This release contains schema changes. To upgrade:
java -jar gerrit.war init -d site_path
As of June 18th 2018, Maven Central discontinued support for TLS v1.1 and below.
When initializing a new site with Java 7, this causes download of third party dependencies such as the MySQL connector to fail. It is therefore necessary to explicitly enable TLS v1.2 on the invocation of java:
java -Dhttps.protocols=TLSv1.2 gerrit.war init -d site_path
This does not affect Java 8, which enables TLS v1.2 by default.
Sites that have already upgraded to version 2.13 may want to migrate from the default H2 database to MySQL or PostgreSQL. This can be done using the MigrateAccountPatchReviewDb program.
Sites that have already upgrade to version 2.13 before 2.13.8 need to manually migrate the reviewed flags database to change the
file_name column length.
After stopping Gerrit, enter the H2 console:
java -jar /path/to/h2.jar -url jdbc:h2:path/to/review_site/db/account_patch_reviews
and then execute the following statement:
ALTER TABLE account_patch_reviews ALTER COLUMN file_name VARCHAR(4096) DEFAULT '' NOT NULL
Depending on the number of rows, this operation may take some time. For example, one million rows may take up to 1 minute.
To use online reindexing for the
changes secondary index when upgrading to 2.13.x, the server must first be upgraded to 2.8 (or 2.9) and then through 2.10, 2.11 and 2.12. Skipping a version will prevent the online reindexer from working.
Gerrit 2.13 introduces a new secondary index for accounts, and this must be indexed offline before starting Gerrit:
java -jar gerrit.war reindex --index accounts -d site_path
If reindexing will be done offline, you may ignore these warnings and upgrade directly to 2.13.x using the following command that will reindex both
accounts secondary indexes:
java -jar gerrit.war reindex -d site_path
The server side hooks functionality is moved to a core plugin. Sites that make use of server side hooks must install this plugin during site init.
lfs.plugin the administrator can configure the name of the plugin which handles LFS requests.
To prevent potential security breaches as described in issue 3311, it is now only possible for a project to subscribe to a submodule if the submodule explicitly allows itself to be subscribed.
Please see the submodules user guide for details.
Note that when upgrading from an earlier version of Gerrit, permissions for any existing subscriptions will be automatically added during the database schema migration.
Metrics about Gerrit's internal state can be sent to external monitoring systems.
Plugins can provide implementations of the metrics interface to report metrics to different monitoring systems. The following plugins are available:
Plugins can also provide their own metrics.
See the metrics documentation for further details.
Server side hooks are moved to the hooks plugin. Sites that make use of server side hooks should install this plugin. After installing the plugin, no additional configuration is needed. The plugin uses the same configuration settings in
The secondary index now supports indexing of accounts.
The reindex program by default reindexes all changes and accounts. A new option allows to explicitly specify whether to reindex changes or accounts.
suggest.fullTextSearchRefresh configuration options are removed. Full text search is supported by default with the account secondary index.
New ssh command to reindex changes.
gerrit.canLoadInIFramein the site configuration.
Issue 106: Allow to select merge commit's parent for diff base in change screen.
Issue 3035: Allow to remove specific votes from a change, while leaving the reviewer on the change.
Issue 3487: Use ‘Ctrl-Alt-e’ instead of ‘e’ to open edit mode.
Add all syntax highlighting available in CodeMirror.
Improve search experience in diff screen.
Ctrl-F, Ctrl-G and Shift-Ctrl-G now bind to the search dialog box provided by CodeMirror's search add-on. Enter and Shift-Enter navigate among the search results from the CodeMirror search, just like they do in a normal browser search. Esc now clears the search result.
If the user sets
Slow in the diff preferences and the file is less than 4000 lines (huge), then Ctrl-F, Ctrl-G and Shift-Ctrl-G fall back to the browser search.
Issue 2968: Allow to go back to change list by keyboard shortcut from diff screens.
change.allowBlame, blame annotations can be shown in the side-by-side diff screen gutter.
