MusicBrainz Server update, 2021-04-19

Hi! We’re back with another (fairly small) release. Perhaps the most noticeable new thing, other than a few squashed bugs, is that we’re finally officially linking to the 1200px thumbnails of Cover Art Archive images. While these were being generated for new images already for quite a while, we didn’t want to start linking to them until we figured out how to ensure they were also generated for all the images already there. Thankfully, our user (and recent new auto-editor) ROpdebee got in touch with the right people in the Internet Archive and basically made all the efforts needed to ensure this happened. So, we officially have 1200px thumbnails now! That’s some big thumbnails for you.

A new release of MusicBrainz Docker is also available that matches this update of MusicBrainz Server. See the release notes for update instructions.

Thanks to yyoung for improving Bandcamp and DNB URL cleanup. Thanks to CatQuest, chaban, kepstin, Lotheric, navap, selflessself, synthicalist13 and xplt for having reported bugs and suggested improvements. Thanks to ROpdebee for helping us get all the 1200px thumbnails generated. Thanks to Mellthas, mfmeulenbelt, salorock and SistemaRayoXP for updating the translations. And thanks to all others who tested the beta version!

The git tag is v-2021-04-19.

Fixed Bug

  • [MBS-11500] – “Add cover art” edits link to no longer existing release
  • [MBS-11563] – Cache makes newly linked recordings not show in work rels table
  • [MBS-11564] – Niconi Commons “download for free” links blocked by Nicovideo cleanup
  • [MBS-11569] – Collection created from entity sidebar does not restrict entity type
  • [MBS-11581] – Release Group still shows cover art despite Release being darkened
  • [MBS-11582] – Instrument alias sortname guess button breaks page

Improvement

  • [MBS-9631] – Add 1200px to available sizes under cover art images, in release’s Cover Art tab
  • [MBS-9833] – Link relationship style guide within release edit relationships tool
  • [MBS-10534] – Handle both DNB permalinks and DNB search links
  • [MBS-11524] – Disallow *.bandcamp.com/ URLs at release and recording level
  • [MBS-11527] – Block smart links: music.indiefy.net
  • [MBS-11533] – Block smart links: snd.click
  • [MBS-11542] – Update Classical Archives URL format
  • [MBS-11552] – Add validation for Classical Archives links
  • [MBS-11566] – Ensure consistent ordering of appearances sections

Task

  • [MBS-11514] – Move from passing $c to using React.useContext in the sidebar
  • [MBS-11515] – Move from passing $c to using React.useContext in header/footer/menus
  • [MBS-11516] – Move from passing $c to using React.useContext in entity lists
  • [MBS-11517] – Move from passing $c to using React.useContext in MergeHelper

MusicBrainz Server update, 2021-04-05

This time we have a lot of small bug fixes and improvements, and two changes that are likely to be more noticeable. The first one: the list of tags for a user is now paginated, and it shows the upvoted and downvoted tags separately. This is probably good news all around. The second one: long lists of relationships are also paginated. For example, the relationships page for the London Symphony Orchestra now only shows some of the orchestra relationships directly, with a link to “See all 17,303 relationships”. This change was needed, since these pages had become so big for some artists (and areas) that they were timing out since they took more than 30 seconds to load. This reduces the time for the largest pages to a few seconds – still a lot, but much more manageable. We understand that not having all the relationships shown at once might cause some issues with the workflow of some of our hardcore users. Sorry about that, but hopefully it won’t be too bad! If some use cases are very problematic, let us know and we will think about how to make it better.

A new release of MusicBrainz Docker is also available that matches this update of MusicBrainz Server. See the release notes for update instructions.

Thanks to CatQuest, chaban, EndofLine, HibiscusKazeneko, jesus2099, kellnerd, Kid Devine, navap, Sophist and yindesu for having reported bugs and suggested improvements. Thanks to mfmeulenbelt and salo.rock for updating the translations. And thanks to all others who tested the beta version!

The git tag is v-2021-04-05.

