Engineering Steering Committee Meetings, July 23 and Mar 6, 2024

Patrick Hiesel, Luca Milanesio, Saša Živkov

Update to Servlet API 6.0 (ESC of July 23)

JGit moved to Jakarta Servlet API 5.0 back in May 2024, and when its next branch was merged to master it became incompatible with Gerrit, which still relies on Servlet API v3.1.0. JGit has since moved on to Jakarta Servlet API v6.0.

The impact of upgrading Gerrit to Jakarta is large: it implies amending all javax.servlet imports to the jakarta.servlet namespace. Patrick is checking the impact on, and the status of, Google's implementation of the Servlet API.

SPAM on gerrit-review.googlesource.com (ESC of July 23)

Spammers have been targeting Gerrit changes on gerrit-review.googlesource.com.

The repo-discuss mailing list has a message moderation policy that allows existing regular members to keep on posting without delay; however, new users would require a manual approval by a moderator. Taking the same approach for Gerrit would be one option.

Patrick also offered to look into another option, where gerrit-review.googlesource.com could require strong authentication (e.g. Google Authenticator, or a valid mobile phone with text-message verification) before allowing users to access Gerrit.

Security issues when running Gerrit on Windows Server (ESC of July 23)

Gerrit Code Review is not actively tested, verified or supported on Microsoft Windows Server. The ESC members agree that this status quo needs to be made more visible and explicit in the Gerrit documentation. It is not in the interest of the community to actively fix problems reported on Windows Server, including security issues, when they do not affect Linux or the other popular Unix platforms.

Luca has created Change 433917 to amend the Gerrit documentation accordingly.

Library compliance speed-lane (ESC of Mar 6)

Saša highlighted that library updates in the Gerrit code-base are often slowed down by delays in obtaining the Library-Compliance +1, and therefore in getting the changes merged.

Patrick highlighted the challenges at Google, where all libraries need to be aligned across all products; this takes time because of the associated code changes that have to be made.

Luca proposed a speed-lane process where dependency updates can be trialled in the Gerrit open-source community first and adopted by Google at a later time, once the product alignment process is complete. That would potentially be feasible when the dependency changes do not involve source-code changes in the Gerrit code-base but only a different build process.

The ESC agreed to document the speed-lane process and to trial it on the forthcoming dependency updates, especially the urgent ones that carry security fixes in third-party libraries.

Gerrit-CI security incident - CVE-2024-23897 (ESC of Mar 6)

Luca reported the status of the actions taken to mitigate the impact of the Jenkins security vulnerability CVE-2024-23897 (an arbitrary file read through the Jenkins CLI, which put any secrets stored on the controller at risk) on the Gerrit CI. The sequence of events, mitigations and post-mortem analysis is published on Google Docs and all actions have been completed, with the split of the CI system into two parts:

  • Public Gerrit CI for validating incoming changes, without any stored credentials or keys.

  • Private Gerrit CI (not exposed to any external network) for publishing the Gerrit homepage and for other end-to-end validations that require the use of stored credentials.
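The split only holds if no job that lands on the public instance pulls anything out of the credentials store. The following checker is an added example, not code from the Gerrit or Jenkins projects: it scans Jenkins pipeline text for the constructs that bind stored credentials (withCredentials, the declarative credentials() helper, credentialsId bindings, sshagent) and rejects the job for the public CI if any are present. The pattern list and both sample Jenkinsfiles are assumptions constructed for the example; the private-CI publish job is what the rule is meant to keep out of the public instance.

```python
"""Gate for the public (credential-free) CI: flag pipeline definitions that
bind stored credentials or keys.

Added example, not Gerrit's or Jenkins' own code. The construct list below is
an assumption: it covers the common Jenkins pipeline ways of reaching the
credentials store, and should be extended for plugins a site actually uses.
"""
import re

# Pipeline constructs that read secrets from the Jenkins credentials store.
CREDENTIAL_PATTERNS = [
    re.compile(r"\bwithCredentials\s*\("),          # scripted/declarative binding block
    re.compile(r"\bcredentials\s*\(\s*['\"]"),       # environment { X = credentials('id') }
    re.compile(r"\bcredentialsId\b"),                # any step taking a credentialsId
    re.compile(r"\bsshagent\s*\("),                  # ssh-agent plugin, private keys
]


def find_credential_uses(pipeline_text):
    """Return (line_number, stripped_line) for each line that references
    stored credentials. Lines that are '//' comments are skipped; block
    comments are not handled, which is a deliberate simplification."""
    hits = []
    for number, line in enumerate(pipeline_text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//"):
            continue
        if any(pattern.search(line) for pattern in CREDENTIAL_PATTERNS):
            hits.append((number, stripped))
    return hits


def is_allowed_on_public_ci(pipeline_text):
    """A job may run on the public CI only if it binds no credentials."""
    return not find_credential_uses(pipeline_text)


# Constructed sample: a change-validation job, the kind that stays public.
VALIDATION_JOB = """\
pipeline {
  agent { label 'bazel' }
  stages {
    stage('Checkout') {
      steps { checkout scm }
    }
    stage('Build and test') {
      steps { sh 'bazelisk test //...' }
    }
  }
}
"""

# Constructed sample: a homepage publish job, which belongs on the private CI.
PUBLISH_JOB = """\
pipeline {
  agent any
  environment {
    GERRIT_SITE_TOKEN = credentials('gerrit-site-token')
  }
  stages {
    stage('Publish homepage') {
      steps {
        // withCredentials(...) was here before the split
        sshagent(credentials: ['homepage-deploy-key']) {
          sh 'rsync -a site/ deploy@host:/srv/www/'
        }
        withCredentials([string(credentialsId: 'gcs-key', variable: 'KEY')]) {
          sh 'gsutil rsync -r site gs://gerrit-homepage'
        }
      }
    }
  }
}
"""

if __name__ == "__main__":
    for name, text in (("validation", VALIDATION_JOB), ("publish", PUBLISH_JOB)):
        verdict = "ok for public CI" if is_allowed_on_public_ci(text) else "private CI only"
        print(f"{name}: {verdict}")
        for number, line in find_credential_uses(text):
            print(f"  line {number}: {line}")
```

Run against a job's Jenkinsfile before it is enabled on the public instance; the checker reports the offending lines, and the commented-out line in the publish sample shows that it ignores disabled code rather than matching on text alone.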

Transition of the RBE executions to BuildBuddy (ESC of Mar 6)

Luca presented the work done by Alvaro for transitioning the execution of Gerrit RBE builds to BuildBuddy with on-premises workload executors.

The ESC agreed to transition the executions to BuildBuddy / on-premises.