Security Fix
------------
* Some access control sections may be ignored
Gerrit sometimes ignored an access control section in a project if the
exact same section name appeared in All-Projects. The bug required an
unrelated project to have access.inheritFrom set to All-Projects and
be accessed before the project that has the same section name as
All-Projects. This is an unlikely scenario for most servers, as Gerrit
does not normally set inheritFrom equal to All-Projects. The usual
behavior is to not supply this property in project.config, and permit
the implicit inheritance to take place.
Affected Versions
-----------------
This bug first appeared in 2.2, and impacts all releases since.
Work Around
-----------
Administrators that can't immediately upgrade to a patched release
should disable cache permission_sort in gerrit.config:
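Added example, not part of the announcement and not the gerrit.config setting it refers to: a Python check of whether a set of project.config files meets the conditions described above, namely that some project explicitly sets access.inheritFrom to All-Projects and another project reuses an access section name from All-Projects. The project and group names are made up, the sample configs are constructed, and reading "unrelated" as "any other project" is an assumption.

```python
import re

# Matches git-config section headers such as [access] or [access "refs/heads/*"].
SECTION_RE = re.compile(r'^\[\s*([A-Za-z0-9.-]+)(?:\s+"([^"]*)")?\s*\]')

def parse_project_config(text):
    """Return (access.inheritFrom value or None, set of access section names)."""
    inherit_from, sections, current = None, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1).lower(), m.group(2))
            if current[0] == "access" and current[1] is not None:
                sections.add(current[1])
        elif current == ("access", None) and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "inheritfrom":
                inherit_from = value
    return inherit_from, sections

def audit(configs, root="All-Projects"):
    """configs maps project name -> project.config text (must include root)."""
    parsed = {name: parse_project_config(text) for name, text in configs.items()}
    root_sections = parsed[root][1]
    # Projects that spell out the inheritance instead of leaving it implicit.
    explicit = sorted(n for n, (inh, _) in parsed.items() if n != root and inh == root)
    # Projects whose access section names also appear in the root project.
    shared = {n: sorted(secs & root_sections)
              for n, (_, secs) in parsed.items() if n != root and secs & root_sections}
    # Assumption: "unrelated" is read as "any other project".
    met = any(e != s for e in explicit for s in shared)
    return {"explicit_inherit": explicit, "shared_sections": shared,
            "preconditions_met": met}

# Constructed sample data; project and group names are made up.
SAMPLE = {
    "All-Projects": '[access "refs/heads/*"]\n  read = group Registered Users\n',
    "tools/build": '[access]\n  inheritFrom = All-Projects\n'
                   '[access "refs/tags/*"]\n  pushTag = group Release Managers\n',
    "secret/product": '[access "refs/heads/*"]\n  read = group Product Team\n',
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Projects listed under `shared_sections` are the ones whose access sections are worth re-checking after upgrading.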
I am Jialin from Marvell, working on android development. I want to know if there is any interface in gerrit to update DB.
The story is we have built up an auto-build system for Android. As you know, a developer’s environment is usually not clean, so we need to ensure the patch can be built successfully in a clean environment before merge. We want to create the process below.
1. Create account “build_robot” in gerrit
2. User submit patch to gerrit
3. User trigger auto-build with gerrit patch info (like change id, …)
4. Auto build system fetch patch from gerrit, apply patch, and build
5. Auto build system add review comment by using account “build_robot”, then all the human reviewers can see the auto-build result.
Based on our investigation, we found we can write db table PATCH_SET_APPROVALS & CHANGE_MESSAGES by using cmd below:
On Thu, Aug 9, 2012 at 11:59 AM, huodian007 <jialin.chen1...@gmail.com> wrote:
> Hi Shawn,
> I am Jialin from Marvell, working on android development. I want to know if
> there is any interface in gerrit to update DB.
> The story is we have built up an auto-build system for android, and as you
> know, developer’s environment is usually not clean, we need to ensure the
> patch can be built successfully in a clean environment before merge, We want
> to create process below.
> 1. Create account “build_robot” in gerrit
> 2. User submit patch to gerrit
> 3. User trigger auto-build with gerrit patch info (like change id, …)
> 4. Auto build system fetch patch from gerrit, apply patch, and build
> 5. Auto build system add review comment by using account
> “build_robot”, then all the human reviewers can see the auto-build result.
> Based on our investigation, we found we can write db table
> PATCH_SET_APPROVALS & CHANGE_MESSAGES by using cmd below:
On Thursday, August 9, 2012 5:59:34 AM UTC-4, huodian007 wrote:
> Hi Shawn,
> I am Jialin from Marvell, working on android development. I
> want to know if there is any interface in gerrit to update DB.
>
> The story is we have built up an auto-build system for
> android, and as you know, developer’s environment is usually not clean, we need
> to ensure the patch can be built successfully in a clean environment before
> merge, We want to create process below.
> 1. Create account “build_robot” in gerrit
> 2. User submit patch to gerrit
> 3. User trigger auto-build with gerrit patch info (like change id, …)
> 4. Auto build system fetch patch from gerrit, apply patch, and build
> 5. Auto build system add review comment by using account “build_robot”, then all the
> human reviewers can see the auto-build result.
>
> Based on our investigation, we found we can write db table
> PATCH_SET_APPROVALS & CHANGE_MESSAGES by using cmd below:
Why doesn't my first Gerrit account have admin privilege?
Then I manually added the first user to account_group_members; the first user is in the administrator group now, but still can't create a new group, new project, etc.
Does anyone know this issue?
I'm using postgresql8.4 + gerrit 2.4.2 + LDAP
On Wednesday, August 15, 2012 5:11:29 AM UTC-7, Zhihai Wang wrote:
> Why doesn't my first Gerrit account have admin privilege?
> Then I manually added the first user to account_group_members; the first
> user is in the administrator group now, but still can't create a new group, new
> project, etc.
> Does anyone know this issue?
> I'm using postgresql8.4 + gerrit 2.4.2 + LDAP
> On Monday, June 25, 2012 at 11:49:34 PM UTC+8, Shawn Pearce wrote:
>> Gerrit 2.2.2.2, 2.3.1, and 2.4.2 are now available:
>> Security Fix
>> ------------
>> * Some access control sections may be ignored
>> Gerrit sometimes ignored an access control section in a project if the
>> exact same section name appeared in All-Projects. The bug required an
>> unrelated project to have access.inheritFrom set to All-Projects and
>> be accessed before the project that has the same section name as
>> All-Projects. This is an unlikely scenario for most servers, as Gerrit
>> does not normally set inheritFrom equal to All-Projects. The usual
>> behavior is to not supply this property in project.config, and permit
>> the implicit inheritance to take place.
>> Affected Versions
>> -----------------
>> This bug first appeared in 2.2, and impacts all releases since.
>> Work Around
>> -----------
>> Administrators that can't immediately upgrade to a patched release
>> should disable cache permission_sort in gerrit.config: