
Transcript: The Atlassian Ecosystem Podcast Ep. 131 - Gimme Some Personal Space(s)

Ryan Spilken
28 October 21

Show Notes

Unrendered Unicode bidirectional override characters in multiple products:
From Atlassian: https://confluence.atlassian.com/security/multiple-products-security-advisory-unrendered-unicode-bidirectional-override-characters-cve-2021-42574-1086419475.html
How this impacts ScriptRunner: https://www.adaptavist.com/blog/trojan-codes-in-atlassian-products-and-scriptrunner

Atlassian Cloud Updates 25 Oct. - 8 Nov.:

https://confluence.atlassian.com/cloud/blog/2021/11/atlassian-cloud-changes-oct-25-to-nov-1-2021
https://confluence.atlassian.com/cloud/blog/2021/11/atlassian-cloud-changes-nov-1-to-nov-8-2021

Bitbucket Cloud has landed in AWS:

https://bitbucket.org/blog/bitbucket-cloud-has-landed-in-aws

Announcing the Bitbucket Cloud Migration Assistant:

https://bitbucket.org/blog/bitbucket-cloud-migration-assistant

Automatic Personal Spaces in Confluence Cloud:

https://community.atlassian.com/t5/Confluence-Cloud-articles/We-re-giving-you-a-personal-space-automatically/ba-p/1848650

Jira Cloud, meet Microsoft Teams:

https://community.atlassian.com/t5/Jira-articles/The-Jira-Cloud-for-Microsoft-Teams-app-is-now-live/ba-p/1828382

Jira Software 8.20.1:

https://confluence.atlassian.com/jirasoftware/issues-resolved-in-8-20-1-1085210126.html

Jira Service Management 4.20.1:

https://confluence.atlassian.com/servicemanagement/issues-resolved-in-4-20-1-1086419600.html

Confluence 7.14.1:

https://confluence.atlassian.com/doc/issues-resolved-in-7-14-1-1086420275.html

Bitbucket Data Center and Server 7.18:

https://confluence.atlassian.com/bitbucketserver/bitbucket-data-center-and-server-7-18-release-notes-1087534957.html

New! Built-in ScriptRunner for Jira Workflow Functions:

https://www.adaptavist.com/blog/scriptrunner-just-made-jira-workflows-easier-than-ever

Transcript

Ryan Spilken:

Hello and welcome to the Atlassian Ecosystem podcast. This is episode 131, "Give Some Personal Space." I, your host, Ryan Spilken, am in need of personal space. And let me tell you two other folks who need some personal space as well. Brenda Burrell and Matthew Stublefield. Brenda, Matthew, do you need some space? Am I too close to your bubble?

Brenda Burrell:

You are way too close to my bubble.

Matthew Stublefield:

Alternatively, Ryan, you come on over here man.

Ryan Spilken:

Well.

Matthew Stublefield:

I could use some company.

Ryan Spilken:

You know, 50-50 ain't bad, folks, not in 2021.

Brenda Burrell:

We're off to a great start, folks.

Ryan Spilken:

Have we started or were we just wrapping up?

Matthew Stublefield:

For those of you who are engaged with the Atlassian community, you might have a guess at what we're going to talk about later with personal spaces. But first, let's talk about the big security story since our last podcast, with the unenviable title, Unrendered Unicode Bidirectional Override Characters in Multiple Products. So this really blew up over the last few weeks. This is not an Atlassian-specific thing. This is actually a Unicode issue. And for those of you who aren't aware, Unicode is a character set. It's embedded everywhere, in everything, in every character.

Ryan Spilken:

It's the oxygen of the internet, right?

Matthew Stublefield:

It is kind of. Yeah, it's the roads on which we drive and the air that we breathe. And one of the things that's come to light is, it is possible to trick things. I don't know if it's fair to say trick computers or people or what exactly, but you can use Unicode and type a character that would normally be left to right or right to left differently, so that it's not really visible to the naked eye. And when you do this, you could then inject malware, malicious code, that is not visible. And if somebody were to copy and paste that, because it's Unicode, it will get copied and pasted without you seeing it or knowing it's there. So this is an insidious potential attack vector that's hard to see, and that makes it particularly concerning and risky.

