Review Board 3.0.11 and 2.5.18 Security and Bug Fix Releases

Today's release of Review Board 3.0.11 features a security fix in the API, compatibility with modern Bitbucket WebHooks, and other improvements. We've also put out an accompanying 2.5.18 security release, for those who haven't yet upgraded to 3.0.

Diff Validation Security Fix

The Diff Validation API allowed for private repositories to be specified when validating a new diff. This did not leak any file contents whatsoever, but could expose whether a particular file at a revision did or did not exist, or whether an uploaded patch could be applied against those files.

This is only an issue for servers making use of private repositories, and it does not apply to Local Site access control. Still, we recommend that everyone updates to this release.

Modern Bitbucket WebHooks

Bitbucket removed support for their legacy WebHooks, which broke Review Board's ability to auto-close review requests when commits are pushed.

The 3.0.11 release adds compatibility with the newer WebHooks. Follow the instructions to re-add any hooks you had set before in Bitbucket.

Other Fixes and Improvements

  • Repository names can now be up to 255 characters long, giving you enough room to generate names based on URLs or some other identifier
  • Errors finding the GitLab API version (usually caused by domain resolution or SSL certificate trust issues) now contain enough information to help you locate the real problem
  • Fixed crashes with sending WebHook payloads when certain data types were involved

See the Review Board 3.0.11 and 2.5.18 release notes for the full list of changes.

Review Board 3.0.10: Security and bug fixes

Security fixes

Review Board 3.0.10 addresses a security vulnerability found in-house that could allow for malicious JavaScript from a user profile to execute when rendering avatars. This bug was originally introduced in 3.0.7 and does not affect any prior releases.

Although there are no known exploits found in the wild, we do recommend that everyone upgrades to this release.

Plus several bug fixes, including

  • A regression introduced in 3.0.9 with sending WebHooks
  • An upgrade bug that could occur when upgrading to 3.0.x for the first time
  • Conflicts between extensions when installing or upgrading multiple ones at a time
  • URLs not always linking in comments and text fields

And other improvements

  • The New Review Request page confirms that you want to post commits for review, in case you click the wrong thing
  • Review request e-mails now show the branch information

That's not all. Check out the release notes for the rest of the changes.

Review Board 3.0.9 is released

Today's release of Review Board 3.0.9 brings on a handful of bug fixes for extensions, diffs, review requests, Perforce, Subversion, JIRA, Review Bot, and more. Plus, better active user tracking (for support contracts and licenses) and new condition rules.

Let's take a look.

Welcome back, Review Bot

A recent release of Review Bot unveiled some bugs in our extension handling. When installing for the first time, Review Board could crash loading the metadata. Shouldn't be a problem anymore, and thanks everyone for your patience on this.

Activity tracking has improved

We now store information on when users last used Review Board, helping administrators get a better idea of their active user base. Particularly helpful when signing up for support or purchasing a Power Pack license.

Subversion, Perforce, and JIRA are happier

Subversion repositories that allowed anonymous access were broken when using Subvertpy as a backend.

Tracked down an odd bug with Perforce involving access-restricted Perforce clients named "none" blocking new review requests from being posted.

If JIRA was configured wrong, your logs could be full of crash details when failing to access a ticket. Now we handle that much more gracefully.

Extension authors, too

The Review Bot bug wasn't limited to just Review Bot. Any extensions with Unicode characters in the description could break, but not anymore.

We've also identified an issue that could break some custom authentication backends, and another that could prevent custom date/time fields from saving reliably.

We polished visuals

We've fixed up some alignment annoyances with move detection flags in the diff viewer. Moved lines of code no longer appear ever-so-slightly indented.

The Dashboard had some lingering hover styles for date fields that were pretty sloppy. We got rid of them.

Notifications for updates on a review request could also show the wrong timestamp in some cases, or the wrong user if an administrator changed a review request. Edge cases, but they're taken care of.

Made integrations more flexible

We've added new options for choosing when Slack and other integrations do their thing. You can now define rules based on who has participated in discussions on a review request, or who is listed as a target reviewer.

And there's some other stuff

Fixes for the API, better safeguards for webhooks, and new helpful instructions for Beanstalk.

See the release notes for the full list of changes.

Review Bot 1.0.1 is out now

Today's release of Review Bot, our automated code review extension for Review Board, introduces a few new features and fixes several compatibility issues and other bugs. Most of these wouldn't have happened without our wonderful community of contributors and early adopters. Thank you!

Let's look at the highlights.

Full-Repository Review for Mercurial

Some tools (such as the Clang Static Analyzer) need a full checkout of the repository in order to perform a full review. These now work with Mercurial repositories in addition to Git.

Cppcheck Language Selection

Cppcheck can now be forced to check source files as either C or C++ code. This is helpful for codebases that treat .h files as C++. By default, it will continue to auto-detect the file type based on the extension.

