Release notes for Gerrit 2.6

The REST API is NOT complete yet and some functionality is still missing.

To find out which functionality is available, check the REST endpoint documentation for projects, changes, groups and accounts.

Allow generating Audit events related to REST API execution. The structure of the AuditEvent has been extended to support the new name-multivalue pairs used in the REST API.

This is breaking compatibility with the 2.5 API as it changes the params data type, this is needed anyway as the previous list of Objects was not providing all the necessary information of "what relates to what" in terms of parameters info.

Existing support for SSH and JSON-RPC events have been adapted in order to fit into the new name-multivalue syntax: this allow a generic audit plug-in to capture all parameters regardless of where they have been generated.

Querying changes via REST is now always producing JSON output.

The /changes/ entities now use id to include a triplet of the project, branch and change-id string to uniquely identify that change on the server. This moves the old id field to be named change_id, which is a breaking change.

Some clients may send JSON-ish instead of JSON. Be nice to those clients and accept various useful forms of incorrect syntax:

If the response begins with the JSON magic string, remove it before parsing. If a response is missing this leading string, parse the response as-is.

Simple cases like /review or /abandon can now accept standard form values for basic properties, making it simple for tools to directly post data:

Form field names are JSON field names in the top level object. If dot appears in the name the part to the left is taken as the JSON field name and the part to the right as the key for a Map. This nicely fits with the labels structure used by /review, but doesn’t support the much more complex inline comment case. Clients that need to use more complex fields must use JSON formatting for the request body.

Expand /accounts/{id}/capabilities to permit an administrator to inspect another user’s effective capabilities.

This is recommended to hint to clients what the entity type is when processing the JSON payload.

The output produced when the client requested the h or help property from a JSON API is always produced from constant compiled into the server. Assume this safe to return to the client as text/plain content and avoid wrapping it into an HTML escaped JSON string.

Instead of wrapping the value into an object, just return the string by itself. This better matches what happens with the plain text return format.

If the HTML appears like MSIE might guess it is HTML (such as if it contains <) encode the response as a JSON object instead of as a simple plain text string. This won’t show up very often for clients, and protects MSIE users stuck on ancient versions (pre MSIE 8).

Newer versions of MSIE can disable the content sniffing feature if the server asks it to by setting an extension header. It is annoying, but necessary, that a server needs to say "No really, I am telling you the right Content-Type, trust it."

This feature was added in MSIE 8 Beta 2 so it doesn’t protect users running MSIE 6 or 7, but those are ancient and users should upgrade.

Enable this on the REST API responses because we sometimes send back text/plain results that are really just plain text. Existing JSON responses are protected from accidental sniffing and treatment as HTML thanks to Gson encoding HTML control characters using Unicode character escapes within JSON strings.

Custom dashboards can now be stored in the projects refs/meta/dashboards/* branches.

The project dashboards are shown in a new project screen and can be accessed via REST.

In dashboards queries the ${project} token can be used as placeholder for the project name. This token will be replaced with the project to which a dashboard is being applied.

The foreach parameter which will get appended to all the queries in the dashboard.

It was impossible to block a permission for a group and allow the same permission for a sub-group of that group as the BLOCK permission always won over any ALLOW permission. For example, it was impossible to block the "Forge Committer" permission for all users and then allow it only for a couple of privileged users.

An ALLOW permission has now priority over a BLOCK permission when they are defined in the same access section of a project. To achieve the above mentioned policy the following could be defined:

Across projects the BLOCK permission still wins over any ALLOW permission. This way one cannot override an inherited BLOCK permission in a subproject.

Overruling of BLOCK permissions with ALLOW permissions also works for labels i.e. permission ranges. If a dedicated Verifiers group need to be the only group who can vote in the Verified label and it must be ensured that even project owners cannot change this policy, then the following can be defined in a common parent project:

Users can now propose changes to the global capabilities for review from the WebUI.

Previously site administrators had this capability by default. Now it has to be explicitly assigned, even for site administrators.

Make Gerrit more like a Git server out-of-the box by granting both Administrators and Project Owners permissions to review changes, submit them, create branches, create tags, and push directly to branches.

The refs/meta/config branch of the All-Projects project should only be modified by Gerrit administrators because being able to do modifications on this branch means that the user could assign himself administrator permissions.

