Download: 2.14.22 | 2.14.21 | 2.14.20 | 2.14.19 | 2.14.18 | 2.14.17 | 2.14.16 | 2.14.15 | 2.14.14 | 2.14.13 | 2.14.12 | 2.14.11 | 2.14.10 | 2.14.9 | 2.14.8 | 2.14.7 | 2.14.6 | | 2.14.4 | 2.14.3 | 2.14.2 | 2.14.1 | 2.14

Documentation: 2.14.22 | 2.14.21 | 2.14.20 | 2.14.19 | 2.14.18 | 2.14.17 | 2.14.16 | 2.14.15 | 2.14.14 | 2.14.13 | 2.14.12 | 2.14.11 | 2.14.10 | 2.14.9 | 2.14.8 | 2.14.7 | 2.14.6 | | 2.14.4 | 2.14.3 | 2.14.2 | 2.14.1 | 2.14

Release Highlights

  • Changes can be assigned to specific users
  • Open and Abandoned changes can be deleted
  • HTML emails and new templating framework
  • Support for receiving review comments by email
  • New Polymer based user interface
  • Support for elliptic curve/ed25519 SSH keys
  • Secondary index for groups
  • Experimental support for Elasticsearch as secondary index from 2.14.8

Important Notes

Schema Changes

This release contains schema changes. To upgrade:

  java -jar gerrit.war init -d site_path

Reindex for new groups index

Gerrit 2.14 introduces a new secondary index for groups. The initial version of this index must be created by running the offline reindex before starting Gerrit:

  java -jar gerrit.war reindex --index groups -d site_path

Note that it is not necessary to reindex the changes and accounts indexes offline. These will automatically be reindexed by the online reindexer after starting Gerrit.

Java 8

Gerrit now requires Java Runtime Environment (JRE) version 8. It is no longer possible to run Gerrit on JRE 7 and it is not compatible with JRE 9 or newer yet. For more information, see Issue 7843.

Bouncy Castle Libraries

The Bouncy Castle Crypto API libraries are now distributed in the Gerrit .war file rather than being downloaded during site initialization. When upgrading from a previous version of Gerrit, previously downloaded Bouncy Castle .jar files remaining in the site’s /lib folder will be disabled by appending .disabled to the file name.

HTTP Digest Authentication Removed

Support for HTTP Digest Authentiation is removed. With the move to NoteDB, the per-account data (including the HTTP password) will be stored in a branch in the All-Users repo, where it is subject to Gerrit ACLs.

Since these are notoriously hard to setup correctly, we want to avoid storing the password in plaintext.

Existing passwords will be migrated to a hashed password during site initialization when upgrading from an earlier version of Gerrit.

Evaluation of BLOCK permission rules has changed

An exclusive ALLOW permission now has priority over a BLOCK permission when both permissions are defined on the same project. This means an exclusive ALLOW rule now overrules BLOCK rules on the same project. BLOCK rules still cannot be overruled by child projects. This change makes it possible to allow a permission for a specific ref and to block the same permission for all other refs. For example, it is now possible to allow all users to push changes for review, but to block all direct pushes:

  [access "refs/*"]
    push = block group Anonymous Users
  [access "refs/for/*"]
    exclusiveGroupPermissions = push
    push = group Registered Users

Deprecation of Velocity Email Templates

This release deprecates the use of Velocity mail templates. In a future release support will be removed and it will be necessary to upgrade custom mail templates to Soy files.

Tag Permissions

The permissions “Push Annotated Tag” and “Push Signed Tag” are renamed to “Create Annotated Tag” and “Create Signed Tag”. Existing project configurations using the old permission names will be migrated during site initialization.

Behavior change in ref-update hook

The ref-update hook is now only invoked for direct ref updates, i.e. branch creation, branch deletion, and updates (fast-forward and non-fastforward) via direct push. It is not invoked on commits received for review, or on submit of changes.

A new hook named commit-received is added, which is invoked when a commit is received for review, and can be used to prevent reviews from being created. A new hook named submit is added in 2.14.9, which is invoked when a user attempts to submit a change, and can be used to prevent the submit.

Sites using the ref-update hook to validate changes pushed for review, or to validate submits, should migrate to the commit-received and submit hooks.

Updated primary key on JdbcAccountPatchReviewStore

In version 2.14.4 the fields in the JdbcAccountPatchReviewStore primary key are reordered to improve performance when clearing the reviewed flag for a patch set.

Sites that have already upgraded from an earlier version to 2.13, or to a 2.14.x version before 2.14.4, and want to take advantage of this performance improvement, should manually drop and recreate the primary key as follows:

  # drop the key
  ALTER TABLE account_patch_reviews
  DROP CONSTRAINT primary_key_account_patch_reviews;
  # recreate the key
  ALTER TABLE account_patch_reviews
  ADD CONSTRAINT primary_key_account_patch_reviews
  PRIMARY KEY (change_id, patch_set_id, account_id, file_name);

Note that this is optional. The site will continue to work without this update. The update is not necessary when upgrading directly to 2.14.4 from a version earlier than 2.13, as the primary key will be created with the updated order anyway.

New Features

Change Assignee

Changes may be assigned to a specific user. This allows a workflow where the user that is assigned to a change is responsible for reviewing the change and/or passing the assignment on to another user.

In the UI, changes assigned to the currently logged in user are highlighted.

A new assignee: search predicate allows to find changes assigned to a given user.

Delete Changes


HTML Emails

Gerrit email messages are made easier to read by sending HTML content parts in addition to the existing text email content. This is enabled by default, and can be disabled by setting sendemail.html to false. Users can opt to always receive plaintext emails by setting the Email Format preference.

