
+
+# 2022-03-04 -- Version 1.8.6
+
+ * Fixed an issue that could cause the UI to be non-responsive if not joined to any networks.
+ * Fix dependency issues in Debian and RedHat packages for some distributions (Fedora, Mint).
+ * Bumped the peer cache serialization version to prevent "coma" issues on upgrade due to changes in path logic behaving badly with old values.
+
+# 2022-02-22 -- Version 1.8.5
+
+ * Plumbing under the hood for endpoint device SSO support.
+ * Fix in LinuxEthernetTap to tap device support on very old (2.6) Linux kernels.
+ * Fix an issue that could cause self-hosted roots ("moons") to fail to assist peers in making direct links. (GitHub issue #1512)
+ * Merge a series of changes by Joseph Henry (of ZeroTier) that should fix some edge cases where ZeroTier would "forget" valid paths.
+ * Minor multipath improvements for automatic path negotiation.
+
+# 2021-11-30 -- Version 1.8.4
+
+ * Fixed an ugly font problem on some older macOS versions.
+ * Fixed a bug that could cause the desktop tray app control panel to stop opening after a while on Windows.
+ * Fixed a possible double "release" in macOS tray app code that crashed on older macOS versions.
+ * Fixed installation on 32-bit Windows 10.
+ * Fixed a build flags issue that could cause ZeroTier to crash on older ARM32 CPUs.
+
+# 2021-11-15 -- Version 1.8.3
+
+ * Remove problematic spinlock, which was only used on x86_64 anyway. Just use pthread always.
+ * Fix fd leak on MacOS that caused non-responsiveness after some time.
+ * Fix Debian install scripts to set /usr/sbin/nologin as shell on service user.
+ * Fix regression that could prevent managed routes from being deleted.
+ * DesktopUI: Remove NSDate:now() call, now works on MacOS 10.13 or newer!
+
+# 2021-11-08 -- Version 1.8.2
+
+ * Fix multicast on linux.
+ * Fix a bug that could cause the tap adapter to have the wrong MAC on Linux.
+ * Update build flags to possibly support MacOS older than 10.14, but more work needs to be done. It may not work yet.
+ * Fix path variable setting on Windows.
+
+# 2021-10-28 -- Version 1.8.1
+
+ * Fix numerous UI issues from 1.8.0 (never fully released).
+ * Remove support for REALLY ancient 1.1.6 or earlier network controllers.
+ * MacOS IPv6 no longer binds to temporary addresses as these can cause interruptions if they expire.
+ * Added additional hardening against address impersonation on networks (also in 1.6.6).
+ * Fix an issue that could cause clobbering of MacOS IP route settings on restart.
+
+ * NOTE: Windows 7 is no longer supported! Windows 7 users will have to use version 1.6.5 or earlier.
+
+# 2021-09-15 -- Version 1.8.0 (preview release only)
+
+ * A *completely* rewritten desktop UI for Mac and Windows!
+ * Implement a workaround for one potential source of a "coma" bug, which can occur if buggy NATs/routers stop allowing the service to communicate on a given port. ZeroTier now reassigns a new secondary port if it's offline for a while unless a secondary port is manually specified in local.conf. Working around crummy buggy routers is an ongoing effort.
+ * Fix for MacOS MTU capping issue on feth devices
+ * Fix for mistakenly using v6 source addresses for v4 routes on some platforms
+ * Stop binding to temporary IPv6 addresses
+ * Set MAC address before bringing up Linux TAP link
+ * Check if DNS servers need to be applied on macOS
+ * Upgrade json.hpp dependency to version 3.10.2
+
 # 2021-09-21 -- Version 1.6.6
 
  * Backport COM hash check mitigation against network member impersonation.
@@ -175,7 +372,7 @@ We're trying to fix all these issues before the 1.6.0 release. Stay tuned.
 # 2017-04-20 -- Version 1.2.4
 
  * Managed routes are now only bifurcated for the default route. This is a change in behavior, though few people will probably notice. Bifurcating all managed routes was causing more trouble than it was worth for most users.
- * Up to 2X crypto speedup on x86-64 (except Windows, which will take some porting) and 32-bit ARM platforms due to integration of fast assembly language implementations of Salsa20/12 from the [supercop](http://bench.cr.yp.to/supercop.html) code base. These were written by Daniel J. Bernstein and are in the public domain. My Macbook Pro (Core i5 2.8ghz) now does almost 1.5GiB/sec Salsa20/12 per core and a Raspberry Pi got a 2X boost. 64-bit ARM support and Windows support will take some work but should not be too hard.
