OpenSSL Security Advisory

By on March 19, 2015

Bitbucket is not affected by the vulnerabilities announced by the OpenSSL project today. Two high severity security vulnerabilities CVE-2015-0291 and CVE-2015-0204 have been announced:

The CVE-2015-0291 vulnerability results in a potential denial of service attack against a server that requests a client’s certificate, which is not something that would happen in most circumstances as it is usually the client that requests the server’s certificate.

The CVE-2015-0204 vulnerability is a reclassification of the existing and well known FREAK vulnerability (CVE-2015-0204 & CVE-2015-1637), which allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data.

Both vulnerabilities described in the OpenSSL security advisory posted at https://www.openssl.org/news/secadv_20150319.txt do not affect Bitbucket.

Snippets for teams are here with a rich set of APIs

By on March 18, 2015

Teams that use Bitbucket often want to share important information that isn’t part of their project repository – favorite regexes, config files, code snippets, homebrew recipes (beers, and the package manager). And yes – image, audio, video, and a host of other MIME types. Currently, there is no way to share such information via Bitbucket.

Snippets for teams

Today, we’re thrilled to announce Snippets, available now in Bitbucket,  to create and manage multi-file snippets of all kinds. We took a different approach than standard pastebin or gist – we built Snippets around teams. Snippets can be shared with your team, private to you, or fully public; you control read and write privileges. If you create a snippet owned by your team, the snippet will stay with the team forever, even after you leave that team.

snippets-screenshot

Additional features

In Bitbucket, you’ll find a clean, easy interface to create, edit, version, and share Snippets. It’s media-friendly, supports drag-and-drop, and features syntax highlighting for over 90 programming languages.

Because Snippets are backed by Git or Mercurial repositories, power users can clone and edit them like any other distributed code repositories.

Rich set of APIs

You can use Snippets’ rich set of APIs to further extend functionality, and access the core set of features from desktop, mobile, and web apps. For example, this command line interface for creating, inspecting, and editing Bitbucket Snippets uses this python wrapper built on top of the Snippets API. For more info, please visit the Snippets API documentation: Snippets REST API

Snippets via command line

Most importantly, we have made it easy to create Snippets via the command line. Creating a snippet from your local file is just a single curl command:

$ curl -X POST https://api.bitbucket.org/2.0/snippets/{username or teamname} \
-u {username} -F file=@myawesomefile.txt

Got Snippets?

We hope you’re as excited as we are. We look forward to hearing from you in the comments below.

Coding in the cloud with Bitbucket

By on February 11, 2015

We are proud to announce the integration of several popular cloud IDEs into the Bitbucket experience. You are already managing, building, and deploying your code to the cloud; you can now code in the cloud as well. Your personally-configured cloud IDE and dev environments are now accessible to you on any machine anywhere, all connected to, and, most importantly, integrated with the familiar Bitbucket interface.

Today, we are launching integrations with Codio and Codeanywhere, since they meet Atlassian’s standards of quality and security. Integrations with other cloud IDE vendors will be available soon. You can now click on the repository view of Bitbucket to clone and edit files directly in Codio or Codeanywhere:

edit-in-codio-screenshot

Cloud IDEs have come a long way in the past few years. The IDEs we have chosen to integrate with Bitbucket are solid, full-fledged development environments with desktop-quality coding experiences: resizing, context-coloring, navigation, and responsiveness. We believe that many developers will appreciate the code editing features, as well as the more advanced features of some of our partner cloud IDEs – automatic configuration of code libraries and build server & deployment integrations.

find-new-addons-page-screenshot

Cloud IDE integration is a one-click process. Just select the IDE partner of your choice from your Bitbucket users settings and authenticate. Bitbucket’s repository view page will now contain an additional option in the ‘develop’ menu: Open in your cloud IDE (‘Open in Codio’, for example).

More about our launch partners

codio-logo-dark

Codio

Codio is the cloud-based IDE and publishing platform for teaching computer programming and computer science in schools, universities, and the vocational education sector worldwide.

Codio provides instant coding environments featuring rich code editing, a large portfolio of programming languages & other software components, dedicated virtual servers, advanced features for student administration, and a growing library of course content resources, all accessible anywhere through any browser.