Closure Templates

Mail templates can now be written using Closure Templates (Soy). Mail templates written in Velocity (VTL) are deprecated but still supported. Support for VTL will be dropped in a future release.

Review Comments by Email

Gerrit now supports receiving review comments by email.

Secondary Index with Elasticsearch

It is possible to enable Elasticsearch as a secondary index by setting index.type to ELASTICSEARCH and configuring the Elasticsearch specific configuration parameters.

Note that the Elasticsearch implementation is still considered experimental and it is not advised to use it for production systems.

User Interface

  • Issue 3944: Tags can be created and deleted via the Tags screen in the UI. Although the REST API supports creation of both lightweight and annotated tags from 2.14, the GWT UI allows for annotation with 2.14.4 or later.

  • For merge commits, the list of commits that will be merged into the destination branch is included as the /MERGE_LIST magic file which is shown as Merge List in the UI.







New User Interface (“PolyGerrit”)

Gerrit now includes a new user interface, referred to as “PolyGerrit”, based on Polymer. The UI can be switched between PolyGerrit and GWT by clicking the “New UI” and “Old UI” links in the site footer. Alternatively, the UI can be switched by adding ?polygerrit=1 or ?polygerrit=0 to the URL. Note that PolyGerrit is still under development. Most use cases are supported, but there are still some missing features compared to the GWT UI.


  • Issue 4507: Add support for elliptic curve/ed25519 SSH keys.

Creating Changes for Merged Commits

Normally, changes can be reviewed only before they are being merged. This new feature allows for post-submit review of commits by creating a new merged change, by using the ‘merged’ push option.


  • Issue 5234: Fix SSH GSSAPI authentication.
  • Issue 5739: Prevent ref-update hook from being invoked on every commit when pushing multiple commits. Instead of being invoked on every commit received, the ref-update hook is now invoked before the ref update operation is finalized. Note that the hook is no longer invoked on commits pushed for review or on changes that are merged. It is invoked for creation/deletion of refs, and for ref updates caused by direct pushes (i.e. bypassing review). The previous behavior of the ref-update hook is moved into a new hook named commit-received. A new parameter --cmdref is added, and the special handling of refs/for and refs/changes is removed. Sites using the ref-update hook should rename the hook file to commit-received.

Dependency Updates

  • Update auto-value to 1.4 (updated to 1.6.2 in 2.14.12)
  • Update Bouncy Castle to 1.56 (updated to 1.60 in 2.14.17)
  • Update codemirror to 5.25.0
  • Update commons-compress to 1.12
  • Update Guava to 21.0 (updated to 24.1.1-jre in 2.14.17)
  • Update Guice to 4.1.0 (updated to 4.2.0 in 2.14.11)
  • Update GWT to 2.8.0 (updated to 2.8.2 in 2.14.6)
  • Update gwtjsonrpc to 1.11
  • Update gwtorm to 1.17
  • Update JavaEWAH to 1.1.6
  • Update JGit to (updated to in 2.14.20)
  • Update jsch to 0.1.54
  • Update Lucene to 5.5.2 (updated to 5.5.5 in 2.14.17)
  • Update mina to 2.0.16
  • Update ow2-asm to 5.1
  • Update prolog-cafe to 1.4.2
  • Update SSHD to 1.4.0

Bugfix Releases


  • Security Fixes

    • Issue 13514 CVE-2020-8920: Work around Gitiles bug on All-Users visibility.

      Gitiles has a special FilteredRepository wrapper that allows carefully hiding refs based on the project’s ACLs. There is however an optimization that skips the filtering in case a user has READ permissions on every ACL pattern(s). When the target repository is All-Users, the optimization turns into a security issue because it allows seeing all personal information associated with all accounts, i.e.:

      • draft comments
      • draft edits
      • personally identifiable information (PII) of all users
      • external ids

      This fix now blocks Gitiles or any other part of Gerrit to abuse this power when the target repository is All-Users, where nobody can be authorized to skip the ACLs evaluation anyway.


  • Security Fixes

    • Issue 12717: Deny access over HTTP for disabled accounts.

      A disabled account was still able to access over HTTP until the existing session expired.


  • Issue 10695: Upgrade JGit to to fix regression in packfile list handling.

    If core.trustfolderstat was set to false, an infinite loop could occur when an object was not found in the packfile.

  • Don’t abort auto-abandoning if one change failed.

    When failing to query a single change during auto-abandoning, the whole process was aborted. Now the failure is logged and the process continues to attempt to abandon subsequent changes.


  • Issue 10562: Upgrade JGit to to fix corruption of packfile list due to concurrent access during GC.

    See JGit issue 544199 for details.


  • Issue 10262: Upgrade JGit to to fix validation of wants in git-upload-pack for protocol v0 stateless transports.

    AdvertiseRefsHook was not called for git-upload-pack in protocol v0 stateless transports, meaning that wants were not validated and a user could fetch anything that is pointed to by any ref (using fetch-by-sha1), as long as they could guess the object name.

  • Issue 10242: Fix regression that allows a user’s account to be taken over when multiple authentication providers are in use.

    A regression introduced in 2.14.7 allowed a user’s account to be taken over by creating an account on a different provider with exactly the same username as the existing Gerrit account.

  • Issue 10112: Upgrade rules_closure to make Gerrit buildable with the latest Bazel version.

  • Issue 9781: Allow to disable the groups relevance filtering for LDAP.


  • Issue 9952: Upgrade dependencies to newer versions to fix CVEs.

  • Issue 9969: Fix incorrect dependency on httpcore-nio for Elasticsearch.

    The Elasticsearch REST client depends on version 4.4.5 of httpcore-nio, but the version provided by Gerrit was 4.4.1.

