Download: 2.14.22 | 2.14.21 | 2.14.20 | 2.14.19 | 2.14.18 | 2.14.17 | 2.14.16 | 2.14.15 | 2.14.14 | 2.14.13 | 2.14.12 | 2.14.11 | 2.14.10 | 2.14.9 | 2.14.8 | 2.14.7 | 2.14.6 | 2.14.5.1 | 2.14.4 | 2.14.3 | 2.14.2 | 2.14.1 | 2.14
Documentation: 2.14.22 | 2.14.21 | 2.14.20 | 2.14.19 | 2.14.18 | 2.14.17 | 2.14.16 | 2.14.15 | 2.14.14 | 2.14.13 | 2.14.12 | 2.14.11 | 2.14.10 | 2.14.9 | 2.14.8 | 2.14.7 | 2.14.6 | 2.14.5.1 | 2.14.4 | 2.14.3 | 2.14.2 | 2.14.1 | 2.14
This release contains schema changes. To upgrade:
java -jar gerrit.war init -d site_path
Gerrit 2.14 introduces a new secondary index for groups. The initial version of this index must be created by running the offline reindex before starting Gerrit:
java -jar gerrit.war reindex --index groups -d site_path
Note that it is not necessary to reindex the changes and accounts indexes offline. These will automatically be reindexed by the online reindexer after starting Gerrit.
Gerrit now requires Java Runtime Environment (JRE) version 8. It is no longer possible to run Gerrit on JRE 7 and it is not compatible with JRE 9 or newer yet. For more information, see Issue 7843.
The Bouncy Castle Crypto API libraries are now distributed in the Gerrit .war file rather than being downloaded during site initialization. When upgrading from a previous version of Gerrit, previously downloaded Bouncy Castle .jar files remaining in the site's /lib folder will be disabled by appending .disabled to the file name.
Support for HTTP Digest Authentication is removed. With the move to NoteDB, the per-account data (including the HTTP password) will be stored in a branch in the All-Users repo, where it is subject to Gerrit ACLs.
Since these are notoriously hard to set up correctly, we want to avoid storing the password in plaintext.
Existing passwords will be migrated to a hashed password during site initialization when upgrading from an earlier version of Gerrit.
An exclusive ALLOW permission now has priority over a BLOCK permission when both permissions are defined on the same project. This means an exclusive ALLOW rule now overrules BLOCK rules on the same project. BLOCK rules still cannot be overruled by child projects. This change makes it possible to allow a permission for a specific ref and to block the same permission for all other refs. For example, it is now possible to allow all users to push changes for review, but to block all direct pushes:
[access "refs/*"]
  push = block group Anonymous Users
[access "refs/for/*"]
  exclusiveGroupPermissions = push
  push = group Registered Users
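A simplified model of the precedence rule described above, added here as an illustration; it is not Gerrit's own permission code. The names Section, allowed and exclusive_beats_block, the group sets and the CHILD project are hypothetical; only trailing /* patterns are handled, and a BLOCK and an ALLOW inside the same section are not modelled.

```python
from dataclasses import dataclass, field


@dataclass
class Section:
    pattern: str                                 # ref pattern, e.g. "refs/for/*"
    rules: dict                                  # permission -> [(action, group), ...]
    exclusive: set = field(default_factory=set)  # names in exclusiveGroupPermissions


def matches(pattern, ref):
    """Only exact ref names and trailing '/*' wildcards are modelled."""
    if pattern.endswith("/*"):
        return ref.startswith(pattern[:-1])
    return ref == pattern


def user_rules(sections, permission, groups):
    """Actions of the rules in `sections` that apply to one of the user's groups."""
    return [action
            for section in sections
            for action, group in section.rules.get(permission, [])
            if group in groups]


def allowed(hierarchy, permission, ref, groups, exclusive_beats_block=True):
    """hierarchy: list of projects (each a list of Section), root parent first.

    exclusive_beats_block=False models the behaviour the note says was replaced:
    a BLOCK anywhere in the project wins even against an exclusive ALLOW.
    """
    granted = False
    for sections in hierarchy:
        # Most specific matching section first (longest pattern: a simplification).
        hits = sorted((s for s in sections if matches(s.pattern, ref)),
                      key=lambda s: len(s.pattern), reverse=True)
        visible, exclusive_hit = [], False
        for section in hits:
            visible.append(section)
            if permission in section.exclusive:
                exclusive_hit = True   # less specific sections are ignored
                break
        block_scope = visible if exclusive_beats_block else hits
        if "block" in user_rules(block_scope, permission, groups):
            return False               # a child project never gets to overrule this
        if exclusive_hit:
            granted = False            # exclusive also drops inherited ALLOW rules
        if "allow" in user_rules(visible, permission, groups):
            granted = True
    return granted


# Constructed sample input: the configuration shown above, plus a hypothetical
# child project that tries to re-open direct pushes.
ALL_PROJECTS = [
    Section("refs/*", {"push": [("block", "Anonymous Users")]}),
    Section("refs/for/*", {"push": [("allow", "Registered Users")]}, exclusive={"push"}),
]
CHILD = [
    Section("refs/heads/*", {"push": [("allow", "Registered Users")]}, exclusive={"push"}),
]
SIGNED_IN = {"Anonymous Users", "Registered Users"}  # signed-in users are in both groups
ANONYMOUS = {"Anonymous Users"}

if __name__ == "__main__":
    for ref in ("refs/for/master", "refs/heads/master"):
        print(ref, allowed([ALL_PROJECTS, CHILD], "push", ref, SIGNED_IN))
```

With exclusive_beats_block=False the same configuration denies pushes to refs/for/master as well, which is why the example configuration only works from this release on.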
This release deprecates the use of Velocity mail templates. In a future release support will be removed and it will be necessary to upgrade custom mail templates to Soy files.
The permissions “Push Annotated Tag” and “Push Signed Tag” are renamed to “Create Annotated Tag” and “Create Signed Tag”. Existing project configurations using the old permission names will be migrated during site initialization.
ref-update hook
The ref-update hook is now only invoked for direct ref updates, i.e. branch creation, branch deletion, and updates (fast-forward and non-fastforward) via direct push. It is not invoked on commits received for review, or on submit of changes.
A new hook named commit-received is added, which is invoked when a commit is received for review, and can be used to prevent reviews from being created. A new hook named submit is added in 2.14.9, which is invoked when a user attempts to submit a change, and can be used to prevent the submit.
Sites using the ref-update hook to validate changes pushed for review, or to validate submits, should migrate to the commit-received and submit hooks.
In version 2.14.4 the fields in the JdbcAccountPatchReviewStore primary key are reordered to improve performance when clearing the reviewed flag for a patch set.
Sites that have already upgraded from an earlier version to 2.13, or to a 2.14.x version before 2.14.4, and want to take advantage of this performance improvement, should manually drop and recreate the primary key as follows:
-- drop the key
ALTER TABLE account_patch_reviews DROP CONSTRAINT primary_key_account_patch_reviews;
-- recreate the key
ALTER TABLE account_patch_reviews ADD CONSTRAINT primary_key_account_patch_reviews PRIMARY KEY (change_id, patch_set_id, account_id, file_name);
Note that this is optional. The site will continue to work without this update. The update is not necessary when upgrading directly to 2.14.4 from a version earlier than 2.13, as the primary key will be created with the updated order anyway.
Changes may be assigned to a specific user. This allows a workflow where the user that is assigned to a change is responsible for reviewing the change and/or passing the assignment on to another user.
In the UI, changes assigned to the currently logged in user are highlighted.
A new assignee: search predicate makes it possible to find changes assigned to a given user.
Gerrit email messages are made easier to read by sending HTML content parts in addition to the existing text email content. This is enabled by default, and can be disabled by setting sendemail.html to false. Users can opt to always receive plaintext emails by setting the Email Format preference.
Mail templates can now be written using Closure Templates (Soy). Mail templates written in Velocity (VTL) are deprecated but still supported. Support for VTL will be dropped in a future release.
Gerrit now supports receiving review comments by email.
It is possible to enable Elasticsearch as a secondary index by setting index.type to ELASTICSEARCH and configuring the Elasticsearch specific configuration parameters.
Note that the Elasticsearch implementation is still considered experimental and it is not advised to use it for production systems.
Issue 3944: Tags can be created and deleted via the Tags screen in the UI. Although the REST API supports creation of both lightweight and annotated tags from 2.14, the GWT UI allows for annotation with 2.14.4 or later.
For merge commits, the list of commits that will be merged into the destination branch is included as the /MERGE_LIST magic file which is shown as Merge List in the UI.
Gerrit now includes a new user interface, referred to as “PolyGerrit”, based on Polymer. The UI can be switched between PolyGerrit and GWT by clicking the “New UI” and “Old UI” links in the site footer. Alternatively, the UI can be switched by adding ?polygerrit=1 or ?polygerrit=0 to the URL. Note that PolyGerrit is still under development. Most use cases are supported, but there are still some missing features compared to the GWT UI.
Normally, changes can be reviewed only before they are merged. This new feature allows for post-submit review of commits by creating a new merged change, by using the ‘merged’ push option.
ref-update hook from being invoked on every commit when pushing multiple commits. Instead of being invoked on every commit received, the ref-update hook is now invoked before the ref update operation is finalized. Note that the hook is no longer invoked on commits pushed for review or on changes that are merged. It is invoked for creation/deletion of refs, and for ref updates caused by direct pushes (i.e. bypassing review). The previous behavior of the ref-update hook is moved into a new hook named commit-received. A new parameter --cmdref is added, and the special handling of refs/for and refs/changes is removed. Sites using the ref-update hook should rename the hook file to commit-received.
Security Fixes
Issue 13514 CVE-2020-8920: Work around Gitiles bug on All-Users visibility.
Gitiles has a special FilteredRepository wrapper that allows carefully hiding refs based on the project's ACLs. There is however an optimization that skips the filtering in case a user has READ permissions on every ACL pattern. When the target repository is All-Users, the optimization turns into a security issue because it allows seeing all personal information associated with all accounts, i.e.:
This fix now blocks Gitiles or any other part of Gerrit from abusing this power when the target repository is All-Users, where nobody can be authorized to skip the ACLs evaluation anyway.
Security Fixes
Issue 12717: Deny access over HTTP for disabled accounts.
A disabled account was still able to access over HTTP until the existing session expired.
Issue 10695: Upgrade JGit to 4.7.9.201904161809-r to fix regression in packfile list handling.
If core.trustfolderstat was set to false, an infinite loop could occur when an object was not found in the packfile.
Don't abort auto-abandoning if one change failed.
When failing to query a single change during auto-abandoning, the whole process was aborted. Now the failure is logged and the process continues to attempt to abandon subsequent changes.
Issue 10562: Upgrade JGit to 4.7.8.201903121755-r to fix corruption of packfile list due to concurrent access during GC.
See JGit issue 544199 for details.
Issue 10262: Upgrade JGit to 4.7.7.201812240805-r to fix validation of wants in git-upload-pack for protocol v0 stateless transports.
AdvertiseRefsHook was not called for git-upload-pack in protocol v0 stateless transports, meaning that wants were not validated and a user could fetch anything that is pointed to by any ref (using fetch-by-sha1), as long as they could guess the object name.
Issue 10242: Fix regression that allows a user's account to be taken over when multiple authentication providers are in use.
A regression introduced in 2.14.7 allowed a user's account to be taken over by creating an account on a different provider with exactly the same username as the existing Gerrit account.
Issue 10112: Upgrade rules_closure to make Gerrit buildable with the latest Bazel version.
Issue 9781: Allow to disable the groups relevance filtering for LDAP.
Issue 9952: Upgrade dependencies to newer versions to fix CVEs.
Issue 9969: Fix incorrect dependency on httpcore-nio for Elasticsearch.
The Elasticsearch REST client depends on version 4.4.5 of httpcore-nio, but the version provided by Gerrit was 4.4.1.
Remove dependency on httpmime.
httpmime was a dependency of Apache Solr, which was removed from Gerrit some time ago.
Fix unnecessary reads of change note refs when NoteDb is disabled.
Change notes packed refs were unnecessarily being read and parsed when NoteDb was disabled.
See the mailing list discussion for more information.
Upgrade Elasticsearch REST client to 6.4.3.
Issue 9836: Fix database connections leaks.
The fix for issue 9823 in 2.14.15 introduced a database connection leak.
Upgrade JGit to 4.7.6.201810191618-r.
.gitmodules files.
Update JGit to 4.7.5.201810051826-r to fix CVE-2018-17456.
This release of JGit implements validation of .gitmodules files to protect unguarded tools against CVE-2018-17456.
Issue 9823: Fix force push permission check for administrators and project owners over SSH.
It was possible for an administrator or project owner to force push to a project over SSH without having the Force Push permission.
This issue did not affect regular users, or pushes over HTTP.
Update jackson-core to 2.9.7.
There have been several releases since 2.6.6 including many bug fixes and security fixes.
Update elasticsearch-rest-client to 6.4.2.
Issue 9761: Ensure that URIs in requests to Elasticsearch are prefixed with /.
When using Amazon's Elasticsearch service, requests failed with “400 Bad Request” because they were not prefixed with /.
Issue 9766: Update jruby to 9.1.17 and asciidoctorj to 1.5.7.
Since Bazel 0.16 the build is done with an embedded JRE using Java version 9. The documentation build was using an older version of jruby that did not properly support Java 9.
Instances of IdString used to return true when equals was given a String instance equal to the IdString's URL-encoded value. This violates symmetry, so this behavior was removed: IdStrings now never compare equal to Strings.
Upgrade JGit to 4.7.4.201809180905-r.
Issue 9667: Fix handling of output stream in LFS server.
Fix errors during cleanup after deleting refs.
Fix errors during cleanup after running garbage collection.
Fix atomic lock file creation on NFS.
Issue 9711: Add a change deleted event.
Since 2.14 it is possible to delete changes, however there was no specific event emitted. A new change deleted event is added, which is notified to stream-events clients. The hooks plugin is updated to support a change-deleted hook.
Issue 9689: Fix visibility of tag creation form on the project screen (GWT).
The tag creation form was shown when the user had “Create Reference” permission on refs/* or refs/heads/* (but not refs/tags/*).
Issue 9528: Allow project-level receive.maxObjectSizeLimit to be inherited from parent project.
It is possible to set the limit per project in the project.config on refs/meta/config, and at global level in $site/etc/gerrit.config. The project setting may override the global setting if it is lower. Changing the global setting requires a server restart.
A limitation of this implementation is that we cannot set the limit at a project level and have it inherited to its child projects; it is necessary to explicitly set the limit on each child project.
A new global option receive.inheritProjectMaxObjectSizeLimit is added, and when this is enabled the project-level setting is inherited from the parent. This new setting is disabled by default to keep backwards compatibility with the original behavior.
Allow more email RFC characters in the username.
It was possible to set a username with an email-address-like string, but only as far as the fact that the @ character was allowed. Most of the other characters allowed by the RFC were not allowed.
Issue 9670: Add support for Elasticsearch 6.4.0.
Issue 9514: Emit a warning when starting Gerrit via gerrit.sh without OOM protection.
Fix incorrect response from the ‘Put Config’ project REST API.
The response returned after updating the configuration was generated using the configuration that was loaded before the update, and did not contain the changed values.
Fix support for commentLink entries in the project.config.
The documentation states that commentLink entries may be added at project level in the project.config on a project's refs/meta/config branch, but this was not actually implemented.
Issue 5316: Fix incorrect relative URL paths in Gitiles links in the PolyGerrit UI.
Return raw byte value for effective value of git max object size limit.
The ‘value’ field of the info shows the effective value that gets applied, and now shows the actual byte value rather than the formatted value which could be using any arbitrary unit suffix (within the scope of the suffixes actually supported).
In the GWT UI, the effective value is now always shown, rather than only when there is a global value, and explicitly says when there is no value configured.
Ensure user authentication in AllRequestFilter filters.
The order of filters made request authentication only work when the HTTP request was issued from the Gerrit UI, but not work when REST API was used.
commit-message-length-validation plugin: Use “warning” prefix to allow colorization of remote output.
From version 2.19 of git, the “warning” keyword will be highlighted in the remote output when color.remote is enabled in the git config.
Fix partially hidden plugin configuration in the GWT UI.
In the project setting page, plugin configurations were partially hidden if the value had more characters than the default number of characters displayed in the text box.
Add a new method on the project API to get the reflog.
Upgrade PostgreSQL connector to 42.2.4.
Validate connections when sending a request to the database.
In some cases it was possible to attempt to reuse an already closed connection, which resulted in an internal server exception.
log4j.configuration is set. When the environment variable log4j.configuration is set, log files defined by plugins were not created because the appender couldn't be found.
Change-Id in error message when Change-Id line is not in the footer.
ChangeReportFormatter extension point for customizing the report output from git push.
elasticsearch.requestCompression
elasticsearch.connectionTimeout
elasticsearch.maxConnectionIdleTime
elasticsearch.maxReadTimeout
elasticsearch.maxTotalConnection
A new setting elasticsearch.maxRetryTimeout is added. If not configured, it defaults to 30000 ms which is the default used by the REST client.
[elasticsearch "name"] section, with separate values protocol, hostname, and port, the servers are now configured as a list of server values in the [elasticsearch] section. This also fixes Issue 9383 where a “default” server http://localhost:9200 would be added by the site initialization even if other servers were already explicitly configured. During startup the list of configured Elasticsearch servers is logged at info level.
elasticsearch.username setting. If elasticsearch.password is specified, the username can be omitted and it will default to elastic which is the default username configured when running Elasticsearch with security enabled.
CacheImpl interface. An implementation is provided for postgresql.
ownerin: predicate for internal groups.
#), the change was created with a zero Change-Id. This was because lines beginning with # are considered to be comments, and are stripped from the commit message by JGit before computing the Change-Id for the commit. Before attempting to create the change, Gerrit now strips out any comment lines from the commit message and returns an error if this results in the commit message being empty.
user.name and user.email from gerrit.config. The user.name and user.email settings were being read as-is, which would allow them to be configured with values that may interfere with standard email name/address parsing.
submit hook. The submit hook is invoked synchronously when a change is submitted. If it returns a non-zero exit status, a MergeValidationException is thrown and the submit is prevented. This adds back the ability to block submit by a hook which was removed in version 2.14 due to the reworking of the ref-update hook behavior.
ref-update and commit-received hooks. The hooks were not singletons, which caused new instances to be created on every invocation.
LightweightPluginDaemonTest base class.
ProjectLevelConfig.getWithInheritance method, any config values from the parent are overridden by those of the child. This is not useful for plugins like the reviewers plugin where the child configuration should be merged with the parent's. To solve this, a new variant of the getWithInheritance method is added, which merges the configs rather than overriding.
gitweb.type must be set to gitweb.
index start or index activate command.
Code-Review=2 without the explicit label: predicate can never work as expected because the query is also considered as a comment search, which matches on all changes that have received a vote on that label, regardless of the label score. The section about approval requirements is removed from the basic search documentation to avoid confusion. It is also now recommended to use explicit query predicates when predictable results are desired.
ownerin: and reviewerin: queries. When the ownerin: or reviewerin: predicate is used in a query without any additional explicit index predicate, it will default to only include changes in status ‘OPEN’.
query: search with a non-existing named query.
httpd.gracefulStopTimeout, which allows setting a maximum period of time for the daemon to preserve incoming connections, before starting the graceful shutdown process.
elasticsearch.prefix was not set, and Elasticsearch server-specific settings were not correctly set under elasticsearch.name.protocol, etc.
index.maxLimit for Elasticsearch. When using Elasticsearch, index.maxLimit should not exceed the value of index.max_result_window configured on the Elasticsearch server.
index start and index activate ssh commands with Elasticsearch.
gerrit_.
account_patch_reviews for mysql. Creation of the account_patch_reviews table failed on mysql due to the file_name column being too long.
ref-updated event twice for new patch sets.
Change-Id in subject line during commit validation: A commit with an empty commit message except for a Change-Id line in the subject was only rejected if “Require Change-Id” was enabled.
Change-Id line when creating changes from the UI: When a change was created via the UI (or via the REST API), the Change-Id footer line was not validated. This resulted in it being possible to create a change with an invalid Change-Id.
Change-Id to changes created from the UI: When a change was created via the UI (or via the REST API), a Change-Id line was added without first checking if one already existed.
Signed-off-by line after existing footer lines in changes created from the UI. When a change was created via the UI (or via the REST API) and the commit message included a Change-Id line or any other footer line, the Signed-off-by footer was appended to the end of the last footer instead of on a new line.
commit-msg hook to awk behavior change on Cygwin/MSYS. Awk has stopped automatically stripping \r on Windows since version 4.2.0.
MigrateAccountPatchReviewDb program.
index.maxTerms when using group predicate in queries.
--threads option in the offline reindex program.
mergeable field to always be set to null in the index. As a result, the change was always shown with “Merge Conflict” status in the change list.
# token, which resulted in the link redirecting to a 404 response.
show-connections command output. When the SSH backend is MINA, the show-connections command shows the connection start time. For connections started more than 1 day ago, the start time is supposed to be shown in the format MMM-dd but was instead always shown in the format HH:mm:ss due to incorrect calculation of the elapsed time.
HEAD reference failed because the passed reference name was not absolute.
--insecure to curl in download-commands plugin. Validating certs is an important feature of HTTPS that we should not disable, especially when downloading code that is going to be trusted.
ban-commit ssh command on slaves. Gerrit slaves are supposed to be read-only, but the ban-commit command creates a Git note and hence writes to the repository.
error_log.json.
suexec command.
createdOn in change attribute in events. This allows for aggregating review-time if defined as the timespan between when a change is created and when it is merged.
set-reviewers command to work with change sha1s. The check for sha1 was done before the check for legacy change number, so if a server had large enough change numbers they would be erroneously interpreted as sha1 resulting in a “change not found” error.
WARNING: the 2.14.5 release includes a regression. Use 2.14.5.1 instead.
has:starss, the user’s web session was invalidated.
sshd.waitTimeout configuration to set WAIT_FOR_SPACE_TIMEOUT. In sshd a new channel property, channel-output-wait-for-space-timeout, was introduced with a default value of 30 seconds. This was not being set, causing any clone operations lasting longer than 30 seconds to fail. Administrators may now increase this value by setting sshd.waitTimeout.
GERRIT_FDS when an LFS plugin is configured. GERRIT_FDS was set to double of core.packedGitOpenFiles, which was not sufficient to account for the file descriptors used by Git LFS.
_moreChanges when change query result is empty.
/COMMIT_MSG and /MERGE_LIST don’t actually exist in the git repository, so any links to them result in 404 on the viewer.
vote-deleted event. The missing registration was causing listeners to fail with ‘Unknown event type’.
set-reviewers ssh command.
auth.type and auth.gitBasicAuthPolicy. Update the documentation of auth.type to clarify that the HTTP_LDAP and CLIENT_SSL_CERT_LDAP types only use LDAP to gather basic information about the user, and not to actually perform the authentication. Also, add checks to make sure the combination of auth.type and auth.gitBasicAuthPolicy is valid. If an invalid combination is used, this could result in unintentionally disabling authentication, so raise an error during startup.
stream-events ssh command with the --help option.
polygerrit URL parameter on GET requests. Attempting to parse the polygerrit parameter on all requests caused failures when sending a POST or PUT request to the REST API via curl.
gerrit.canonicalWebUrl. The only situation where the setting is mandatory is when using OAuth authentication, because the OAuth provider needs to have a fixed callback URL with a single hostname.
PluginConfig.setGroupReference method. When the group reference was a new one, i.e. not already in the groups file, it was not added to the groups file when saving the project config.
-S instead of -s as alias for --start in list branches and tags REST API endpoints. Using an upper case -S makes the API consistent with the other list APIs (changes, groups, projects). This is a breaking change for any clients that use -s.
gerrit.config file it is now possible to configure the url, poolLimit, poolMinIdle, poolMaxIdle, and poolMaxWait values.
: to autocompleted predicates in search bar.
refs/heads/ prefix is omitted.
iabcde, it was not possible to search for changes using the Change-Id triplet project~branch~changeId.
/register with URL prefix.
self before other users in search operator suggestions. For query operators that expect a user, the suggestion included other users whose name begins with “sel” before “self”. Since “self” is more frequently used, it should be suggested first.
shortSubject field to 72 characters in soy email template.
site_path from system_config table. The starting mode where site_path is not specified (as a system property) and Gerrit first connects to the database using the ReviewDb JNDI property from the servlet container was broken since version 2.13 due to a cyclic dependency in Guice bindings.
throws declarations on NotImplemented classes in the extension API. The throws were removed as a cleanup in Gerrit 2.14, but this prevented classes that extend NotImplemented from throwing the exceptions.
LocalUsernamesToLowerCase program.
m and r options together in branch and tag list filters.
multipart/ in inbound emails. Inbound emails would not be parsed when the message was signed and therefore wrapped in a multipart/signed part.
httpd.filterClass.
httpd.idleTimeout makes the Jetty HTTPD socket timeout configurable so as to tailor the socket and thread consumption to the needs of setups with different latencies and bandwidth.
group indexed extension point. Similar to the existing change indexed and account indexed extension points, this allows plugins to be notified when a group has been indexed.
.backup suffix, but if the destination file already existed the initialization would fail with a fatal error. Now a warning is printed and the initialization continues.
sshd.idleTimeout for nio2 backend. The idle timeout was not properly set for the nio2 backend, so connections would always time out with the default value (10 minutes).
maxRetries is set to 0.
receiveemail.encryption is set to TLS/SSL, we always want to use the implicit mode to execute the TLS/SSL command right after establishing the connection with the mail server. Strict mail servers like Gmail would close the connection prematurely otherwise.
/MERGE_LIST and /COMMIT_MESSAGE as Merge List and Commit Message.