What's New in Review Board

Today's release of Review Board 4.0.11 introduces new APIs for managing access control lists, new repository support needed for upcoming Cliosoft SOS improvements, and fixes a handful of bugs.

Repository Access Control List APIs

Repositories can be locked down to a specific set of users and groups, and now these ACLs can be managed programmatically via new Repository Group ACL and Repository User ACL APIs.

We introduced this in 5.0 Beta 2, and are now bringing this to 4.0.11.

Repository Improvements

We've made changes behind-the-scenes to support new repository features, which will first be used for upcoming support for communicating with Cliosoft SOS over SSH. That will be coming soon to Power Pack.

Bug Fixes and Improvements

We've made several stability and performance improvements to:

• SSH-based repository communication
• Mercurial support
• Site installation
• API rate limiting

For the complete details, see the release notes.

Upgrading to Review Board 4.0.11

To upgrade to 4.0.11, we recommend specifying the exact version you want to install. For example:

sudo pip install -U ReviewBoard==4.0.11

This will be important once Review Board 5 is released.

Our official Docker images have also been updated for 4.0.11.

Today, we’re releasing what we expect to be the final pre-release of Review Board 5.0.

Review Board 5.0 features:

• Single Sign-On using SAML
• Elasticsearch 1.x-7.x support
• Trojan source code detection
• Stronger API tokens, with expiration, invalidation, last usage tracking, and secret scanning
• Stale Ship It! indicators in the Dashboard
• New APIs for querying comments and reviews across all review requests
• Built on top of Django 3.2, supporting Python 3.7-3.11, bringing better performance, bug/security fixes, and new extension capabilities

This release candidate introduces:

• Better Ship It! indicators in the Dashboard, showing if new updates have been made since the last Ship It!
• New controls for setting the expiration dates of API tokens
• Several bug fixes

We expect to release the final 5.0 within weeks.

Want to help us test?

We’re close to the release, but we could still use your help! We want this to be a solid release, and your feedback can help us get there.

We have installation information in the release notes, or you can use the beanbag/reviewboard:5.0rc1 Docker image. See our Docker instructions for information on setting up an environment.

Please make sure you have a dedicated testing server and database. Do not test this release candidate in production!

Stay tuned for the final 5.0 release, coming soon!

Last month, we announced the release of Review Board 5 beta 1, a feature-packed beta introducing SAML Single Sign-On, Trojan Source attack detection, new APIs, and more.

Today, we're following up with another beta, this time introducing:

Enhanced API Tokens

We're increasing the security of API tokens, and giving both users and administrators more control over their lifecycle.

• Expiration: API tokens can now be set to expire after a period of time, helping with testing or compliance with internal best practices. Once expired, a token will no longer be accepted. (Currently, expiration can only be set via the API, but the next beta will offer UI for this.)

• Invalidation: Administrators can invalidate tokens for specific users or all users on a server, helping to lock things down in the event of a security breach.

• Secret Scanning: Tokens are now 255 characters, and can be identified by secret scanning. We'll be updating Review Bot to help scan for leaked tokens in posted code, and will be working with other companies offering secret scanning.

All existing tokens will continue to work, but we recommend migrating over to the new enhanced API tokens.

Repository Access Control List APIs

Repositories can be locked down to a specific set of users and groups, and now these ACLs can be managed programmatically via new Repository Group ACL and Repository User ACL APIs.

We're introducing this in 5.0, but we plan to bring these same APIs to the upcoming 4.0.11 release as well.

Help When Upgrades Go Wrong

We work hard to ensure upgrades go smoothly, but sometimes things just go wrong.

Now, whenever there's a problem with an upgrade, rb-site will generate a debug log file containing information you can send to your Beanbag Support contact. We can use this to more quickly help you get going again.

If you don't have a support contract, and you're on your own supporting Review Board for your company, talk to us about how we can help lend a hand.

Plus..

• Mitigation against SAML Single Sign-On replay attacks
• Updates to Single Sign-On to work with multiple Review Board server hostnames
• Performance improvements with the Search field
• Usability improvements in the administration UI and My Account page
• Bug fixes throughout the product.

See the release notes for the complete list of changes.

Want to Help Us Test?

We’d love to have your help! We have installation information in the release notes.

Please make sure you have a dedicated testing server and database. Do not test this beta in production!

You can use the beanbag/reviewboard:5.0b2 Docker image as well. See our Docker instructions for information on setting up an environment.

We unfortunately had to pull this week's 4.0.8 and 4.0.9 releases, due to a packaging issue that broke the diff viewer.

