Distribution 2.15
Distribution 2.15.0
Released September 28, 2022
Highlights
Enhancements
Updated the Design and Functionality of the Received Bundles Table
The Received Bundles table in the JFrog Platform has been updated to support easier search and filtering for Release Bundles. These updates include:
- Improved search that enables you to find any Release Bundle by name or by using a wildcard together with other Release Bundle details
- All Release Bundles are pulled using the REST API, ensuring that you can search for any Release Bundle regardless of when it was released
- Release Bundles can now be sorted according to name, latest version or creation date
See Viewing Release Bundles on Distribution Edges.
Improved Distribution and XRay integration
The improved integration allows Distribution to retry triggering XRay scans for Release Bundles in cases where XRay is not available (previously this required manually triggering via API).
Resolved Issues
Jira Issue | Description |
|---|---|
JR-5825 | Added support for a Reference token to the Distribution APIs. |
JR-5678 | Changed the
|
JR-3783 | Improved Distribution and XRay integration, allowing Distribution to retry triggering XRay scans for Release Bundles in cases where XRay is not available (previously this required manually triggering via API). See Distribution Application Config YAML File. Fixed an issue related to the behavior of Distribution when Xray is started:
|
JR-5938 | Resolved an issue related to using GPG signing keys by non-admins. |
JR-5894 | Updated the PostgreSQL driver version to resolve a security issue. |
Resolved Vulnerabilities
This release contains resolved CVEs - security vulnerability issues.
Distribution 2.14
Distribution 2.14.3
Released August 28, 2022
Resolved Issues
Jira Issue | Description |
|---|---|
JR-5938 | This patch resolves an issue related to using GPG signing keys by non-admins. |
Distribution 2.14.1
Released August 1, 2022
Highlights
Select a Specific GPG Key to Sign a Release Bundle Version
When signing a Release Bundle version, you can now choose the signing key to use to sign the version through the Distribution UI.
If you are using multiple GPG signing keys in Distribution, with this release, the user can now select which signing key to use in the Platform UI (previously available only from the REST API). If no key is selected, the default/primary key will be used to sign the Release Bundle. See Distributing Release Bundles.
Release Bundles UI Enhancements
The following UI changes have been implemented in the Release Bundles UI:
- Added a new filter search and the total count for both Distributable and Received Release Bundles.
- From this release, the checkbox Auto create missing repositories is displayed for all Release Bundle distributions (not only PDN), replacing the Target Repository Auto-Creation checkbox (the functionality remains the same).
- The UI of the Distribute Release Bundles window has also been updated and streamlined.
For more information, see Distributing Release Bundles.
Resolved Issues
| Jira Issue | Summary |
|---|---|
| JR-5128 | Improved the performance of the release bundle page query. |
JR-5440 | Fixed an issue whereby, signing a Release Bundle with a passphrase only worked with the default GPG. |
JR-5561 | Improved the performance when searching a Release Bundle from the UI. |
| JR-5575 | Improved the performance of the Release Bundle table. |
| JR-5608 | Fixed an issue whereby, importing a Release Bundle through the UI upload failed. |
JR-5449 | New configuration option was added to better handle situations where the authentication and token verification process is very slow. This was fixed by adding a new configuration to the Distribution configuration file (see Distribution Application Config YAML File). |
| JR-5665 | Fixed an issue relating to the creation of multiple Release Bundles. |
JR-5382 | General UI performance improvements and optimizations. |
JR-5435 | Improved the performance of the Get Release Bundles REST API. |
Resolved Vulnerabilities
This release contains resolved CVEs - security vulnerability issues.
Distribution 2.13
This section describes all of the Distribution 2.13 releases.
Distribution 2.13.4
Released June 26, 2022
Resolved Issues
| Jira Issue | Summary |
|---|---|
JR-5590 | Fixed an issue whereby signing a release bundle that includes artifacts from the build with the name or number larger than 64 chars was failing. |
Distribution 2.13.3
Released June 20, 2022
Resolved Issues
| Jira Issue | Summary |
|---|---|
JR-5440 | Fixed an API key authentication issue. |
Distribution 2.13.2
Released June 16, 2022
Highlights
Support for a New User Scoped Token for Distribution to the Source Artifactory
Breaking Change: Support for a New User Scoped Token for Distribution to the Source Artifactory
From Distribution 2.13.x, user permissions will be enforced when distributing to the source JPD. The permissions are as follows:
- To distribute release bundles: Only users with read and deploy permissions on the target repositories can successfully complete a distribution process to the source Artifactory (in this case the JPD acts as the target JPD).