  • Remove dependency on httpmime.

    httpmime was a dependency of Apache Solr, which was removed from Gerrit some time ago.

  • Fix unnecessary reads of change note refs when NoteDb is disabled.

    Change notes packed refs were unnecessarily being read and parsed when NoteDb was disabled.

    See the mailing list discussion for more information.

  • Upgrade Elasticsearch REST client to 6.4.3.


  • Issue 9836: Fix database connections leaks.

    The fix for issue 9823 in 2.14.15 introduced a database connection leak.

  • Upgrade JGit to

    • Fixes a file handle leak in the LFS file server.
    • Allows the path or url to be absent in the validation of .gitmodules files.
    • Fixes malformed Javadoc.


  • Update JGit to to fix CVE-2018-17456.

    This release of JGit implements validation of .gitmodules files to protect unguarded tools against CVE-2018-17456.

  • Issue 9823: Fix force push permission check for administrators and project owners over SSH.

    It was possible for an administrator or project owner to force push to a project over SSH without having the Force Push permission.

    This issue did not affect regular users, or pushes over HTTP.

  • Update jackson-core to 2.9.7.

    There have been several releases since 2.6.6 including many bug fixes and security fixes.

  • Update elasticsearch-rest-client to 6.4.2.


  • Issue 9761: Ensure that URIs in requests to Elasticsearch are prefixed with /.

    When using Amazon’s Elasticsearch service, requests failed with “400 Bad Request” because they were not prefixed with /.

  • Issue 9766: Update jruby to 9.1.17 and asciidoctorj to 1.5.7.

    Since Bazel 0.16 the build is done with an embedded JRE using Java version 9. The documentation build was using an older version of jruby that did not properly support Java 9.


  • Instances of IdString used to return true when equals was given a String instance equal to the IdString’s URL-encoded value. This violates symmetry, so this behavior was removed: IdStrings now never compare equal to Strings.

  • Upgrade JGit to

    • Issue 9667: Fix handling of output stream in LFS server.

    • Fix errors during cleanup after deleting refs.

    • Fix errors during cleanup after running garbage collection.

    • Fix atomic lock file creation on NFS.

  • Issue 9711: Add a change deleted event.

    Since 2.14 it is possible to delete changes, however there was no specific event emitted. A new change deleted event is added, which is notified to stream-events clients. The hooks plugin is updated to support a change-deleted hook.

  • Issue 9689: Fix visibility of tag creation form on the project screen (GWT).

    The tag creation form was shown when the user had “Create Reference” permission on refs/* or refs/heads/* (but not refs/tags/*).


  • Issue 9528: Allow project-level receive.maxObjectSizeLimit to be inherited from parent project.

    It is possible to set the limit per project in the project.config on refs/meta/config, and at global level in $site/etc/gerrit.config. The project setting may override the global setting if it is lower. Changing the global setting requires a server restart.

    A limitation of this implementation is that we cannot set the limit at a project level and have it inherited to its child projects; it is necessary to explicitly set the limit on each child project.

    A new global option receive.inheritProjectMaxObjectSizeLimit is added, and when this is enabled the project-level setting is inherited from the parent. This new setting is disabled by default to keep backwards compatibility with the original behavior.

  • Allow more email RFC characters in the username.

    It was possible to set a username with an email-address-like string, but only as far as the fact that the @ character was allowed. Most of the other characters allowed by the RFC were not allowed.

  • Issue 9670: Add support for Elasticsearch 6.4.0.
  • Issue 9514: Emit a warning when starting Gerrit via without OOM protection.
  • Fix incorrect response from the ‘Put Config’ project REST API.

    The response returned after updating the configuration was generated using the configuration that was loaded before the update, and did not contain the changed values.

  • Fix support for commentLink entries in the project.config.

    The documentation states that commentLink entries may be added at project level in the project.config on a project’s refs/meta/config branch, but this was not actually implemented.

  • Issue 5316: Fix incorrect relative URL paths in Gitiles links in the PolyGerrit UI.
  • Return raw byte value for effective value of git max object size limit.

    The ‘value’ field of the info shows the effective value that gets applied, and now shows the actual byte value rather than the formatted value which could be using any arbitrary unit suffix (within the scope of the suffixes actually supported).

    In the GWT UI, the effective value is now always shown, rather than only when there is a global value, and explicitly says when there is no value configured.

  • Ensure user authentication in AllRequestFilter filters.

    The order of filters made request authentication only work when the HTTP request was issued from the Gerrit UI, but not work when REST API was used.

  • commit-message-length-validation plugin: Use “warning” prefix to allow colorization of remote output.

    From version 2.19 of git, the “warning” keyword will be highlighted in the remote output when color.remote is enabled in the git config.

  • Fix partially hidden plugin configuration in the GWT UI.

    In the project setting page, plugin configurations were partially hidden if the value had more characters than the default number of characters displayed in the text box.

  • Add a new method on the project API to get the reflog.
  • Upgrade PostgreSQL connector to 42.2.4.
  • Validate connections when sending a request to the database.

    In some cases it was possible to attempt to reuse an already closed connection, which resulted in an internal server exception.


  • Fix display of “Delete Changes” permission in access screen on GWT UI.
  • Fix permission check when deleting a single branch with the “Delete Branches” REST endpoint.
  • Include cause in exception when failing to save config in the “Set Config” REST endpoint.
  • Issue 9482: Fix staleness checker for URL-encoded project names.
  • Issue 9153: Upgrade JGit to This version includes several fixes including a fix for issue 9153 which prevented querying for filenames with special characters, and fixes related to cleaning up ref directories after running GC. It also includes the fix Honor trustFolderStats also when reading packed-refs. Users should note that for repositories with a high number of references (for example in excess of 300K refs) and in a server with high traffic, this solution may not scale well and should be tested carefully.
  • Upgrade guice to 4.2.0. Guice version 4.2.0 includes performance improvements.
  • Upgrade metrics-core to 4.0.3.
  • Upgrade elasticsearch-rest-client to 6.3.2.


