Summary of changes from March 11, 2017 to March 17, 2017.
| Codebase | Repository | {icon lock} | HEAD | Activity |
|----------|------------|--|------|----------|
| Phabricator | rP | | rP688c120f9f | 15 commits |
| Arcanist | rARC | | rARC3b6b523c | 0 commits |
| libphutil | rPHU | | rPHU13a200c | 0 commits |
| Instances (SAAS) | rSAAS | {icon lock} | rSAAS286f9e7 | 0 commits |
| Services (SAAS) | rSERVICES | {icon lock} | rSERVICES772620e | 0 commits |
| Core (SAAS) | rCORE | {icon lock} | rCOREc1d41b0 | 3 commits |
- These changes were promoted to `stable`.
General
=======
- See "Security", below, for an important security notice.
Security
========
IMPORTANT: This release contains an important security fix.
This release fixes an issue where "Show Raw File" in Differential could generate files with permissions that were too open. See T12408 for details and discussion.
Part of the fix involves a migration to destroy cached files with bad permissions. This migration may take a significant amount of time if you have a large number of revisions (approximately 4 minutes on this install, with 17,000 revisions).
This issue was reported to us [[ https://hackerone.com/reports/213942 | via HackerOne ]].
Migrations
==========
| Migration | Risk | Duration | Notes |
|-----------|------|----------|-------|
| 20170313.reviewers.01.sql | | 17 ms | |
| 20170316.rawfiles.01.php | {icon clock-o, color=red} | 204,010 ms | May be slow, see "Security". |
//"Duration" is the duration for this install, and may not be representative.//
Upgrading / Compatibility
=========================
- See note in "Security".
Minor
=====
- Fixed an issue where some Remarkup options were hidden on mobile.
- Added an "Install Dashboard" workflow.
- Administrators can now identify users who don't have MFA configured, to ease the process of enabling the `security.require-multi-factor-auth` option.
- `bin/config set --database ...` now resurrects deleted values.
- In commit messages, "Auditors: author" no longer stalls in the daemon queue.
- Made some performance improvements to Badges.
- The deep internals of fetching changes from an observed Git repository may work better, worse, or differently now, and may be faster or slower and use fewer or more resources.
- Shuffled around the bugs you'll encounter when sending SMTP mail to a thousand recipients.