Issue 989: New option to control email notifications.
Users can now choose between ‘Enabled’, ‘Disabled’ and ‘CC Me on Comments I Write’.
New option to control adding ‘Signed-off-by’ footer in commit message of new changes created online.
New option to control auto-indent width in inline editor.
Issue 890: New diff option to control whether to skip unchanged files when navigating to the previous or the next file.
In order to avoid potentially confusing behavior, when submitting changes in a batch, submit type rules may not be used to mix submit types on a single branch, and trying to submit such a batch will fail.
Rename ‘Suggest Account’ to ‘Query Account’ and add support for arbitrary account queries.
_more_accounts flag is set on the last result when there are more results than the limit. The
ALL_EMAILS options may be set to control whether the results should include details (full name, email, username, avatars) and all emails, respectively.
New endpoint: Get Watched Projects.
New endpoint: Set Watched Projects.
New endpoint: Delete Watched Projects.
New endpoint: Get Star Labels from Change.
New endpoint: Update Star Labels on Change.
New endpoint: Get OAuth Access Token.
New endpoint: List Contributor Agreements.
New endpoint: Sign Contributor Agreement.
-sas an alias for
--suggeston the Suggest Group endpoint.
async option to the Run GC endpoint to allow garbage collection to run asynchronously.
New endpoint: List Access Rights.
New endpoint: Add, Update and Delete Access Rights.
New endpoint: Create Tag.
New endpoint: Get Mergeable Information.
Plugins may now store secure settings in
etc/$PLUGIN.secure.config where they will be decoded by the Secure Store implementation.
Gson is now an exported dependency. Plugins no longer need to explicitly add a dependency on it.
New project option to reject implicit merge commits.
The ‘Reject Implicit Merges’ option can be enabled to prevent non-merge commits from implicitly bringing unwanted changes into a branch. This can happen for example when a commit is made based on one branch but is mistakenly pushed to another, for example based on
refs/heads/master but pushed to
New Add Patch Set capability to control who is allowed to upload a new patch set to an existing change.
Allow to specify who should be notified by email when uploading a change.
Issue 3220: Append approval info to every comment-added stream event and hook.
administrateServer capability can be assigned to groups by setting
capability.administrateServer in the site configuration.
Configuring this option can be a useful fail-safe to recover a server in the event an administrator removed all groups from the
administrateServer capability, or to ensure that specific groups always have administration capabilities.
New configuration options to configure JGit repository cache parameters.
-b as an alias of
--batch in the init program.
Don't add the same SSH key multiple times.
If an already existing SSH key was added, a duplicate entry was added to the list of user's SSH keys.
Respect the ‘Require a valid contributor agreement to upload’ setting when creating changes via the UI.
If a user had not signed a CLA, it was still possible for them to create a new change with the ‘Revert’ or ‘Cherry Pick’ button.
Make Lucene index more stable when being interrupted.
Don't show the
idle columns in the
show-connections output when the ssh backend is NIO2.
The NIO2 backend doesn't provide the start and idle times, and the values being displayed were just dummy values. Now these values are only displayed for the MINA backend.
Issue 6965: Fix ‘missing tree’ on repos where
git prune has been run.
Issue 4150: Deleting a draft inline comment no longer causes the change's
Updated field to be bumped.
Issue 4099: Fix SubmitWholeTopic does not update subscriptions.
Issue 3603: Fix editing a submodule via inline edit.
Issue 4069: Fix highlights in scrollbar overview ruler not moved when extending the displayed area.
Issue 3446: Respect the
Skip Deleted diff preference.
Issue 3445: Respect the
Skip Uncommented diff preference.
Issue 4051: Fix empty
From email header.
Issue 3423: Fix intraline diff for added spaces.
Issue 1867: Remove
no changes made error case when the only difference between a new commit and the previous patch set of the change is the committer.
Issue 3831: Prevent creating groups with the same name as a system group.
