What's New in Review Board

Today's release of Review Board 3.0.3 focuses on a series of fixes and improvements for avatars, diffs for comments, extension packaging, and a few other things. The big highlights are with the new avatar upload UI and stability improvements.

Avatars

It's now easier to upload custom avatars. The UI has been completely redone, and gives you a better idea of how your avatar will look. Simply drag-and-drop any image to upload it.

We've also fixed a handful of problems with custom avatar backends, to prevent them from occasionally disappearing or not being used. If you're building custom backends, we're interested in hearing if you're encountering any problems with this release.

Some other things we've fixed

• The Review Request API resource now includes the number of issues pending verification.
• Diffs shown alongside comments work once again under Python 2.7.6 and older.
• Subversion support is no longer broken when using modern versions of Subvertpy.
• Extensions providing LessCSS stylesheets will now package correctly when including stylesheets outside the extension.

For the full list of changes, see the release notes.

For over a decade, we've been building Review Board with the goal of making your code, UI, and documentation review process easier, helping you weigh in and spot problems before your customers do.

But we know you're busy — we all are — and there's better uses for your time than checking every change for syntax errors, unused variables, bad imports, style consistency, and other problems that could have been caught ahead of time by code analysis tools.

So we'd like to help you out.

Meet Review Bot.

Review Bot is a self-installed service and extension for Review Board 3.0 that automatically reviews code changes posted for review. It integrates with a handful of popular command line code analysis tools, gathering results and posting reviews for issues found in the code.

You can create as many Review Bot configurations as needed for your organization, running different tools for different repositories or review groups, and customizing the settings for each tool.

Review Bot 1.0 supports the following tools:

• BuildBot "try" — automated builds
• Checkstyle — Static analysis for Java
• Clang Static Analyzer — Static analysis for C, C++, and Objective-C
• Cppcheck — Static analysis for C and C++
• CppLint — Style checker for C and C++ using Google's style guide
• flake8 — Style checker and static analysis for Python
• JSHint — Static analysis for JavaScript
• PMD — Static analysis and duplicate code detector for a wide variety of languages
• pycodestyle — Style checker for Python
• pyflakes — Static analysis for Python

More are coming soon, but you're not limited to what Review Bot ships with. You can also write your own integrations for tools used in your organization using Python.

Get started with Review Bot

Review Bot is ready and eager to start reviewing your code today. To get set up, there are three components you'll need to install:

• A compatible message broker service, such as RabbitMQ or Redis, which tracks automated code review requests
• The Review Bot worker service, which runs any configured tools against your code
• The Review Bot extension for Review Board 3.0

The message broker and Review Bot worker can be installed on the server running Review Board or on a dedicated server. Follow your preferred broker's instructions and the Review Bot installation guide to get everything set up. Please note that some tools may have their own installation requirements as well.

If you have any questions or hit any problems as you get going, you can reach out to us on our community support forum. Priority support for Review Bot is also included as part of a Review Board support contract.

We have a new release of RBTools for you today. Version 0.7.11 brings a number of fixes and improvements for posting reviews and working with Git, Mercurial, Subversion, and Team Foundation Services repositories.

Here are some of the highlights:

• rbt post --diff-only, which used to be specific to Perforce and regressed there recently, now works for all types of repositories.
• Mercurial changes are now posted as Git-style diffs, leading to a better experience on Review Board.
• Crashes running svn info with certain locales when scanning the type of repository will no longer occur.
• Team Foundation Services support should work correctly when Visual Studio 2017 is installed.
• The help output for rbt post --tracking-branch is no longer incomplete and misleading.

The complete list of changes are available in the release notes.

See the RBTools Downloads page for installation instructions for your operating system.

We're working toward a release of RBTools 1.0, with many new features for working with automated code review, intelligently computing tracking branches for Git, landing sets of changes at once, and more. Stay tuned for that, and as always, if you hit any problems, please let us know on our community support forum or bug tracker.

This week's release of Review Board 3.0.2 fixes many bugs in our new features, from avatars and issue verification to automated code review and desktop notifications.

Here are some of the highlights of the release:

• The in-page bubble and browser's desktop notifications have been fixed, letting you see once again when a review request has been updated or has new discussions.

• Diffs with Unicode characters should appear once again alongside comments in reviews.

