Download: 2.14.22 | 2.14.21 | 2.14.20 | 2.14.19 | 2.14.18 | 2.14.17 | 2.14.16 | 2.14.15 | 2.14.14 | 2.14.13 | 2.14.12 | 2.14.11 | 2.14.10 | 2.14.9 | 2.14.8 | 2.14.7 | 2.14.6 | 22.214.171.124 | 2.14.4 | 2.14.3 | 2.14.2 | 2.14.1 | 2.14
Documentation: 2.14.22 | 2.14.21 | 2.14.20 | 2.14.19 | 2.14.18 | 2.14.17 | 2.14.16 | 2.14.15 | 2.14.14 | 2.14.13 | 2.14.12 | 2.14.11 | 2.14.10 | 2.14.9 | 2.14.8 | 2.14.7 | 2.14.6 | 126.96.36.199 | 2.14.4 | 2.14.3 | 2.14.2 | 2.14.1 | 2.14
This release contains schema changes. To upgrade:
java -jar gerrit.war init -d site_path
Gerrit 2.14 introduces a new secondary index for groups. The initial version of this index must be created by running the offline reindex before starting Gerrit:
java -jar gerrit.war reindex --index groups -d site_path
Note that it is not necessary to reindex the changes and accounts indexes offline. These will automatically be reindexed by the online reindexer after starting Gerrit.
Gerrit now requires Java Runtime Environment (JRE) version 8. It is no longer possible to run Gerrit on JRE 7 and it is not compatible with JRE 9 or newer yet. For more information, see Issue 7843.
The Bouncy Castle Crypto API libraries are now distributed in the Gerrit .war file rather than being downloaded during site initialization. When upgrading from a previous version of Gerrit, previously downloaded Bouncy Castle .jar files remaining in the site's /lib folder will be disabled by appending .disabled to the file name.
Support for HTTP Digest Authentication is removed. With the move to NoteDB, the per-account data (including the HTTP password) will be stored in a branch in the All-Users repo, where it is subject to Gerrit ACLs. Since these are notoriously hard to set up correctly, we want to avoid storing the password in plaintext.
Existing passwords will be migrated to a hashed password during site initialization when upgrading from an earlier version of Gerrit.
An exclusive ALLOW permission now has priority over a BLOCK permission when both permissions are defined on the same project. This means an exclusive ALLOW rule now overrules BLOCK rules on the same project. BLOCK rules still cannot be overruled by child projects. This change makes it possible to allow a permission for a specific ref and to block the same permission for all other refs. For example, it is now possible to allow all users to push changes for review, but to block all direct pushes:
[access "refs/*"]
  push = block group Anonymous Users
[access "refs/for/*"]
  exclusiveGroupPermissions = push
  push = group Registered Users
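A simplified model of the rule described above, added here as an illustration and not taken from Gerrit's code: it covers only the BLOCK versus exclusive ALLOW interaction, for literal and `/*` ref patterns. The `Section`, `Project` and `can_perform` names, the project names, and the group membership of the sample user are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Section:
    """One [access "<pattern>"] block of a project's configuration."""
    pattern: str
    allow: dict = field(default_factory=dict)   # permission -> set of group names
    block: dict = field(default_factory=dict)   # permission -> set of group names
    exclusive: frozenset = frozenset()          # exclusiveGroupPermissions


@dataclass
class Project:
    name: str
    sections: list
    parent: Optional["Project"] = None


def _matches(pattern, ref):
    # Only literal refs and trailing "/*" prefixes; regex patterns are not modelled.
    if pattern.endswith("/*"):
        return ref.startswith(pattern[:-1])
    return ref == pattern


def _hits(rules, permission, groups):
    return bool(rules.get(permission, set()) & groups)


def can_perform(project, permission, ref, groups, exclusive_beats_block=True):
    """Return True if a member of `groups` may use `permission` on `ref`.

    exclusive_beats_block=False reproduces the older rule (BLOCK always wins).
    """
    allowed = False
    node = project
    while node is not None:          # the project itself, then each ancestor
        matching = [s for s in node.sections if _matches(s.pattern, ref)]
        blocked = any(_hits(s.block, permission, groups) for s in matching)
        exclusive_allow = any(
            permission in s.exclusive and _hits(s.allow, permission, groups)
            for s in matching
        )
        # The override is evaluated per project, so a child's exclusive ALLOW
        # never cancels a BLOCK found on a parent.
        if blocked and not (exclusive_beats_block and exclusive_allow):
            return False
        allowed = allowed or any(_hits(s.allow, permission, groups) for s in matching)
        node = node.parent
    return allowed


ANON, REGISTERED = "Anonymous Users", "Registered Users"

# Constructed project carrying the configuration from the example above.
REVIEW_ONLY = Project("example-project", [
    Section("refs/*", block={"push": {ANON}}),
    Section("refs/for/*", allow={"push": {REGISTERED}}, exclusive=frozenset({"push"})),
])

# Constructed parent/child pair: the child tries to lift the parent's BLOCK.
PARENT = Project("parent", [Section("refs/*", block={"push": {ANON}})])
CHILD = Project("child", [
    Section("refs/heads/*", allow={"push": {REGISTERED}}, exclusive=frozenset({"push"})),
], parent=PARENT)

SIGNED_IN = {ANON, REGISTERED}   # assumption: signed-in users are in both groups

if __name__ == "__main__":
    for ref in ("refs/for/master", "refs/heads/master"):
        print(ref, can_perform(REVIEW_ONLY, "push", ref, SIGNED_IN))
    print("child", can_perform(CHILD, "push", "refs/heads/master", SIGNED_IN))
```

Calling `can_perform` with `exclusive_beats_block=False` shows why the same configuration could not express "review only" before this change: the BLOCK on `refs/*` also denied pushes to `refs/for/*`.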
This release deprecates the use of Velocity mail templates. In a future release support will be removed and it will be necessary to upgrade custom mail templates to Soy files.
The permissions “Push Annotated Tag” and “Push Signed Tag” are renamed to “Create Annotated Tag” and “Create Signed Tag”. Existing project configurations using the old permission names will be migrated during site initialization.
The ref-update hook is now only invoked for direct ref updates, i.e. branch creation, branch deletion, and updates (fast-forward and non-fastforward) via direct push. It is not invoked on commits received for review, or on submit of changes.
A new hook named commit-received is added, which is invoked when a commit is received for review, and can be used to prevent reviews from being created. A new hook named submit is added in 2.14.9, which is invoked when a user attempts to submit a change, and can be used to prevent the submit.
Sites using the ref-update hook to validate changes pushed for review, or to validate submits, should migrate to the
In version 2.14.4 the fields in the JdbcAccountPatchReviewStore primary key are reordered to improve performance when clearing the reviewed flag for a patch set.
Sites that have already upgraded from an earlier version to 2.13, or to a 2.14.x version before 2.14.4, and want to take advantage of this performance improvement, should manually drop and recreate the primary key as follows:
# drop the key
ALTER TABLE account_patch_reviews DROP CONSTRAINT primary_key_account_patch_reviews;
# recreate the key
ALTER TABLE account_patch_reviews ADD CONSTRAINT primary_key_account_patch_reviews PRIMARY KEY (change_id, patch_set_id, account_id, file_name);
Note that this is optional. The site will continue to work without this update. The update is not necessary when upgrading directly to 2.14.4 from a version earlier than 2.13, as the primary key will be created with the updated order anyway.
Changes may be assigned to a specific user. This allows a workflow where the user that is assigned to a change is responsible for reviewing the change and/or passing the assignment on to another user.
In the UI, changes assigned to the currently logged in user are highlighted.
The assignee: search predicate allows finding changes assigned to a given user.
Gerrit email messages are made easier to read by sending HTML content parts in addition to the existing text email content. This is enabled by default, and can be disabled by setting
false. Users can opt to always receive plaintext emails by setting the Email Format preference.
Mail templates can now be written using Closure Templates (Soy). Mail templates written in Velocity (VTL) are deprecated but still supported. Support for VTL will be dropped in a future release.
Gerrit now supports receiving review comments by email.
Note that the Elasticsearch implementation is still considered experimental and it is not advised to use it for production systems.
Issue 3944: Tags can be created and deleted via the Tags screen in the UI. Although the REST API supports creation of both lightweight and annotated tags from 2.14, the GWT UI allows for annotation with 2.14.4 or later.
For merge commits, the list of commits that will be merged into the destination branch is included as the /MERGE_LIST magic file which is shown as Merge List in the UI.
Gerrit now includes a new user interface, referred to as “PolyGerrit”, based on Polymer. The UI can be switched between PolyGerrit and GWT by clicking the “New UI” and “Old UI” links in the site footer. Alternatively, the UI can be switched by adding ?polygerrit=0 to the URL. Note that PolyGerrit is still under development. Most use cases are supported, but there are still some missing features compared to the GWT UI.
Normally, changes can be reviewed only before they are merged. This new feature allows for post-submit review of commits by creating a new merged change, by using the ‘merged’ push option.
ref-update hook from being invoked on every commit when pushing multiple commits. Instead of being invoked on every commit received, the ref-update hook is now invoked before the ref update operation is finalized. Note that the hook is no longer invoked on commits pushed for review or on changes that are merged. It is invoked for creation/deletion of refs, and for ref updates caused by direct pushes (i.e. bypassing review). The previous behavior of the ref-update hook is moved into a new hook named commit-received. A new parameter --cmdref is added, and the special handling of refs/changes is removed. Sites using the ref-update hook should rename the hook file to
Gitiles has a special FilteredRepository wrapper that allows carefully hiding refs based on the project's ACLs. There is however an optimization that skips the filtering in case a user has READ permissions on every ACL pattern(s). When the target repository is All-Users, the optimization turns into a security issue because it allows seeing all personal information associated with all accounts, i.e.:
This fix now blocks Gitiles or any other part of Gerrit from abusing this power when the target repository is All-Users, where nobody can be authorized to skip the ACLs evaluation anyway.
Issue 12717: Deny access over HTTP for disabled accounts.
A disabled account was still able to access over HTTP until the existing session expired.
Issue 10695: Upgrade JGit to 188.8.131.52904161809-r to fix regression in packfile list handling.
When core.trustfolderstat was set to false, an infinite loop could occur when an object was not found in the packfile.
Don't abort auto-abandoning if one change failed.
When failing to query a single change during auto-abandoning, the whole process was aborted. Now the failure is logged and the process continues to attempt to abandon subsequent changes.
Issue 10562: Upgrade JGit to 184.108.40.206903121755-r to fix corruption of packfile list due to concurrent access during GC.
See JGit issue 544199 for details.
Issue 10262: Upgrade JGit to 220.127.116.11812240805-r to fix validation of git-upload-pack for protocol v0 stateless transports.
AdvertiseRefsHook was not called for git-upload-pack in protocol v0 stateless transports, meaning that wants were not validated and a user could fetch anything that is pointed to by any ref (using fetch-by-sha1), as long as they could guess the object name.
Issue 10242: Fix regression that allows a user's account to be taken over when multiple authentication providers are in use.
A regression introduced in 2.14.7 allowed a user's account to be taken over by creating an account on a different provider with exactly the same username as the existing Gerrit account.
Issue 10112: Upgrade rules_closure to make Gerrit buildable with the latest Bazel version.
Issue 9781: Allow to disable the groups relevance filtering for LDAP.
Issue 9952: Upgrade dependencies to newer versions to fix CVEs.
Issue 9969: Fix incorrect dependency on httpcore-nio for Elasticsearch.
The Elasticsearch REST client depends on version 4.4.5 of httpcore-nio, but the version provided by Gerrit was 4.4.1.
Remove dependency on httpmime.
httpmime was a dependency of Apache Solr, which was removed from Gerrit some time ago.
Fix unnecessary reads of change note refs when NoteDb is disabled.
Change notes packed refs were unnecessarily being read and parsed when NoteDb was disabled.
See the mailing list discussion for more information.
Upgrade Elasticsearch REST client to 6.4.3.
Issue 9836: Fix database connections leaks.
The fix for issue 9823 in 2.14.15 introduced a database connection leak.
Upgrade JGit to 18.104.22.168810191618-r.
Update JGit to 22.214.171.124810051826-r to fix CVE-2018-17456.
This release of JGit implements validation of .gitmodules files to protect unguarded tools against CVE-2018-17456.
Issue 9823: Fix force push permission check for administrators and project owners over SSH.
It was possible for an administrator or project owner to force push to a project over SSH without having the Force Push permission.
This issue did not affect regular users, or pushes over HTTP.
Update jackson-core to 2.9.7.
There have been several releases since 2.6.6 including many bug fixes and security fixes.
Update elasticsearch-rest-client to 6.4.2.
Issue 9761: Ensure that URIs in requests to Elasticsearch are prefixed with
When using Amazon's Elasticsearch service, requests failed with “400 Bad Request” because they were not prefixed with
Issue 9766: Update jruby to 9.1.17 and asciidoctorj to 1.5.7.
Since Bazel 0.16 the build is done with an embedded JRE using Java version 9. The documentation build was using an older version of jruby that did not properly support Java 9.
Instances of IdString used to return true when equals was given a String instance equal to the IdString's URL-encoded value. This violates symmetry, so this behavior was removed: IdStrings now never compare equal to Strings.
Upgrade JGit to 126.96.36.199809180905-r.
Issue 9667: Fix handling of output stream in LFS server.
Fix errors during cleanup after deleting refs.
Fix errors during cleanup after running garbage collection.
Fix atomic lock file creation on NFS.
Issue 9711: Add a change deleted event.
Since 2.14 it is possible to delete changes, however there was no specific event emitted. A new change deleted event is added, which is notified to stream-events clients. The hooks plugin is updated to support a
Issue 9689: Fix visibility of tag creation form on the project screen (GWT).
The tag creation form was shown when the user had “Create Reference” permission on refs/heads/* (but not
It is possible to set the limit per project in the refs/meta/config, and at global level in $site/etc/gerrit.config. The project setting may override the global setting if it is lower. Changing the global setting requires a server restart.
A limitation of this implementation is that we cannot set the limit at a project level and have it inherited to its child projects; it is necessary to explicitly set the limit on each child project.
A new global option receive.inheritProjectMaxObjectSizeLimit is added, and when this is enabled the project-level setting is inherited from the parent. This new setting is disabled by default to keep backwards compatibility with the original behavior.
Allow more email RFC characters in the username.
It was possible to set a username with an email-address-like string, but only as far as the fact that the @ character was allowed. Most of the other characters allowed by the RFC were not allowed.
Issue 9670: Add support for Elasticsearch 6.4.0.
Issue 9514: Emit a warning when starting Gerrit via gerrit.sh without OOM protection.
Fix incorrect response from the ‘Put Config’ project REST API.
The response returned after updating the configuration was generated using the configuration that was loaded before the update, and did not contain the changed values.
Fix support for commentLink entries in the
The documentation states that commentLink entries may be added at project level in the project.config on a project's refs/meta/config branch, but this was not actually implemented.
Issue 5316: Fix incorrect relative URL paths in Gitiles links in the PolyGerrit UI.
Return raw byte value for effective value of git max object size limit.
The ‘value’ field of the info shows the effective value that gets applied, and now shows the actual byte value rather than the formatted value which could be using any arbitrary unit suffix (within the scope of the suffixes actually supported).
In the GWT UI, the effective value is now always shown, rather than only when there is a global value, and explicitly says when there is no value configured.
Ensure user authentication in
The order of filters made request authentication only work when the HTTP request was issued from the Gerrit UI, but not work when REST API was used.
commit-message-length-validation plugin: Use “warning” prefix to allow colorization of remote output.
From version 2.19 of git, the “warning” keyword will be highlighted in the remote output when color.remote is enabled in the git config.
Fix partially hidden plugin configuration in the GWT UI.
In the project setting page, plugin configurations were partially hidden if the value had more characters than the default number of characters displayed in the text box.
Add a new method on the project API to get the reflog.
Upgrade PostgreSQL connector to 42.2.4.
Validate connections when sending a request to the database.
In some cases it was possible to attempt to reuse an already closed connection, which resulted in an internal server exception.
log4j.configuration is set
When the environment variable log4j.configuration is set, log files defined by plugins were not created because the appender couldn't be found.
Change-Id in error message when Change-Id line is not in the footer.
ChangeReportFormatter extension point for customizing the report output from
elasticsearch.maxTotalConnection
A new setting elasticsearch.maxRetryTimeout is added. If not configured, it defaults to 30000 ms which is the default used by the REST client.
[elasticsearch "name"] section, with separate values port, the servers are now configured as a list of server values in the [elasticsearch] section. This also fixes Issue 9383 where a “default” server http://localhost:9200 would be added by the site initialization even if other servers were already explicitly configured. During startup the list of configured Elasticsearch servers is logged at info level.
elasticsearch.password is specified, the username can be omitted and it will default to elastic which is the default username configured when running Elasticsearch with security enabled.
CacheImpl interface. An implementation is provided for postgresql.
ownerin: predicate for internal groups.
#), the change was created with a zero Change-Id. This was because lines beginning with # are considered to be comments, and are stripped from the commit message by JGit before computing the Change-Id for the commit. Before attempting to create the change, Gerrit now strips out any comment lines from the commit message and returns an error if this results in the commit message being empty.
user.email settings were being read as-is, which would allow them to be configured with values that may interfere with standard email name/address parsing.
submit hook is invoked synchronously when a change is submitted. If it returns a non-zero exit status, a MergeValidationException is thrown and the submit is prevented. This adds back the ability to block submit by a hook which was removed in version 2.14 due to the reworking of the commit-received hooks. The hooks were not singletons, which caused new instances to be created on every invocation.
ProjectLevelConfig.getWithInheritance method, any config values from the parent are overridden by those of the child. This is not useful for plugins like the reviewers plugin where the child configuration should be merged with the parent's. To solve this, a new variant of the getWithInheritance method is added, which merges the configs rather than overriding.
gitweb.type must be set to
Code-Review=2 without the explicit label: predicate can never work as expected because the query is also considered as a comment search, which matches on all changes that have received a vote on that label, regardless of the label score. The section about approval requirements is removed from the basic search documentation to avoid confusion. It is also now recommended to use explicit query predicates when predictable results are desired.
reviewerin: queries. When the ownerin: or reviewerin: predicate is used in a query without any additional explicit index predicate, it will default to only include changes in status ‘OPEN’.
query: search with a non-existing named query.
httpd.gracefulStopTimeout, which allows setting a maximum period of time for the daemon to preserve incoming connections, before starting the graceful shutdown process.
elasticsearch.prefix was not set, and Elasticsearch server-specific settings were not correctly set under
index.maxLimit for Elasticsearch. When using Elasticsearch, index.maxLimit should not exceed the value of index.max_result_window configured on the Elasticsearch server.
index activate ssh commands with Elasticsearch.
account_patch_reviews for mysql. Creation of the account_patch_reviews table failed on mysql due to the file_name column being too long.
ref-updated event twice for new patch sets.
Change-Id in subject line during commit validation: A commit with an empty commit message except for a Change-Id line in the subject was only rejected if “Require Change-Id” was enabled.
Change-Id line when creating changes from the UI: When a change was created via the UI (or via the REST API), the Change-Id footer line was not validated. This resulted in it being possible to create a change with an invalid
Change-Id to changes created from the UI: When a change was created via the UI (or via the REST API), a Change-Id line was added without first checking if one already existed.
Signed-off-by line after existing footer lines in changes created from the UI. When a change was created via the UI (or via the REST API) and the commit message included a Change-Id line or any other footer line, the Signed-off-by footer was appended to the end of the last footer instead of on a new line.
commit-msg hook to awk behavior change on Cygwin/MSYS. Awk has stopped automatically stripping \r on Windows since version 4.2.0.
index.maxTerms when using group predicate in queries.
--threads option in the offline
mergeable field to always be set to null in the index. As a result, the change was always shown with “Merge Conflict” status in the change list.
# token, which resulted in the link redirecting to a 404 response.
show-connections command output. When the SSH backend is MINA, the show-connections command shows the connection start time. For connections started more than 1 day ago, the start time is supposed to be shown in the format MMM-dd but was instead always shown in the format HH:mm:ss due to incorrect calculation of the elapsed time.
HEAD reference failed because the passed reference name was not absolute.
curl in download-commands plugin. Validating certs is an important feature of HTTPS that we should not disable, especially when downloading code that is going to be trusted.
ban-commit ssh command on slaves. Gerrit slaves are supposed to be read-only, but the ban-commit command creates a Git note and hence writes to the repository.
createdOn in change attribute in events. This allows for aggregating review-time if defined as the timespan between when a change is created and when it is merged.
set-reviewers command to work with change sha1s. The check for sha1 was done before the check for legacy change number, so if a server had large enough change numbers they would be erroneously interpreted as sha1 resulting in a “change not found” error.
WARNING: the 2.14.5 release includes a regression. Use 188.8.131.52 instead.
has:starss, the user’s web session was invalidated.
sshd.waitTimeout configuration to set WAIT_FOR_SPACE_TIMEOUT. In sshd a new channel property, channel-output-wait-for-space-timeout, was introduced with a default value of 30 seconds. This was not being set, causing any clone operations lasting longer than 30 seconds to fail. Administrators may now increase this value by setting
GERRIT_FDS when an LFS plugin is configured. GERRIT_FDS was set to double of core.packedGitOpenFiles, which was not sufficient to account for the file descriptors used by Git LFS.
_moreChanges when change query result is empty.
/MERGE_LIST don’t actually exist in the git repository, so any links to them result in 404 on the viewer.
vote-deleted event. The missing registration was causing listeners to fail with ‘Unknown event type’.
auth.gitBasicAuthPolicy. Update the documentation of auth.type to clarify that the CLIENT_SSL_CERT_LDAP types only use LDAP to gather basic information about the user, and not to actually perform the authentication. Also, add checks to make sure the combination of auth.gitBasicAuthPolicy is valid. If an invalid combination is used, this could result in unintentionally disabling authentication, so raise an error during startup.
stream-events ssh command with the
polygerrit URL parameter on GET requests. Attempting to parse the polygerrit parameter on all requests caused failures when sending a PUT request to the REST API via
gerrit.canonicalWebUrl. The only situation where the setting is mandatory is when using OAuth authentication, because the OAuth provider needs to have a fixed callback URL with a single hostname.
PluginConfig.setGroupReference method. When the group reference was a new one, i.e. not already in the groups file, it was not added to the groups file when saving the project config.
-s as alias for --start in list branches and tags REST API endpoints. Using an upper case -S makes the API consistent with the other list APIs (changes, groups, projects). This is a breaking change for any clients that use
gerrit.config file it is now possible to configure the refs/heads/ prefix is omitted.
iabcde, it was not possible to search for changes using the Change-Id triplet
/register with URL prefix.
self before other users in search operator suggestions. For query operators that expect a user, the suggestion included other users whose name begins with “sel” before “self”. Since “self” is more frequently used, it should be suggested first.
shortSubject field to 72 characters in soy email template.
system_config table. The starting mode where site_path is not specified (as a system property) and Gerrit first connects to the database using the ReviewDb JNDI property from the servlet container was broken since version 2.13 due to a cyclic dependency in Guice bindings.
NotImplemented classes in the extension API. The throws were removed as a cleanup in Gerrit 2.14, but this prevented classes that extend NotImplemented from throwing the exceptions.
r options together in branch and tag list filters.
multipart/ in inbound emails. Inbound emails would not be parsed when the message was signed and therefore wrapped in a
httpd.idleTimeout makes the Jetty HTTPD socket timeout configurable, so as to tailor the socket and thread consumption to the needs of setups with different latencies and bandwidth.
group indexed extension point. Similar to the existing account indexed extension points, this allows plugins to be notified when a group has been indexed.
.backup suffix, but if the destination file already existed the initialization would fail with a fatal error. Now a warning is printed and the initialization continues.
sshd.idleTimeout for nio2 backend. The idle timeout was not properly set for the nio2 backend, so connections would always time out with the default value (10 minutes).
maxRetries is set to 0.
receiveemail.encryption is set to TLS/SSL, we always want to use the implicit mode to execute the TLS/SSL command right after establishing the connection with the mail server. Strict mail servers like Gmail would close the connection prematurely otherwise.