File Uploads in frontend
Performance improvements on mergeability check and accounts caching
Support for Java 11
Gerrit is now officially supported on Java 11, in addition to Java 8. Running on Java 11 was already possible from v2.16.13, v3.0.4 and v3.1.0, but not officially supported because of the lack of a CI validation on Java 11 for stable-2.16, stable-3.0 and stable-3.1 branches.
Please note that Java 11 has a number of improvements and breaking changes compared to Java 8. Refer to the Java 11 release notes for more details.
Gerrit v3.2 has been validated with Java 11, with the following known issues:
Issue 11567: Java 11 runtime & startTLS LDAP broken: ‘error code 8 - BindSimple: Transport encryption’.
Issue 12639: WARNING: An illegal reflective access operation has occurred, when starting Gerrit.
This release contains schema changes. To upgrade:
java -jar gerrit.war init -d site_path
The changes index version has been increased. To run off-line reindexing of the changes (optional):
java -jar gerrit.war reindex --index changes -d site_path
By default the changes index is automatically rebuilt upon the Gerrit startup after the upgrade.
PERFORMANCE WARNING: The migration process performs the cleanup of the zombie draft comments in the All-Users.git repository that have been left behind since the introduction of NoteDb. It is highly recommended to perform a
git gc --aggressive of the All-Users.git repository BEFORE running the migration. Also the reindex of all the changes can take a significant amount of time for large-scale installations.
Also, make sure that the All-Users.git resides on a fast access local filesystem for minimizing the migration time.
Upgrade the Docker/Ubuntu image to Ubuntu 20.04
Upgrade the Docker/CentOS image to CentOS 8.1.1911
Move to OpenJDK 11
Gerrit v3.2 supports both Java 8 and 11. However, Java 11 is the best choice for large production servers thanks to the introduction of more advanced Garbage Collection strategies and associated tuning for large heaps.
Gerrit supports zero-downtime upgrade from Gerrit v3.1.6 (or later) when configured using a high-availability configuration, when the Git repositories are stored in a shared filesystem such as NFS or similar.
For upgrading with zero-downtime, you should enable the rolling upgrade migration in
gerrit.config on both Gerrit masters by setting the
During the zero-downtime upgrade, Gerrit end-users would not notice any outage or service disruption. They will be able to perform the normal Gerrit operations on the GUI or using the Git protocol.
The zero-downtime upgrade consists of the following steps:
gerrit.configon both Gerrit masters.
gerrit.configon both Gerrit masters.
NOTE: During the zero-downtime upgrade, the nodes may experience an increase of CPU and memory utilisation due to the online reindexing activity. If testing reveals that the nodes are not able to keep sustained load in conjunction with the online reindexing, then you have to follow the standard migration path.
Issue 12858: ListGroups: the --query2 option in the groups query REST-API has been renamed to --query
Gerrit metrics associated with H2 disk-statistics are now disabled by default. The disk-statistics can be enabled again by setting
cache.enableDiskStatMetrics in gerrit.config.
This release introduces a configuration setting
change.mergeabilityComputationBehavior that defines when Gerrit computes the mergability of a change .
Computing the mergability of changes is an expensive operation that can be become a bottleneck for large Gerrit installations. The new setting allows administrators to control this expense. Please refer to the Gerrit documentation for more details about this setting.
change.api.excludeMergeableInChangeInfo is no longer used and may be removed from
Introduction of a brand-new AccountCache decomposed into smaller chunks that can be cached individually:
The new structure is cleverly designed to require a lot less I/O when an entry needs to be reloaded and lowering the ratio of cache-miss in case of user’s details updates.
Gerrit can be linked to external user directories like LDAP, providing Gerrit with external users and groups. External groups can be added to Gerrit to restrict access to refs and repos and are mainly used for permissions evaluation.
The following new additional caches have been introduced and can be customized in
groups_external: Caches all the external groups available to Gerrit.
groups_external_persisted: Caches all external groups available to Gerrit at some point in history.
File Uploads are now supported in the User Interface or through the REST API.
Introduce a new permission to allow/deny the ability to revert a change through the Gerrit UI.
The permission is automatically added to the
Registered Users as part of the schema upgrade. To deny reverts, Gerrit administrators should remove this permission from
Introduce the new
is:merge operator for allowing to find changes that are merge commits. This change requires a full reindex of the changes, which may take quite a long time to compute for large-sized installations.
