tectonic 0.6.0

tectonic 0.6.0 (2021-06-15)

This release adds some helpful new utilities and internal cleanups, which
involve breaking API changes (see below).

• New V2 command tectonic -X show user-cache-dir to print out the
  location of the per-user cache directory. FAQ, answered! (@pkgw, #786)
• New V2 command tectonic -X bundle search to print out listings of files
  contained in the "bundle" of TeX support files. If run in a workspace
  containing a Tectonic.toml file, the workspace’s bundle is queried;
  otherwise, the default bundle is queried. (@pkgw, #786)
• New V2 command tectonic -X bundle cat to print out one of the support files,
  with the same general behavior as the search command. You could also use
  this to ensure that a particular file has been loaded into the local cache.
  (@pkgw, #786).
• Improved security model regarding the "shell-escape" feature, which has the
  potential to be abused by untrusted inputs. A new --untrusted argument to
  the V1 CLI and tectonic -X build disables the use of shell-escape, and any
  other known-insecure features, regardless of the presence of -Z shell-escape
  or any other options. Therefore, if you're writing a script that processes
  untrusted input, if you make sure to run tectonic --untrusted ... you can be
  confident that further command-line arguments can't undo your sandboxing.
  Furthermore, if the environment variable $TECTONIC_UNTRUSTED_MODE is set to
  a non-empty value, the effect is as if --untrusted had been provided.
  (@pkgw, #787)
• You know what ... get rid of the "beta" message in the V1 CLI.
• Fix SyncTeX output, we hope (e.g., #720, #744; @hulloanson, @pkgw, #762).
  Tectonic's SyncTeX files should now include correct, absolute filesystem paths
  when appropriate.
• Fix some broken low-level XeTeX built-ins, reported by @burrbull (@pkgw, #714,
  #783)

A few more more words on the security model: the terminology is a bit slippery
here since we of course never intend to deliver a product that has security
flaws. But features like shell-escape, while providing useful functionality, can
certainly be abused to do malicious things given a hostile input. The default UX
aims to be conservative about these features, but if a user wants to enable
them, we'll allow them -- in the same way that Rust/Cargo will compile and run
build.rs scripts that in principle could do just about anything on your
machine. Our main security distinction is therefore whether the input is trusted
by the user running Tectonic. The decision of whether to "trust" an input or not
is something that fundamentally has to be made at a level higher above Tectonic
itself. Therefore the goal of Tectonic in this area is to provide the user with
straightforward and effective tools to express that decision.

For developers, this release adds two new Cargo crates to the Tectonic
ecosystem: tectonic_docmodel, allowing manipulation of Tectonic.toml files
and their related data structures; and tectonic_bundles, allowing manipulation
of the Tectonic support file bundles. In both cases, third-party tools might
wish to use these formats without having to pull in all of the heavyweight
dependencies of the main tectonic crate. And in both cases, the separation has
led to many API improvements and cleanups that greatly improve the overall code
structure. These changes break the API of the tectonic crate by removing some
old modules and changing the particular traits and types used to implement these
systems. (@pkgw, #785, #786)

tectonic 0.5.2

tectonic 0.5.2 (2021-06-08)

• Update dependencies, including watchexec. We believe that this should fix
  the issues with the official Windows executables that have been reported
  (#780, #782, @pkgw)

tectonic_bridge_harfbuzz 0.2.2

tectonic_bridge_harfbuzz 0.2.2 (2021-06-07)

• Still no code changes
• 0.2.1 didn't publish to Crates.io because our package file was too big for it;
  we've eliminated some of the Harfbuzz support files that should fix this
  (#781, @pkgw)

tectonic_bridge_harfbuzz 0.2.1

tectonic_bridge_harfbuzz 0.2.1 (2021-06-07)

• No code changes
• The 0.2.0 package didn't actually contain the vendored Harfbuzz source files,
  breaking cargo builds. We’ve modified the CI scripts to attempt to fix this
  (#777, @pkgw)

tectonic 0.5.1

tectonic 0.5.1 (2021-06-07)

Note: we have reports that the official 0.5.0 Windows executables don’t
work, or don’t always work (#780). This is under investigation but hasn’t been
addressed yet.

• No code changes to the main crate
• Update the Arch Linux specification files to comply better with guidelines
  (#779, @lmartinez-mirror)

tectonic 0.5.0

tectonic 0.5.0 (2021-06-06)

This is an exciting release! After literally years of requests, Tectonic
now supports the TeX “shell escape” mechanism required by some packages like the
minted code highlighter (#708). This is chiefly thanks to @ralismark who
put in the work to deliver a solid implementation and track ongoing changes to
the Tectonic backend. Thank you, @ralismark!

