Release 20210129 - emergency release!
January 29, 2021 in bliss by Dan Gravell
Emergency!
Thanks to a keen eyed devops engineer, we recently discovered two major weaknesses in the way bliss queries metadata and cover art. More specifically: the way it uses certificates to access the metadata server.
Headline: versions of bliss prior to this one will fail to query metadata starting tonight (Friday 29th January 2021).
This release contains a fix so bliss can continue querying metadata. If you have an old version that is affected by this and you cannot upgrade due to not holding a current update subscription, get in touch via [email protected] and we’ll issue a temporary update licence so you can install this fix.
Certificates and incompetency
It’s on my (Dan’s) shoulders.
A few years ago, we decided to adopt HTTPS for querying musical metadata and cover art. This is to ensure privacy; while no sensitive data is exchanged, the principle that no-one should be able to monitor your Internet activity is important.
We used Let’s Encrypt to generate the certificates. However, we have to support older versions of Java which don’t “trust” Let’s Encrypt certificates, so we also needed to hardcode the Let’s Encrypt certificate into bliss.
The trouble is, I (Dan) hardcoded the wrong certificate, an “intermediate” certificate which has since been replaced. This expires tonight, and it just so happens we discovered this in the last week.
We’ve now properly encoded the required certificates and will institute some process to make sure this doesn’t happen again.
To re-iterate: bliss versions older than this release will stop being able to query metadata from midnight tonight (GMT). If you do not have a bliss update licence please ask us at [email protected] for a temporary one so you can upgrade.
A workaround
There is a workaround if you want to stay on the current version and you are happy to use HTTP for metadata querying (as above - no sensitive data is exchanged, only a subset of information about your music files).
Follow the instructions at How can I assign more memory to bliss? Only, instead of changing the -Xmx
line, add:
-Dbliss.oma.host=bliss2.onemusicapi.com
-Dbliss.oma.protocol=http
Then restart… If you need more help implementing this, get in touch at [email protected] .
More improvements
We’ve also got a few other improvements in this build:
- Be tolerant of track numbers ending with periods.
- … but also be noisy when a track number is tagged that is invalid.
- Cope with exceptions in custom rules better.
Downloading and installing
You can download from the downloads page.
After you click through, installation instructions are available on the page following download.