Note: If this type of user (non-admin) tries to distribute to a target repository that does not exist, they will receive an error message. - To delete release bundles : Only users with delete permission for the target repository can delete these bundles.
See Distribution Application Config YAML File and Distribute Release Bundle Version, and Release Bundles Permissions.
Update to the API to Propagate the GPG Key Pair to a Newly Added Distribution Edge
In this release, the API to propagate the GPG key pair to a newly added Distribution Edge has been updated, and keys are propagated as follows:
- When no parameters are provided - the default key will be propagated.
- When api/v1/keys/pgp/propagate?all=true - Propagates all available keys.
- When api/v1/keys/pgp/propagate?alias =<alias name> - Propagates the key with the alias name. For example, api/v1/keys/pgp/propagate?alias = 'my_key' propagates the key with the alias name my_key.
Propagation is possible by either alias key or all keys but not both.
See Propagate GPG Signing Keys to a Distribution Edge.
Java 17 Support
JFrog Distribution has been upgraded and now requires Java 17.
Resolved Issues
| Jira Issue | Summary |
|---|---|
JR-4764 | Fixed an issue related to the error displayed when setting the GPG. |
JR-4901 | Fixed a bug whereby the `AutoCreateTargetRepoAdvance` cluster configuration could not be activated/enabled. |
JR-4952 JR-5136 | Implemented several UI improvements to the Distribution UI. |
JR-5174 | Update to improve release stability and performance. |
JR-5019 | Distribution now supports an Outbound Request Log, which improves debugging and runtime user tracking of the system behavior. . |
JR-5381 | Fixed an issue whereby the Rangelimit-Total header count was incorrect. |
Distribution 2.12
This section describes all of the Distribution 2.12 releases.
Distribution 2.12.3
Released May 10, 2022
Resolved Issues
| Jira Issue | Description |
|---|---|
| Fixed a UI issue whereby, in some cases, the user was not able to type text in the Release Bundle creation tab. | |
Fixed an issue that generated distribution errors related to upgrading to v.2.11.1. | |
Fixed an issue related to security issues in common dependencies. |
Resolved Vulnerabilities
This release contains resolved CVEs - security vulnerability issues.
Distribution 2.12.2
Released April 24, 2022
Highlights
Updated the versions of the following third-party software:
- PostgreSQL 42.2.25
- Node.js16.13.2
Resolved Issues
This release includes a number of fixes to the Distribution UI in the JFrog Platform.
| Jira Issue | Description |
|---|---|
| This release includes a number of fixes to the Distribution UI in the JFrog Platform. |
Detected Known Issues
This release contains one or more known issues.
Distribution 2.12.1
Released March 7, 2022
Resolved Issues
Fixed an issue, whereby loading release bundles to the JFrog Platform UI resulted in infinite loading.
Distribution 2.12.0
Released: February 28, 2022
Resolved Issues
| Jira Issue | Description |
|---|---|
Fixed an issue whereby, the path was omitted from the AQL query in the UI. | |
Fixed an issue whereby, customers were unable to create a release bundle based on the path pattern. | |
Fixed an issue whereby, some Distribution logs were being logged in an incorrect folder. | |
Fixed an issue whereby, an error was displayed for missing logs (that were not missing). | |
Fixed an issue whereby, in the release bundle view, the versions were not sorted correctly. | |
Fixed an issue in the GPG key propagation. |
Resolved Vulnerabilities
This release contains resolved CVEs - security vulnerability issues.
Distribution 2.11
This section describes all of the Distribution 2.11 releases.
Distribution 2.11.1
Released: February 9, 2022
Resolved Issues
| Jira Issue | Description |
|---|---|
| Fixed a critical issue causing a distribution process to fail when using older Artifactory versions. |
Distribution 2.11.0
Released: February 7, 2022
Known Issue
Distribution 2.11.0 includes a critical issue causing a distribution process to fail when using older Artifactory versions. We recommend upgrading directly to 2.11.1.
