From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] git: Update to version 2.38.1
Date: Sun, 27 Nov 2022 11:54:32 +0000
Message-ID:
In-Reply-To: <20221126134159.2491023-1-adolf.belka@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6477049412150350746=="
List-Id:

--===============6477049412150350746==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Reviewed-by: Michael Tremer

> On 26 Nov 2022, at 13:41, Adolf Belka wrote:
>
> - Update from version 2.37.1 to 2.38.1
> - Update of rootfile
> - Changelog
> Git v2.38.1 Release Notes
> This release merges the security fix that appears in v2.30.6; see
> the release notes for that version for details.
> Git v2.38 Release Notes
> * "git remote show [-n] frotz" now pays attention to negative
> pathspec.
> * "git push" sometimes performs poorly when reachability bitmaps are
> used, even in a repository where other operations are helped by
> bitmaps. The push.useBitmaps configuration variable is introduced
> to allow disabling use of reachability bitmaps only for "git push".
> * "git grep -m" is a way to limit the hits shown per file.
> * "git merge-tree" learned a new mode where it takes two commits and
> computes a tree that would result in the merge commit, if the
> histories leading to these two commits were to be merged.
> * "git mv A B" in a sparsely populated working tree can be asked to
> move a path between directories that are "in cone" (i.e. expected
> to be materialized in the working tree) and "out of cone"
> (i.e. expected to be hidden). The handling of such cases has been
> improved.
> * Earlier, HTTP transport clients learned to tell the server side
> what locale they are in by sending Accept-Language HTTP header, but
> this was done only for some requests but not others.
> * Introduce a safe.barerepository configuration variable that
> allows users to forbid discovery of bare repositories.
> * Various messages that come from the pack-bitmap codepaths have been
> tweaked.
> * "git rebase -i" learns to update branches whose tip appear in the
> rebased range with "--update-refs" option.
> * "git ls-files" learns the "--format" option to tweak its output.
> * "git cat-file" learned an option to use the mailmap when showing
> commit and tag objects.
> * When "git merge" finds that it cannot perform a merge, it should
> restore the working tree to the state before the command was
> initiated, but in some corner cases it didn't.
> * Operating modes like "--batch" of "git cat-file" command learned to
> take NUL-terminated input, instead of one-item-per-line.
> * "git rm" has become more aware of the sparse-index feature.
> * "git rev-list --disk-usage" learned to take an optional value
> "human" to show the reported value in human-readable format, like
> "3.40MiB".
> * The "diagnose" feature to create a zip archive for diagnostic
> material has been lifted from "scalar" and made into a feature of
> "git bugreport".
> * The namespaces used by "log --decorate" from "refs/" hierarchy by
> default has been tightened.
> * "git rev-list --ancestry-path=C A..B" is a natural extension of
> "git rev-list A..B"; instead of choosing a subset of A..B to those
> that have ancestry relationship with A, it lets a subset with
> ancestry relationship with C.
> * "scalar" now enables built-in fsmonitor on enlisted repositories,
> when able.
> * The bash prompt (in contrib/) learned to optionally indicate when
> the index is unmerged.
> * "git clone" command learned the "--bundle-uri" option to coordinate
> with hosting sites the use of pre-prepared bundle files.
> * "git range-diff" learned to honor pathspec argument if given.
> * "git format-patch --from=" can be told to add an in-body
> "From:" line even for commits that are authored by the given
> with "--force-in-body-from" option.
> * The built-in fsmonitor refuses to work on a network mounted
> repositories; a configuration knob for users to override this has
> been introduced.
> * The "scalar" addition from Microsoft is now part of the core Git
> installation.
> * Collection of what is referenced by objects in promisor packs have
> been optimized to inspect these objects in the in-pack order.
> * Introduce a helper to see if a branch is already being worked on
> (hence should not be newly checked out in a working tree), which
> performs much better than the existing find_shared_symref() to
> replace many uses of the latter.
> * Teach "git archive" to (optionally and then by default) avoid
> spawning an external "gzip" process when creating ".tar.gz" (and
> ".tgz") archives.
> * Allow large objects read from a packstream to be streamed into a
> loose object file straight, without having to keep it in-core as a
> whole.
> * Further preparation to turn git-submodule.sh into a builtin
> continues.
> * Apply Coccinelle rule to turn raw memmove() into MOVE_ARRAY() cpp
> macro, which would improve maintainability and readability.
> * Teach "make all" to build gitweb as well.
> * Tweak tests so that they still work when the "git init" template
> did not create .git/info directory.
> * Add Coccinelle rules to detect the pattern of initializing and then
> finalizing a structure without using it in between at all, which
> happens after code restructuring and the compilers fail to
> recognize as an unused variable.
> * The code to convert between GPG trust level strings and internal
> constants we use to represent them have been cleaned up.
> * Support for libnettle as SHA256 implementation has been added.
> * The way "git multi-pack" uses parse-options API has been improved.
> * A Coccinelle rule (in contrib/) to encourage use of COPY_ARRAY
> macro has been improved.
> * API tweak to make it easier to run fuzz testing on commit-graph parser.
> * Omit fsync-related trace2 entries when their values are all zero.
> * The codepath to write multi-pack index has been taught to release a
> large chunk of memory that holds an array of objects in the packs,
> as soon as it is done with the array, to reduce memory consumption.
> * Add a level of redirection to array allocation API in xdiff part,
> to make it easier to share with the libgit2 project.
> * "git fetch" client logs the partial clone filter used in the trace2
> output.
> * The "bundle URI" design gets documented.
> * The common ancestor negotiation exchange during a "git fetch"
> session now leaves trace log.
> * Test portability improvements.
> (merge 4d1d843be7 mt/rot13-in-c later to maint).
> * The "subcommand" mode is introduced to parse-options API and update
> the command line parser of Git commands with subcommands.
> * The pack bitmap file gained a bitmap-lookup table to speed up
> locating the necessary bitmap for a given commit.
> * The assembly version of SHA-1 implementation for PPC has been
> removed.
> * The server side that responds to "git fetch" and "git clone"
> request has been optimized by allowing it to send objects in its
> object store without recomputing and validating the object names.
> * Annotate function parameters that are not used (but cannot be
> removed for structural reasons), to prepare us to later compile
> with -Wunused warning turned on.
> * Share the text used to explain configuration variables used by "git
> " in "git help " with the text from "git help config".
> * "git mv A B" in a sparsely populated working tree can be asked to
> move a path from a directory that is "in cone" to another directory
> that is "out of cone". Handling of such a case has been improved.
> * The chainlint script for our tests has been revamped.
> * Rewrite of "git add -i" in C that appeared in Git 2.25 didn't
> correctly record a removed file to the index, which was fixed.
> * Certain diff options are currently ignored when combined-diff is
> shown; mark them as incompatible with the feature.
> * Adjust technical/bitmap-format to be formatted by AsciiDoc, and
> add some missing information to the documentation.
> * Fixes for tests when the source directory has unusual characters in
> its path, e.g. whitespaces, double-quotes, etc.
> * "git mktree --missing" lazily fetched objects that are missing from
> the local object store, which was totally unnecessary for the purpose
> of creating the tree object(s) from its input.
> * Give _() markings to fatal/warning/usage: labels that are shown in
> front of these messages.
> * References to commands-to-be-typed-literally in "git rebase"
> documentation mark-up have been corrected.
> * In a non-bare repository, the behavior of Git when the
> core.worktree configuration variable points at a directory that has
> a repository as its subdirectory, regressed in Git 2.27 days.
> * Recent update to vimdiff layout code has been made more robust
> against different end-user vim settings.
> * Plug various memory leaks, both in the main code and in test-tool
> commands.
> * Fixes a long-standing corner case bug around directory renames in
> the merge-ort strategy.
> * The resolve-undo information in the index was not protected against
> GC, which has been corrected.
> * A corner case bug where lazily fetching objects from a promisor
> remote resulted in infinite recursion has been corrected.
> * "git clone" from a repository with some ref whose HEAD is unborn
> did not set the HEAD in the resulting repository correctly, which
> has been corrected.
> * An earlier attempt to plug leaks placed a clean-up label to jump to
> at a bogus place, which has been corrected.
> * Variable quoting fix in the vimdiff driver of "git mergetool"
> * "git shortlog -n" relied on the underlying qsort() to be stable,
> which shouldn't have. Fixed.
> * A fix for a regression in test framework.
> * mkstemp() emulation on Windows has been improved.
> * Add missing documentation for "include" and "includeIf" features in
> "git config" file format, which incidentally teaches the command
> line completion to include them in its offerings.
> * Avoid "white/black-list" in documentation and code comments.
> * Workaround for a compiler warning against use of die() in
> osx-keychain (in contrib/).
> * Workaround for a false positive compiler warning.
> * "git p4" working on UTF-16 files on Windows did not implement
> CRLF-to-LF conversion correctly, which has been corrected.
> * "git p4" did not handle non-ASCII client name well, which has been
> corrected.
> * "rerere-train" script (in contrib/) used to honor commit.gpgSign
> while recreating the throw-away merges.
> * "git checkout" miscounted the paths it updated, which has been
> corrected.
> * Fix for a bug that makes write-tree to fail to write out a
> non-existent index as a tree, introduced in 2.37.
> * There was a bug in the codepath to upgrade generation information
> in commit-graph from v1 to v2 format, which has been corrected.
> * Gitweb had legacy URL shortener that is specific to the way
> projects hosted on kernel.org used to (but no longer) work, which
> has been removed.
> * Fix build procedure for Windows that uses CMake so that it can pick
> up the shell interpreter from local installation location.
> * Conditionally allow building Python interpreter on Windows
> * Fix to lstat() emulation on Windows.
> * Older gcc with -Wall complains about the universal zero initializer
> "struct s = { 0 };" idiom, which makes developers' lives
> inconvenient (as -Werror is enabled by DEVELOPER=YesPlease). The
> build procedure has been tweaked to help these compilers.
> * Plug memory leaks in the failure code path in the "merge-ort" merge
> strategy backend.
> * "git symbolic-ref symref non..sen..se" is now diagnosed as an error.
> * A follow-up fix to a fix for a regression in 2.36 around hooks.
> * Avoid repeatedly running getconf to ask libc version in the test
> suite, and instead just ask it once per script.
> * Platform-specific code that determines if a directory is OK to use
> as a repository has been taught to report more details, especially
> on Windows.
> * "vimdiff3" regression fix.
> * "git fsck" reads mode from tree objects but canonicalizes the mode
> before passing it to the logic to check object sanity, which has
> hid broken tree objects from the checking logic. This has been
> corrected, but to help existing projects with broken tree objects
> that they cannot fix retroactively, the severity of anomalies this
> code detects has been demoted to "info" for now.
> * Fixes to sparse index compatibility work for "reset" and "checkout"
> commands.
> * An earlier optimization discarded a tree-object buffer that is
> still in use, which has been corrected.
> * Fix deadlocks between main Git process and subprocess spawned via
> the pipe_command() API, that can kill "git add -p" that was
> reimplemented in C recently.
> * The sequencer machinery translated messages left in the reflog by
> mistake, which has been corrected.
> * xcalloc(), imitating calloc(), takes "number of elements of the
> array", and "size of a single element", in this order. A call that
> does not follow this ordering has been corrected.
> * The preload-index codepath made copies of pathspec to give to
> multiple threads, which were left leaked.
> * Update the version of Ubuntu used for GitHub Actions CI from 18.04
> to 22.04.
> * The auto-stashed local changes created by "git merge --autostash"
> was mixed into a conflicted state left in the working tree, which
> has been corrected.
> * Multi-pack index got corrupted when preferred pack changed from one
> pack to another in a certain way, which has been corrected.
> (merge 99e4d084ff tb/midx-with-changing-preferred-pack-fix later to maint).
> * The clean-up of temporary files created via mks_tempfile_dt() was
> racy and attempted to unlink() the leading directory when signals
> are involved, which has been corrected.
> (merge babe2e0559 rs/tempfile-cleanup-race-fix later to maint).
> * FreeBSD portability fix for "git maintenance" that spawns "crontab"
> to schedule tasks.
> (merge ee69e7884e bc/gc-crontab-fix later to maint).
> * Those who use diff-so-fancy as the diff-filter noticed a regression
> or two in the code that parses the diff output in the built-in
> version of "add -p", which has been corrected.
> (merge 0a101676e5 js/add-p-diff-parsing-fix later to maint).
> * Segfault fix-up to an earlier fix to the topic to teach "git reset"
> and "git checkout" work better in a sparse checkout.
> (merge 037f8ea6d9 vd/sparse-reset-checkout-fixes later to maint).
> * "git diff --no-index A B" managed the pathnames of its two
> input files rather haphazardly, sometimes leaking them. The
> command line argument processing has been straightened out to clean
> it up.
> (merge 2b43dd0eb5 rs/diff-no-index-cleanup later to maint).
> * "git rev-list --verify-objects" ought to inspect the contents of
> objects and notice corrupted ones, but it didn't when the commit
> graph is in use, which has been corrected.
> (merge b27ccae34b jk/rev-list-verify-objects-fix later to maint).
> * More fixes to "add -p"
> (merge 64ec8efb83 js/builtin-add-p-portability-fix later to maint).
> * The parser in the script interface to parse-options in "git
> rev-parse" has been updated to diagnose a bogus input correctly.
> (merge f20b9c36d0 ow/rev-parse-parseopt-fix later to maint).
> * The code that manages list-object-filter structure, used in partial
> clones, leaked the instances, which has been plugged.
> (merge 66eede4a37 jk/plug-list-object-filter-leaks later to maint).
> * Fix another UI regression in the reimplemented "add -p".
> (merge f6f0ee247f rs/add-p-worktree-mode-prompt-fix later to maint).
> * "git fetch" over protocol v2 sent an incorrect ref prefix request
> to the server and made "git pull" with configured fetch refspec
> that does not cover the remote branch to merge with fail, which has
> been corrected.
> (merge 49ca2fba39 jk/proto-v2-ref-prefix-fix later to maint).
> * A result from opendir() was leaking in the commit-graph expiration
> codepath, which has been plugged.
> (merge 12f1ae5324 ml/commit-graph-expire-dir-leak-fix later to maint).
> * Just like we have coding guidelines, we now have guidelines for
> reviewers.
> (merge e01b851923 vd/doc-reviewing-guidelines later to maint).
> * Other code cleanup, docfix, build fix, etc.
> (merge 77b9e85c0f vd/fix-perf-tests later to maint).
> (merge 0682bc43f5 jk/test-crontab-fixes later to maint).
> (merge b46dd1726c cc/doc-trailer-whitespace-rules later to maint).
> Git 2.37.4 Release Notes
> This primarily is to backport various fixes accumulated on the 'master'
> front since 2.37.3, and also includes the same security fixes as in v2.30.6.
> * CVE-2022-39253:
> When relying on the `--local` clone optimization, Git dereferences
> symbolic links in the source repository before creating hardlinks
> (or copies) of the dereferenced link in the destination repository.
> This can lead to surprising behavior where arbitrary files are
> present in a repository's `$GIT_DIR` when cloning from a malicious
> repository.
> Git will no longer dereference symbolic links via the `--local`
> clone mechanism, and will instead refuse to clone repositories that
> have symbolic links present in the `$GIT_DIR/objects` directory.
> Additionally, the value of `protocol.file.allow` is changed to be
> "user" by default.
> Credit for finding CVE-2022-39253 goes to Cory Snider of Mirantis.
> The fix was authored by Taylor Blau, with help from Johannes
> Schindelin.
> * CVE-2022-39260:
> An overly-long command string given to `git shell` can result in
> overflow in `split_cmdline()`, leading to arbitrary heap writes and
> remote code execution when `git shell` is exposed and the directory
> `$HOME/git-shell-commands` exists.
> `git shell` is taught to refuse interactive commands that are
> longer than 4MiB in size. `split_cmdline()` is hardened to reject
> inputs larger than 2GiB.
> Credit for finding CVE-2022-39260 goes to Kevin Backhouse of
> GitHub. The fix was authored by Kevin Backhouse, Jeff King, and
> Taylor Blau.
> * An earlier optimization discarded a tree-object buffer that is
> still in use, which has been corrected.
> * Fix deadlocks between main Git process and subprocess spawned via
> the pipe_command() API, that can kill "git add -p" that was
> reimplemented in C recently.
> * xcalloc(), imitating calloc(), takes "number of elements of the
> array", and "size of a single element", in this order. A call that
> does not follow this ordering has been corrected.
> * The preload-index codepath made copies of pathspec to give to
> multiple threads, which were left leaked.
> * Update the version of Ubuntu used for GitHub Actions CI from 18.04
> to 22.04.
> * The auto-stashed local changes created by "git merge --autostash"
> was mixed into a conflicted state left in the working tree, which
> has been corrected.
> Also contains other minor documentation updates and code clean-ups.
> Git 2.37.3 Release Notes
> This primarily is to backport various fixes accumulated on the 'master'
> front since 2.37.2.
> * The build procedure for Windows that uses CMake has been updated to
> pick up the shell interpreter from local installation location.
> * Conditionally allow building Python interpreter on Windows
> * Fix to lstat() emulation on Windows.
> * Older gcc with -Wall complains about the universal zero initializer
> "struct s = { 0 };" idiom, which makes developers' lives
> inconvenient (as -Werror is enabled by DEVELOPER=YesPlease). The
> build procedure has been tweaked to help these compilers.
> * Plug memory leaks in the failure code path in the "merge-ort" merge
> strategy backend.
> * Avoid repeatedly running getconf to ask libc version in the test
> suite, and instead just ask it once per script.
> * Platform-specific code that determines if a directory is OK to use
> as a repository has been taught to report more details, especially
> on Windows.
> * "vimdiff3" regression has been corrected.
> * "git fsck" reads mode from tree objects but canonicalizes the mode
> before passing it to the logic to check object sanity, which has
> hid broken tree objects from the checking logic. This has been
> corrected, but to help existing projects with broken tree objects
> that they cannot fix retroactively, the severity of anomalies this
> code detects has been demoted to "info" for now.
> * Fixes to sparse index compatibility work for "reset" and "checkout"
> commands.
> * Documentation for "git add --renormalize" has been improved.
> Also contains other minor documentation updates and code clean-ups.
> Git 2.37.2 Release Notes
> This primarily is to backport various fixes accumulated on the 'master'
> front since 2.37.1.
> * "git shortlog -n" relied on the underlying qsort() to be stable,
> which shouldn't have. Fixed.
> * Variable quoting fix in the vimdiff driver of "git mergetool".
> * An earlier attempt to plug leaks placed a clean-up label to jump to
> at a bogus place, which has been corrected.
> * Fixes a long-standing corner case bug around directory renames in
> the merge-ort strategy.
> * Recent update to vimdiff layout code has been made more robust
> against different end-user vim settings.
> * In a non-bare repository, the behavior of Git when the
> core.worktree configuration variable points at a directory that has
> a repository as its subdirectory, regressed in Git 2.27 days.
> * References to commands-to-be-typed-literally in "git rebase"
> documentation mark-up have been corrected.
> * Give _() markings to fatal/warning/usage: labels that are shown in
> front of these messages.
> * "git mktree --missing" lazily fetched objects that are missing from
> the local object store, which was totally unnecessary for the purpose
> of creating the tree object(s) from its input.
> * Fixes for tests when the source directory has unusual characters in
> its path, e.g. whitespaces, double-quotes, etc.
> * Adjust technical/bitmap-format to be formatted by AsciiDoc, and
> add some missing information to the documentation.
> * Certain diff options are currently ignored when combined-diff is
> shown; mark them as incompatible with the feature.
> * "git clone" from a repository with some ref whose HEAD is unborn
> did not set the HEAD in the resulting repository correctly, which
> has been corrected.
> * mkstemp() emulation on Windows has been improved.
> * Add missing documentation for "include" and "includeIf" features in
> "git config" file format, which incidentally teaches the command
> line completion to include them in its offerings.
> * Avoid "white/black-list" in documentation and code comments.
> * Workaround for a compiler warning against use of die() in
> osx-keychain (in contrib/).
> * Workaround for a false positive compiler warning.
> * The resolve-undo information in the index was not protected against
> GC, which has been corrected.
> * A corner case bug where lazily fetching objects from a promisor
> remote resulted in infinite recursion has been corrected.
> * "git p4" working on UTF-16 files on Windows did not implement
> CRLF-to-LF conversion correctly, which has been corrected.
> * "git p4" did not handle non-ASCII client name well, which has been > corrected. > * "rerere-train" script (in contrib/) used to honor commit.gpgSign > while recreating the throw-away merges. > * "git checkout" miscounted the paths it updated, which has been > corrected. > * Fix for a bug that makes write-tree to fail to write out a > non-existent index as a tree, introduced in 2.37. > * There was a bug in the codepath to upgrade generation information > in commit-graph from v1 to v2 format, which has been corrected. > Also contains minor documentation updates and code clean-ups. >=20 > Signed-off-by: Adolf Belka > --- > config/rootfiles/packages/git | 4 ++++ > lfs/git | 6 +++--- > 2 files changed, 7 insertions(+), 3 deletions(-) >=20 > diff --git a/config/rootfiles/packages/git b/config/rootfiles/packages/git > index e2bce72bb..fd8cc2214 100644 > --- a/config/rootfiles/packages/git > +++ b/config/rootfiles/packages/git > @@ -5,6 +5,7 @@ usr/bin/git-shell > usr/bin/git-upload-archive > usr/bin/git-upload-pack > #usr/bin/gitk > +#usr/bin/scalar > #usr/libexec/git-core > #usr/libexec/git-core/git > usr/libexec/git-core/git-add > @@ -48,6 +49,7 @@ usr/libexec/git-core/git-cvsimport > usr/libexec/git-core/git-cvsserver > usr/libexec/git-core/git-daemon > usr/libexec/git-core/git-describe > +usr/libexec/git-core/git-diagnose > usr/libexec/git-core/git-diff > usr/libexec/git-core/git-diff-files > usr/libexec/git-core/git-diff-index > @@ -175,6 +177,7 @@ usr/libexec/git-core/git-var > usr/libexec/git-core/git-verify-commit > usr/libexec/git-core/git-verify-pack > usr/libexec/git-core/git-verify-tag > +usr/libexec/git-core/git-version > usr/libexec/git-core/git-web--browse > usr/libexec/git-core/git-whatchanged > usr/libexec/git-core/git-worktree 
> @@ -203,6 +206,7 @@ usr/libexec/git-core/mergetools/tortoisemerge > usr/libexec/git-core/mergetools/vimdiff > usr/libexec/git-core/mergetools/winmerge > usr/libexec/git-core/mergetools/xxdiff > +usr/libexec/git-core/scalar > #usr/share/git-core > #usr/share/git-core/templates > usr/share/git-core/templates/branches > diff --git a/lfs/git b/lfs/git > index a4bed2722..d5bc66799 100644 > --- a/lfs/git > +++ b/lfs/git > @@ -24,7 +24,7 @@ >=20 > include Config >=20 > -VER =3D 2.37.1 > +VER =3D 2.38.1 > SUMMARY =3D Fast, scalable, distributed revision control system >=20 > THISAPP =3D git-$(VER) > @@ -33,7 +33,7 @@ DL_FROM =3D $(URL_IPFIRE) > DIR_APP =3D $(DIR_SRC)/$(THISAPP) > TARGET =3D $(DIR_INFO)/$(THISAPP) > PROG =3D git > -PAK_VER =3D 25 > +PAK_VER =3D 26 >=20 > DEPS =3D perl-Authen-SASL perl-MIME-Base64 perl-Net-SMTP-SSL >=20 > @@ -47,7 +47,7 @@ objects =3D $(DL_FILE) >=20 > $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) >=20 > -$(DL_FILE)_BLAKE2 =3D b5423e4628f8c727aa74b3f7c7da12d46814eb45adfe84bf57e8= 7a33e85a0a793ff690f4c1f7d2da4824bc8dd7d1df1c06cbe96adae857177d3fb204941b53ef > +$(DL_FILE)_BLAKE2 =3D 50e4e9ef04d9eef7c10aba1f0d53d5d15f50ea9a8c344733e7a7= 865e2f2a833edb4f4b5882f47dd39389dfdedf22a813cfe3d35ab950d6543d21e0294ce17f2d >=20 > install : $(TARGET) >=20 > --=20 > 2.38.1 >=20 --===============6477049412150350746==--
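
Review bot: In config/rootfiles/packages/git the new `#usr/bin/scalar` entry is commented out while `usr/libexec/git-core/scalar` in the last rootfile hunk is shipped, and the commit message only says "Update of rootfile". Please state whether scalar is meant to be packaged. If it is not, the libexec copy should be commented out as well; if it is, the usr/bin entry is the one on the usual PATH and should not be excluded.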
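
Review bot: The `VER` bump to 2.38.1 in lfs/git brings in the fixes for CVE-2022-39253 and CVE-2022-39260, but the subject and the opening lines of the commit message read as a routine update and the CVEs only appear deep inside the pasted changelog. Suggest naming both CVEs near the top of the message so the update is tracked as security-relevant, and adding a line that the default of `protocol.file.allow` changes to "user", since the quoted 2.37.4 notes describe that as a behaviour change for local clones.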
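
Review bot: The new `$(DL_FILE)_BLAKE2` value in lfs/git is the only integrity check visible here for the tarball fetched from `$(URL_IPFIRE)`, and the commit message does not say how the archive was checked against the upstream release before the digest was recorded. A sentence on that would make the change reviewable. The digest is also split by a quoted-printable soft break in this mail, so it should be compared against the value in the tree, not copied from the message.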