Today's release of 4.0.10 is a replacement for these releases, and will restore working functionality.

What Happened?

We use a fantastic tool called Babel to help us write modern JavaScript. It converts our JavaScript to something compatible with the majority of the browser market share.

Since our 4.0.7 release, an older mobile browser dropped below a certain market share. This was the last browser that held back our usage of some modern JavaScript. When this happened, it uncovered a bug where some of our code was expecting the rewritten form, and broke with the modern form.

This is our first time encountering such a rare breakage, but it's an interesting one, and we're evaluating how to avoid this in the future and to improve our automated testing.

Updating to Review Board 4.0.10

If you're on any prior release, including 4.0.9, you can upgrade as normal. Our official Docker images have also been updated for 4.0.10.

If you missed the 4.0.8 or 4.0.9 releases, we've included all of the improvements in the Review Board 4.0.10 release notes.

We have two new releases to present today, improving compatibility and fixing an assortment of bugs.

Review Board 4.0.9

This is a small bug and compatibility fix release, focusing on:

• Compatibility issues with a new release of Python-Markdown and in general with Python 3.10.
• A regression with changing between Source and Rendered tabs in the Markdown review UI
• An uncommon problem with closing/resolving issues when a single review request contains comments of multiple types with the same ID.

See the release notes.

We've also updated the official Docker images to provide Review Bot 3.1.1 and Power Pack 5.1.

Review Bot 3.1.1

This release improves compatibility with the following tools:

• JSHint
• Cargo

As well as fixing installation issues on Python 3.6.

Our official Docker images have been updated for this release.

See the release notes

We are pleased to announce the first beta for the next major version of Review Board!

Our team has been hard at work on this release, and with your help, we hope to ship the final 5.0 release soon.

If you’re interested in beta testing, please keep reading.

What’s New in 5.0?

Built for Modern Environments

Review Board now requires Python 3.7 or higher, and uses Django 3.2 LTS.

Many of our dependencies have been updated to require the latest versions available.

If you’re upgrading an old installation, this would be a good opportunity to deploy a new server or switch to our Docker images (use beanbag/reviewboard:5.0b1). Once released, we’ll continue to support older versions through support contracts.

Single Sign-On

We’re building support for SAML 2.0-based Single Sign-On (SSO) directly in Review Board. With SSO, you can use a provider such as Auth0, OneLogin, or Okta to provision and authenticate users.

This works alongside any existing authentication setup you may already have, such as LDAP or Active Directory.

When enabled, users will need to configure API Tokens for use with RBTools, rather than using their SSO credentials.

We’re still testing this with various SAML providers. If you’re interested in this feature, please let us know which providers you use today, and whether you encounter any problems with the beta.

Trojan Source Attack Detection

Review Board now looks for Trojan Source attacks in code posted for review. These attacks use special Unicode characters to make code appear one way, but execute another way, and can be injected intentionally (by a malicious developer) or accidentally (by copying and pasting malicious code from another website).

The diff viewer will now show a notice if any suspicious code is detected for a file, and will show you the suspicious characters. Reviewers can then choose to see how the code would normally appear, getting a sense of the attack.

Elasticsearch 5.x and 7.x

Review Board now supports using Elasticsearch 5.x and 7.x as search backends, as well as the previously-supported 1.x and 2.x releases.

Please note, we depend on a third-party project called Django Haystack for our Elasticsearch support. At this time, neither Elasticsearch 8.x nor OpenSearch are supported by Haystack.

See the release notes for information on how to configure your version of Elasticsearch.

Global Review and Comment APIs

These new APIs allow you to make queries against all reviews or all comments in Review Board.

This can, for instance, be used to list all reviews made by a given user in the past month, or all issues that remain open.

Performance Improvements

We’re making substantial changes to how Review Board works internally, in an effort to improve performance for large installs.

Beta 1 begins this work by simplifying many of the queries used in the database, making the dashboard and several APIs substantially faster.

We’ll have even more improvements in beta 2.

Plus…

• You can now forward review requests and discussions to the Matrix chat service.
• You can set the syntax highlighter you want for different file types in the diff viewer.
• Extension authors can now benefit from the features available in Django 3.2, new registration abilities for custom SCMs, and async/await operations in our JavaScript API.
• Many bugs were fixed (the major ones are listed in the release notes).

See the 5.0 beta 1 release notes for the full list of changes.

Want to Help Us Test?

We’d love to have your help! We have installation information in the release notes.

Please make sure you have a dedicated testing server and database. Do not test this beta in production!

