title: “Gerrit 3.3.0 release” permalink: 3.3.html hide_sidebar: true hide_navtoggle: true toc: true

Download: 3.3.3 | 3.3.2 | 3.3.1 | 3.3.0

Documentation: 3.3.3 | 3.3.2 | 3.3.1 | 3.3.0

Release highlights

  • Java 11 by default for Gerrit

  • New logs timestamp format

  • Attention Set

Important notes

Default support for Java 11

The java language level is now set to Java 11 by default for Gerrit.

  • Issue 13494; Generate a Java 11 Eclipse project by default

  • Update dev-{eclipse,intellij} development for Java 11.

Schema changes

This release contains schema changes. To upgrade:

  java -jar gerrit.war init -d site_path

Upgrading to this schema version (184) renames the Non-Interactive Users group to Service Users.

Zero-downtime upgrade

Gerrit supports zero-downtime upgrade from Gerrit v3.2 when configured using a high-availability configuration, when the Git repositories are stored in a shared filesystem such as NFS or similar.

For upgrading with zero-downtime, you should enable the rolling upgrade migration in gerrit.config on both Gerrit servers by setting the gerrit.experimentalRollingUpgrade to true.

During the zero-downtime upgrade, Gerrit end-users would not notice any outage or service disruption. They will be able to perform any read/write Gerrit operation on the GUI or using the Git protocol.

The zero-downtime upgrade consists of the following steps:

  1. Have Gerrit servers upgraded to v3.2 in high-availability configuration, healthy and able to handle the incoming traffic properly.
  2. Set gerrit.experimentalRollingUpgrade to true in gerrit.config on both Gerrit servers.
  3. Set the first Gerrit server unhealthy.
  4. Shutdown the first Gerrit server, upgrade to v3.3 and start Gerrit again.
  5. Verify that the first Gerrit server is working properly and then make it healthy again.
  6. Wait for the first Gerrit server to start serving traffic normally.
  7. Repeat steps 3. to 6. for the second Gerrit server.
  8. Remove gerrit.experimentalRollingUpgrade from gerrit.config on both Gerrit servers.

NOTE: The schema version 184 is tolerated by the Gerrit v3.2 because the group-id of the Non-Interactive Users remains the same, hence all existing ACLs are evaluated as expected also when the group is renamed to Service Users. During steps 4, 5 and 6, the Gerrit server still running v3.2 will display Service Users on the repositories ACLs screen.


Downgrade to any Gerrit v3.2.x release is possible, but requires the following manual steps:

  1. Shutdown a migrated Gerrit v3.3.x server
  2. Bump the All-Projects.git version (refname: refs/meta/version) to 183 (see git hash-object and git update-ref)
  3. Revert the All-Users.git schema-184 migration commit (refname: refs/meta/group-names)
  4. Run Gerrit v3.2.x init
  5. Startup Gerrit v3.2.x server

Breaking changes

  • New logs timestamp format:

    The new format supports both ISO-8601 and RFC3339, which means that if you are parsing it as general ISO-8601 it should work as before. However you will be affected if you are parsing the timestamp with a static format.

ChangeAttributeFactory deprecated and ChangePluginDefinedInfoFactory supported

Similar to the ChangeAttributeFactory, a ChangePluginDefinedInfoFactory allows plugins to provide additional data in change results. ChangePluginDefinedInfoFactory has the advantage that it allows plugins to know the full set of changes up front so that they can do bulk operations.

ChangeAttributeFactory will be removed in the next release.

JGit auto-configuration

Auto-disable receive.autogc option

By JGit's default, git-receive-pack will run auto gc after receiving data from git-push and updating refs.

Init step is added to auto-disable receive.autogc configuration option in $gerrit_site/etc/jgit.config file.

Auto-enable git wire protocol version 2

By JGit's default, git wire protocol version 2 is disabled. Given, that git wire protocol version 2 on the server side is considered to be now very stable, activate it per default in init site program, so that gerrit sites benefit from improved fetch performance.