Matthew Stublefield:

So Atlassian, like every other platform in the world, has been upgrading and patching to render this code. The phrase "Unrendered Unicode" is what a lot of people are doing to solve this: just render it, make it visible. So it's taking some extra steps to make it visible so that you can see if these bidirectional characters are there in the text, in the code that you're working with. Atlassian has released updates for everything, including Fisheye and Crucible. It's been like a year since we talked about that crew on the podcast.

Matthew Stublefield:

Yeah. In fact crew got an update. So everything's getting updated. We've got the security advisory from Atlassian that we'll link to. If you have not yet upgraded your Bamboo, BitBucket, Confluence, JIRA systems that are [inaudible 00:03:29], you really ought to look into doing this. Atlassian only notes that it's like a medium risk, because while this is very concerning, typically people who are using Atlassian tools use them internally. So it would have to be one of your employees doing this type of thing. But if you run a public, anonymously available system, particularly one where people are posting code into, it could be a problem. We're also going to link to a blog post by Jamie Echlin, the inventor of ScriptRunner, here at Adaptavist, to explain this in a little bit easier-to-understand fashion.

Ryan Spilken:

I had the good fortune of working with Jamie to get that blog out. And so I actually read quite in depth on this subject. It is insidious and it's tricky and it's clever as heck, because what this attack can do is basically cause a compiler to read an instruction backwards. And that can then open up doors into things that you wouldn't expect. So the rendered code that someone could have copied out of, even our library, and put into a production instance could do some pretty gnarly stuff. It was something...

Matthew Stublefield:

Now that said, not actually in our library, because we don't have things in the Adaptavist library that do this. But one of the things we'll be doing, because we want to open that up for contribution in the not too distant future, before we do that, we will improve our rendering so that if there was bidirectional Unicode, it would be visible, which means that we're just going to be able to catch it before that happens. So yeah, take a look at that, upgrade your Atlassian products. If you are on Cloud, my understanding is Atlassian has already upgraded everything there. So you should be fine, but stay safe, people. Keep an eye out.

Ryan Spilken:

Away from that security update and into our Atlassian Cloud updates. These are from the 25th of October to the 8th of November, and it feels like the Thanksgiving slowdown, the end of year slowdown, is upon us yet again, because this is the shortest set of updates to the Cloud update pages that I've seen in a while. Let's start with JIRA Service Management, where there is an improvement to SLA format for longer dates. Atlassian has improved, they think, the way they display the service level agreement goal times to enhance the agent experience in both the queue and issue view. The view of the SLA goal now displays the relative time and date. So it's going to display today, yesterday, tomorrow, or the exact date for completion or the breach that would occur if it doesn't get done. There's also a tooltip that shows hours remaining or past, and the percentage towards the SLA goal.

Ryan Spilken:

So that sounds like a fun improvement for service teams. JIRA Software gets project insights with median cycle time on the insights panel. This is an update to the insights panel on the deployments page, showing the median cycle time over 12 weeks where before it was only four. This means median cycle time shown on your insights panel is now the same as the median shown on your cycle time report. When we link through to this in the show notes, you'll find more on cycle time in Atlassian's documentation. Lastly, on the JIRA platform, you can now trigger Bamboo builds on release deprecation messages. In December of 2021, Atlassian will remove the option to run a Bamboo build when you release a JIRA version. Bamboo and JIRA Software integrations will still work, but you're going to need to run your builds directly in Bamboo rather than through a JIRA release. Less automation? Why?

Matthew Stublefield:

Does seem like an odd thing. I just wonder why I don't need to have a guess. I don't know why they would remove this.

Brenda Burrell:

Granularity of roles in the release process. I would venture to guess.

Ryan Spilken:

You both, you said words.

Brenda Burrell:

Yeah.

Ryan Spilken:

I know they're in English.

Brenda Burrell:

I said words.

Matthew Stublefield:

So in our Bamboo instance on Server, we've got JIRA Software connected with it. Like, it's nice to have this tied together, so it's...

Ryan Spilken:

We'll see where this leads.

Matthew Stublefield:

You do. You're at Atlassian.

Ryan Spilken:

And finally, you're now able to mention users in comments from the portal request view, which I think is great. Customers can now mention with the @ symbol, you know how this works. You can add somebody in the comments in a JIRA Cloud portal situation. So that's more than just JIRA Service Management. Now that's JIRA Software. Oh, I'm sorry. JIRA Work Management and JIRA Service Management both include this feature. So now both of them will be able to get @ mentions. Don't @ me about the @ mentions.

Matthew Stublefield:

Or maybe do.