When choosing the on-line reindexing option (default) Gerrit can still operate with the old index version, disabling the
is:merge operator until the new index has been successfully rebuilt.
New SSH commands introduced:
gerrit set-topic: set the topic of a change (existing REST-API surfaced via SSH)
gerrit sequence show: show the current sequences value from All-Projects.git or All-Users.git
gerrit sequence set: set the next value for sequences in All-Projects.git or All-Users.git
After a change is created or updated using the ‘cherry-pick’ functionality, the cherry-picked change includes a new field in the change info returned from REST APIs called
CherryPickOf with the source change number and the patchset.
instanceId configuration for multi-master Gerrit setups. For more details check:
The Gerrit frontend has been migrated from Polymer 2 to Polymer 3.
Users can now cherry pick entire topics.
Gerrit supports adding display names. Hosts can configure first name or username as default.
The reply dialog now shows the entire comment thread instead of the comment list.
Issue 6293: More self-evident transitions from WIP state. “Start Review” button added to change view.
Issue 8153: Improvements to rebase indicator: display a hover card instead of a tooltip with the icon including the possible rebase action.
Issue 10444: UI for deleting change messages for Gerrit Administrators.
Issue 10890: Repository list: Move “Repository Browser” column left of “Description” column.
Issue 11441: Add in-product reminder to keep discussions respectful.
Some code review discussions can become a bit rough and some people perceived discussions as not always respectful. Add an in-product reminder to keep discussions respectful when a reply is typed, optionally with linking to the code of conduct.
Issue 11493: Add an “Edit” button to the diff view in the PolyGerrit UI.
Issue 11521: Display trace ID in error popup if request failed and server did a trace.
Issue 11522: REST API for review labels in the project configuration.
Issue 11705: Show count of changes in User Dashboard.
Issue 11706: Allow editing the commit message as part of a change edit.
Issue 11973: Add copy-to-clipboard for generated HTTP password.
Issue 12364: Add support for going to a specific line number in the inline editor.
Issue 11594 Merge the repo-vs-git logic into GitDownloadCommand directly.
Created separate “getRepoCommand” and “getCommand” methods for downstream classes to extend with the default “getRepoCommand” defaulting to null.
Issue 11609 “Download patch” UI includes an option for also creating a local branch.
A very standard workflow is to download a change from Gerrit then want to make edits and then repo upload the changes back to Gerrit. Allow developers who are not familiar with the idiosyncrasies of repo, to easily create a local branch when checking out changes.
Allow end-to-end tests to proportionally scale on their expected execution times.
power_factor environment property was added to the end-to-end tests core framework. Using that optional property, scenario steps can take some more (or less) time prior to expecting proper completion.
The way to set that property locally then depends on the target runtime environment, or SUT latency. The property may be used for either core or plugin scenarios.
FlushProjectsCache related scenarios added to core (and the
Support for relative runtime weights in scenarios.
Each scenario can now either weight like any other by default, or override that default with a greater weight value, compared to siblings that are lighter on execution times.
Beside core, make the
multi-site plugin scenarios reuse this.
Allow scenarios to create and delete Gerrit changes alongside projects.
Add the corresponding core support for an optional
http request body to every such
GerritSimulation. Either automate or allow environment properties to feed the related input test data.
Beside core, make the
multi-site plugin scenarios test changes that way. The latter currently has Issue 12693 as a known limitation.
display_name field added to all the endpoints returning the account details.
New Set Display Name API for updating the account display name.
New Modify Account global capability is now required for List Accounts Emails, Get Account External IDs and Delete Account External IDs when used to access information that belongs to accounts other than the caller.
Query Changes API now supports a new
no-limit parameter to remove the default limit on queries and return all results. This might not be supported by all index backends. Also, the
SKIP_MERGEABLE option for skipping the mergeability flag option is not supported anymore.
Revert Change now truncates the revert message if it exceeds 63 characters, by cutting it down to 59 characters with the ellipsis (
…) in the end. Also, the API requires now the new revert permission, otherwise a
403 Forbidden status code is returned.
Revert Submission API for creating a submission-id for grouping multiple changes that belong to the same submission (e.g. topic submission).
Change file content in Change Edit API supports now uploading binary content.
New Preview Fix API for gettings the diffs of all files for a certain fix-id. This is intended to be used in conjunction with robot comments.
allow_conflicts option in all REST-API that perform a server-side merge or cherry-pick.
queryas parameter for groups filtering, instead of the
query2which was a temporary name given to avoid clashes with an earlier deprecated parameter.
refs/meta/configof the repository.