  • Allow to assign “Delete Own Changes” permission to “Change Owners”. It was only possible for a user to delete their own change if they were a member of a group that was assigned the “Delete Own Changes” permission. This was counter-intiuitive as it was necessary to either create a specific group, or assign the permission to “Registered Users”. It is now possible to assign this permission to the “Change Owners” virtual group.
  • Issue 9354: Add “Delete Changes” permission. It was only possible for a user to delete another user’s change if they were a member of a group that was assigned the “Administrate Server” permission. A new “Delete Changes” permission is added. This permission can be assigned to a group, or to the “Project Owners” virtual group.
  • Issue 9345: Fix creation of plugin log file when log4j.configuration is set When the environment variable log4j.configuration is set, log files defined by plugins were not created because the appender couldn’t be found.
  • Fix repeated Change-Id in error message when Change-Id line is not in the footer.
  • Add ChangeReportFormatter extension point for customizing the report output from git push.
  • Align Elasticsearch connection configuration with Elasticsearch REST client. In 2.14.9 the JEST client was replaced with the native Elasticsearch REST client, but several settings that were only used by JEST were not removed. The following settings are now removed:

    • elasticsearch.requestCompression
    • elasticsearch.connectionTimeout
    • elasticsearch.maxConnectionIdleTime
    • elasticsearch.maxReadTimeout
    • elasticsearch.maxTotalConnection A new setting elasticsearch.maxRetryTimeout is added. If not configured, it defaults to 30000 ms which is the default used by the REST client.
  • Issue 9372: Simplify the configuration of Elasticsearch servers. Instead of specifying each server in a separate [elasticsearch "name"] section, with separate values protocol, hostname, and port, the servers are now configured as a list of server values in the [elasticsearch] section. This also fixes Issue 9383 where a “default” server http://localhost:9200 would be added by the site initialization even if other servers were already explicitly configured. During startup the list of configured Elasticsearch servers is logged at info level.
  • Issue 9146 and Issue 9147: Fix Elasticsearch queries for results with substrings in keywords. Doing a query that involved the characters “.” and “_” from full text fields did not include results with keywords as a substring. This behavior was different from Lucene, where these two characters are mapped to the space character (“ “) so that the query returns keywords separated by them.
  • Allow to omit the elasticsearch.username setting. If elasticsearch.password is specified, the username can be omitted and it will default to elastic which is the default username configured when running Elasticsearch with security enabled.
  • Upgrade Elasticsearch REST client to 6.3.1.
  • Upgrade commons-io to 2.2. This version is needed by the gitblit plugin.


  • Issue 6094 and Issue 9112: Add support for Elasticsearch versions 5 and 6. Support is added for Elasticsearch versions 5.6 (tested with versions 5.6.9 and 5.6.10), 6.2 (tested with version 6.2.4) and 6.3.0. Version 2.4 is still supported (tested with version 2.4.6). Instead of using the ‘Jest’ client to communicate with Elasticsearch, the Elasticsearch low level API is now used. Support for Elasticsearch is still considered experimental, and is not recommended for production use.
  • Allow to replace the default H2 persistent cache with a custom implementation. The default H2 persistent cache can be replaced by a module that implements the CacheImpl interface. An implementation is provided for postgresql.
  • Issue 9245: Return the correct information in JSON response after moving a change. When moving a change by the REST API, the JSON response contained the branch name of the original destination rather than the new destination.
  • Issue 8916: Improve performance of ownerin: predicate for internal groups.
  • Fix omission of ‘branch’ values when saving project config. The ‘branch’ values were omitted when saving the config, resulting in them being lost.
  • Issue 9195: Strip comment lines out of commit message when creating change. When a change was created from the UI (or via the ‘Create Change’ REST API), and the commit message consisted of only a subject beginning with a hash character (#), the change was created with a zero Change-Id. This was beause lines beginning with # are considered to be comments, and are stripped from the commit message by JGit before computing the Change-Id for the commit. Before attempting to create the change, Gerrit now strips out any comment lines from the commit message and returns an error if this results in the commit message being empty.
  • Fix internal server error when generating email sender name for non-existing account.
  • Sanitize values of and from gerrit.config. The and settings were being read as-is, which would allow them to be configured with values that may interfere with standard email name/address parsing.
  • Fix the default text in the ‘Password’ field on the ‘HTTP Password’ screen. The default text said “(click ‘generate’ to revoke an old password)” but the label of the button is actually “Generate Password”.
  • Add reporting of work queue related metrics. Metrics are reported for core work queues. For work queues created by plugins, metrics are not reported.
  • Fix double creation of SSH command execution queues.
  • Don’t trim leading whitespace from content. Leading spaces were trimmed, resulting in preformatted code blocks not being rendered properly.
  • Only abort online reindex if more than 50% of projects failed. Reindexing would be aborted if a single project failed, for example if the repository could not be opened.
  • Fix user permission checks in APIs when invoked via the GerritApi. Actions were incorrectly being denied because the user validation was comparing user object instances rather than the account ID that they represented.
  • Various logging improvements.
  • Various documentation improvements.
  • Hooks plugin
    • Issue 9015: Add a submit hook The submit hook is invoked synchronously when a change is submitted. If it returns a non-zero exit status, a MergeValidationException is thrown and the submit is prevented. This adds back the ability to block submit by a hook which was removed in version 2.14 due to the reworking of the ref-update hook behavior.
    • Fix repeated instantiation of the ref-update and commit-received hooks. The hooks were not singletons, which caused new instances to be created on every invocation.
    • Wrap account ID in quotes when passing as hook argument.
    • Improve logging to make it easier to track down hook execution problems. When a hook exits with an error status (i.e. non-zero), or times out, an error is now emitted to the log. Previously there was no log on timeout, and the exit status was only logged at debug level. The configured hooks path and resolved path for hook files is logged at info level. When a hook file does not exist, a message is logged at debug level.
    • Improve documentation
      • Expand and improve documentation related to debugging hooks.
      • Restructure the hooks page to separate synchronous and asynchronous hooks, and add a table of contents.


