From ryanc at ccs.neu.edu Mon Feb 8 11:13:14 2016
From: ryanc at ccs.neu.edu (Ryan Culpepper)
Date: Mon, 8 Feb 2016 11:13:14 -0500
Subject: [Racket announcement] Racket v6.4
Message-ID: <56B8BE9A.7@ccs.neu.edu>

Racket version 6.4 is now available from

  http://racket-lang.org/

- We fixed a security vulnerability in the web server. The existing web
  server is vulnerable to a navigation attack if it is also enabled to
  serve files statically; that is, any file readable by the web server
  is accessible remotely. For more information see

  http://blog.racket-lang.org/2016/02/racket-web-server-security-vulnerability.html

- DrRacket's scrolling is faster.

- Incremental garbage-collection mode can eliminate long pauses in a
  program. For example, incremental mode is useful for avoiding pauses
  in games and animations. Programs must specifically request
  incremental mode with `(collect-garbage 'incremental)`, but libraries
  such as `2htdp/universe` include the request as part of the library's
  implementation.

- The default package catalog is an HTTPS address instead of HTTP, and
  package operations properly validate server certificates when using
  HTTPS.

- Documentation may define their own categories for the manual
  top-level page by using strings, rather than only symbols that name
  pre-defined categories.

- The Racket cheat sheet is included in the main distribution.

- DrRacket is available in Bulgarian, thanks to Alexander Shopov.

- The contract Typed Racket generates for the `Any` type is more
  permissive, allowing more typed/untyped programs to work without
  contract errors.

- Redex supports binding specifications; describe which variables bind
  in which expressions and your metafunctions and reduction relations
  automatically become scope-sensitive. Thanks to Paul Stansifer for
  this improvement.

- All `pict` functions accept `pict-convertible`s. This allows for
  transparent interoperability between `pict` and libraries like
  `2htdp/image`.
- The `raco profile` and `raco contract-profile` commands provide easy
  access to profiling tools, without requiring program modifications.

Feedback Welcome


From samth at cs.indiana.edu Mon Feb 8 11:17:45 2016
From: samth at cs.indiana.edu (Sam Tobin-Hochstadt)
Date: Mon, 8 Feb 2016 11:17:45 -0500
Subject: [Racket announcement] Racket Web Server Security Vulnerability
Message-ID:

We recently discovered a serious security vulnerability in the Racket
web server, which can lead to unintended disclosure of files on the
machine running the web server. This vulnerability is fixed in Racket
version 6.4, just released, and we encourage people to upgrade to that
version.

The vulnerability affects web servers that serve static files using the
`#:extra-static-files` option, including the default value of this
option. If you do not use the Racket web server to serve static files,
or you do so via a mechanism that does not use the `make-url->path`
function, then you are likely not vulnerable.

Affected web servers will allow specially-crafted URLs to access files
outside of the specified paths, potentially exposing any file that the
web server process is able to read.

If you cannot immediately upgrade to version 6.4, we have provided a
package catalog with updated versions of the "web-server-lib" package
for versions of Racket back to 6.0. That catalog is located at

  http://download.racket-lang.org/patches/web-server-1/

To use it to upgrade your Racket installation, add it as a catalog using
`raco pkg config`. To make this process easier, you can download the
Racket script available at

  https://gist.github.com/samth/c81e1e2fabc744759970

Then run:

  $ racket add-catalog.rkt
  $ raco pkg update -i web-server-lib

On some systems, this may need to be run with administrator or
super-user privileges, if Racket was installed with those privileges.

If you need advice on updating Racket installations older than version
6.0, please let us know and we will provide them.
To test that your Racket installation is fixed, you can run the program
here:

  https://gist.github.com/samth/740cc39eb6c0d9bd7bc3

Thanks to Rob Henderson for the discovery of this issue.

Sam, for the Racket team


From ryanc at ccs.neu.edu Thu Apr 28 15:58:00 2016
From: ryanc at ccs.neu.edu (Ryan Culpepper)
Date: Thu, 28 Apr 2016 15:58:00 -0400
Subject: [Racket announcement] Racket v6.5
Message-ID: <57226B48.2030701@ccs.neu.edu>

Racket version 6.5 is now available from

  http://racket-lang.org/

- Typed Racket and the `racket/contract` library generate code with
  lower overhead, speeding up typed/untyped interaction in a number of
  gradual typing programs we studied.

- Macros written using `syntax-parse` automatically emit more accurate
  error messages.

- The contract profiler captures costs from more contract combinators,
  including all those in the main distribution.

- Hash table and set iteration, via both existing and new non-generic
  sequences, is more performant, up to twice as fast on microbenchmarks.

- The Racket optimizer detects many more optimization opportunities,
  including when variables always hold numbers.

- The `db` library supports single-result CALL statements in MySQL.

- The `net/dns` library supports SRV records.