Issue 3754: Fix
View All Accounts permission to allow accounts REST endpoint to access email info.
gitweb.type default to
disabled when not explicitly set.
Previously the behavior was not documented and it would default to type
gitweb. In cases where there was no gitweb config at all, this would result in broken links due to
null being used as the URL.
Issue 4488: Improve error message when
Change-Id line is missing in commit message.
The error message now includes the sha1 of the commit, so that it is easier to track down which commit failed validation when multiple commits are pushed at the same time.
Don't check mergeability of draft changes.
Draft changes can be deleted but not abandoned so there is no way for an administrator to get rid of the them on behalf of the users. This can become a problem when there many draft changes because the mergeability check can be costly.
The mergeability check is no longer done for draft changes, but will be done when the draft change is published.
Fix internal server error when plugin-provided file history weblink is null.
It is valid for a plugin to provide a null weblink, but doing so resulted in an internal server error.
Add dependency on blame-cache 0.1-9
Add dependency on guava-retrying 2.0.0
Add dependency on jsr305 3.0.1
Add dependency on metrics-core 3.1.2
Upgrade auto-value to 1.3-rc1
Upgrade commons-net to 3.5
Upgrade CodeMirror to 5.17.0
Upgrade Guava to 19.0
Upgrade Gson to 2.7
Upgrade Guice to 4.1.0
Upgrade gwtjsonrpc to 1.9
Upgrade gwtorm to 1.15
Upgrade javassist to 3.20.0-GA
Upgrade Jetty to 9.2.14.v20151106
Upgrade JGit to 126.96.36.199609210915-r
Upgrade joda-convert to 1.8.1
Upgrade joda-time to 2.9.4
Upgrade Lucene to 5.5.0
Upgrade mina to 2.0.10
Upgrade sshd-core to 1.2.0
Upgrade jsch to 0.1.54 to fix CVE-2016-5725: Directory traversal vulnerability.
Versions of jsch prior to 0.1.54 have a directory traversal vulnerability on Windows. When the mode is
ChannelSftp.OVERWRITE, it allows remote SFTP servers to write to arbitrary files via a
..\ (dot dot backslash) in a response to a recursive
For other fixes in jsch since 0.1.53, please refer to the jsch change log.
Fix null pointer exception in event dispatcher when event contains a null account attribute.
The account attribute can be null for example in the
change-abandoned event generated for changes abandoned by Gerrit's auto cleanup.
Issue 7425: Add
sshd.waitTimeout configuration to set
In sshd a new channel property, channel-output-wait-for-space-timeout, was introduced with a default value of 30 seconds.
This was not being set, causing any clone operations lasting longer than 30 seconds to fail.
Administrators may now increase this value by setting
Issue 8279: Always check for
Change-Id in subject line during commit validation:
A commit with an empty commit message except for a
Change-Id line in the subject was only rejected if “Require Change-Id” was enabled.
Issue 8280: Fix validation of
Change-Id line when creating changes from the UI:
When a change was created via the UI (or via the REST API), the
Change-Id footer line was not validated. This resulted in it being possible to create a change with an invalid
Issue 8284: Fix unnecessary addition of
Change-Id to changes created from the UI:
When a change was created via the UI (or via the REST API), a
Change-Id line was added without first checking if one already existed.
Issue 8299: Fix insertion of
Signed-off-by line after existing footer lines in changes created from the UI.
When a change was created via the UI (or via the REST API) and the commit message included a
Change-Id line or any other footer line, the
Signed-off-by footer was appended to the end of the last footer instead of on a new line.
Fix parsing of permissions when expanding parameters.
Keep old timestamps during data migration.
In some cases the “created on” field was updated to the time of the migration when replacing the “Submitted” state with “New”.
Don't use account index to look up external IDs when authenticating with OAuth or OpenID.
The account index is not available on slaves, causing authentication with OAuth and OpenID to fail.
