2017 Week 14 (Early April)
Summary of changes from April 2, 2017 to April 7, 2017.
Codebase | Repository | HEAD | Activity |
---|---|---|---|
Phabricator | rP | rP7707685733 | 28 commits |
Arcanist | rARC | rARCa59cfca5 | 3 commits |
libphutil | rPHU | rPHUc581e76 | 0 commits |
Instances (SAAS) | rSAAS | rSAASb9effb5 | 1 commit |
Services (SAAS) | rSERVICES | rSERVICES772620e | 0 commits |
Core (SAAS) | rCORE | rCORE3eebdfc | 0 commits |
- These changes were promoted to stable.
General
Files now support integrity hashes. This defuses some obscure attacks which could allow adversaries with a substantial level of access to replace safe file data on disk (trustworthy.exe) with unsafe data (evil.exe).
Additionally, we have removed internal use of SHA1 and started moving away from HMAC+SHA1. See T12515 for detailed discussion of these issues.
After upgrading, installs are encouraged to run this command to backfill integrity hashes for existing file data:
phabricator/ $ ./bin/files integrity --compute --all
This command can be run while Phabricator is online and serving requests.
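A minimal sketch of the mechanism described above, added here as an illustration and not Phabricator's own code: file bytes live on disk, the expected keyed hash lives in a separate index, and every read is checked against it. The use of HMAC-SHA256 is an assumption, and `FileStore`, `KEY`, `backfill` and the sample data are hypothetical names constructed for the example.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

KEY = b"constructed-demo-key"  # assumption: a real install loads this from a keystore

class IntegrityError(Exception):
    pass

def integrity_hash(data, key=KEY):
    # Keyed SHA-256 digest (HMAC) of the file content.
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class FileStore:
    # Blobs on disk; expected hashes in a separate index (a dict stands in for the database).
    def __init__(self, root):
        self.root, self.index = Path(root), {}

    def write(self, name, data, legacy=False):
        (self.root / name).write_bytes(data)
        # Legacy records predate integrity hashes and carry None.
        self.index[name] = None if legacy else integrity_hash(data)

    def backfill(self):
        # Hash every record that lacks one; whatever is on disk now becomes the baseline.
        todo = [n for n, h in self.index.items() if h is None]
        for name in todo:
            self.index[name] = integrity_hash((self.root / name).read_bytes())
        return todo

    def read(self, name):
        data, expected = (self.root / name).read_bytes(), self.index[name]
        if expected is not None and not hmac.compare_digest(expected, integrity_hash(data)):
            raise IntegrityError(name + ": on-disk data does not match the recorded hash")
        return data  # served unverified while no hash is recorded

def demo():
    # Constructed scenario: the bytes on disk are swapped after the hash is recorded.
    with tempfile.TemporaryDirectory() as root:
        store = FileStore(root)
        store.write("trustworthy.exe", b"safe bytes", legacy=True)
        filled = store.backfill()
        (store.root / "trustworthy.exe").write_bytes(b"unsafe bytes")  # swapped on disk
        try:
            store.read("trustworthy.exe")
        except IntegrityError:
            return filled, "rejected"
        return filled, "served"
```

Backfilling records whatever is on disk at that moment as the baseline, so it protects existing files only against replacement that happens after the hashes are computed.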
Security
- See note about Files integrity hashes above.
Migrations
Migration | Risk | Duration | Notes |
---|---|---|---|
20170406.hmac.01.keystore.sql | | 20 ms | |
"Duration" is the duration for this install, and may not be representative.
Upgrading / Compatibility
- No notes in this period.
Differential
- Fixed a bug where "sticky accept" wasn't sticky.
- Fixed a bug where "force accept" didn't need to be checked to apply.
- The differential.revision.search API method now supports a reviewers attachment.
Files
- Added a new file.search method to the Conduit API.
- arc upload now uses SHA256.
- arc download now uses file.search if available.
- Fixed several bugs with Range HTTP header handling.
- The file.uploadhash API method has been deprecated.
- Fixed some minor bugs with relative/absolute TTLs for temporary files.
Minor
- Fixed some typos, missing strings, and untranslatable strings.
- robots.txt now forbids /source/ in addition to /diffusion/.
- The PullLocal daemon now attempts to sleep long enough to hibernate.
- Last Author: epriestley
- Last Edited: Apr 7 2017, 8:40 PM