Replication plugin fixes
Issue 11672: Change the storage structure of the persisted replication tasks to avoid losing events.
Issue 11745: Fix firing pending “..all..” events on startup.
Issue 11760: Make persistent task keys stable.
Issue 12678: Fix missing replication Id in replication logs.
Issue 12719: Fix
replication start --wait to track in-flight collisions and to not fail.
Issue 12731: Don‘t lose state when there’s a pending push to the same ref.
Issue 4616: Open commentlinks to changes on the same server in the same tab.
Issue 7083: Stop query from executing if predicate is empty.
Issue 8068: Fix screenreader: In unified mode, stop showing “0 added/removed”.
Issue 9296: Fix wrong diff of commit message between different patch sets of a merge commit.
Issue 11515: Fix Ctrl-Enter on Move Change
Issue 11552: Fix prev/next on diff screen with unchanged files containing only comments.
Issue 11625: Avoid multiple notifications for existing reviewers.
Issue 11697: Fix rendering of commentlinks without leading whitespace.
Issue 11725: Fix diff view file name shown even when the file wasn't changed, but only included because contains a comment.
Issue 11727: Fix blue underline missing from active tabs.
Issue 11782: Fix assignment of CSS style for CodeReview -1 labels within comments.
Issue 11969: Fix tab index in reply dialog.
Issue 11980: Fix handling of LDAP groups containing a dot in the PolyGerrit permissions screen.
Issue 11984: Fix top menu bar on iOS.
Issue 11993: Stop loading fonts from external resources.
Issue 12020: Fix ‘New Contributor Agreement’ screen.
Issue 12024: Fix undefined branch in create-destination-dialog.
Issue 12031: Fix issues with caching edited commit message.
Issue 12067: Fix blank screen after upgrading.
Issue 12108: Add missing ‘Page ...’ on pagination links in the repository list.
Issue 12184: Fix link in blame annotation to link directly to the commit.
Issue 12197: Fix rendering of commentlinks using
link in PolyGerrit UI.
Issue 12224: Honor the date format preference when displaying dates.
Issue 12385: Fix memory leak in
Issue 12707: Apply diff preferences immediately after pressing “Save”.
Issue 12726: Fix incorrect highlighting after
Issue 12775: Fix parent of previous patch sets not being available.
Issue 3340: Fix internal server errors when setting project access permission with bad regex.
Issue 7645: Fix thread deadlock when loading accounts from the account cache.
Replacing Guava caches with Caffeine reduces the chances of having the deadlocks and improves the cache performance.
Issue 7969: Fix internal server error when diffing
MERGE_LIST between different patch sets of a merge commit.
Issue 8952: Do not require explicit “Push Tag” rights to
refs/tags/* for pushing an annotated tag over HTTPS.
Issue 10397: Don't send notification email when publishing a change edit on a WIP change.
Issue 11650: Fix reindexing of changes after project is deleted in the
Issue 11962: Fix advertisement of
refs/meta/config in git protocol v2 when client does not have access to it.
Issue 11986: Fix fetching individual ref with git protocol v2.
Issue 11989: Fix internal server error when pushing over SSH with git protocol v2.
Issue 12070: Fix internal server error on git over HTTP calls when SSHD is enabled.
Issue 12243: Fix unexpected deactivation of service user accounts.
Issue 12246: Fix generation of duplicate ChangeIds when creating a new change via REST.
Issue 12440: Fix the access-path for AbstractGitCommand subclasses.
Issue 12444: Add support for
max_result_window in Elasticsearch index configuration.
Issue 12473: Fix broken links in Elasticsearch configuration documentation.
Issue 12606: Fix
visibleto predicate for groups.
Issue 12747: Fix change query visibility for internal user.
Issue 12755: Block the removal of the Realm primary external ids.
Upgrade flogger to 0.5.1
Upgrade guava to 29.0
Upgrade guice to 4.2.3
Upgrade jgit to 188.8.131.52005061305-m2
Upgrade mina-sshd to 2.4.0
Upgrade ow2 to 7.2
Upgrade truth to 1.0.1
New Gerrit walkthrough guide for GitHub users for allowing an easier transition for those who are coming from a Pull Request workflow.
New guide on how to backup Gerrit.
