• [Python-announce] ANN: Crossbar.io 26.6.1, Autobahn and the WAMP-for-Python stack (coordinated 26.6 release)

    From Tobias Oberstein@tobias.oberstein@gmail.com to comp.lang.python.announce on Mon Jun 22 11:01:03 2026
    From Newsgroup: comp.lang.python.announce

    We're happy to announce a coordinated 26.6 release of the complete WAMP-for-Python stack: the Crossbar.io router, the Autobahn|Python
    library, and the supporting packages, all released and cross-tested
    together.


    What is this
    ============

    WAMP (the Web Application Messaging Protocol) is an open protocol that
    provides two messaging patterns over a single connection: routed Remote Procedure Calls (RPC) and Publish/Subscribe (PubSub). It lets you build distributed applications and microservices where components -- in the
    browser, on a server, or on a device -- call each other's procedures and
    share events in real time.

    The packages in this release:

    * Crossbar.io -- the WAMP router (the broker/dealer that all
    clients connect to)
    * Autobahn|Python -- WAMP and WebSocket client/server library; runs
    unmodified on both Twisted and asyncio
    * txaio -- the Twisted/asyncio compatibility helper
    * zLMDB -- object-relational in-memory persistence on LMDB
    * cfxdb -- Crossbar.io database schema package (on zLMDB)
    * xbr -- XBR data-market extensions for WAMP

    All packages run on CPython 3.11-3.14 and PyPy 3.11.


    Highlights
    ==========

    * Coordinated, cross-tested release. The whole stack was released
    together at 26.6, with the router (Crossbar.io) acting as the
    integration oracle: the libraries are exercised together against the
    WAMP test suite, on both CPython and PyPy, before any package is
    tagged.

    * Router reliability fix. Fixed a bug in the router's dealer where,after
    a particular call-cancel / disconnect sequence, a callee registration
    could be left behind as a "zombie" that silently dropped routed calls
    (reported from a production deployment). Added a regression test.

    * Serializer coverage on CPython and PyPy. JSON, MsgPack, CBOR and
    FlatBuffers are now covered by round-trip tests on both interpreters,
    with graceful handling when an optional serializer (UBJSON) isn't
    available on a given platform.

    * Broader binary wheels and portable native code. Added the missing
    aarch64 wheels (CPython 3.12 / 3.14) and macOS wheels for a symmetric
    platform matrix (#1848), and fixed a PyPy/Windows wheel gap (#1859).
    The optional NVX native-vectorized WebSocket acceleration now builds
    against a portable CPU baseline (x86-64-v2 / armv8-a) instead of
    possibly emitting "-march=native", which could cause SIGILL on a
    different CPU than the build host; native tuning is now opt-in.
    musllinux / Alpine (musl libc) wheels are not yet published but are on
    the roadmap (#1877).

    * Software supply chain (SLSA). The release pipeline was reworked for a
    verifiable chain of custody: each artifact is built once, its checksum
    is verified, and the exact verified bytes are what gets published --
    there is no rebuild between testing and publishing -- using OIDC
    trusted publishing with attestations. A shell-injection attack surface
    in the CI/CD pipeline itself was also closed (GHSA-6658-6vq6-hjpr).
    To be precise: this concerned the build pipeline that *produces* our
    artifacts, not a runtime vulnerability in the shipped packages.


    On the roadmap
    ==============

    Work in progress, with design details in the Autobahn|Python issue
    tracker:

    * Software supply chain: SLSA Level 2/3 provenance and PEP 740
    attestations (#1842)
    * Post-quantum cryptography for WAMP: ML-KEM / ML-DSA (#1847)
    * FIPS: run on FIPS-enabled Linux kernels (RHEL 9 / Rocky 9) and a
    crypto-policy option (#1844, #1846)


    Where to get it
    ===============

    Crossbar.io 26.6.1
    PyPI: https://pypi.org/project/crossbar/26.6.1/
    Git: https://github.com/crossbario/crossbar/tree/v26.6.1

    Autobahn|Python 26.6.2
    PyPI: https://pypi.org/project/autobahn/26.6.2/
    Git: https://github.com/crossbario/autobahn-python/tree/v26.6.2

    txaio 26.6.1
    PyPI: https://pypi.org/project/txaio/26.6.1/
    Git: https://github.com/crossbario/txaio/tree/v26.6.1

    zLMDB 26.6.1
    PyPI: https://pypi.org/project/zlmdb/26.6.1/
    Git: https://github.com/crossbario/zlmdb/tree/v26.6.1

    cfxdb 26.6.1
    PyPI: https://pypi.org/project/cfxdb/26.6.1/
    Git: https://github.com/crossbario/cfxdb/tree/v26.6.1

    xbr 26.6.1
    PyPI: https://pypi.org/project/xbr/26.6.1/
    Git: https://github.com/wamp-proto/wamp-xbr/tree/v26.6.1


    Documentation and community
    ===========================

    * Protocol: https://wamp-proto.org/
    * Crossbar.io: https://crossbario.readthedocs.io/
    * Autobahn: https://autobahn.readthedocs.io/
    * txaio: https://txaio.readthedocs.io/
    * zLMDB: https://zlmdb.readthedocs.io/
    * cfxdb: https://cfxdb.readthedocs.io/
    * xbr: https://xbr.readthedocs.io/
    * Issues / discussions: see each project's GitHub repository

    Licensing: Crossbar.io is EUPL-1.2; the libraries (Autobahn|Python,
    txaio, zLMDB, cfxdb) are MIT-licensed.

    -- The Crossbar.io / Autobahn team

    --- Synchronet 3.22a-Linux NewsLink 1.2