
2018 Week 45 (Early November)

Summary of changes from November 3, 2018 to November 12, 2018.

Codebase          Repository  HEAD              Activity
Phabricator       rP          rP315d857a8       16 commits
Arcanist          rARC        rARC3534d2ba      1 commit
libphutil         rPHU        rPHU335a9f8       1 commit
Instances (SAAS)  rSAAS       rSAAS9528817      0 commits
Services (SAAS)   rSERVICES   rSERVICES019a12a  0 commits
Core (SAAS)       rCORE       rCOREb6e9b09      1 commit
  • These changes were promoted to stable.

General

The name of the project has officially changed from "Phabricator" to "Hey, Jeff, got a sec?". We'll update strings and documentation over time, but you can begin using the new name immediately.

Security

  • Fixed an issue where you could vote for one or more invalid options in Slowvote and see poll responses for a "Require Votes to See Responses" poll without your vote actually being visible to other users. This is not exactly a security issue but was somewhat security-shaped. This issue was reported to us via HackerOne, see https://hackerone.com/reports/434116 for discussion.
  • We previously generated 80-bit TOTP secrets. Although the math suggests these are likely "secure enough" against any possible attacker today, they're shorter than recommended. We now generate 160-bit TOTP secrets. For now, we aren't forcing an upgrade since this would be disruptive and no practical attack against 80-bit secrets exists, but you can cycle your token if you want a longer secret. Upcoming changes may expand on this somewhat. This issue was reported to us via HackerOne, see https://hackerone.com/reports/435648 for discussion.
  • We no longer allow users to select exceptionally poor passwords based on their username or the install's domain name. This is more about getting security researchers to stop reporting this than because we have any evidence real users actually do this or it meaningfully impacts security. See D19776. On this install, a significant fraction of users with their username as their password are themselves security researchers.

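The username/domain rule in the last Security bullet is a small, self-contained check, so here is an added Python example of one way to implement it (not the D19776 change itself, whose exact rules are not reproduced on this page). The policy details are assumptions for this example: the password is compared case-insensitively against the username, the install's host name, and each DNS label of that host name, forwards and reversed; fragments shorter than four characters (such as a "com" TLD) are ignored so they do not disqualify unrelated passwords; and an eight-character minimum stands in for whatever other rules an install enforces. The sample usernames and the "secure.example.com" domain are constructed.

```python
from typing import List, Set

# Policy knobs for this example; both values are assumptions, not Phabricator's settings.
MIN_TERM_LENGTH = 4       # ignore fragments too short to be meaningful (e.g. "com")
MIN_PASSWORD_LENGTH = 8   # stand-in for the install's other password rules


def related_terms(username: str, install_domain: str) -> Set[str]:
    """Strings a password must not be derived from: the username, the install's host name
    (port stripped), and each DNS label of that host name."""
    host = install_domain.lower().split(":")[0]
    terms = {username.lower(), host, *host.split(".")}
    return {t for t in terms if len(t) >= MIN_TERM_LENGTH}


def password_related_terms(password: str, username: str, install_domain: str) -> List[str]:
    """Return, sorted, every related term that occurs in the password forwards or reversed, ignoring case."""
    pw = password.lower()
    return sorted(t for t in related_terms(username, install_domain) if t in pw or t[::-1] in pw)


def is_acceptable_password(password: str, username: str, install_domain: str) -> bool:
    """Reject passwords that are too short or that are built from the username or the install's domain."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    return not password_related_terms(password, username, install_domain)


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("alice", "Alice2018!", "secure123", "eruces99", "tarragon-wombat-7"):
        verdict = "ok" if is_acceptable_password(candidate, "alice", "secure.example.com") else "rejected"
        hits = password_related_terms(candidate, "alice", "secure.example.com")
        print(f"{candidate!r}: {verdict} {hits if hits else ''}")
```

Returning the offending terms separately from the boolean verdict lets the UI tell the user why a password was refused ("contains your username") rather than just that it was, which is the difference between a rule users work with and one they work around.
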
Migrations

Migration                  Risk  Duration  Notes
20181106.repo.01.sync.sql        13 ms
20181106.repo.02.hook.sql        811 ms

"Duration" is the duration for this install, and may not be representative.

Upgrading / Compatibility

  • [] The behavior of bin/repository thaw when bindings are disabled has changed slightly, and there is updated guidance around how to react to loss of every device in a repository cluster (previously, guidance focused on a loss of only a strict subset of devices). See D19793 for some details. If you reference this material in a runbook, you may want to review the updates.
  • Some qsprintf/queryfx() semantics will change in a future version of Phabricator. If you run custom extensions, you may want to begin evaluating these changes. See T13217 for details.

Minor

  • [] Improved the performance of {meme ...} with no text.
  • [] The commit hook rejection ASCII art has been updated.
  • [] Push logs now include a hookWait, which records how long commit hooks ran for.
  • [] A new "Sync Log" records intracluster synchronization events for clustered repositories.

The [] icon indicates a change backed by support mana.

Last Author
epriestley
Last Edited
Nov 12 2018, 7:11 PM