“Codio has always focused on delighting users with instant access anywhere to a powerful web IDE, and with today’s integration we’re thrilled to extend that experience to Bitbucket.”

– Freddy May, CEO and founder, Codio.

codeanywhere_logo

Codeanywhere
Collaboration platform for developers. Codeanywhere’s powerful web IDE has all the features of a Desktop IDE but with additional features only a cloud application can give you.

“When Codeanywhere was just starting out, connecting to Bitbucket was one of the first feature requests our users had. Today I am ecstatic that Bitbucket will be integrating Codeanywhere, allowing their users to easily and seamlessly edit and write code, from anywhere.”

– Ivan Burazin, CEO, Codeanywhere.

Bitbucket: 2014 in review

By on February 5, 2015

Congrats to the New England Patriots for winning the Super Bowl. And what a heartbreaker for fans of the Seattle Seahawks! But it was a very close game and it could have gone either way. Both teams have a lot to celebrate. Just like any good football team reflects on their accomplishments at the end of the season, the Bitbucket team has a lot to celebrate, too. So we thought it would be fun to look back at what we achieved together in 2014. Thank you for making 2014 our best year yet and here’s to making 2015 even better.

2014-in-review-final

New year, new features

By on January 30, 2015

It’s been a busy quarter for us at Bitbucket. As you may have noticed, Bitbucket is faster than ever, and even more reliable for our human users, cloning agents, and even for our robot friends who reach on behalf of CI systems and other integrations.

We also have a bunch of new features that have launched recently. Here’s a recap:

Merged pull requests in compare view

It’s often useful to see the pull request history when comparing a branch to master, or between tags. In this way you could see all the features (and fixes) that have been pushed from, say ‘staging’ to ‘deployed’ versions of your application, shown as a list of pull requests.

A tab called ‘Merged Pull Requests’ now appears alongside the familiar ‘Diff’ and ‘Commits’ tabs on all Compare and Branch results to list any pull requests that have been merged into the source, and you can now examine each of these pull requests with a single click.

Merged PRs at a glance

Introducing ‘Omnibar’ 

Sometimes you just can’t be bothered with your mouse. For the power users of Bitbucket, we’ve created the Omnibar, a one-stop shop for finding the things you want and taking action on them without ever having to leave your keyboard. Your repositories, pull requests, and issues are just a few keystrokes away. Just hit the period key to reveal Omnibar.

Omnibar

Ignore whitespace in diffs via URL

Depending on language and coder style, sometimes you do care about whitespace in diffs. But sometimes whitespace differences just clutter up the diff. Bitbucket now gives you the option to ignore whitespace in diffs.

Whenever you’re on a Bitbucket page showing a diff, you can add “w=1″ to the query string in the URL to force the diff engine to ignore whitespace when comparing lines. On reload, differences in the files where a given line has only unmatched whitespace will not be shown.

with_whitespace-2

Custom tab size via URL

So, how wide should a tab be? It’s a matter of taste, and, if the discussions on our team are any example, of religious conviction. Now you can set all tabs in Bitbucket code displays to the width you believe is best by adding a “ts” query param to the URL and reloading the page.

For example, adding “ts=4″ to the query string of a URL will set the tab size to 4 spaces for all code on that page. The feature is currently supported in Chrome, Firefox, and Safari, but not Internet Explorer due to CSS limitations there.

default-tab-size

Emoji Auto-complete

Sometimes, code comments, wiki pages, and readmes are just crying out for emoji. But who can remember ‘Face With Stuck-Out Tongue And Tightly-Closed Eyes?’ (表情(いー))

The many (many) emoji Unicode has to offer can now be entered in Bitbucket by ‘type-ahead’ when you type a ‘:’ followed by any part of the emoji description string (followed by a brief pause then pausing a bit). For example: typing ‘:ast’ will autosuggest a number of matching emoji including ‘:astonished:’ with the astonished face emoticon shown for your selection, ‘train’ will return all sorts of train emoticons.

emoji-autocomplete

Improved emoji

And, now, your emoji on Bitbucket are in high-res.