- The `racket/unix-socket` library supports listen and accept
  operations.
The following people contributed to this release:

Adrien Tateno, Alex Knauth, Alexander Shopov, Alexis King, Andrew Kent,
Asumu Takikawa, Ben Greenman, Chen Xiao, Chris Jester-Young, Daniel
Feltey, Eric Dobson, Georges Dupéron, Gustavo Massaccesi, Ian Harris,
Jay McCarthy, Jens Axel Søgaard, John Clements, Leandro Facchinetti,
Lehi Toskin, Leif Andersen, Łukasz Dębek, Marc Kaufmann, Matthew Flatt,
Matthias Felleisen, Michael McConville, Mike Sperber, Paul Stansifer,
Philippe Meunier, Robby Findler, Rodrigo Setti, Ryan Culpepper, Sam
Caldwell, Sam Tobin-Hochstadt, Sorawee Porncharoenwase, Spencer
Florence, Stephen Chang, Tony Garnock-Jones, Vincent St-Amour, WarGrey
Gyoudmon Ju, and William J. Bowman.

Feedback Welcome


From stamourv at eecs.northwestern.edu Fri Jul 22 19:51:25 2016
From: stamourv at eecs.northwestern.edu (Vincent St-Amour)
Date: Fri, 22 Jul 2016 18:51:25 -0500
Subject: [Racket announcement] Racket v6.6
Message-ID:

Racket version 6.6 is now available from

  http://racket-lang.org/

- The new Macro Profiler command-line tool (`raco macro-profiler`)
  shows how macros contribute to the final expanded code size of a
  program.

- Typed Racket supports intersection types. This allows the type system
  to track more information, and for programmers to express more
  precise types.

- Typed Racket produces up to 4x smaller compiled files compared with
  Racket 6.5, reducing the size of the Racket distribution by 50M.

- Typed Racket issues warnings in cases where the contract generated
  for `Any` was not strict enough in the past. These warnings will
  become errors in a future release. Warnings are enabled via
  View -> Show Log in DrRacket, and shown by default on command-line
  Racket.

- Typed Racket enforces uses of `cast` more correctly, by checking both
  the "casted-to" and "casted-from" types. Previously, only the former
  were checked. In some cases, this will produce contract errors in
  programs that did not have errors before.
- `syntax-parse` raises an error when an ellipsis pattern has an empty
  match rather than diverging, and it logs a warning when it statically
  detects a nullable pattern, such as `((~seq) ...)`. In the next
  version of Racket, it will reject the pattern instead, and it will
  remove special handling that currently makes some uses of such
  patterns terminate.

- `htdp/dir`: The `create-dir` function delivers data information for
  files in a new field. The domain of its functions is backwards
  compatible.

The following people contributed to this release:

Alex Knauth, Alexander Shopov, Alexis King, Andrew Kent, Asumu Takikawa,
Ben Greenman, Bernardo Sulzbach, Brian Lachance, Chris Jester-Young,
Dan Feltey, Eric Dobson, Georges Dupéron, Gustavo Massaccesi, James
Bornholt, Jay McCarthy, John Clements, Leandro Facchinetti, Leif
Andersen, Maksim Kochkin, Matthew Flatt, Matthias Felleisen, Mike
Sperber, Paul Stansifer, Pedro Caldeira, Philip McGrath, Robby Findler,
Ryan Culpepper, Sam Tobin-Hochstadt, Spencer Florence, Stephen Chang,
Stephen De Gabrielle, Tim Brown, Tony Garnock-Jones, Vincent St-Amour,
WarGrey Gyoudmon Ju, William J. Bowman, and Zeina Migeed.

Feedback Welcome


From stamourv at eecs.northwestern.edu Wed Oct 26 19:37:08 2016
From: stamourv at eecs.northwestern.edu (Vincent St-Amour)
Date: Wed, 26 Oct 2016 18:37:08 -0500
Subject: [Racket announcement] Racket v6.7
Message-ID:

Racket version 6.7 is now available from

  http://racket-lang.org/

- Racket supports building graphical applications on Android through
  the racket-android project:

  https://github.com/jeapostrophe/racket-android

- The Racket REPL comes with line-editing, command and result history,
  and various meta-commands out of the box, via the `racket/interactive`
  module. See the `racket/interactive` and `xrepl` documentation for
  details.

- The package system supports authentication when installing packages
  from git, using the `raco pkg config git-checkout-credentials`
  configuration option.
- HTTP libraries, as well as `raco pkg`, support proxying via HTTP
  CONNECT.

- Typed Racket provides typed versions of `racket/os` and
  `racket/db/sqlite`.

- The `PLT_COMPILED_FILE_CHECK` environment variable provides more
  fine-grained control over when ".zo" files are consulted.

- The documentation search supports searching for "#lang"s and
  "#reader"s via the "L:" and "R:" search prefixes.

- The `file/glob` module implements globbing for path-strings.

- Optimizations in the bytecode compiler improve performance for
  structure, list, string, and byte-string operations.

The following people contributed to this release:

Alex Knauth, Alex Harsanyi, Alexis King, Andrew Kent, Asumu Takikawa,
Ben Greenman, Brian Lachance, Chongkai Zhu, Daniel Feltey, Georges
Dupéron, Gustavo Massaccesi, Jay McCarthy, John Clements, Jonathan
Schuster, Leif Andersen, Marc Burns, Matthew Butterick, Matthew Flatt,
Matthias Felleisen, Mike Sperber, Robby Findler, Rohin Shah, Ryan
Culpepper, Sam Tobin-Hochstadt, Spencer Florence, Stephen Chang,
Stephen De Gabrielle, Tim Brown, Tony Garnock-Jones, Vincent St-Amour,
WarGrey Gyoudmon Ju, and William J. Bowman.

Feedback Welcome