Fixed Bug

  • [MBS-8477] – /user/<user>/tag/<tag> pages don’t distinguish between upvotes and downvotes
  • [MBS-8807] – Artist, Label and Series subscribers sub-page wrongly shows “You have no collections!”
  • [MBS-9543] – Seeding a string of “0” results in the field being blanked out
  • [MBS-11320] – When the “I don’t know the tracklist for this medium.” checkbox is unchecked on an existing release, the “Add medium” window pops up
  • [MBS-11321] – Strange things happen when adding the tracklist to a release with exactly 1 unknown medium
  • [MBS-11373] – Relationship merging in relationship editor no longer replaces empty dates
  • [MBS-11386] – Area containment missing from indexed area search results
  • [MBS-11442] – Entering a tag from the Add Cover Art page disables tagging and cover art submission
  • [MBS-11452] – Private user subscriptions tab shown on collection and subscribers page
  • [MBS-11454] – Can’t edit release with format/date clash even if error already existed
  • [MBS-11462] – Private subscriptions/tags/ratings user tabs uselessly shown to admins
  • [MBS-11473] – ISE when loading edit/open while logged out
  • [MBS-11508] – Qobuz favicon is missing
  • [MBS-11510] – Labels for arrows to move tracks up/down are not showing
  • [MBS-11531] – Filtering reports gives ISE
  • [MBS-11538] – Collections data missing in some sidebars

Improvement

  • [MBS-1178] – Relationship view needs paging.
  • [MBS-1870] – Showing a users tags should be paginated
  • [MBS-9310] – Link to created relationship type in Add Relationship Type edits
  • [MBS-9349] – Add Pinterest links to the sidebar
  • [MBS-10691] – Allow seeing tags the user has downvoted in user/tags
  • [MBS-10726] – Several release editor buttons say “disc” but really mean “medium”
  • [MBS-11429] – Don’t block editing if existing URL fails foul of later-added blocking rule
  • [MBS-11432] – Allow also linking places and works to Operabase
  • [MBS-11455] – Make linking of user statistics more consistent
  • [MBS-11467] – Use sort name to order lists of artists for tags
  • [MBS-11476] – Don’t show own open edits in /edit/open
  • [MBS-11485] – Allow irc(s):// links on expand2react
  • [MBS-11503] – Block smart links: trac.co
  • [MBS-11506] – Point home page ‘data’ link to ‘MB Database’

New Feature

  • [MBS-9851] – Add “is not edit author” option when searching for edits by “Edit Note Author”
  • [MBS-11222] – Add a report for releases with media without a tracklist

React Conversion Task

  • [MBS-10690] – Convert user tag list page to React

MusicBrainz Server update, 2021-03-15

This week we have a lot of small fixes and improvements, including a patch that should fix to the elusive bug where some recording pages would sometimes fail to load with a type error. The fix for that issue involved a large change in how we move data around behind the scenes, and in turn caused a few new issues that were reported and fixed during the beta testing period (even more thanks than usual to all testers!). If you happen to find any small errors that might still have remained undetected during the beta testing period, please do let us know.

A new release of MusicBrainz Docker is also available that matches this update of MusicBrainz Server. See the release notes for update instructions.

Thanks to babelfisch, CatQuest, chaban, Cyberskull, Cyna, Freso, HibiscusKazeneko, jacobbrett, jesus2099, kellnerd, Kid Devine, salo.rock, uLuGaBi and Yurim for having reported bugs and suggested improvements. Thanks to Besnik, Jesús Heriberto López Cisneros, mfmeulenbelt, salo.rock, SpearDog, stevemarsan and SustReal for updating the translations. And thanks to all others who tested the beta version!

The git tag is v-2021-03-19-hotfixes.

Fixed Bug

  • [MBS-8232] – Guess case lowercases after U+201C (left double quotation mark)
  • [MBS-8621] – Inconsistent result between track and release guess case after apostrophe
  • [MBS-9581] – Event locations (areas/places) don’t use relationship credits in lists
  • [MBS-10004] – JSON-LD MBID URIs should be HTTP
  • [MBS-10866] – TypeError was shown for a recording page
  • [MBS-10976] – Unicode Private Use Area characters are stripped during edit process
  • [MBS-11384] – Some (release) countries are untranslated
  • [MBS-11385] – Country names untranslated in indexed search results
  • [MBS-11407] – Errors that go directly through Controller->error expect .tt templates
  • [MBS-11409] – Recurring warning in server logs for recording’s page
  • [MBS-11410] – Edit could not be created while at the same time approving another one had a time-out
  • [MBS-11420] – “Paste Credits” function doesn’t apply artist credit if it matched existing name
  • [MBS-11423] – Beginner editors report doesn’t show any data
  • [MBS-11424] – Release seeding landing page joins multiple values into one
  • [MBS-11426] – Track URL links open wrong medium when medium position is not aligned with CD numbers