Ryan Spilken:

Maybe because you could @ me, @ me everybody.

Brenda Burrell:

In big news in BitBucket Cloud now, Ryan, I know you feel like the updates are kind of thin, but there's some big ones for BitBucket, starting with BitBucket Cloud now being hosted in AWS. So Atlassian has mentioned over the last year or so that they've been migrating BitBucket Cloud to Micros, which is their internal Cloud platform based on AWS. For the last decade or so, they've been running it in their own data center, and that worked well for a long time, but due to scale and everything, Atlassian has gone ahead and performed this migration. There's a lovely image of fireworks. I feel like for something of this nature, an animated GIF of fireworks would have been appropriate, but it's a very nice image of fireworks, and a little bit in this blog post, which we will link to in the show notes, about the benefits to customers.

Brenda Burrell:

So if you're on BitBucket Cloud, you will have better reliability on the new platform. They say that in the past two months, since the migration was actually completed, the volume of weekly support cases relating to reliability decreased 93%. So more reliable than the old hosting, more secure than ever before, with Cloud storage volumes providing web services access to customer source code now being encrypted at [inaudible 00:10:17]. On the Micros platform, this allows Atlassian to leverage security best practices and policies enforced platform wide, and removing data center operations from the team's responsibilities eliminates an entire class of security risk.

Brenda Burrell:

It also improves performance. They are indicating that they have seen a 55% faster web response time compared to the start of 2020. It is one of the more technically complex projects that Atlassian has ever tackled. They migrated 50 million repositories to the new Cloud storage backend, replicated and moved all other data storage, with traffic totaling over 200,000 queries per second. These services regularly handle over a billion daily transactions, which were redirected transparently to the new backend with zero downtime. So sounds pretty cool. There's more information in this blog post. As I mentioned, we'll link to it in the show notes. More animated fireworks, please.

Matthew Stublefield:

I want to shout out to the BitBucket Cloud team, everybody working on this. This is an unbelievable achievement. There have been some performance hits over the last couple of years, and especially the last year during this migration. Atlassian's published about it. We've talked about it on the blog or on the podcast, but when they say they did this fairly transparently, no downtime, I mean, a billion daily transactions. It's unbelievable.

Brenda Burrell:

It's incredible.

Matthew Stublefield:

So, well-done everybody. I wish I could take you all out for drinks and give you like balloons and cookies. This is an unbelievable achievement, kudos to every Atlassian involved with this project.

Ryan Spilken:

What about pizza and chocolate milk?

Matthew Stublefield:

Well, I would give them whatever goodies they want. They've earned it.

Brenda Burrell:

Another big announcement from the BitBucket Cloud team, announcing the BitBucket Cloud Migration Assistant. So for quite a while now, if you are migrating your JIRA or Confluence [inaudible 00:12:16] to Cloud, you have had a migration assistant to do that. Now you can with BitBucket as well. This allows you to automatically migrate projects and repos, all pull requests, diffs and metadata such as comments, users, authors, and reviewers, users including inactive users, so that past comments, authors and reviewer statuses are preserved. It's worth noting that BCMA does not migrate user permissions in groups. Those will need to be set after the migration is complete. The article links to migration resources as well as a video for a demo of how this works. And if you are interested in migrating BitBucket to BitBucket Cloud, you will definitely want to take a look at this. So this is another huge achievement.

Brenda Burrell:

So this is the second pizza party for the team, for launching this Cloud Migration Assistant. This is really going to help people that are on-prem get onto Cloud and continue to support Atlassian's drive in that direction. So two huge achievements, massive kudos, sending virtual pizzas.

Ryan Spilken:

Staying in the Cloud space, there was something a bit more controversial. There was a community post on October 28th from Avni Barman. She's the Product Manager on the Confluence Cloud team, announcing that all users would be getting personal spaces on Confluence Cloud automatically. So if they're a current user, any future users created, everybody gets a personal space. It's just automatically created. There's...

Brenda Burrell:

You get a personal space and you get a personal space and you get a personal space.

Matthew Stublefield:

I was like constraining my inner Oprah, but you're right, that was in my head.

Brenda Burrell:

I couldn't resist.