Replication plugin: Fix replication retries when
maxRetries is set to 0.
Issue 6176: Fix internal server error when old patch set is not found.
Issue 6605: Fix searching for change by Change-Id triplet when project name matches Change-Id pattern.
For projects whose name matched the Change-Id pattern, i.e. named something like
iabcde, it was not possible to search for changes using the Change-Id triplet
Issue 3345: Preserve line endings in inline editor.
When a file with Windows line endings was edited all the line ending characters were replaced by Unix style line endings.
Fix line wrapping in inline editor.
The line wrapping preference was respected for the diff screens, but not for the inline editor.
Fix cyclic dependency when using
The starting mode where
site_path is not specified (as a system property) and Gerrit first connects to the database using the ReviewDb JNDI property from the servlet container was broken since version 2.13 due to a cyclic dependency in Guice bindings.
Extend upload validation interface to allow listening to negotiation start.
This can be used to check rate limits for fetch requests. Rate limits should be checked before git transport negotation starts to avoid unnecessary work in case the limit is already reached.
Allow to set Jetty HTTPD socket timeout.
A new setting
httpd.idleTimeout makes the Jetty HTTPD socket timeout configurable so to tailor the socket and thread consumption to the needs of setups with different latencies and bandwidth.
Add metrics for reviewer suggestion.
reviewer_suggestion/query_groups record the latency of querying accounts and groups for reviewer suggestion.
Improvements in “reviewed” flags cache
Issue 5906: Fix performance regression.
Fix SQL statements used to clear “reviewed” flags.
The SQL statements were using
+ rather than
= which resulted in more entries than expected being deleted.
file_name column length.
Upgrade JGit to 188.8.131.52704071617-r.
This includes more fixes for handling of invalid packfiles. See JGit bug 514170 for details.
Issue 5817: Be more consistent about object ids used in ref operation validation.
ReceiveCommand passed to
RefOperationValidationListener did not always have the old and new objectd Ids set, which could result in crashes when dereferenced by plugins.
Fix potential server error when extracting footer lines from commits.
Fix merging a merge commit that refers to commits not submitted as changes.
Fix redundant notifications on change screen.
Allow project owner to use set-project ssh command.
REST API and UI allow project owner to change the project settings so inconsistency is fixed by allowing the same in the ssh command.
account indexed extension point.
Similar to the existing
change indexed extension point, this allows plugins to be notified when an account has been indexed.
Prevent circular module dependency when running in external container.
Since 2.13 it was not possible to run Gerrit in an external container due to circular dependency between the database module and the note DB migration module.
This is fixed, but the site path must be explicitly set in a system property:
Use submitter's identity for merge commit in Rebase if Necessary.
When a merge commit was not fast-forward, gerrit created a “merge of merge” commit with its server identity instead of the submitter's identity.
Issue 4637: Fix “Class not found” errors when running on IBM JDK.
The metrics module had a dependency on com.sun internal classes that are not available in the JRE from other providers such as IBM, resulting in ClassNotFound exceptions when initializing the CPU usage metric.
Issue 5689: Fix internal server error when directory in git root is inaccessible.
If a directory in the site's git root was not accessible, an internal server error prevented the list of projects from being populated.
Issue 5652: reviewnotes plugin: Fix export of review notes.
Issue 5190: Fix email notifications when adding new reviewers.
Issue 5055: Fix cache eviction order when linking new external IDs.
Issue 5727: Fix failure to start when JVM does not support CPU and file descripto metrics.
Allow to continue reindex despite failures.
If indexing a change failed for some reason, indexing would be stopped and remaining changes would not be indexed. Now an error message will be displayed and indexing will continue.
Allow user with “Maintain Server” permission to find all changes.
Allowing users delegated to maintain the server to find non-visible changes in the CLI allows them to perform ad-hoc indexing.
Fix deletion of the last file from config branch.
If the last file was deleted from the config branch, the file was not actually deleted and the original content was kept. For example this occurred when deleting all project watches when the
watch.config file was the only file on the branch.
