Summary of changes from March 16, 2018 to March 23, 2018.
| Codebase | Repository | {icon lock} | HEAD | Activity |
|----------|------------|--|------|----------|
| Phabricator | rP | | rPbba1b185f | 20 commits |
| Arcanist | rARC | | rARCdcd7ef66 | 0 commits |
| libphutil | rPHU | | rPHU1ad4249 | 0 commits |
| Instances (SAAS) | rSAAS | {icon lock} | rSAASd983b95 | 0 commits |
| Services (SAAS) | rSERVICES | {icon lock} | rSERVICES6b3fb8d | 0 commits |
| Core (SAAS) | rCORE | {icon lock} | rCORE5c1b3be | 0 commits |
- These changes were promoted to `stable`.
General
=======
[{icon tint, color=sky}] **Rich Document Rendering**: See T13105. This release adds preliminary support for richer rendering of more document types.
Previously, viewing images, audio, or video in Files would render the document inline.
Support has been expanded to include text files, remarkup, hexdumps, and JSON. PDFs also render somewhat more usefully.
A primitive rendering engine for Jupyter notebooks is also now available. It's probably better than reading the raw JSON, but maybe not by much.
Security
========
The PDF mime type `application/pdf` is now included in `files.viewable-mime-types` by default, which allows it to be served without `Content-Disposition: attachment`. If you are particularly paranoid about this, you can remove it to force PDFs to download.
When PDF content is served without `Content-Disposition: attachment`, the response includes a weaker `object-src` Content-Security-Policy to allow Chrome to render PDFs in the browser.
These changes should generally be safe, but do increase the amount of attack surface area Phabricator exposes on user content.
Migrations
==========
| Migration | Risk | Duration | Notes |
|-----------|------|----------|-------|
| 20180322.lock.01.identifier.sql | | 625 ms |
| 20180322.lock.02.wait.sql | | 2,252 ms |
//"Duration" is the duration for this install, and may not be representative.//
Upgrading / Compatibility
=========================
- //No notes in this period.//
Minor
=====
- Fixed an issue with result ordering in the "Edit Related Objects" dialogs when you have not entered a search query.
- [{icon tint, color=sky}] Fixed an issue where DarkConsole had an inline Javascript action in violation of the Content-Security-Policy.
- [{icon tint, color=sky}] When you resign from a revision and are not directly subscribed, you are now correctly excluded from the recipient list for notifications, not just for email.
- [{icon tint, color=sky}] It is now significantly harder to double-submit many forms, even if you are a quick-clicking champion.
- [{icon tint, color=sky}] Clustered repositories now provide more detailed feedback about locks and log more information about lock waits to the push log.
//The [{icon tint, color=sky}] icon indicates a change backed by support mana.//