  • Elasticsearch is now available for early adopters as a secondary index.
    • The implementation is limited to version 2.4.x of Elasticsearch.
    • See the list of fixed issues below for more details.
  • Expose plugin guice injectors in plugin test classes that derived from LightweightPluginDaemonTest base class.
  • Issue 5181: Limit assignee suggestion to users that can see the change.
  • Issue 8468: Allow plugin configuration to be inherited by merging with parent config. When using the ProjectLevelConfig.getWithInheritance method, any config values from the parent are overridden by those of the child. This is not useful for plugins like the reviewers plugin where the child configuration should be merged with the parent’s. To solve this, a new variant of the getWithInheritance method is added, which merges the configs rather than overriding.
  • Issue 8557: Fix gitweb documentation to clarify that gitweb.type must be set to gitweb.
  • Issue 8558: Fix internal server error when detecting change kind of root commit.
  • Issue 8715: Fix internal server error when invalid index name is given to the index start or index activate command.
  • Issue 8731: Improve the wording in the revert notification email template.
  • Issue 8589: Remove approval requirement search from basic search documentation. Using approval requirements in basic search, for example Code-Review=2 without the explicit label: predicate can never work as expected because the query is also considered as a comment search, which matches on all changes that have received a vote on that label, regardless of the label score. The section about approval requirements is removed from the basic search documentation to avoid confusion. It is also now recommended to use explicit query predicates when predictable results are desired.
  • Issue 8597: Clarify the behavior of ownerin: and reviwerin: queries. When the ownerin: or reviewerin: predicate is used in a query without any additional explicit index predicate, it will default to only include changes in status ‘OPEN’.
  • Fix internal server error when using the query: search with a non-existing named query.
  • Fix internal server error when group UUID cannot be resolved when getting audit log.
  • Display group UUID in group audit log if group name is missing. The group name can be missing if there is no group backend that handles the group. This can happen for example if a plugin that handled the group was removed.
  • Allow graceful rolling restarts. Add a new setting, httpd.gracefulStopTimeout, which allows to set a maximum period of time for the daemon to preserve incoming connections, before starting the graceful shutdown process.
  • Elasticsearch {#elasticsearch}
    • Issue 8523: Fix configuration of elasticsearch during site initialization. When the site was initialized with Elasticsearch as the secondary index, the elasticsearch.prefix was not set, and Elasticsearch server-specific settings were not correctly set under, etc.
    • Issue 8527: Improve documentation of index.maxLimit for Elasticsearch. When using Elasticsearch, index.maxLimit should not exceed the value of index.max_result_window configured on the Elasticsearch server.
    • Issue 8553: Fix reindexing of an already initialized site with Elasticsearch.
    • Issue 8690: Allow to use the index start and index activate ssh commands with Elasticsearch.
    • Issue 8525: Fix setting of changed lines in the change info.
    • Issue 8588: Fix setting the star icon status in the change info.
    • Change default Elasticsearch prefix to gerrit_.