Matthew Stublefield:

Prior to this change, and this change hasn't actually happened yet, but the way it currently works is, as an admin, you can choose to allow personal spaces or disallow them. If you don't allow them, nobody can create one. If you allow them, people can choose to create a personal space. The way it will work in the future is, if you don't allow them, nobody can create a personal space. If you do allow them, everyone gets one automatically. At this point, this community article, we're recording on Wednesday, November 10th, has had over 11,500 views. It is one of the more viewed community posts I've seen. The first discussion of this has up to 87 comments. Amongst those 87 comments, probably about six, seven, I think it was seven days later, Avni, the Product Manager, came back in and wrote, thank you for detailed feedback and responses, I've gone ahead and addressed those here. She links an FAQ. But it doesn't actually address the concerns, which were many.

Matthew Stublefield:

There were a lot of people who are very opposed to this change. Their concerns are that this plethora of personal spaces that'll be automatically created will clog up search results. It will encourage siloing of information as opposed to collaboration, as people start creating more content in personal spaces that is hard to find. It's not integrated with the teams. It's a change that admins can't really opt into. One of the recommendations that I thought was particularly good was just let us turn on or off automatic creation of personal spaces, make that a toggle. So if I want to have personal spaces created automatically for people, I can turn that off, but have it disabled by default.

Matthew Stublefield:

So this discussion is still going. We'll link to it on the community website. If you have feelings about automatic creation of personal spaces, you can go and contribute. I'm seeing both partners and customers comment that they don't want to see this. They worry about drowning in personal spaces. They worry about the maintenance of it. Right now, whenever somebody leaves the company, their personal space doesn't just automatically disappear. If you want to deprecate it, remove it, you have to go manually do that. Now potentially you're going to have thousands of these out there, and there is no automatic way to clean this up. So management of your rookie space just becomes very challenging. So yeah, it's been interesting to watch. Not a lot of communication back from Atlassian, and yet we're going to be trying to get some additional comments on this to see if we can give some takes.

Ryan Spilken:

If anyone knows Avni and you can connect us, we would love to have her on the show. We're not coming at this from a... Give you a chance, come on, connect us with Avni.

Brenda Burrell:

Yeah. I think it would be interesting to hear the thought process and...

Ryan Spilken:

The research.

Brenda Burrell:

...what's happened over the last week, the last 10 days, the last 12 days since posting this. Like, what have the internal conversations been like? Because I've totally been in the seat where something I thought was a great idea and I put it out there and everybody goes, "Oh my God, no, what are you thinking?" But in those instances, I typically go, "Oh, okay. Yeah, let's not do that. Let's change how we approach it." But it's been 12-ish, 13 days now, and we haven't seen that rollback yet or haven't seen that communication. So if you are a Confluence Cloud user and have thoughts about personal spaces, always feel free to mention us at Adaptavist, but you also come out to the community site, share your thoughts with Atlassian and let them know where you're at on this.

Ryan Spilken:

And in what I promise is the actual last bit of Cloud news in today's episode, are you a Microsoft Teams user? I'm not, but I know that Microsoft Teams is a competitor to Slack and offers similar features. And now the JIRA Cloud app for Microsoft Teams is available. And what this app allows you to do is basically to interact with JIRA issues directly from Teams. So add the app and then turn on notifications, search for issues, create issues, view issues within a meeting, all with the new app available for free through the Teams marketplace. So yeah, have fun with that.

Matthew Stublefield:

And this similarly is a community article as well, announcing this, so sticking with our experience of having to look in a billion different places to get news from Atlassian. One of the things that's cool here is people have been commenting as they try to use it, and we've got Atlassians chiming in very actively, answering questions, fixing things that weren't working as expected. So, kudos to people at Atlassian who are really keeping on top of this one, making sure it's working for people. I always think it's cool when you see the company [inaudible 00:19:29] interacted and engaged.

Brenda Burrell:

And with absolutely no good segue at all, we'll move over to news for on-prem. JIRA Software 8.20.1, and sorry, I don't know why I did "dot endpoint". JIRA Software 8.20.1 and JIRA Service Management 4.20.1 have been released. These are fixes for the Unicode issue we've talked about already on the podcast, where Unicode characters allow malicious code to be hidden from a human reviewer. These are pretty important updates. So do recommend upgrading to 8.20.1 for JIRA Software and 4.20.1 for JIRA Service Management as soon as is feasible to resolve that security issue.

Matthew Stublefield:

Confluence 7.14.1 has the same Unicode fix as well as a number of other bug fixes. Some tiny links not being found, Velocity templates not being rendered, some performance improvements, some icons being misaligned. So for 7.14.1 the main thing, the reason to upgrade and install that, is the Unicode character thing, but you'll get some other bug fixes at the same time when you upgrade to that.