+ * Up to 2X crypto speedup on x86-64 (except Windows, which will take some porting) and 32-bit ARM platforms due to integration of fast assembly language implementations of Salsa20/12 from the [supercop](http://bench.cr.yp.to/supercop.html) code base. These were written by Daniel J. Bernstein and are in the public domain. My MacBook Pro (Core i5 2.8ghz) now does almost 1.5GiB/sec Salsa20/12 per core and a Raspberry Pi got a 2X boost. 64-bit ARM support and Windows support will take some work but should not be too hard.
  * Refactored code that manages credentials to greatly reduce memory use in most cases. This may also result in a small performance improvement.
  * Reworked and simplified path selection and priority logic to fix path instability and dead path persistence edge cases. There have been some sporadic reports of persistent path instabilities and dead paths hanging around that take minutes to resolve. These have proven difficult to reproduce in house, but hopefully this will fix them. In any case it seems to speed up path establishment in our tests and it makes the code simpler and more readable.
  * Eliminated some unused cruft from the code around path management and in the peer class.

SECURITY.md

@@ -0,0 +1,93 @@
+# Security
+
+ZeroTier takes the security of our software products and services seriously, which 
+includes all source code repositories managed through our GitHub organization.
+
+## Supported Versions
+
+The following versions of ZeroTier One receive security updates
+
+| Version  | Supported          |
+| -------- | ------------------ |
+| 1.14.x   | :white_check_mark: |
+| 1.12.x   | :white_check_mark: |
+| < 1.12.0 | :x:                |
+
+## Reporting a Vulnerability
+
+**Please do not report security issues through public GitHub issues**
+
+Instead, please report vulnerabilities via email to security@zerotier.com. If possible,
+please encrypt with our PGP key (see below).
+
+Please include the following information, or as much as you can provide to help us 
+understand the nature and scope of the issue:
+
+  * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
+  * Full paths of source file(s) related to the manifestation of the issue
+  * The location of the affected source code (tag/branch/commit or direct URL)
+  * Any special configuration required to reproduce the issue
+  * Step-by-step instructions to reproduce the issue
+  * Proof-of-concept or exploit code (if possible)
+  * Impact of the issue, including how an attacker might exploit the issue
+
+## Preferred Languages
+
+We prefer all communications to be in English.
+
+## security@zerotier.com PGP key
+
+```
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGQGOVIBEACalXTnNqaiSOVLFEiqHpDMg8N/OI5D5850Xy1ZEvx3B3rz7cbn
+k30ozHtJKbh+vqpyItE7DjyQAuF19gP5Q64Yh0Y+MmLHq60q/GwOwAYz7cI+UzA3
+5x8YqcmTp32LAM1xJn+iMlMLBuAmJl4kULKmOXPlpqPiyTFs5saizvm7fgRmfgJJ
