Contributing using Gerrit

At OsmoDevCon2016 we discussed problems with our past contribution / patch submission process using mails on the mailing list as well as patchwork. The result was that we wanted to give Gerrit a try for some time and see if it helps us to have a better process. We were (and still are) quite happy with it, and over time most Osmocom projects have migrated to using gerrit.

Gerrit is a review tool that integrates nicely with git and ssh. You can find general information about Gerrit at

The advantages of Gerrit are:
  • patch submission status is automatically tracked, also with several revisions for a patch set.
  • patches are build-tested (and possibly even further tested) by jenkins before they are applied
  • patch submissions not via git send-email but direcly from git

Osmocom Subprojects using Gerrit

The majority of Osmocom sub-projects have chosen to use Gerrit for patch review. In order to check if a given program uses Gerrit, please check the auto-generated list at

If the project is listed there, then it uses Gerrit. If the project is not listed there, please send patches by e-mail to the respective project Mailing_Lists instead.

Configuring Gerrit/Account

You will need to sign up at If you have an Osmocom Redmine account you can use as OpenID provider.

careful: enter 'https' to ensure that your openid credentials are passed on encrypted.
pitfall: if you're logged in on '' (including the 'projects.' part), you should also use the openid provider:; the 'projects.' part may be omitted, what's important is that redmine login and OpenID URLs match. Also, decide for one of those URLs once, because when picking a different OpenID URL next time, you will create a new user instead of logging in as yourself.
note: gerrit will create a distinct user for each openid URL you pass. If you logged in successfully but your user seems to have lost permissions, you may have created an evil twin user: contact us on the mailing list so we can fix it in the user database.

If you have no Osmocom redmine account, you can simply create one online at the "Register" link in the upper right corner.
Even without an existing or new redmine account, you should also be able to use any other OpenID provider to authenticate against gerrit (untested).

After the initial sign-up you will need to:

  • Pick a username (cannot be changed)
  • Add your public ssh key(s)
  • Add email addresses you intend to use as author/comitter

If you would like to push private branches to the Gerrit repository, you also need to be added to the "known users" group.
Please send a short requesting email to .

Setting up Gerrit for commits and pushing

Note: it is easiest to work with gerrit when gerrit is the only remote in your git clone.
When you clone from and add the gerrit remote, git will have two remotes,
so when you first checkout a branch you have to supply the remote explicitly (cumbersome).
The gerrit repositories and are constantly synced, so it is sufficient
to clone from gerrit only.

Simplest: new clone

  • Create a new clone from gerrit
git clone ssh://$$PROJECT.git
  • Fetch the commit hook that adds Change-Id to each commit to uniquely identify a commit
# Option a) using scp
scp -O -P 29418 $ $PROJECT/.git/hooks/

# Option b) using curl
curl -o $PROJECT/.git/hooks/commit-msg
chmod +x $PROJECT/.git/hooks/commit-msg

SSH config

In '~/.ssh/config', add these lines:

Host go
Port 29418

('go' means gerrit.osmocom, replace with your favorite shortcut name,
replace '$USERNAME' with your user name as used on the gerrit website)

Then you can shorten above commands to

git clone ssh://go/$PROJECT.git
scp go:hooks/commit-msg .git/hooks/

Committer must match

Your email address on gerrit and the email address git places in your
commits must match, or you will get rejected with an error message like
"invalid committer". You can add email addresses on the gerrit web UI.

Add gerrit to an existing clone

  • Add the remote to be able to fetch and push to gerrit
PROJECT=$(basename $PWD)
git remote add gerrit ssh://$$PROJECT.git
  • Fetch the commit hook that adds Change-Id to each commit to uniquely identify a commit
# Option a) using scp
scp -P 29418 $ .git/hooks/

# Option b) using curl
curl -o .git/hooks/commit-msg
chmod +x .git/hooks/commit-msg

Push for review


  • your user on gerrit has an SSH public key
  • your patch is committed in your local clone
  • the commit log message has a Change-Id (see 'commit-msg' hook above, and 'Tips and Tricks' below to add a Change-Id to a commit that lacks one.)
git push $REMOTE $GITHASH:refs/for/$BRANCH%topic=$TOPIC

$REMOTE: from above instructions, that's either 'origin' (cloned from gerrit) or 'gerrit' (if you added a second remote).
$GITHASH: the committed patch to push, typically you're on your branch and simply push 'HEAD'.
$BRANCH: you will typically intend a patch to go to 'master'.
%topic=$TOPIC: an optional name you may choose.