  • Issue 7652: Avoid intermediate migration state for external IDs. In the 2.14 series the accounts are not completely migrated to the git backend and are written to both the git backend and database backend. This results in risk of the backends getting out of sync.
  • Fix account_patch_reviews for mysql. Creation of the account_patch_reviews table failed on mysql due to the file_name column being too long.
  • Issue 8053: Don’t fire ref-updated event twice for new patch sets.
  • Issue 8478: Fix “concurrent modification” exception when posting reviews.
  • Issue 8279: Always check for Change-Id in subject line during commit validation: A commit with an empty commit message except for a Change-Id line in the subject was only rejected if “Require Change-Id” was enabled.
  • Issue 8280: Fix validation of Change-Id line when creating changes from the UI: When a change was created via the UI (or via the REST API), the Change-Id footer line was not validated. This resulted in it being possible to create a change with an invalid Change-Id.
  • Issue 8284: Fix unnecessary addition of Change-Id to changes created from the UI: When a change was created via the UI (or via the REST API), a Change-Id line was added without first checking if one already existed.
  • Issue 8299: Fix insertion of Signed-off-by line after existing footer lines in changes created from the UI. When a change was created via the UI (or via the REST API) and the commit message included a Change-Id line or any other footer line, the Signed-off-by footer was appended to the end of the last footer instead of on a new line.
  • Issue 8390: Fix adding a group as reviewer when group name partially matches a username.
  • Prevent possible internal server error when creating new email.
  • Fix validation of email address when creating new email from a plugin. When a plugin created a new email, the address was not validated.
  • Trim leading and trailing whitespace from email address when adding a new email address to an account.
  • Adjust commit-msg hook to awk behavior change on Cygwin/MSYS. Awk has stopped automatically stripping \r on Windows since version 4.2.0.
  • Improve hooks plugin documentation Add documentation of how to enable debug logging, and how to reload hooks configuration.
  • Print progress information from the MigrateAccountPatchReviewDb program.
  • Honor index.maxTerms when using group predicate in queries.
  • Issue 7827: Fix submit on push for same commit on multiple branches.
  • Issue 8301: Fix reindexing of stale changes when a change or project is deleted.
  • Issue 8319: Honor the --threads option in the offline reindex program.
  • Issue 8381: Fix mergeability check during index for changes not visible to owner. If a change becomes no longer visible to its owner, e.g. because the user was removed from a group having exclusive visibility of the change’s project, reindexing the change would cause the mergeable field to always be set to null in the index. As a result, the change was always shown with “Merge Conflict” status in the change list.
  • Issue 4889: Fix formatting of commit message when updating multiple submodule subscriptions.
  • Prevent concurrent login by disabling form submission. If a user double-clicks when logging in for the first time, it resulted in two accounts being created for the same user.
  • Fix internal server error in reviewer suggestion.
  • Fix registration redirect for new OpenID users. The redirect link included an extra # token, which resulted in the link redirecting to a 404 response.
  • Fix line breaks in error dialogs.
  • Fix display of timestamp in show-connections command output. When the SSH backend is MINA, the show-connections command shows the connection start time. For connections started more than 1 day ago, the start time is supposed to be shown in the format MMM-dd but was instead always shown in the format HH:mm:ss due to incorrect calculation of the elapsed time.
  • Trim SSH commands’ multi-line arguments for task name and SSH log. Multi-line arguments in SSH commands are trimmed to make the the task name and SSH log entries more readable.
  • Allow plugins to intercept creation of SSH commands. By implementing the SshCreateCommandInterceptor interface, a plugin can intercept the creation of SSH commands and override them with a custom implementation.
  • Replication plugin:
    • Fix creation of missing repository. When replicating to a destination where the repository does not exist, updating the HEAD reference failed because the passed reference name was not absolute.
    • Add documentation of how to exclude repositories from replication.
    • Fix logging of new project creation and project deletion. The “created” and “deleted” logs were emitted even when the operation failed.
  • PolyGerrit UI:
    • Issue 6109: Don’t open “Your” menu items in a new tab.
    • Issue 8373: Fix “Your” menu items when deployed with non-default base URL.
  • Upgrade metrics-core to 4.0.2
  • Upgrade jsinterop-annotations to 1.0.2 This is a transitive dependency of GWT and was missed in the previous upgrade of GWT to 2.8.2


  • Issue 7562: Stop passing --insecure to curl in download-commands plugin. Validating certs is an important feature of HTTPS that we should not disable, especially when downloading code that is going to be trusted.
  • Disable ban-commit ssh command on slaves. Gerrit slaves are supposed to be read-only, but the ban-commit command creates a Git note and hence writes to the repository.
  • Fix error message when attempting to delete a branch without permission. Branches can be deleted by a user having the “Push” permission with the force flag set, or the “Delete Reference” permission. However, the error message did not mention “Delete Reference”, leading to users unnecessarily requesting administrators to grant the force push permission.
  • Fix status transition when directly pushing an abandoned change. If a change was abandoned, but then directly pushed to the branch, its status was not changed from “Abandoned” to “Merged”.
  • Keep old timestamps during data migration. In some cases the “created on” field was updated to the time of the migration when replacing the “Submitted” state with “New”.
  • Don’t compress live log file error_log.json.
  • Don’t create GC log file when GC is not configured.
  • Specify new tip of the branch when updating submodules. In Gerrit 2.12, whenever a submodule was updated the corresponding commit in the superproject included the SHA-1 of the new tip of the branch. Restore this behavior to avoid breaking clients that extract this information from the superproject commit message.
  • Don’t use account index to look up external IDs when authenticating with OAuth or OpenID. The account index is not available on slaves, causing authentication with OAuth and OpenID to fail.
  • Issue 7647: Gracefully handle malformed GPG keys input. Posting a malformed GPG resulted in an internal server error.
  • Issue 7611: Stop the project cache clock and await termination of index executor threads on server shutdown.
  • Issue 5386: Fix database connection leak in suexec command.
  • Evict idle database connections. Database idle connections in the pool were not evicted which could lead to connections to the database being exhausted. Idle connections are now evicted after 60 seconds.
  • Enable CORS for plugin static files and documentation.
  • Always include createdOn in change attribute in events. This allows for aggregating review-time if defined as the timespan between when a change is created and when it is merged.
  • Allow to select and copy text in inline comment boxes.
  • Issue 7739: Only enable the “Require Signed Push” project option for project owners.
  • Upgrade Polymer to version 1.11.0. This version includes a fix for deprecation of HTMLImports in Chrome.
  • Upgrade GWT to version 2.8.2. This version includes various fixes since 2.8.0.
  • Upgrade Guava to version 22.0.

  • Fix regression introduced in 2.14.5 A regression was introduced when fixing the set-reviewers command to work with change sha1s. The check for sha1 was done before the check for legacy change number, so if a server had large enough change numbers they would be erroneously interpreted as sha1 resulting in a “change not found” error.


WARNING: the 2.14.5 release includes a regression. Use instead.