Compatibility Fixes

Review Bot now authenticates properly with Review Board 3.0.8.

Dependency conflicts involving pyflakes, pycodestyle, or flake8 when installing the Review Bot Worker have been resolved. Not everyone hit these, but it was common on newer installs due to changes in newer versions of these packages.

And More

We've smoothed out communication between the Review Bot extension and worker services, added better error handling when saving a configuration form without all required data, removed unwanted temporary files, and fixed error reporting in flake8 and cpplint.

For the full list of changes, see the release notes.

RBTools 1.0.1 is out now

Today’s release of RBTools fixes some of the most common issues experienced in the recent 1.0 release:

Improved Windows compatibility

This release fixes some regressions on Windows, namely a crash when prompting for a password for Review Board.

If you're continuing to hit problems on Windows, please let us know in our community support tracker so we can collect additional information on your setup.

Fixes for Empty Diff errors on Git

While RBTools 1.0 greatly improved how diffs were generated for Git repositories under many scenarios, it broke one important workflow.

Posting a branch for review after pushing that branch upstream no longer results in errors about empty diffs when a tracking branch is configured. Instead, the tracking branch is once again respected, allowing your topic branch to be posted for review in full.

See the release notes for the full list of changes.

Introducing RB Gateway 1.0 and Review Board 3.0.8

Today's release of Review Board 3.0.8 features a few small bug fixes:

  • Invisible search filters in the search results
  • Crashes in the API when working with automated code review
  • Deleting draft replies prematurely when deleting the reply to a review header
  • Compatibility problems using Subvertpy and HTTPS-backed repositories

(See the release notes for the full list of changes.)

The big announcement today, though, is a new companion to Review Board that we'd like to introduce you to.

Meet RB Gateway

RB Gateway is a microservice used by Review Board that's built to address shortcomings in Git and Mercurial's APIs. Git, in particular, is quite limited. It doesn't provide fine-grained access to the contents of repositories, meaning that tools like Review Board typically have to depend on specific hosting services (like GitHub Enterprise or GitLab) or hacks to work.

When using RB Gateway, Review Board can access your self-hosted repositories in new ways, enabling users to browse for commits, close review requests when a commit is pushed, and more cleanly manage repositories. It works just like other hosting services, but is simple to set up and configure on all major platforms.

This means no more GitWeb, cgit, or hgweb hacks! Just install RB Gateway, point it to your repositories, and tell Review Board about them. You're done.

RB Gateway can be installed on Linux, macOS, or Windows. Installation is easy, and we have instructions to help you get started.

For the best experience, we recommend Review Board 3.0.8 with RB Gateway. Older 2.5.x and 3.0.x releases support it, but are limited in functionality and only support Git.

RBTools 1.0 is here!

RBTools has been an important part of the life of Review Board users for many years. While it started off as a single tool for posting review requests, its feature set has evolved with time, turning into an extensible set of tools and APIs for talking to Review Board.

Today, we're finally pulling RBTools out of the 0.x era with the release of RBTools 1.0.

Compatible with Python 3

Both the RBTools commands and the Python API now support Python 2.7 and 3.5+.

(Please let us know if you hit any issues on Python 3, as this is still pretty new.)

Better Repository Detection and Git Support

RBTools now does a better job determining which repository it's working with, in case there's confusion. For example, a Mercurial repository nested in a Git-managed home directory will no longer cause problems.

Git repositories in particular are now easier to work with. When generating a diff, RBTools now looks for the nearest upstream parent commit or branch, instead of requiring that users or repositories configure a specific tracking branch.

Publish Automated Reviews

Writing your own automated review solutions for Review Board 3.0 or RBCommons just became easier through the new rbt status-update command. Your scripts can use it to file a pending status update on a review request (showing that checks are being performed) and then update it to say that all is well or to report issues that need to be fixed.

This is useful for in-house continuous integration setups where you're analyzing code for errors, style issues, documentation, or any other requirements you might have.

Easily Land Complex Dependent Changes

rbt land can now land multiple review requests tied together using the Depends On field.

This works with -r to take the ID of the review request you want to land. It will figure out which review requests must land before it and in which order. For example, if review request 3 depends on 2, which depends on 1, you can run:

$ rbt land --recursive -r 3

Instead of:

$ rbt land -r 1
$ rbt land -r 2
$ rbt land -r 3

This is a precursor to the new DVCS support coming soon in Review Board 4.0.

And That's Not All

  • rbt setup-completion was added to enable auto-completion of RBTools commands and arguments in Bash and ZSH shells.

  • rbt alias was added to help you list and test out your custom aliases.

  • rbt post --submit-as can now automate posting review request updates, and not just new review requests, on a user's behalf.

  • rbt post -m and rbt publish -m let you specify a custom description of your draft's changes when publishing (equivalent to filling out the "Describe your changes" box when publishing in the browser).

