[ANNOUNCE] Gerrit 3.5.3 w/ Security Fixes


Luca Milanesio

Oct 6, 2022, 4:41:40 PM
to Repo and Gerrit Discussion, Luca Milanesio
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Gerrit version 3.5.3 is now available.

This release includes a security fix where a user was able
to create a new branch out of a revision not visible to him.
See the release notes for more details.

Release Notes:
https://www.gerritcodereview.com/3.5.html#353

Documentation:
http://gerrit-documentation.storage.googleapis.com/Documentation/3.5.3/index.html

Log of changes since 3.5.2:
https://gerrit.googlesource.com/gerrit/+log/v3.5.2..v3.5.3?no-merges

Download:
https://gerrit-releases.storage.googleapis.com/gerrit-3.5.3.war

SHA1:
70d87bebb6d490afa67eb446091ba1d3f5d528f6

SHA256:
9246ae2413f50c1ecc9869793eaefa587d9b1ecf2d4bf689a194b4931ed9d9ad

MD5:
b3c8985c83fbe5ac63637226815fb365

Maintainers' public keys:
https://www.gerritcodereview.com/releases/public-keys.md

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

Luca Milanesio

Oct 6, 2022, 4:44:57 PM
to Repo and Gerrit Discussion, Luca Milanesio
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Binary packages (Deb / Rpm) of Gerrit version 3.5.3 are now available
=====================================================================

How to install/upgrade: 3.5.3
*****************************

If you have a previous version of Gerrit 3.x installed via native packages:

(on Debian / Ubuntu)
apt-get update && apt-get install gerrit=3.5.3-1

(on AlmaLinux / RedHat)
yum clean all && yum install gerrit-3.5.3-1

(on Fedora)
dnf clean all && dnf install gerrit-3.5.3-1

If it is a new installation and you don't have the GerritForge repositories
configured, please follow the instructions at:
http://gitenterprise.me/2015/02/27/gerrit-2-10-rpm-and-debian-packages-available/

Docker images
*************

Gerrit is distributed on DockerHub at:
https://hub.docker.com/r/gerritcodereview/gerrit/

The following tags have been published
3.5.3 => 3.5.3-almalinux8
3.5.3-almalinux8
3.5.3-ubuntu20

More information on how to use Gerrit Docker image for testing, staging, and production at:
https://gerrit.googlesource.com/docker-gerrit

MacOS native package
********************

MacOS Gerrit native installer is available for download at:

https://gerritforge.com/gerrit/mac/gerrit-installer-3.5.3.pkg

SHA1:
ac8c2aa0a7b404d9e8237ca4d395863934289689

SHA256:
c6e2318d197d0e879f0df5498b0442568f125dedd66ddae61a93e6cfa404619d

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Aaron Smith

Oct 19, 2022, 5:00:58 PM
to Repo and Gerrit Discussion
Do we know when the v3.5.3 tag will be available at https://gerrit.googlesource.com/docker-gerrit ? A fresh clone of this repo doesn't have this tag.
$ git tag | grep v3.5
v3.3.5
v3.5.0.1
v3.5.1
v3.5.2

Luca Milanesio

Oct 19, 2022, 5:18:59 PM
to Repo and Gerrit Discussion, Luca Milanesio, Aaron Smith

On 19 Oct 2022, at 22:00, Aaron Smith <asm...@taranawireless.com> wrote:

Do we know when the v3.5.3 tag will be available at https://gerrit.googlesource.com/docker-gerrit ? A fresh clone of this repo doesn't have this tag.
$ git tag | grep v3.5
v3.3.5
v3.5.0.1
v3.5.1
v3.5.2

Apologies, I still had it locally and didn’t push it.
Pushed now, can you check?

Thanks for the feedback.

Luca.


Aaron Smith

Oct 19, 2022, 5:21:47 PM
to Repo and Gerrit Discussion
Yep, I see it now. Thank you!

Aaron Smith

Jul 17, 2023, 6:17:29 PM
to Repo and Gerrit Discussion
Any chance you have the tags locally for the missing 3.6 and 3.7 images? Here's what I see in the docker-gerrit repo:
v3.6.0
v3.6.0-rc0
v3.6.0-rc2
v3.6.0-rc3
v3.6.0-rc4
v3.6.0-rc5
v3.6.1
v3.6.3
v3.7.0
v3.7.0-rc1
v3.7.0-rc2
v3.7.0-rc3
v3.7.0-rc4
v3.7.0-rc5
v3.7.2

Luca Milanesio

Jul 17, 2023, 6:45:32 PM
to Repo and Gerrit Discussion, Luca Milanesio, Aaron Smith

On 17 Jul 2023, at 23:17, 'Aaron Smith' via Repo and Gerrit Discussion <repo-d...@googlegroups.com> wrote:

Any chance you have the tags locally for the missing 3.6 and 3.7 images? Here's what I see in the docker-gerrit repo:
v3.6.0
v3.6.0-rc0
v3.6.0-rc2
v3.6.0-rc3
v3.6.0-rc4
v3.6.0-rc5
v3.6.1
v3.6.3
v3.7.0
v3.7.0-rc1
v3.7.0-rc2
v3.7.0-rc3
v3.7.0-rc4
v3.7.0-rc5
v3.7.2

Done, let me know if you are missing anything else.

Luca.

Aaron Smith

Jul 17, 2023, 7:12:33 PM
to Repo and Gerrit Discussion
Hmmmm, did a pull and I'm still seeing the same tag list as above. No v3.6.6, v3.7.4, etc.

Luca Milanesio

Jul 17, 2023, 7:14:44 PM
to Repo and Gerrit Discussion, Luca Milanesio, Aaron Smith

On 18 Jul 2023, at 00:12, 'Aaron Smith' via Repo and Gerrit Discussion <repo-d...@googlegroups.com> wrote:

Hmmmm, did a pull and I'm still seeing the same tag list as above. No v3.6.6, v3.7.4, etc.

Aaron Smith

Jul 17, 2023, 7:20:36 PM
to Repo and Gerrit Discussion
No, I had followed the links from the release notes, to docker.com, to github.com and cloned from there. I just cloned from your linked gerrit page and I now see the tags. Thank you!

Luca Milanesio

Jul 17, 2023, 7:28:55 PM
to Repo and Gerrit Discussion, Luca Milanesio, Aaron Smith

On 18 Jul 2023, at 00:20, 'Aaron Smith' via Repo and Gerrit Discussion <repo-d...@googlegroups.com> wrote:

No, I had followed the links from the release notes, to docker.com, to github.com and cloned from there. I just cloned from your linked gerrit page and I now see the tags. Thank you!

I see, the GitHub repos are just read-only replicas and they may take a while to get updated.
They’ll eventually show up there as well :-)

Luca.
