POODLE and the end of SSL 3.0 on Bitbucket

By on October 15, 2014

As mentioned on Atlassian’s main blog, we’ve decided to end SSL 3.0 support on bitbucket.org in the wake of the newly-published POODLE exploit. Once all the facts were in, the choice was easy, and we acted quickly to address the issue. As our customer, though, you should know why we did what we did.

In the POODLE exploit, a well-placed attacker can trick each end of an SSL transaction into downgrading to an older, insecure cipher. Once the connection is established, the attacker can become a man-in-the-middle and compromise the data going back and forth between server and client.

The exploit relies on both ends’ willingness to communicate over SSL 3.0. If just one end of the transaction is unwilling to cooperate, then the attack fails altogether. Some older browsers or Git/Mercurial clients may not be able to use the newer TLS standard, though – so why did we choose to disable SSL 3.0 outright?

  1. It’s the recommended solution to the problem. Möller’s paper describing the exploit goes into further detail here, especially regarding flaws in CBC block cipher padding, but the gist is that SSL 3.0 can no longer be trusted as an encryption mechanism; it’s fundamentally flawed, and it will not be fixed. The optimal solution is to disable SSL 3.0 on our end and force everyone to use some flavor of TLS instead.
  2. It has minimal impact on our users. All of the browsers we support can handle the newer TLS encryption standard, as can most of the Git and Mercurial clients that communicate with our servers over HTTPS, and the change has no effect whatsoever on SSH connections.
  3. It protects all of our users – even the ones whose stuff breaks because of it. We want to ensure that all of our users’ HTTPS sessions are unaffected by POODLE, so we’ve done the most effective thing to protect Bitbucket traffic from that particular attack (and a few others). We can’t protect our users from other sites, though, so if this change breaks your browser or client then (unfortunately) you need to upgrade ASAP.
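
A server-side check that follows from the point above, as an added example (not Atlassian's code): it parses the first record a server sends in reply to a ClientHello and reports whether the server agreed to SSL 3.0 or refused the handshake. The function names and the sample byte strings are constructed for illustration.

```python
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
# A few registered cipher suite IDs; True marks CBC-mode suites, False marks RC4.
SUITE_IS_CBC = {0x000A: True, 0x002F: True, 0x0035: True, 0x0004: False, 0x0005: False}

def audit_server_reply(record: bytes) -> dict:
    """Classify the first record a server returns after a ClientHello."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _rec_version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    if ctype == 21 and length >= 2:      # alert record: handshake refused
        return {"status": "refused", "alert": body[1]}
    if ctype != 22 or length < 4 or body[0] != 2:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 35:                  # version(2) + random(32) + sid_len(1)
        raise ValueError("truncated ServerHello")
    version = int.from_bytes(hello[:2], "big")
    off = 35 + hello[34]                 # skip the session id
    if len(hello) < off + 2:
        raise ValueError("truncated ServerHello")
    suite = int.from_bytes(hello[off:off + 2], "big")
    return {
        "status": "accepted",
        "version": VERSIONS.get(version, hex(version)),
        "ssl3": version == 0x0300,       # server still speaks SSL 3.0
        "cbc": SUITE_IS_CBC.get(suite),  # None when the suite is not in the table
    }

def sample_server_hello(version: int, suite: int) -> bytes:
    """Constructed sample: minimal ServerHello with an empty session id."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!HB", suite, 0)
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, version, len(handshake)) + handshake

# Constructed sample: fatal alert (level 2), handshake_failure (40).
SAMPLE_REFUSAL = struct.pack("!BHHBB", 21, 0x0300, 2, 2, 40)

if __name__ == "__main__":
    for reply in (sample_server_hello(0x0300, 0x002F),
                  sample_server_hello(0x0303, 0x002F), SAMPLE_REFUSAL):
        print(audit_server_reply(reply))
```

A reply with `ssl3` set to true means the endpoint is still willing to negotiate SSL 3.0; a refusal or a TLS version is the result expected once SSL 3.0 is disabled.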

The safety and security of your data are our #1 priority, so this change is effective immediately. If you need further assistance, then please contact us at support.atlassian.com.

P.S. If you’d like more background on SSL, Wikipedia has an excellent article.

Bitbucket notifications to HipChat just got even better

By on October 7, 2014

HipChat notifications from Bitbucket are a great way to keep your team up to date on changes to their code repositories – no matter where they are. For example, your team can receive notifications in the HipChat room you use to collaborate whenever a commit is pushed to the repo. But of course, there’s a lot more happening on your repositories than just new commits. Issues and pull requests are a big part of your development workflow, so with our new HipChat add-on for Bitbucket, we’ve made it dead-simple to send notifications about those too.

Bitbucket’s new HipChat add-on includes the following notifications:

Our new add-on is also easy to install and configure. Just look for ‘HipChat integration’ in the menu when managing your team or personal account. Once the add-on is installed, any administrator of a repository can configure notifications. Notifications can be added or configured when managing an account or managing a repository. When you manage your account, you will be able to view and manage notifications across all repositories owned by the account. When you manage a repository you will be able to view and manage notifications for that repository.

If you’re new to HipChat, be sure to check it out. HipChat is a hosted private chat service for your team. Share ideas and files in persistent group chat rooms, create a new room on the fly, video chat when you need to, share files seamlessly, and more.

Google Cloud Push-to-Deploy comes to Bitbucket

By on September 18, 2014

If you frequently deliver apps to the cloud, you know every extra step to package and deploy your code introduces risk and can add hours to the process.  Now, with Push-to-deploy support for Bitbucket, deploying changes to your application in App Engine is easy, safe and fast.

You can automatically trigger a deployment of your Java, Python or PHP app to App Engine by pushing code to your Bitbucket repo’s master branch or by merging an approved pull request.   Simply connect your App Engine project to your Bitbucket Git repo.

Visit the Google Cloud Platform blog for the detailed instructions to connect your App Engine projects to your Bitbucket repos.

Introducing Pull Request Tasks

By on September 16, 2014

Pull requests in Bitbucket are a great way to share proposed code changes for review and get feedback from your team.  Of course, this typically leads to discussions and feedback in comments, which might result in further changes to the code. While great for improving code quality, feedback via comments can get lost easily. Now, with pull request tasks, you can turn feedback into actionable tasks. Never miss a crucial change. 

To create a task, select Create task within a comment and enter the task info. You can also highlight the relevant text to fill-in the info before you select Create task.

Once you create tasks, you no longer have to search through all of the comments on a pull request to find follow-up items.  You can keep track of all open and resolved tasks with a consolidated list available from the top of a pull request.

The Inner Guts of Bitbucket

By on August 11, 2014

Recently our teammate and Bitbucket engineer Erik Van Zijst had the opportunity to present at EuroPython 2014 in Berlin. Check out this video of his session on the Inner Guts of Bitbucket and get a detailed overview of our current architecture at all layers from Gunicorn and Django to Celery and HAProxy to NFS.

In addition to the inside scoop into Bitbucket’s inner workings, this video covers some war stories and shows how we too have to learn things the hard way sometimes.

Scheduled downtime for database maintenance

By on June 11, 2014

In the last few days, Bitbucket experienced intermittent database issues which caused the site to become unavailable for several minutes at a time. These outages are far beyond what we consider acceptable as a service provider, and we sincerely apologize for any inconvenience this caused.

We continue to investigate these database issues and our goal is to resolve these issues permanently as soon as possible. As part of our ongoing investigation we will be making Bitbucket unavailable for up to four hours starting Saturday, June 14, 2014 at 10:00:00 Pacific to make database configuration changes and upgrades.

Please subscribe to http://status.bitbucket.org to receive instant updates via email, SMS or RSS as we progress through the downtime. Thank you for your patience as we work to increase Bitbucket’s performance and reliability. Please contact us at support@bitbucket.org if you have any questions or concerns.

Repository size limits

By on May 30, 2014

In order to improve and maintain the overall performance for everyone who uses Bitbucket, we are rolling out size limits on newly-created repositories. Starting today, repository size limits will be:

If you already have a repository that is larger than the 2GB limit, your repository has been grandfathered so you won’t have any issues. Should you find your new repository approaching the 1GB soft limit, check out our documentation on how to reduce repository sizes or our blog “How to handle big repositories”.

Of course, Bitbucket still offers unlimited private repositories free for five users!

Introducing the new fluid width Bitbucket

By on May 20, 2014

The more code you can see on your screen, the easier it is to work with it. That’s why we broke away from our traditional fixed-width pages, and redesigned every page on Bitbucket to expand to the full width of your screen, as wide as your browser will allow.

See more of your code

When you’re in the zone, having to scroll horizontally to see all your work can really break your focus. Bitbucket’s new expansion capability makes it easier to view source, conduct code reviews, or edit files. Other pages, such as the listing of all your open pull requests, are now much easier to read as well.

Sidebar based navigation

To reduce scrolling even more, we moved the navigation and action links from the top of the page into a collapsible bar on the left side. Using Bitbucket’s keyboard shortcuts, the sidebar can be expanded or collapsed simply by pressing “[”.

Whether expanded or collapsed, the bar is anchored to the side of your repositories, giving you instant access to common actions like creating a pull request – even when you’ve scrolled waist-deep into a diff.

Dead simple READMEs

READMEs are a great way to make your project more attractive, and jumpstart other devs who want to pitch in. So we felt they deserve some special treatment.

If your project doesn’t already have a README, we’ve made it brain-dead simple to get one started. Just use Bitbucket’s online code editing features, and a template that includes suggestions for key repository details such as installation or configuration instructions, contact information, license information, and acknowledgements.

For repositories that already have a README, we’ve added a direct link to our online editor so it’s easy to keep your project details up to date. By default, READMEs will be created in Markdown. But if you’ve got an ASCII or reStructured file, that’ll work fine too.

Dashboard insight

Most of us have an ever-growing set of repos, and finding the one you need to work with can be a pain. The redesigned dashboard now features your repositories front and center, with the most recently active repos at the top. And the same quick search and filters are still there, making it extra easy to find repos you own or watch.

To make accessing the dashboard lightning-fast, we’ve added shortcut links to the global header so you can jump there from any page on Bitbucket. We’ve also moved the activity feed to the right side with a high-level overview of what’s taking place across all the repositories your team is working on.

Try Git out for free

Join the growing number of teams that host their code on Bitbucket, and stay more connected with unlimited private repositories free for five users. Or if you want to run Git on your own servers, check out Stash, our on-premises source code management for Git – it’s secure, fast, and enterprise grade. 

We’re migrating repositories to new hardware

By on April 22, 2014

Starting today, we will be migrating all repositories to a new storage system which will allow us to improve the service and reliability of Bitbucket.

Over the next weeks, you can expect the following:

Due to the nature of the migration, we are unable to provide specific timelines for when individual repos will be affected. However, we expect no more than a 10 minute disruption when your repository will be placed in read-only mode.

Thank you all for your patience and support! We are working hard to constantly build a better Bitbucket.

If you have any other questions or concerns, please contact us at support@bitbucket.org.

Bitbucket now auto-updates pull requests

Starting today your pull requests will always have the most recent and relevant code, and your reviews will be more efficient. With automatic updates, pushing to a branch with an open pull request will automatically include those commits in the open pull request. This way your reviewers will always see the most recent changes to the branch in the pull request.

The most important thing about a pull request is the discussion that it generates: As you get feedback from other developers about changes or improvements that should be made, you’ll be generating new commits which should be part of your review. Now you’ll automatically see those commits in the pull request with no extra steps.

More best practices for your team

Everywhere, teams are making the switch from Subversion to Git. If you’re new to Git and want to learn more, check out Atlassian Git Essentials, our solution to implementing best practices with Git for your development team.
