General
=======
- The daemons have been restructured to use less memory.
- Phabricator now supports email invites.
- Diffusion's default rules around sending mail and creating audits should
now better match intent when importing new repositories.
Upgrading / Compatibility
=========================
- If you've configured a layer on top of the daemons, it may make assumptions
which are no longer valid. Check that it still works properly. We recommend
using `phd` to manage the daemons.
- If you're running MySQL older than 5.5, upgrading will do some exta
adjustment work, which may take some time. You may need to use `--unsafe`
to complete these adjustments. Strongly consider upgrading to MySQL 5.5 or
newer.
- If you have custom translations, they will need to be updated. Translations
have been refactored to be more modular.
- We now issue a setup warning which walks administrators through configuring
an alternate file domain or CDN. This improves security and can improve
performance.
- The minimum version of Subversion was previously unspecified, but is now
1.5.
Security
========
- Added support for HSTS.
- We reacted to the GHOST vulnerability, but there was nothing actionable
in Phabricator itself.
- We received about 5 reports via
[[ https://hackerone.com/phabricator | HackerOne ]] in this period, but
none represented qualifying or actionable vulnerabilities.
Aphlict
=======
- Fixed an issue where listeners were not cleaned up properly.
- Added support for hosting multiple installs on one Aphlict server.
Arcanist
========
- Improved handling of untracked, unstaged, and uncommitted changes.
- Fixed an issue with `arc which --show-base` emitting too much output.
Daemons
=======
- Added `phd reload` to reload daemons in place. This is an advanced workflow.
- We now automatically start the `Trigger` daemon.
- Merged the `GarbageCollector` daemon into the `Trigger` daemon.
- Fixed a bug where we'd identify invalid daemons.
- The daemons now heartbeat over stdout instead of via SIGUSR1.
- Fixed a bug where SIGINT would incorrectly be sent to subproceses when
performing a graceful shutdown.
- Added support for autoscaling daemon pools.
- Increased the specificity of the "Daemons and Web Have Different Config"
warning.
Diffusion
=========
- Fixed an issue where the PullLocal daemon could retry failing repositories
much too quickly.
- Added `diffusion.ssh-host` for configurations where SSH VCS traffic is
load balanced through a different host.
- Improved visibility of credential-related errors in repository import.
- Fixed a race condition where a commit that "Reverts" another commit
could incorrectly wipe the "Herald" import step flag.
Legalpad
========
- Legalpad documents can now be flagged as required by all users (for example,
to implement a Terms of Service document).
- Legalpad documents can now have a "No One" signature type (for example,
for policy documents which do not require a signature).
OAuth Server
============
- Users must now be able to see an OAuth application to authenticate with it.
- Improved usability of authentication workflow.
- Added "trusted" application flag to improve usability when an OAuth
application is trusted.
Phortune
========
- Added autopay support to Phortune.
- Added email invoices to Phortune.
Minor / Bug Fixes
=================
- Fixed a handful of longstanding minor issues in policy code.
- Removed some redundant "(authored by X)" attributions.
- Made CDN requests instance-aware.
- Made S3 storage engine instance-aware.
- Added "Auto-Login" support for cases with only one usable provider.
- In Remarkup, inline images now properly render inline.
- Added support for `.woff2` font files.
- Added a Conduit method to retrieve public keys.
- The Home application can now be uninstalled. Don't do this.
- Disabled caching of remarkup previews, which was not useful and occasionally
consumed significant resources.
Developer / Internal
====================
- Stack traces now report library version information.
- Added methods for getting system memory information.