Page MenuHomePhabricator

2018 Week 9 (Very Early March)
Updated 2,214 Days AgoPublic

Version 4 of 4: You are viewing the current published version of this document.

Summary of changes from February 24, 2018 to March 2, 2018.

CodebaseRepositoryHEADActivityPatched
PhabricatorrPrP42e5b8a0439 commitsrPb52783af
ArcanistrARCrARCbe1dd7e20 commits
libphutilrPHUrPHUdedf2601 commit
Instances (SAAS)rSAASrSAASa71d20f0 commits
Services (SAAS)rSERVICESrSERVICESedd96db0 commits
Core (SAAS)rCORErCOREc937d900 commits
  • These changes were promoted to stable.

General

[] Content-Security-Policy: We now emit a Content-Security-Policy header. See T4340 for discussion.

[] Harbormaster Build Logs: This release includes an prototype version of upgraded build logs. See T13088 for discussion. If you have a large volume of build logs, the migrations in this release may take a significant amount of time to apply.

Security

The Content-Security-Policy header (see above) is a significant general security hardening measure. (It does not defuse any specific known vulnerability today.)

Migrations

MigrationRiskDurationNotes
20180222.log.01.filephid.sql702 ms
20180223.log.01.bytelength.sql652 ms
20180223.log.02.chunkformat.sql749 ms
20180223.log.03.chunkdefault.sql482 ms
20180223.log.04.linemap.sql682 ms
20180223.log.05.linemapdefault.sql431 ms
20180228.log.01.offset.sql7,176 ms

"Duration" is the duration for this install, and may not be representative.

Upgrading / Compatibility

The Content-Security-Policy header may break custom code which does unusual things, particularly if you've written custom code which directly inlines external Javascript from third-party services (this might be external Javascript libraries like jQuery served from a public CDN).

Custom code which handles static resources (CSS and Javascript) using the standard Phabricator toolchain (Celerity) should largely be unaffected. Other applications either need to be converted to use Celerity or explicitly add CSP exceptions.

When browsers block scripts, images, CSS, frames, requests, etc., because of Content-Security-Policy, they show a helpful error message in the browser console. You can use this error to identify where your application violates the policy.

Minor

  • [] Herald now supports "Committer's projects" and "Author's projects" fields for "Commit" and "Commit Hook: Commit Content" rules.
  • Phriction documents should no longer send mail to the previous editor.
  • [] Default profile images now generate more quickly.
  • [] Fixed a bug where creating a project with a "Members of project" Edit Policy and simultaneously adding several members would generate a perplexing policy exception.

The [] icon indicates a change backed by support mana.

Last Author
epriestley
Last Edited
Mar 6 2018, 8:20 PM

Event Timeline

epriestley edited the content of this document. (Show Details)
epriestley edited the content of this document. (Show Details)