Release notes for Gerrit 2.0.19, 2.0.19.1, 2.0.19.2

The cookie used to identify a signed-in user has been changed. All users will be automatically signed-out during this upgrade, and will need to sign-in again after the upgrade is complete. Users who try to use a web session from before the upgrade may receive the obtuse error message "Invalid xsrfKey in request". Prior web clients are misinterpreting the error from the server. Users need to sign-out and sign-in again to pick up a new session. This change was necessary to close GERRIT-83, see below.

Administrators who wish to preserve user sessions across server restarts must set [http://gerrit.googlecode.com/svn/documentation/2.0/config-gerrit.html#cache.directory cache.directory] in gerrit.config. This allows Gerrit to flush the set of active sessions to disk during shutdown, and load them back during startup.

This upgrade adds a new required column to the changes table, something which cannot be done while users are creating records. Like .18, I strongly suggest a full shutdown, schema upgrade, then startup approach. Apply the database specific schema script:

Thanks to Ulrik Sjölin we now have gerrit create-project available over SSH, to construct a new repository and database record for a project. Documentation has also been updated to reflect that the command is now available.

The "Require Signed-off-by line" feature in a project is now more liberal. Gerrit now requires that the commit be signed off by either the author or the committer. This was relaxed because kernel developers often cherry-pick in patches signed off by the author and by Linus Torvalds, but not by the committer who did the backport cherry-pick.

Setting cache.name.diskLimit to 0 will disable the disk for that cache, even though cache.directory was set. This allows sites to set cache.diff.diskLimit to 0 to avoid caching the diff records on disk, but still allow caching web_sessions to disk, so that live sessions are maintained across server restarts. This is a change in behavior, the prior meaning of diskLimit = 0 was "unlimited", which is not very sane given how Ehcache manages the on disk cache files.

Timeouts for any cache.name.maxAge may now be specified in human readable units, such as "12 days" or "3 hours". The server will automatically convert them to minutes during parsing. If no unit is specified, minutes are assumed, to retain compatibility with prior releases.

Gerrit now has native LDAP support. Setting auth.type to HTTP_LDAP and then configuring the handful of ldap properties in gerrit.config will allow Gerrit to load group membership directly from the organization’s LDAP server. This replaces the need for the sync-groups script posted in the wiki. See: http://gerrit.googlecode.com/svn/documentation/2.0/config-gerrit.html#ldap If you use the sync-groups script from the wiki page, you would also need to delete the group members after upgrading, to remove unnecessary records in your database: {{{ DELETE FROM account_group_members WHERE group_id IN ( SELECT group_id FROM account_groups WHERE automatic_membership = Y); }}}

User information loaded from LDAP, such as full name or SSH username, cannot be modified by the end-user. This allows the Gerrit site administrator to require that users conform to the standard information published by the organization’s directory service. Updates in LDAP are automatically reflected in Gerrit the next time the user signs-in.

When using an HTTP SSO product, clicking on a Gerrit link received out-of-band (e.g. by email or IM) often required clicking the link twice. On the first click Gerrit redirect you to the organization’s single-sign-on authentication system, which upon success redirected to your dashboard. The actual target of the link was often lost, so a second click was required. With .19 and later, if the administrator changes the frontend web server to perform authentication only for the /login/ subdirectory of Gerrit, this can be avoided. For example with Apache:

Schema upgrades for PostgreSQL now validate that the current schema version matches the expected schema version at the start of the upgrade script. If the schema does not match, the script aborts, although it will spew many errors.

Uploading commits to a project now requires that the new commits share a common ancestry with the existing commits of that project. This catches and prevents problems caused by a user making a typo in the project name, and inadvertently selecting the wrong project.

Gerrit now looks for Change-Id: I…. in the footer area of a commit message and uses this to identify a change record within the project. If the listed Change-Id has not been seen before, a new change record is created. If the Change-Id is already known, Gerrit updates the change with the new commit. This simplifies updating multiple changes at once, such as might happen when rebasing an entire series of commits that are still being reviewed. A commit-msg hook can be installed to automatically generate these Change-Id lines during initial commit: {{{ scp -P 29418 review.example.com:hooks/commit-msg .git/hooks/ }}} Using this hook ensures that the Change-Id is predicatable once the commit is uploaded for review. For more details, please see the docs: http://gerrit.googlecode.com/svn/documentation/2.0/user-changeid.html

We found yet another bug with the side-by-side view failing under certain conditions. I think this is the last bug.

Images weren’t displaying correctly, even though mimetype.image/png.safe was true in gerrit.config. Turned out to be a problem with the parameter decoding of the /cat/ servlet, as well as the link being generated wrong.

In Gerrit 2.0.18 JGit had a bug where the repository wasn’t being reused in memory. This meant that we were constantly reloading the repository data in from disk, so the server was always maxed out at core.packedGitLimit and core.packedGitOpenFiles, as no data was being reused from the cache. Fixed in this release.

Timeouts were not always shown correctly, sometimes 12 hours was showing up as 2.5 days, which is completely wrong. Fixed.

The "Reply" button didn’t work if the comment was on the last line of the file, the browser caught an array index out of bounds exception as we walked off the end of the table looking for where to insert the new editor box.

The sign-out link now does more than delete the cookie from the user’s browser, it also removes the token from the server side. By removing it from the server, we prevent replay attacks where an attacker has observed the user’s cookie and then later tries to issue their own requests with the user’s cookie. Note that this sort of attack is difficult if SSL is used, as the attacker would have a much more difficult time of sniffing the user’s cookie while it was still live.

Changing the SSH username on the web immediately affected the SSH daemon, but the web still showed the old username. This was due to the change operation not flushing the cache that the web code was displaying from. Fixed.

It was possible for users to upload replacement commits to the wrong project, e.g. uploading a replacement commit to project B while picking a change number from project A. Fixed.

Closing changes by pushing their commits directly into the branch didn’t always work as expected, due to some data not being initialized correctly.

scp command on the server side threw exceptions when a client aborted the data transfer. We typically don’t care to log such cases.

Users were not a member of "Registered Users", this was a rather serious bug in the code as it meant many users lost their access rights.

Above I mentioned we should handle this error as "Not Signed In", only the pattern match wasn’t quite right. Fixed.

HTTP_LDAP broke using local usernames to match an account. Fixed.

Line wrapping group names like "All Users" when the description column has a very long name in it is ugly.

If a user cannot access a change, let the owner know when they try to add the user as a reviewer, or CC them on it.

The commit-msg hook didn’t allow users to abort accidental git commit invocations, as it still modified the file, making git commit think that the end-user wanted to make a commit. Anyone who has a copy of the hook should upgrade to the new hook, if possible.

As reported on repo-discuss, recursive search is sometimes necessary, and is now the default.

I decided to remove this URL, its a pain to support and not discoverable. Its unlikely anyone is really using it, but if they are, they could try using "#q,owner:email,n,z" instead.