Download: 3.2.13 | 3.2.12 | 3.2.11 | 3.2.10 | 3.2.8 | 3.2.7 | 3.2.6 | 3.2.5.1 | 3.2.5 | 3.2.3 | 3.2.2 | 3.2.1 | 3.2.0

Documentation: 3.2.13 | 3.2.12 | 3.2.11 | 3.2.10 | 3.2.8 | 3.2.7 | 3.2.6 | 3.2.5.1 | 3.2.5 | 3.2.3 | 3.2.2 | 3.2.1 | 3.2.0

Release Highlights

  • Polymer 3

  • File Uploads in frontend

  • Performance improvements on mergeability check and accounts caching

  • Support for Java 11

Important Notes

Support for Java 11

Gerrit is now officially supported on Java 11, in addition to Java 8. Running on Java 11 was already possible from v2.16.13, v3.0.4 and v3.1.0, but not officially supported because of the lack of a CI validation on Java 11 for stable-2.16, stable-3.0 and stable-3.1 branches.

Please note that Java 11 has a number of improvements and breaking changes compared to Java 8. Refer to the Java 11 release notes for more details.

Gerrit v3.2 has been validated with Java 11, with the following known issues:

  • Issue 11567: Java 11 runtime & startTLS LDAP broken: ‘error code 8 - BindSimple: Transport encryption’.

  • Issue 12639: WARNING: An illegal reflective access operation has occurred, when starting Gerrit.

Schema Changes

This release contains schema changes. To upgrade:

  java -jar gerrit.war init -d site_path

The changes index version has been increased. To run off-line reindexing of the changes (optional):

  java -jar gerrit.war reindex --index changes -d site_path

By default the changes index is automatically rebuilt upon the Gerrit startup after the upgrade.

PERFORMANCE WARNING: The migration process performs the cleanup of the zombie draft comments in the All-Users.git repository that have been left behind since the introduction of NoteDb. It is highly recommended to perform a git gc --aggressive of the All-Users.git repository BEFORE running the migration. Also the reindex of all the changes can take a significant amount of time for large-scale installations.

Also, make sure that the All-Users.git resides on a fast access local filesystem for minimizing the migration time.

Native packaging

  • Upgrade the Docker/Ubuntu image to Ubuntu 20.04

  • Upgrade the Docker/CentOS image to CentOS 8.1.1911

  • Move to OpenJDK 11

    Gerrit v3.2 supports both Java 8 and 11. However, Java 11 is the best choice for large production servers thanks to the introduction of more advanced Garbage Collection strategies and associated tuning for large heaps.

Zero-downtime Upgrade

Gerrit supports zero-downtime upgrade from Gerrit v3.1.6 (or later) when configured using a high-availability configuration, when the Git repositories are stored in a shared filesystem such as NFS or similar.

For upgrading with zero-downtime, you should enable the rolling upgrade migration in gerrit.config on both Gerrit masters by setting the gerrit.experimentalRollingUpgrade to true.

During the zero-downtime upgrade, Gerrit end-users would not notice any outage or service disruption. They will be able to perform the normal Gerrit operations on the GUI or using the Git protocol.

The zero-downtime upgrade consists of the following steps:

  1. Have Gerrit masters upgraded to v3.1.6 (or later) in high-availability configuration, healthy and able to handle the incoming traffic properly.
  2. Set gerrit.experimentalRollingUpgrade to true in gerrit.config on both Gerrit masters.
  3. Set the first Gerrit master unhealthy.
  4. Shutdown the first Gerrit master and then upgrade to v3.2.
  5. Startup the first Gerrit master and wait for the on-line reindex to complete.
  6. Verify that the first Gerrit master is working properly and then make it healthy again.
  7. Wait for the first Gerrit master to start serving traffic normally.
  8. Repeat steps 3. to 7. for the second Gerrit master.
  9. Remove gerrit.experimentalRollingUpgrade from gerrit.config on both Gerrit masters.

NOTE: During the zero-downtime upgrade, the nodes may experience an increase of CPU and memory utilisation due to the online reindexing activity. If testing reveals that the nodes are not able to keep sustained load in conjunction with the online reindexing, then you have to follow the standard migration path.

Breaking Changes

  • Issue 12527: Elasticsearch: Support for EOL versions v5.6 and v6.0 to v6.5 is discontinued

  • Issue 12858: ListGroups: the --query2 option in the groups query REST-API has been renamed to --query

  • Gerrit metrics associated with H2 disk-statistics are now disabled by default. The disk-statistics can be enabled again by setting cache.enableDiskStatMetrics in gerrit.config.

  • The number of comments per change are limited to 5000, and their size to 16k. The limits can be customized in gerrit.config using the change.maxComments and change.commentSizeLimit settings.

New Features

Mergeability behavior and performance

This release introduces a configuration setting change.mergeabilityComputationBehavior that defines when Gerrit computes the mergeability of a change.

Computing the mergeability of changes is an expensive operation that can become a bottleneck for large Gerrit installations. The new setting allows administrators to control this expense. Please refer to the Gerrit documentation for more details about this setting.

The setting change.api.excludeMergeableInChangeInfo is no longer used and may be removed from gerrit.config.

New accounts cache

Introduction of a brand-new AccountCache decomposed into smaller chunks that can be cached individually:

  • External IDs + user name (cached in ExternalIdCache)
  • CachedAccountDetails (newly cached)
  • Gerrit’s default settings

CachedAccountDetails is a new class representing all information stored under the user’s ref (refs/users/<sharded-id>).

The new structure requires a lot less I/O when an entry needs to be reloaded and lowers the cache-miss ratio when a user’s details are updated.

New external groups cache

Gerrit can be linked to external user directories like LDAP, providing Gerrit with external users and groups. External groups can be added to Gerrit to restrict access to refs and repos and are mainly used for permissions evaluation.

The following new additional caches have been introduced and can be customized in gerrit.config:

  • groups_external: Caches all the external groups available to Gerrit.
  • groups_external_persisted: Caches all external groups available to Gerrit at some point in history.

File Uploads

File Uploads are now supported in the User Interface or through the REST API.

New Revert permission

Introduce a new permission to allow/deny the ability to revert a change through the Gerrit UI.

The permission is automatically added to the Registered Users as part of the schema upgrade. To deny reverts, Gerrit administrators should remove this permission from All-Projects ACL.

New is:merge operator for searching changes

Introduce the new is:merge operator to find changes that are merge commits. This change requires a full reindex of the changes, which may take quite a long time to compute for large-sized installations.

When choosing the on-line reindexing option (default) Gerrit can still operate with the old index version, disabling the is:merge operator until the new index has been successfully rebuilt.

New SSH commands

New SSH commands introduced:

  • gerrit set-topic: set the topic of a change (existing REST-API surfaced via SSH)
  • gerrit sequence show: show the current sequences value from All-Projects.git or All-Users.git
  • gerrit sequence set: set the next value for sequences in All-Projects.git or All-Users.git

Review labels stickiness

New CherryPickOf field for a change

After a change is created or updated using the ‘cherry-pick’ functionality, the cherry-picked change includes a new field in the change info returned from REST APIs called CherryPickOf with the source change number and the patchset.

New Gerrit configuration: instanceId

Introduce the instanceId configuration for multi-master Gerrit setups. For more details check:

Other performance optimizations

  • Ability to configure the number of relevant changes to consider when suggesting the reviewers on the changes screen, using the gerrit.config setting suggest.relevantChanges

PolyGerrit UI

The Gerrit frontend has been migrated from Polymer 2 to Polymer 3.

  • Users can now cherry pick entire topics.

  • Gerrit supports adding display names. Hosts can configure first name or username as default.

  • The reply dialog now shows the entire comment thread instead of the comment list.

  • Issue 6293: More self-evident transitions from WIP state. “Start Review” button added to change view.

  • Issue 8153: Improvements to rebase indicator: display a hover card instead of a tooltip with the icon including the possible rebase action.

  • Issue 10444: UI for deleting change messages for Gerrit Administrators.

  • Issue 10890: Repository list: Move “Repository Browser” column left of “Description” column.

  • Issue 11441: Add in-product reminder to keep discussions respectful.

    Some code review discussions can become a bit rough and some people perceived discussions as not always respectful. Add an in-product reminder to keep discussions respectful when a reply is typed, optionally with linking to the code of conduct.

  • Issue 11493: Add an “Edit” button to the diff view in the PolyGerrit UI.

  • Issue 11521: Display trace ID in error popup if request failed and server did a trace.

  • Issue 11522: REST API for review labels in the project configuration.

  • Issue 11705: Show count of changes in User Dashboard.

  • Issue 11706: Allow editing the commit message as part of a change edit.

  • Issue 11973: Add copy-to-clipboard for generated HTTP password.

  • Issue 12364: Add support for going to a specific line number in the inline editor.

Download commands plugin

  • Issue 11594 Merge the repo-vs-git logic into GitDownloadCommand directly.

    Created separate “getRepoCommand” and “getCommand” methods for downstream classes to extend with the default “getRepoCommand” defaulting to null.

  • Issue 11609 “Download patch” UI includes an option for also creating a local branch.

    A very standard workflow is to download a change from Gerrit, make edits, and then repo upload the changes back to Gerrit. Allow developers who are not familiar with the idiosyncrasies of repo to easily create a local branch when checking out changes.

End-to-end tests

  • Allow end-to-end tests to proportionally scale on their expected execution times.

    A power_factor environment property was added to the end-to-end tests core framework. Using that optional property, scenario steps can take some more (or less) time prior to expecting proper completion.

    The way to set that property locally then depends on the target runtime environment, or SUT latency. The property may be used for either core or plugin scenarios.

  • FlushProjectsCache related scenarios added to core (and the high-availability plugin).

  • Support for relative runtime weights in scenarios.

    Each scenario can now either weight like any other by default, or override that default with a greater weight value, compared to siblings that are lighter on execution times.

    Beside core, make the high-availability and multi-site plugin scenarios reuse this.

  • Allow scenarios to create and delete Gerrit changes alongside projects.

    Add the corresponding core support for an optional http request body to every such GerritSimulation. Either automate or allow environment properties to feed the related input test data.

    Beside core, make the high-availability and multi-site plugin scenarios test changes that way. The latter currently has Issue 12693 as a known limitation.

REST APIs

  • Accounts

  • Changes

    • Query Changes API now supports a new no-limit parameter to remove the default limit on queries and return all results. This might not be supported by all index backends. Also, the SKIP_MERGEABLE option for skipping the mergeability flag option is not supported anymore.

    • Revert Change now truncates the revert message if it exceeds 63 characters, by cutting it down to 59 characters with the ellipsis (…) at the end. Also, the API now requires the new revert permission; otherwise a 403 Forbidden status code is returned.

    • Revert Submission API for creating a submission-id for grouping multiple changes that belong to the same submission (e.g. topic submission).

    • Change file content in Change Edit API now supports uploading binary content.

    • New Preview Fix API for getting the diffs of all files for a certain fix-id. This is intended to be used in conjunction with robot comments.

    • New allow_conflicts option in all REST APIs that perform a server-side merge or cherry-pick.

  • Groups

    • Query Groups API accepts the query as parameter for groups filtering, instead of the query2 which was a temporary name given to avoid clashes with an earlier deprecated parameter.
  • Projects

    • Brand-new set of Label Endpoints API for managing the project review labels in a programmatic way, without having to directly modify the project.config in the refs/meta/config of the repository.

Bug Fixes

  • Replication plugin fixes

    • Issue 11672: Change the storage structure of the persisted replication tasks to avoid losing events.

    • Issue 11745: Fix firing pending “..all..” events on startup.

    • Issue 11760: Make persistent task keys stable.

    • Issue 12678: Fix missing replication Id in replication logs.

    • Issue 12719: Fix replication start --wait to track in-flight collisions and to not fail.

    • Issue 12731: Don’t lose state when there’s a pending push to the same ref.

  • PolyGerrit fixes

    • Issue 4616: Open commentlinks to changes on the same server in the same tab.

    • Issue 7083: Stop query from executing if predicate is empty.

    • Issue 8068: Fix screenreader: In unified mode, stop showing “0 added/removed”.

    • Issue 9296: Fix wrong diff of commit message between different patch sets of a merge commit.

    • Issue 11515: Fix Ctrl-Enter on Move Change

    • Issue 11552: Fix prev/next on diff screen with unchanged files containing only comments.

    • Issue 11625: Avoid multiple notifications for existing reviewers.

    • Issue 11697: Fix rendering of commentlinks without leading whitespace.

    • Issue 11725: Fix diff view file name shown even when the file wasn’t changed, but only included because contains a comment.

    • Issue 11727: Fix blue underline missing from active tabs.

    • Issue 11782: Fix assignment of CSS style for CodeReview -1 labels within comments.

    • Issue 11969: Fix tab index in reply dialog.

    • Issue 11980: Fix handling of LDAP groups containing a dot in the PolyGerrit permissions screen.

    • Issue 11984: Fix top menu bar on iOS.

    • Issue 11993: Stop loading fonts from external resources.

    • Issue 12020: Fix ‘New Contributor Agreement’ screen.

    • Issue 12024: Fix undefined branch in create-destination-dialog.

    • Issue 12031: Fix issues with caching edited commit message.

    • Issue 12067: Fix blank screen after upgrading.

    • Issue 12108: Add missing ‘Page …’ on pagination links in the repository list.

    • Issue 12184: Fix link in blame annotation to link directly to the commit.

    • Issue 12197: Fix rendering of commentlinks using link in PolyGerrit UI.

    • Issue 12224: Honor the date format preference when displaying dates.

    • Issue 12385: Fix memory leak in gr-plugin-endpoints.

    • Issue 12707: Apply diff preferences immediately after pressing “Save”.

    • Issue 12726: Fix incorrect highlighting after / character in Javascript.

    • Issue 12775: Fix parent of previous patch sets not being available.

  • Other fixes

    • Issue 3340: Fix internal server errors when setting project access permission with bad regex.

    • Issue 7645: Fix thread deadlock when loading accounts from the account cache.

      Replacing Guava caches with Caffeine reduces the chances of having the deadlocks and improves the cache performance.

    • Issue 7969: Fix internal server error when diffing MERGE_LIST between different patch sets of a merge commit.

    • Issue 8952: Do not require explicit “Push Tag” rights to refs/tags/* for pushing an annotated tag over HTTPS.

    • Issue 10397: Don’t send notification email when publishing a change edit on a WIP change.

    • Issue 11650: Fix reindexing of changes after project is deleted in the delete-project plugin.

    • Issue 11962: Fix advertisement of refs/meta/config in git protocol v2 when client does not have access to it.

    • Issue 11986: Fix fetching individual ref with git protocol v2.

    • Issue 11989: Fix internal server error when pushing over SSH with git protocol v2.

    • Issue 12070: Fix internal server error on git over HTTP calls when SSHD is enabled.

    • Issue 12243: Fix unexpected deactivation of service user accounts.

    • Issue 12246: Fix generation of duplicate ChangeIds when creating a new change via REST.

    • Issue 12440: Fix the access-path for AbstractGitCommand subclasses.

    • Issue 12444: Add support for max_result_window in Elasticsearch index configuration.

    • Issue 12473: Fix broken links in Elasticsearch configuration documentation.

    • Issue 12606: Fix visibleto predicate for groups.

    • Issue 12747: Fix change query visibility for internal user.

    • Issue 12755: Block the removal of the Realm primary external ids.

Dependency Updates

  • Upgrade flogger to 0.5.1

  • Upgrade guava to 29.0

  • Upgrade guice to 4.2.3

  • Upgrade jgit to 5.8.0.202005061305-m2

  • Upgrade mina-sshd to 2.4.0

  • Upgrade ow2 to 7.2

  • Upgrade truth to 1.0.1

Documentation updates

  • New Gerrit walkthrough guide for GitHub users, to allow an easier transition for those who are coming from a Pull Request workflow.

  • New guide on how to backup Gerrit.

  • Replace the term slave with replica in the Gerrit documentation, for alignment to the new term used in the configuration. The slave term is still supported but deprecated.

  • Issue 12573: Added documentation of the commit-container PolyGerrit extension endpoint.

Bugfix Releases

3.2.13

  • New Features

    • Issue 14930: Include Command-Status in the httpd_log and the httpd_log.json

      Indicates the overall result of the GIT command over HTTP.

      Refer to the docs for more details.

  • Bug Fixes

    • Issue 9812 Issue 7338: Merge commit cannot be moved

      If a merge was targeting branch A, but then it was decided to create a new branch for this merge named B, which starts from A, the merge is still valid for B, and the user has no way to move it without amending and creating a new change.

    • Issue 15024: Gerrit event json formatter produces inconsistent payload for different projects

      AllProjectsName and AllUsersName were serialised as: {"name":"All-Projects"} and {"name":"All-Users"} while all other projects were serialised as a JSON string. The different JSON payloads were causing issues with the HA configuration using the high-availability plugin.

    • Issue 14968: PluginServletContext does not implement javax.servlet.ServletContext.getVirtualServerName()

      Remove the noise on error_log of c.g.g.h.p.PluginServletContext does not implement j.s.ServletContext.getVirtualServerName(), when running Gerrit on Tomcat 8.5.69.

3.2.12

  • Security Fixes

    • Issue 14732: Commits/IncludedIn exposes branch names without respecting the ACLs on branches

      When calling the REST endpoint for listing all branches that a commit SHA1 is part of, the commit is properly checked for visibility against the ACLs (it is a REST resource) but the branches are not checked.

      The included-in may expose the list of non-visible branches to a user that has visibility of the SHA1.

    • Issue 7282: Hide repository name and description when user has no access

      Gitiles did not respect Gerrit’s permission and would show the repo name and description to any user who could guess the name. The repositories list as well as the content APIs were not affected.

  • Bug Fixes

    • Issue 14785: Limit returned changes for a triplet without Change-Id

      Fix a bug where invoking the REST-API /changes/repo~branch~ without mentioning the change-id resulted in the full scan of all changes on a repository/branch causing a high CPU overload and occupying the request threads for a long time.

    • Issue 14776: Prevent removing e-mail associated with OpenID external IDs

      Gerrit prevents the user from removing the email address associated with their OpenId account.

    • Change 312602: Fix Mariadb status matching for AccountPatchReview

      Mariadb connector uses SQLException.getSQLState() which returns the ANSI SQLSTATE value, not the MariaDB/mysql error code. Fix the removal of duplicate key detection when an already reviewed file opened up again returned 500 because of the incorrect handling of SQLSTATE value.

    • Change 312382: Fix deleting edits when change is merged

      Fix the support of deleting a change edit after it has been merged or abandoned.

3.2.11

  • Breaking Changes

    • Elasticsearch: Support for EOL versions 7.4 and 7.5 is discontinued, as they became EOL earlier this year.
  • Bug Fixes

    • Issue 14495: SSH thread leak with authentication exception

      A show-queue will show tasks in the Batch (or Interactive) queue hanging forever as a consequence of a Git/HTTP thread ending because of an error.

    • Issue 14577: Dedicated mergeable endpoint shouldn’t be called if change.mergeabilityComputationBehavior is set to API_REF_UPDATED_AND_CHANGE_REINDEX

    • Issue 14600: Empty registered field on profile settings screen

    • Issue 14613: Gerrit is killed before the gracefulStopTimeout

      Avoids gerrit.sh killing the in-flight Git/HTTP just after 30 seconds regardless of the httpd.gracefulStopTimeout configuration value.

    • Issue 14639: Searching repositories by name is case-sensitive

      Restore the correct project search that was case-insensitive in 2.16.27, 3.1.3 and 3.3.2.

    • Issue 14645: Username to lowercase conversion fails with duplicates

      Duplicate account names associated with the same account id were making the conversion to lowercase fail.

    • Change 307602: Fix NPE while accessing draft refs

    • Change 307482: EqualsLabelPredicate: fix bug that prevents matching owner votes

  • Dependency Updates

    • Update JGit to 73f8acdc5c97e068143c86765995c4fb6923ee91.

3.2.10

  • Bug Fixes

    • Issue 14553: Gerrit REST-API fails when using /a/ prefix and cookies

      Recent fix to support GerritAccount Cookie authentication for Git/HTTP broke existing Python (or other) scripting when performing automation with Gerrit REST-API. That is due to the generation of the GerritAccount cookie in the HTTP response, which Python automatically manages to reuse in subsequent calls.

    • Issue 13721: Don’t serve polygerrit assets for git requests

      After migration to Polymer UI, PolyGerrit static resources are mounted at the root of the gerrit URL, and would collide with project namespaces, so that the project with these prefixes cannot be served with Git over HTTP protocol.

3.2.9 (withdrawn)

  • Fix EqualsLabelPredicate to not fail when calling match() from a plugin

    Calling match() on the EqualsLabelPredicate returned from ChangeQueryBuilder.parse() in a plugin fails when in the context of an HTTP query.

  • Fix registration redirect on OpenID

  • Log when a new SSH connection is rejected due to exceeded limit

    When the sshd.maxConnectionsPerUser got exceeded for a user, new connections from that user were rejected but no log entry was reported.

  • Issue 14127: Fix binding of DELETE REST calls from plugins.

    The processing of the DELETE request actually never reached the delete-project plugin due to bug in the RestApiServlet which wrongly delegated the request to a child collection in Gerrit core.

  • Issue 13140: OpenID: Remove support for Yahoo! OpenID provider.

    Yahoo! discontinued support for OpenID provider: “OpenID2 will be EOLed on 6/30/20”

  • Issue 14246: Creation of internal account does not respect auth.userNameToLowerCase.

    The CreateAccount SSH command and REST API were able to create accounts with usernames that contained uppercase letters even if auth.userNameToLowerCase was set to true.

  • Issue 14490: Missing LDAP metrics for authentication.

    Expose the LDAP metrics in terms of latency and call rates so that any problem can be highlighted early on and potentially alerted to the Gerrit admin.

  • Issue 14497: Git/HTTP traffic overloads LDAP with duplicate authentication requests.

    When authenticating incoming Git calls over HTTP the BasicAuth filter was called 3 times per call triggering multiple authentications against the backend.

  • Issue 14508: Allow GerritAccount Cookie authentication for Git/HTTP.

    Allow to create a Gerrit session from the GerritAccount cookie set on the Git client, so that only the first HTTP call will actually authenticate and create a session whilst all the others would just reuse the existing cookie.

  • Issue 11142: ssh to gerrit with no args requires standard input to terminate.

  • JGit Issue 552173 Too many open files when fetching repos with lots of refs

    JGit update fixes “Too many open files” errors.

  • Dependency Updates

    • Update JGit to f2e5bace4841758927d47db7d20e4a6f7353ce57.

3.2.8

  • New Features

    • Issue 14091: Support the highlighting of LaTeX files with .tex extension.
  • Breaking Changes

    • Elasticsearch: Support for EOL versions 7.2 and 7.3 is discontinued. Both elasticsearch versions became EOL recently.

    • Issue 13931: Disallow editing the Change-Id during inline edits.

  • Bug Fixes

    • Issue 12443: Stop generating continuous “logging context is not empty” in error_log.

    • Issue 12847 Issue 12862: Fix NPE on trying to send email for user without email address.

    • Issue 14097: Allow enabling of Git GC button for non-local Git repository managers, such as multi-site repositories.

    • Issue 14118: Quota management: enforce repository size on pack rather than on object.

    • Issue 14193: Ensure InternalUser can parse groups.

  • PolyGerrit Fixes

    • Issue 14035: Change --gr-formatted-text-prose-max-width from 80ch to 120ch.

    • Issue 14104: Decorate the number line element of a blank side, otherwise it won’t be affected by the “hide-left” action to hide one side of the diff

    • Issue 14257: Fix empty TopMenu drop down list.

  • Documentation updates

    • Align the recommended buildifier version to v4.0, the same used in the CI.

    • Development guidelines: mention that Optional in arguments is discouraged (use @Nullable instead) but may be used as return type.

  • Dependency Updates

    • Update highlight.js to 10.6.0.

3.2.7

  • New Features

    • Add change query option allowing administrators to skip visibility filtering.

      Add a new REST-API change query option “skip-visibility” to allow administrators to skip visibility filtering.

  • Security Fixes

    • Issue 13858 CVE-2021-22553: Fixed memory leak in Git-over-HTTP requests.

      Unauthenticated users could exploit this problem in a Denial of Service attack, causing the server to go out-of-memory.

  • PolyGerrit Fixes

    • Issue 11811: Fix comments on partial text selection on Safari.

    • Issue 13870: Polygerrit: Remove license headers in minified gr-app.js.

  • Replication plugin fixes

    • Don’t check read permission when authgroup isn’t set.

      Do not check for read permission when authGroup is not set since the user is a RemoteSiteUser that is-an InternalUser having read access to everything. This fixes a regression introduced in v3.1.10 that prevented the All-Users.git repository from being fully replicated to Gerrit replicas.

  • Bug Fixes

    • Issue 13803: Limit number of ambiguous accounts in error message.

      Don’t list more than 3 ambiguous accounts in error message of UnresolvableAccountException in order to prevent flooding the log and displaying a lot of sensitive account data in an error dialog.

    • Issue 13936: Fix badly formatted error message shown in error dialog.

    • Issue 13884: Fix ‘is:submittable’ query on multiple submit records.

  • Dependency Updates

    • Update highlight.js to 10.5.0.

    • Update Jetty to 9.4.35.v20201120.

    • Downgrade soy-template to 2019-10-08.

3.2.6

  • Breaking Changes

    • Elasticsearch: Support for EOL version 6.8 is discontinued. This was the last supported minor version of Elasticsearch 6 in Gerrit. From this release, Gerrit no longer supports V6 but only the already supported versions 7.x of Elasticsearch.

      • Speaking of which, support for 7.0 and 7.1 is discontinued too, as both elasticsearch versions also became EOL recently.
  • Security Fixes

    • Issue 12629: Verify hostname when sending emails via SMTP server with SMTPSClient.

      The SMTP server’s certificate and hostname must be verified if encryption is enabled with SSL verification in the host settings (sendemail.smtpEncryption and sendemail.sslVerify).

  • PolyGerrit Fixes

    • Add a warning if submitting a change with an open change edit.
  • Bug Fixes

    • Issue 13544 Ensure that GC#deleteOrphans respects pack lock:

      If pack or index files are guarded by a pack lock (.keep file) deleteOrphans() should not touch the respective files protected by the lock file.

    • Issue 13775 Honor toggleWipState permission for %ready %wip push options:

    • Issue 13781 Compact the REST-API output JSON unconditionally:

      The output JSON was initially compacted only when the Accept header was set to application/json: the compaction is now done unconditionally, unless the pp=1 query parameter is specified.

    • Issue 13786 ForRef#check should permit internal users to read all refs:

      The “Make PermissionBackend#ForRef authoritative” change introduced a regression where Gerrit internal users (e.g. plugins) were not taken into consideration when checking READ permission. As a consequence, the All-Users.git repository did not get any of the user’s refs replicated to the slaves. After the upgrade it is required to trigger a forced replication of the All-Users.git repository manually.

    • Avoid logging ssh exception for stream is already closed when length=0 if present in the stacktrace.

  • Documentation Updates

    • Clarify that ‘m’ push option sets patch set description.

    • Clarify that disk cache metrics require cache.enableDiskStatMetrics.

  • Dependency Updates

    • Upgrade Bazel toolchain to 3.1.0.

    • Upgrade testcontainers to 1.15.1.

    • Upgrade Jetty to 9.4.33.v20201020.

3.2.5.1

  • Bug Fixes

    • Issue 13698: Java runtime mismatch on Java 8 after upgrading to v3.2.5.

3.2.5

  • Breaking Changes

    • Elasticsearch: Support for EOL versions 6.6 and 6.7 is discontinued.

    • Issue 13184: Logging: --console-log flag of gerrit.war daemon respects log.textLogging and log.jsonLogging options

      Change in the default behaviour of the --console-log flag. Since log.textLogging in the gerrit.config is true by default, using the --console-log flag now writes logs to the error_log file in addition to stderr by default. This can be avoided by setting log.textLogging = false.

    • Issue 13701: X-Forwarded-Proto is now required because of underlying upgrade of the Jetty library, when Gerrit is accessed through an HTTP(/S) reverse-proxy.

  • Security Fixes

    • Issue 13621 CVE-2020-8919: Make PermissionBackend#ForRef authoritative.

      Fixes a misconception that leads to data being accessible through Gerrit APIs that should be locked down.

      Gerrit had two components for determining if a Git ref is visible to a user: (Default)RefFilter and PermissionBackend#ForRef (e.g., RefControl). The former was always capable of providing correct results for all refs. The latter only had logic to decide if a Git ref is visible according to the Gerrit READ permissions. This includes all refs under refs/heads as well as any other ref that isn’t a database ref or a Git tag. This component was unaware of Git tags and notedb-related refs. Hence, when asked for a database reference such as refs/changes/xx/yyyyxx/meta, the logic would allow access if the user has READ permissions on any of the ref prefixes (such as the default “read refs/* Anonymous Users”).

      That was problematic, because it bypassed documented behavior where a user should only have access to a change if he can see the destination ref. The same goes for other database references.
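The gap between the two checks can be shown with a small Python model, added here as an illustration; it is not Gerrit's code. The ACL, group names, change numbers and the longest-pattern-wins rule are constructed simplifications.

```python
import re

# Constructed sample data for a simplified model; not Gerrit's data structures.
# READ sections: ref pattern -> groups granted READ. Simplification: the longest
# matching pattern decides, standing in for an exclusive, more specific section.
READ_ACL = {
    "refs/*": {"Anonymous Users"},
    "refs/heads/embargo": {"Security Team"},
}
# Change number -> destination branch (constructed).
CHANGE_DEST = {1001: "refs/heads/master", 1002: "refs/heads/embargo"}

CHANGE_REF = re.compile(r"^refs/changes/\d{2}/(\d+)/(?:meta|\d+)$")


def _matches(pattern, ref):
    if pattern.endswith("*"):
        return ref.startswith(pattern[:-1])
    return ref == pattern


def can_read_branch(groups, ref):
    """READ check for an ordinary ref: the most specific matching section wins."""
    hits = [p for p in READ_ACL if _matches(p, ref)]
    return bool(hits) and bool(READ_ACL[max(hits, key=len)] & groups)


def legacy_for_ref(groups, ref):
    """Pre-fix model: no notion of database refs."""
    if CHANGE_REF.match(ref):
        # READ on any section at all was enough for a change ref.
        return any(allowed & groups for allowed in READ_ACL.values())
    return can_read_branch(groups, ref)


def authoritative_for_ref(groups, ref):
    """Post-fix model: a change ref is visible only if its destination ref is."""
    m = CHANGE_REF.match(ref)
    if m is None:
        return can_read_branch(groups, ref)
    dest = CHANGE_DEST.get(int(m.group(1)))
    return dest is not None and can_read_branch(groups, dest)


def compare(groups, ref):
    """Return (legacy, authoritative) decisions for one request."""
    return legacy_for_ref(groups, ref), authoritative_for_ref(groups, ref)
```

In this model the embargoed branch itself is denied to anonymous callers by both checks; only the change ref pointing at it differs, which is the behaviour the fix removes.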

    • Issue 13514 CVE-2020-8920: Work around Gitiles bug on All-Users visibility.

      Gitiles has a special FilteredRepository wrapper that allows carefully hiding refs based on the project’s ACLs. There is, however, an optimization that skips the filtering when a user has READ permissions on every ACL pattern. When the target repository is All-Users, the optimization turns into a security issue because it allows seeing all personal information associated with all accounts, i.e.:

      • draft comments
      • draft edits
      • personally identifiable information (PII) of all users
      • external ids

      This fix now blocks Gitiles or any other part of Gerrit from abusing this power when the target repository is All-Users, where nobody can be authorized to skip the ACLs evaluation anyway.
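The effect of the skipped filtering, and of refusing to skip it for All-Users, is shown in the Python model below. It is an added illustration, not Gitiles or Gerrit code; the ref list, account ids, group name and function names are constructed.

```python
ALL_USERS = "All-Users"

# Constructed sample data for a simplified model; not Gitiles or Gerrit code.
# Ref in All-Users -> owning account id (None: not owned by a single account).
ALL_USERS_REFS = {
    "refs/users/00/1000000": 1000000,
    "refs/users/01/1000001": 1000001,
    "refs/draft-comments/42/4242/1000001": 1000001,
    "refs/meta/external-ids": None,
}
# READ sections of the project: ref pattern -> groups granted READ.
READ_ACL = {"refs/*": {"Registered Users"}}


def has_read_everywhere(acl, groups):
    """Precondition of the optimization: READ on every ACL pattern."""
    return all(allowed & groups for allowed in acl.values())


def owned_by(account_id, refs):
    """Careful per-ref check for All-Users: only the caller's own refs."""
    return lambda ref: refs.get(ref) == account_id


def visible_refs(project, refs, acl, groups, is_visible, fixed):
    """Return the sorted refs a caller may list.

    is_visible is the per-ref check; fixed=True applies the rule from the
    fix: never skip the per-ref evaluation for All-Users.
    """
    may_skip = has_read_everywhere(acl, groups)
    if fixed and project == ALL_USERS:
        may_skip = False
    if may_skip:
        return sorted(refs)  # fast path: filtering skipped entirely
    return sorted(r for r in refs if is_visible(r))


def list_all_users(account_id, groups, fixed):
    """Refs of All-Users that account_id can list, before or after the fix."""
    check = owned_by(account_id, ALL_USERS_REFS)
    return visible_refs(ALL_USERS, ALL_USERS_REFS, READ_ACL, groups, check, fixed)
```

The fast path stays available for other repositories in this model, so the restriction is scoped to All-Users as the note describes.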

  • Bug Fixes

    • Issue 13307: Do not forward events generated by multiple Gerrit servers in high-availability configuration.

    • Issue 13349: Allow disabling SSH on Gerrit replica, when disabled in gerrit.config.

    • Issue 13408: ReceiveCommits: potential NPE when auto-closing changes.

    • Issue 13412: gerrit test-submit is not available when ssh download is disabled.

  • PolyGerrit Fixes

    • Issue 11706: Allow editing the commit message as part of change edit.

    • Issue 13175: Fix gr-hovercard-behavior under Firefox.

    • Issue 13328: Project dashboard links stored in ‘My’ menu (GWT) lead to ‘cannot load page’ in PolyGerrit.

    • Issue 13350: Cannot add group to (cc-)review if its UUID is not the internal one.

    • Issue 13402: Errors not displayed by delete-project plugin, if project deletion fails.

  • Replication plugin Fixes

    • Issue 12769: Pending replication events can delay the Gerrit startup for too long.

  • End-to-end Tests Improvements

    • Issue 13082: Add Eclipse support for Gatling-based development of the end-to-end tests.

  • Documentation Updates

    • New documentation for the GC section in jgit.config with the details of the relevant JGit settings for tuning the repositories GC.

    • New documentation for the receive section in jgit.config with the documentation of the autogc setting.

    • Documentation of how to enable Git protocol v2 on jgit.config.

    • Documentation of Gerrit logs format.

    • Documentation of the X-Forwarded-For header on HTTP/HTTPS reverse proxy configuration.

    • New sshd.gracefulStopTimeout setting for allowing incoming SSH connections to drain upon Gerrit shutdown.

  • Dependency Updates

    • Caffeine 2.8.5

    • Jetty 9.4.32.v20200930

    • JGit v5.8.1.202007141445-r

    • Google Truth 1.1

    • Soy 2020-08-24

3.2.4

This minor release has been withdrawn.

3.2.3

  • Security Fixes

    • Issue 12846: BadMessageException: 500: Response header too large.

      CVE-2019-17638

      Bump Jetty version to 9.4.30.v20200611 to fix a regression introduced in Jetty version 9.4.27.v20200227.

      Response header overflow leads to buffer corruptions. Jetty server always allocates maximum response header size.

      For more details see also upstream issues:

      Issue 4936, Issue 4541

  • Bug Fixes

    • Issue 12813: e2e-tests: Add CheckMasterBranchReplica1 scenarios

    • Issue 12934: Fix selection on diff with range comments

    • Issue 12952: Handle duplicate label values on project load and push of config updates

    • Issue 12959: Submit: Use updated change for response

      The response was sent with the change instance from before it got submitted, rather than the updated change. As a result, the response contained the status “NEW” rather than “MERGED”.

    • Issue 12988: Fix issue with auto registering ssh commands

    • Issue 13166: Include request latency in httpd_log.json

      The latency field was missing in the entries of JSON-formatted http logs.

  • PolyGerrit Fixes

    • Issue 12994: Fix toggle on iOS

      This works around an issue whereby clicking on iOS causes the toggle to act like a double tap, thus switching back off.

    • Issue 13080: Fix the position of the hovercard

      The desired position was ‘right’, but it appeared ‘bottom-right’, because the height of the hovercard was calculated as 2px at the time of updating the position.

    • Issue 13054: Restore keyboard shortcut for expand all diff context

      In the Gerrit 2.16 release the keyboard shortcuts system was redesigned, but the binding for the Shift+x shortcut for expand all diffs was lost. Restore this binding and confirm that it is now listed in the help dialog and works as expected.

  • Documentation Updates

    • Issue 10385: Document “Toggle Work In Progress state” permission

  • Replication plugin Fixes

    • Issue 12779: Only fire the specified pending event URI

    • Issue 12940: Fix issue with URI lock release after replication task cancellation

    • Issue 12986: Revert “Get a URI lock before running tasks.”

      The reverted change may still be missing some lock release calls, and it caused the loss of replication events in the queue when backed by the same task storage file.

  • Dependency Updates

    • JGit v5.8.1.202007141445-r

3.2.2

  • Security Fixes

  • Bug Fixes

    • Issue 12680: Run projects reindex after Gerrit init only when needed, speeding up the upgrade process.

    • Issue 12778: Fix Included In filter not working in the search box.

    • Issue 12909: Fix missing index creation after Gerrit init.

    • Issue 12918: Fix missing email notifications for project watches for changes created via cherry-pick.

    • Issue 12884: DatabasePubKeyAuth: Exclude comment from peer key line if present

  • PolyGerrit Fixes

    • Issue 11368: Fix JavaScript error if project has incorrect access configuration in Global Capabilities.

    • Issue 12899: Speed up the rendering of changes with a large number of comments by lazy loading them when expanded.

  • Documentation Updates

    • Issue 12869: Add documentation on how to move a change across branches.

    • Issue 12870: Update WIP workflow user guide.

3.2.1

  • New Features

    • Support for rolling upgrade.

    • New interface AccountActivationListener available to plugins for listening to accounts activation status changes.

  • Security Fixes

    • Issue 12717: Deny access over HTTP for disabled accounts.

      A disabled account was still able to access Gerrit over HTTP until the existing session expired.

    • Close active SSH connections associated with an account that has been disabled.

  • Bug Fixes

    • Issue 12850: Ignore WIP changes in “CCed on” dashboard section.

  • PolyGerrit Fixes

    • Issue 11706: Support commit message modification as part of the inline edit session.

  • Documentation Updates