Improvement

  • [MBS-9836] – Guess Case: stop uppercasing “the” in artist names
  • [MBS-9866] – Add some info of what IPI and ISNI are on add forms
  • [MBS-9871] – Display all non-part-of series relationships for a series on pages for entities in the series
  • [MBS-9884] – Use “Created” as label for the begin date of character-type artist
  • [MBS-9987] – JSON-LD: Use “Concept URI” for Wikidata IRIs in the sameAs relation
  • [MBS-10012] – Treat HTTP & HTTPS versions of a link as identical in the entity editor
  • [MBS-10076] – Give a friendlier error when trying to delete an attribute that has children
  • [MBS-10416] – Prevent entering control character in annotation
  • [MBS-10487] – Allow adding instruments and areas from inline search for users with the right privileges
  • [MBS-11398] – Add Qobuz links to sidebar
  • [MBS-11402] – Block smart links: many.link
  • [MBS-11405] – Don’t show ended URL rels in “deprecated relationships” reports
  • [MBS-11408] – Clarify Edit Note Author edit search options
  • [MBS-11419] – Show YouTube Music links on the sidebar
  • [MBS-11422] – Block smart links: gate.fm
  • [MBS-11427] – Add new fields to release editor seeding testing page (seed-love-bug)
  • [MBS-11431] – Speed up /ws/js/check_duplicates
  • [MBS-11433] – Add Mp3tag to the Products header menu and main page tagger list

React Conversion Task

  • [MBS-11403] – Convert attribute in use page to React/JSX

MusicBrainz Server update, 2021-03-01

Welcome to another MusicBrainz release! This time we have a fair amount of small bugs and improvements both newly requested and recovered from the ancient times of… well, a few years ago, because we spent quite a bit of time looking at older tickets.

A new release of MusicBrainz Docker is also available that matches this update of MusicBrainz Server. See the release notes for update instructions.

Thanks to CatQuest, chaban, Freso, HibiscusKazeneko, kellnerd,  Lucas Werkmeister, pmepepnoute, Psychoadept, salorock, Sotho Tal Ker and Trevor for having reported bugs and suggested improvements. Thanks to mfmeulenbelt, Remko de Keijzer, salorock for updating the translations. And thanks to all others who tested the beta version!

The git tag is v-2021-03-01.

Fixed Bug

  • [MBS-10117] – Password length error message does not indicate correct password length
  • [MBS-10744] – Gender of editors is not translatable
  • [MBS-11378] – Artist gender in artist overview is untranslated
  • [MBS-11387] – “instrument:” attribute name is untranslated when editing relationships
  • [MBS-11390] – Editor profile added entities: Incorrect count when there are pre-NGS release adds
  • [MBS-11395] – muziekweb.nl links not shown on sidebar
  • [MBS-11396] – CollectionType/SeriesType admin page shows entity_type rather than type of allowed entities
  • [MBS-11397] – Place-Series relationship does not show on series page

Improvement

  • [MBS-9095] – Add Recochoku and mora links to the sidebar
  • [MBS-9706] – Normalize OCRemix URLs (including HTTPS)
  • [MBS-10195] – Block Google Amp links & prompt user to get canonical link instead
  • [MBS-10227] – Display entity count on collection page
  • [MBS-10343] – Display a placeholder for darkened images
  • [MBS-10452] – Implement tagger links for releases on recording pages
  • [MBS-10470] – Rename “IRC” link in footer to “Chat (IRC)”
  • [MBS-10557] – Normalize Recochoku URLs to use HTTPS
  • [MBS-11287] – Add Apple Touch icon to the MusicBrainz website
  • [MBS-11389] – Top-align edit medium Tracklist tables
  • [MBS-11394] – Don’t try to load cover art for darkened releases

MusicBrainz Server update, 2021-02-15

This is a fairly small release that brings a few bug fixes and some small improvements, while the team works on some background tasks.