Pushing as WIP is easy, just add %wip (or push without %wip to unmark as wip and mark as active for review):

git push $REMOTE $GITHASH:refs/for/$BRANCH%wip

Pushing as WIP with a topic does NOT work like that, you need to do:

git push $REMOTE $GITHASH:refs/for/$BRANCH%wip -o topic=$TOPIC

For example, check out the revision or branch that you want to submit for review,
i.e. the one where your patch or several patches are committed on top of the current master, then:

If you cloned directly from gerrit:

git push origin HEAD:refs/for/master

If you added 'gerrit' as a second remote to an existing clone:

git push gerrit HEAD:refs/for/master

You can optionally add a topic name with

git push origin HEAD:refs/for/master%topic=my_topic

Voting Rules for merging a patch to master

High-level goal: Two people other than the patch author/owner should have given positive review ("Review +1") and the patch must pass automatic build/lint validation ("Verified: +1").

Please follow these voting rules:

Code Review ("CR")

  • Please review patches by others.
  • Do not vote for your own patches (exceptions below).
  • Before merging, each patch should receive at least two reviews that approve merging.

When voting, please follow this social contract (written from the point of a reviewer):

  • When you approve, vote CR +1.
  • If there already is someone else's CR +1, you as a reviewer, not as the author/owner may also choose to vote CR +2.
  • If the patch owner sees two or more CR +1, the patch owner may apply to self a CR +2.
  • Once there is at least one CR +2 and one CR +1 vote, a patch may be merged ("Submit" button), except:
    • If there are two -1 votes, you should not merge, instead clarify the reason and try to fix it.
    • If there is a single -1 vote, you may still merge the patch, if you are sure that the opinion of the -1 vote does not carry.
  • Give the benefit of the doubt to the -1 vote, do not lightheartedly overrule.
  • If there is a CR -2 vote, the patch will likely never pass review, it marks a fundamental flaw.
  • Merging a patch ("Submit" button) may be done by a reviewer or by the patch owner,
    But if there is any negative vote, rather leave merging up to the patch owner.
  • If you remove a +1 vote, try to make sure that there are no other CR +2 votes left alone
    (to prevent accidental "Submit including parents"). If needed, ping other reviewer / admin on IRC.
    But try to vote +1 only when you're sure, hence this situation should be rare.
  • To prevent merging of your own patch before some issue is resolved, consider marking it Work In Progress.

Exceptions for Trivial / Urgent Patches

A patch may receive a direct +2 when:

  • it is very trivial, like a typo fix in a comment or log string, so that it is not worth wasting review time on.
  • it reverts an earlier change that broke the master builds.

In these cases, the patch submitter may decide to +2 to self, after careful consideration. This should be rare.

Verification ("V")

  • For most projects, jenkins takes care of voting V +1 automatically.
  • If you have actually tried out a patch and verified that it works, you may vote V +1.
  • A patch owner may vote V +1 to self in a project that has no Jenkins verification job.


Gerrit allows merging a patch as soon as a CR +2 vote and a V +1 vote are in.
For quite some time, we had CR +2 permissions for only very few gatekeeper reviewers.
The result was that non-gatekeepers' votes seemed to not matter.

To encourage more peer review that actually has an effect, we would like to sum up +1 votes.
We have tried to apply a summing of votes in Gerrit with automatic enforcing
( )
but this had numerous quirks, particularly the issues summary shows wildly mismatching voting status.

The solution is to agree on a social contract: everyone gets +2 permissions,
but you shall only use it when it makes sense. Thanks!

Manage private branches

Use a sub-directory with your name to group your own branches, please.
Note that you must be a member of the "known users" group, see above.

To share / backup local branches to, without starting a code review process on, just push them as usual to gerrit.

  • Note that the git repository must be cloned from the gerrit SSH URL -- all pushing goes to gerrit ("pushurl" as described below also works).
  • All private branches are automatically synced to in a matter of minutes.
  • Private branches do not kick off patch sets for review, they are just branches. To kick off review for all patches on your branch, you'd use a 'refs/for/master' URL, as shown in the example below.

Pitfall: always include both your name and a topic in a branch name, right from the start. If you first create a branch named "fred", creating branches named "fred/topic" later will cause conflicts in the .git admin tree, because first "fred" was a file, and then becomes a directory. Even if you fix it in your local repository, all other git repositories, including those on the build servers, may need manual action to become usable again. One solution is to push a deletion of "fred" and then "git fetch --purge" everywhere else.

