Review Board 5.0 Release Notes¶

Database Changes¶

Note that this release contains database schema changes to the following tables:

• oauth2_provider_accesstoken

• oauth2_provider_application

• oauth2_provider_grant

• oauth2_provider_idtoken

• oauth2_provider_refreshtoken

• reviewboard_oauth_application

• scmtools_repository

• webapi_webapitoken

This will take a small amount of time to migrate the database. Please test the upgrade on a copy of your database first, to ensure the upgrade is smooth and to time how long the upgrade takes.

Packaging¶

• Review Board 5.0 supports Python 3.7 - 3.11.

• Django 3.2.x is required.

• Djblets 3.0.x is required.

• django_evolution 2.2.x is required.

• django-haystack 3.2.x is required.

• django-oauth-toolkit 1.6.x is required.

• Switched Memcached interface from python-memcached to pymemcache.

• Removed the elasticsearch dependency by default.

  See the release notes below for enabling Elasticsearch support.

Single Sign-On with SAML 2.0¶

Single Sign-On (SSO) is increasingly important in the enterprise world, providing centralized user and application provisioning and much better security.

Review Board now supports SAML 2.0 for authentication and user provisioning. This allows the use of Auth0, OneLogin, Okta, and many other SSO providers.

See SAML 2.0 Authentication for more information.

Detection of Trojan Source Attacks¶

Trojan Source attacks employ special Unicode characters, such as bi-directional control characters, zero-width spaces, or confusable/homoglyph characters (which have the appearance of other common character) to trick reviewers into approving possibly malicious code.

These are CVE-2021-42574 and CVE-2021-42694, and affect many tools on the market (code review tools, IDEs, repository browsers, and more).

Review Board now detects characters that can be used in these attacks, and flags them in the diff viewer. When found, a helpful notice with examples and informative links will be shown at the top of the file, and the lines themselves will be flagged.

The Unicode characters will be highlighted, replaced with the Unicode codepoint, rendering the attack harmless. Reviewers can click a button to see how the code would have looked.

This will also be shown when previewing a diff before publishing, in case any new code was copied/pasted from a malicious source.

Learn more.

Dashboard Improvements¶

The Ship It! indicators in the dashboard are now grey if there’s been a new update since the last Ship It! (Bug #2106).

This makes it easier to see at a glance which changes have been updated since they’ve been approved, helping you to prioritize what you review next.

Enhanced API Tokens¶

Since Review Board 2.5, users have been able to create API Tokens through the My Account page for use with RBTools or custom scripts using the Review Board API. These have historically been SHA1-based tokens.

We’ve revamped API tokens in Review Board 5. They now support:

• Expiration dates – tokens past an expiration date will no longer work.

• Invalidation – administrators can mark tokens as invalid and specify the reason.

• A larger length (255 characters), for security.

• Tracking the last-used date/time of a token.

• The ability to be scanned via secret scanning by checking an identifiable prefix (rbp_) and a checksum in the token.

All legacy tokens will continue to work, but we recommend moving to newer tokens for security.

The API Tokens management page in My Account has been updated:

• Tokens can now be copied with one click.

• The time a token was last used and how long until it expires or how long since it expired is now shown and can be changed.

• If a token is invalidated, the date and reason why will be shown.

Users will be notified if they try to use a token that has expired.

Administrators can invalidate tokens through a new invalidate-api-tokens site management command.

New Integrations¶

• Elasticsearch 1.x, 2.x, 5.x, and 7.x

  Previously, due to compatibility issues in the search backend package we use, only Elasticsearch 1.x and 2.x were available. We now support 5.x and 7.x.

  To enable the version you want, you must install the appropriate version of the elasticsearch package. We provide the following convenient packages:

  • 1.x: pip3 install ReviewBoard[elasticsearch1]

  • 2.x: pip3 install ReviewBoard[elasticsearch2]

  • 5.x: pip3 install ReviewBoard[elasticsearch5]

  • 7.x: pip3 install ReviewBoard[elasticsearch7]

  See Elasticsearch Configuration for more information.

• Matrix

  Matrix is a modern, decentralized chat service. It allows individual servers to be set up and federated, and supports many chat features, including end to end encryption.

  Review Board can now post to Matrix when review requests are posted or updated, or whenever there’s new discussions on the review request.

  See the documentation for configuration instructions.

  Patch by Ruonan Jia.

Administration Features¶

• Custom syntax highlighting configuration for diffs.

  The choice of syntax highlighters has traditionally been left up to the decisions made by the Pygments library. In most cases it is correct, but sometimes the wrong lexer would be chosen for certain filenames. This can now be overridden on a case-by-case basis, mapping file extensions to Pygments lexer names. These mappings can be configured in the Diff Viewer settings within the Review Board admin UI.

• The Install Key field in Administration UI -> Support Settings can now be copied with one click.

  This makes it easier to activate support or get a Power Pack license.

SCMTools Registry¶

SCMTools have traditionally been defined using Python entry points, and a management command had to be run to scan the entry points and add a row to the scmtools_tool table in the database.

We’ve changed this to instead use a registry. Entry points and the Tool model will still work in Review Board 5.0, but this usage is deprecated and will be removed in a future release.

As part of this, a new extension hook, SCMToolHook has been added. We recommend anybody who has implemented a custom SCMTool change their code to use the new hook instead of entry points.

JavaScript Async Operations¶

Most asynchronous operations in the JavaScript APIs have been extended to return promises. The promises can either be used directly, or can be used implicitly through the use of async and await.

If you develop client-side extensions, you will need to upgrade.

The callback usage is still available, but has been deprecated and will be removed in a future release.

Review Requests¶

• Fixed a handful of issues that could occur when a new review request was discarded before being published, but then updated again via RBTools.

• Fixed switching between “Source” and “Rendered” views when viewing a diff of Markdown-type file attachments.

User Accounts¶

• Fixed a crash when a database issue causes multiple user profiles to be created for the same user.

• Fixed a UI issue when changing API token policies where the wrong policy could be shown if making multiple changes to a policy and then canceling out of the policy editor.

Breezy¶

• Fixed potential problems with environment variables when executing brz.

Extensions¶

• Corrected the help text that would be displayed if an extension fails to load.

• Fixed a crash when trying to load extensions from broken Python packages.