The Gitorious Blog

Gitorious is featured on the GitMinutes podcast

Marius Mathiesen — Wed, 17 Apr 2013 07:22:16 +0000

GitMinutes is a fairly new podcast about Git, with weekly episodes featuring interviews with people doing all kinds of things with Git. This podcast is a great way to keep track of what’s happening in the Git community.

I’m in this week’s episode, talking about Gitorious and Git infrastructure. I had a great time chatting with Thomas from GitMinutes, and you’ll find the current episode here.

An update about Gitorious v3.0

Marius Mathiesen — Tue, 02 Apr 2013 12:12:44 +0000

When we merged the Rails 3 branch into next back in January it was our intention that this would become Gitorious 3.0, with few user-visible features. Our plan was to ship 3.1 shortly after, including the new code browser we started working on last year.

The upgrade to rails 3 was done mainly to enable us to run the code browser asynchronously, and we have put a lot of effort into making it possible to run an asynchronous web server alongside the Gitorious Rails application. Despite these efforts we were never able to get the stability we need with this setup. To make matters worse, the speed benefits from running asynchronously haven’t been as big as we had hoped. Because of this we have decided to make some changes to our plans:

Gitorious 3 will include the new code browser

We felt that shipping a new major without any major user-facing changes doesn’t make any sense. Since the updated code browser is so close to being merged, we’ll wait with tagging the 3.0 version until the new code browser has been merged into the next branch. We feel it’s worth waiting for:

The code browser in Gitorious 3 will not be asynchronous

We will change the code browser so it no longer runs asynchronously; rather it will be a Rack application running inside Gitorious. The git repository access is still done using libgit2/rugged, which gives great speed and stability gains, and we will finally get proper syntax highlighting courtesy of Pygments.

We hope to tag Gitorious 3.0 before the end of April, and will deploy it to gitorious.org as soon as it’s been tagged. It will feature:

Rails 3.2
Partial new UI
Significantly improved repository browser (Dolt)
New syntax highlighting, along with support for vast numbers of new languages
Readme-rendering for repositories
A JSON/HTTP based API, more details soon!
Ruby 1.9 support

Shortly after 3.0 lands we will keep working on propagating the UI upgrade to other parts of the application.

Gitorious v2.4.12 is released (security update)

Thomas Kjeldahl Nilsson — Tue, 19 Mar 2013 12:15:32 +0000

Three new vulnerabilities have been fixed for Ruby on Rails, on which Gitorious is built. Read the original Ruby on Rails sec-list announcements for further details.

The steps for upgrading are, as usual (from within the root gitorious clone/source directory):

git fetch --tags

git merge v2.4.12

git submodule update --init

bundle install

We advise all users running their own Gitorious servers to upgrade immediately. Note that the Gitorious Community Edition installer has also been updated to install v2.4.12 now.

Gitorious v2.4.10 has been released

Marius Mathiesen — Mon, 04 Mar 2013 08:54:28 +0000

As a refreshing change from the security-related versions of Gitorious over the last weeks, we’re glad to announce that version 2.4.10 of Gitorious was just released. This release contains fixes several bugs in Gitorious, among these:

Fix broken pushes with sync messaging adapter
Fix layout for global system message
Fix mass-assignment related bugs
Include repositories in Project XML output
Fix broken User avatar upload
Finally fix the double merge request versions
Make bin/bundle work when bundle needs update(s)

Furthermore, you may place global git hooks on a location specified in gitorious.yml.

The steps for upgrading are, as usual:

git fetch origin
git merge v2.4.10
git submodule update
bundle install
touch tmp/restart.txt (assuming you’re using Passenger. For non-Passenger deployments, restart your application server like you normally do)

Happy upgrades!

Gitorious went down this morning

Marius Mathiesen — Tue, 26 Feb 2013 08:06:08 +0000

Our frontend web server went down at 6:24CET this morning, we will be updating this post as we bring the server back up. Here’s what we know right now:

At 6:24 CET a Kernel oops occured. The alarms at our hosting provider went off, and the server was booted.
Since the file system keeping the repositories hasn’t had a full consistency check since August 2012 a fsck was started
When fsck hadn’t completed at 8:00 CET, the server was routinely rebooted, and another fsck process was started at 8:04 CET
The last time we ran a full fsck on the file system, it took about 2.5 hours. Since then, however, we have installed dedicated storage for our servers, and this has higher IO capacity than the one we were running from in August last year.
10:06 CET: The server is back up. We will upgrade the kernel and do another reboot, hopefully the kernel issue we encountered earlier today has been resolved. Expect a few minutes downtime in a few minutes
10:13 CET: All systems are running again, with an updated kernel

Improved and updated the Gitorious CE Installer (v2.4.9)

Thomas Kjeldahl Nilsson — Fri, 15 Feb 2013 13:43:15 +0000

We’ve closed a number of recent security issues related to Ruby and Rails (which Gitorious depends on). The Community Edition Installer has lagged behind a bit but is, as of today, upgraded to install the latest version of Gitorious (v2.4.9). The update also includes our current recommended default settings plus some improvements to the installer itself.