The typical transcript for "Fred" developing feature "Kazoo" looks like this:

# First, set up ~/.ssh/config so that 'go' points at
# Then:
git clone ssh://go/sandbox

cd sandbox
# create local branch
git checkout -b fred/kazoo

git add kazoo.c
git commit -m "implement kazoo" 

# just invoke 'git push' and git tells you how to create the branch once-off:
git push
|fatal: The current branch kazoo has no upstream branch.
|To push the current branch and set the remote as upstream, use
|    git push --set-upstream origin fred/kazoo

git push --set-upstream origin fred/kazoo
# Now the branch exists on gerrit, very soon will also exist on

# Further tweaks
git add kazoo.h
git commit --amend

# You are free to force-push private branches
git push -f

# origin/master has changed? Rebase onto the latest.
git fetch
git rebase -i origin/master
# resolve conflicts...
git push -f

# Feature is ready, submit the entire branch to Gerrit code review
git push origin HEAD:refs/for/master/kazoo

List changesets in gerrit

git ls-remote gerrit changes/*

Tips and Tricks

A commit lacks a Change-Id

once you added the commit hook as above, just re-edit the commit log message, e.g. with

git commit --amend

or by

git rebase -i

and in the upcoming editor replacing 'pick' with 'r' in front of the commit to edit.

No need to change the commit log if you don't want to, just exit the editor and the commit hook will add a Change-Id.

Ignore WIP patches

Using following operators in "search" field of web UI allows to ignore Work-in-progress changes:

status:open AND -is:wip

Fetch fast from, push to gerrit

Gerrit has moved to a faster host, so this should no longer be necessary. Anyway...

Adding a second remote forces you to explicitly pass the remote on the command line ("origin").
It is possible to have only one remote for convenience, with different push and pull URLs:

git remote set-url origin$ORG/$PROJECT
git remote set-url --push origin ssh://$$PROJECT

With above .ssh config you can also use the shorter ssh:// URL:

git remote set-url --push origin ssh://go/$PROJECT

The resulting .git/config in libosmocore would look something like:

[remote "origin"]
        url =
        pushurl = ssh://go/libosmocore
        fetch = +refs/heads/*:refs/remotes/origin/*

Now you're fetching from, which is lightning fast, while pushing patches will still go to gerrit as usual.

Throw-away branch

If you need to adjust and re-submit patches, it may be handy to create a throw-away branch ("R D" in magit-gerrit in emacs for example),
make your changes/amendments and then send patch(es) back to gerrit while removing temporary branch automatically with "git review -f".

Fetch a patch from gerrit

This script (I called it P) makes fetching a patch set from gerrit a breeze:

# fetch gerrit patch into new branch named like the patch number.
# Usage: go to a git clone and pass a patch number:
#   cd openbsc
#   P 973
# or
#   P 973/2
# Will create new local branches '973_4' (if 4 is the latest patch set)
# or '973_2', respectively.


if [ -z "$patch" ]; then
  echo "Usage: P 1234[/5]" 
  exit 1

if [ -z "$(echo "$patch" | grep '/')" ]; then

if [ -z "$(echo "$patch" | grep '^/')" ]; then

remote="$(git remote get-url --push origin)" 

last_set="$(git ls-remote "$remote" "changes/*" | grep "$patch" | sed 's#.*/\([^/]*\)$#\1 &#' | sort -n | tail -n 1)" 
if [ -z "$last_set" ]; then
  echo "Not found: $patch" 
  exit 1

change_name="$(echo "$last_set" | sed 's/.*\(refs.*\)/\1/')" 
branch_name="$(echo "$change_name" | sed 's#refs/changes/../\([0-9]*\)/\([0-9]*\)#\1_\2#')" 

set -x
git fetch "$remote" "$change_name" 
git co -b "$branch_name" FETCH_HEAD

Re-submit a Branch with Amended Commits

On a feature branch, one typically has numerous commits that depend on their preceding commits.
Often, some of the branch commits need to be amended for fixes. You can re-submit changes to
patches on your branch by pushing in the same way that you first submitted the branch.

Note: if you modify the Change-Ids in the commit logs, your push would open entirely new
review entries and you would have to abandon your previous submission. Comments on the first
submission are "lost" and you cannot diff between patch sets.

Re-submit Previously Abandoned Changes

You have to edit the Change-Ids, on a branch that would be every single commit log message.

cd openbsc
git co my-branch
git rebase -i master
# replace all 'pick' with 'r' (or 'reword'), exit your editor
# git presents each commit log message for editing

502 Bad Gateway

When getting a "Bad Gateway" error message upon trying to login on gerrit, you probably just need to restart your web browser. The reason is not clear.

scp fails with "subsystem request failed on channel 0"

Most likely, you're using a very recent OpenSSH release (9.0 - check 43 for more info), which changes the scp program to use the SFTP protocol under the hood.

$ scp -P 29418 .git/hooks/
subsystem request failed on channel 0
scp: Connection closed

To work around the problem on the client side, use the new -O (that is an uppercase letter "o") switch when invoking scp, which will cause it to fall back to the legacy behavior.