Security fixes

  • Issue 13621; CVE-2020-8919: Make PermissionBackend#ForRef authoritative.

    Fixes a misconception that leads to data being accessible through Gerrit APIs that should be locked down.

    Gerrit had two components for determining if a Git ref is visible to a user: (Default)RefFilter and PermissionBackend#ForRef (e.g., RefControl). The former was always capable of providing correct results for all refs. The latter only had logic to decide if a Git ref is visible according to the Gerrit READ permissions. This includes all refs under refs/heads as well as any other ref that isn't a database ref or a Git tag. This component was unaware of Git tags and notedb-related refs. Hence, when asked for a database reference such as refs/changes/xx/yyyyxx/meta, the logic would allow access if the user has READ permissions on any of the ref prefixes (such as the default “read refs/* Anonymous Users”).

    That was problematic, because it bypassed documented behavior where a user should only have access to a change if he can see the destination ref. The same goes for other database references.

  • Issue 13514; CVE-2020-8920: Work around Gitiles bug on All-Users visibility.

    Gitiles has a special FilteredRepository wrapper that allows carefully hiding refs based on the project's ACLs. There is however an optimization that skips the filtering in case a user has READ permissions on every ACL pattern(s). When the target repository is All-Users, the optimization turns into a security issue because it allows seeing all personal information associated with all accounts, i.e.:

    • draft comments
    • draft edits
    • personally identifiable information (PII) of all users
    • external ids

    This fix now blocks Gitiles or any other part of Gerrit to abuse this power when the target repository is All-Users, where nobody can be authorized to skip the ACLs evaluation anyway.

  • Issue 12629; Verify hostname when sending emails via SMTP server with SMTPSClient.

    The SMTP server's certificate and hostname must be verified if encryption is enabled with SSL verification in the host settings (sendemail.smtpEncryption and sendemail.sslVerify).

    SMTPSClient from Apache Commons Net used for SSL processing. It has the following downside: if encryption is not required, SMTPSClient is used in ‘explicit’ mode with the upgrade to TLS never called. Thus, the client is somewhat misused.

Native packaging

  • Allow to use init as a param in docker run

    This allows to easily run the Gerrit image with the init argument to explicitly re-run the initialization on an existing or new site.

  • CentOS docker image upgrade to v8.2.2004

New features

  • Attention Set:

    For every change Gerrit maintains an “Attention Set” with users that are currently expected to act on the change. Both on the dashboard and on the change page, this is expressed by an arrow icon before the user name.

    Enabled by default. The former assignee feature is therefore now disabled by default.

  • The reply dialog posts patchset level comments instead of change messages.

    This is an experiment that is enabled by default. However, it can be disabled by adding ‘UiFeature__patchset_comments’ as disabled key in experiments section of gerrit.config. This is useful if your CI system parses back change messages (e.g. “/rerun”) and has not been updated yet to parse patchset level comments. The option to revert this behavior will be removed in Gerrit 3.4. Until then, administrators need to have migrated.

  • Issue 13670; Introduce cache.openFiles setting in gerrit.config.

    Persistent caches might require the allocation of additional file descriptors depending on their configuration and backend engine. This new setting allows the gerrit.sh to be aware of that and increase the number of files accordingly before starting Gerrit.

    E.g. when swapping the default H2 persistent cache implementation with the chronicle-map implementation the number of open files needs raising, since the latter is bound to open more file descriptors, mostly due to its usage of memory mapped files.

REST API changes

  • Reject REST requests with invalid enum values as bad request

  • Expose ‘Service User’ tag on the REST API

  • Add endpoints to allow enhancement on submit requirements

  • Add parameter for added reviewers on reply-reviewers endpoint

  • Add an alternate CreateChange endpoint

  • Issue 13357; Add the work_in_progress option to the revert and revertSubmission endpoints

End-to-end tests

Plugin changes



  • New command: “Reset To”

    Add a new command that allows to reset the current branch to the commit that was fetched. This is useful in cases when the user is working on a local branch and the existing commands are not appropriate:

    • “Checkout” will check out the FETCH_HEAD, i.e. moving off the current branch and leaving the local repository in ‘detached head’ state.

