Radicle is a peer-to-peer, local-first code collaboration stack built on Git.
Vulnerability Disclosure
23.03.2026
As announced in the release notes for Radicle 1.7.0, that version contains a mitigation for a security vulnerability. Due to backward compatibility issues, indirectly related to the mitigation, we released Radicle 1.7.1. That release restores backward compatibility and also contains the mitigation.
With the knowledge of how 1.7.0 broke backwards compatibility, however, we decided to take a slightly more general view on backwards compatibility in light of the security vulnerability.
We are currently working on two features (see below) that will be released in version 1.8.0, and decided to delay disclosure of the security vulnerability until that release is available, at which point this page will be updated.
Radicle 1.8.0 will better protect users, and give them options to increase their level of protection further via configuration.
Downgrade Attack Protection
We are adding protections against downgrade attacks. These protections rely on data that was received per node, rather than requiring all nodes to upgrade in order to stay compatible.
Configuration of Protection Level
We are working on a configuration option that will allow node operators and users to decide how backwards compatible their node should behave. That is, a way for node operators to decide for themselves where they stand on an ordinal scale that trades off maximal backwards compatibility and minimal security on one end and minimal backwards compatibility and maximal security on the other.
We would like to thank you for your patience and your trust as we work on ensuring that the Radicle network stays secure.