<feed xmlns='http://www.w3.org/2005/Atom'>
<title>tailscale/control/controlhttp, branch debug-testwrapper</title>
<subtitle>The easiest, most secure way to use WireGuard and 2FA</subtitle>
<id>http://git.waynecole.info/tailscale/atom?h=debug-testwrapper</id>
<link rel='self' href='http://git.waynecole.info/tailscale/atom?h=debug-testwrapper'/>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/'/>
<updated>2026-01-23T23:49:45Z</updated>
<entry>
<title>all: remove AUTHORS file and references to it</title>
<updated>2026-01-23T23:49:45Z</updated>
<author>
<name>Will Norris</name>
<email>will@tailscale.com</email>
</author>
<published>2026-01-23T21:21:57Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=3ec5be3f510f74738179c1023468343a62a7e00f'/>
<id>urn:sha1:3ec5be3f510f74738179c1023468343a62a7e00f</id>
<content type='text'>
This file was never truly necessary and has never actually been used in
the history of Tailscale's open source releases.

A Brief History of AUTHORS files
---

The AUTHORS file was a pattern developed at Google, originally for
Chromium, then adopted by Go and a bunch of other projects. The problem
was that Chromium originally had a copyright line only recognizing
Google as the copyright holder. Because Google (and most open source
projects) do not require copyright assignment for contributions, each
contributor maintains their copyright. Some large corporate contributors
then tried to add their own name to the copyright line in the LICENSE
file or in file headers. This quickly becomes unwieldy, and puts a
tremendous burden on anyone building on top of Chromium, since the
license requires that they keep all copyright lines intact.

The compromise was to create an AUTHORS file that would list all of the
copyright holders. The LICENSE file and source file headers would then
include that list by reference, listing the copyright holder as "The
Chromium Authors".

This also became cumbersome to simply keep the file up to date with a
high rate of new contributors. Plus it's not always obvious who the
copyright holder is. Sometimes it is the individual making the
contribution, but many times it may be their employer. There is no way
for the project maintainer to know.

Eventually, Google changed their policy to no longer recommend trying to
keep the AUTHORS file up to date proactively, and instead to only add to
it when requested: https://opensource.google/docs/releasing/authors.
They are also clear that:

&gt; Adding contributors to the AUTHORS file is entirely within the
&gt; project's discretion and has no implications for copyright ownership.

It was primarily added to appease a small number of large contributors
that insisted that they be recognized as copyright holders (which was
entirely their right to do). But it's not truly necessary, and not even
the most accurate way of identifying contributors and/or copyright
holders.

In practice, we've never added anyone to our AUTHORS file. It only lists
Tailscale, so it's not really serving any purpose. It also causes
confusion because Tailscalars put the "Tailscale Inc &amp; AUTHORS" header
in other open source repos which don't actually have an AUTHORS file, so
it's ambiguous what that means.

Instead, we just acknowledge that the contributors to Tailscale (whoever
they are) are copyright holders for their individual contributions. We
also have the benefit of using the DCO (developercertificate.org) which
provides some additional certification of their right to make the
contribution.

The source file changes were purely mechanical with:

    git ls-files | xargs sed -i -e 's/\(Tailscale Inc &amp;\) AUTHORS/\1 contributors/g'

Updates #cleanup

Change-Id: Ia101a4a3005adb9118051b3416f5a64a4a45987d
Signed-off-by: Will Norris &lt;will@tailscale.com&gt;
</content>
</entry>
<entry>
<title>feature/ace: make ACE modular</title>
<updated>2025-10-04T02:37:42Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2025-10-04T00:32:17Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=223ced84b571df1e2045d3977459374bc43f5515'/>
<id>urn:sha1:223ced84b571df1e2045d3977459374bc43f5515</id>
<content type='text'>
Updates #12614

Change-Id: Iaee75d8831c4ba5c9705d7877bb78044424c6da1
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
<entry>
<title>control/controlclient: remove x/net/http2, use net/http</title>
<updated>2025-10-02T15:25:14Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2025-10-01T15:53:48Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=1d93bdce20ddd2887651e4c2324dd4e113cd864a'/>
<id>urn:sha1:1d93bdce20ddd2887651e4c2324dd4e113cd864a</id>
<content type='text'>
Saves 352 KB, removing one of our two HTTP/2 implementations linked
into the binary.

Fixes #17305
Updates #15015

Change-Id: I53a04b1f2687dca73c8541949465038b69aa6ade
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
<entry>
<title>net/netmon: remove usage of direct callbacks from netmon (#17292)</title>
<updated>2025-10-01T18:59:38Z</updated>
<author>
<name>Claus Lensbøl</name>
<email>claus@tailscale.com</email>
</author>
<published>2025-10-01T18:59:38Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=ce752b8a88214a2d45477aa8b77384175ebbdf18'/>
<id>urn:sha1:ce752b8a88214a2d45477aa8b77384175ebbdf18</id>
<content type='text'>
The callback itself is not removed as it is used in other repos, making
it simpler for those to slowly transition to the eventbus.