Highlights
This version focused on improving performance and stability.
Resolved Issues
| Jira Issue | Description |
|---|---|
The Maintenance API has been changed to be more secure; for more information, see Distribution REST API - MAINTENANCE . | |
Improved the release bundle clean up process. | |
Fixed an issue, whereby Webhooks were not triggered correctly. | |
Improved Distribution service logs for better root cause analysis. | |
Resolved a permission-related issue. | |
Fixed an issue, whereby the Distribution status API was returning the wrong number of artifacts and bytes transferred. |
Resolved Vulnerabilities
This release contains resolved CVEs - security vulnerability issues.
Distribution 2.10
This section describes all of the Distribution 2.10 releases.
Distribution 2.10.5
Released: December 7, 2021
Distribution 2.10.5 is Available as an On-prem Version
Distribution 2.10.5 is available as an on-prem version.
Resolved Issues
| Jira Issue | Description |
|---|---|
Fixed an issue where the deletion of a release bundle fails in cases when the target is using the new paring token configuration. | |
Reduced the number of tokens used in the distribution flow. | |
| Updated the bundled Redis version to 6.2.6. | |
| Added additional logs to make it easier to troubleshoot. | |
| General fix: fixed some security issues that were detected. |
Distribution 2.10.3
Released: November 1, 2021
Highlights
New Hybrid Solution Provided through the Distribution Edges
Self-hosted customers who have an existing JFrog Distribution in place may sometimes require the option of adding additional JFrog Artifactory instances in the cloud. This hybrid setup is now supported through the JFrog Distribution Edges Add-on, a commercial offering for On-Prem customers to leverage JFrog SaaS for software distribution. This add-on enables On-Prem customers to add cloud-based Edge nodes managed by JFrog (software-as-a-service) and fully utilize them for content distribution. See Configuring Distribution Edges Using the Distribution Edges Add-on.
New Pairing Token UI and API
Added new UI in the JFrog Platform for a pairing token, which establishes trust between different JFrog microservices. The pairing token is an access token that is used for the initial pairing flow. Because the token is a limited access token, it is dedicated to a specific task and short-lived. Once trust is established, the services can continue using the standard token-based authentication for communication. Pairing tokens replace the join.key that was used in the past in the JFrog Platform to link between services. This type of token is only designed to link cross-topologies (i.e., locally, and not with in a JPD). See Generating Scoped and Pairing Tokens.
Resolved Issues
| Jira Issue | Description |
|---|---|
Fixed an issue whereby the API Get all Versions of all Release Bundles returned an empty array of artifacts for every release bundle. And both this API and the Get Release Bundle Versions API failed to paginate properly because they always returned the full list. | |
Fixed an issue whereby usernames longer than 64 (and up to 255) chars were not supported. | |
Fixed an issue whereby Edge nodes were not visible if a user is referred to in multiple permission targets. | |
Fixed an issue whereby a Mission Control connected to the remote JFrog Platform environment, was resolving the Artifactory URL improperly. | |
Fixed a slowness issue in the release bundles list page. | |
| Fixed the naming for Edge Webhook: t he Artifactory Release Bundle domain has been renamed Destination to consolidate all under same Release Bundle domain. |
Distribution 2.9
This section describes all of the Distribution 2.9 releases.
Distribution 2.9.3
Released: September 30, 2021
Resolved Issues
| Jira Issue | Description |
|---|---|
Fixed an issue whereby, a Distribution instance connected to the remote Mission Control while using a Circle of Trust for Token validation failed. | |
| Fixed issue whereby, a token generated using the UI, had fewer permissions in the Distribution process. |
Distribution 2.9.2
Released: August 22, 2021
Resolved Vulnerabilities
This release contains resolved CVEs - security vulnerability issues.