  • rbt post --trivial-publish and rbt publish --trivial let you publish trivial updates to a review request without sending out e-mails to everyone (when using Review Board 3.0 or RBCommons).

  • rbt status now lists the review state and local branch for each review request you have up for review.

  • Warnings and errors in command output are now specially highlighted to help them stand out.

  • Several fixes and improvements for Git and Subversion compatibility.

  • The API has been improved, supporting extra_data fields and easier pagination of resources.

And plenty of other fixes and improvements. See the release notes for the full list of changes in 1.0.

Download It Today!

RBTools is out today for Windows, Linux, and Mac. Head on over to the downloads page for installation instructions.

Review Board 3.0.7: Privacy Enhancements and Bug Fixes

Privacy has been a big topic in the tech world over the past few months, with the news surrounding Facebook and Cambridge Analytica, the deadline for the GDPR, and all those Privacy Policy e-mails we've all been getting/sending out. We've written about this recently.

Today's release of Review Board 3.0.7 is focused on enhancing privacy options and protection in Review Board, improving defaults and adding optional GDPR-compliant privacy settings for servers. There's also the usual assortment of bug fixes.

Better Private Profiles

7 years ago, we introduced Private Profiles in Review Board. When enabled by a user, their full name and e-mail address would be hidden in the API when accessed by other users. In this release, we've expanded the protections of Private Profiles:

  • Enabling Private Profiles now hides full names and e-mail addresses throughout the UI and API
  • Private Profile behavior is always on when viewed by anonymous users (keeping information from public servers off of search engines)

Users can enable Private Profiles through the My Account -> Profile page.

User Consent and Privacy Rights

Some features making use of personal information now require consent before that information can be used. This is managed in the My Account -> My Privacy Rights page, and decisions on consent can be changed at any point. If configured, users will also be prompted for acceptance of a Privacy Policy and Terms and Conditions on this same page.

By default, Review Board only requests consent for Gravatars, but extensions can register their own features requiring consent. We'll be providing guides on incorporating this soon.

Review Board administrators can enable this support for consent and for acceptance of Privacy Policies and Terms of Service through the new...

GDPR-Compliant Privacy Settings

These new privacy settings can be changed in Admin UI -> User Privacy Settings:

  • Terms of service URL and Privacy policy URL can be set to the server's respective URLs.

    When either of these is set, users will be prompted to view and approve the terms before they can use the server next, or when registering a new account.

  • Privacy information is a text field for providing privacy details specific to your server or organization.

    This will be shown to users in the My Account page or when prompted for terms or consent. It accepts HTML, letting you provide links to important information in your network.

  • Require consent for usage of personal information enables GDPR-compliant consent checks for features.

    This enables the new consent management seen above.

Bug Fixes Aplenty For

  • A handful of crashes when bad data is fed into the dashboard and internal diff viewer URLs (usually caused by search bots)
  • Some more crashes when avatars aren't available when configuring users in review groups
  • Regressions when configuring bug trackers
  • Communication problems with newer versions of Gerrit
  • Bad error messages when failing to find files on local Git repositories

See the release notes for the complete list of changes.

Power Pack 2.0.1: Fixes for trial license expiration

Today's release of Power Pack 2.0.1 is a small bug fix and maintenance release.

Licensing Fixes

The primary fix addresses various access issues with repositories hosted on Bitbucket Server and Visual Studio Team Services when transitioning license states (such as from a valid trial license to an expired one), which can cause future problems for users who need to use these repositories.

Python Compatibility

We've also dropped support for Python 2.6, allowing us to focus on bringing Python 3.x support to both Power Pack and Review Board in future releases. Python 2.6 hasn't been maintained in years, and support was recently dropped in Review Board 3.0. The last release to support Python 2.6 is Power Pack 2.0.

If you're still on Python 2.6, we can help you upgrade.

Update Today

Power Pack 2.0.1 is recommended for all Power Pack users, particularly those using Bitbucket Server and Visual Studio Team Services. Power Pack 2.0.1 supports Review Board 2.5 and up on Python 2.7.

To upgrade, or to install for the first time, see the installation instructions.

Learn more about Power Pack 2.0.

Review Board 3.0.6 is ready to install

Today's release of Review Board 3.0.6 fixes a handful of small issues throughout the product, from better source code management compatibility to more polished UI interactions.

Better E-Mails

  • Using rbt post --submit-as and then publishing the review request once again sends out e-mails on behalf of the owner of the review request instead of the logged-in user.
  • Links to comments in e-mails resolve correctly.

Compatibility Improvements

  • Fixed problems fetching some files using GitLab API version 4, depending on how the diff was uploaded.
  • Fixed timezone-related problems looking up or posting Bazaar changes and browsing Mercurial commits.

Fixes for UI Regressions

  • The Description/Testing Done text fields once again grow to fit when adding lines and shrink when removing them.
  • Revoking a Ship It now immediately crosses out the "Ship It" text on a review.

For the full list of changes, see the release notes.