A new release of MusicBrainz Docker is also available that matches this update of MusicBrainz Server. See the release notes for update instructions.

Thanks to david-russo and jesus2099 for submitting patches. Thanks to hibiscuskazaneko, kellnerd and Trevor for having reported bugs and suggested improvements. Thanks to mfmeulenbelt and salorock for updating translations. And thanks to all others who tested the beta version!

The git tag is v-2021-02-15.

Fixed Bug

  • [MBS-9573] – Search for edits loses track of type criteria
  • [MBS-11354] – Recording edit view shows up/down arrows for recordings of a single work
  • [MBS-11366] – Harmful links not greyed out once they have been removed
  • [MBS-11368] – Regression: track title span.name-variation disappeared from Edit Medium edit

Improvement

  • [MBS-11329] – Return privileges as a number in internal editor JSON
  • [MBS-11352] – Add Starzik to the “malware domains” blacklist and isGreyedOut
  • [MBS-11359] – Add GeoNames to the sidebar
  • [MBS-11365] – Allow Resident Advisor /podcast URLs for releases
  • [MBS-11369] – Don’t use top vertical align data in tables for details
  • [MBS-11370] – Historic edit track length: display track lengths of 0 ms or -1 ms as unknown

MusicBrainz Server update, 2021-02-01

This slightly delayed release brings with it more bugfixes, improvements, and React-converted templates than usual. A new data report created by loujin lists disc IDs that are attached to media but not applied to them. Also, the Italian localization of the website – that was available in beta only and is maintained by salorock – reached 100% and is now available for the main website, evviva!

A new release of MusicBrainz Docker is also available that matches this update of MusicBrainz Server. See the release notes for update instructions.

Thanks to loujin for updating data reports about CD releases. Thanks to Alex_, cam1170, CatQuest, chaban, chirlu, culinko, danbloo, flamingspinach, eloise_freya, Freso, ianmcorvidae, jesus2099, kellnerd, Lotheric, loujin, metrickstar, nikki, pmepepnoute, psychoadept, rafwuk, and selflessself for having reported bugs and suggested improvements. Thanks to mfmeulenbelt and salorock for updating translations. And thanks to all others who tested the beta version!

The git tag is v-2021-02-03.1-hotfixes.

Fixed Bug

  • [MBS-4782] – Cover art edits of merged releases display with broken release link and without image
  • [MBS-8028] – Can’t edit series type
  • [MBS-9674] – URLs with IDN domains not considered valid
  • [MBS-10187] – “Merge artists” edit is stuck
  • [MBS-10872] – Fix “colSpan” in “Edit Medium” edits
  • [MBS-10964] – The credited-as name in an artist credit cannot be empty
  • [MBS-11123] – Improve the “Added entities” table in the editor profile
  • [MBS-11289] – Can not add YouTube Music as external link
  • [MBS-11292] – United Nations flag inappropriate icon for worldwide
  • [MBS-11317] – Annotation trimming breaks initial <li> in release editor
  • [MBS-11328] – Regression: Approving an edit redirects to home page
  • [MBS-11332] – Ended recording-of rels in release inline view show “((ended))”
  • [MBS-11333] – Regression: Cover art edits of merged releases display incomplete filename
  • [MBS-11340] – Punctuation and diacritics not allowed in Spotify user URLs
  • [MBS-11353] – Regression: Image type can’t be unset
  • [MBS-11357] – Regression: Unable to link RateYourMusic to release groups (hotfixed)
  • [MBS-11358] – Regression: Alias sort name can’t be left blank (hotfixed)
  • [MBS-11360] – Regression: Can’t add/edit release group alias (hotfixed)
  • [MBS-11362] – Regression: Recent medium title edits look like they changed the tracklist (hotfixed)
  • [MBS-11363] – Regression: Bad request when cancelling a merge (hotfixed)