Distribution 2.9.1
Released: August 8, 2021
Distribution 2.9.1 is Available as a Cloud Version
Distribution 2.9.1 is Available as a Cloud Version
Resolved Issues
| Jira Issue | Description |
|---|---|
Fixed an issue whereby, in some cases, conflicts in target paths for Docker layers were present upon Release Bundle creation. | |
| Fixed issue whereby, the Distribution service was shutting down the Release Bundle distribution transaction in a non-optimal manner. |
Distribution 2.9
Distribution 2.9.0
Released: August 4, 2021
Feature Enhancements
Maven Shared Library Upgrade
Upgraded the Maven shared utils library to version 3.3.4 to fix some vulnerabilities issues related to the following:
Distribution 2.8
This section describes all of the Distribution 2.8 releases.
Distribution 2.8.2
Released: July 12, 2021
Resolved Issues
| Jira Issue | Description |
|---|---|
Fixed an issue regarding the Distribution Support Bundle creation in Distribution version 2.8.1. |
Distribution 2.8.1
Released: June 30, 2021
Highlights
Dynamic Release Bundle
Introduced the capability to create, sign and distribute an ad-hoc Release Bundle dynamically through a single REST API request. For more information, see Creating a Dynamic Release Bundle.
Multiple GPG keys for Signing Release Bundles
Distribution now supports signing Release Bundles using multiple GPG keys and not one key pair for all Release Bundles. This enables you to use different keys according to your organizational requirements, such as keys used in different departments. For more information, see Multiple GPG Signing Keys
Target Repository Auto-Creation
Automatically create repositories on the target edges if no repositories exist when distributing Release Bundles. For more information, see Target Repository Auto-Creation.
Feature Enhancements
Distribution Service
To introduce efficiencies within the JFrog Platform, the services that were previously under the Distributor service has been moved under the Distribution service. This does not affect the Distribution's functionality.
Live Logs Enhancement
Added a new distribution-service log to the System Logs Viewer.
Distribution 2.7
Distribution 2.7.1
Released: March 31, 2021
Highlights
HashiCorp Vault Integration with the JFrog Platform
The Jfrog Platform integration with HashiCorp Vault enables you to configure an external vault connection to use as a centralized secret management tool. Using vault allows you to store signing keys as secrets and provides you with the capability to generate and manage keys in a centralized tool for security and compliance. To learn more, see Vault.
Resolved Issues
| Jira Issue | Description |
|---|---|
Fixed an issue whereby, in some cases, Release Bundles were stuck and blocking distribution . |
Distribution 2.6
This section describes all of the Distribution 2.6 releases.
Distribution 2.6.1
Released: February 25, 2021
Resolved Issues
| Jira Issue | Description |
|---|---|
Fixed an issue whereby, when creating a Release Bundle, the Docker manifest resolver, in some cases, duplicated artifacts causing a conflict. |
Distribution 2.6.0
Released: January 13, 2021
Highlights
Webhooks for Distribution
You can now use event-driven Webhooks to send important events occurring in Distribution. You have a number of events that you can choose from, such as Release Bundle status changes, Release Bundle distribution status changes, and Release Bundle deletion from Edge nodes.
These events are sent to other applications by setting a URL. To learn more, see Webhooks.
Distribution 2.5
This section describes all of the Distribution 2.5 releases.
Distribution 2.5.4
Released: 29 December, 2020
Resolved Issues
| Jira Issue | Description |
|---|---|
Fixed an issue, whereby a proxy configuration from Artifactory cannot be used in distribution due to an expired token. | |
| Fixed an issue, whereby a Release Bundle version added properties that might override existing artifact properties. | |
| Fixed an issue, whereby using multiple AQL queries in a single Release Bundle version may cause the Release Bundle creation to fail due to token expiration. | |
| Fixed an issue whereby, in some cases, Distribution may remain in an in-progress state due to a failed close transaction flow. |
Distribution 2.5.3
Released: 8 December, 2020
Resolved Issues
| Jira Issue | Description |
|---|---|
Fixed an issue, whereby a proxy configuration from Artifactory cannot be used in distribution due to an expired token . |
Distribution 2.5.2
Released: 11 November, 2020
Highlights
Release Bundle Release Notes
You can now add and distribute Release Notes with a Release Bundle.
PostgreSQL Version Support
Distribution now supports PostgreSQL version 12.3.