Shell-escape remains disabled by default because it is, frankly, a hack that
detracts from the reproducibility and portability of document builds. It also
has significant security implications — you should never process untrusted input
with shell-escape enabled. But in those cases where shell-escape is necessary,
you can activate it with an unstable option in the “V1” command-line
interface:

tectonic -Z shell-escape my-shell-escape-document.tex

In the “V2” model, you can activate shell-escape by adding the following line
to one or more [output] sections in your Tectonic.toml file:

[output]
name = 'default'
type = 'pdf'
shell_escape = true  # <== add this

The other major change associated with this release is for developers. The
Tectonic implementation has now been split into a number of specialized Rust
crates, each focusing on a specific piece of the overall Tectonic
functionality. Besides helping clarify and organize the large amount of code
that goes into Tectonic, this will make it easier for developers to create
Tectonic-based tools that use part of the codebase without having to depend on
every piece of it.

This change was made possible by adopting a new release automation tool called
Cranko that project lead @pkgw created last summer. Cranko is based on a
novel “just-in-time versioning” release workflow and extensive use of
Azure Pipelines continuous integration and deployment services — together these
make it feasible to manage versioning and releases of the 20 different crates
that now live within the Tectonic monorepo. This may not sound like the most
exciting kind of code to write, but Cranko has made it possible to almost
entirely automate the Tectonic release processes in a way that’s been nothing
short of transformative.

This change comes with a bit of a downside, in that there have been a lot of API
breaks in the tectonic crate, as numerous internal APIs have been improved and
rationalized. If you only use the tectonic::driver module, changes should be
minimal, but lots of support systems have changed. It is likely that there will
be additional breaks in subsequent releases as a few remaining subsystems are
split out. The good news is that the APIs in the new sub-crates should be much
better designed and better documented than many of their former incarnations in
the main crate.

There’s the usual collection of smaller improvements as well:

• If a document referenced a filename that corresponded to a directory that
  lived on the filesystem, you could get a hard-to-interpret error. Now,
  directories are ignored when looking for files.
  (#754, #759, @pkgw)
• A floating-point precision issue was fixed that broke the reproducibility of
  builds on 32-bit versus 64-bit systems
  (#749, #758, @pkgw)
• Fix potential undefined behavior in the tectonic_xdv crate reported by
  @sslab-gatech
  (#752, #753, @pkgw)
• Add the ability to customize the preamble, postamble, and index files in
  V2 documents (#745, #746, @jeffa5)
• Add a V2 tectonic -X watch command to auto-rebuild documents when their
  source files get updated (#719, #734, @jeffa5)
• Add an --open option to tectonic -X build to open the document(s)
  after the build finishes (#109, #733, @jeffa5)
• The usual updates to dependencies, build fixes, and documentation tweaks

tectonic_xetex_layout 0.1.0

tectonic_xetex_layout 0.1.0 (2021-06-03)

This new crate encapsulates the font selection and layout code used by the
tectonic_engine_xetex crate. While it mostly consists of C/C++ code at the
moment and does not expose a Rust API, there is a hope that it can be made more
flexible and that its implementation can be migrated to be more Rust-based.

tectonic_xdv 0.1.12

tectonic_xdv 0.1.12 (2021-06-03)

• Fix a potential source of undefined behavior (#752)

tectonic_pdf_io 0.1.0

tectonic_pdf_io 0.1.0 (2021-06-03)

This crate contains the vast majority of the C/C++ code from xdvipdfmx. It
provides I/O services to both the tectonic_engine_xdvipdfmx and
tectonic_engine_xetex crates through its C/C++ APIs. It does not provide a
Rust API.

This crate deals with general graphics I/O, not just PDF files, but the majority
of its code is PDF-centric.

tectonic_io_base 0.2.0

tectonic_io_base 0.2.0 (2021-06-03)

• BREAKING: use &str for TeX paths rather than OsStr. In principle this
  prevents users from asking the TeX engine to load up files whose names aren't
  expressible in Unicode, but that whole use case really meshes poorly with
  Tectonic's goal to provide a portable, uniform user experience. And using
  str just makes many parts of life much easier.
• Expose a new interface for TeX path normalization.
• If an engine requests to open a file from a filesystem provider, and that name
  exists but is a directory, pretend that it's not found. This is sensible behavior
  and prevents some hard-to-understand failures (#754)
• Add FilesystemIo::root() for users that want to query the root directory of
  a filesystem I/O provider.
• Work on the docs a bit