    • “Cherry-Pick” will commit the fetched change again, resulting in a ‘new’ commit (i.e. changed sha1) which will result in a new patch set if the user creates any commits on top of it and pushes for review.

  • Issue 10021; Avoid quoting on basic strings



  • Add method to push changes directly to given replica

    This makes it possible to push changes directly to given replica instance without sending unnecessary requests to others.

    The method is intended to be used by other plugins that extend the replication plugin.

  • Prevent persistent task listing interruptions on IOExceptions

    Improved the logging by differentiating between failures that are severe versus potentially related to other node actions since in a multi-primary scenario with shared storage, it is common for operations on one node to “interfere” with task listing operations on another node without causing a malfunction. Specifically, improve the exception handling so that the logging in these latter cases have a likely explanation of the listing error, and do not consider these specific filesystem errors operational errors.

    NOTE: The multi-primary replication is still experimental.

  • Issue 12769; Fix synopsis in replication start cmd documentation

    --url is usable with --all or projects and on its own. Updated the usage to reflect this.

  • Issue 12769; Don't wait for pending events to process on startup

    Previously, on large Gerrit installations with many projects and/or many replication destinations, the replication plugin could take very long periods of time to startup. This was particularly a problem if the pending (persisted) event count was large as they all were rescheduled before the plugin finished initializing. Change this behavior so that startup merely begins the process of scheduling the pending events, but does not wait for them to complete.

  • Issue 13480; Don't output directories during task walk

Polygerrit UI changes

  • Add comment icon to CR column of the dashboard

  • Lock scroll for background when reply-dialog open

  • Fix use of registration dialog instead of overlay

  • A11y - Add meaningful label for Edit button on change page

  • Enable download dialog shortcut in diff page

  • Add title and shortcuts for some links and buttons

  • Fix titles for buttons

  • Add help icon to search bar with link to the doc

  • Fix first and last focusable elements in download and diff pref dialogs

  • Refine the UX on account chips

  • Add doc/bug icons to hovercard and change to help-outline icon

  • Re-use logic for opening up download dialog from ‘d’

  • Update hovercard text to say Your/their turn to take action

  • Offer an option to hide the file comment button

  • Update pg-plugin-dev document with polymer 3 examples

  • Fix broken link/icon to the master build status

  • Add link icon to messages in change log

  • A11y - Fix label and navigation for More Actions Button

  • Disable the ‘Send’ button when a comment is being edited

  • Fix the dangling comma after reviewer on dashboard

  • Fix Shift-A shortcut for hiding the left side of the diff

UI issues

  • Issue 7458; Fix iron-dropdown positioning

  • Issue 13080; Fix the position of the hovercard

  • Issue 13175; Fix gr-hovercard-behavior under Firefox

  • Issue 13328; Redirect GWT links to project dashboard to Polygerit

  • Issue 13433; Unlock scroll if hovercard detached

  • Issue 13543; Fix navigate back to change page with ‘[’ on first diff.

  • Issue 13658; Convert comment counts to comment thread counts around the UI

Documentation changes

  • config-reverseproxy.txt: Document X-Forwarded-For header

  • Document possibility to resume reviews with meetings

  • Document how to mitigate the issue of broken Eclipse project on MacOS

  • Clarify documentation about parent project access right

  • Document jgit options respected by gerrit gc; receive

JGit changes

  • Issue 13544; Ensure that GC#deleteOrphans respects pack lock.

    If pack or index files are guarded by a pack lock (.keep file), deleteOrphans() should not touch the respective files protected by the lock file. Otherwise it may interfere with PackInserter concurrently inserting a new pack file and its index.