In addition to being administrator Gerrit requires that the administrator has the Push access right for refs/meta/config in order to be able to modify it (just as with all other branches administrators do not have edit permissions by default).

The problem was that assigning the Push access right for refs/meta/config on the All-Projects project was not allowed.

Having the Push access right for refs/meta/config on the All-Projects project without being administrator has no effect.

Git doesn’t want to modify the network protocol to support passing data from the git push client to the server. Work around this by embedding option data into a new style of reference specification:

is now parsed by the server as:

If % is used the extra information after the branch name is parsed as options with args4j. Each option is delimited by ,.

Selecting publish vs. draft should be done with the options draft or publish, appearing anywhere in the refspec after the % marker:

Most teams seem to expect Gerrit to manage simple merges within a source code file. Enable this out-of-the-box.

All GC runs are logged in a GC log file.

If gerrit is called without arguments, it will now show a list of available commands with their descriptions.

rule is now a subcommand of the test-submit command.

This makes it a little easier to query for group names that contain a space over SSH:

An HTTP plugin may want more control over its URL space, but still delegate to the plugin servlet’s magic handling for static files and documentation. Add JAR attributes to configure these prefixes.

Similarly like the submit_rule there is now a submit_type predicate which returns the allowed submit type for a change. When the submit_type predicate is not provided in the rules.pl then the project default submit type is used for all changes of that project.

Filtering the results of the submit_type is also supported in the same way like filtering the results of the submit_rule. Using a submit_type_filter predicate one can enforce a particular submit type from a parent project.

A new method gerrit:commit_stats(-Files,-Insertions, -Deletions) was added.

This may help automated systems to be less noisy. Tools can now choose which review updates should send email, and which categories of users on a change should get that email.

Most project teams seem confused with the out-of-the-box experience needing to vote on both Code-Review and Verified categories in order to submit a change. Simplify the out-of-the-box workflow to only have Code-Review. When a team installs the Hudson/Jenkins integration or their own build system they can now trivially add the Verified category by pasting 5 lines into project.config.

An infrastructure for testing the Gerrit daemon via REST and/or SSH protocols has been added. Gerrit daemon is run in the headless mode and in the same JVM where the tests run. Besides using REST/SSH, the tests can also access Gerrit server internals to prepare the test environment and to perform assertions.

A new review site is created for each test and the Gerrit daemon is started on that site. When the test has finished the Gerrit daemon is shutdown.

Exit with error if the asciidoc executable is not available or has version lower than 8.6.3.

The release script is aborted if asciidoc is missing.

The documentation will always be generated unless -Dgerrit.documentation.skip is given on the command line.

The acceptance profile is no longer used. Acceptance tests will always be run unless -Dgerrit.acceptance-tests.skip=True is given on the command line.

On running the garbage collection JGit creates bitmap data that is saved to an auxiliary file. The bitmap optimizations improve the clone and fetch performance. git-core will ignore the bitmap data.

Do not check the visibility of the change for each suggested account if the ref is visible by all registered users.

On a system with about 2-3000 users, where most of the projects are visible by every registered user, this improves the performance of the suggesting reviewer by a factor of 1000 at least.

For Git repositories with many changes the time for calculating visible refs is reduced by 30-50%.

Some sites manage to run their repositories in a way that prevents users from ever being able to create refs/for, refs/drafts or refs/publish names in a repository. Allow admins on those servers to disable this (somewhat) expensive check before every upload.

Some admins may just want to require all updates to projects to be made through the web interface, and avoid the small expense of a background thread ticking off changes.

If this value is not configured by the server administrator performance on larger text files suffers considerably and Gerrit may grind to a halt and be unable to answer users.

Default to either 25% of the available JVM heap or ~2048m.

Avoid adding refs/changes/ and refs/tags/ to RevWalk’s as uninteresting since JGit RevWalk doesn’t perform well when a large number of objects is marked as uninteresting.

PatchSet.isRef() is used extensively when preparing for a ref advertisement and the regular expression used by isRefs() was notably costly in these circumstances, especially since it could not be pre-compiled.

The regular expression is removed and the check is now directly implemented. As result the performance of git ls-remote could be increased by up to 15%.

If set to true, Gerrit will validate that all referenced objects that are not included in the received pack are reachable by the user.

Carrying out this check on Git repositories with many refs and commits can be a very CPU-heavy operation. For non public Gerrit servers it may make sense to disable this check, which is now possible.