Improvement

  • [MBS-1459] – Only display links at bottom of artist overview when relevant
  • [MBS-4548] – Allow seeing all uses of an artist credit
  • [MBS-9840] – Add OVERTURE by DOREMUS to the other DBs whitelist
  • [MBS-10830] – Don’t display remove function in sidebar if an entity can’t be removed
  • [MBS-10915] – Add button to remove individual data tracks in presence of Disc ID
  • [MBS-11111] – Mark recordings merged from release merge as having pending edits
  • [MBS-11256] – Auto accept adding track listing to previously unknown medium
  • [MBS-11279] – Make ISWC and ISRC search in otherlookups consistent
  • [MBS-11288] – Drop decoda.com from lyrics whitelist
  • [MBS-11297] – Block adding Wikipedia/Wikidata links to releases
  • [MBS-11310] – Clarify when discid would cause subsecond changes
  • [MBS-11322] – Update Resident Advisor URL cleanup and add validation
  • [MBS-11324] – Trim input in the barcode search field
  • [MBS-11327] – Show CAA icons on release search page
  • [MBS-11336] – Don’t show ended rels in “URLs with deprecated relationships” report
  • [MBS-11344] – Use HTTPS for rateyourmusic URLs and add validation
  • [MBS-11346] – Lower threshold on report for discID with very long durations
  • [MBS-11351] – Sort instrument reports by name before type

New Feature

[MBS-11348] – New report for releases with attached discIDs that are not actually applied

React Conversion Task

  • [MBS-10995] – Convert Other Lookups form to React
  • [MBS-10996] – Convert search index to React
  • [MBS-11045] – Convert Edit medium edit to React
  • [MBS-11112] – Convert /main error pages to React
  • [MBS-11168] – Convert alias edit form and edit pages to React
  • [MBS-11277] – Convert Other Lookups results to React

Other Task

  • [MBS-10999] – Make adding ISNIs and IPIs auto-edits for everyone
  • [MBS-11361] – Enable Italian localization for musicbrainz.org (hotfixed)

MusicBrainz Server update, 2021-01-11

To welcome this new year, we present a new release of MusicBrainz Server, which is mostly about fixing bugs and making small usability improvements, while continuing the React conversion. Beyond the website, the two most noticeable changes to API users are a bug fix in our OAuth implementation and the addition of recordings’ first release date to release lookup results.

A new release of MusicBrainz Docker is also available that matches this update of MusicBrainz Server. See the release notes for update instructions.

Thanks to atj, chaban, cyberskull, darwinx0r, dragonzeron, drsaunde, fabe56, hibiscuskazaneko, jesus2099, loujin, nikki, salorock for having reported bugs and suggested improvements. Thanks to francescoSardo, mfmeulenbelt, salorock, and Skyjaython for updating the translations. And thanks to all others who tested the beta version!

The git tag is v-2021-01-11.

Fixed Bug

  • [MBS-7752] – Clicking on Subscribe/Unsubscribe sends me to the MusicBrainz homepage
  • [MBS-10913] – Since-removed standalone recordings show as being created on “add” edit
  • [MBS-10954] – DiscID tab disabled on “remove disc ID” page
  • [MBS-11181] – Unable to add ended relationship when another relationship to the same target already exists
  • [MBS-11183] – Artist name not preserved as alias after merge
  • [MBS-11233] – Seeding capability was broken during lodash removal
  • [MBS-11237] – Wrong rel info loaded when seeding relationships with target MBID
  • [MBS-11240] – Wrong country detected for Amazon links
  • [MBS-11250] – JSON rating lookup returns the serialized entity instead of the rating
  • [MBS-11253] – JSON tag lookup returns the serialized entity instead of the tag
  • [MBS-11262] – Release sidebar status is untranslated
  • [MBS-11263] – Some valid beatport URLs are not allowed
  • [MBS-11264] – Guess Case > French mode > Chain of c combined with ‘ incorrectly convert it in uppercase
  • [MBS-11265] – Artist not always shown for reorder medium edits
  • [MBS-11275] – Recordings shown as deleted when moving disc ID
  • [MBS-11276] – Same barcode warning points to release being edited
  • [MBS-11278] – Ratings not listed despite rating average and count being present
  • [MBS-11281] – Relationship merge code ignores invalid date periods
  • [MBS-11285] – User rating style doesn’t stick in collections
  • [MBS-11291] – Wrong bootleg check in “ReleasesSameBarcode” report
  • [MBS-11313] – OAuth PKCE S256 verification implementation is not RFC compliant

