Gitorious 2.4.6 has been released

Gitorious 2.4.6 has just been released, and all Gitorious servers should be updated immediately. This release brings Gitorious up to Rails version 2.3.16, which solves a severe vulnerability in Ruby on Rails. There’s more information about this vulnerability on the Ruby on Rails security mailing list. This release also fixes the less severe CVE-0155 from two weeks ago.

To upgrade to this version, follow one of the following three alternatives:

If you’re running from a release in the 2.4 branch of Gitorious:

To upgrade a server running one of the releases in the 2.4 series of Gitorious, follow these steps:

  • git fetch origin
  • git merge v2.4.6
  • bundle install
  • touch tmp/restart.txt (assuming you’re using Passenger. For non-Passenger deployments, restart your application server like you normally do)

If you’re running from the next branch of Gitorious (Rails 3):

Guess what, you’re off the hook. This vulnerability does not affect Rails 3.2, which Gitorious 3 is built on.

If you’re running neither of the versions above:

If your server is not running from a version that can be upgraded, you can secure your server by following these manual steps:

  • create the file config/initializers/fix_cve_2013_0333.rb inside your Gitorious installation with this content:
    ActiveSupport::JSON.backend = "JSONGem"
  • restart your application server

Gitorious 2.4.5 has been released

Gitorious 2.4.5 has just been released, and all Gitorious servers should be updated immediately. This release brings Gitorious up to Rails version 2.3.15, which solves a severe vulnerability in Ruby on Rails. There’s more information about this vulnerability on the Ruby on Rails security mailing list.

To upgrade to this version, follow one of the following three alternatives:

If you’re running from a release in the 2.4 branch of Gitorious:

To upgrade a server running one of the releases in the 2.4 series of Gitorious, follow these steps:

  • git fetch origin 
  • git merge v2.4.5
  • bundle install
  • touch tmp/restart.txt (assuming you’re using Passenger. For non-Passenger deployments, restart your application server like you normally do)

If you’re running from the next branch of Gitorious (Rails 3):

The next branch of Gitorious has also been upgraded. For servers running from the next branch you should:

  • git pull git://gitorious.org/gitorious/mainline.git next
  • bundle install
  • restart your application server

If you’re running neither of the versions above:

If your server is not running from a version that can be upgraded, you can secure your server by following these manual steps:

  • create the file config/initializers/fix_cve_2013_0156.rb inside your Gitorious installation with this content:
    ActionController::Base.param_parsers.delete(Mime::XML)
  • restart your application server
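
A post-upgrade check for the steps in the 2.4.6 and 2.4.5 announcements above, added here as an example (it is not Gitorious code): it reads the Rails version locked in Gemfile.lock and looks for the two workaround initializers. The function names, status symbols and the constructed sample tree are assumptions of this example.

```ruby
require "tmpdir"
require "fileutils"
# Fixed 2.3.x release and workaround per issue, from the two announcements above.
FIXES = {
  "CVE-2013-0333" => { :fixed_in => "2.3.16",
                       :file => "config/initializers/fix_cve_2013_0333.rb",
                       :line => 'ActiveSupport::JSON.backend = "JSONGem"' },
  "CVE-2013-0156" => { :fixed_in => "2.3.15",
                       :file => "config/initializers/fix_cve_2013_0156.rb",
                       :line => "ActionController::Base.param_parsers.delete(Mime::XML)" }
}

# Resolved rails version from Gemfile.lock; spec lines look like "    rails (2.3.14)".
def locked_rails_version(root)
  lock = File.join(root, "Gemfile.lock")
  return nil unless File.file?(lock)
  m = File.read(lock).match(/^ {4}rails \(([^)]+)\)$/)
  m && Gem::Version.new(m[1])
end

# True only if the initializer exists and holds the exact line, uncommented.
def workaround_present?(root, fix)
  path = File.join(root, fix[:file])
  File.file?(path) && File.readlines(path).any? { |l| l.strip == fix[:line] }
end

# Returns { cve => :patched | :workaround | :vulnerable | :not_2_3 | :unknown }.
def audit(root)
  version = locked_rails_version(root)
  FIXES.each_with_object({}) do |(cve, fix), report|
    report[cve] =
      if version.nil? then :unknown
      elsif version.segments[0, 2] != [2, 3] then :not_2_3
      elsif version >= Gem::Version.new(fix[:fixed_in]) then :patched
      elsif workaround_present?(root, fix) then :workaround
      else :vulnerable
      end
  end
end

# Constructed sample install (not a real Gitorious tree) for trying the check.
def sample_install(rails, initializers = {})
  root = Dir.mktmpdir("gitorious-audit")
  File.write(File.join(root, "Gemfile.lock"), "GEM\n  specs:\n    rails (#{rails})\n")
  FileUtils.mkdir_p(File.join(root, "config/initializers"))
  initializers.each { |file, body| File.write(File.join(root, file), body) }
  root
end
puts audit(ARGV[0] || sample_install("2.3.14")).inspect if __FILE__ == $0
```

Pass the path of a Gitorious checkout as the first argument. The result describes the files on disk only, so the application server still has to be restarted for either fix to take effect.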

Gitorious 3.0 lands in the next branch

After a few months of hard work, we just merged the Rails 3 feature branch into the next branch in the Gitorious mainline repository.

The major new feature in this branch is that Gitorious now uses Rails 3. This required quite a few changes to Gitorious, which was bound to introduce some non-backwards-compatible changes. We took the opportunity to deal with a few other long pending issues, and we’re really happy with the way this turned out.

The major changes you will have to deal with while upgrading are as follows:

  • Upgrade your gitorious.yml. Quite a few of the settings in this file have been renamed for consistency, and gitorious.yml now also supports “global” settings shared between the various Rails environments.
  • Stomp is no longer supported for messaging. A lot of users have been having trouble getting a Stomp server running reliably, and the scripts we used for consuming messages off the message queue would leak memory, causing all kinds of problems. gitorious.org has been running with the new setup (Resque/Redis) without any issues for a month now, and this is the only supported asynchronous message queue in Gitorious 3.0. To start using Resque simply install Redis, which is available in the repositories for all major distributions.
  • Replace the database driver defined in config/database.yml on your server with “mysql2”.
  • You should consider upgrading your Ruby version to 1.9.3, although Gitorious 3 will still work with Ruby 1.8.7. Upgrading to 1.9.3 will give significant speed improvements, and 1.8.7 will only be supported for a limited period of time. If your distribution has 1.9.3 in the repositories you should be able to install it from there.

There’s a recipe for upgrading to Gitorious 3 in the doc/ directory in the mainline repository, and a script in bin/upgrade-gitorious3-config to migrate your gitorious.yml file to the new format.

What happens next?

We just completed the first step in the migration, which is merging it into the next branch in the mainline repository. New features will be created on this branch, and only critical patches will be backported to the 2.x-stable branch.

We plan to start migrating gitorious.org to 3.0 next week and will release 3.0.0 within a week or two. Although we’re not aware of any open issues in the current next branch, we will respond quickly to any issues reported from users running this branch on their servers. We have been running this branch on our internal (aka. dogfood) server for a long time without any major issues.

By running from the next branch of Gitorious, upgrading to the final version will be a matter of pulling and merging the 3.0.0 tag once that’s released. You’ll be reaping the benefits of a faster, simpler Gitorious installation and quick response to any issues you’re having from the Gitorious team.

While helping us finalize Gitorious 3.0, you will probably find a place or two where the UI contains escaped HTML code; this is due to Rails 3 by default escaping HTML to prevent XSS situations. These issues are easy to fix, but can be hard to find without extensive use of the UI.

Gitorious 2.4.4 was just released

Since switching to the git-flow model for management of the branches in Gitorious mainline, new features don’t appear in master except in the form of new versions. This means that a few new versions have been released (and deployed to gitorious.org) which haven’t been announced here.

We just pushed version 2.4.4 of Gitorious, the fourth patch version in the 2.4 series. There are no new features in this version, just a few bug fixes.

As usual, the Upgrading page on the wiki has the instructions for how to upgrade your server.

How we deploy gitorious.org

We’ve just written an article on our documentation site describing the configuration of our new servers.  You will find details about how we do deployment, our web server setup and how we manage processes.

Have a look if you’re into that kind of thing, and post a comment here if there are other things you’d like the article to cover.

Gitorious 2.4.1 was just released

Thanks to Steffen Forkmann the first patch release after 2.4.0 came really quickly this time. There was a bug in the 2.4.0 code preventing push from functioning properly.

We just pushed 2.4.1 and updated the master and next branches with this fix. You should upgrade your server as soon as possible.

Gitorious 2.4.0 was just released

Update: Version 2.4.1 was just released; the upgrade instructions have been updated to use this version instead.

We just pushed version 2.4.0 of Gitorious. This will be the last minor release of Gitorious before version 3, which brings Rails 3 to Gitorious.

The highlights of this release are:

  • Rails has been unvendored from Gitorious, and updated to the latest release in the 2.x series of Rails
  • The Ultrasphinx plugin has been replaced by ThinkingSphinx

Since Ultrasphinx is no longer used by Gitorious, you will have to change any references to Ultrasphinx in init scripts or crontabs. ThinkingSphinx ships with a couple of rake tasks, one of which will shut down your search engine, rebuild the indexes and start the search engine afterwards. Gitorious ships with a wrapper binary for rake, which means you can execute rake tasks without changing directories/user etc:

/path/to/gitorious/bin/rake ts:rebuild

This command will execute the `ts:rebuild` rake task with the `production` RAILS_ENV, from the correct directory and changing to the Gitorious user (unless already done). The same goes for any other scripts in the bin directory, including `bundle` and `console` (load a Gitorious console).

As previously announced on the mailing list, the Gitorious project now uses the git-flow branching model, which means that the master branch should be considered stable, and that daily development happens on the next branch. This means that today’s new release caused the following:

  • A branch was started off the next branch and the 2.4.0 tag was created
  • This branch was merged into the next branch
  • This branch was merged into the master branch

To upgrade your Gitorious server to 2.4.0, follow the instructions on the wiki.

The 2.4.0 release also contains the following minor changes and bug fixes (from the release tag):

  • Allow configuring Memcache
  • Extract logic for custom initializer/yaml file pair
  • Allow configuring Resque with a remote Redis host/port
  • Change Gravatar URL generation, as reported in #137
  • Fix failing and irrelevant tests

Gitorious on Rails 3 – Take it for a spin

The Rails 3 upgrade is for the most part done, and we have “all systems go”. I’m back to working on Dolt (the upcoming repository browser for Gitorious) and the general UI upgrades. In the meantime, we need help testing the upgraded Gitorious and making sure everything really works.

If you’re interested in helping out, here’s how:

If you have set up Gitorious using the official installer, an upgrade script will be made available at a later point. If you have a commercial license from us, we will upgrade your install once the new version is stable.

If you contribute to Gitorious, or are interested in doing so, you’ll be happy to learn about the two new script/instruction sets for setting up Gitorious. Installation has traditionally been somewhat painful for Gitorious, due to the many moving parts. I’m happy to announce that installation is simpler with Gitorious 3, and we now provide official scripts to do so. Check out doc/setup-dev-env-ubuntu.sh and doc/setup-dev-env-centos.sh. I’ll get back to more on this in an upcoming post on the blog.

Server migration the coming Tuesday

The servers powering gitorious.org have been running for more than 3 years, and it’s time to move to new servers. The migration will start Tuesday November 27th at 10.00CET, and we expect to be done before noon. All gitorious.org services will be unavailable while we’re doing the migration.

We’re making some changes in how Gitorious runs on the new servers, most notably:

Apart from the potential speed improvements and stability provided by these changes in our underlying infrastructure gitorious.org will continue working like it does today after the upgrade. We will post reminders about the migration on our status site before we start, and post updates as the migration proceeds.

Updates:

  • 10:40 CET: We have exported the database from the old database server, which has been shut down. We’re currently importing the database to the new database server.
  • 10:50 CET: The time has come to say goodbye to the old gitorious.org frontend server
  • 11:14 CET: We’ve imported the database and are currently running health checks on the new servers
  • 12:35 CET: A little behind our schedule, we’re just about ready to open up
  • 12:39 CET: And we’re back up

Rails 3 progress

Quick update: Gitorious is now running Rails 3.2.8 and all tests are passing. There are still a few minor “TODO”s left to tackle, but we’ll be upgrading our internal dogfooding server on Monday. When it’s running smoothly, we’ll get back to the UI upgrade.

We’re a bit behind schedule as I forgot to account for being away at Øredev for two days (the results of which can be seen on vimeo.com).

Have a nice weekend!