Bitbucket now supports the so-called ‘twemoji’ set used by Twitter and others, which cover the entire Unicode space with emoji in scalable, resolution-independent vectors. Previously, we were using a stagnant set of .png file emoji that simply scaled to twice their source size on high-dpi (including ‘retina’) screens, and didn’t map perfectly with modern Unicode characters. We render our new emoji set as native DOM images, and they look great in all modern browsers, including IE9.

Improved emoji

Bedrock Analytics speeds up with Bitbucket

By on January 12, 2015

[Editor’s Note: This is the first of a series of guest blog posts around Bitbucket. This post is written by Will Salcido, CEO & Co-Founder of Bedrock Analytics Corporation. If you are interested in writing a guest post about your usage of Bitbucket, or best practices & tips, please contact us at guestposts@bitbucket.org, and we will reach out to you.]

image01

Will Salcido is the CEO & Co-Founder of Bedrock Analytics Corporation. Will spent over a decade in the field of analytics across several leadership roles at Nestle, Novartis, Ghirardelli & Lindt. He developed analytical software for Ghirardelli that led him to solo-deploy the solution across 11 European countries in 2011. Bedrock Analytics is a data visualization and analytics software company based out of Oakland, CA.

The idea for what would become Bedrock Analytics came to me while I was working in Stockholm, Sweden. After nine international deployments of the analytical solution I had built for Ghirardelli & Lindt, I discovered that nearly all consumer product companies had similar issues working with data. Bedrock’s data visualization software enables consumer product companies to extract actionable insights from retail data. The software fills a skills gap for small to midsized companies and makes larger enterprises more efficient by automating the discovery of insights. Our customer base of consumer product companies spans throughout North America, Central America, and Europe.

image02

In the very beginning, we had a single person with access to the source code. It wasn’t until we started hiring additional engineering staff that we began exploring the different hosted repository providers. We tested a few options and after careful deliberation, we ended up choosing Bitbucket.

We chose Bitbucket since it allowed us to collaborate within our development team using the built-in wiki and the “pull request’ workflow, and had the ability to scale along with our company. We recently hired engineering talent in Eastern Europe and Bitbucket allowed us to manage our development projects in an efficient manner. Bitbucket has made it possible to segregate our code in ways that enabled different specialized teams to work in parallel on different portions of our source code while keeping everything organized in a single platform. Most importantly, we are also looking forward to integrating Bitbucket with other Atlassian and non-Atlassian products as we continue to grow.

Our engineers like the fact that Bitbucket offers unlimited private repositories to store smaller ongoing projects. Having the ability to track changes made in each repository has saved the team countless hours. We are in the middle of scaling our processes and Bitbucket has become a critical part of how we are gaining efficiencies within our development team.

Like any fast-growing startup, our company’s greatest advantage is our speed. Bedrock Analytics speeds up with Bitbucket.

signup-free

Update on Git and Mercurial vulnerability

By on December 18, 2014

The maintainers of the Git and Mercurial open source projects have identified a vulnerability in the Git and Mercurial clients for Macintosh and Windows operating systems that could allow critical files to be overwritten with unwanted files, including executables.

Because this is a client-side vulnerability, Bitbucket itself is not affected; however, we recommend you update your Git client with one of the published Git maintenance releases (1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1) or Mercurial client with the latest release.

If you are also using SourceTree please follow these instructions to update your Git client:

Bitbucket: building high-quality software with speed and scale

By on December 1, 2014

Bitbucket helps teams build better software through collaboration. Our customers want tools they can trust and software that won’t break under stress or load. Robustness, reliability, and security are very important attributes of our software. But, like any other software, sometimes things may go wrong. Anticipating those situations and building good diagnostics and recovery features in the product is crucial.

Quality at Bitbucket

Our Bitbucket team doesn’t include an army of dedicated testers who would spend weeks before the release to find bugs. That’s inefficient and creates a sub-optimal split of responsibilities that leads to poor quality. Instead, we take a very different approach. Every developer on the team is responsible for the quality of the software. But not every developer is good at testing. That’s why we have a very small team of QA engineers whose primary goal is to enable every developer to do a better job with quality. It is usually achieved through the following tasks:

That’s why QA in our team stands for “quality assistance” and not “quality assurance”.