Updates #15160

Signed-off-by: Claus Lensbøl &lt;claus@tailscale.com&gt;</content>
</entry>
<entry>
<title>feature, net/tshttpproxy: pull out support for using proxies as a feature</title>
<updated>2025-09-30T17:25:56Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2025-09-30T16:12:42Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=442a3a779d29f78ba03cbd61509824f21c90cc59'/>
<id>urn:sha1:442a3a779d29f78ba03cbd61509824f21c90cc59</id>
<content type='text'>
Saves 139 KB.

Also Synology support, which I saw had its own large-ish proxy parsing
support on Linux, but support for proxies without Synology proxy
support is reasonable, so I pulled that out as its own thing.

Updates #12614

Change-Id: I22de285a3def7be77fdcf23e2bec7c83c9655593
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
<entry>
<title>control/controlhttp: simplify, fix race dialing, remove priority concept</title>
<updated>2025-09-21T03:37:14Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2025-09-20T23:48:18Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=db048e905d6636006d06c93da06fad3ff075e97b'/>
<id>urn:sha1:db048e905d6636006d06c93da06fad3ff075e97b</id>
<content type='text'>
controlhttp has the responsibility of dialing a set of candidate control
endpoints in a way that minimizes user facing latency. If one control
endpoint is unavailable we promptly dial another, racing across the
dimensions of: IPv6, IPv4, port 80, and port 443, over multiple server
endpoints.

In the case that the top priority endpoint was not available, the prior
implementation would hang waiting for other results, so as to try to
return the highest priority successful connection to the rest of the
client code. This hang would take too long with a large dialplan and
sufficient client to endpoint latency as to cause the server to time out
the connection due to inactivity in the intermediate state.

Instead of trying to prioritize non-ideal candidate connections, the
first successful connection is now used unconditionally, improving user
facing latency and avoiding any delays that would encroach on the
server-side timeout.

The tests are converted to memnet and synctest, running on all
platforms.

Fixes #8442
Fixes tailscale/corp#32534

Co-authored-by: James Tucker &lt;james@tailscale.com&gt;
Change-Id: I4eb57f046d8b40403220e40eb67a31c41adb3a38
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
Signed-off-by: James Tucker &lt;james@tailscale.com&gt;
</content>
</entry>
<entry>
<title>net/ace, control/controlhttp: start adding ACE dialing support</title>
<updated>2025-09-19T16:52:29Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2025-09-17T16:44:50Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=ecfdd86fc9956631759277d1ddbd78f0456dc365'/>
<id>urn:sha1:ecfdd86fc9956631759277d1ddbd78f0456dc365</id>
<content type='text'>
Updates tailscale/corp#32227

Change-Id: I38afc668f99eb1d6f7632e82554b82922f3ebb9f
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
<entry>
<title>health,ipn/ipnlocal: introduce eventbus in health.Tracker (#17085)</title>
<updated>2025-09-16T15:25:29Z</updated>
<author>
<name>Claus Lensbøl</name>
<email>claus@tailscale.com</email>
</author>
<published>2025-09-16T15:25:29Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=2015ce40814dd175f7d441c83d7517a2128b37e4'/>
<id>urn:sha1:2015ce40814dd175f7d441c83d7517a2128b37e4</id>
<content type='text'>
The Tracker was using direct callbacks to ipnlocal. This PR moves those
to be triggered via the eventbus.

Additionally, the eventbus is now closed on exit from tailscaled
explicitly, and health is now a SubSystem in tsd.

Updates #15160

Signed-off-by: Claus Lensbøl &lt;claus@tailscale.com&gt;</content>
</entry>
<entry>
<title>net/tlsdial: fix TLS cert validation of HTTPS proxies</title>
<updated>2025-06-18T21:20:39Z</updated>
<author>
<name>Brad Fitzpatrick</name>
<email>bradfitz@tailscale.com</email>
</author>
<published>2025-06-09T01:51:41Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=e92eb6b17bb59cd66cd78c90db3b285015ed5e11'/>
<id>urn:sha1:e92eb6b17bb59cd66cd78c90db3b285015ed5e11</id>
<content type='text'>
If you had HTTPS_PROXY=https://some-valid-cert.example.com running a
CONNECT proxy, we should've been able to do a TLS CONNECT request to
e.g. controlplane.tailscale.com:443 through that, and I'm pretty sure
it used to work, but refactorings and lack of integration tests made
it regress.

It probably regressed when we added the baked-in LetsEncrypt root cert
validation fallback code, which was testing against the wrong hostname
(the ultimate one, not the one which we were being asked to validate).

Fixes #16222

Change-Id: If014e395f830e2f87f056f588edacad5c15e91bc
Signed-off-by: Brad Fitzpatrick &lt;bradfitz@tailscale.com&gt;
</content>
</entry>
<entry>
<title>derp/derphttp: remove ban on websockets dependency</title>
<updated>2025-04-16T17:10:45Z</updated>
<author>
<name>David Anderson</name>
<email>dave@tailscale.com</email>
</author>
<published>2025-03-20T16:19:47Z</published>
<link rel='alternate' type='text/html' href='http://git.waynecole.info/tailscale/commit/?id=6d6f69e7358f52b56ad8365f465aefaa95a7de0c'/>
<id>urn:sha1:6d6f69e7358f52b56ad8365f465aefaa95a7de0c</id>
<content type='text'>
The event bus's debug page uses websockets.

Updates #15160

Signed-off-by: David Anderson &lt;dave@tailscale.com&gt;
</content>
</entry>
</feed>