Brenda Burrell:

And in BitBucket Data Center and Server 7.18, in addition to the Unicode character fix, an update to how you view deployment information in BitBucket: you can now see where your code is deployed on pull requests and commits without having to go and check in your deployment tool. In the upcoming Bamboo 8.1 release, deployment projects will automatically send deployment information to BitBucket Data Center. For the upcoming Jenkins 3.1 release, this will be implemented as a post-build action for freestyle jobs. For pipeline and multibranch pipeline jobs, it's implemented as a wrapper step. So if you use Jenkins, those words have meaning for you. If you're using other integration tools, this can be done via the deployment status API. HTTP access tokens for projects and repos: when you create a personal HTTP access token, it's tied to your user account. Admins can now create HTTP access tokens for teams working on specific projects and repos that are not fixed to user accounts. This is really important.

Brenda Burrell:

So you can create and manage them from the project and repo settings. There's also a rename in the menus of the personal access tokens page to HTTP access tokens, for consistency and clarity. BitBucket 7.18 now includes support for running MariaDB 10.5 and 10.6, and as of 8.0 for BitBucket Data Center, support has been removed for Postgres 9.6, SQL Server 2012, Oracle 12cR1, MariaDB 10.2. If you are preparing to upgrade, the article, which we will link to in the show notes, contains information on an upgrade guide and matrix and getting ready, along with the list of additional fixes that are in place alongside that Unicode character fix.

Matthew Stublefield:

Kind of makes me sad. SQL Server 2012 was the first version of SQL Server I didn't absolutely hate.

Brenda Burrell:

Right. It made me sad too. It was just like, "Oh."

Ryan Spilken:

There it goes. Let's move into the farm.

Matthew Stublefield:

SQL Server 2012, the first not-bad SQL Server.

Ryan Spilken:

And finally, for this edition of the Atlassian Ecosystem podcast, we got a little bit of news from Adaptavist, specifically Adaptavist ScriptRunner for JIRA on-prem. And it's a lot of news.

Brenda Burrell:

Beefy.

Ryan Spilken:

Yeah, yummy. The team has released a literal boatload of new workflow functionality and changed the way that you access these workflow functions to make it even easier. Starting there, and then talking about the functions themselves: finding them is now super easy. And there's a sick GIF alert, because it shows through a series of maybe four steps how to get all of the workflow functions from ScriptRunner in line with the ones that are built into JIRA. When you go into a transition's properties and you edit the condition, validator, or post function, you will see the ScriptRunner functions available right alongside the built-in ones.

Ryan Spilken:

And they're just delineated with a little ScriptRunner tag. So they're all right there, available to you when you're working on workflows, instead of having to go through the ScriptRunner menu, which is awesome. And just a little taste of some of these new functions: workflow conditions based on specific users, on groups and on project roles are now available for conditions, validators and workflows in JIRA. Regular expressions in conditions and validators, so if you want to make sure that a social security field is populated correctly or a zip code is entered the right way, you can now use a regular expression in these workflow functions to ensure that the data is being collected properly. If a user is added to a particular field, you can cause additional actions to occur as well.

Ryan Spilken:

Field completion before a transition can occur is also now built into ScriptRunner's functionality, where that is not default. That's not even built into JIRA. So it's now part of ScriptRunner, and all sorts of stuff for post functions as well. Comment after an issue, clear fields after a transition, and more. I will point you to a blog post that has all of this information in it, with several links to documentation, and we're doing another webinar. And I'm going to be a little part of this as well, with Andre Sorano, Jamie Echlin, Jess Thompson, and a host of our other engineers, to introduce some of these new workflow functions. And that is on November 18th. Put that one in your diaries or calendars, whichever one you want to call it. We'll link to both the article and the registration for the webinar in today's show notes.

Matthew Stublefield:

And that's it for this episode of the Atlassian Ecosystem podcast. As always, you can reach us on the socials at Adaptavist. Let us know if you have thoughts about these stories, or if there are other stories that you'd like us to talk about. Don't forget to check out our other fine podcasts. You can find them on our website, in your podcast app, maybe the clouds in the sky, wherever it is you look for the casts of pods. So for Ryan Spilken and Brenda Burrell, this is Matthew Stublefield signing off from the Atlassian Ecosystem podcast, a member of the Adaptavist Live podcast network.