  • Issue 7273: On account creation evict account from account cache. When an account was created by ssh or REST API, its username and full name were not available until the account cache was flushed (e.g. by restarting the server).
  • Issue 6885: Fix over-eager caching of pages.
  • Issue 7098: Fix diff base gitweb link.
  • Issue 5897: Fix false-positive warning on gitweb requests.
  • Issue 6657: Prevent invalid query operator from invalidating user’s web session. If the user entered an invalid query like has:starss, the user’s web session was invalidated.
  • Issue 7425: Add sshd.waitTimeout configuration to set WAIT_FOR_SPACE_TIMEOUT. In sshd a new channel property, channel-output-wait-for-space-timeout, was introduced with a default value of 30 seconds. This was not being set, causing any clone operations lasting longer than 30 seconds to fail. Administrators may now increase this value by setting sshd.waitTimeout.
  • Increase the value of GERRIT_FDS when an LFS plugin is configured. GERRIT_FDS was set to double of core.packedGitOpenFiles, which was not sufficient to account for the file descriptors used by Git LFS.
  • Issue 7357: Fix bad rounding of relative dates like ‘1 year, 12 months ago’. The date should be rounded to ‘2 years ago’.
  • Fix parsing of permissions when expanding parameters.
  • Skip adding _moreChanges when change query result is empty.
  • Fix suppression of log file compression when exception occurs. If any exception occurred, subsequent log compression was not done.
  • Fix scheduling of log file compression. The initial delay for log file compression scheduling was not being calculated correctly, leading to the task’s initial run being much later than expected.
  • Fix internal server error when reading changes. When a change was not found, NullPointerException was thrown and this caused the delete-project plugin to fail. Now, ChangeNotFoundException is thrown.
  • Fix parsing of email replies with “gmail_default” as class name. The email parser was rejecting all blocks with a class starting with ‘gmail’.
  • Don’t show weblinks for ‘magic’ files. The magic files /COMMIT_MSG and /MERGE_LIST don’t actually exist in the git repository, so any links to them result in 404 on the viewer.
  • Add missing registration of vote-deleted event. The missing registration was causing listeners to fail with ‘Unknown event type’.
  • Allow to add reviewers to changes by commit sha1 using the set-reviewers ssh command.
  • Hooks plugin: Protect against null object IDs in ref updates.
  • PolyGerrit UI
    • Fix avatars when using a URL prefix
    • Fix redirection of URLs with context to GWT UI


  • Fix performance issue when clearing reviewed flag for a patch set. Change the order of fields in the primary key of the JdbcAccountPatchReviewStore table, to allow usage of implicit indices when querying rows, improving performance when clearing the reviewed flag for a patch set. Sites that have already upgraded from an earlier version to either 2.13 or 2.14 need to manually recreate the primary key as described in the warning above.
  • Issue 7086: Disallow invalid combination of auth.type and auth.gitBasicAuthPolicy. Update the documentation of auth.type to clarify that the HTTP_LDAP and CLIENT_SSL_CERT_LDAP types only use LDAP to gather basic information about the user, and not to actually perform the authentication. Also, add checks to make sure the combination of auth.type and auth.gitBasicAuthPolicy is valid. If an invalid combination is used, this could result in unintentionally disabling authentication, so raise an error during startup.
  • Issue 7188: Fix ‘Cannot upgrade schema’ during upgrade on Oracle database backend.
  • Fix internal server error when invoking the stream-events ssh command with the --help option.
  • Add support for creating annotated tags from the tags list in the GWT UI. Although the REST API allows to create annotated tags, the UI only supported creating lightweight tags.
  • Consistently use lower case when reading enumerations during initialization. The list of supported options was converted to lower case, but the input prompt did not do the same for the default value.


  • Issue 6853: Only attempt to parse polygerrit URL parameter on GET requests. Attempting to parse the polygerrit parameter on all requests caused failures when sending a POST or PUT request to the REST API via curl.
  • Issue 6922: Fix comparison against edit revision.
  • Issue 6745: Emit an event to the event stream when a vote is removed from a change. When a reviewer was removed from a change, an event was emited to the event stream, but when only a vote was removed (leaving the reviewer on the change), no event was emitted
  • Add user who removed reviewer into event that is emitted when a reviewer is removed from a change.
  • Improve error message when failing to create the first user.
  • Allow to run the server without specifying gerrit.canonicalWebUrl. The only situation where the setting is mandatory is when using OAuth authentication, because the OAuth provider needs to have a fixed callback URL with a single hostname.
  • Align group reference from plugin with core group reference.
  • Fix PluginConfig.setGroupReference method. When the group reference was a new one, i.e. not already in the groups file, it was not added to the groups file when saving the project config.
  • Fix support for plugin group reference with inheritance. Group reference was not working when inherited from parent project config.
  • Use -S instead of -s as alias for --start in list branches and tags REST API endpoints. Using an upper case -S makes the API consistent with the other list APIs (changes, groups, projects). This is a breaking change for any clients that use -s.
  • Allow to configure pool connection settings for patch review store. Previously the pool connection settings were hard-coded. In high traffic servers this can cause a bottleneck as the transactions start to be queued when the maximum number of connetions is reached. In the accountPatchReviewDb section of the gerrit.config file it is now possible to configure the url, poolLimit, poolMinIdle, poolMaxIdle, and poolMaxWait values.
  • PolyGerrit UI
    • Issue 6827: Fix loading change screen with a slash following the patch set number.
    • Issue 6921: Request all commits in the change detail.
    • Issue 5677: Don’t crash on empty diff selection.
    • Add : to autocompleted predicates in search bar.