This joins up 3 requests into a single call, which should speed up initial page load for most users.

During Ref Advertisements (via VisibleRefFilter), all changes need to be fetched from the database to allow Gerrit to figure out which change refs are visible and should be advertised to the user. To reduce database traffic a cache for changes was introduced. This cache is disabled by default since it can mess up multi-server setups.

Add a new Gerrit configuration parameter that controls whether newly created groups should be by default visible to all registered users.

Added the ability to only allow email addresses under specific domains to be used for OpenID login.

The allowed domains can be configured by setting auth.openIdDomain in the Gerrit configuration.

Gerrit has been requiring this field for several versions now, but init did not configure it. Ensure there is a value set so the server is not confused at runtime.

While submodule subscriptions can be fetched by branch, some plugins (e.g.: delete-project) would rather need to access all submodule subscriptions of a project (regardless of the branch). Instead of iterating over all branches of a project, and fetching the subscription for each branch separately, we allow fetching of subscriptions directly by projects.

Authentication with CLIENT_SSL_CERT_LDAP didn’t work if the certificate contained email address.

If Gerrit connects to an AD LDS [1] server it will guess its type as RCF_2307 instead of ActiveDirectory. The reason is that an AD LDS doesn’t support the "1.2.840.113556.1.4.800" capability. However, AD LDS behaves like ActiveDirectory and Gerrit also needs to guess its type as ActiveDirectory to make the default query patterns work properly.

Extend the LDAP server type guessing by checking for presence of the "1.2.840.113556.1.4.1851" capability which indicates that this LDAP server runs ActiveDirectory as AD LDS [2].

Also remove the check for the presence of the "defaultNamingContext" attribute as we don’t use it anywhere and, by default, this attribute is not set on an AD LDS [3]

[1] http://msdn.microsoft.com/en-us/library/aa705886(VS.85).aspx
[2] http://msdn.microsoft.com/en-us/library/cc223364.aspx
[3] http://technet.microsoft.com/en-us/library/cc816929(v=ws.10).aspx

Some backends have external management interfaces that are not embedded into Gerrit Code Review. Allow those backends to supply a URL to the web management interface for a group, so a user can manage their membership, view current members, or do whatever other features the group system might support.

Some backends also have an email address associated with every group. Sending email to that address will distribute the message to the group’s members. Permit backends to supply an optional email address, and use this in the project level notification system if a group is selected as the target for a message.

Expose all cheaply known group UUIDs from the ProjectCache, enumerating groups used by access controls. This allows a backend that has a large number of groups to filter its getKnownGroups() output to only groups that may be relevant for this Gerrit server.

The best use case to consider is an LDAP server at a large organization. A typical user may belong to 50 LDAP groups, but only 3 are relevant to this Gerrit server. Taking the intersection of the two groups limits the output Gerrit displays to users, or uses when considering same group visibility.

?, %, *, :, <, >, |, $, \r are now forbidden in project names.

Add --headless option to the Daemon which will start Gerrit daemon without the Web UI front end (headless mode).

This may be useful for running Gerrit server with an alternative (rest based) UI or when starting Gerrit server for the purpose of automated REST/SSH based testing.

Currently this option is only supported via the --headless option of the daemon program. We would need to introduce a config option in order to support this feature for deployed war mode.

Fixes some issues with IE9 and IE10.

This error message was incorrectly displayed if a permission without rules was added, although the save was actually successful.

This error message was incorrectly displayed if multiple sections for the same ref were added, although the save was actually successful.

The Gerrit server may enforce several restrictions on the commit message (change-id required, signed-off-by, etc). A user was able to get around these restrictions by reverting a commit using the UI.

Following the navigation link in the dependencies table on the change screen, the user can directly navigate to dependent changes. The value for Old Version History of the current change was incorrectly applied to the new change. If the value was invalid for the new change the Old Version History field became blank.

The ListBox was not always cleared and as result the same entries were sometimes added multiple times e.g. after rebasing a change in the WebUI.

When two patches were compared that were identical No Differences is displayed to the user. In this case the patch headers disappeared and as result the user couldn’t change the patch selection anymore.

In some cases displaying the intraline diff failed with an exception like this:

This happened when the old line was:

and the new line was:

Strip off the leading and trailing spaces from the Full Name that the user enters on the Contact Information form.