Improvement

  • [MBS-6048] – Allow submitting edit note when adding ISRCs through the WS
  • [MBS-8141] – Link the disc ID on the remove disc ID page
  • [MBS-8169] – Add a link to the timeline for individual statistics
  • [MBS-11126] – Historic edits: display track lengths of 0 ms or -1 ms as unknown
  • [MBS-11221] – Normalize whosampled.com links to HTTPS
  • [MBS-11234] – Add validation for whosampled links
  • [MBS-11246] – Support for Amazon.SE ASINs
  • [MBS-11248] – Block smart links: li.sten.to
  • [MBS-11274] – Always show the timeline line if accessing via a direct stat link
  • [MBS-11304] – Add recordings’ first release date to API “release” lookup’s output
  • [MBS-11306] – Update CDJapan URL cleanup to use HTTPS + add them to the sidebar
  • [MBS-11309] – Block ToneDen smart links

React Conversion Task

  • [MBS-11228] – Convert Change Release Quality edit to React
  • [MBS-11229] – Convert cover art edits to React
  • [MBS-11235] – Convert Edit Instrument edit to React
  • [MBS-11239] – Convert historic Edit Release Events edit to React
  • [MBS-11243] – Convert first set of cover art forms and pages to React

Other Task

  • [MBS-11247] – Stop highlighting (discontinued) BBC Music relationships

MusicBrainz servers update, December 2020

Let’s end the year 2020 on a brighter note with new releases of both MusicBrainz Server and its companions for advanced indexed search.

The most urgent task was to lower the risk of leaking private data again (see previous incident) by reducing the scope of editor data passed to the renderer.

The most visible improvement of the website is the addition of instrument illustrations by IROM. Thanks to him for these very welcomed drawings. See sistrum for an example; we will keep adding illustrations to other instruments little by little.

The most useful improvements to the API are the addition of their first release date to recordings (both in lookup and search) and release groups (which were missing it in search results), and the addition of MBIDs for artists’ gender and releases’ status.

Advanced indexed search has also been improved to allow searching for releases by type of packaging, for recordings and release groups by first release date, and to simplify searching for releases by type of medium’s format.

Finally, a fair number of smaller bugs have also been fixed, and React conversion is being continued.

A new release of MusicBrainz Docker is also available that matches this update of MusicBrainz Server. See the release notes for update instructions.

Thanks to amCap1712 for fixing a pair of bugs in outputting search API results, and jesus2099 for fixing a bug in seeding the release editor. Thanks to avilla, CatQuest, chaban, jgrmstr, jstranger, Lotheric, loujin, nikki, Psychoadept, and serg for having reported bugs and suggested improvements. Thanks to Besnik, mfmeulenbelt, and salorock for updating the translations. And thanks to all others who tested the beta version!

The git tags are v-2020-11-12 for MusicBrainz XML Metadata Schema, v-2020-12-14 for MusicBrainz Server, v-2020-12-24 for MusicBrainz Simple Solr Search Server Schema, v2.0.0 for Search Index Rebuilder, and v3.4.1 for MusicBrainz Solr Query/Response Writer.

Bug

  • [MBS-4555] – Seeding the release editor when logged out loses the seeded information
  • [MBS-8438] – The same event is displayed twice on an artist’s “Events” tab if they have multiple roles on it
  • [MBS-10664] – Regression: HTML tags are incorrectly displayed in editor’s bio
  • [MBS-11092] – Some issue with userscripts/plugins and beta site
  • [MBS-11169] – Artist credit doesn’t display properly in release pages when credits are at the bottom of the release instead of inline
  • [MBS-11207] – Error messages from DBI are badly encoded
  • [MBS-11212] – Incorrect quality attribute in “ws/2/release”
  • [MBS-11214] – Relationships with different link order not split on “see at bottom” medium rels display
  • [MBS-11220] – Release editor seeding is displayed in wrong language
  • [MBS-11223] – Releases with “unknown tracklist” on a medium failed to load in the “Edit Relationships” tab
  • [MBS-11227] – Unexpected URL used when removing release groups from merge queue
  • [SEARCH-623] – Gender ID is missing from JSON/XML artist search results
  • [SEARCH-624] – Status ID is missing from release in JSON/XML search results