Support at-sign (
@) in usernames.
Some federated identity systems, such as Shibboleth, use login names including the at-sign.
Enable systemd socket activation.
httpd.inheritChannel to true, the server can be socket activated by
Be more consistent about object ids used in ref operation validation.
In some cases the new and old Ids were not set, which could cause null pointer exceptions in ref operation validations listeners trying to dereference them.
Upgrade JGit to 184.108.40.206703201650-r.
Among other bug fixes, this version includes a fix for packfile list inconsistency in memory due to temporary lack of system resources during read, which caused transient “file not found” errors.
Allow Git LFS to authenticate via SSH.
LFS plugins can now provide an implementation of
git-lfs-authenticate which allows the Git LFS client to use the SSH protocol to either obtain the LFS endpoint URL or authorize the following LFS upload/download operation.
Allow Git LFS to authenticate via HTTP.
Git LFS requests include the authorization as HTTP Basic but this was ignored and the user was treated as anonymous.
Don't require Add Patch Set permission for submit by rebase.
When the submit strategy was Rebase If Necessary and a rebase was needed for the submit, the submit failed if the user didn't have the Add Patch Set permission. However for submitting a change the Submit permission alone should be sufficient.
The behavior is now consistent with the Cherry-Pick submit strategy which also doesn't require the Add Patch Set permission if a cherry-pick is done on submit.
Add a passwd program to set values in the
secure.config file when a secure store implementation is used.
Allow plugins to define their own prefix for metrics reporting.
plugin.name.metricsPrefix plugins can set the root name under which their metrics are reported.
Allow HTTP password when using LDAP and basic authentication.
It was not possible to use HTTP password to validate git over HTTP and REST API requests if LDAP was used along with HTTP basic authentication.
Allow callers to define notify handling when adding reviewers to a change by REST API.
Issue 4563: Only send one email when reviewers are added to a change in bulk.
Issue 5237: Don't truncate long lines in diff screens.
Issue 5298: Fix history token in Groups screen's “Members” tab.
Fix garbled text with Unicode display names obtained from HTTP headers.
Make error message for rejecting Egit placeholder Change-Id consistent.
Fix naming and prompt message for password entry in init steps.
Fix Gitweb review link generation.
Hooks plugin: emit metrics for hook execution latency, count, and errors.
Don't use fast-forward to update submodule subscription when superproject has a merge submit strategy.
Fix sorting of subscribed branches in submodule update.
Fix handling of submodule config entries.
Fix ordering of projects in submodule update.
Issue 5200: Ensure that indexes are closed properly on shutdown.
The indexes were not closed on shutdown, which caused data to be lost due to not being flushed to disk.
Enable the ‘Delete Edit’ button for merged changes.
If a merged change has an edit revision, it should still be possible to delete the edit.
Do not check visibility of parent project when creating a new project.
A project can be visible to a user but not necessarily its parent. To be consistent, a user with create-project permission should be able to create a project with a parent that exists even if the parent is not visible to the user.
Fix ‘Can’t insert change/patch set' error when prior patch set has no parent, but next patch set has 1 parent.
Issue 5179: Make startup timeout configurable.
container.startupTimeout it is possible to configure the maximum time to wait for the
gerrit.sh start command to run a new Gerrit daemon successfully.
Issue 4715: Add missing reviewers visibility check for suggestions from account index.
Fix Gitweb HTTP URL generation.
The generated Gitweb URL contained an invalid ‘p’ character, and did not require authentication for projects not visible to anonymous users.
Issue 5090: Fix overwriting of another user's account external Id.
Issue 4909: Fix broken Gitweb weblink for config history on project access page.
Issue 4908: Add back support for parent revision weblinks.
Support for weblinks for the parent revision(s) was removed in 2.13 but this functionality is still wanted by some users. Support is added back, by allowing plugins to provide a specific link for parent revisions. For the built-in Gitweb links, the link template provided by the
revision setting is used.