$ scp -O -P 29418 .git/hooks/
commit-msg                                              100% 2174     9.5KB/s   00:00

Commit hook: Always put Change-Id at the bottom of the log message

The commit-msg hook places a Change-Id tag in the footer, often above other tags like 'Depends:' or 'Related:'. Since the Change-Id is an implementation detail for Gerrit, I personally prefer it always placed right at the bottom. This simple edit changes the commit-msg hook to add Change-Id at the bottom unconditionally:

sed -i 's/if (unprinted /if (0 \&\& unprinted /' .git/hooks/commit-msg

The goal is to disable the condition in line 163 with an 'if (0...':

                        if (0 && unprinted && match(tolower(footer[line]), changeIdAfter) != 1) {
                                unprinted = 0
                                print "Change-Id: I'"$id"'" 

Then the Change-Id will be placed by line 170 instead.

Reasons for Particular Configuration

Rebase if necessary

There are different merge strategies that Gerrit performs to accept patches.
Each project can be configured to a specific merge strategy, but unfortunately you can't
decide on a strategy per patch submission.

It seems that the "Merge if Necessary" strategy is best supported, but it creates non-linear
history with numerous merge commits that are usually not at all necessary.

Instead, the "Cherry Pick" strategy puts each patch onto current master's HEAD to create
linear history. However, this will cause merge failures as soon as one patch depends on
another submitted patch, as typical for a feature branch submission.

So we prefer the "Rebase if Necessary" strategy, which always tries to apply your patches to
the current master HEAD, in sequence with the previous patches on the same branch.

Private Branches: Create a new change for every commit...

Say you have an extensive feature in development, and you want to keep it on the
upstream git repository to a) keep it safe and b) collaborate with other devs on it.
So, of course, you have regularly pushed to refs/heads/yoyodyne/feature.

Since you have the gerrit commit hook installed, your feature branch already has
Change-Id tags in all commit log messages.

Now your feature is complete and you would like to submit it to master.
Alas, Gerrit refuses to accept your patch submission for master, because it
knows the Change-Ids are also on a different branch.

Gerrit by default enforces that a Change-Id must be unique across all branches,
so that each submission for review is separate for each branch. Instead, we
want to handle Change-Ids per-branch, so that you can have the same change
submitted to different branches, as separate patch submissions, without having
to cosmetically adjust the Change-Id.

Solution: set the option
Create a new change for every commit not in the target branch to TRUE

Allow content merges

By default, gerrit compares patches only by the files' paths. If two paths are the same,
it immediately shows them as conflicts (path conflicts).

In software development, a conflict usually means an actual content conflict, so if the
edits are in two entirely separate places in the file, we don't consider this a conflict.

By setting Allow content merges to TRUE in the git project config, we tell Gerrit to
perform text merges of the submitted patches and only complain about actual content
conflicts, in the usual software engineering sense.


Adding a new repository

1. create the repository in the Gerrit UI, inherit from "All-Projects"
2. a) project does not exist on 2. b) project exists on
  • explicitly add gerrit as a second remote and push all branches/tags from to gerrit.

3. configure a jenkins build testing job for this project (see gerrit-verifications.yml in osmo-ci.git/jobs)

git replication to is enabled automatically, nothing to be done here. In case of doubt, try
ssh -p 29418 replication start --all --wait

Deleting a repository

ssh -p 29418 delete-project delete --yes-really-delete NAME

Adding users to groups

Normally, the gerrit UI auto-completes a user name in the edit field. It has happened
though that an existing user is not auto-completed, as if it didn't exist. In that case,
find out the user ID (seven digit number like 1000123) and just enter that.

The user ID can be found on the user's "Settings" page, or in the database (s.b.).

Querying the database directly

If your user has permission to access the database, you can place SQL queries using the
'gerrit gsql' commands over ssh:

ssh go "gerrit gsql -c \"show tables\"" 
ssh go "gerrit gsql -c \"select full_name,account_id from accounts\"" 

(see ~/.ssh/config above for the 'go' shortcut)

This seems to be the MySQL dialect.

The "...\"...\"" quoting allows including single-quotes in the SQL statements.

Fix evil twin users

If differing openid URLs have lead to evil twin users shadowing the same email address just without the permissions, we end up with duplicate users showing up in the UI, e.g. when you want to add somebody as a reviewer.

In past gerrit vesions based on ReviewDB, one could use SQL statements to manipulate the database. However, gerrit has migrated to NoteDB, and hence this access is no longer possible.

You can find information on how to manipulate users using the REST API at

You can get a list of identities for one given e-mail address (e.g. using

curl ''

which would give you a result like this:

    "_account_id": 1000028
    "_account_id": 1000140

And subsequetly check which of the identities you want to keep or remove:

curl --user http_user:http_pass  ''
curl --user http_user:http_pass ''

The "intended" ones typically have URLs, while the unintended/dupliacte ones have http (not https) or use or instead.

Once you have found the duplicate (in this case 100140), you can deactivate the duplicate using

curl --user http_user:http_pass -X DELETE ''

Updated by manawyrm 10 months ago · 130 revisions

Add picture from clipboard (Maximum size: 48.8 MB)