Improvement

  • [MBS-1424] – Add a “First release date” field to recordings
  • [MBS-11188] – Block smart links: “album.link”
  • [MBS-11224] – Releases with no medium should show a clear message in the relationship editor
  • [MBS-11225] – Make “staticbrainz.org/irombook/” URLs autoselect for image relationship
  • [MBS-11271] – Reduce the scope of editor data passed to the template renderer
  • [SEARCH-319] – Add first release date to the results of indexed search for release groups
  • [SEARCH-574] – Make release’s format search field insensitive to spaces and separators

New Feature

  • [MBS-10590] – Allow displaying IROMBOOK instrument images on MusicBrainz
  • [MBS-11216] – Split report “InstrumentsWithoutWikidata” from “InstrumentsWithoutAnImage”
  • [SEARCH-218] – Add first release date to the fields and results of indexed search for recordings
  • [SEARCH-384] – Add first release date to the fields of indexed search for release-groups
  • [SEARCH-590] – Add packaging to the fields of indexed search for releases

React Conversion Task

  • [MBS-11018] – Convert Add Relationship Type edit to React
  • [MBS-11211] – Convert the login page to React

Other Task

  • [MBS-10634] – Rework the “Instruments without an image” report to only look at IROMBOOK images
  • [MBS-11210] – Allow more subpaths for “saisaibatake.ame-zaiku.com”

Leaked email address incident: 2020-11-23

We’re saddened to write that we’ve let some of our users down by accidentally leaking their email addresses and birth dates via a bug in the web pages of musicbrainz.org. This caused some users to receive unwanted spam emails.

However, we would like to emphasize that no passwords, passwords hashes or any other bits of private user information other than email addresses and birth dates were leaked.

If you have never added or edited an annotation on MusicBrainz, then your email address and birth date were never leaked and you can ignore this — your data has not leaked.

What happened

About two weeks ago a MusicBrainz editor contacted us to say that their email address that was in use only at MusicBrainz had received spam. The user changed the email address to a very distinct email address in order to rule out a spammer guessing the updated email address. But it happened again, and the user received email to the unguessable email address. 

At this point we began an audit of the MusicBrainz server codebase in an attempt to find out where the leak was, patch it as soon as possible, and discover who was affected by it.

What we found

On 2019-04-26 we released a new version of the MusicBrainz server and in this version we added email addresses to the list of editor data we pass to our server to build MusicBrainz pages. The goal of this was to display them in admin-facing pages to, ironically, be able to fight spammers who were using MusicBrainz as a spamming tool. We also added the editor’s birth date, to be able to congratulate them on their birthday. Neither of these cases should have ever been a problem, since the private data should only be used on pages built and sent from our own server (where the data cannot be seen by anyone else), and any editor info sent to the users’ browser goes through a “sanitizing” process eliminating all this private information.

After some digging, we discovered that due to a bug we had overlooked in the code that stripped this data, the addresses and dates had started being sent to the browser whenever an entity page with an annotation was requested. The email address and birth date of the last person to have edited an annotation in MusicBrainz (any annotations, attached to any of our entities) was leaked on the page for the entities in question. This data was contained in a massive block of JSON data in the page source and was never shown on the web page for humans to see, which is why this issue went undetected for so long.

Who was affected

We looked at all editors who wrote any annotations that were displayed between the date the problematic code was released and the date the bug was fixed. This can mean either the annotation was written during this time period, or it was written before that but (being the latest version of the annotation for the entity) it was still displayed during this time period. This gave us a total of 17,644 editors whose data was at some point visible from the JSON block in at least one entity’s source code. We sadly do not have a way to know for sure how many of the affected were actually ever found and stored by spammers, since we attempt to block botnets as much as possible. As such, we simply have no way of knowing who was really affected by this leak — only who might have been.