Replace the term
replica in the Gerrit documentation, for alignment to the new term used in the configuration. The
slave term is still supported but deprecated.
Issue 12573: Added documentation of the commit-container PolyGerrit extension endpoint.
Issue 12443: Stop generating continuous “logging context is not empty” in error_log.
Issue 14097: Allow enabling of Git GC button for non-local Git repository managers, such as multi-site repositories.
Issue 14118: Quota management: enforce repository size on pack rather than on object.
Issue 14193: Ensure InternalUser can parse groups.
Align the recommended buildifier version to v4.0, the same used in the CI.
Development guidelines: mention that Optional in arguments is discouraged (use @Nullable instead) but may be used as return type.
Add change query option allowing administrators to skip visibility filtering.
Add a new REST-API change query option “skip-visibility” to allow administrators to skip visibility filtering.
Replication plugin fixes
Don‘t check read permission when authgroup isn’t set.
Do not check for read permission when authGroup is not set since the user is a RemoteSiteUser that is-an InternalUser having read access to everything. This fixes a regression introduced in v3.1.10 that prevented the All-Users.git repository to be fully replicated to Gerrit replicas.
Issue 13803: Limit number of ambiguous accounts in error message.
Don't list more than 3 ambiguous accounts in error message of UnresolvableAccountException in order to prevent flooding the log and displaying a lot of sensitive account data in an error dialog.
Issue 13936: Fix badly formatted error message shown in error dialog.
Issue 13884: Fix ‘is:submittable’ query on multiple submit records.
Update highlight.js to 10.5.0.
Update Jetty to 9.4.35.v20201120.
Downgrade soy-template to 2019-10-08.
Elasticsearch: Support for EOL version 6.8 is discontinued. This was the last supported minor version of Elasticsearch 6 in Gerrit. From this release, Gerrit no longer supports V6 but only the already supported versions 7.x of Elasticsearch.
Issue 12629: Verify hostname when sending emails via SMTP server with SMTPSClient.
The SMTP server's certificate and hostname must be verified if encryption is enabled with SSL verification in the host settings (
Issue 13544 Ensure that GC#deleteOrphans respects pack lock:
If pack or index files are guarded by a pack lock (.keep file) deleteOrphans() should not touch the respective files protected by the lock file.
Issue 13775 Honor
toogleWipState permission for
%wip push options:
Issue 13781 Compact the REST-API output JSON unconditionally:
The output JSON was initially compacted only when the Accept header was set to
application/json: the compaction is now done unconditionally, unless the
pp=1 query parameter is specified.
Issue 13786 ForRef#check should permit internal users to read all refs:
PermissionBackend#ForRef authoritative change introduced a regression where gerrit
internal users (e.g. plugins) were not taken into consideration when checking READ permission. As consequence the
All-Users.git repository did not get any of the user's refs replicated to the slaves. After the upgrade it is required to trigger a forced replication of the
All-Users.git repository manually.
Avoid logging ssh exception for stream is already closed when length=0 if present in the stacktrace.
Clarify that ‘m’ push option sets patch set description.
Clarify that disk cache metrics require
Upgrade Bazel toolchain to 3.1.0.
Upgrade testcontainers to 1.15.1.
Upgrade Jetty to 9.4.33.v20201020.
Elasticsearch: Support for EOL versions 6.6 and 6.7 is discontinued.
Issue 13184: Logging:
gerrit.war daemon respects
Change in the default behaviour of the
--console-log flag. Since
log.textLogging in the
true by default, using the
--console-log-flag now writes logs to the
error_log-file in addition to stderr by default. This can be avoided by setting
log.textLogging = false.
Issue 13701: X-Forwarded-Proto is now required because of underlying upgrade of the Jetty library, when Gerrit is accessed through an HTTP(/S) reverse-proxy.
Fixes a misconception that leads to data being accessible through Gerrit APIs that should be locked down.
Gerrit had two components for determining if a Git ref is visible to a user:
RefControl). The former was always capable of providing correct results for all refs. The latter only had logic to decide if a Git ref is visible according to the Gerrit
READ permissions. This includes all refs under
refs/heads as well as any other ref that isn't a database ref or a Git tag. This component was unaware of Git tags and notedb-related refs. Hence, when asked for a database reference such as
refs/changes/xx/yyyyxx/meta, the logic would allow access if the user has
READ permissions on any of the ref prefixes (such as the default “read refs/* Anonymous Users”).