• Progressively updating automated code reviews no longer stops displaying the diffs for the comments.

• Files from Perforce containing Unicode BOMs should now patch correctly. If you were having this problem, you should also make sure you have a modern P4Python package installed.

• Gravatars once again display properly for users who have mixed-case e-mail addresses.

• Several compatibility regressions with extensions have been fixed.

• The "Download Diff" button should no longer go missing on the diff viewer.

• The User API no longer breaks if an avatar can't be loaded for a user.

There's a handful of other fixes as well. See the release notes for the full list of changes.

The next patch release of Review Board will be a feature enhancement release, focusing on reworked GitLab support (moving to their more stable API version 4), along with new integrations for Asana, Trello, and I Done This. We're aiming for a predicable schedule for releases, so going forward, look for Review Board releases on Tuesdays and RBTools releases on Thursdays.

Updated 6-January-2018, 2:12AM PST: We seem to be back up and running. It's not clear yet what happened, but we'd like to thank whoever at Google turned the group back on! We'll keep an eye on this over the coming days.

Today, we became aware that our community support group, hosted by Google Groups, was blocked due to a report of malicious content. We're not sure yet if this was a spam protection mechanism on Google's side determining that some content (such as a snippet of source code pasted as part of a support request) was malicious, or if someone intentionally or unintentionally reported the group to Google for abuse. We've reached out to Google and are investigating this.

Right now, since the portal is down, there are a few other option for support:

• You can post to the reviewboard-dev group. We typically use this for issues related to the development of Review Board or third-party extensions, but are opening it up for now to all discussion.
• You can post to the /r/reviewboard subreddit. This is a pretty new, low-activity subreddit we've been using for announcements, but is a fine place to ask more basic questions and have discussions.
• If you need private support, you can file a support ticket. We generally require a support contract for any support tickets here, but until this issue is resolved, we're accepting community support requests.

We know this is annoying, and we're looking into new options for community support going forward that would prevent this from ever happening again. Please reach out to us through any of the above methods if you have any questions. We'll keep this post updated when the support portal comes back online.

We have two new Review Board releases for you today!

Review Board 2.5.17 fixes a handful of issues, including:

• Posting changes containing Unicode characters to GitLab via the New Review Request page
• Regressions in showing closed review requests in the search field
• Crashes when getting a user's full name from LDAP when that name didn't include any spaces
• Creating drafts when editing the caption for file attachments
• Showing replies alongside reviews in the user page's list of published reviews

On top of those fixes, Review Board 3.0.1 has a few additional improvements:

• Capability flags have been added in the API's root resource indicating if JSON patching and symlinks in Git diffs are supported, helping clients make smarter decisions
• A newer user permission was added to let that user see invite-only review groups in the API, which is useful for in-house tools
• Avatar backends provided by extensions should no longer disappear

See the 2.5.17 and 3.0.1 release notes for the full list of changes. If you're upgrading to 2.5.17, please follow the installation instructions in the release notes so you don't end up on 3.0.1.

It feels like yesterday that we wrapped up the first release of Review Board 2.5. Surprisingly, it's actually been 2 years, and we've been busy in that time building the next major evolution of Review Board, 3.0.

That version is here, and with it comes new integrations for third-party services, automated code review support, new review capabilities, better discussions, and oh so much more.

It's a big release. Let's take a look at the major features.

Review Board now talks to your other services (like Slack!)

One of the focuses of this release was to help Review Board work with the other tools you use every day. For this, we've developed a new integrations feature that can talk to all sorts of things, like:

• Chat services (Slack, and soon Stride and Mattermost)
• Continuous Integration services (Travis CI and CircleCI)
• Automated code review services (Review Bot, coming soon)
• Project/task management services (Asana and Trello, also coming soon).

You can create as many integration configurations as you need, directing updates for different teams to different Slack channels, or using different tools for different repositories.

More integrations are coming soon, and extension authors can build their own.

Do more with reviews

Your reviews can contain general comments, which aren't tied to any particular file, and are useful for pointing out higher-level issues with a change (missing screenshots, typos in the description, architectural problems, or anything else).

We're introducing optional issue verification, which ensures an issue can't be resolved and the change landed until the reviewer has verified the fix.