You can use the beanbag/reviewboard:5.0b1 Docker image as well. See our Docker instructions for information on setting up an environment.

Power Pack 5.1 adds support for the upcoming Review Board 5 release, while maintaining compatibility with Review Board 3 and 4.

We are releasing Review Board 5 beta 1 very soon. If you're planning to beta test this release, and are using Power Pack today, we recommend preparing by upgrading to Power Pack 5.1.

This release also contains a fix for diffing PDFs on Python 3 installations.

For complete details, see the release notes.

What is Power Pack?

Power Pack is an add-on to Review Board that provides:

• PDF document review and diffing, allowing you to review documents, schematics, designs, contracts, and code all in one place.
• Report generation, giving you insight into code review practices in your organization.
• Integrations with enterprise services including AWS CodeCommit, Azure DevOps/TFS, Bitbucket Server, Cliosoft SOS, GitHub Enterprise, HCL VersionVault and IBM Rational ClearCase.

With more features in the works.

Licenses are affordable and can cover as many or as few users as needed in your team. Download a 60-day trial license to get started.

Review Bot 3.1 adds support for the upcoming Review Board 5 release, while maintaining compatibility with Review Board 3 and 4.

We are releasing Review Board 5 beta 1 very soon. If you're planning to beta test this release, and are using Review Bot today, we recommend preparing by upgrading to 3.1.

This release also contains a small fix for changing the configured broker URL, to avoid retaining connections to older brokers.

For complete details, see the release notes.

To get started, download Review Bot or read the documentation.

Docker images are also available to help you get going quickly.

We have three new releases out today, all focusing on better compatibility and bug fixes.

Review Board 4.0.7

We've fixed issues all throughout the product, covering:

• Compatibility fixes for ClearCase, GitLab, reCAPTCHA, and third-party extensions
• Text editing improvements to better help you write code in comments
• Better scaling for deployments with many Review Board servers and with thousands of repositories
• Fixes for edge cases when rendering diffs

Our Docker images have also been updated to include support for Power Pack and Review Bot 3.

See the release notes for more on Review Board 4.0.7.

RBTools 3.1.1

This release fixes some regressions from the 3.1 release in rbt land and rbt patch.

It also improves support for IBM ClearCase and HCL VersionVault repositories, which is available through Power Pack.

See the release notes for more on RBTools 3.1.1.

Power Pack 5.0.1

This releases focuses on improving the support for IBM ClearCase and HCL VersionVault. Bugs for diff generation has been fixed and support for UCM workflows have been improved. If you're using legacy ClearCase support in Review Board, we recommend upgrading to the modern version in Power Pack for features like multi-VOB repositories, better compatibility, and official support.

We've also fixed issues running the Database Import/Export functionality in some environments. If you're using our Docker images, import-db and export-db should now work fine.

Power Pack supports additional repositories like Cliosoft SOS and GitHub Enterprise, PDF document review and diffing, Reports for your teams and organizations, and more.

See the release notes for more on Power Pack 5.0.1, or download a 60-day trial license to get started!

Cliosoft SOS is an enterprise source code management solution widely used for hardware and software design and development. It's built to allow teams across the globe to collaborate on large hardware-focused projects.

We’ve partnered with Cliosoft to bring support for SOS to Review Board. You can now connect your SOS projects to Review Board as repositories, post code from local workareas using RBTools, and review them using Review Board’s collection of code review capabilities. This includes issue tracking for comments, moved code detection, multi-line commenting, interdiffs, file attachment review, and more.

SOS support is available as of today’s releases of Power Pack 5 (our licensed add-ons for Review Board) and RBTools 3.1 (our developer command line tools).

Along with SOS support, Power Pack provides PDF document review/diffing, team collaboration reports, database import/export, scalability enhancements, and support for several additional source code management solutions.

Compatible Releases

SOS support requires the following minimum versions on the Review Board server:

• SOS 7.20
• Review Board 4.0.6
• Power Pack 5

And on developer machines:

• SOS 7.20
• RBTools 3.1

Licensing

Power Pack is a licensed product. Licenses can be purchased by credit card or Purchase Order, and can cover as many or as few Review Board users as needed for SOS.

You can get started with a 60-day trial license.

Please note that this is separate from your SOS license.

Learn More

See our SOS workflow guide to learn how to post changes to Review Board, and our repository setup guide to learn how to connect Review Board to SOS.

To learn more about today’s releases of Power Pack 5 and RBTools 3.1, see the Power Pack release notes and RBTools release notes.