Summary of changes from August 29, 2015 to September 5, 2015.
| Codebase | Repository | HEAD | Activity |
|-----|-----|-----|-----|
| Phabricator | rP | rP76665f7 | 35 commits |
| Arcanist | rARC | rARC9896908 | 8 commits |
| libphutil | rPHU | rPHUe838909 | 6 commits |
These changes were promoted to `stable`.
General
=======
- No major changes in this period.
Upgrading/Compatibility
=======================
- An earlier migration (in Week 32) incorrectly swapped "Add Reviewers" and "Add Blocking Reviewers" rules. This period includes a migration which attempts to restore these rules to their original values, but you may want to double-check things. See T9347 for discussion.
- The `auth.login-message` configuration option has been removed. There is an equivalent handler available as a replacement, see T9346 for discussion.
- Support for "Postponed" lint and unit tests was previously removed (in Week 33). In this period, additional support is removed, and these mechanisms will now fail more actively. See T9134 for discussion.
- There is an upcoming mandatory migration from old Differential hunk storage to new Differential hunk storage. Installs with a large amount of data and a long history can avoid maintenance downtime by running this migration manually in advance of when it becomes mandatory. Follow T8623 for discussion.
Security
========
- Fixed an issue where improper hash comparisons could reduce the effective entropy of some security tokens. Although we believe no practical attack existed against this vulnerability (an attacker could only take advantage of the weakness during specific, rare, unpredictable windows that could occur decades or centuries apart), it was a material implementation error in core authentication code. This issue was reported to us via HackerOne and we awarded a $450 bounty for it.
Audit
=====
- The Audit query UI is now slightly cleaner and has a few more options.
- Added a `packages(...)` typehaead function.
Arcanist
=======
- Added a `--temporary` flag to `arc upload`.
- `arc` no longer prints `49` to the console unprompted.
Ponder
======
- "Duplicate" status is now "Invalid".
- Added answer summaries.
- Improved logged out behavior for public installs.
Owners
======
- Fixed an issue where the repository for a path might not be fully respected.
- Typeahead tokens should no longer link to `/null` in any browser.
- Improved documentation somewhat.
Developer / Internal
====================
- Aphront controllers may now return response producers instead of responses. The respond production/handling pipeline has generally been made more generic and modular.
- Uncaught exception handlingi in Aphront is now modular.
- `AphrontUsageException` has been replaced with `AphrontMalformedRequestException`, which is a more tailored exception. Use of this exception in controllers is likely incorrect (use modular exception handlers to intercept the exception instead).
- Policy exceptions now carry more information to top level. This allows exception handlers to intercept exceptions in a more targeted way.
Minor
=====
- Unpublished inlines can no longer be hidden.
- Fixed an issue where an unclonable repository could fail too abruptly and prevent administrators from editing it to fix it.
- Added an explicit "Subscribers" field to Phriction.
- Clarity has been increased in the config edit UI.
- Phortune invoices now have a "Printable Version" action.
- Fixed a visual permission state on the "Create Task" action on workboards.
- Fixed a visual permission state on the "Edit Column" action on workboards.
- Fixed an error message in libphutil which could end in two periods. It now ends with only one period..