Short story: following the steps outlined at http://getgitorious.com/installer on a fresh CentOS 6 server will ensure that you end up with the latest version of Gitorious installed.

Already running on an older version of Gitorious and need to upgrade? Follow the standard installation procedure outlined here.

Please let us know if you run into any issues with the installer: the Gitorious team can be reached at support@gitorious.org

Changelog for the installer:

Update to Gitorious v2.4.9 & improve installer

Brings the installer up to Gitorious v2.4.9, uses the current most
sensible default settings for that version, fixes recent Rails and
Ruby-related security issues and improves the installer itself.

Breakdown:

- Using resque instead of ActiveMq

- Using nginx+unicorn instead of apache+passenger

- Use latest version of Gitorious

- Includes fixes for recent Ruby/Rails security issues

- Using thinking sphinx instead of ultrasphinx

- Installer no longer nukes existing Ruby/Rubygems

- Installer logs puppet operations

- More robust puppet apply operation

- Truly random generated db/rails passwords

- Only create random db password on first run

- Remove unneeded git proxy, use git daemon directly

2.4.9 fixes regression in 2.4.8

Christian Johansen — Wed, 13 Feb 2013 14:00:27 +0000

I inadvertently broke creating new projects with yesterday’s 2.4.8 release. I have deployed a fix on gitorious.org, and just tagged 2.4.9. 2.4.9 also addresses a bug in Gitorious’ log graph visualization.

We made some sweeping changes yesterday, by changing attr_protected (which was the recent target of a Rails vulnerability) to attr_accessible – basically changing from black-listing to white-listing in what parameters can be posted to Gitorious and set on DB-backed models. It seems that one case was not covered by automatic tests, and was not discovered immediately.

Sorry for the inconvenience.

To upgrade your Gitorious, follow the regular procedure:

* git fetch origin
* git merge v2.4.9
* git submodule update
* bin/bundle install
* bin/rake assets:clear
* touch tmp/restart.txt (assuming you’re using Passenger. For non-Passenger deployments, restart your application server like you normally do)

Gitorious v2.4.8 is released

Christian Johansen — Tue, 12 Feb 2013 09:55:45 +0000

Three new vulnerabilities have been fixed for Ruby on Rails, on which Gitorious is built. Read the original announcements for further details. All users running their own Gitorious servers should upgrade immediately.

The steps for upgrading are, as usual:

git fetch origin
git merge v2.4.8
git submodule update
bundle install
touch tmp/restart.txt (assuming you’re using Passenger. For non-Passenger deployments, restart your application server like you normally do)

If you’re running on the next branch, that has been updated as well. Just pull from mainline, then restart your server, and you’re all set.

You will note that the advisory and the v2.4.8 tag were both signed with our PGP key, as part of the Security Policy described at our security page. By signing release tags and security advisories you can verify that these were in fact issued by the Gitorious team.

Gitorious v2.4.7 was just released

Marius Mathiesen — Wed, 06 Feb 2013 09:11:41 +0000

This morning we discovered a vulnerability in Gitorious which made us write this advisory on our mailing list and release version 2.4.7 of Gitorious. All users running their own Gitorious servers should upgrade immediately.

The steps for upgrading are, as usual:

git fetch origin
git merge v2.4.7
git submodule update
bundle install
touch tmp/restart.txt (assuming you’re using Passenger. For non-Passenger deployments, restart your application server like you normally do)

If you’re running on the next branch, that has been updated as well. Just pull from mainline, then restart your server, and you’re all set.

You will note that the advisory and the v2.4.7 tag were both signed with our PGP key, as part of the Security Policy described at our security page. By signing release tags and security advisories you can verify that these were in fact issued by the Gitorious team.

Gitorious 2.4.6 has been released

Christian Johansen — Tue, 29 Jan 2013 08:31:02 +0000

Gitorious 2.4.6 has just been released, and all Gitorious servers should be updated immediately. This release brings Gitorious up to Rails version 2.3.16, which solves a severe vulnerability in Ruby on Rails. There’s more information about this vulnerability on the Ruby on Rails security mailing list. This release also fixes the less severe CVE-0155 from two weeks ago.

To upgrade to this version, follow one of the three following alternative fixes

If you’re running from a release in the 2.4 branch of Gitorious:

To upgrade a server running one of the releases in the 2.4 series of Gitorious, follow these steps:

git fetch origin
git merge v2.4.6
bundle install
touch tmp/restart.txt (assuming you’re using Passenger. For non-Passenger deployments, restart your application server like you normally do)

If you’re running from the next branch of Gitorious (Rails 3)

Guess what, you’re off the hook. This vulnerability does not affect Rails 3.2, which Gitorious 3 is built on.

If you’re running neither of the versions above:

If your server is not running from a version that can be upgraded, you can secure your server by following these manual steps

create the file config/initializers/fix_cve_2013_0333.rb inside your Gitorious installation with this content:

ActiveSupport::JSON.backend = "JSONGem"

restart your application server