  • Issue 13694; Fix the git wire protocol v2 issue on JDK 15

Elasticsearch changes

  • ElasticContainer: Upgrade V6_8 to elasticsearch 6.8.13

  • ElasticContainer: Upgrade V7_8 to elasticsearch 7.8.1

  • Issue 12704; Simplify Init for Elasticsearch

Other dependency changes

  • Upgrade caffeine to 2.8.5

  • Upgrade jackson-core to 2.11.3

  • Upgrade metrics-core to

  • Upgrade soy to 2020-08-24

  • Issue 13474; Upgrade testcontainers to 1.15.0

Other core changes

  • Limit graceful shutdown to SSH sessions serving git requests

  • NoteDbMigrator: Improve log message when saving ref updates

  • Explicitly check READ permission when processing a git push

  • Introduce sshd.gracefulStopTimeout

  • Fix eclipse project generation

  • Update instructions for running on Docker

  • Fix links and file name in emails for patchset-level comments

  • Add JavaScript style guide

Core issues

  • Issue 11637; Add a process to remove a core plugin

  • Issue 11774; Change filtering of messages in experimental ChangeLog

  • Issue 12707; Apply diff preferences immediately after clicking save

  • Issue 12934; Fix selection on diff with range comments

  • Issue 12994; Fix toggle on iOS

  • Issue 13014; Clean up disrespectful terms

  • Issue 13054; Restore keyboard shortcut for expand all diff context

  • Issue 13073; Fix highlight on multi-line range comments

  • Issue 13184; Respect log.textLogging and log.jsonLogging using --console-log

  • Issue 13266; Allow to use ‘Apply fix’ several times on the commit message

  • Issue 13349; When SSH is disabled, it should also be disabled on replica

  • Issue 13350; Decode group id before using it to add [cc-]reviewers

  • Issue 13376; Make sure that comment drafts are sorted to the end

  • Issue 13464; Use persistent cache provided by libModule for offline reindex

  • Issue 13754; Fix NPE with StoredCommentLinkInfoSerializer when enabled is null

Bugfix releases


  • New Features

  • Breaking Changes

    • Elasticsearch: Support for EOL versions 7.2 and 7.3 is discontinued. Both elasticsearch versions became EOL recently.

    • Issue 13931: Disallow editing the Change-Id during inline edits.

  • Bug Fixes

    • Issue 12443: Stop generating continuous “logging context is not empty” in error_log.

    • Issue 12847 Issue 12862: Fix NPE on trying to send email for user without email address.

    • Issue 13899: Shows reviewers column in the user's open changes dashboard.

    • Issue 14097: Allow enabling of Git GC button for non-local Git repository managers, such as multi-site repositories.

    • Issue 14117: Do not suggest service users as reviewers on changes.

    • Issue 14118: Quota management: enforce repository size on pack rather than on object.

    • Issue 14193: Ensure InternalUser can parse groups.

  • PolyGerrit Fixes

    • Issue 14035: Change --gr-formatted-text-prose-max-width from 80ch to 120ch.

    • Issue 14036: Fix multiline range commenting in Firefox.

    • Issue 14104: Decorate the number line element of a blank side, otherwise it won't be affected by the “hide-left” action to hide one side of the diff.

    • Issue 14127: Fix binding of DELETE REST calls from plugins which impacted the ability the delete projects using the delete-project plugin.

    • Issue 14257: Fix empty TopMenu drop down list.

  • Documentation updates

    • Align the recommended buildifier version to v4.0, the same used in the CI.

    • Development guidelines: mention that Optional in arguments is discouraged (use @Nullable instead) but may be used as return type.

    • New configuration setting suggest.skipServiceUsers for preventing the suggestion of service users as reviewers.

    • New configuration setting gerrit.installBatchModule for adding additional Guice modules to Gerrit init command.

    • Remove the now obsolete section about Java configuration for Strong Cryptography.

  • Dependency Updates

    • Update highlight.js to 10.6.0.


  • New Features

    • Add change query option allowing administrators to skip visibility filtering.