If in the top level menu All is selected and the user navigates to a change and then from the change to the project by clicking on the project link in the ChangeInfoBlock, the project screen is loaded but the Projects menu was not selected.

If there are no HTML tags in the text, just break on lines.

In the change screen, after clicking on an element of the Add Reviewer suggestion list, users expect to be able to add the reviewer by hitting enter. This did not work in Firefox.

The enter key detection was not working in all browsers (e.g. Firefox).

If we load a page without a query string, such as Projects→List, My→Changes, or Settings, it might be confusing to show the old query string from the previous page. The query string is now cleared out when switching pages, leaving the help text visible.

The provided suggestions should highlight the part that the user has already typed as bold text. This only worked for the first operator. For suggestions of any further operator no highlighting was done.

The hint text should be a light gray on the white background, but was coming up black on initial page load due to a style setup ordering issue between the SearchPanel and the HintTextBox.

These links shouldn’t have an anchor location. There is nothing for the browser to remember or visit if it were opened in a new tab for example.

If a change cannot be merged due to unsatisfiable dependencies a comment is added to the change that lists the missing commits and says that a rebase is necessary.

For each missing commit the comment said "Depends on patch set X of …, however the current patch set is Y."

If multiple commits are missing it may be that for some commits the dependency is not outdated (X == Y). In this case the message was confusing.

", however the current patch set is Y." is now skipped if Y == X.

URL-unescape the path portion of a change history token to correctly handle paths with URL-escapable characters, i.e. +, ' ', etc.

The /accounts/self/capabilities/ didn’t return the Email Reviewers capability when it was not explicitly assigned, although by default everyone has the Email Reviewers capability.

If Email Reviewers capability was allowed or denied, /accounts/self/capabilities/ returned the Email Reviewers capability always as true, which was wrong for the DENY case.

If the project requires fast-forwards, the merge cannot succeed once a lock failure occurs, but in other cases, it is safe to retry the merge immediately.

Gerrit already avoids adding reviewers from footer lines when a new draft change is created. Now the same is done for draft patch sets.

If there is a magic branch visible during push, just hide it from the client. Administrators can clear these by accessing the repository directly.

Everything under refs/changes/ should be protected by Gerrit, users shouldn’t be able to delete a particular patch set or a whole change from the review process.

When writing the description to project.config, it is also necessary to write it to the description file in the repository so the same text is visible in CGit or GitWeb.

When the All-Projects project is created during the schema initialization, HEAD is set to point to the refs/meta/config branch. When HEAD is updated an entry into the reflog is written. This ref log entry should contain the ID of the initial commit as target, but instead the target was the zero ID.

On the second push of the same commit to refs/for/<branch name>, Gerrit returns no new changes.

However if the user pushed to refs/changes/<change id>, Gerrit returned internal server error.

Route not just /p/ but any Git access to the same thread pool as the SSH server is using, allowing all requests to compete fairly for resources.

When a commit was directly pushed into a repository (bypassing code review) and this commit had a Change-Id in its commit message then the corresponding change was not automatically closed if it was open.

If a submitted change failed to merge because the destination branch didn’t exist anymore, it stayed in state Submitted, Merge Pending. This meant Gerrit was re-attempting to merge this change (e.g. on startup), but this didn’t make sense. Either the branch did still not exist (then there was no need to try merging it) or a new branch with the old name was created (then it was questionable if the change should still be merged into this branch). This is why it’s better to set the change back to the Review in Progress state and update it with a message saying that it couldn’t be merged because the destination branch doesn’t exist anymore.

In addition Gerrit was writing an error into the error log if a change couldn’t be merged because the destination branch was missing. That was not really a server error and is not logged anymore.

Creating a new Gerrit project was firing the GitReferenceUpdated event for the refs/meta/config branch two times.

When the creation of one or more references failed ReceiveCommits failed with internal server error and wrote the following error log: "Only X of Y new change refs created in xxx; aborting" The printed value for Y could be wrong since it didn’t include the replaceCount. As a result, a confusing message like "Only 0 of 0 new change refs created in xxx; aborting" could appear in the error log.

For direct child projects of the All-Projects project the name of the parent project was incorrectly retrieved if the parent name was not explicitly stored as All-Projects in the project.config file.

