Download: 3.0.16 | 3.0.15 | 3.0.13 | 3.0.12 | 3.0.11 | 3.0.10 | 3.0.9 | 3.0.8 | 3.0.7 | 3.0.6 | 3.0.5 | 3.0.4 | 3.0.3 | 3.0.2 | 3.0.1 | 3.0.0

Documentation: 3.0.16 | 3.0.15 | 3.0.13 | 3.0.12 | 3.0.11 | 3.0.10 | 3.0.9 | 3.0.8 | 3.0.7 | 3.0.6 | 3.0.5 | 3.0.4 | 3.0.3 | 3.0.2 | 3.0.1 | 3.0.0

Release Highlights

  • Removal of GWT UI

    The GWT UI is removed and PolyGerrit is now the only UI.

  • Removal of ReviewDb

    The database backend for changes, accounts, groups and projects (“ReviewDb”) is removed and this metadata is now stored in git (“NoteDb”).

    A database is still needed for account patch reviews; it stores the ‘reviewed’ flag for files in a review per user. The default backend is H2, but MySQL, PostgreSQL and MariaDB are also supported. See the documentation for details.

    It is also possible for plugins to provide another backend by implementing the AccountPatchReviewStore interface.

  • New quota enforcer extension point.

  • Issue 4040: Support for signed push with GPG subkeys.

  • New core plugins: delete-project, gitiles, plugin-manager, and webhooks.

Important Notes

Schema Changes

This release contains schema changes. To upgrade:

  java -jar gerrit.war init -d site_path

The changes index version has been increased. To run off-line reindexing of the changes (optional):

  java -jar gerrit.war reindex --index changes -d site_path

By default the changes index is automatically rebuilt upon Gerrit startup after the upgrade.

Breaking Changes

Reverse DNS lookup is now disabled by default

The gerrit.disableReverseDnsLookup option with default value false is replaced by gerrit.enableReverseDnsLookup, also with default value false. This means that reverse DNS lookup is now disabled by default.

Private changes will be published (unmarked private) once merged

A warning dialog will be displayed to the user to confirm this on submission using the UI. When submitted via push, this warning will not be shown. Already merged changes cannot be marked private any longer.

The urlAlias configuration settings are removed

The URL rewriting feature introduced in 2.12 via the urlAlias configuration was only supported in GWT, and was thus removed with the 3.0 release.

See issue 8054 for details.

The MessageOfTheDay extension point is removed

The MessageOfTheDay functionality was not ported to the PolyGerrit-UI and the MessageOfTheDay extension point was removed with the 3.0.7 release. However, the JS API provides the banner entrypoint for plugins to add messages to the UI. Plugins that were previously using the MessageOfTheDay extension point have to be adapted accordingly.

New Features

  • New quota enforcer extension point.

    Plugins may implement the QuotaEnforcer interface to enforce quotas.

  • Issue 4040: Support for signed push with GPG subkeys.

    It is now possible to use a GPG subkey when pushing commits with signed push.

  • Issue 6053: Support for searching on mobile devices.

  • Issue 8535: Support for plugin config entries in the PolyGerrit UI.

    Configuration entries defined by server-side plugins are now displayed in the UI.

  • Issue 10385: New Toggle Work In Progress state permission.

    This allows for granting the “Toggle Work In Progress state” permission to arbitrary users. This permission controls who is able to flip the Work In Progress bit in addition to the three different groups that can do so already: change owner, server administrator and project owners.

    Note that the option was included in 3.0.0 but only documented since 3.0.12.

  • New method to get UI top menus in the config API.

  • New configuration option change.api.excludeMergeableInChangeInfo.

    Computing mergeability of open changes becomes very expensive for hosts that have fast-moving branches and a lot of open changes. Setting this option to true disables it.

  • New configuration option change.move.

    The change.move option allows disabling the “Move Change” REST API.

    Note that the option was included in 3.0.0 but only documented since 3.0.3.

  • New core plugins.

    The delete-project, gitiles, plugin-manager, and webhooks plugins are now core plugins bundled with the release, and can be installed during site initialization.

Dependency Updates

  • Add dependency on resemblejs

  • Remove dependency on apache derby

  • Remove dependency on gwtjsonrpc

  • Remove dependency on gwtorm

  • Remove dependency on postgresql

  • Upgrade asm to 7.0

  • Upgrade auto-value to 1.6.5

  • Upgrade codemirror-minified to 5.43.0

  • Upgrade commons-lang3 to 3.8.1

  • Upgrade gitiles-blame-cache and gitiles-servlet to 0.2-8

  • Upgrade guava to 27.0.1-jre

  • Upgrade guice to 4.2.2

  • Upgrade prolog-cafe to 1.4.4

  • Upgrade soy to 2019-03-11

  • Upgrade truth to 0.43

Native packaging

  • Upgrade the Docker/Ubuntu image to Ubuntu 18.04

  • Upgrade the Docker/CentOS image to CentOS 7.6.1810

  • RPM/Deb: Remove Gerrit service start upon package setup.

    Gerrit service is no longer started automatically after the package installation, but requires manual invocation of the /etc/init.d/gerrit start command, or the configuration of the service for auto-start and the reboot of the machine.

  • Docker: auto-init the Gerrit site during first start of the container.

    Simplify the configuration and management of Docker setups by automatically detecting if a $GERRIT_SITE/git/All-Projects.git exists and, if it doesn’t, invoke the Gerrit init step in batch mode.

Bugfix Releases


  • Security Fixes

    • Issue 13858 CVE-2021-22553: Fixed memory leak in Git-over-HTTP requests.

      Unauthenticated users could exploit this problem in a Denial of Service attack, causing the server to go out-of-memory.

  • Bug Fixes

    • Issue 12287: Add a warning if submitting a change with an open change edit.
  • Dependency Updates

    • Update JGit to

    • Update Jetty to 9.4.33.v20201020.


  • Security Fixes

    • Issue 13621 CVE-2020-8919: Make PermissionBackend#ForRef authoritative.

      Fixes a misconception that leads to data being accessible through Gerrit APIs that should be locked down.

      Gerrit had two components for determining if a Git ref is visible to a user: (Default)RefFilter and PermissionBackend#ForRef (e.g., RefControl). The former was always capable of providing correct results for all refs. The latter only had logic to decide if a Git ref is visible according to the Gerrit READ permissions. This includes all refs under refs/heads as well as any other ref that isn’t a database ref or a Git tag. This component was unaware of Git tags and notedb-related refs. Hence, when asked for a database reference such as refs/changes/xx/yyyyxx/meta, the logic would allow access if the user has READ permissions on any of the ref prefixes (such as the default “read refs/* Anonymous Users”).

      That was problematic, because it bypassed documented behavior where a user should only have access to a change if he can see the destination ref. The same goes for other database references.

    • Issue 13514 CVE-2020-8920: Work around Gitiles bug on All-Users visibility.

      Gitiles has a special FilteredRepository wrapper that allows carefully hiding refs based on the project’s ACLs. There is however an optimization that skips the filtering in case a user has READ permissions on every ACL pattern(s). When the target repository is All-Users, the optimization turns into a security issue because it allows seeing all personal information associated with all accounts, i.e.:

      • draft comments
      • draft edits
      • personally identifiable information (PII) of all users
      • external ids

      This fix now blocks Gitiles or any other part of Gerrit from abusing this power when the target repository is All-Users, where nobody can be authorized to skip the ACLs evaluation anyway.
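
The two visibility flaws described above (CVE-2020-8919 and CVE-2020-8920), as an added Python model that is not Gerrit or Gitiles code. The ACL semantics (BLOCK beats ALLOW, prefix patterns), the function names and every rule, ref, change number and account id are assumptions constructed for illustration.

```python
"""Simplified model of the two ref-visibility flaws (not Gerrit code).

Assumed for illustration: BLOCK beats ALLOW, patterns are exact names or
"prefix/*", and every rule, ref, change and account below is constructed.
"""
import re
from dataclasses import dataclass

ALL_USERS = "All-Users"
ANON = frozenset({"Anonymous Users"})
CHANGE_REF = re.compile(r"^refs/changes/\d{2}/(\d+)/(?:meta|\d+)$")


@dataclass(frozen=True)
class Rule:
    pattern: str  # exact ref name or "refs/.../*" prefix pattern
    group: str
    action: str   # "ALLOW" or "BLOCK", for the READ permission only


def matches(pattern, ref):
    if pattern.endswith("/*"):
        return ref.startswith(pattern[:-1])
    return ref == pattern


def can_read(rules, groups, ref):
    """Evaluate READ for a ref name from the project ACL alone."""
    hits = [r for r in rules if r.group in groups and matches(r.pattern, ref)]
    if any(r.action == "BLOCK" for r in hits):
        return False
    return any(r.action == "ALLOW" for r in hits)


def for_ref_before_fix(rules, groups, ref, changes):
    """CVE-2020-8919 shape: a change ref is judged like any other ref name,
    so a broad "refs/*" grant exposes it; `changes` is never consulted."""
    return can_read(rules, groups, ref)


def for_ref_authoritative(rules, groups, ref, changes):
    """Fixed shape: a change ref is visible only if its destination ref is."""
    m = CHANGE_REF.match(ref)
    if m:
        dest = changes.get(int(m.group(1)))
        return dest is not None and can_read(rules, groups, dest)
    return can_read(rules, groups, ref)


def own_all_users_ref(ref, account_id):
    """Per-ref filter for All-Users in this model: only the caller's own
    user ref passes; drafts and external ids of others never do."""
    return ref == f"refs/users/{account_id % 100:02d}/{account_id}"


def advertised_refs(repo, refs, rules, groups, account_id, fixed):
    """CVE-2020-8920 shape: the 'reads every ACL pattern' shortcut skips
    filtering; the fixed variant never takes it for All-Users."""
    # A "prefix/*" pattern matches itself, so it can stand in as a probe ref.
    reads_everything = bool(rules) and all(
        can_read(rules, groups, r.pattern) for r in rules)
    if reads_everything and not (fixed and repo == ALL_USERS):
        return list(refs)
    if repo == ALL_USERS:
        return [r for r in refs if own_all_users_ref(r, account_id)]
    return [r for r in refs if can_read(rules, groups, r)]


# Constructed project: everyone reads refs/*, except the secret branches.
RULES = [Rule("refs/*", "Anonymous Users", "ALLOW"),
         Rule("refs/heads/secret/*", "Anonymous Users", "BLOCK")]
CHANGES = {1042: "refs/heads/secret/next", 1043: "refs/heads/master"}

# Constructed All-Users content and a broad READ grant on it.
ALL_USERS_RULES = [Rule("refs/*", "Anonymous Users", "ALLOW")]
ALL_USERS_REFS = ["refs/users/01/1000001", "refs/users/02/1000002",
                  "refs/draft-comments/42/1042/1000002",
                  "refs/meta/external-ids"]

if __name__ == "__main__":
    for ref in ("refs/changes/42/1042/meta", "refs/changes/43/1043/meta"):
        print(ref,
              "before:", for_ref_before_fix(RULES, ANON, ref, CHANGES),
              "after:", for_ref_authoritative(RULES, ANON, ref, CHANGES))
    for fixed in (False, True):
        print("fixed" if fixed else "unfixed",
              advertised_refs(ALL_USERS, ALL_USERS_REFS, ALL_USERS_RULES,
                              ANON, 1000001, fixed))
```

When auditing project ACLs after upgrading, the cases worth reviewing are the ones this model flags: a broad READ grant combined with a narrower restriction on specific branches, and any READ grant on All-Users.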


This minor release has been withdrawn.


  • Breaking Changes

    • Elasticsearch: Support for EOL versions 6.6 and 6.7 is discontinued.

    • Issue 13184: Logging: The --console-log flag of the gerrit.war daemon respects the log.textLogging and log.jsonLogging options.

      This changes the default behaviour of the --console-log flag. Since log.textLogging in the gerrit.config is true by default, using the --console-log flag now writes logs to the error_log file in addition to stderr by default. This can be avoided by setting log.textLogging = false.

  • Bug Fixes

    • Issue 11706: ChangeEdits: Don’t wrap Response.none() in Response.ok().

      Wrapping of edit message modification Response.none() in Response.ok() was erroneously added. Revert that part, as it broke the handling of that specific request.

    • Issue 13175: Fix gr-hovercard-behavior under Firefox.

    • Issue 13328: Redirect GWT UI project dashboard links to Polygerrit endpoints.

      Add a route to the Polygerrit UI router, to redirect such legacy GWT UI endpoints, so that existing menu links are handled without any modifications. Otherwise, switching from GWT to Polygerrit resulted in broken links to project dashboards. This fix also handles bookmarked links.

    • Issue 13350: Decode group id before using it to add cc-reviewers.

      When a group is being suggested for cc-reviewer, its UUID gets encoded by Gerrit prior to rendering it. That had no impact on Gerrit internal groups, however external groups were affected. UUID prefixes contained encoded characters where they shouldn’t have. Hitting the Reply button sent such encoded groups as is, leading to them not being found in Gerrit.

      Decoding the URI before sending the group back to the UI fixes the issue.

    • Issue 13372: Remove obsolete GWT change-related screenshot.

      The GWT UI is not included anymore in Gerrit from v3.0 onwards.

  • Replication Plugin Fixes

    • Fixed synopsis in replication start command documentation.

      --url is usable with --all or projects and on its own. Update the usage to reflect this.

    • Issue 12769: Don’t wait for pending events to process on startup.

      Previously, on large Gerrit installations with many projects and/or many replication destinations, the replication plugin could take very long periods of time to startup. This was particularly a problem if the pending (persisted) event count was large as they all were rescheduled before the plugin finished initializing.

      Change this behavior so that startup merely begins the process of scheduling the pending events, but does not wait for them to complete.

  • End-to-end Tests Improvements

  • Other Improvements

    • Introduced sshd.gracefulStopTimeout, documented here.

    • Bumped the Bazel version to 3.5.0.

    • MigrateToNoteDb and NoteDbMigrator logging improvements.

  • Documentation Updates

  • Library Updates

    • Upgraded Elasticsearch 6 support to 6.8.12 and 7 (elasticsearch-rest-client) to 7.8.1.

    • Upgraded jackson-core to version 2.11.2.

    • Upgraded caffeine to version 2.8.5.


  • Security Fixes

    • Issue 12846: BadMessageException: 500: Response header too large.


      Bump Jetty version to 9.4.30.v20200611 to fix regression introduced in Jetty version: 9.4.27.v20200227.

      Response header overflow leads to buffer corruptions. Jetty server always allocates maximum response header size.

      For more details see also upstream issues:

      Issue 4936 Issue 4541

  • Bug Fixes

    • Issue 13054: Restore keyboard shortcut for expand all diff context

      In the Gerrit 2.16 release the keyboard shortcuts system was redesigned, but the binding for the Shift+x shortcut for expand all diffs was lost. Restore this binding and confirm that it is now listed in the help dialog and works as expected.

    • Issue 12952: Handle duplicate label values on project load and push of config updates

      With the fix, a validation error is generated on load of the project.config file, but the loading succeeds and the duplicate value is filtered out. Hence getting the project info of such a project no longer fails.

    • Issue 13166: Include request latency in httpd_log.json

      The latency field was missing in the entries of JSON-formatted http logs.


  • Security Fixes

  • Bug Fixes

    • Issue 12680: Run projects reindex after Gerrit init only when needed, speeding up the upgrade process.

    • Issue 12909: Fix missing index creation after Gerrit init.

    • Issue 12918: Fix missing email notifications for project watches for changes created via cherry-pick.

    • Issue 12935: Fix the output of the migrate-to-note-db program swallowing messages after garbage collecting All-Users.

  • PolyGerrit Fixes

    • Issue 12899: Speedup the rendering of changes with large number of comments by lazy loading them when expanded.
  • Documentation Updates

    • Issue 12869: Add documentation on how to move a change across branches.


  • Security Fixes

    • Issue 12717: Deny access over HTTP for disabled accounts.

      A disabled account was still able to access over HTTP until the existing session expired.

  • Bug Fixes

    • Issue 12777: Hide “No Votes” notice for labels added and approved by rules.

    • Issue 12844: Update account full name when it changes in LDAP.

    • Issue 12850: Ignore WIP changes in “CCed on” dashboard section.

    • Issue 11707: Support /COMMIT_MSG for change edit REST endpoints.

    • Do not fail for invalid change refs in DefaultRefFilter.

  • Library Updates

    • Upgrade elasticsearch-rest-client to 7.7.1.
  • Documentation Updates


  • New Features

    • Add a new metric for monitoring Java deadlocks.

      The metric proc/jvm/thread/num_deadlocked_threads monitors the number of threads that are deadlocked waiting for object monitors or ownable synchronizers.

    • Add support for Elasticsearch 7.7.

  • Breaking Changes

    • Metrics: Cache disk stat metric computation is disabled by default

      Calculation of the cache disks stat metrics for persistent caches is disabled by default because it is a very expensive operation that can block a thread for several minutes on larger installations.

      Installations that still want to use this metric must explicitly enable it with the cache.enableDiskStatMetrics configuration option.

    • Plugin API: Deprecated methods related to the draft workflow and change edits are removed

      • ChangeApi.getEdit()
      • ChangeApi.publish()
      • RevisionApi.delete()
      • RevisionApi.publish()
    • Issue 12527: Elasticsearch: Support for EOL versions v5.6 and v6.0 to v6.5 is discontinued

  • End-to-end Tests Improvements

    • Allow end-to-end tests to proportionally scale on their expected execution times.

      A power_factor environment property was added to the end-to-end tests core framework. Using that optional property, scenario steps can take some more (or less) time prior to expecting proper completion.

      The way to set that property locally then depends on the target runtime environment, or SUT latency. The property may be used for either core or plugin scenarios.

    • FlushProjectsCache related scenarios added to core (and the high-availability plugin).

    • Support for relative runtime weights in scenarios.

      Each scenario can now either weight like any other by default, or override that default with a greater weight value, compared to siblings that are lighter on execution times.

      Beside core, make the high-availability and multi-site plugin scenarios reuse this.

    • Allow scenarios to create and delete Gerrit changes alongside projects.

      Add the corresponding core support for an optional http request body to every such GerritSimulation. Either automate or allow environment properties to feed the related input test data.

      Beside core, make the high-availability and multi-site plugin scenarios test changes that way. The latter currently has Issue 12693 as a known limitation.

  • Bug Fixes

    • Issue 12606: Fix visibleto predicate for groups.

      If a group name was used in the visibleto predicate, changes were not returned even if the group had permission to see them.

    • Issue 12747: Fix change query visibility for internal user.

    • Issue 12755: Block the removal of the Realm primary external ids.

      It was possible to remove the email address associated with the primary id of a Realm, effectively resulting in the account being removed.

    • Issue 12786: Fix wrong status returned when auth backend couldn’t be reached.

      The response 401 was returned when the auth backend could not be reached, instead of the response 503.

    • Issue 14242: Fix email token verification failures caused by non-URL-encoded characters.

    • Issue 11625: Avoid multiple notifications for existing reviewers.

    • Fix internal server error on parsing commit message during receive commits.

    • Add autocomplete="off" to LDAP login form.

      Some security tools will flag the absence of the autocomplete flag as a possible security issue, as it could allow for passwords to be saved and automatically filled in on shared computers.

    • Accept --ownedby as an alias of --owned-by in the groups REST API.

      The option was incorrectly documented as --ownedBy which resulted in an error “not a valid option” if anyone tried to use it.

      The documentation is fixed, and --ownedby is added as an alias so that it also works for anyone still referring to the old documentation.

    • Fix various misuses of the Flogger API causing exception details to be omitted in the log output.

      Exceptions were not properly passed to the logger which would cause the details to be omitted, or in some cases the message “ERROR: UNUSED LOG ARGUMENTS” to be emitted.

      • When an invalid PAPE response is received during OpenID authentication
      • When a plugin config is invalid and cannot be loaded
      • When an error occurs while migrating a change metadata entry to JSON
      • When there is an unsupported charset in a patch text
    • Issue 12673: Fix emitting debug logs while running tests.

  • PolyGerrit UI Fixes

    • Issue 12707: Apply diff preferences immediately after pressing “Save”.

    • Issue 12690: Only show the “Edit” button for open changes in the diff view.

    • Issue 12726: Fix incorrect highlighting after / character in Javascript.

    • Issue 12775: Fix parent of previous patch sets not being available.

    • Issue 12385: Fix memory leak in gr-plugin-endpoints.

  • Replication Plugin Fixes

    • Issue 12678: Fix missing replication Id in replication logs.

      The migration to use Flogger in 2.16.17 caused a regression in the logging, where the replication Id was omitted from the logs. This is fixed by reverting back to slf4j logging for the replication log.

    • Issue 12719: Fix replication start --wait to track in-flight collisions and to not fail.

    • Issue 12731: Don’t lose state when there’s a pending push to the same ref.

      If there was already a pending push (not an in-flight push) to the same endpoint, the start for the push would be dropped when adding the push to the Destination. This meant that a replication start --wait command would never complete when one of its pushes was pending since its state would never receive the completion notification for that push.

    • Issue 11745: Fix firing pending “..all..” events on startup.

    • Issue 11760: Make persistent task keys stable.

    • Fix URL matching to match real URLs in addition to templated URLs.

    • Log when skipping deletion of a ref when pushing to a remote in mirror mode.

    • Improve logging of push failures caused by a lock failure on the remote.

    • Improve logging of refs to be pushed.

  • Library Upgrades

    • Upgrade rules_closure to forked version

      This fixes the “-parameters is not supported for target value 1.7. Use 1.8 or later.” warning when building. See PR 478.

    • Issue 12448: Upgrade Guice to 4.2.3 and switch to using no-AOP Guice distribution

      This makes it easier to support newer JDK versions.

    • Upgrade asm to 7.2

    • Upgrade jackson-core to 2.11.0

    • Upgrade jetty to 9.4.27.v20200227


  • Breaking Changes

    • The LogThreshold annotation is removed.

      The default log level for tests has been changed from DEBUG to INFO, and this annotation is no longer needed. It was originally introduced to allow classes to explicitly set their log level at a level other than DEBUG.

      Plugins that use this annotation must be adjusted.

  • New Features

    • Add support for Elasticsearch 7.6.x.

    • Include upload-pack metrics in the sshd log.

      In order to enable detailed performance and problem analysis, upload-pack metrics are now included in the sshd log.

    • Add new configuration setting core.packedGitUseStrongRefs.

      When set to true, this option enables using strong references to reference packfile pages cached in the WindowCache. If this option is set Java gc can no longer flush the WindowCache to free memory if the used heap comes close to the maximum heap size. On the other hand this provides more predictable performance.

    • Add new configuration setting sendemail.denyrcpt.

      This new setting works alongside the existing sendemail.allowrcpt, and allows configuring email addresses or domains that Gerrit may not send to.

    • Allow to format HTTP and SSH logs in JSON format.

      When log.jsonLogging is enabled, the HTTP and SSH logs are formatted as JSON, making it easier for them to be parsed. Note that the error log was already formatted in JSON when this option was enabled.

    • Add new metrics.

      Metrics are added for:

      • Jetty connections
      • JGit WindowCache and total load time for block cache entries
      • Available number of cores
      • Average system load for the last minute

      Refer to the metrics documentation for full details.

    • Issue 11493: Add an “Edit” button to the diff view in the PolyGerrit UI.

    • Add support for fsharp in highlighting syntax in the PolyGerrit UI.

    • Issue 12364: Add support for going to a specific line number in the inline editor.

    • Add prolog predicate to determine number of parents.

      The new predicate commit_parent_count can be used to detect merge commits.

    • Add NamedFluentLogger.

      NamedFluentLogger is an extension to Flogger that allows creating a logger with a given name rather than the name of the enclosing class.

    • Issue 12444: Add support for max_result_window in Elasticsearch index configuration.

    • Add a Code Coverage layer and plugin API in the PolyGerrit UI.

      See Chromium issue 939904 for details.

  • Library Upgrades

    • Upgrade gitiles-servlet and blame-cache to 0.2-12

    • Upgrade jackson-core to 2.10.3

    • Upgrade Jetty to 9.4.24.v20191120, including a fix for supporting IPv6.

    • Upgrade rules_closure to forked version.

      This fixes the “-parameters is not supported for target value 1.7. Use 1.8 or later.” warning when building. See PR 478.

  • Security Fixes

    • Issue 12440: Fix the access-path for AbstractGitCommand subclasses.

      The access path for the Receive.currentUser in the receive-pack command was wrongly set to SSH_COMMAND instead of to GIT. This allowed project owners to force-update a ref using git-over-SSH without having an explicit permission for that.

  • Bug Fixes

    • Fix size explosion of All-Users caused by draft comment removal.

      Modify draft comments generation so that, when removed, they point to an empty parent.

    • Issue 11772: Cancel deprecation of change identifiers that was planned since 2.16.

      Since 2.16 the documentation of change identifiers states that the identifiers other than <project>~<numericid> are deprecated and will be removed in a future release. Since then the identifiers have still not been removed and there is no clear plan to do so.

      It is likely that “deprecated” identifiers are still used in links in places where they can’t be updated, for example in emails and forum posts. Due to this, and since continuing to support all of the types does not add any technical burden, ESC decided that the deprecation should be cancelled.

      The change.api.allowedIdentifier configuration setting is now obsolete and has been removed.

    • Issue 3340: Fix internal server errors when setting project access permission with bad regex.

    • Fix removal of stale metrics from the metrics registry.

    • Issue 12349: Fix time attribute of file entries in plugin artifacts.

    • Make assumption on number of query results explicit for change Id arguments.

      When a change Id passed as argument was resolved to multiple changes, the first returned change was arbitrarily used. Now an error will be raised and logged.

    • download-commands plugin: Set SSH default port to 22.

    • Document dependency from account deactivator to autoUpdateAccountActiveStatus and log a warning if the account deactivation task is configured but will not be scheduled.

    • Fix handling of ambiguous name in visibleto search predicate.

      If the visibleto search predicate was used with a display name that resolved to more than one account, the first account in the result was arbitrarily used. Now, this case will result in an error.

    • Fix a dependency injection runtime error in DeleteZombieDrafts program.

    • Issue 12473: Fix broken links in Elasticsearch configuration documentation.

  • PolyGerrit UI Fixes

    • Issue 4616: Open commentlinks to changes on the same server in the same tab.

    • Issue 12031: Fix issues with caching edited commit message.

    • Remove target=_self from commentlinks.

  • Replication Plugin Fixes

    • Add method to push changes directly to given replica; intended to be used by other plugins that extend the replication plugin.

    • Check nulls in firePendingEvents at startup.

      After a sudden reboot (for an unknown reason), Gerrit couldn’t load at startup because of a NullPointerException.

    • Change default for the replicateOnStartup to false.

    • Don’t lose ref-updated events on plugin restart.

      When a ref-updated event is received, persist the event in the directory defined by the replication.eventsDirectory. When the updated ref is replicated delete the persisted event.

  • Packaging Fixes

    • Issue 12355: Do not overwrite /etc/default/gerritcodereview upon upgrade.
  • Other Fixes

    • Fix various minor coding issues reported by Error Prone and Sonar Lint.

    • Reduce log spam of ‘Repository not found’ stack traces.

    • Issue 11953: Reduce log spam during tests by reducing the default log level to INFO.

      The log level can now be explicitly set by the GERRIT_LOG_LEVEL system variable.

      The LogThreshold annotation is removed.


  • New Features

    • Include request description in HTTP thread names.

      The HTTP worker threads had generic names like HTTP-100, HTTP-101, etc. While we could conclude from the stack trace what this thread was doing, we missed some important information like repository name, user name, etc.

      The HTTP threads now have descriptive names. For example, if there is an ongoing git-fetch operation we will see a thread named like: HTTP POST /a/myProject/git-upload-pack (johndoe from

      This makes the naming consistent with SSHD threads, which are named like: SSH git-upload-pack /myProject (johndoe).

    • New metrics for Jetty threadpool.

      The new metrics are exposed under http/server/jetty/*.

    • Utility program to delete zombie draft comment refs.

      Deletion of draft comment refs was broken until 2.16.14, resulting in draft comment refs not getting deleted properly. Although it has been fixed, it’s still possible that zombie refs exist from previous versions. The new site program DeleteZombieCommentsRefs can be used to remove them.

    • Highlight WORKSPACE and BUILD.bazel files as Python in the PolyGerrit UI.

  • Breaking Changes

    • The MessageOfTheDay extension point was removed.

      The MessageOfTheDay functionality was not ported to the PolyGerrit-UI and the MessageOfTheDay extension point was removed with the 3.0.7 release. However, the JS API provides the banner entrypoint for plugins to add messages to the UI. Plugins that were previously using the MessageOfTheDay extension point have to be adapted accordingly.

  • Bug Fixes

    • Issue 12246: Fix generation of duplicate Change-Ids when creating a new change via REST.

      The Change-Id was computed from the commit content and the timestamp, which resulted in the possibility for two changes to get the same Change-Id when two empty changes were created by REST at the same time.

      The Change-Id is now generated randomly.

    • Issue 12097: Fix migration to NoteDb when orphan changes exist.

      In the case where a change belonged to a repository that did not exist, the migration failed.

    • Issue 9296: Fix wrong diff of commit message between different patch sets of a merge commit.

    • Issue 7969: Fix internal server error when diffing MERGE_LIST between different patch sets of a merge commit.

    • Issue 10397: Don’t send notification email when publishing a change edit on a WIP change.

    • Issue 12243: Fix unexpected deactivation of service user accounts.

    • Fix editing name and email for service user accounts.

    • Fix internal server error when a change edit includes an invalid file path.

      Invalid file paths are now rejected as ‘400 Bad Request’.

    • Don’t check for conflicting refs when deleting a ref; improve performance of migration to schema 167.

      The migration to schema 167 involves deletion of refs. The performance was poor for large installations (for example 30k user refs and 20k groups) because the ref deletion implementation was doing an unnecessary check for conflicting refs.

    • Fix setting _moreChanges to the wrong value in change query REST results.

    • Upgrade highlight-js to get various fixes in source code highlighting:

      • fix(makefile) fix double relevance for assignments
      • (xml) expand and improve document type highlighting
      • fix(kotlin): fix termination of """ string literals
      • (cpp) Add additional keywords
      • Backslash is not used to escape in strings in standard SQL
      • (javascript) fix jsx self-closing tag issues
      • enh(ini) support arrays and much cleaner grammar
      • (javascript) support jsx fragments
  • PolyGerrit UI Fixes

    • Issue 11980: Fix handling of LDAP groups containing a dot in the PolyGerrit permissions screen.

    • Issue 12197: Fix rendering of commentlinks using link.

  • Other Changes

    • Upgrade jackson-core dependency to 2.10.2

    • Improve logging when a metadata update fails.

    • Update external Ids documentation with information on how to find the sha1 of an external Id and how to show the corresponding change note.


  • New Features

    • Include thread name in the HTTPD and SSHD logs.

      Having thread name in the HTTPD and SSHD logs makes it easier to match entries from the error log. The error log entries already contain the thread name, so with the thread name included in each entry in the HTTPD and SSHD logs, we have more data to match an error to a request than just the timestamp.

  • PolyGerrit UI Fixes

  • Other Fixes

    • Issue 12070: Fix internal server error on git over HTTP calls when SSHD is enabled.

      Double cleanup of the request context caused an internal server error on push or fetch via git over HTTP.

    • Fix generation of SSH keys with empty passphrase.

      The -N option of ssh-keygen was correctly used for generation of RSA keys, but for other types -P was used.

    • Extend documentation of external Ids to include examples of how to generate the sha1 of an external Id and how to show the git note of the Id.


  • New Features

    • Issue 11973: Add copy-to-clipboard for generated HTTP password.

    • Add support for doctag in PolyGerrit UI syntax highlighter.

    • Add an event interface in the PolyGerrit API.

    • Add support for Elasticsearch 7.5.

    • Add documentation of how to perform backups of Gerrit.

  • Breaking Changes

    • The default and minimum value of execution.defaultThreadPoolSize is increased to 2.
  • PolyGerrit UI Fixes

    • Issue 11993: Stop loading fonts from external resources.

    • Issue 11984: Fix top menu bar on iOS.

    • Issue 8282: Avoid browser caching for diff on edit patch.

    • Issue 9444: Fix syntax highlighting for multi-char char constants.

    • Issue 12020: Fix ‘New Contributor Agreement’ screen.

    • Fix gr-syntax-params css class.

    • Fix overflow of branch name in change list.

  • Other Fixes

    • Issue 7645: Fix thread deadlock when loading accounts from the account cache.

      Replacing Guava caches with Caffeine reduces the chance of deadlocks and improves cache performance.

    • Issue 11918: Fix internal server error when deleting a tag or branch by git push.

    • Issue 5082: Upgrade gitiles blame-cache to 0.2-11 to fix internal server error when getting blame for file.

    • Issue 11650: Fix reindexing of changes after project is deleted in the delete-project plugin.

    • Disallow deleting the refs/meta/config branch via the ‘Delete Branches’ REST API.

    • Disallow deleting the HEAD ref via the ‘Delete Branches’ REST API.

    • Allow empty base revision in the ‘Create Branch’ and ‘Create Tag’ REST APIs.

    • Fix deletion of draft comment refs.

      In some situations, draft comment refs were not properly deleted but left empty. This resulted in unused draft refs persisting in the All-Users repository, polluting the namespace. Published draft comments as well as deleted draft comments were kept in the history of the draft ref, keeping them alive for GC, and causing a steady increase of repository size.

    • Use correct content type text/plain instead of plain/text in ‘Create SSH Key’ REST API.

    • Fix handling of interactive/batch users in the QoS filter.

      For git-over-HTTP requests this filter didn’t work properly: basic authentication happened later in the filter chain, so the current user was not yet set when the QoS filter was invoked.

    • Add project name to headers of outgoing change emails.

    • Fix and expand documentation of ref-update and commit-received hooks in the hooks plugin.

    • Upgrade jackson-core to 2.10.1.


  • New features:

    • Add a method on ProjectConfig to read from the repository.

      Add a method that allows reading the config from the repository without having to provide a MetaDataUpdate instance.

    • New file formats supported in syntax highlighting.

      Highlight handlebars, Jinja2, Jenkinsfile, Soy and VHDL formats; associate cproj, xaml and svg as xml.

    • New getConfig() method in the PolyGerrit Plugin RestApi interface.

      Make the PolyGerrit RestApi interface method that retrieves and caches the server config accessible to plugins.

    • Add “readOnly” endpoint parameter to repo-config endpoint in PolyGerrit Plugin RestApi.

  • PolyGerrit UI Fixes:

    • Hide “HTTP Credentials” if auth is not HTTP or HTTP_LDAP.

    • Issue 11782: Fix assignment of CSS style for CodeReview -1 labels within comments.

    • Issue 7083: Stop query from executing if predicate is empty.

    • Issue 8513: Add the SHA hash of each patchset in dropdown menu as it was in the old GWT UI.

    • Issue 11715: Fix total additions/deletions counters when viewing diff against parent 1 on merge commit.

    • Issue 11682: Fix some corner-cases in the diff view where the download file feature did not work for added, renamed and deleted files.

    • Issue 10047: Add shortcut to copy ssh-rsa public key.

    • Issue 7867: Allow downloading a regular file from the patch set, from both base version and specific patch set version. It is implemented as a dropdown.

  • Elasticsearch Updates:

    • Add support for Elasticsearch 7.4.

    • Update elasticsearch-rest-client to 7.4.2.

  • JGit Updates:

    • Upgrade JGit to

      This JGit version brings significant performance improvement in the case when Gerrit loads all external-ids from NoteDb. This happens whenever the external_ids_map cache gets invalidated or expires.

  • Other fixes:

    • Fix internal server error when non-existing base revision is given in input to Cherry Pick Change REST API.

    • Remove error log when a user tries to delete the current branch with the Delete Branch REST API endpoint.

    • Fix the response status code when an error occurred in the Delete Branch/Tag REST API endpoint.

      The endpoint returned “409 Conflict” but should return “500 Internal Server Error”.

    • Fix the response status code when an error occurred in the Update/Delete GPG Keys REST API endpoint.

      The endpoint returned “409 Conflict” but should return “500 Internal Server Error”.

    • Issue 9001: Fix external-id consistency checker e-mail validation.

      Do not enforce emails on external IDs to be globally unique, but allow the same e-mail to be repeated multiple times as long as it is associated with the same account ID.

    • Fix change message when automatically abandoning a change for a project that has been deleted.

      The change message and the message tag were inverted.

    • Fix commit message subject when updating project description by REST API.

      The tense of the commit message subject was inconsistent with other similar messages.

    • Fix commit timestamp when updating project configurations.

      For some REST API operations that update the project configuration, the commit that does the update on refs/meta/config had the wrong timestamp. Rather than being the time of the actual commit, it was always the time of the server startup.

      This was the case for the following operations:

      • Updating the description.
      • Setting the parent project.
      • Updating group names while getting access settings.
    • Upgrade jackson-core to 2.10.0.

      This version includes a fix for CVE-2019-12384.

    • Add more detailed debug logging when not sending an outgoing email.

      There are several conditions that could cause sending of an outgoing email to be skipped. These are now logged at debug level.

    • Increase severity to error for logging of exceptions during site initialization.

    • Issue 4824: Handle multiple httpd.listenUrl values.

      Per the documentation, multiple values are supported, but if multiple values were specified Gerrit would fail to start.

    • Do not overwrite httpd.listenUrl during init, until the input has been checked as valid.

      Fix a bug where during the Gerrit init in interactive mode the input was invalid for the HTTP daemon settings, but still written to the configuration file.

    • Add adder in the reviewer-added event.


  • Breaking Changes

    • The weblinksOnly option is removed from the Get Diff REST API endpoint.

      This option was only used by the GWT UI which has been removed. This is a breaking change for any other clients that are using it.

  • New Features

    • Issue 6029: Add support for downloading binary files.

    • Issue 11205: Allow Gerrit admins to reindex a change even when Read access is not allowed on its target branch.

    • Extend the addMenuLink method in the PolyGerrit plugin API to allow plugins to specify a capability that users must have in order to view a top menu item provided by the plugin.

    • Utility script which can be used to remove all refs created for NoteDb in case of rollback to ReviewDb.

    • Issue 11356: Allow overriding the auto-detected Lucene index configuration.

      The new settings, and allow to manually configure the Lucene index, rather than using auto-detected values, to improve performance.

  • PolyGerrit UI Fixes

    • Issue 10166: Add shortcuts for dashboard and watched changes in PolyGerrit.

    • Issue 11592: Replace ${project} in a foreach query for project dashboards.

    • Issue 10047: Add missing copy buttons for SSH and GPG keys.

    • Issue 11623: Remove leftover handling of GWT’s change edit identifiers.

    • Issue 11562: Fix handling of the “Send feedback” conditional display.

    • Fix regular expression in link text parsing.

    • Issue 11682: Fix edge cases in the download dropdown.

      • Fix support for file addition, deletion and rename.

      • Fix left side content URL when diffing against non base revision, e.g. 2..3.

    • Various improvements of the UX with colors in dark theme.

      See issue 11224, issue 11213, and issue 11004.

    • Upgrade highlight.js to get various syntax highlighting improvements.

      • Issue 11666: Improved support for dart keywords.

      • SVG is added as an alias to xml.js and highlighted as XML.

      • JavaScript supports big number syntax now.

      • cpp syntax highlighting improved.

      • JSON gains support for highlighting comments.

      • C++ gains more keywords.

      • YAML improves matching keys.

  • Elasticsearch Updates

    • Add support for Elasticsearch 7.4.

    • Update elasticsearch-rest-client to 7.4.0.

  • Other Fixes

    • Various fixes in the ‘Create Change’ REST API endpoint:

      • Fix internal server error when creating a merge commit fails with NoMergeBaseException.

      • Reject creation of a merge commit on a non-existing branch.

      • Fail with the correct error message when destination branch does not exist.

      • Fix internal server error when target branch does not exist and the parent option is given.

      • Fix internal server error when base commit does not exist.

    • Issue 11644: Fix setting project description when creating a project by REST API and setting plugin configs at the same time.

    • Issue 11374: Fix handling of plugin capabilities on modification of child collections.

    • Fix init to not overwrite httpd.listenUrl until the input has been validated.

    • Issue 11246: Allow duplicate email addresses to be associated with the same user account.

    • Issue 11367: Fix querying inactive user changes.

    • Issue 11491: Fix git clone/fetch/pull over SSH in high-latency network ending with SSH_MSG_CHANNEL_WINDOW_ADJUST error.

    • Issue 11442: Fix push failing with internal server error sporadically when is configured.

    • Issue 11444: Fix the wrong progress output during online migration in error_log and use the correct charset conversion.

    • Fix change message when automatically abandoning a change for a project that has been deleted.

      The change message and the message tag were inverted.

    • Issue 11137: Remove the gerrit.reportBugText configuration option.

      This option was only used in GWT, which has been removed.

    • Upgrade JGit to

      This version includes a fix for racy atomic ref updates.

  • Replication Plugin Fixes

    • Issue 11145: Drain replication queue before stopping the plugin.

    • Issue 11424: Fix ReplicationTasksStorage exceptions in error_log when triggering replication of all refs.

    • Issue 11573: Fix dropping events during plugin restart.

  • Singleusergroup Plugin Fixes

    • Issue 11498: Fix group resolution for all numeric usernames.


  • Breaking Changes

    • Increase default number of SSHD threads to at least 4.

      The default value of the sshd.threads setting is changed to be either two times the number of available CPU cores, or 4, whichever is greater.

    • Issue 11216: Remove hard-coded bug tracker URL and use configured value if present.

  • New Features

    • Issue 11201: Add ability to have custom label with a missing text value in PolyGerrit

    • Add a PolyGerrit extension point to show a small banner next to the search bar.

      A plugin or a site theme (gerrit-theme.html) may register a custom Element to be inserted into this endpoint.

    • Expose Gerrit’s GWT client library in the plugin API

    • Issue 5791: Add an extension point to allow setting a site banner.

    • Add an extension point to allow custom site footers.

    • Extend QuotaBackend and QuotaEnforcer extension points.

    • Introduce repository size quota enforcer.

      Introduce “/repository:size” quota group that gets examined when commits get pushed to the repository.

    • Issue 11028: Add support for “Link Another Identity” screen in PolyGerrit

    • CommitApi: Add method to get commit info

    • Allow setting the content type in the PolyGerrit plugin REST API interface

    • Add changeCleanup.cleanupAccountPatchReview configuration parameter to wipe out AccountPatchReview data when change gets auto-abandoned.

  • Elasticsearch Updates

    • Issue 11266: Add support for Elasticsearch 6.8.

    • Issue 11267: Add support for Elasticsearch 7.3.

    • Update elasticsearch-rest-client to 7.3.1.

  • PolyGerrit UI Fixes

    • Issue 11350: Upgrade highlight.js to latest master revision.

    • Issue 11096: Fix page not opening after a couple of times switching between GWT and PolyGerrit UI.

    • Fix dialog popup when going to /admin/create-project.

    • Add support for /groups

    • Redirect /groups/self to /settings/#Groups

    • Issue 10733: Fix anchors not working at page load on settings page

    • Issue 10062: Fix PolyGerrit converting plus (+) to space when calling the email.confirm API, and then failing with “invalid token”

    • Issue 11344: Fix commentlink URL and HTML links when canonical URL includes a base link.

  • Other Fixes

    • Issue 11348: Display the progress of the online migration from ReviewDb to NoteDb in error_log.

    • Issue 11235: Fix ls-user-refs reporting wrong results because it was not using the identity of the username given as parameter.

    • Issue 11222: Skip receive.maxBatchCommits when skip-validation option is passed and a commit validator implements shouldValidateAllCommits

    • Issue 11083: Set the correct new revision on change-merged events when submitting by push.

      When multiple changes are submitted at the same time by push, the new revision in all the change-merged events should be the revision of the head of the destination branch after all changes are submitted.

    • Adapt script to work on Alpine Linux.

    • Issue 10855: Fix standalone GWT plugin builds failing because of a broken transitive load of GWT_PLUGIN_DEPS for in-tree plugin builds

    • Issue 11148: Speed up online reindex migration by skipping evaluation of submit rules for closed changes.

    • Issue 11016: Fix Gerrit slave site init leading to an update failure on system_config caused by a read-only transaction

    • Issue 11106: Fix missing comment context for left side in email notifications.

    • Issue 11110: Do not swallow the exceptions that caused REST-API to return with a status >= 400.

    • Issue 11086: When a WIP change is implicitly merged by direct push to the branch, its WIP state is unset.

    • Issue 11082: Close changes oldest first when submitting on push.

    • Submit: Fix wrong conflict resolution

    • Add methods on the change API to get comments and draft comments as lists.

    • Make DefaultChangeReportFormatter extensible by plugins.

    • Add back the oneByExternalId method on InternalAccountQuery.

      This was removed in 2.16 but is added back so it can be used by plugins and extensions.

    • Fix and expand documentation of REST API to get revision files

    • Fix detecting changes of parent trees when computing change kind for merge commit.

      A new patch set of a merge change is considered as NO_CHANGE if the commits have the same delta and trees. For merge commits this includes comparing the trees of the parent commits.

    • Reduce log spam of “setting reductionLimit” debug messages of the Prolog engine.

    • Issue 11325: Do not update change set modified date on ReviewDb when a user deletes all their draft changes.

    • Fix rebase change REST API returned status code.

      The rebase change REST API returns 422 Unprocessable Entity, instead of 500 Internal Server Error, if the specified base change is missing.

    • Catch all exceptions for reporting on Schema_130 migration and display the name of the project that failed the migration.

    • Issue 11271: Update rules_go to 0.18.6 for compatibility with Bazel 0.27.0

    • Issue 11248: Ensure that a newly added label in a parent project is available in the ACL configuration of a child project.

  • Replication Plugin Fixes

    • Issue 10852: Fix stale replications caused by in-flight pushes not properly removed when failed.

    • Issue 11204: Fix creation of missing repository when replicating to a Gerrit server over HTTP.

    • Issue 11175: Introduce new ref-filtering extension point for preventing replication of outdated SHA1s, mostly useful in a multi-site scenario to prevent split-brain.

    • Issue 11055: Fix failure to start when re-triggering persisted events

    • Issue 11172: Fix persisted event being removed before all replications to all nodes are completed.

    • When replication plugin is stopped or reloaded, mark all the currently pending replications as cancelled.

    • Allow configuring timeouts for SSH connections and SSH commands.

      The timeouts can be configured with gerrit.sshConnectionTimeout and gerrit.sshCommandTimeout, respectively.

    • Make more classes and fields public/protected to ease extensibility.

    • Improve handling of remote repository creation failures.

    • Reintroduce boolean return value of methods in AdminApi.

    • Refactor AdminApiFactory to an interface with a default implementation that gets bound as a dynamic item, which can be replaced by derived implementations.

    • When rescheduling due to in-flight push also log the in-flight task ID.

  • Hooks Plugin Fixes

    • Issue 10823: Allow configuring the number of hook execution workers.

      By setting hooks.executorThreads the number of workers can be configured. If not set, it defaults to 1, which was the previously fixed value.


  • Upgrade JGit to

  • Issue 10858: Fix starting Gerrit under Tomcat 8.

  • Issue 10664: Fix duplicate key detection in MySQL patch review database.

  • Issue 11016: Fix failure to initialize on slave.

  • Issue 10763: Fix ACLs to allow regexes for tag and ref permissions.

    The documentation states that reference names can also be described with a regular expression by prefixing the reference name with ^, but the UI only showed the creation field when a non-regex name was used.

  • Issue 11082: Close changes oldest first when submitting on push.

  • Issue 11059: Fix setting BLOCK on partial label range in permissions.

  • Issue 10790: Avoid evaluating submit rules twice for open changes.

    Prolog submit rules were evaluated twice per page view for an open change, which caused performance degradation on projects defining complex rules.

  • Issue 10943: Set References: header on new change notification mail.

    GMail changed the way emails are grouped in conversation view, which, combined with the fact that Amazon SES changes the Message-ID header, resulted in the new change notification email not being grouped with subsequent emails related to the same change.

  • Issue 10952: Fix definition of PID in

  • Issue 10852: Replication plugin: Fix scheduling starvation.

  • Issue 10896: Fix eliding project name without slash in notification emails.

  • Issue 10359: LDAP: support servers that do not allow anonymous browsing.

    Add ldap.supportAnonymous configuration setting in gerrit.config to support servers that do not allow anonymous browsing. Default is true per standard and best practice.

  • Show submit button with tooltip when not allowed to submit.

    The submit button was hidden when the user did not have permission to submit, or other conditions prevented submit (for example the change being WIP).

  • Don’t send “GPG keys added” notification when no GPG keys were added.

    A GPG key update can include both addition and removal of GPG keys. The notification email for addition of new keys was always sent, even if the update only removed keys.

  • Update email notifications on changing security-related settings.

    Email notifications are now sent when a GPG or SSH key is removed, and when the HTTP password is deleted or changed.

    An email notification is now always sent when an SSH key is added to an account, even when it was added by an administrator.

    These notifications alert the user if their account is compromised and an attacker alters the keys or password.

  • Remove explicit dependency on protobuf_java.

    The protobuf_java library is now consumed from rules_closure.

  • Improve performance of migration of accounts to schema 146.

    • Migration of the accounts is parallelized. The default number of threads used is the number of available processors. This can be customized using the threadcount system property.

    • Before the migration, gc --prune=now is executed.

    • When hosted on FileRepository, refs are packed after migration of every 1000 accounts.

    • A progress indicator counts every 100 accounts migrated.

  • Allow commit validation listeners to ignore the skip-validation push option.

    Gerrit allows certain users to skip validation of new commits by passing the skip-validation push option.

    A new method shouldValidateAllCommits is added on the CommitValidationListener, to allow plugin-implemented validators to override this option and always be invoked for new commits. The new method has a default implementation that returns false, meaning that existing implementations don’t need to be modified and will behave the same as before.

  • Optimize commit and ref operation validation for non-ff push.

    On a non-ff push all the commits were validated before the ref operation was validated. On a push with many commits, validating all the commits is wasteful in the case where the ref operation is rejected. The logic is changed so that the ref operation validation is performed before the commit validation.

  • Disallow change index task duplication.

    It was possible for multiple index tasks to be queued for the same change.

  • Fix formatting issues and inconsistencies in soy email templates.

  • Use URL Formatter interface to generate URL in outgoing emails.

  • Fix error message when JRE is not found when starting Gerrit.

    The error message recommended to check for a JRE “>= 1.7”, but Gerrit requires Java 8 minimum.

  • Expose the createProject method of the CreateProject class to plugins.

    This allows plugins to directly invoke the project creation, avoiding the checks that are performed when invoking via the apply method.

  • Expose the jsr305 library in the plugin API.

  • Upgrade gitiles to 0.2-10.

    Includes a fix for rendering of metalinks in the navigation bar.

  • Elasticsearch Fixes

    • Issue 10499: Set default number of shards according to Elasticsearch version.

      In Elasticsearch version 7.0 the default number of shards was reduced from 5 to 1.

      See the Elasticsearch documentation for details.

    • Issue 10496 and Issue 10844: Fix usage of include_type_name in index creation.

    • Add support for Elasticsearch 7.1.

    • Upgrade elasticsearch-rest-client to 7.1.1.

  • PolyGerrit UI Fixes

    • Only display 404 page on initial load.

    • Don’t reload when viewing dashboard.

    • Fix hiding the HTTP password screen.

      It was possible for the HTTP password to be un-hidden using CSS.

    • Add an extension point to allow adding links to the user header.

  • Documentation Updates

    • Issue 10897: Update links to Google individual and corporate CLA pages.

    • Clarify that account must have a username to be able to set HTTP password.

    • Fix formatting in project config documentation.