Filed a Ship It! accidentally, or maybe it no longer applies? You can now revoke your Ship It! at any time.

Add some flavor to your comments with Emoji shortcodes. These work on any database (unlike Unicode Emojis), and are largely compatible with Slack and GitHub's Emoji sets.

To share a mockup, meme, or other images in your comments, you can drag-and-drop images into text fields. This works with any Markdown-capable text field in the product.

Need to hand off a review request to another developer? Owners of a review request (and administrators) can now re-assign ownership of a review request.

We've improved discussions and searching

New discussions or updates are highlighted in blue, letting you see what's new since you last looked at the page. If you've already seen everything interested in a review or an update, the box will be collapsed by default, letting you focus on what's most important.

Want to share part of a discussion in chat or in an e-mail? You can easily link to reviews, review request updates, and individual comments through the link icon on the side.

Finding review requests has gotten easier with new support for Elasticsearch and on-the-fly search indexing, ensuring that any new changes made to review requests can instantly be found. (Note that Elasticsearch 2.x is currently required.)

New extension capabilities

Working with the API or extensions? Integrating with your own in-house tools? We have some new toys to play with:

• Review Board now works as an OAuth2 Provider, letting your users easily connect your service to their account in a safe way
• Custom avatar backends for using your company's existing photo database instead of Gravatar.com.
• New fine-grained control for modifying extra_data in the API, and controlling access to data.
• A better way of adding customs fields, with built-in options for drop-downs, checkboxes, date fields, and more.

Did we mention it's a big release?

Whew, that's a lot, and doesn't even cover all the new features in the release.

Ready to get going with Review Board 3.0? We recommend installing on a test server first with a copy of your database, just to make sure it works for you.

Please let us know how Review Board 3.0 works for you, or what you're most excited about. You can also find us on Reddit at /r/reviewboard.

We've just wrapped up what should be the final release candidate for Review Board 3.0. This release polishes up some of the new features and visuals, improves performance throughout the product, enhances the API's capabilities, and fixes a handful of bugs and regressions.

Let's dig in.

Smarter Collapsing of Review and Change Boxes

One of the major goals of Review Board 3.0 is to help you better follow along with any changes and discussions on review requests. To help with that, we've improved when boxes on the review request page start out collapsed.

If there's a new review or update to a review request, a new reply, an issue that needs to be resolved, or pending status updates, the box will be expanded, but if not, it will be collapsed. This really helps to see what's most important when working with large review requests.

Better API Support for JSON in extra_data

Most resources in the REST API provide a special field extra_data, which stores arbitrary JSON data that clients can write to and read from. Until now, clients could only store simple keys and values, and couldn't easily work with structured JSON content.

The API now supports using JSON Patches and JSON Merge Patches to modify extra_data, allowing for complex JSON structures to be stored, modified, and returned.

Better High-DPI Support

Screens are getting better all the time. MacBook Pro "Retina" displays arrived in 2012, and even higher-DPI screens have become more common since. Review Board has shipped artwork for "2x" DPI displays for years, but now we support "3x" and higher, with improved loading and no more transitions from low-resolution to high-resolution graphics. No matter what your display, Review Board will be nice and crisp.

And Loads More

This release is filled with polish and fixes for performance and stability. See the release notes for the complete list of changes, along with installation instructions.

We plan to ship the final 3.0 release this month, based on your feedback from this release. We expect that this will be the final release candidate, and that not much will change for the final 3.0 release, so now's the time to test and send us your feedback.

We're here today with another beta for Review Board 3.0. This introduces a large number of new features. For instance:

• Highlighting new discussions on a review request
• Ability to revoke Ship-Its
• Open issue verification
• Emoji shortcodes
• CircleCI and Travis CI integration
• OAuth2 Provider support

There's much more, but let's break these features down.

Highlighting New Discussions

Any updates, reviews, or replies made to a review request since you last looked at the page are now highlighted with a blue dot and a blue border, helping you to quickly catch up on what's new.

Revoking Ship-Its

Ever leave a Ship It and regret it? Maybe you realized you missed something important, or it just doesn't apply to the change anymore. Now you don't have to live with the regret. Clicking the "X" on the Ship It able to confirm you want to revoke it, and away it goes.

Open Issue Verification

Open issue tracking is a great way of communicating what changes need to be made before a change can go in, but sometimes an issue is so important that you really need to verify its resolution before it's closed.