Resolved Issues
| Jira Issue | Description |
|---|---|
Fixed an issue whereby, the timezone differed between the |
Distribution 2.5.1
Released: 5 October, 2020
Resolved Issues
| Jira Issue | Description |
|---|---|
JFrog Distribution now externalizes the configuration parameter allowing users to set the required time interval for Xray to complete the Release Bundle scanning process . |
Distribution 2.5.0
Released: 29 September, 2020
Highlights
Distributing Release Bundles in an Air Gap Environment
JFrog Distribution supports distributing your Release Bundles to remote Artifactory nodes within an Air Gap self-hosted environment. This use case is mainly intended for organizations such as financial institutions and military installations that have two or more Artifactory instances that have no network connection between them. To distribute the Release Bundles in an Air Gap environment, you need to export the Release Bundle on the Source Artifactory either directly from the WebUI or using REST API. For more information, see Distributing Release Bundles in an Air Gap Environment.
Distribution 2.4
This section describes all of the Distribution 2.4 releases.
Distribution 2.4.1
Released: 26 July 2020
Feature Enhancements
Distribution to Artifactory Edge nodes behind a proxy is now supported.
Distribution 2.4.0
Released: July 5, 2020
Highlights
Hybrid Distribution
JFrog SaaS supports Hybrid Distribution allowing you to distribute your Release Bundles from Artifactory Cloud to multiple Cloud and On-Prem Edge nodes within the same organisation. Hybrid Cloud promotes scalability and flexibility allowing you to distribute sensitive and highly regulated and mission critical Release Bundles to Artifactory On-Prem edges while using the Artifactory Cloud for mainstream public distributions and thereby gaining significant cost savings. For more information, see Hybrid Distribution.
Added Manual Linux Archive Installation
You can now install JFrog Distribution using a Linux Archive installer in addition to the existing options giving more control over how to set up your environment. For more information, see Manual Linux Archive Installation.
Feature Enhancements
Automated GPG Public Key Propagation to Edge Nodes
The automatic propagation of signed public GPG Keys to the Artifactory source and edge nodes is now an integral part of the upload process of the GPG keys to Distribution. To support this, the Upload and Propagate GPG Signing Keys for Distribution REST API has been introduced and replaces the Upload GPG Signing Key for Distribution REST API command that is now deprecated from version Distribution version 2.4. For more information, see GPG Signing.
Export/Import Release Bundle Metadata to Support One To One Pairing
To support the Artifactory to Distribution One to One paring ratio in the JFrog Platform, you can now migrate Release Bundle metadata of the relevant Artifactory Instance to the correlating Distribution Service. For more information, see Distribution and Artifactory One to One Pairing.
Distribution to the source Artifactory without Proxy
The requirement to Distribute to the source Artifactory via a proxy has been removed.
Distribution Load Balancing Mechanism Improvements
Improved the load balancing mechanism in High Availability environments.
PostgreSQL Version Support
Distribution is now certified to run with PostgreSQL versions 10.X, 11.X, and 12.X. Note that, all JFrog’s installers bundling PostgreSQL have been updated to use a newer PostgreSQL version 10.13.
Resolved Issues
| Jira Issue | Description |
|---|---|
Fixed an issue whereby you could not distribute Release Bundles from Artifactory version 7.x to Artifactory Edge 6.x edge nodes. | |
| When creating a Release Bundle, exclude Release Bundle repositories from the source. |
Distribution 2.3
Released: May 27, 2020
Feature Enhancements
Retrieve the Latest Version of a Release Bundle REST API
You can now retrieve the Last Release Bundle Version through the Rest API which enables you to distribute the latest version of the Release Bundle to your dedicated Edge nodes.
Improved Release Bundle Distribution Auditiblity and Tracking
A new set of parameters have been added to the Release Bundle APIs providing you with more audibility into the Distribution process:
The
created_byanddistributed_byparameters provide information on who created and distributed the Release Bundles.- The
start_time,finish_timeanddurationparameters provide information on the Distribution timeline of the Release Bundle.
Get Public GPG Key REST API
The Artifactory Edge Node verifies the Release Bundle signature with a public GPG key. You can now view the assigned public GPG Key by running the Get Public Key REST API command.
Distributing Release Bundle UI Improvements
Improved the Release Bundle Distribution management experience in the UI while providing you with the option to delete Release Bundles either from the JFrog Distribution server or from the JFrog Edge nodes.
