News updates for a summer 2026 release.

NEWS

@@ -1,6 +1,101 @@
 Noteworthy changes in release a.b
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
+* NEW.  Contribution guidelines, Including sections on complexity, completeness,
+  signing and our AI policy.
+  (PR #2003)
+
+Updates
+-------
+
+* Remove CRAM v4.0 support.  The experimental CRAM v4 code was large, complex
+  and insufficiently tested.  With no real move toward v4 adoption we have
+  removed the code in order to reduce the likelihood of security issues.
+  (PR #2020 and PR #2031)
+
+* Ensure indirect function calls have the correct type.  Some HTSlib interfaces
+  have function callbacks that are intended to be generic, so the function
+  signatures include a void * for data to be passed in.  While this mostly works
+  it is strictly undefined behaviour.  Some new wrapper functions and interfaces
+  are added to address this.
+  (PR #1994)
+
+* Add wrappers for malloc, realloc with a calloc-like interface.  This helps
+  avoid bugs due to integer wrap-around when calculating memory sizes.
+  (PR #2006)
+
+* Make faidx work with very long (>4 Gbyte!) lines. Although faidx should
+  support very long references, writing one longer than 4Gbases on a single line
+  broke it because it used a uint32_t field to store the line length.
+  (PR #2008. fixes samtools/samtools#2331.  Reported by Ying Chen)
+
+* Parallel cram2bam.  Add more of the work into worker threads to speed
+  everything up.
+  (PR #2015)
+
+* Improve synced reader error checking.  Ensure memory failures are caught and
+  that error are propagated to callers.
+  (PR #2024)
+
+* Add tbx and bcf multi-region iterators.
+  (PR #2030, fixes #1930.  Requested by Adam Novak.
+   Replaces the alternative PRs #1997 and #2022)
+
+* Remove references to the non-existant FAI_CACHE.
+  (PR #2033, fixes #2032.  Reported by John Marshall)
+
+* Improve hfile_s3.c error handling.
+  (PR #2036.  Thanks to John Marshall)
+
+* In VCF, improve the "not defined in the header" messages.
+  (PR #2007)
+
+
+Build Changes
+-------------
+
+* Add Github actions builds for Linux and Mac OS.  This replaces the Cirrus CI
+  tests that were discontinued.
+  (PR #2000)
+
+* Ensure PACKAGE_VERSION is set in the Makefile.
+  (PR #2038.  See also samtools/samtools#2337)
+
+Bug fixes
+---------
+
+* Fix a read buffer overflow and improve SQ LN field checking.
+  (PR #1999 fixes oss-fuzz issue 499447432)
+
+* A number of small fixes, often removing unused code or correcting misplaced
+  checks.
+  (PR #1992, PR #1993, PR #2004, PR #2010)
+
+* Fix s3_seek returning wrong offset on cache-hit.
+  (PR #2012.  Thanks to Nick Edwards)
+
+* Remove a signed overflow bug in bgzf_read_small.
+  (PR #2013)
+
+* Protect against uninitialised variable read with X_NOSZ codecs.
+  (PR #2023, fixes #2021.  Reported by Jiami Lin)
+
+* Several fixes co-authored by Team Atlanta.  Fix divide-by-zeros in
+  cram_xpack_decode_char and cram_xdelta_decode.  Also protect against oversized
+  shift (ubsan) in cram_subexp_decode.
+  (PR #2025.  Thanks to Team Atlanta)
+
+* Bounds-check refid when loading a CRAM .crai index.
+  (PR #2029.  Thanks to Sidhartha Kumar)
+
+
+Documentation updates
+---------------------
+
+* Clarify how defaults work when building an index with tabix.
+  (PR #2002, addresses #1995. Query made by dariober)
+
+
 Noteworthy changes in release 1.23.1 (18th March 2026)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~