2017 Week 14 (Early April)
Updated 437 Days AgoPublic

Summary of changes from April 2, 2017 to April 7, 2017.

CodebaseRepositoryHEADActivity
PhabricatorrPrP770768573328 commits
ArcanistrARCrARCa59cfca53 commits
libphutilrPHUrPHUc581e760 commits
Instances (SAAS)rSAASrSAASb9effb51 commit
Services (SAAS)rSERVICESrSERVICES772620e0 commits
Core (SAAS)rCORErCORE3eebdfc0 commits
  • These changes were promoted to stable.

General

Files now support integrity hashes. This defuses some obscure attacks which could allow adversaries with a substantial level of access to replace safe file data on disk (trustworthy.exe) with unsafe data (evil.exe).

Additionally, we have removed internal use of SHA1 and started moving away from HMAC+SHA1. See T12515 for detailed discussion of these issues.

After upgrading, installs are encouraged to run this command to backfill integrity hashes for existing file data:

phabricator/ $ ./bin/files integrity --compute --all

This command can be run while Phabricator is online and serving requests.

Security

  • See note about Files integrity hashes above.

Migrations

MigrationRiskDurationNotes
20170406.hmac.01.keystore.sql20 ms

"Duration" is the duration for this install, and may not be representative.

Upgrading / Compatibility

  • No notes in this period.

Differential

  • Fixed a bug where "sticky accept" wasn't sticky.
  • Fixed a bug where "force accept" didn't need to be checked to apply.
  • The differential.revision.search API method now supports a reviewers attachment.

Files

  • Added a new file.search method to the Conduit API.
  • arc upload now uses SHA256.
  • arc download now uses file.search if avialable.
  • Fixed several bugs with Range HTTP header handling.
  • The file.uploadhash API method has been deprecated.
  • Fixed some minor bugs with relative/absolute TTLs for temporary files.

Minor

  • Fixed some typos, missing strings, and untranslatable strings.
  • robots.txt now forbids /source/ in addition to /diffusion/.
  • The PullLocal daemon now attempts to sleep long enough to hibernate.
Last Author
epriestley
Projects
None
Subscribers
None