That was problematic, because it bypassed documented behavior where a user should only have access to a change if he can see the destination ref. The same goes for other database references.
Gitiles has a special
FilteredRepository wrapper that allows carefully hiding refs based on the project's ACLs. There is however an optimization that skips the filtering in case a user has
READ permissions on every ACL pattern(s). When the target repository is
All-Users, the optimization turns into a security issue because it allows seeing all personal information associated with all accounts, i.e.:
This fix now blocks Gitiles or any other part of Gerrit to abuse this power when the target repository is
All-Users, where nobody can be authorized to skip the ACLs evaluation anyway.
Issue 13307: Do not forward events generated by multiple Gerrit servers in high-availability configuration.
Issue 13349: Allow disabling SSH on Gerrit replica, when disabled in gerrit.config.
Issue 13408: ReceiveCommits: potential NPE when auto-closing changes.
gerrit test-submit is not available when ssh download is disabled.
Issue 11706: Allow editing the commit message as part of change edit.
Issue 13175: Fix
gr-hovercard-behavior under Firefox.
Issue 13328: Project dashboard links stored in ‘My’ menu (GWT) lead to ‘cannot load page’ in PolyGerrit.
Issue 13350: Cannot add group to (cc-)review if its UUID is not the internal one.
Issue 13402: Errors not displayed by delete-project plugin, if project deletion fails.
Replication plugin Fixes
End-to-end Tests Improvements
New documentation for the GC section in jgit.config with the details of the relevant JGit settings for tuning the repositories GC.
New documentation for the receive section in jgit.config with the documentation of the
Documentation of how to enable Git protocol v2 on jgit.config.
Documentation of Gerrit logs format.
Documentation of the
X-Forwarded-For header on HTTP/HTTPS reverse proxy configuration.
New sshd.gracefulStopTimeout setting for allowing incoming SSH connections to drain upon Gerrit shutdown.
Google Truth 1.1
This minor release has been withdrawn.
Issue 12846: BadMessageException: 500: Response header too large.
Bump Jetty version to 9.4.30.v20200611 to fix regression introduced in Jetty version: 9.4.27.v20200227.
Response header overflow leads to buffer corruptions Jetty server always allocates maximum response header size.
For more details see also upstream issues:
Issue 12813: e2e-tests: Add CheckMasterBranchReplica1 scenarios
Issue 12934: Fix selection on diff with range comments
Issue 12952: Handle duplicate label values on project load and push of config updates
Issue 12959: Submit: Use updated change for response
The response was sent with the change instance from before it got submitted, rather than the updated change. As a result, the response contained the status “NEW” rather than “MERGED”.
Issue 12988: Fix issue with auto registering ssh commands
Issue 13166: Include request latency in httpd_log.json
The latency field was missing in the entries of JSON-formatted http logs.
Issue 12994: Fix toggle on iOS
This works around an issue where by clicking on iOS causes the toggle to act like a double tap, thus switches back off.
Issue 13080: Fix the position of the hovercard
The desired position was ‘right’, but it appeared ‘bottom-right’, because the height of the hovercard was calculated as 2px at the time of updating the position.
Issue 13054: Restore keyboard shortcut for expand all diff context
In gerrit 2.16 release the keyboard shortcuts system was redesigned, but the binding for Shift+x shortcut for expand all diffs was lost. Restore this binding and confirm that it is now listed in the help dialog and works as expected.
Replication plugin fixes:
Issue 12779: Only fire the specified pending event URI
Issue 12940: Fix issue with URI lock release after replication task cancellation
Issue 12986: Revert “Get a URI lock before running tasks.”
May still be missing some lock release calls and caused the loss of replication events in queue when backed by the same task storage file.
Issue 12680: Run projects reindex after Gerrit init only when needed, speeding up the upgrade process.
Issue 12778: Fix
Included In filter not working in the search box.
Issue 12909: Fx missing index creation after Gerrit init.
Issue 12918: Fix missing email notifications for project watches for changes created via cherry-pick.
Issue 12884: DatabasePubKeyAuth: Exclude comment from peer key line if present
Support for rolling upgrade.
AccountActivationListener available to plugins for listening to accounts activation status changes.
Issue 12717: Deny access over HTTP for disabled accounts.
A disabled account was still able to access over HTTP until the existing session expired.
Close active SSH connections associated to an account that has been disabled.