  • Issue 6472: Fix online reindexing for plugin-dependent rules.
  • Issue 6473: Fix display of columns in projects tables.
  • Issue 6099: Set reflog message and identity when merging changes.
  • Issue 6591: Fix deletion of branches when the refs/heads/ prefix is omitted.
  • Issue 6605: Fix searching for change by Change-Id triplet when project name matches Change-Id pattern. For projects whose name matched the Change-Id pattern, i.e. named something like iabcde, it was not possible to search for changes using the Change-Id triplet project~branch~changeId.
  • Issue 3345: Preserve line endings in inline editor.
  • Issue 6508: Hooks plugin: Fix hook configuration names to match documentation Most hooks in the documentation are named with “Hook” suffix, but in the code the “Hook” suffix was omitted. This prevented the hook from being found when the administrator configured it with the documented name.
  • Issue 6609: Add “indent with tabs” configuration option in inline editor.
  • Issue 6544: Allow project owners to update project configuration.
  • Issue 6527: Use quoted-printable for SMTP transfer encoding.
  • Issue 6205: Fix internal server error on /register with URL prefix.
  • Fix line wrapping in inline editor. The line wrapping preference was respected for the diff screens, but not for the inline editor.
  • Don’t index missing accounts.
  • Disable auto-reindexing if stale during offline Reindex.
  • Fix title of revision field for creating new tag in the UI.
  • Suggest self before other users in search operator suggestions. For query operators that expect a user, the suggestion included other users whose name begins with “sel” before “self”. Since “self” is more frequently used, it should be suggested first.
  • Load external IDs from primary storage (ReviewDb). On sign in we can’t access the account index to lookup external IDs since Gerrit slaves don’t have an account index, but Gerrit slaves must be able to sign in. Instead load the external ID from the primary storage which is ReviewDb in 2.14.
  • Extend shortSubject field to 72 characters in soy email template.
  • Align lib modules load injector on Jetty and external containers. Align the startup of Gerrit with a standalone Jetty container to the WebAppInitializer and load the user-provided Guice modules in the sysInjector instead of the DbInjector. This Allows overriding some of the default bindings of Gerrit (e.g. repository manager or permissions backend) with custom-made alternate implementations.
  • Fix cyclic dependency when using site_path from system_config table. The starting mode where site_path is not specified (as a system property) and Gerrit first connects to the database using the ReviewDb JNDI property from the servlet container was broken since version 2.13 due to a cyclic dependency in Guice bindings.
  • Add missing throws declarations on NotImplemented classes in the extension API. The throws were removed as a cleanup in Gerrit 2.14, but this prevenented classes that extend NotImplemented from throwing the exceptions.
  • Add support for tag web links.
  • Reindex accounts after updating external Ids in LocalUsernamesToLowerCase program.
  • Disallow using both m and r options together in branch and tag list filters.
  • Recognize all parts marked with multipart/ in inbound emails. Inbound emails would not be parsed when the message was signed and therefore wrapped in a multipart/signed part.
  • Replication plugin: Fix race condition when scheduling a replication
  • Replication plugin: Use rescheduleDelay instead of replicationDelay when rescheduling.
  • PolyGerrit UI
    • Add syntax highlighting for kotlin, php, shell, erlang, and puppet.
    • Issue 6557: Enable multiline range comments in Firefox.
    • Issue 6062: Fix register links to use base URL.
    • Issue 6693: Fix back button behavior for hash redirects.


  • Add support for Git LFS locking. Plugins implementing LFS may now include support for locking.
  • Upgrade JGit to This includes a fix to make auto GC run in the background. In some cases, the auto GC limit is lower than the true number of unreachable loose objects, so auto GC will run after every (e.g) fetch operation. This leads to the appearance of poor fetch performance. Since these GCs will never make progress (until either the objects become referenced, or the two week timeout expires), blocking on them simply reduces throughput.
  • Allow multiple Servlet filters on Jetty HTTPD. It is now possible to specify multiple values for httpd.filterClass.
  • Allow to set Jetty HTTPD socket timeout. A new setting httpd.idleTimeout makes the Jetty HTTPD socket timeout configurable so to tailor the socket and thread consumption to the needs of setups with different latencies and bandwidth.
  • Add a group indexed extension point. Similar to the existing change indexed and account indexed extension points, this allows plugins to be notified when a group has been indexed.
  • Extend upload validation interface to allow listening to negotiation start. This can be used to check rate limits for fetch requests. Rate limits should be checked before git transport negotation starts to avoid unnecessary work in case the limit is already reached.
  • Fix support for ECDSA and ED25519 SSH keys. ECDSA and ED25519 SSH host keys were not generated during site initialization and were not loaded if they existed.
  • Fix initialization failure when removing old Bouncy Castle library fails. During initialization, old Bouncy Castle libraries are renamed with a .backup suffix, but if the destination file already existed the initialization would fail with a fatal error. Now a warning is printed and the initialization continues.
  • Issue 6278: Fix internal server error when cloning from slave over HTTP.
  • Fix firing change related events for deleted change.
  • Issue 5393: Improve the performance of reviewer suggestion.
  • Issue 6173: Fix setting sshd.idleTimeout for nio2 backend. The idle timeout was not properly set for the nio2 backend, so connections would always time out with the default value (10 minutes).
  • Improve error message when publishing an already published change edit.
  • Fix ref visibility checks in dashboards.
  • Replication plugin: Fix replication retries when maxRetries is set to 0.
  • Fix autocomplete for Firefox on LDAP login screen.
  • Add support for mariadb in AccountPatchReviewStore.
  • Fix notifications for comments on draft patch sets.
  • Fix internal server error when deleting current patch set and previous patch set doesn’t exist.
  • Issue 6176: Fix internal server error when old patch set is not found.
  • Always use SSL implicitly for POP3 and IMAP. If receiveemail.encryption is set to TLS/SSL, we always want to use the implicit mode to execute the TLS/SSL command right after establishing the conection with the mail server. Strict mail servers like Gmail would close the connection prematurely otherwise.
  • Allow plugins to non-transitively depend on prolog rules.
  • Issue 6367: Allow to set blocking label range rules in permission rule editor.
  • PolyGerrit UI
    • Issue 6096: Add an “up” button to the diff screen.
    • Issue 6041: Display /MERGE_LIST and /COMMIT_MESSAGE as Merge List and Commit Message.
    • Issue 6080: Allow editing status when full name is not editable.
    • Issue 6166: Fix loading favicon on a prefixed URL.
    • Make sure ‘Merge Conflict’ displays on change view.
    • Use a default name for accounts that do not have a display name.