If the author of a change isn’t known to Gerrit (pushed with Forge Author permissions), trying to abandon that change over SSH failed with an NPE.

In a background thread Gerrit periodically scans for new or changed plugins. On every such a rescan disabled plugins were loaded and a new copy of their jar files was stored in the review site’s tmp folder.

Loaded plugin jars are copied to the review site’s tmp folder to support hot updates of the plugin jars in the plugins folder. On Gerrit shutdown these copies of the jar files should be cleaned up. For this purpose a CleanupHandle is created, but the CleanupHandle wasn’t enqueued in the cleanupQueue which is why cleanup on Gerrit shutdown didn’t happen.

Loaded plugin jars are copied to the review site’s tmp folder to support hot updates of the plugin jars in the plugins folder. On Gerrit shutdown these copies of the jar files should be cleaned up. For this purpose a CleanupHandle is created. The deletion of the tmp file in the CleanupHandle can fail although the jar file was closed. In this case reattempt the deletion on termination of the virtual machine. This normally succeeds.

When two plugins, say pluginA, and pluginB had been loaded, and pluginA was removed from $sitePath/plugins, pluginA got stopped, and a cleaning run was ordered. But this cleaning run cleaned both plugins and both plugins had their jars removed. This left pluginB visible to Gerrit although it’s backing jar was gone. Upon calling not yet initialized parts of pluginB (e.g.: viewing not yet viewed Documentation pages of pluginB), exceptions as following were thrown:

ServerInformation class was already bound, therefore it shouldn’t be bound a second time for Gerrit extensions.

onModuleLoad() method is automatically called by GWT framework. Calling it once again in PluginGenerator caused double plugin initialization.

Listing plugins requires being an administrator. This was missed in the REST API.

If a user is watching All Comments on All-Projects this should apply to all projects.

This spammed the log when using OpenID, for each and every login.

This function does not work on binary logging enabled servers, as MySQL is unable to execute the function on slaves without causing possible corruption. Drop the function since it was only created to help administrators, and is unsafe.

Relative submodules do not start with /. Instead they start with ../. Fix the Submodule Subscriptions engine to recognize relative submodules.

If the project absolute path had any whitespace, the commit hook failed to complete because a script variable was not enclosed in double quotes.

It’s possible that the submitter is null. Add a check for this before invoking the change-merged hook with it.

GitWeb Caching was not working when its cgi file was executed from outside. The same approach will also work with vanilla GitWeb.

When asking for the known groups a user belongs to they may belong to an internal group by way of membership in a non-internal group, such as LDAP. Cache in memory the complete list of any non-internal group UUIDs used as members of an internal group. These must get checked for membership before completing the known group data from the internal backend.

Setting maxAge to a small value can result in the browser endlessly redirecting trying to setup a new valid session. Warn administrators that the value is set smaller than 5 minutes.

DefaultCacheFactory already uses SECONDS as default time unit for cache.*.maxAge.

Update the described default time unit for cache.*.maxAge in the documentation.

Administrators may need to update their configuration to for the new default time unit.

This is not a GIF, it is an "MS Windows icon resource". Some browsers may skip the image if the type is wrong.

IE looks for a two-word "shortcut icon" relationship. Other browsers interpret this as two relationships, one of which is "icon", so they can handle this syntax as well.

See:

It is wrong to include the servlet API in a WAR’s WEB-INF/lib directory. This confuses some servlet containers who refuse to load the Gerrit WAR. Instead package the Jetty runtime and the servlet API in a new WEB-INF/pgm-lib directory.

If the user alters their identity in the container invalidate the Gerrit user session and force a new one to begin.

Servers that run with auth.type = HTTP or HTTP_LDAP are unable to use the web UI because the Authorization code supplied by the UI overrides the browser’s native Authorization header and causes the request to be blocked at the HTTP reverse proxy, before Gerrit even sees the request.

Instead insert a unique token into X-Gerrit-Auth, leaving the HTTP standard Authorization header unspecified and available for use in HTTP reverse proxies.

Add examples for GET requests to the REST API documentation on which the user can click to fire the requests. This allows users to immediately try out the requests and play around with them.

This document no longer deals exclusively with custom dashboards, it now describes project level dashboards also.

It is better to first define the JNDI data source in the application server and then deploy Gerrit than opposite. This should avoid errors like "No DataSource" on the first deployment.