Resolved Issues
| Jira Issue | Description |
|---|---|
Fixed an issue whereby multiple Distribution nodes for one Edge Node were not performing well by introducing an algorithm for improving distribution scalability. | |
Fixed an issue whereby Distribution was not supporting distributing Release Bundles containing artifacts using Unicode characters in the artifact name. | |
| Fixed an issue whereby the Release Bundle “In-Progress” status was generated for all distribution issues. This general state has been replaced with specific states to accommodate different distribution issues. |
Distribution 2.2
Released: February 23, 2020
Resolved Issues
| Jira Issue | Description |
|---|---|
Fixed an issue where Distribution did not recover when the Mission Control token was not valid or if the Mission Control service was not running when Distribution started. | |
Fixed an issue which caused confusion in the use of the Create Release Bundle Version REST API . From this release, the default of the dry_run parameter is now FALSE, so that by default, executing the REST API creates the release bundle object. Action Required! Previously triggering this API with the default |
Distribution 2.0
Released: January 12, 2020
Deprecated Features
Distribution 2.0 introduces several deprecated features. Learn More >
Also read about the features that are currently out of scope and will be available soon, in forthcoming release. Learn More >
Breaking Changes
For a list of breaking changes in Distribution and other services in the JFrog Platform, click here >
REST API Changes
For a list of REST API changes in Distribution, click here >
Important: The JFrog Platform web UI is now accessed through port 8082 (For example, http://SERVER_HOSTNAME:8082/ui/). Accessing Xray directly for REST API and downloads is still possible through port 8081. Learn More >
Highlights
JFrog Platform
Announcing the new JFrog Platform, designed to provide developers and administrators with a seamless DevOps experience across all JFrog products, supporting the following main features:
- Universal package management with all major packaging formats, build tools, and CI servers.
- Security and Compliance that's fully integrated into the JFrog Platform, providing full trust of your pipeline from code to production.
- Radically simplified administration with all configurations in one place.
- Complete trust in your pipeline all the way from code to production.
- Seamless DevOps experience from self-hosted, cloud, hybrid or multi-cloud of your choice.
JFrog Platform New Functionalities
System Architecture
The new Distribution architecture has been updated to align with all JFrog products in the Platform. Learn More >
Distribution system.yaml
This release introduces a new system configuration file, allowing system configurations to be handled externally to the application, before/after the installation process. Learn More >
Installation and Upgrade
Distribution 2.0 comes with a new installer, which affects the installation and upgrade procedures. The file structure has been improved and is now aligned across all JFrog products. Learn More >
Distribution must be connected only to a single Artifactory instance . If you have a single Distribution instance connected to multiple Artifactory instances, t he upgrade to the JFrog Platform requires mapping a source Artifactory to a single Distribution service. If you are creating and distributing release bundles from multiple source Artifactory instances, you now need to deploy a Distribution service in every JPD that contains these source Artifactory instances. You would then register multiple Distribution services to one Mission Control.
Unified User Interface
This version introduces a new UI that is unified for the entire JFrog Platform, including all JFrog products. If you are using Artifactory and other JFrog products such as JFrog Xray, JFrog Distribution, JFrog Mission Control and JFrog Insights, you will now be able to access them all from within a single UI with one URL address. Learn More >
Unified Permission Model
This version unifies all JFrog product permissions, allowing easier permission management across all products from one unified UI. The Unified Permission Model enables you to create a single permission target that applies to all products installed in the JFrog Platform. Since the products are unified within the Platform, you can now use a single permission target to control the permissions of all products. Learn More >
Logging
All JFrog products now follow a standardized logging format and naming convention. Learn More >
Feature Enhancements
Xray Integration
Release Bundles can now be scanned for security and compliance issues with JFrog Xray. This means you can now define security and compliance policies for your organization, on the release bundles, to ensure your distributable content is protected and meets your standards. Learn More >
Package View Including Distribution Data
This version includes a Package Viewer, providing a 360 view of your packages from all your available JFrog services, including JFrog Distribution. With this, you can understand which packages are included in release bundles and have been distributed to various Artifactory Edge devices. Learn More >