Now, when filing the issue, you can mark that it needs verification. This will still allow the review request's owner to click Fixed or Dropped, but it won't be closed until you verify their resolution. You're also free to re-open, if you disagree with their change.

This also works well as a "Don't Ship It" feature. Simply never verify the issue until both sides are in agreement on the direction the change must take.

Emoji Shortcodes

Text fields with Markdown enabled now accept Emoji shortcodes. These are codes like :smile:, :thumbsup:, etc. that will show up as Emojis.

CircleCI and Travis CI Integration

Review Board can now integrate with your CircleCI or Travis CI build systems to perform automated tests when review requests are posted. This is a great way of verifying that code going up for review pass all unit tests, browser-based tests, and anything you have set up.

We're still working on the documentation for these, but the Integrations release notes go into the basics. You can find these integrations in the Administration UI -> Integrations page.

And that's just the beginning

• OAuth2 Provider support
• Easy linking to reviews, comments, and replies
• New visuals and infoboxes in the dashboard
• On-the-fly search indexing
• Dynamics reloading of pending status updates
• Performance improvements
• Lots of new extension functionality for the entries (boxes) on the review request page, better custom field support, and other enhancements.

For the entire list of changes, see the Review Board 3.0 beta 2 release notes and Integrations 0.5 beta 2 release notes.

Installing 3.0 Beta 2

Ready to try beta 2? Excellent. Just run:

$ sudo pip install \
    -f https://downloads.reviewboard.org/releases/ReviewBoard/3.0/ \
    -f https://downloads.reviewboard.org/releases/Djblets/0.10/ \
    -f https://downloads.reviewboard.org/releases/rbintegrations/0.5/ \
    --pre -U ReviewBoard

Or, if using easy_install:

$ sudo easy_install \
    -f https://downloads.reviewboard.org/releases/ReviewBoard/3.0/ \
    -f https://downloads.reviewboard.org/releases/Djblets/0.10/ \
    -f https://downloads.reviewboard.org/releases/rbintegrations/0.5/ \
    -U ReviewBoard

Make sure you're deploying on a test server with a copy of your database in case anything goes wrong! You can't downgrade.

What's Next?

Now that we're finished with feature development, we'll be focusing on bug fixes and polish. We plan to have one more pre-release (Release Candidate 1) in just a couple weeks, with a final release to follow shortly after. Aiming for early November.

Your feedback will be invaluable to ensure we have a high-quality final release. If you're able to try beta 2, and have anything to report, please reach out to us on the community support forum or our bug tracker.

We have two new security releases for you today, both fixing security issues reported to us by security researcher Dylan Ayrey. There's also a few bug fixes for GitLab and Subversion, and some improvements for the Administration UI's Security Checklist.

Security Fixes

Dylan reported two vulnerabilities that could be used to execute JavaScript code on a user's behalf:

1. If a text field contains a plain-text javascript: URL, it would be turned into a link that, when clicked, would execute JavaScript on the user's behalf. These links would be pretty long and were easily identifiable, making it less likely that users would be tricked into clicking them (and could not be masked using Markdown links). We've altered the linking behavior to only link certain known types of safe URLs.

2. When clicking Download on a file attachment, the browser may choose to render certain file types in the browser. This includes SVG files, which can include JavaScript. If the media files are served up on the same domain used for Review Board (which is the default behavior), as opposed to a CDN or dedicated domain, then users could be at risk when downloading SVG files.

   We now generate Apache configuration files that add a Content-Disposition: attachment header to all media files, forcing them to download. If you're not using a standard Apache setup, you may need to modify your configuration to add this header.

   You can visit the Security Checklist to make sure this header is being set.

GitLab and Subversion Fixes

Review Board 2.0.31 and 2.5.16 include fixes for working with changes on GitLab. Both fix issues viewing diffs against files containing Unicode characters, and 2.5.16 includes a fix for creating/modifying repositories for self-hosted GitLab servers.

2.5.16 also includes a fix for the New Review Request page when there are problems talking to Subversion repositories. Errors are now reported, instead of the page reporting a generic "Internal Server Error."

See the 2.0.31 and 2.5.16 release notes for more information on these releases, along with upgrade instructions.