Eclipse Hono 1.5.0 Release Review

Type
Release
State
Successful
End Date of the Review Period

Reviews run for a minimum of one week. The outcome of the review is decided on this date. This is the last day to make comments or ask questions about this review.

Project
Release

1.5.0

Description

This minor release introduces the following new features:

  • The CoAP adapter has been promoted from experimental to fully supported.
  • The Hono Client now supports several configuration properties that can be used to limit its resource usage. In particular the AMQP connection's max-frame-size, the AMQP session's incoming window size and the max-message-size of receiver links can be configured (and thus limited).
  • A new Hono Clients component has been added which provides use-case-specific modules that can be used to access Hono's APIs in a transport-protocol-agnostic way. The (legacy) client implicitly assumes that the transport protocol being used is AMQP 1.0. In an attempt to support Apache Kafka as an alternative to the AMQP 1.0 Messaging Network for sending messages downstream, a new set of Java client interfaces has been created which makes no assumption regarding the underlying transport protocol. The initial implementation of these interfaces is based on the legacy client using AMQP 1.0. In future versions, a Kafka-client-based implementation will be added.
  • A new way of routing Command & Control messages from the AMQP messaging network to the target protocol adapters has been introduced. For that, a new Command Router service component is used, receiving command messages and routing them to the appropriate protocol adapters. Protocol adapters supply routing information to the component by means of a new Command Router API. Protocol adapters can be configured to either use that new API or they can continue using the now deprecated Device Connection API instead, meaning command routing will be done without using the Command Router.
API Certification

The project leadership certifies that the APIs in this release are "Eclipse Quality".

Architectural Issues

Some work has gone into the build process in order to harmonize the way container images based on Spring Boot and Quarkus are being built. All container images now use the run-java.sh script for starting the JVM and the container images are being created using the Docker Maven plugin.

The newly added Command Router API and its implementation, the Command Router component, are the first step of moving the functionality for routing commands out of the protocol adapters and into a distinct component. This will reduce the overall complexity of Hono's standard protocol adapters and will also make it much easier to implement new adapters.

Security Issues

This release includes a fix for

  • CVE-2020-27217

    In Eclipse Hono versions 1.3.0 and 1.4.0 the AMQP protocol adapter does not verify the size of AMQP messages received from devices. In particular, a device may send messages that are bigger than the max-message-size that the protocol adapter has indicated during link establishment. While the AMQP 1.0 protocol explicitly disallows a peer to send such messages, a hand-crafted AMQP 1.0 client could exploit this behavior in order to send a message of unlimited size to the adapter, eventually causing the adapter to fail with an out of memory exception.
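
The receiver-side check whose absence CVE-2020-27217 describes can be sketched as follows. This is an added example, not Hono's code or its actual fix: `ReceiverLink`, `LinkClosed` and `deliver` are hypothetical names, and the frames are constructed sample input. It models a delivery split over several AMQP 1.0 transfer frames and enforces the advertised max-message-size on the running total before buffering.

```python
from dataclasses import dataclass, field

# AMQP 1.0 link error condition for a delivery larger than the advertised limit.
MESSAGE_SIZE_EXCEEDED = "amqp:link:message-size-exceeded"


class LinkClosed(Exception):
    """Raised when the receiver detaches the link with an error condition."""

    def __init__(self, condition: str, description: str):
        super().__init__(f"{condition}: {description}")
        self.condition = condition


@dataclass
class ReceiverLink:
    """Hypothetical model of a receiving link endpoint (not Hono's API)."""
    max_message_size: int          # advertised in attach; 0 means "no limit"
    closed: bool = False
    _partial: bytearray = field(default_factory=bytearray, init=False)

    def on_transfer(self, payload: bytes, more: bool):
        """Handle one transfer frame; return the full message once complete."""
        if self.closed:
            return None            # frames arriving after the detach are dropped
        limit = self.max_message_size
        # Check BEFORE buffering, so at most `limit` bytes are ever held,
        # no matter how many frames the sender marks with more=True.
        if limit and len(self._partial) + len(payload) > limit:
            self._partial.clear()  # release what was buffered so far
            self.closed = True
            raise LinkClosed(
                MESSAGE_SIZE_EXCEEDED,
                f"delivery exceeds max-message-size of {limit} bytes")
        self._partial += payload
        if more:
            return None            # wait for the remaining frames
        message, self._partial = bytes(self._partial), bytearray()
        return message


def deliver(link: ReceiverLink, frames):
    """Feed constructed (payload, more) frames; return the assembled message."""
    result = None
    for payload, more in frames:
        result = link.on_transfer(payload, more)
    return result
```

The point of the sketch is that the limit is applied to the accumulated size of the delivery, not to a single frame, and that the link is closed rather than the frame silently ignored.
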
Non-Code Aspects

During the last year we have done many (minor) releases, which we tried to support as best as we could given the Hono team's limited resources. In an effort to allow us to focus on evolving the project while still providing the best possible support, we have decided to only support the two most recent minor release versions of Hono from now on.

This means that with the release of Hono 1.5.0 we will actively support Hono versions 1.4.x and 1.5.x. Once Hono 1.6.0 has been released, we will no longer support 1.4.x. Users are therefore encouraged to always update to one of the two most recent minor versions.

Conforms To UI/UX Guidelines
Not verified
End of Life

The protocol adapters' support for the singleTenant configuration property was deprecated in 1.4.0 and has been removed completely in 1.5.0.

The Device Connection API and its corresponding implementations are being deprecated and will be replaced by the newly added Command Router API in a future release. Existing installations can be configured to continue to use the Device Connection service until then.