New Django 1.6.11.2 security releases

Today, Django released new security patches for 1.7.x, 1.8.x, and 1.9. These fix a possible settings leak in the date template filter, which could let a user steal settings such as a database password if they're able to construct their own date format string.

We've put out a corresponding 1.6.11.2 release, which backports this fix to the version of Django used by Review Board 1.7.x through 2.5.x. While this vulnerability does not affect Review Board, we nevertheless suggest that you upgrade.

The latest security releases can always be downloaded here. We announce new releases on our Official Announcements mailing list and on our community support forum.

To upgrade to Django 1.6.11.2, you can run:

$ sudo easy_install \
    -f https://s3.amazonaws.com/downloads.reviewboard.org/releases/Django/1.6/index.html \
    Django==1.6.11.2

or, using pip:

$ sudo pip install \
    -f https://s3.amazonaws.com/downloads.reviewboard.org/releases/Django/1.6/index.html \
    Django==1.6.11.2

Unfortunately, due to restrictions in the design of pip, we will not be able to automatically upgrade to these versions of Django in Review Board. We are working on a solution for this. However, for now, it will be up to you to handle this.
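
Since the upgrade is manual, it is worth confirming afterwards that the Python environment serving Review Board picked up the patched build. The script below is an added example, not part of the original announcement or of Review Board's own tooling; the function names are hypothetical, and it assumes setuptools' pkg_resources is importable and that the installed version string matches the Django==1.6.11.2 requirement shown above.

```python
import re
import sys

# Minimum backported security release named in this announcement.
MIN_PATCHED = (1, 6, 11, 2)


def parse_version(text):
    """Turn '1.6.11.2' into (1, 6, 11, 2); reject anything non-numeric."""
    if not re.match(r'^\d+(\.\d+)*\Z', text):
        raise ValueError('unexpected version string: %r' % (text,))
    return tuple(int(part) for part in text.split('.'))


def needs_upgrade(installed, minimum=MIN_PATCHED):
    """Return True if a Django 1.6.x install predates the patched backport."""
    version = parse_version(installed)
    if version[:2] != minimum[:2]:
        # The backport only covers the 1.6 series; other series are
        # patched by Django's own releases, which this check cannot judge.
        raise ValueError('not a Django 1.6.x install: %s' % installed)
    # Pad to equal length so '1.6.11' compares as (1, 6, 11, 0).
    width = max(len(version), len(minimum))
    padded = version + (0,) * (width - len(version))
    floor = minimum + (0,) * (width - len(minimum))
    return padded < floor


def installed_django_version():
    """Read the version recorded by pip/easy_install for the Django package."""
    import pkg_resources  # assumption: setuptools is installed
    return pkg_resources.get_distribution('Django').version


if __name__ == '__main__':
    try:
        current = installed_django_version()
        stale = needs_upgrade(current)
    except Exception as exc:
        sys.exit('Could not check Django: %s' % exc)
    if stale:
        sys.exit('Django %s is older than 1.6.11.2; upgrade needed' % current)
    print('Django %s includes the backported fix' % current)
```

Run it with the same interpreter (and virtualenv, if any) that the Review Board site uses, since a system-wide Python may report a different Django.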

For information on what's in this security release, see Django's announcement.

Please note that Django 1.6.x is the last version to support Python 2.6.x, which has also end-of-lifed. We will be dropping support for Python 2.6 in Review Board 2.6, so we recommend moving to Python 2.7 at your earliest convenience.

Review Board 2.5.1 is out!

Last week's release of Review Board 2.5.1 was a huge hit, and we've had a lot of people quickly upgrading to try out all our new features. If you haven't had a chance to see the release yet, check out our video introduction.

Video: https://www.youtube.com/embed/YkoHgxOQtRI

However, it wasn't a perfect release, and many of our Python 2.6 users noted that summaries were no longer showing in the dashboard, due to a compatibility issue introduced in 2.5. We've addressed this and several other issues in today's release of 2.5.1.

Along with the bug fixes, we've made improvements to diff display and to posting new commits for review.

You can see the full list of changes in the release notes.

Thanks to everyone for testing the release, sharing it with others, and providing great feedback!

Updated November 3, 2015 23:40 PST: We've released 2.5.1.1, which temporarily reverts the new feature from 2.5.1 for including branch information in posted commits, due to some breakages that resulted.

Review Board 2.5 is here!

We are proud to announce the immediate availability of Review Board 2.5. You’ve helped make Review Board a hugely popular tool, with hundreds of thousands of users worldwide, and we think you’re going to love 2.5!

We really pushed ourselves to improve the tool’s extensibility, to give you even more ways to make Review Board a reliable, hassle-free part of your workflow. We’ve incorporated feedback from our users around things like mobile support, improved collaboration capabilities and usability improvements that make developers’ jobs easier.

Here are some of the highlights:

Productivity Boosters

  • A cleaner, more polished look and feel

    A cleaner Review Board is a friendlier Review Board. We've removed a lot of the noise and cruft, and helped bring your attention to what matters most.

  • Work on the go with new mobile support

    On a train? Out to lunch? No problem! Review Board 2.5 is mobile-friendly, so developers can contribute to reviews while away from their desk.

  • Review faster with Expandable Diff Fragments

    Instantly see more context for a comment. One click expands the diff right in the review.

  • Stay focused by muting and archiving review requests

    For all the Inbox Zero types, you can now archive old review requests and mute any that don’t require your attention.

  • Auto-version and diff your file attachments

    Just upload a new version of an attachment and Review Board will track its version, letting everyone see all the changes made. Images and text-based attachments can even be diffed!

  • See more at a glance with Live HD Thumbnails

    Hover over file attachment thumbnails and watch as more of it scrolls into view, giving you a better picture of what's in the file.

Integrations to Power Your Workflow

  • Share your credentials securely with API Tokens

    Third-party tools/services and custom scripts can now securely log in as a Review Board user. No need to give out passwords, and the access can be tightly restricted. This paves the way for future integrations with things like third-party automated code review services.

  • Hook into other services with Webhooks

    Review Board 2.5 can notify other services, such as collaboration and CI tools, in a format they understand when posting or updating review requests and reviews.

  • Deeper integration with bug trackers

    Connecting your JIRA, Bugzilla, or GitHub bug trackers to Review Board lets you see more detail about the bugs on your review requests.

You can see some of this in action by watching the video below:

Video: https://www.youtube.com/embed/YkoHgxOQtRI

For the entire list of changes, see the release notes.

Tell Your Friends!

We hope you're as excited about 2.5 as we are! Want to help us spread the word over Twitter or Facebook? We've even prepared a little something you can start with:

Looking forward to using @ReviewBoard 2.5’s new UI, mobile support, webhooks, and more! http://bit.ly/1MUZPv2 #devops

You can also find the announcement on Hacker News and Reddit.

Some Thoughts From Our Beta Users

"As both a heavy Review Board user and a contributor, I’m very excited about release 2.5," said Stephen Gallagher of the Fedora Project. "The Beanbag team and entire Review Board upstream open source project exemplify all the ideals of the open source movement: agility, collaboration and community. The interface improvements in 2.5 really make Review Board feel like a tool for today’s developer. And as I’m increasingly away from my desk, mobile support to keep up with reviews on the go is critical."

Griffin Myers, a developer with a leading maker of high performance signal processing applications, added "Review Board is an indispensable part of our development process. It helps increase collaboration within our team, improves code quality, and provides a pathway for new team members to become assimilated with a large existing code base. The Beanbag team has cultivated an active user community and is incredibly responsive to, and receptive of, user feedback. I’m most excited about 2.5’s restyled UI, improved mobile support, and expandable diff fragments. We also love the enhancements to Markdown rendering, e-mail and dashboard management, all of which have their roots in user requests."

RBTools 0.7.5 is here!

RBTools 0.7.5 is now out and ready to install.

This is largely a bug fix release, focusing in part on improved compatibility with Windows, Git, Subversion, Mercurial, Perforce, and Team Foundation Server.

On Windows, RBTools will now first look in %HOME% to find any custom .reviewboardrc files, instead of only looking in the Application Data directory, which will be quite helpful with many system configurations. There are also fixes for using Mercurial on Windows.

Non-Git user? You've probably seen that annoying but harmless command not found: git error when posting a change. That's gone now!

For Perforce users, posting submitted changes or files outside of the client view now works. This had regressed in an earlier release, but you should be in good shape now.

Subversion has seen some more Unicode fixes, plus fixes for rbt post --svn-show-copies-as-adds.

Along with all this, we've added a new feature for setting a custom search path for .reviewboardrc. You can set your $RBTOOLS_CONFIG_PATH to a list of paths to search, allowing you to make your version in $HOME take precedence over what's in your repository, and allowing you to work with centralized collections of aliases in your organization.

See the release notes for the complete list of changes.

One more thing: We've simplified installation for those of you using pip to install. Our builds are now directly hosted on PyPI, meaning all you now need to do to upgrade is run:

$ pip install -U RBTools

Power Pack for Review Board 1.3.4 is out!

Power Pack 1.3.4 builds on top of last release's 1.3.3, fixing a couple of annoying bugs.

First, some of you have found that Reports broke in 1.3.3. We've tracked the issue down and fixed it. Reports should work just fine now.

Beta users of Review Board 2.5 have noted that one of our new features didn't work so well with Power Pack. Review Board 2.5 allows any draft comments on an image or document to be moved and resized, but this didn't play nicely on PDFs. That's been taken care of, so once you upgrade to 2.5, you'll be able to drag those comments all over the place.

It's a small release, but we have some big ones coming up, as we prepare some major improvements to Reports, and introduce some new features to help manage user accounts.

See the release notes.

To install Power Pack, follow our installation instructions. If it's already installed, you can upgrade by typing:

$ sudo easy_install -U ReviewBoardPowerPack

Got a feature you want in Power Pack? Let us know!

Power Pack for Review Board 1.3.3 is out!

Power Pack 1.3.3 is now available for download, featuring new bug fixes and an improved setup and trial experience.

Power Pack extends Review Board, offering PDF document review, report generation, scalability, and compatibility with Microsoft Team Foundation Server and GitHub Enterprise.

We've fixed case sensitivity issues when comparing paths with TFS, fixing issues when posting diffs. There are also compatibility fixes for systems using Python 2.6.

Along with this, we've made it easier to get started with Power Pack. When you first install it and enable the extension, you'll see a new banner guiding you through installing a trial license, and then guiding you through adding users to the license. Once your trial runs out, it'll let you and your users know, so that there's no confusion as to why features stopped working.

See the release notes for all the changes.

To install Power Pack, follow our installation instructions. If it's already installed, you can upgrade by typing:

$ sudo easy_install -U ReviewBoardPowerPack

Review Board 2.0.20 is released

We've just released Review Board 2.0.20, which fixes several bugs that were reported in 2.0.19. These include:

  • Subversion 1.9 diffs containing newly-added files are now supported.
  • E-mail headers that contain Unicode data (such as full names with accents) once again send correctly.
  • Image file attachments with comments no longer break review requests.
  • Plain text files in the diff viewer no longer render incorrectly with red boxes around words.
  • Text-based file attachment thumbnails no longer sometimes show up as garbage.

Thanks as always to our wonderful users for their patience and bug reports!

The full release notes are up. We also have a guide on verifying PGP signatures for our downloads, to ensure authenticity.

We're gearing up for the full 2.5 release. Just getting everything in order, but (knock on wood) we expect to ship by the end of the month!

Review Board 2.0.19 is released

Review Board 2.0.19 is out! This release focuses on some e-mail-related improvements and a series of compatibility/bug fixes.

Extension authors have access to several new hooks that allow extensions to better control the recipients for an e-mail list. They can be used to filter out addresses or add to the To/CC lists.

On the user side, e-mails now provide a bunch of new headers that you can use for more fine-grained filtering:

  • Any review e-mail with a Ship It! will contain a X-ReviewBoard-ShipIt: 1 header.
  • If it doesn't have any other contents, it'll be accompanied by a X-ReviewBoard-ShipIt-Only: 1 header.
  • You'll find an X-ReviewBoard-Diff-For header for every file in a diff, to really help sort those into the right e-mail folders.

It wouldn't be a .z release without some good bug fixes:

  • We've fixed more character set compatibility issues with different systems we integrate with.
  • Some issues relating to Power Pack compatibility on Windows and with SSH scalability have been resolved.
  • Comment dialogs no longer show the wrong thing if immediately opening a newly-saved plain text comment.
  • Opening and closing text fields or the comment dialog no longer results in unnecessary drafts being created.

The full list of changes is up in the release notes.

Please note that you're also going to want to upgrade your version of Django to 1.6.11.1. We cannot install this version for you at this time, so see our earlier announcement for instructions.

New Django 1.6.11.1 security releases

We've just put out new, unofficial releases of Django 1.6.11 that contain security fixes backported from the latest versions of Django.

The Django project is no longer maintaining Django 1.6.x, as it has end-of-lifed. However, for many reasons, we're currently dependent on this version. As such, we will be maintaining security releases for Django 1.6.x from here on out, in the form of 1.6.11.x releases.

The latest security releases can always be downloaded here. We will announce new releases on our Official Announcements mailing list and on our community support forum.

To upgrade to Django 1.6.11.1, you can run:

$ sudo easy_install \
    -f http://downloads.reviewboard.org/releases/Django/1.6/ \
    Django==1.6.11.1

or, using pip:

$ sudo pip install \
    -f https://s3.amazonaws.com/downloads.reviewboard.org/releases/Django/1.6/index.html \
    Django==1.6.11.1

Unfortunately, due to restrictions in the design of pip, we will not be able to automatically upgrade to these versions of Django in our upcoming releases of Review Board. It will be up to you to handle this for now. We will announce instructions along with the releases.

For information on what's in this security release, see Django's announcement.

Please note that Django 1.6.x is the last version to support Python 2.6.x, which has also end-of-lifed. We will be dropping support for Python 2.6 in Review Board 2.6, so we recommend moving to Python 2.7 at your earliest convenience.

Plans for Review Board's bug tracker

Many of you may have heard that Google Code is going read-only starting tomorrow, and some have asked us how this will affect the project, since we host our bug tracker there.

Not to worry. Google's been nice enough to whitelist us for a little while, so even though most of Google Code will be down, we'll continue to be up. This is not permanent, but for the time being, you'll still be able to report bugs at the old address.

Going forward, we'll be migrating off of Google Code and onto a new tracker. That will happen in the coming weeks, and we'll talk more about it when it happens.

So why the delay? Why did Google need to extend the shutdown date for us? We actually have something new on the way that we're pretty excited about. We call it Splat, and while still very young, it's shaping up to be a pretty cool bug/issue tracker. We weren't quite prepared to switch over to it by the shutdown date, but we have enough of it ready to launch pretty soon.

There's a lot more that I'd like to say about Splat, but there will be time for that. We'll make a more formal announcement soon.