The challenges of scale

But it’s not that simple, especially if you’re building high-quality products at ever-increasing speed and scale with a small QA team. As Adrian Cockroft once said “scale breaks hardware, speed breaks software and speed at scale breaks everything!”. There are tons of problems to solve. Most importantly, there is a dire need for innovative approaches and tools.

Good engineering practices

In order to achieve our goals of building quality at scale we use some of the following tactics, which we are happy to share with the Bitbucket community:

This is just the tip of the iceberg. If you’re interested to learn more about how we do QA at Atlassian and if you’re in Austin, TX on 9th of December – join us for meetup and drinks. We’re also hiring, so check out this page if you’re interested.

Post written by Kostya Marchenko, QA Team Lead for Developer Tools at Atlassian

POODLE and the end of SSL 3.0 on Bitbucket

By on October 15, 2014

As mentioned on Atlassian’s main blog, we’ve decided to end SSL 3.0 support on bitbucket.org in the wake of the newly-published POODLE exploit. Once all the facts were in, the choice was easy, and we acted quickly to address the issue. As our customer, though, you should know why we did what we did.

In the POODLE exploit, a well-placed attacker can trick each end of an SSL transaction into downgrading to an older, insecure, cipher. Once the connection is established, the attacker can become man-in-the-middle and compromise the data going back and forth between server and client.

The exploit relies on both ends’ willingness to communicate over SSL 3.0. If just one end of the transaction is unwilling to cooperate, then the attack fails altogether. Some older browsers or Git/Mercurial clients may not be able to use the newer TLS standard, though – so why did we choose to disable SSL 3.0 outright?

  1. It’s the recommended solution to the problem. Möller’s paper describing the exploit goes into further detail here, especially regarding flaws in CBC block cipher padding, but the gist is that SSL 3.0 can no longer be trusted as an encryption mechanism; it’s fundamentally flawed, and it will not be fixed. The optimal solution is to disable SSL 3.0 on our end and force everyone to use some flavor of TLS instead.
  2. It has minimal impact on our users. All of the browsers we support can handle the newer TLS encryption standard, as can most of the Git and Mercurial clients that communicate with our servers over HTTPS, and the change has no effect whatsoever on SSH connections.
  3. It protects all of our users – even the ones whose stuff breaks because of it. We want to ensure that all of our users’ HTTPS sessions are unaffected by POODLE, so we’ve done the most effective thing to protect Bitbucket traffic from that particular attack (and a few others). We can’t protect our users from other sites, though, so if this change breaks your browser or client then (unfortunately) you need to upgrade ASAP.

The safety and security of your data are our #1 priority, so this change is effective immediately. If you need further assistance, then please contact us at support.atlassian.com.

P.S. If you’d like more background on SSL, Wikipedia has an excellent article.

Bitbucket notifications to HipChat just got even better

By on October 7, 2014

HipChat notifications from Bitbucket are a great way to keep your team up to date on changes to their code repositories – no matter where they are. For example, your team can receive notifications in the HipChat room you use to collaborate whenever a commit is pushed to the repo. But of course, there’s a lot more happening on your repositories than just new commits. Issues and pull requests are a big part of your development workflow, so with our new HipChat add-on for Bitbucket, we’ve made it dead-simple to send notifications about those too.

Bitbucket’s new HipChat add-on includes the following notifications:

Bitbucket notifications in HipChat

Our new add-on is also easy to install and configure. Just look for ‘HipChat integration’ in the menu when managing your team or personal account. Once the add-on is installed, any administrator of a repository can configure notifications. Notifications can be added or configured when managing an account or managing a repository. When you manage your account, you will be able to view and manage notifications across all repositories owned by the account. When you manage a repository you will be able to view and manage notifications for that repository.

HipChat integration setup screen

If you’re new to HipChat, be sure to check it out. HipChat is a hosted private chat service for your team. Share ideas and files in persistent group chat rooms, create a new room on the fly, video chat when you need to, share files seamlessly, and more.

HipChat and Bitbucket - Free for 5 users