+HpsnIrTkaDFJhAR+jvMJohVYwmhuydeI0DsHu7KGpG1ddcHDrUjOPNqXnnAPSPwx
+llw4yfKlQb8GYErsv/G5QVyzd5+SxEuiI4MARRnrk8LlMQ33CR6pzIQ/Bk5AAmye
+mHqfEAknkiOf++urYhRs9BL3Kz3MdV0cg92zr9EFOg0u56jxf5OnAiTOhGUUA0hn
+dS7peVGl46R9Oy2JYIazNDGi+4NIsYDFXsnsss9xOQVygPyeQd71zFHfix0jct9w
+j3o/kj7Egsnm9nc13354bYT6bbalqXiRWwGH1eAFpjueNWiVFwZS6NZUP3WeNDiY
+BlPo1LodvolbXiJcTILTCyEkERJPCK2zoE2nTdVfvTLWsuehw1M6Yd2/q74TVYy/
+RY+KjHkrChEBQ9PqXsXRHj6opKbT8JLfZkvU5k+3IiqqxOpB+QXFI/whj493CxWW
+so7QAmzOCyJq8GDVPxzkwUac22YIkXdiOmb8i/HWq+kLY/HjQE259Gx6KwARAQAB
+tClaZXJvVGllciBTZWN1cml0eSA8c2VjdXJpdHlAemVyb3RpZXIuY29tPokCTAQT
+AQoANhYhBH1HQGb+4jzl6mnFqf09m6uqADkABQJkBjlSAhsDBAsJCAcEFQoJCAUW
+AgMBAAIeAQIXgAAKCRD9PZurqgA5ACqPD/sFt6SG6Tu0HwTY2ofJtYsa2GBLL0pf
+dYlX4cWSs1PVB5+m5Oj18y+GB2umA9GnsVtmvaSfp3XEngt2zNWX27uUsVfL35b2
+/5TVVe8RjzOedqMN+lQWMvO+f/C1zmWYXjjpC+iGjgMMaRRrofkkn+7uL4N9y6gY
+rcXtpACT1rYFC+i1AKnZfUO8Vr5ji7odq0f7bDkN/N38rB0kRRwEmO8wqdpQK6gK
+nxf9vgJl5ggimDk5Xtz1sfd3y28bf5N4hdOCkXUbd10nUFY3wDNTM4VxozxTGJeG
+imdcc19Wuw/1fGUZ5SIjgPanCdPLGYwSTr+M6Fuern9uTtlC1GOby3BUtmVGP6EU
+1pSAJSRpmoBPHKKOYtSMwV8PCboXru9P1ab8y8STKM3SKyghUJrl17gdc0LaksZa
+E54pJudGPIQMFRqZjMdV6jgMuaLTozjZ4mW8EThf4mkX4xDkO8l7cOn0225ZYJZC
+lZKpdnwzk9owkJA80u4KBNJxTtB4ZAPzjBsD5hFzCZQTLNQp/psU3EjZsau28eXT
+E/C1QjEQHgy4ohkgQlCm1H1+clKssCWcdmsVGXuS1u8gh4K6X9b0Z6LeCGRaQvH2
++DB8oTAdqp9nUZv9rP4pbo+sR4fF67CFLriVuxjedAiFkbM4uHMFcL4tc/X9+DRo
+YN5X7oEkZvO507kCDQRkBjlSARAAz58UMF7K1qKyQjzKTcutaYZ5SaIGky9lCLZn
+/2vjpFCoBogkxS/6IKQcwZk8b4S9QstaaQZDFEkxqNeKC0GiFTAMAb6SmYcK495h
+EZnHl0NA5Nc2dBlZk5E/ENzTCz2bXaxCcVESc2z+xCzu07brbhGrqvliKiwOUzt9
+JzqEsar6I95OutBcZvkFCs44/Uf9bS1qf1w4klE8w3vdMtGH23umrET4tFZ+sh6o
+ZFtQx0u2eKjsRdn/RMtsxLNaJlcE1DdIAqBpQrcmuwMC8v5wUGfCGZjhClzmyQlq
+akUkayir7UtbHbFT/mgO+YI77YGXWk5QrwPscqqT2l8KB/YMujNDmaWa/0KV1lIY
+zr5s4dzVeiwqFLR9ANFIhzFwzf3JLi6XSx123Qix0TxZoYPZCHl7yoi9qi6qybz5
+0Od2LSz3jbApeKYymZ+zjE+YV5y9DI6Wzy1j2M1FogNvTO9fMk+6dLt4HhTdSNvH
+cKya462YCcy+tnZTkhmh+FTebbJlV6D4wG7skE5KCdBhjm53xLwp6XW9L6n2CrkL
+W1IDBcCz0oPd1sMkXbO3wnxdXprV2XurCfsg/R2nszSNzvdJ8/xj3cr9hpoJ714R
+qqyoEDRZ1Ss9kGL166o5MpN5qb/EewdkqGgWP7YFXbhsdHQiW7Z7dAqzjoaybD4O
+nakkwyUAEQEAAYkCNgQYAQoAIBYhBH1HQGb+4jzl6mnFqf09m6uqADkABQJkBjlS
+AhsMAAoJEP09m6uqADkAax0P/Rh8EZYRqW6dPYTl1YQusAK10rAcRNq3ekjofXGk
+oXK1S7HWGoFgl5++5nfSfNgFJ5VLcgIM56wtIf49zFjWe5oC6fw8k+ghh4d2chMP
+hdDILx6e0c30Iq1+EvovGR9hWa0wJ4cKTdzlwhY9ZC09q0ia+bl2mwpie1JQDR0c
+zXCjt+PldLeeK9z1/XT0Q7KowYC+U18oR+KFm+EaRV4QT85JVequnIeGkmaHJrHB
+lH4T5A5ib7y8edon1c0Zx3GsaxJUojkEJ0SX7ffVDu6ztUZfkHfCVpMW4VzUeGA/
+m+CtFO9ciLRGZEkRa+zhIGoBvwEXU0GiwiF4nZ0F2C8UioeW0YIEV9zl3nXJctYE
+ZKc2whSENQRTGgaYHVoVZhznt71LKWgFLshwBo81UCXVkzwAjMW1ActDnmPw5M7q
+xR5Qp5G49Z1GmfSozazha0HVFPKNV5i3RlTzs4yLUnZyH0yC9IvtOefMHcLjG96L
+N5miEV97gvJJjrn8rhRvpUwAWgmT/9IuYjBNQTtNN40arto5HxezR76WCjdKYxdL
+p3dM1iiBDShHNm7LdyZlLFhTOMU0tNBxJJ7B09ar5gakeZjD+2aB1ODX9VuFtozL
+onBjI2gIkry0UIkuznHfFw05lZAZAiqHEVgVi/WTk4C/bklDZNgE0lx+IWzEz2iS
+L455
+=lheL
+-----END PGP PUBLIC KEY BLOCK-----
+```