Skip to content

Curio v1.28.0

Latest
Latest

Choose a tag to compare

View all tags
@Reiers Reiers released this 05 May 12:34
· 12 commits to main since this release
v1.28.0
f2e6a26
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Curio v1.28.0

curio_nv28

✨ Overview

Curio v1.28.0 is the Nv28 network upgrade release. Storage Providers running on Mainnet MUST upgrade to this version (or later) before the Nv28 activation epoch.

Beyond Nv28 support, this release also tightens PDP correctness around rail finalization, ships an SSRF-config layer for outbound HTTP, and brings several smaller fixes that have accumulated since v1.27.4.

Field Value
Version v1.28.0
Type Stable, network-upgrade required
Compare v1.27.4...v1.28.0 (8 commits)
Build Go 1.26+ required to build from source
Network Nv28 (Lotus v1.36.0, go-state-types Nv28 actors)

⭐ Highlights

🌐 Nv28 network upgrade

Lotus and the Filecoin FFI are bumped to the Nv28 dependency set (lotus v1.36.0-rc1, filecoin-ffi v1.36.0). Curio nodes running v1.27.x will not be able to follow consensus past the Nv28 activation epoch, so an upgrade is required for all Mainnet SPs before that point. (#1183)

🛡️ Outbound HTTP SSRF guardrails ([Subsystems.RobustHTTP])

Curio's robusthttp client now exposes a configurable SSRF policy. Operators can set per-deployment allow/deny rules for outbound HTTP destinations rather than relying on hardcoded behavior, which matters when Curio talks to retrieval clients, market peers, or PDP service URLs in untrusted networks. New configuration block documented in default-curio-configuration.md. (#1192)

💸 Sybil-fee enforcement on by default for PDP clients

PDP create and pull flows now enforce client-side sybil-fee payment by default. This closes a path where clients could submit data-set creation/pull requests without having staked the protocol-level sybil fee. Existing operators do not need to change configuration; the enforcement is transparent. (#1181)

🛠️ PDP rail-finalization correctness

Two related fixes around the PDP-pay integration with FilecoinPay rails:

  • Detect rail finalization from getRail revert (#1190). FilecoinPay zeroes the rail struct atomically with the settle that brings settledUpTo to endEpoch, so the post-confirm getRail call reverts. Previously, the EndEpoch == SettledUpTo observation never fired, deletion_allowed was never set, and DeleteDataSetTask never ran. Curio now treats a getRail revert as finalization when pdp_delete_data_set shows after_terminate_service = TRUE and service_termination_epoch <= current.
  • Race-safe parked_pieces upsert (#1195). The existing check-then-execute pattern could race two identical-piece writes and produce duplicate key value violates unique constraint "parked_pieces_active_piece_key". Replaced with a conflict-safe upsert utility.
  • Missing returns after httpServerError in PDP handlers (#1188). Several PDP HTTP handlers continued executing after writing an error response, which could either double-write a body or take an erroneous further action. Returns now match the error-write.

🧹 Other fixes

  • itest-compat (#1182): integration-test harness adjustments for the Postgres-template itests landed in v1.27.4. No runtime impact.
  • Remove old CI files (#1184): cleanup of legacy CircleCI and self-hosted runner configuration.

📦 Compatibility

Component Required Notes
Lotus v1.36.0 Nv28 release. v1.36.0-rc1 also works for early upgrades.
Yugabyte v2025.1 (Automatic) Unchanged from v1.27.x.
Forest 0.33 (Automatic) Unchanged from v1.27.4.
Boost NA Curio's market path.

⚠️ Upgrade notes

  1. Upgrade Lotus first, then upgrade Curio. The Curio v1.28.0 binary will not work against an older Lotus daemon that doesn't speak Nv28 actor versions.
  2. No DB migration is required for this release. The schema is unchanged from v1.27.4. The migrator will pick up no new files on first start.
  3. If you are still on v1.27.3 or earlier, read the v1.27.4 release notes first. v1.27.4 included the PDP V0 main-branch landing and the parked_pieces uniqueness migration. Going 1.27.3 → 1.28.0 directly is supported but skipping the v1.27.4 notes is not recommended.
  4. Calibrationnet may be a network version ahead. Curio v1.28.0 is the calibration-and-mainnet release for Nv28; there is no separate calibration-only build.

🙏 Contributors

Thank you to everyone who contributed to this release: @LexLuthr, @magik6k, @rvagg, @ZenGround0, @snadrus, @Phi-rjan, @Reiers.

Contributors

rvagg, snadrus, and 4 other contributors
Assets 2
Loading