What we’ve done

Once we detected the issue on November 22, we immediately put out a hotfix to all production (and beta) servers plugging the leak. The hotfix acted to sanitize the editor data by removing email addresses and birth dates from the JSON. We also deployed two additional changes that should help prevent similar issues from occurring, by avoiding sending sensitive editor data to our template renderer altogether. See all changes from the git tag v-2020-11-22-hotfix.

We are planning to improve our testing infrastructure to detect exposure of editor data — this will become a routine part of our continuous integration process. We are also going to ensure that any pull request dealing with editor data goes through a strict testing checklist.

How did spammers get these email addresses?

You might be wondering how such an obscure leak in a web page can end up in spammers finding and using your email — you’re not alone. 

Our sites are under near constant traffic from seemingly random internet bots fetching thousands of our pages in a day, with no apparent goal. All of our metadata is available for download, so why would someone download pages from us at random?

Well, we now know — web pages can contain a whole host of random data that shouldn’t be there. Email addresses, birth dates and such are just the starting point — there have been websites that have leaked credit card numbers and even login passwords, possibly compromising the integrity of user accounts.

In this case it appears that a botnet kept downloading pages from musicbrainz.org and driving the load on our servers up. We’ve been trying to block botnets ever since they’ve come into existence, but this is a laborious task that is never complete.

It appears that spammers used the botnet to scour the internet for private data such as emails to then send out lovely spam emails to all compromised users.

Summary

We would like to wholeheartedly apologize for this data leak. We take data privacy seriously and we aim to have high standards about privacy and data security. We find ourselves frustrated by the endless data leaks that happen on the Internet on a seemingly continuous basis and work hard to avoid committing these mistakes in our domain. However, we’re also human and we do make mistakes periodically. As explained above, we’re working to improve our systems and processes in order to prevent this from happening again.

We hope that you accept our most sincere apologies for this leak.

Robert Kaye, Michael Wiencek, Nicolás Tamargo and Yvan Rivierre

MusicBrainz Server update, 2020-11-02

Right after Halloween, this new release of MusicBrainz Server tricks some bugs and treats some improvements, plus some work on the usually terrifying React conversion and updates to handle external links.

A new release of MusicBrainz Docker is also available that matches this update of MusicBrainz Server. See the release notes for update instructions.

Thanks to chaban, darwinx0r, kellnerd, hibiscuskazaneko, jesus2099, lotheric, snartal, and tularion for having reported bugs and suggested improvements. Thanks to grafi_tt, mfmeulenbelt, salorock, and shepard for updating the translations. And thanks to all others who tested the beta version!

The git tag is v-2020-11-02.

Bug

  • [MBS-6666] – Artist credits not renamed from artist edit page unless the artist name is changed
  • [MBS-10281] – Improper encoding of ISE pages
  • [MBS-10829] – Indexed recording search fails to find recording with no length
  • [MBS-11160] – Internal server error pages display empty stack traces
  • [MBS-11161] – Internal server error page sometimes not returned when an error occurs
  • [MBS-11186] – Inconsistent username font-weight for edit owner
  • [MBS-11194] – TypeError: Cannot read property ‘linkTypeID’ of undefined (part 2)
  • [MBS-11204] – ISE: Validation failed for \’Int\’ with value undef

Improvement

  • [MBS-7219] – Only display “Show only standalone recordings instead” when there are standalone recordings to display
  • [MBS-11158] – Document URL link_type integers for release editor seeding
  • [MBS-11177] – Do not show useless “Description:” label in entity type doc boxes
  • [MBS-11185] – Add “is not” operator for relationship type in edit search
  • [MBS-11192] – Add voting-icon for Approved
  • [MBS-11197] – Add validation for Mainly Norfolk links
  • [MBS-11199] – Update 7digital.com URL cleanup

React Conversion Task

  • [MBS-11195] – Convert the artist credit renamer to React

Other Task

  • [MBS-11182] – Remove LyricWiki links from the sidebar
  • [MBS-11189] – Remove PureVolume links from sidebar
  • [MBS-11196] – Add saisaibatake.ame-zaiku.com to “other databases” for instruments
  • [MBS-11200] – Add works to VGMdb autocleanup