RhodeCode 4.7.0 Release: Git LFS Support, Jupyter Notebooks Rendering

The newest release of RhodeCode 4.7 is out. In this release, we focused on improving handling of large binary assets. Introduced Jupyter Notebook rendering and improved securit and performance. This release highlights are:

Git LFS API V2 Support.

Enabled downloading of Git LFS and Mercurial Largefiles objects directly via RhodeCode UI.

Jupyter Notebook rendering.

Mercurial 4.1 support for new compression algorithm called 'Zstandard' for even faster clones.

New workflow for PullRequest with manual merges.

RhodeCode AuthTokens can now be bound to single repositories for added security.

Take a few minutes to update your RhodeCode instance:

rccontrol self-update && rccontrol upgrade '*'

New to RhodeCode? Download the latest RhodeCode 4.7 Series from our website.

Keep reading for full release details.

We have been working on some exciting new functionality, please read on to learn about what's new in this release of RhodeCode.

Improved Large Binary files support

As Git open-source LFS extension hit version 2.0 adding some interesting new features (git lfs release 2.0). We quickly decided it would be a good fit for upcomming release. RhodeCode now supports the Git LFS v2.0 API and acts as an Git LFS server itself. This is of course powered by our per-repo settings, so users can control which repositories should use LFS.

In Addition to supporting Git LFS, we also looked at how RhodeCode users interact with Large Binary assets. Since this release you can RhodeCode detects the Git LFS, Mercurial Largefiles pointers and allows to fetch the corresponding assets directly via Web Interface. Oh and we also show their size too so you can check if you're about to download that 100GB file ;)

There are few other small improvements for binary files added including now proper rendering of images in file-preview.

Jupyter Notebook rendering

The Jupyter Notebook is an open-source web application that allows you to create and share documents that contain live code, equations, visualizations and explanatory text. We know a lot of our education users use them on a daily basis for their work. RhodeCode is the first OpenSource Source Code management platform that supports rendering of the notebooks (and second overall after Github). We're really excited to bring that feature to the OpenSource edition of our application. Of course you can store and view your notebooks in any type of repository, be it Mercurial, Git or Subversion.

Together with notebook rendering we also had to implement relative URL support for them. This also means that now inside Markup or RST rendered files relative URLs will be resolved and loaded. This allows building those markup files linking to other pages or static assets that are inside the RhodeCode repository. Writing simple wiki-like pages with documents and relative navigation is now possible.

Workflow changes

We introduced two new changes that should allow better integration into custom workflows for dev teams.

In Pull Requests we added an explicit close action instead of close with status from the status selector. This allows closing of approved or rejected pull requests, without performing a merge action.

In Repositories admin, we added new strip view allowing removing commits from repositories via the web interface for repository administrators. Before it was only possible with API.

Zstandard compression

With the release of 4.1 Mercurial introduces a new compression algorithm called 'Zstandard'. We recommend reading a great blog post by Gregory Shorc from Mozilla better compression with zstandard about all the benefits of this new compression algorithm.

In Short, end users will benefit from smaller clone sizes and much-reduced CPU usage. Zstandard is enabled by default in Mercurial 4.1 clients, so if you're using this or later version and interact with RhodeCode 4.7+ it will automatically use the new compression. For our customers who always seek the tiniest performance gains, this should be a noticeable increase.

Security

Security is very important here at RhodeCode. That's why we're happy to bring in few security improvements over the previous versions.

First, the biggest new security feature is repository scoped tokens (EE edition only). You can read about RhodeCode AuthTokens in our blog post here. Now again by customer request, we added further improvements for this feature.

In short, those tokens work as app-specific passwords, and now also their usage for VCS protocol (clone/push/checkout etc) can be narrowed to a single repository. This was users can generate a time-limited, single-repo tokens that could be used in external build farms, or CI/CD platforms with more confidence. Because the tokens are bound to the users, now with additional scope, even in a case of those leaking out, the user account is not compromised entirely. Additionally, we deprecated the built-in token for new users, this means there is an option to have users without any tokens available if required.

Since 4.7 release we started a big refactor of our audit-journals. We added now for each user an API endpoint together with a web-view to browse user actions made within RhodeCode system. In the next release, we'll add much more actions into this audit logs as requested by our customers.

Finally, we took a look at how password reset logic works and made few small improvements over it to make it more secure. Those include prevention from brute-force attacks, shorter reset token expiry and improved message to help prevent resource discovery type attacks.

Performance

In each release, we try to improve performance and UX for RhodeCode users. In this release besides the already mentioned 'Zstandard' compression enabled, we also rewrote the user admin page to be loaded in chunks, so now loading this view with e.g. 500 users should be as fast as loading it with 10 users, keeping the same filtering and ordering capabilities. When re-doing the User admin view we also changed how the last activity of users flag is stored by using a dedicated column to gain a small performance gain.

Other highlights of this release:

Features

Slack: updated slack integration to use the attachments for nicer formatting. Added number of commits inside the message and improved UI for all Slack messages.

API: implemented get_user_audit_logs method to fetch audit logs via API endpoint.

Annotation: added shortcut links to browse the annotation view with previous commits. Allows browsing history for each line from annotation view.

User administration: It’s now possible to edit user group membership from user view. (Thanks to awesome contribution from Bartlomiej Wolynczyk)

See the full list of changes in the release notes.

As usual, the update process is a simple one-liner type:

rccontrol self-update && rccontrol upgrade '*'

in the command line interface. Done!

Performantly yours,

The RhodeCode team.