The easiest, most secure way to use WireGuard and 2FA.
| File | Last commit | Last updated |
|---|---|---|
bencher: add config to suppress failures on benchmark regressions. This config update will let tailscale use bencher without worrying about the bencher check appearing as failed due to a benchmark regressing. Updates #2938 Signed-off-by: Nathan Dias <nathan@orijtech.com> | 4 years ago | |
.github,.policy-tests.yml: test .policy.yml in CI Add a .policy-tests.yml file with tests exercising the policy that was just landed: the tailcfg/ control-protocol-owners gate, the "policybot-override:" comment escape hatch (including defaults-regression guards so the override rule does not silently accept a normal review or a :+1: comment), and the always-on "any tailscale/dev review" baseline. Updates tailscale/corp#13972 Change-Id: I42afb06b0771658c803512cb5de4701450c8a704 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> | 5 days ago | |
appc,feature/conn25: use custom scheme resolvers for conn25 Currently we are picking a peer for the split dns routes when we get a netmap. Use the new custom scheme resolvers, installed per app in the config in the netmap, to allow us to choose which connector peer should handle a DNS request at the time the request is made. Fixes tailscale/corp#39858 Signed-off-by: Fran Bull <fran@tailscale.com> | 1 month ago | |
all: remove AUTHORS file and references to it This file was never truly necessary and has never actually been used in the history of Tailscale's open source releases. A Brief History of AUTHORS files --- The AUTHORS file was a pattern developed at Google, originally for Chromium, then adopted by Go and a bunch of other projects. The problem was that Chromium originally had a copyright line only recognizing Google as the copyright holder. Because Google (and most open source projects) do not require copyright assignment for contributions, each contributor maintains their copyright. Some large corporate contributors then tried to add their own name to the copyright line in the LICENSE file or in file headers. This quickly becomes unwieldy, and puts a tremendous burden on anyone building on top of Chromium, since the license requires that they keep all copyright lines intact. The compromise was to create an AUTHORS file that would list all of the copyright holders. The LICENSE file and source file headers would then include that list by reference, listing the copyright holder as "The Chromium Authors". This also became cumbersome to simply keep the file up to date with a high rate of new contributors. Plus it's not always obvious who the copyright holder is. Sometimes it is the individual making the contribution, but many times it may be their employer. There is no way for the project maintainer to know. Eventually, Google changed their policy to no longer recommend trying to keep the AUTHORS file up to date proactively, and instead to only add to it when requested: https://opensource.google/docs/releasing/authors. They are also clear that: > Adding contributors to the AUTHORS file is entirely within the > project's discretion and has no implications for copyright ownership. It was primarily added to appease a small number of large contributors that insisted that they be recognized as copyright holders (which was entirely their right to do). 
But it's not truly necessary, and not even the most accurate way of identifying contributors and/or copyright holders. In practice, we've never added anyone to our AUTHORS file. It only lists Tailscale, so it's not really serving any purpose. It also causes confusion because Tailscalars put the "Tailscale Inc & AUTHORS" header in other open source repos which don't actually have an AUTHORS file, so it's ambiguous what that means. Instead, we just acknowledge that the contributors to Tailscale (whoever they are) are copyright holders for their individual contributions. We also have the benefit of using the DCO (developercertificate.org) which provides some additional certification of their right to make the contribution. The source file changes were purely mechanical with: git ls-files | xargs sed -i -e 's/\(Tailscale Inc &\) AUTHORS/\1 contributors/g' Updates #cleanup Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com> | 5 months ago | |
tstest/natlab/vmtest, client/web: add web client integration tests Adds two Gokrazy-based vmtests covering the tailscaled web client at port 5252: * TestWebClientLocalAccess enables the web client on a single node and exercises the canonical owner session flow against the node's own Tailscale IP: an unauthenticated GET /api/auth that identifies the caller, a GET /api/auth/session/new that issues a TS-Web-Session cookie, and a final GET /api/auth that reports authorized=true with the cookie. * TestWebClientRemoteAccess runs the same session flow from a peer node on the same tailnet against a second target node's web client, exercising netstack interception of incoming :5252 traffic, cross-node WhoIs, and the same-user "owner" path. It then flips the test control server's AllNodesSameUser off, re-logs in the client under a fresh identity, and asserts that GET /api/auth/session/new returns 401 with body "not-owner" -- exercising the cross-user rejection in client/web/auth.go. To make the natlab test environment exercise the same code path as production (check mode, where the web client posts to /machine/webclient/init via Noise and waits on a control-issued auth URL), this also: * Allowlists the natlab fake control hostname "control.tailscale" in client/web/auth.go's controlSupportsCheckMode so the web client follows the check-mode branch rather than the no-check-mode shortcut that immediately marks new sessions authenticated. * Adds /machine/webclient/{init,wait} handlers to testcontrol. init returns a placeholder auth ID and URL; wait returns Complete=true immediately, so the web client's awaitUserAuth resolves on its first call. Together these let the tests drive the full check-mode session lifecycle without a real browser-click loop. 
To support the multi-request HTTP flows from the test harness, this also adds: * vmtest.Env.HTTPGetStatus, a sister of HTTPGet that returns the upstream status code, body, and Set-Cookie cookies (as a vmtest.HTTPResponse) and accepts cookies on the outgoing request, so tests can drive flows that depend on cookie continuity. * Cookie pass-through in cmd/tta's /http-get handler: it forwards the Cookie request header upstream and surfaces upstream Set-Cookie response headers downstream. This is what lets HTTPGetStatus carry a session cookie across requests. Previously the only tests of the web client were in-process httptest-based handler tests in client/web/web_test.go; nothing exercised the actual port 5252 listener wiring, the cross-node auth path, cookie-driven session state transitions through the check-mode control round-trip, or the not-owner rejection end to end. Updates #13038 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> Change-Id: Idb01486a89b53ac02c6ad3358bcfcceca90dbc36 | 2 days ago | |
util/progresstracking: add Ticker, NewWriter, and CountingWriter Add three new helpers to the existing progresstracking package: - Ticker: spawns a 1 Hz goroutine that calls a report function with the current value of an atomic counter and a total. Returns a stop function (safe to call multiple times via sync.OnceFunc) that fires one final report and blocks until the goroutine exits. - NewWriter: wraps an io.Writer and calls onProgress at most once per interval with the cumulative byte count. - CountingWriter: an io.Writer that atomically counts bytes written, for use with Ticker. These will be used by the appliance flash and OTA update code in subsequent commits. Updates #1866 Change-Id: If353cea6506f5351b6fb19bfdb7bc9b78fe7855e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> | 1 day ago | |
| 5 hours ago | ||
Revert "control/controlclient: continue map poll during key expiry to receive extensions" (#20257) * Revert "control/controlclient: continue map poll during key expiry to receive extensions" This reverts commit 6a822dcc36a1abd628ac122d0acfd0e86c3561cd. This commit has caused test failures in the corp repo by unexpectedly changing the login behaviour when nodes have a valid node key. Updates tailscale/corp#43705 Updates #19326 Signed-off-by: Alex Chan <alexc@tailscale.com> * Revert "tsnet: test key extension after server restart" This reverts commit 317201375f92933d43bba86ee8d3590f5e54ab8d. This test relies on changes in 317201375f92933d43bba86ee8d3590f5e54ab8d, which is also being reverted because it causes test failures in corp. Updates tailscale/corp#43705 Updates #19326 Signed-off-by: Alex Chan <alexc@tailscale.com> --------- Signed-off-by: Alex Chan <alexc@tailscale.com> | 6 days ago | |
derp/derphttp: drop dial-only proxy port test Signed-off-by: Martin Zihlmann <martizih@outlook.com> | 1 month ago | |
disco: remove experimental label from BindUDPRelayHandshakeState Updates #cleanup Signed-off-by: Jordan Whited <jordan@tailscale.com> | 3 months ago | |
misc: rename install-git-hooks.go to add-git-hooks.go (#20144) `go run` builds a manifest-less .exe, so Windows applies installer-detection heuristics and requests admin privileges to programs that contain "install", "setup", or "update". Rename to dodge that. Updates #20133 Change-Id: I144d3fcb076d7a02e4a3eb9fd079ee022a035c76 Signed-off-by: Fernando Serboncini <fserb@tailscale.com> | 17 days ago | |
ipn/ipnlocal, drive: stop using netmap.NetworkMap in Taildrive too This applies the same treatment from PR #20162 (netlog) and PR #20171 (wglog) to the local Taildrive filesystem wiring, ending the per-netmap-update O(n) rebuild of the drive remotes list. This moves the O(n peers) taildrive-remote list rebuild from every peer change (which previously happened regardless of whether you were even using taildrive) to instead happen only as needed. That running on every netmap update and was a contributor to the broader quadratic behavior we want to eliminate when a single peer is added or removed. Instead, this introduces drive.RemoteSource, a small interface the Taildrive filesystem pulls from lazily on incoming WebDAV requests, and caches by a generation counter. ipn/ipnlocal installs a driveRemoteSource once at NewLocalBackend time and bumps LocalBackend.driveGen on the three events that can actually flip the drive-capable peer set: full netmap installs (domain + self caps), UpdateNetmapDelta (peer add/remove or per-peer address changes), and updatePacketFilter (since PeerCapability values are derived from the packet filter rules, not from peer.CapMap). The hook itself is kept but narrowed: it no longer takes a *netmap.NetworkMap and its only remaining job is to re-notify IPN bus listeners of the current local shares list on full installs. This is a dependency to removing the netmap.NetworkMap type from upstream callers, like wgengine.Engine in general. (Also add a bunch more tests) Updates #12542 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> Change-Id: I7e3d2f5b4a9c8e1d6f0a3b7c9e2d4f8a1b6c5e9d | 9 days ago | |
envknob/logknob: remove unused package (#19515) Added in 2023 and appears to be unused. Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com> | 2 months ago | |
| 4 hours ago | ||
| 5 hours ago | ||
all: don't repeat the the word "the" unnecessarily Updates #cleanup Change-Id: Ic1f430cd5dbf6cc1a385c59074a5d5cabe6fca57 Signed-off-by: Alex Chan <alexc@tailscale.com> | 14 days ago | |
clientupdate, cmd/tailscale: verify signed GAFs, wire up tailscale update for Gokrazy Builds on top of the unsigned URL-based GAF update flow added previously (see referenced issue for context). The pkgs.tailscale.com server now publishes signed GAFs for the unstable track, with detached ed25519 signatures produced by pkgsign's signdist path (the same distsign scheme used for every other release artifact). This change consumes them. The URL-based path (tailscale update --gokrazy-update-from-url=URL) now verifies the signature by default using clientupdate/distsign.Client, which fetches distsign.pub from the root of the host serving the GAF and checks the .sig against the root keys embedded in this binary. The --unsigned flag stays for TestGokrazyUpdatesItselfToSameImage, whose in-test fileserver does not publish distsign.pub. The bare tailscale update path is now wired up for the Tailscale appliance image. It fetches <pkgs>/<track>/?mode=json, picks the GAF whose key matches the local device (vm-amd64, vm-arm64, or pi-arm64, where arm64 is split via /sys/firmware/devicetree/base/model), confirms the version with the user, and reuses the verified download path above. To avoid wiping a user's custom Gokrazy build that happens to include tailscaled, the bare update path is gated on hostinfo.Package == "tsapp", which is only set when the new ts_appliance build tag is present (mirroring the existing ts_package_container tag). The gokrazy/tsapp*/config.json files now pass GoBuildTags ["ts_appliance"] for the tailscale and tailscaled packages so monogok bakes the tag into the official appliance builds. The TS_FORCE_ALLOW_TSAPP_UPDATE env var is an escape hatch for callers who want to force the appliance update path on a non-appliance build. The URL-based path stays ungated since it requires explicit user intent (and is exercised by the natlab vmtest). 
Updates #20002 Change-Id: I7c7856a88bf3dffb9eb8d3e9111fad0b3906743c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> | 2 days ago | |
ipn/ipnlocal: fix reporting of active ipnext extensions We borked this in 30a89ad3781aa99ee8b92e1ecfdab0f90034a02c and started including skipped extensions (e.g., conn25 when TAILSCALE_USE_WIP_CODE != 1) in the list of active ones. This doesn't have any impact other than on logging, though. Updates #cleanup Signed-off-by: Nick Khyl <nickk@tailscale.com> | 23 hours ago | |
cmd/{containerboot,k8s-operator}: add 4via6 support in singleton egress (#19983) Add support for configuring egress to destinations reachable via 4via6 subnet routes, using either the synthesized 4via6 address or the MagicDNS name (in the form <IPv4-with-hyphens>-via-<siteID>[.*]). Also update the Connector to validate and advertise 4via6 subnet routes. Export net/netutil.ValidateViaPrefix so it can be reused by the Connector validation logic. This change only affects standalone egress proxies — ProxyGroup egress requires IPv6 support before it can use 4via6. Updates #19334 Change-Id: I6faecd6eb61ab55fc0cd97fe417af6b6a12fe7fc Signed-off-by: Becky Pauley <becky@tailscale.com> | 14 days ago | |
kube/certs: use Let's Encrypt's recommended retry schedule (#20292) Replace the doubling backoff (1m, 2m, 4m, ...) with LE's recommended 1m, 10m, 100m, daily. The old schedule burned retry attempts inside the rate-limit window without speeding recovery. Updates #20288 Updates #19895 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk> | 1 day ago | |
licenses: update license notices Signed-off-by: License Updater <noreply+license-updater@tailscale.com> | 23 minutes ago | |
cmd/tailscale/cli: fix time in `tailscale routecheck` (#19956) When running `tailscale netcheck`, the reported timestamp used to be in UTC and formatted according to RFC 3339 with a `T` to separate the date from the time: sfllaw@h2co3:~$ tailscale netcheck | head -n3 Report: * Time: 2026-06-01T21:12:32.252620138Z This is machine-readable time leaking out to the user interface. Times in normal commands are formatted for humans to read: sfllaw@h2co3:~$ date Mon 01 Jun 2026 02:39:14 PM PDT sfllaw@h2co3:~$ journalctl -t tailscaled | tail -n1 Jun 01 14:35:21 h2co3 tailscaled[3328921]: wgengine: sending TSMP disco key advertisement to 100.90.144.102 sfllaw@h2co3:~$ timedatectl show Timezone=America/Los_Angeles LocalRTC=no CanNTP=yes NTP=yes NTPSynchronized=yes TimeUSec=Mon 2026-06-01 14:38:32 PDT RTCTimeUSec=Mon 2026-06-01 14:38:32 PDT sfllaw@h2co3:~$ uptime --since 2026-05-15 07:37:45 This PR makes the times printed by the CLI commands consistent: - For `tailscale routecheck`, it now prints local time as `2026-05-15 07:37:45-07:00`. - For `netlogfmt`, it has always printed local time with a space, but now includes the time zone. - All machine-readable outputs continue to be standard RFC 3339 in UTC, i.e. `--format=json`. As part of a general cleanup, this PR also adds standard common time.Format layouts as tstime constants. Fixes #19928 Signed-off-by: Simon Law <sfllaw@tailscale.com> | 30 days ago | |
logpolicy,tsnet: remove syspolicy dependency tsnet depends on logpolicy, which in turn depended on util/syspolicy because of a single LogTarget policy setting it uses. In this commit, we replace that dependency with a feature.Hook, which only tailscaled or its platform-specific alternatives should set. Updates #20031 Signed-off-by: Nick Khyl <nickk@tailscale.com> | 27 days ago | |
cmd/vet/lowerell, drive/driveimpl: forbid variables named "l" or "I" Add a new vet checker that rejects variables, parameters, named return values, receivers, range/type-switch bindings, type parameters, struct fields, and constants named "l" (lowercase ell) or "I" (uppercase i). Both are hard to distinguish from the digit "1" and from each other in too many fonts. Rename the two pre-existing struct fields named "l" (both of type net.Listener) in drive/driveimpl/drive_test.go to "ln", matching the convention used elsewhere for net.Listener locals. Rename the test-fixture struct fields "I" (single int label) to "Int" in metrics/multilabelmap_test.go and util/deephash/deephash_test.go, preserving the "first letters of types" convention used alongside neighboring fields like I8/I16/U/U8. Also teach pkgdoc_test.go to skip testdata/ directories, which the go tool ignores; they are not real packages. Fixes #19631 Change-Id: I71ad2fa990705f7a070406ebcdb8cefa7487d849 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> | 1 month ago | |
net/dns: simplify split DNS compile path Cache the OS split-DNS capability while compiling DNS config and return directly for split-capable platforms that do not need the Apple base-config workaround. This removes the base-config sentinel pointer and keeps the iOS and sandboxed macOS fallback path explicit. Updates #1338 Change-Id: I836417c8fa775b35d3be9bc80cf6841d30cec222 Signed-off-by: Maisem Ali <maisem@bold.dev> | 2 hours ago | |
all: remove AUTHORS file and references to it This file was never truly necessary and has never actually been used in the history of Tailscale's open source releases. A Brief History of AUTHORS files --- The AUTHORS file was a pattern developed at Google, originally for Chromium, then adopted by Go and a bunch of other projects. The problem was that Chromium originally had a copyright line only recognizing Google as the copyright holder. Because Google (and most open source projects) do not require copyright assignemnt for contributions, each contributor maintains their copyright. Some large corporate contributors then tried to add their own name to the copyright line in the LICENSE file or in file headers. This quickly becomes unwieldy, and puts a tremendous burden on anyone building on top of Chromium, since the license requires that they keep all copyright lines intact. The compromise was to create an AUTHORS file that would list all of the copyright holders. The LICENSE file and source file headers would then include that list by reference, listing the copyright holder as "The Chromium Authors". This also become cumbersome to simply keep the file up to date with a high rate of new contributors. Plus it's not always obvious who the copyright holder is. Sometimes it is the individual making the contribution, but many times it may be their employer. There is no way for the proejct maintainer to know. Eventually, Google changed their policy to no longer recommend trying to keep the AUTHORS file up to date proactively, and instead to only add to it when requested: https://opensource.google/docs/releasing/authors. They are also clear that: > Adding contributors to the AUTHORS file is entirely within the > project's discretion and has no implications for copyright ownership. It was primarily added to appease a small number of large contributors that insisted that they be recognized as copyright holders (which was entirely their right to do). 
But it's not truly necessary, and not even the most accurate way of identifying contributors and/or copyright holders. In practice, we've never added anyone to our AUTHORS file. It only lists Tailscale, so it's not really serving any purpose. It also causes confusion because Tailscalars put the "Tailscale Inc & AUTHORS" header in other open source repos which don't actually have an AUTHORS file, so it's ambiguous what that means. Instead, we just acknowledge that the contributors to Tailscale (whoever they are) are copyright holders for their individual contributions. We also have the benefit of using the DCO (developercertificate.org) which provides some additional certification of their right to make the contribution. The source file changes were purely mechanical with: git ls-files | xargs sed -i -e 's/\(Tailscale Inc &\) AUTHORS/\1 contributors/g' Updates #cleanup Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com> | 5 个月前 | |
portlist: also tb.Skip benchmarks (not just tests) on bad Linux kernels Updates #16966 Change-Id: I0269927bdf8e6c4e949fcf755ce7e5fd21386d7d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> | 4 months ago | |
posture: add HealthTracker for serial number retrieval (#19181) Device posture checking can fail while enabled if tailscaled does not have access to smbios. Previously, this was only observable by looking in the tailscaled logs. Fixes tailscale/corp#39314 Signed-off-by: Evan Lowry <evan@tailscale.com> | 2 months ago | |
prober: deflake TestHTTPBandwidth The test transferred only 64 KiB over loopback, which can complete within a single clock tick on fast CI machines, causing time.Since(start).Seconds() to return 0 and the "transfer_time_seconds_total > 0" assertion to fail. Increase the payload to 1 MiB so zero is genuinely implausible, and retry up to 3 additional times. If the metric is still zero after 4 total attempts, fail hard — at that size it means the timing logic is actually broken. Fixes #20213 Change-Id: I3fab510ce8c567506fea5ad803d35acf40d65700 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> | 9 days ago | |
release/dist/synology: add GOARM=7,softfloat mode for hi3535 Fixes #6860 Change-Id: I36f3101e75dab35d03e76693555ac93da893f8d5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> | 1 month ago | |
safesocket, ipn/ipnserver: use PeerCreds on solaris and illumos Updates tailscale/peercred#10 Signed-off-by: Nahum Shalman <nahamu@gmail.com> | 3 months ago | |
all: don't repeat the the word "the" unnecessarily Updates #cleanup Change-Id: Ic1f430cd5dbf6cc1a385c59074a5d5cabe6fca57 Signed-off-by: Alex Chan <alexc@tailscale.com> | 14 days ago | |
scripts/installer.sh: update KDE Linux link (#19857) Signed-off-by: Yago Raña Gayoso <yago.rana.gayoso@gmail.com> | 1 month ago | |
sessionrecording: close idle connections after upload If we don't close the connection between SSH server and recorder explicitly once it's idle after the upload stream is closed, the connection stays open and holds on to a port on the server. This leads to port exhaustion on the server in the medium to long run. To avoid this, close the idle connections explicitly. As an extra step of precaution, set an idleConnTimeout of 30 seconds on both the HTTP1 and HTTP2 recorder clients. Updates tailscale/corp#43742 Signed-off-by: Gesa Stupperich <gesa@tailscale.com> | 13 days ago | |
ssh/tailssh: disallow purely numeric usernames for SSH Disallow purely numeric usernames for SSH as these are ambiguous with numeric UID values. Updates https://github.com/tailscale/corp/issues/43245 Signed-off-by: Mario Minardi <mario@tailscale.com> | 20 days ago | |
cmd/vet: add subtestnames analyzer; fix all existing violations Add a new vet analyzer that checks t.Run subtest names don't contain characters requiring quoting when re-running via "go test -run". This enforces the style guide rule: don't use spaces or punctuation in subtest names. The analyzer flags: - Direct t.Run calls with string literal names containing spaces, regex metacharacters, quotes, or other problematic characters - Table-driven t.Run(tt.name, ...) calls where tt ranges over a slice/map literal with bad name field values Also fix all 978 existing violations across 81 test files, replacing spaces with hyphens and shortening long sentence-like names to concise hyphenated forms. Updates #19242 Change-Id: Ib0ad96a111bd8e764582d1d4902fe2599454ab65 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> | 2 months ago | |
tailcfg,net/routecheck: add NodeAttrClientSideReachabilityRouteCheck (#20169) This patch adds a new `client-side-reachability-routecheck` node attribute to allow admins to selectively enable background routecheck probing on trial nodes. The current implementation is still experimental. It adds the routecheck.IsEnabled helper to check for the new `client-side-reachability-routecheck` node attribute alongside the existing `client-side-reachability` node attribute in this node’s self capabilities. This allows administrators to turn on and off this feature by editing the policy file. It adds the `TS_DEBUG_FORCE_CLIENT_SIDE_REACHABILITY_ROUTECHECK` environment variable which can be set to override the policy file. When set to `true`, it forcibly enables this feature. And when set to `false`, it forcibly disables it. Updates #17366 Updates tailscale/corp#33033 Signed-off-by: Simon Law <sfllaw@tailscale.com> | 6 days ago | |
misc/genreadme,tempfork/pkgdoc,tsnet: generate README.md files from godoc Adds a CI check to keep opted-in directories' README.md files in sync with their package godoc. For now tsnet (and its sub-packages under tsnet/example) is the only opted-in tree. The list of directories lives in misc/genreadme/genreadme.go as defaultRoots, so CI and humans both just run `./tool/go run ./misc/genreadme` with no arguments. The check piggybacks on the existing go_generate job in test.yml and fails if any README.md is out of date, pointing the user at the same command. Along the way: - tempfork/pkgdoc now emits Markdown instead of plain text: headings become level-2 with no {#hdr-...} anchors, and [Symbol] doc links resolve to pkg.go.dev URLs, including for symbols in the current package (which the default Printer would otherwise emit as bare #Name fragments with no backing anchor in a README). Parsing no longer uses parser.ImportsOnly, so doc.Package knows the package's symbols and can resolve [Symbol] links at all. - genreadme also emits a pkg.go.dev Go Reference badge at the top of a library package's README; suppressed for package main. - tsnet/tsnet.go's package godoc is expanded in idiomatic godoc syntax — [Type], [Type.Method], reference-style [link]: URL definitions — rather than Markdown-flavored [text](url) or backtick-quoted identifiers, so that both pkg.go.dev and the generated README.md render cleanly from a single source. Fixes #19431 Fixes #19483 Fixes #19470 Change-Id: I8ca37e9e7b3bd446b8bfa7a91ac548f142688cb1 Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com> Signed-off-by: Walter Poupore <walterp@tailscale.com> Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> | 2 months ago | |
tka: use a named constant to tidy up sig_test.go Updates #cleanup Change-Id: Ib6ff2e678670ecc001207a0b8be02b035958cb88 Signed-off-by: Alex Chan <alexc@tailscale.com> | 21 days ago | |
tool/gocross: retry downloading Go three times Occasionally CI jobs will flake because downloading from GitHub fails. Allow retrying up to 3 times to reduce CI flakiness. Updates #cleanup Change-Id: Ib019e89ac74b81d78f71a40099b20ff60014a81f Signed-off-by: Alex Chan <alexc@tailscale.com> | 6 days ago | |
all: migrate code off Notify.NetMap to Notify.SelfChange Move tailscaled's in-tree reactive users from of IPN bus Notify.NetMap updates to the narrower Notify.SelfChange signal introduced earlier in this series. Consumers that need additional state (peers, DNS config, etc.) fetch it on demand via the LocalAPI. It is a step toward the larger goal of not fanning Notify.NetMap out to every bus watcher on Linux/non-GUI hosts. A future change stops sending Notify.NetMap entirely on Linux and non-GUI platforms. (eventually once macOS/iOS/Windows migrate to the upcoming new Notify APIs, we'll remove ipn.Notify.NetMap entirely) Updates #12542 Change-Id: I51ea9d86bdca1909d6ac0e7d5bd3934a3a4e8516 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> | 2 months ago | |
ipn/ipnlocal, cmd/tailscale/cli: auto-renew TLS certs and warn while pending The Tailscale daemon only refreshed TLS certs as a side effect of inbound TLS handshakes or "tailscale cert" CLI calls. A node that doesn't see inbound traffic during the renewal window silently rolls past expiry. Add a once-per-hour background loop on LocalBackend that enumerates Serve and Funnel HTTPS hostnames (filtered against the netmap's CertDomains so we don't poke ACME for other nodes' service hostnames) and calls the existing GetCertPEM path. The renewal decision (ARI window, then 2/3 expiry fallback) is unchanged; the loop just guarantees it runs. For visibility during initial issuance or restart with a long-expired cached cert, add a "tls-cert-pending" health Warnable that's set while ACME is in flight and no usable cached cert exists. Async renewal of a still-valid cert intentionally doesn't fire it. And then make the CLI "cert" subcommand print out a warning if it's blocking due to a cert fetch in flight, using that health info. Fixes #19911 Fixes #19912 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> Change-Id: I144e46c40e957b2e879587decace32a523a6eade | 30 days ago | |
ipn/ipnlocal,tsd: add NoiseRoundTripper to tsd.Sys Adds a new NoiseRoundTripper field to tsd.Sys to expose an http.RoundTripper to make requests over the control plane Noise connection. This will be used in PAM use cases soon. Updates tailscale/corp#41800 Signed-off-by: Adriano Sela Aviles <adriano@tailscale.com> | 1 month ago | |
cmd/tailscaled, util/syspolicy: add JSON syspolicy file support Tailscaled had no way to seed device-scope syspolicy settings short of environment variables or a custom store wired up out of tree. Add a --syspolicy-file flag whose default points at a well-known JSON file that, when present, is parsed as a map[string]any and registered as a device-scope policy source. The default path is /etc/tailscale/syspolicy.json on every non-Windows platform (Linux, the BSDs, illumos/Solaris, and tailscaled-without-the-GUI on macOS) and %ProgramData%\Tailscale\syspolicy.json on Windows. The flag lets users running tailscaled by hand (development, custom installs) point it at an alternate file, and "" disables the load entirely. JSON values map to setting types as expected: strings to StringValue/PreferenceOptionValue/VisibilityValue/DurationValue (e.g. "24h" parsed by time.ParseDuration), booleans to BooleanValue, numbers to IntegerValue, and string arrays to StringListValue. The file is validated against the registered setting definitions at load time so unknown keys and value/type mismatches fail startup loudly rather than producing surprising defaults at first read. When HuJSON support is linked into the build (default; opt out with ts_omit_hujsonconf), the file may use HuJSON (comments, trailing commas). With ts_omit_hujsonconf it must be pure standard JSON. This mirrors the pattern used by ipn/conffile. On Windows the JSON file and the existing HKLM registry store both register at DeviceScope. rsop merges later-registered same-scope sources over earlier ones, so per-key values in the file override the registry while keys absent from the file fall back to the registry. The loader is registered via a feature.Hook from a file gated by !ts_omit_syspolicy, and called from main after flag parsing. tsnet still does not depend on the root syspolicy package, so embedders don't pick this up implicitly. 
Fixes #20305 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> Change-Id: Ie6326461c14efb226979ac162998a9c6373ce493 | 2 days ago | |
cmd/tailscale/cli: fix time in `tailscale routecheck` (#19956) When running `tailscale netcheck`, the reported timestamp used to be in UTC and formatted according to RFC 3339 with a `T` to separate the date from the time: sfllaw@h2co3:~$ tailscale netcheck | head -n3 Report: * Time: 2026-06-01T21:12:32.252620138Z This is machine-readable time leaking out to the user interface. Times in normal commands are formatted for humans to read: sfllaw@h2co3:~$ date Mon 01 Jun 2026 02:39:14 PM PDT sfllaw@h2co3:~$ journalctl -t tailscaled | tail -n1 Jun 01 14:35:21 h2co3 tailscaled[3328921]: wgengine: sending TSMP disco key advertisement to 100.90.144.102 sfllaw@h2co3:~$ timedatectl show Timezone=America/Los_Angeles LocalRTC=no CanNTP=yes NTP=yes NTPSynchronized=yes TimeUSec=Mon 2026-06-01 14:38:32 PDT RTCTimeUSec=Mon 2026-06-01 14:38:32 PDT sfllaw@h2co3:~$ uptime --since 2026-05-15 07:37:45 This PR makes the times printed by the CLI commands consistent: - For `tailscale routecheck`, it now prints local time as `2026-05-15 07:37:45-07:00`. - For `netlogfmt`, it has always printed local time with a space, but now includes the time zone. - All machine-readable outputs continue to be standard RFC 3339 in UTC, i.e. `--format=json`. As part of a general cleanup, this PR also adds standard common time.Format layouts as tstime constants. Fixes #19928 Signed-off-by: Simon Law <sfllaw@tailscale.com> | 30 days ago | |
ipn: remove the last traces of Prefs.AllowSingleHosts We stopped reading this field nearly two years ago, with a TODO comment to remove it sometime in 2025. It is now 2026. Updates #12058 Change-Id: I8ddf1c2e4c3c428e8d45a6491d3899368ec52c30 Signed-off-by: Alex Chan <alexc@tailscale.com> | 6 days ago | |
util/progresstracking: add Ticker, NewWriter, and CountingWriter Add three new helpers to the existing progresstracking package: - Ticker: spawns a 1 Hz goroutine that calls a report function with the current value of an atomic counter and a total. Returns a stop function (safe to call multiple times via sync.OnceFunc) that fires one final report and blocks until the goroutine exits. - NewWriter: wraps an io.Writer and calls onProgress at most once per interval with the cumulative byte count. - CountingWriter: an io.Writer that atomically counts bytes written, for use with Ticker. These will be used by the appliance flash and OTA update code in subsequent commits. Updates #1866 Change-Id: If353cea6506f5351b6fb19bfdb7bc9b78fe7855e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> | 1 day ago | |
cmd/tailscaled, version/distro: default to userspace-networking on Crostini cros-garcon NULL-derefs on cold-boot netlink enumeration when tailscale0 is present, preventing the Crostini container and ChromeOS Terminal from starting cleanly. This is an upstream ChromiumOS bug in cros-garcon; tailscaled can work around it by defaulting to userspace-networking mode on Crostini. Tailscale SSH continues to work via tailscaled's netstack. Users can override with --tun=tailscale0 on ChromeOS builds where cros-garcon is fixed. Crostini is detected via /opt/google/cros-containers/bin/garcon, which is present in every Crostini penguin container. ssh/tailssh extends the existing Debian default-PATH case to cover Crostini, since Crostini is Debian-based and benefits from the same SSH PATH defaults. RELNOTE: Crostini now defaults to userspace-networking. Fixes #19488 Updates #12090 Signed-off-by: ferrumclaudepilgrim <ferrumclaudepilgrim@users.noreply.github.com> | 30 days ago | |
wf: allow limited broadcast to/from permitted interfaces when using an exit node on Windows Similarly to allowing link-local multicast in #13661, we should also allow broadcast traffic on permitted interfaces when the killswitch is enabled due to exit node usage on Windows. This always includes internal interfaces, such as Hyper-V/WSL2, and also the LAN when "Allow local network access" is enabled in the client. Updates #18504 Signed-off-by: Nick Khyl <nickk@tailscale.com> | 5 months ago | |
wgengine/magicsock: fix data race in TestNetworkSendErrors (#20261) `TestNetworkSendErrors/network-down` causes a data race because it tried to `tstest.Replace` the `checkNetworkDownDuringTests` global while `wgengine.Conn.networkDown` would read from it. This patch moves this flag into a field within the `wgengine.Conn` struct, so there’s no chance that two tests could trample on each other. It also renames this field to `Conn.checkNetworkUpDuringTests`, because `Conn.networkUp` is the name of the field that gets checked. Fixes #20260 Signed-off-by: Simon Law <sfllaw@tailscale.com> | 3 days ago | |
wif: add AWS ecs for autogenerated OIDC tokens Adds the ability to detect when running on AWS ECS and fetch tokens from the ECS metadata endpoints in addition to IMDSv2 Fixes #18909 Signed-off-by: Patrick Guinard <patrick@public.com> | 3 months ago | |
words: add "cat" to scales.txt (#20106) Updates #words Signed-off-by: aspyn ect <96669439+aspynect@users.noreply.github.com> | 20 days ago | |
.gitattributes: explicitly mark text files as such with eol I'm not keen on us having to deal with the bad side effects of the autocrlf default, but alas, if it makes things easier. Fixes #16175 Closes #16176 Signed-off-by: James Tucker <james@tailscale.com> | 9 days ago | |
| 5 hours ago | ||
.golangci.yml: enforce gliderssh import alias via importas linter Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> | 2 months ago | |
.policy.yml: tweak policy after testing The override comment didn't work as expected. (I'll be updating the policytest package to handle this) Updates tailscale/corp#13972 Change-Id: Ic5c16eed09c8cb5fa8dab37d43cf05f8dfa75d49 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> | 6 days ago | |
Add .stignore for syncthing (#18540) This symlink tells syncthing to ignore stuff that's in .gitignore. Updates https://github.com/tailscale/corp/issues/36250 Signed-off-by: Andrew Lytvynov <awly@tailscale.com> | 5 months ago | |
docker: bump alpine v3.19 -> 3.22 (#17155) Updates #15328 Change-Id: Ib33baf8756b648176dce461b25169e079cbd5533 Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com> | 9 months ago | |
CODEOWNERS,.policy.yml: replace CODEOWNERS with a policy-bot policy GitHub's built-in CODEOWNERS only supports a hard "block until a team member reviews" rule, with no way to leave an audit trail when the requirement is intentionally bypassed. Move review enforcement to palantir/policy-bot (https://github.com/palantir/policy-bot) running at https://policybot.corp.ts.net, which lets us express the same tailcfg/ -> control-protocol-owners rule plus an explicit override: any other @tailscale/dev member can post policybot-override: <reason> as a PR comment and that comment counts as their approval, with the reason recorded in the PR conversation as a permanent audit trail. CODEOWNERS is kept as a one-screen comment so anyone landing on it expecting the old behavior is directed to .policy.yml. Updates tailscale/corp#13972 Change-Id: I2dc3619c498d4c4a6decae29aa123f6d67905eed Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> | 6 days ago | |
CODE_OF_CONDUCT.md: update code of conduct Updates #cleanup Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com> | 7 months ago | |
go.toolchain.branch: switch to Go 1.26 Updates #18682 Change-Id: I1eadfab950e55d004484af880a5d8df6893e85e8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> | 3 months ago | |
all: remove AUTHORS file and references to it This file was never truly necessary and has never actually been used in the history of Tailscale's open source releases. A Brief History of AUTHORS files --- The AUTHORS file was a pattern developed at Google, originally for Chromium, then adopted by Go and a bunch of other projects. The problem was that Chromium originally had a copyright line only recognizing Google as the copyright holder. Because Google (and most open source projects) do not require copyright assignemnt for contributions, each contributor maintains their copyright. Some large corporate contributors then tried to add their own name to the copyright line in the LICENSE file or in file headers. This quickly becomes unwieldy, and puts a tremendous burden on anyone building on top of Chromium, since the license requires that they keep all copyright lines intact. The compromise was to create an AUTHORS file that would list all of the copyright holders. The LICENSE file and source file headers would then include that list by reference, listing the copyright holder as "The Chromium Authors". This also become cumbersome to simply keep the file up to date with a high rate of new contributors. Plus it's not always obvious who the copyright holder is. Sometimes it is the individual making the contribution, but many times it may be their employer. There is no way for the proejct maintainer to know. Eventually, Google changed their policy to no longer recommend trying to keep the AUTHORS file up to date proactively, and instead to only add to it when requested: https://opensource.google/docs/releasing/authors. They are also clear that: > Adding contributors to the AUTHORS file is entirely within the > project's discretion and has no implications for copyright ownership. It was primarily added to appease a small number of large contributors that insisted that they be recognized as copyright holders (which was entirely their right to do). 
But it's not truly necessary, and not even the most accurate way of identifying contributors and/or copyright holders. In practice, we've never added anyone to our AUTHORS file. It only lists Tailscale, so it's not really serving any purpose. It also causes confusion because Tailscalars put the "Tailscale Inc & AUTHORS" header in other open source repos which don't actually have an AUTHORS file, so it's ambiguous what that means. Instead, we just acknowledge that the contributors to Tailscale (whoever they are) are copyright holders for their individual contributions. We also have the benefit of using the DCO (developercertificate.org) which provides some additional certification of their right to make the contribution. The source file changes were purely mechanical with: git ls-files | xargs sed -i -e 's/\(Tailscale Inc &\) AUTHORS/\1 contributors/g' Updates #cleanup Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d Signed-off-by: Will Norris <will@tailscale.com> | 5 个月前 | |
Move Linux client & common packages into a public repo. | 6 years ago | |
README: update the version of Go in the README (#19168) Updates #18682 Signed-off-by: Evan Lowry <evan@tailscale.com> | 3 months ago | |
Add a SECURITY.md for vulnerability reports. Signed-off-by: David Anderson <dave@natulte.net> | 6 years ago | |
VERSION.txt: this is v1.101.0 (#19992) Signed-off-by: croakerbcts <christopher@tailscale.com> | 29 days ago | |
{api.md,publicapi}: remove old API docs (#13468) Now that we have our API docs hosted at https://tailscale.com/api we can remove the previous (and now outdated) markdown based docs. The top level api.md has been left with the only content being the redirect to the new docs. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com> | 1 year ago | |
.: permit running binary built with TS_GO_NEXT=1 The old check was too aggressive and required TS_GO_NEXT=1 at runtime as well, which is too strict and onerous. This is a sanity check only (and an outdated one, at that); it's okay for it to be slightly loose and permit two possible values. If either is working, we're already way past the old bug that this was introduced to catch. Updates tailscale/corp#36382 Change-Id: Ib9a62e10382cd889ba590c3539e6b8535c6b19fe Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> | 4 months ago | |
Add --strip option to build_dist Add support for --strip option to strip symbols. Building a rather custom binary with custom flags needs some additional work, and thought to contribute this back up. Signed-off-by: Jamie Sinn <james.sinn@sinndevelopment.com> | 30 days ago | |
docker: add riscv64 to container image architectures Add riscv64 to the GOARCH list passed to mkctr for all Docker image builds. Go already cross-compiles for riscv64, so this just adds the architecture to the container manifest. Updates #17812 Signed-off-by: Bruno Verachten <gounthar@gmail.com> | 3 months ago | |
util/cibuild, cache_key_test: skip TestTsgoRevInCacheKey outside Tailscale CI cibuild.On() returns true for any CI environment that sets CI=true, including Alpine Linux's package build CI. TestTsgoRevInCacheKey was guarded by cibuild.On() (or use of tsgo), so it ran under Alpine's CI with stock Go, where go.toolchain.rev isn't blended into build cache keys, and unsurprisingly failed. Add cibuild.OnTailscaleCI, which keys off GITHUB_REPOSITORY_OWNER to distinguish tailscale/tailscale's own GitHub Actions CI from arbitrary downstream CI, and use it in TestTsgoRevInCacheKey. Fixes #19754 Change-Id: Id31cfe71903a235f1460dca1e2fdf334e3ba1ee5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> | 1 month ago | |
nix: update flakes to get a nixpkgs version with go 1.26 We override 1.26, but it's not in the old commit we are tracking. Updates #18682 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> | 3 months ago | |
go.mod: update ts-gokrazy for local dev workflow Update ts-gokrazy to b83088f which includes: - Skip hardware watchdog when nowatchdog is on kernel cmdline - gokrazy.log_to_serial=1 tees service logs to /dev/console - Fix /etc/resolv.conf symlink (point at /tmp/resolv.conf where userspace DHCP writes, not /proc/net/pnp which is always empty) All these things are more emulating a Raspberry Pi in qemu when doing local development of the appliance image. Updates #1866 Change-Id: Iba7847e5deb237b1e485b74a4126e31fd118333a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> | 22 hours ago | |
go.toolchain.branch: switch to Go 1.26 Updates #18682 Change-Id: I1eadfab950e55d004484af880a5d8df6893e85e8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> | 3 months ago | |
tool/gocross, pull-toolchain.sh: support a "next" Go toolchain When TS_GO_NEXT=1 is set, update/use the go.toolchain.next.{branch,rev} files instead. This lets us do test deploys of Go release candidates on some backends, without affecting all backends. Updates tailscale/corp#36382 Change-Id: I00dbde87b219b720be5ea142325c4711f101a364 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> | 5 months ago | |
go.toolchain.rev: bump to Go 1.26.4 Updates https://github.com/tailscale/corp/issues/42772 Updates https://github.com/tailscale/tailscale/issues/19982 Signed-off-by: Mario Minardi <mario@tailscale.com> | 29 days ago | |
cmd/vet/lowerell, drive/driveimpl: forbid variables named "l" or "I" Add a new vet checker that rejects variables, parameters, named return values, receivers, range/type-switch bindings, type parameters, struct fields, and constants named "l" (lowercase ell) or "I" (uppercase i). Both are hard to distinguish from the digit "1" and from each other in too many fonts. Rename the two pre-existing struct fields named "l" (both of type net.Listener) in drive/driveimpl/drive_test.go to "ln", matching the convention used elsewhere for net.Listener locals. Rename the test-fixture struct fields "I" (single int label) to "Int" in metrics/multilabelmap_test.go and util/deephash/deephash_test.go, preserving the "first letters of types" convention used alongside neighboring fields like I8/I16/U/U8. Also teach pkgdoc_test.go to skip testdata/ directories, which the go tool ignores; they are not real packages. Fixes #19631 Change-Id: I71ad2fa990705f7a070406ebcdb8cefa7487d849 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> | 1 month ago | |
tool/updateflakes, cmd/nardump: replace update-flake.sh with Go tool Consolidate go.mod.sri and go.toolchain.rev.sri into a single flakehashes.json file at the repo root, owned by a new Go program at tool/updateflakes. The JSON is consumed by flake.nix via builtins.fromJSON and by any future Go code via the FlakeHashes struct that defines its schema. Each block records its input fingerprint alongside the SRI it produced: the goModSum (a sha256 over go.mod and go.sum) for the vendor block, and the literal rev string from go.toolchain.rev for the toolchain block. updateflakes regenerates a block only when its recorded fingerprint disagrees with the current input. Doing the gating by content rather than file mtimes avoids the usual mtime hazards across git checkouts, clones, and merges. It also means re-runs with no input changes are essentially free, and a re-run that touches only one input pays only for that one block. The two blocks have no shared state -- vendor invokes go mod vendor into one tempdir, toolchain fetches and extracts a tarball into another -- so they run concurrently via errgroup. Cold time is bounded by the slower of the two rather than their sum. Also takes the opportunity to fold the toolchain fetch into a single curl|tar pipeline (no intermediate .tar.gz on disk). Split cmd/nardump into a thin package main and a new package nardump library at cmd/nardump/nardump that holds the NAR encoder and SRI helper. tool/updateflakes imports the library directly rather than building and exec'ing the nardump binary at runtime. The library uses fs.ReadLink (Go 1.25+) instead of os.Readlink, so it no longer requires the caller to chdir into the FS root for symlink targets to resolve. WriteNAR now wraps its writer in a bufio.Writer internally (unless the caller already passed one) and flushes on return, so callers don't pay for tiny writes against slow underlying writers. The cache-busting line in flake.nix and shell.nix is known to live at end of file, so updateCacheBust walks the lines in reverse. make tidy timings on this machine, before: ~14s every run. After: warm (no input changes): 0.05s vendor block stale only: 1.4s toolchain block stale only: 5.0s cold (no flakehashes.json): 5.0s Updates #6845 Change-Id: I0340608798f1614abf147a491bf7c68a198a0db4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> | 2 months ago | |
all: cleanup unused code, part 2 (#10670) And enable U1000 check in staticcheck. Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com> | 2 years ago | |
cmd/printdep: add --next flag to use rc Go build hash instead Updates tailscale/corp#36382 Change-Id: Ib7474b0aab901e98f0fe22761e26fd181650743c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> | 5 months ago | |
Tailscale
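Private WireGuard® networks made easy
Overview
This repository contains the majority of Tailscale's open source code. Notably, it includes the tailscaled daemon and the tailscale CLI tool. The tailscaled daemon runs on Linux, Windows and macOS, and to varying degrees on FreeBSD and OpenBSD. The Tailscale iOS and Android apps use this repo's code, but this repo doesn't contain the mobile GUI code.
Other Tailscale repos of note:
- the Android app is at https://github.com/tailscale/tailscale-android
- the Synology package is at https://github.com/tailscale/tailscale-synology
- the QNAP package is at https://github.com/tailscale/tailscale-qpkg
- the Chocolatey packaging is at https://github.com/tailscale/tailscale-chocolatey
For background on which parts of Tailscale are open source and why, see https://tailscale.com/opensource/.
Using
We serve packages for a variety of distros and platforms at https://pkgs.tailscale.com.
Other clients
The macOS, iOS, and Windows clients use the code in this repository but additionally include small GUI wrappers. The GUI wrappers on non-open source platforms are themselves not open source.
Building
We always require the latest Go release, currently Go 1.26. (While we build releases with our Go fork, its use is not required.)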
go install tailscale.com/cmd/tailscale{,d}
If you're packaging Tailscale for distribution, use build_dist.sh instead, so that the commit ID and version info are embedded in the binaries:
./build_dist.sh tailscale.com/cmd/tailscale
./build_dist.sh tailscale.com/cmd/tailscaled
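If your distro has conventions that preclude the use of build_dist.sh, please do the equivalent of what it does in your distro's way, so that bug reports contain useful version information.
Bugs
Please file any issues about this code or the hosted service on the issue tracker.
Contributing
PRs welcome! But please file bugs first. Commit messages should reference the relevant bugs.
We require Developer Certificate of Origin Signed-off-by lines in commits.
See commit-messages.md (or skim git log) for our commit message style.
About Us
Tailscale is primarily developed by the people at https://github.com/orgs/tailscale/people. For other contributors, see: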
- https://github.com/tailscale/tailscale/graphs/contributors
- https://github.com/tailscale/tailscale-android/graphs/contributors
Legal
WireGuard is a registered trademark of Jason A. Donenfeld.