Add DB connection pool verification.
There was no verification of the connection pool, so a broken connection would result in an internal server error when trying to read a change from the database.
Add support for moving a change's destination branch with the SSH
Version 2.13 introduced the ‘move change’ REST endpoint, but support via ssh was omitted.
Add REST endpoint to reindex a single account.
The new endpoint is useful to manually reindex a single account that has become stale in the index.
Issue 4633: Filter out unrelated projects when getting project watches from index.
Issue 4848: Upgrade Postgresql JDBC driver to 9.4.1211.jre7.
Older versions of Postgresql JDBC driver rely on finalize() methods in order to avoid leaking unclosed database objects. Given finalize methods are unpredictable (no guarantee about prompt execution, if at all), in some high load environments this could lead to a memory leak with millions of JDBC objects pending finalization.
Issue 4841: Hooks plugin: Make sure
GIT_DIR environment variable is set in
Issue 4911: Fix internal server error when providing an invalid Change-Id to the index ssh command.
Issue 4643: Strip newlines out of ssh public keys.
If an ssh public key contained newlines, each line was migrated to the git backend as a separate key, each of which was considered invalid. Now, newlines are stripped out. Note that this fix is not effective for sites that have already been migrated to 2.13.x from an earlier version.
--format option on the list plugins REST API endpoint.
--format option from the REST API had the side effect of also removing it from the corresponding ssh command, which was a breaking change for some users.
Fix classpath collision with Servlet API for GWT plugins.
Hooks plugin: Always return the output from the
The output of the
ref-update hook is now sent back to the client.
Fix migration to schema version 127 on case-sensitive file systems.
Fix internal server error when using
has:draft search predicate.
Fix internal server error caused by plugin returning null for external included-in.
Fix internal server error in
set-members command when a group to be added is not visible to the caller.
Fix reindexing change by ssh command.
When reindexing a change by ssh, the change was loaded from the index rather than from the database.
Export prolog runtime in plugin API.
Allow to delete caches if not empty when initializing site during upgrade.
Caches may be stale during upgrade, so the init program now offers to delete them.
--delete-caches option is added to allow force delete of all caches.
Issue 4797: Fix internal server error in OAuth extension point when E-Mail is not set.
Issue 4784: Allow to edit user name for OAuth providers that don't expose user names.
Issue 4627: Fix internal server error in OAuth extension point when user name is not set.
Issue 4466: Fix deadlock during Lucene index shutdown.
Index account on account creation
This prevents creation of new accounts on every logout/login sequence.
Add support for Microsoft Internet Explorer 10 and 11, and Microsoft Edge.
Issue 4630: Fix server error when navigating up to change while ‘Working’ is displayed.
Issue 4631: Read project watches from database.
Project watches were being read from the git backend by default, but the migration to git is not yet completed.
Issue 4632: Fix server error when deleting multiple SSH keys from the Web UI.
Attempting to delete multiple keys in parallel resulted in a lock failure when removing the keys from the git backend.
Issue 4645: Fix malformed account suggestions.
If the query contained several query terms and one of the query terms was a substring of ‘strong’, the suggestion was malformed.
Hooks plugin: Fix incorrect value passed to
The URL was being generated using the change's Change-Id rather than the change number.
Replication plugin: Fix Guava ProvisionException when replicating from slave.
Check for CLA when creating project config changes from the web UI.
If contributor agreements were enabled and required for a project, and the user had not signed a CLA, it was still possible to upload changes for review on
refs/meta/config by making changes in the project access editor and pressing ‘Save for Review’.
Fix server errors in ‘Set Access’ and ‘Get Access’ REST enpoints.
Stability improvements in event dispatch mechanism.
Issue 4618: Fix internal server error after online reindexing completed.
Fix internal server error when cloning from slaves and not all refs are visible.
Fix JSON deserialization error causing stream event client to no longer receive events.