CVE-2014-9390

CVE-2014-9390 affects git systems on case-insensitive filesystems, such as Windows and Mac OS. For more information about CVE-2014-9390, please have a look at the git mailing list.

Only two parts of SCM-Manager are affected by CVE-2014-9390: the new import (introduced with SCM-Manager 1.43) and the fork-plugin. These problems are fixed in version 1.44 of SCM-Manager. If you are running SCM-Manager on Windows or Mac OS, we highly recommend updating to the latest version of SCM-Manager.

If your git clients run on Windows or Mac OS, you have to update your git clients too.

Download the latest version of SCM-Manager.
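A repository-side check that complements the upgrade, as an added example (not SCM-Manager or git code): it flags tree paths containing a component that a case-insensitive filesystem would treat as `.git`. The equivalence rules used here (case folding, HFS+ ignorable code points, NTFS trailing dots/spaces and the `git~1` short name) are assumptions based on git's published fix, and `SAMPLE_TREE` is constructed.

```python
import re

# Code points HFS+ ignores when comparing names (assumption: taken from the
# rules in git's public fix, not from this page).
HFS_IGNORABLE = set(
    [0x200C, 0x200D, 0x200E, 0x200F, 0xFEFF]
    + list(range(0x202A, 0x202F))   # U+202A..U+202E
    + list(range(0x206A, 0x2070))   # U+206A..U+206F
)

def aliases_dot_git(component):
    """True if one path component could resolve to ".git" on a
    case-insensitive filesystem (HFS+ or NTFS/FAT rules)."""
    # HFS+: drop ignorable code points, then compare case-insensitively.
    stripped = "".join(ch for ch in component if ord(ch) not in HFS_IGNORABLE)
    if stripped.lower() == ".git":
        return True
    # NTFS/FAT: trailing dots and spaces are dropped; "git~1" is the 8.3 name.
    return component.rstrip(". ").lower() in (".git", "git~1")

def find_suspicious_paths(paths):
    """Return every path with at least one component that aliases ".git"."""
    hits = []
    for path in paths:
        # Windows also treats "\" as a separator, so split on both.
        if any(aliases_dot_git(c) for c in re.split(r"[/\\]", path)):
            hits.append(path)
    return hits

# Constructed sample of tracked paths; the first four are harmless.
SAMPLE_TREE = [
    "README.md",
    "src/main/java/App.java",
    ".gitignore",
    ".github/workflows/ci.yml",
    ".Git/notes.txt",
    "docs/.GIT/a.txt",
    ".g\u200cit/a.txt",
    "git~1/a.txt",
    ".git./a.txt",
]

if __name__ == "__main__":
    for p in find_suspicious_paths(SAMPLE_TREE):
        print("suspicious:", repr(p))
```

To scan a real repository, feed it the NUL-separated output of `git ls-tree -r -z --name-only <rev>` for each branch or tag you want to check.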

SCM-Manager 2 Milestone 1

After a long development time, SCM-Manager 2 has reached milestone 1. Here are the main features of the first milestone of SCM-Manager 2:

Server

With version 2 SCM-Manager will switch to Semantic Versioning. All upcoming SCM-Manager 2 versions and plugins will use the MAJOR.MINOR.PATCH scheme for their version numbers.

Repository Cleanup

Deprecated and unused modules, packages, classes, methods and fields are completely removed from the repository. Some modules are renamed to match their Maven artifact id. The following modules are moved to their own repositories to make the repository smaller and to improve release cycles:

Event handling

The handling of events in SCM-Manager 2 is now controlled only by the Subscribe annotation; the old-style listener classes are removed. In addition, we switched from the Google Guava EventBus to Legman. Legman is a fork of the Google Guava EventBus that fixes some problems SCM-Manager had with the Google Guava EventBus. Have a look at the list of events fired by SCM-Manager (TODO update link); all of them can be handled like below:

Java and bundled Jetty (scm-server)

With version 2 we will switch to Java 7; older versions of Java are no longer supported. With this step we are able to use the java7 package from JGit, which should bring a performance boost for all SCM-Manager git operations. We will also update Jetty from version 7 to version 9.2.x. This update will give us opportunities like WebSockets and SPDY.

Performance, startup and appserver compatibility

We have dropped all classpath scanning operations in favor of an annotation processor. The annotation processor stores all classes which are annotated with the Extension, ExtensionPoint, Subscribe or Path annotation during compilation. This change results in a shorter startup with a lower memory footprint, because we don't have to load all classes from the classpath to check for annotations. The annotation processor also solves problems with classpath scanning on some application servers.

Plugins

The plugin system of SCM-Manager 2 is completely rewritten. Here are some of the main features:

Structure and packaging

Plugins are no longer ordinary jar files. In SCM-Manager 2, plugins are packaged as a single smp file. The smp packages contain the classes, resources and all dependencies of a plugin. The structure of an smp file looks like this:

  • classes (classes and resources)
  • webapp (web resource like scripts, stylesheets and images)
  • lib (plugin dependencies)

The switch to smp packages allows us to drop the complex and error-prone Aether based plugin system of SCM-Manager 1.x. It also solves the problem with offline plugin installations.

Class and resource loading

SCM-Manager 2 creates an isolated classloader for each plugin; this protects us from classloading conflicts. The isolated classloaders also allow plugins to override core dependencies. The new plugins will also introduce WebResourceLoaders, which are able to load resources from the webapp directory of a plugin.

Plugin descriptor

Descriptors are now validated against a DTD. The descriptors now support tags for later improvements to the plugin center.

Download

Warning: SCM-Manager 2 Milestone 1 is not compatible with SCM-Manager 1.x and it is not ready for production use. This release is only for testing purposes.

What comes next?

Milestone 2 will target the user/group management and the security system of SCM-Manager. The development of Milestone 2 is organised here.

Explore SCM-Manager Universe@Cloud

SCM-Manager has its own Universe. There it acts in the center of a bundle of ready to use open source software components.

Now the virtual appliance SCM-Manager Universe, which is developed by my partner TRIOLOGY, is available as a Cloud-Service. This highly scalable, most secure and deeply integrated Platform-as-a-Service (PaaS) makes developing software even easier.

Try out this new service completely for free and without commitment!

Are you interested? Register for a monthly trial here.

Repository Import Wizard

The main feature of SCM-Manager 1.43 is a new repository import wizard. This new wizard supports three import methods:

  1. Import repositories from the repository directory (.scm/repositories/type). This method is supported by git, mercurial and subversion.
  2. Import repositories from a remote url. This method is supported by git and mercurial.
  3. Import repositories from a bundle/dump (svndump). This method is supported by subversion.