      Add a new REST-API change query option “skip-visibility” to allow administrators to skip visibility filtering.

  • Security Fixes

    • Issue 13858 CVE-2021-22553: Fixed memory leak in Git-over-HTTP requests.

      Unauthenticated users could exploit this problem in a Denial of Service attack, causing the server to go out-of-memory.

  • PolyGerrit Fixes

    • Issue 11811: Fix comments on partial text selection on Safari.

    • Issue 13870: Polygerrit: Remove license headers in minified gr-app.js.

  • Replication plugin fixes

    • Don‘t check read permission when authgroup isn’t set.

      Do not check for read permission when authGroup is not set since the user is a RemoteSiteUser that is-an InternalUser having read access to everything. This fixes a regression introduced in v3.1.10 that prevented the All-Users.git repository to be fully replicated to Gerrit replicas.

  • Bug Fixes

    • Issue 13803: Limit number of ambiguous accounts in error message.

      Don't list more than 3 ambiguous accounts in error message of UnresolvableAccountException in order to prevent flooding the log and displaying a lot of sensitive account data in an error dialog.

    • Issue 13936: Fix badly formatted error message shown in error dialog.

    • Issue 13884: Fix ‘is:submittable’ query on multiple submit records.

  • Dependency Updates

    • Update highlight.js to 10.5.0.

    • Update codemirror-minified to 5.59.1.

    • Update Jetty to 9.4.35.v20201120.

    • Downgrade soy-template to 2019-10-08.


  • Breaking changes

    • Elasticsearch: support for EOL version 6.8 is discontinued. This was the last supported minor version of Elasticsearch 6 in Gerrit. From this release, Gerrit no longer supports V6 but only the already supported versions 7.x of Elasticsearch.

      • Speaking of which, support for 7.0 and 7.1 is discontinued too, as both elasticsearch versions also became EOL recently.
  • Security Fixes

    • Issue 12629: Verify hostname when sending emails via SMTP server with SMTPSClient.

      The SMTP server's certificate and hostname must be verified if encryption is enabled with SSL verification in the host settings (sendemail.smtpEncryption and sendemail.sslVerify).

  • PolyGerrit Fixes

    • Remove requesting DETAILED_LABELS for the dashboard.

    • Issue 13785 Add z-index to gr-main-header to avoid the box shadows being hidden behind the content.

  • Bug Fixes

    • Issue 13544 Ensure that GC#deleteOrphans respects pack lock:

      If pack or index files are guarded by a pack lock (.keep file) deleteOrphans() should not touch the respective files protected by the lock file.

    • Issue 13775 Honor toogleWipState permission for %ready %wip push options:

    • Issue 13781 Compact the REST-API output JSON unconditionally:

      The output JSON was initially compacted only when the Accept header was set to application/json: the compaction is now done unconditionally, unless the pp=1 query parameter is specified.

    • Issue 13786 ForRef#check should permit internal users to read all refs:

      Make PermissionBackend#ForRef authoritative change introduced a regression where gerrit internal users (e.g. plugins) were not taken into consideration when checking READ permission. As consequence the All-Users.git repository did not get any of the user's refs replicated to the slaves. After the upgrade it is required to trigger a forced replication of the All-Users.git repository manually.

    • Avoid logging ssh exception for stream is already closed when length=0 if present in the stacktrace.

    • Adapt Bazel/RBE build to produce Java 11 language level.

    • Make UI experiments configurable from gerrit.config.

      Allows users who upgrade Gerrit to make use of experimental features or temporarily revert to previous behavior in case the new behavior breaks them (e.g. turn off patch-set-level comments in 3.3 which breaks some CI workflows).

    • Issue 13800 Expose patch set level comment in stream event.

  • Documentation Updates

    • Clarify that ‘m’ push option sets patch set description.

    • Clarify that disk cache metrics require cache.enableDiskStatMetrics.

  • Dependency Updates

    • Upgrade commons-io to 2.4.

    • Upgrade testcontainers to 1.15.1.