Log message:
Git: update to 2.19.1

These releases fix a security flaw (CVE-2018-17456), which allowed an
attacker to execute arbitrary code by crafting a malicious .gitmodules
file in a project cloned with --recurse-submodules.

When running "git clone --recurse-submodules", Git parses the supplied
.gitmodules file for a URL field and blindly passes it as an argument
to a "git clone" subprocess.  If the URL field is set to a string that
begins with a dash, this "git clone" subprocess interprets the URL as
an option.  This can lead to executing an arbitrary script shipped in
the superproject as the user who ran "git clone".

In addition to fixing the security issue for the user running "clone",
the 2.17.2, 2.18.1 and 2.19.1 releases have an "fsck" check which can
be used to detect such malicious repository content when fetching or
accepting a push. See "transfer.fsckObjects" in git-config(1).

Credit for finding and fixing this vulnerability goes to joernchen
and Jeff King, respectively.

Log message:
git: updated to 2.19.0

Git 2.19 Release Notes

Updates since v2.18
-------------------

UI, Workflows & Features

 * "git diff" compares the index and the working tree.  For paths
   added with intent-to-add bit, the command shows the full contents
   of them as added, but the paths themselves were not marked as new
   files.  They are now shown as new by default.

   "git apply" learned the "--intent-to-add" option so that an
   otherwise working-tree-only application of a patch will add new
   paths to the index marked with the "intent-to-add" bit.

 * "git grep" learned the "--column" option that gives not \ 
just the
   line number but the column number of the hit.

 * The "-l" option in "git branch -l" is an unfortunate \ 
short-hand for
   "--create-reflog", but many users, both old and new, somehow expect
   it to be something else, perhaps "--list".  This step warns when \ 
"-l"
   is used as a short-hand for "--create-reflog" and warns about the
   future repurposing of the it when it is used.

 * The userdiff pattern for .php has been updated.

 * The content-transfer-encoding of the message "git send-email" sends
   out by default was 8bit, which can cause trouble when there is an
   overlong line to bust RFC 5322/2822 limit.  A new option 'auto' to
   automatically switch to quoted-printable when there is such a line
   in the payload has been introduced and is made the default.

 * "git checkout" and "git worktree add" learned to honor
   checkout.defaultRemote when auto-vivifying a local branch out of a
   remote tracking branch in a repository with multiple remotes that
   have tracking branches that share the same names.
   (merge 8d7b558bae ab/checkout-default-remote later to maint).

 * "git grep" learned the "--only-matching" option.

 * "git rebase --rebase-merges" mode now handles octopus merges as
   well.

 * Add a server-side knob to skip commits in exponential/fibbonacci
   stride in an attempt to cover wider swath of history with a smaller
   number of iterations, potentially accepting a larger packfile
   transfer, instead of going back one commit a time during common
   ancestor discovery during the "git fetch" transaction.
   (merge 42cc7485a2 jt/fetch-negotiator-skipping later to maint).

 * A new configuration variable core.usereplacerefs has been added,
   primarily to help server installations that want to ignore the
   replace mechanism altogether.

 * Teach "git tag -s" etc. a few configuration variables (gpg.format
   that can be set to "openpgp" or "x509", and \ 
gpg.<format>.program
   that is used to specify what program to use to deal with the format)
   to allow x.509 certs with CMS via "gpgsm" to be used instead of
   openpgp via "gnupg".

 * Many more strings are prepared for l10n.

 * "git p4 submit" learns to ask its own pre-submit hook if it should
   continue with submitting.

 * The test performed at the receiving end of "git push" to prevent
   bad objects from entering repository can be customized via
   receive.fsck.* configuration variables; we now have gained a
   counterpart to do the same on the "git fetch" side, with
   fetch.fsck.* configuration variables.

 * "git pull --rebase=interactive" learned "i" as a \ 
short-hand for
   "interactive".

 * "git instaweb" has been adjusted to run better with newer Apache on
   RedHat based distros.

 * "git range-diff" is a reimplementation of "git tbdiff" \ 
that lets us
   compare individual patches in two iterations of a topic.

 * The sideband code learned to optionally paint selected keywords at
   the beginning of incoming lines on the receiving end.

 * "git branch --list" learned to take the default sort order from the
   'branch.sort' configuration variable, just like "git tag --list"
   pays attention to 'tag.sort'.

 * "git worktree" command learned "--quiet" option to make \ 
it less
   verbose.

Performance, Internal Implementation, Development Support etc.

 * The bulk of "git submodule foreach" has been rewritten in C.

 * The in-core "commit" object had an all-purpose "void \ 
*util" field,
   which was tricky to use especially in library-ish part of the
   code.  All of the existing uses of the field has been migrated to a
   more dedicated "commit-slab" mechanism and the field is eliminated.

 * A less often used command "git show-index" has been modernized.
   (merge fb3010c31f jk/show-index later to maint).

 * The conversion to pass "the_repository" and then \ 
"a_repository"
   throughout the object access API continues.

 * Continuing with the idea to programatically enumerate various
   pieces of data required for command line completion, teach the
   codebase to report the list of configuration variables
   subcommands care about to help complete them.

 * Separate "rebase -p" codepath out of "rebase -i" \ 
implementation to
   slim down the latter and make it easier to manage.

 * Make refspec parsing codepath more robust.

 * Some flaky tests have been fixed.

 * Continuing with the idea to programmatically enumerate various
   pieces of data required for command line completion, the codebase
   has been taught to enumerate options prefixed with "--no-" to
   negate them.

 * Build and test procedure for netrc credential helper (in contrib/)
   has been updated.

 * Remove unused function definitions and declarations from ewah
   bitmap subsystem.

 * Code preparation to make "git p4" closer to be usable with Python 3.

 * Tighten the API to make it harder to misuse in-tree .gitmodules
   file, even though it shares the same syntax with configuration
   files, to read random configuration items from it.

 * "git fast-import" has been updated to avoid attempting to create
   delta against a zero-byte-long string, which is pointless.

 * The codebase has been updated to compile cleanly with -pedantic
   option.
   (merge 2b647a05d7 bb/pedantic later to maint).

 * The character display width table has been updated to match the
   latest Unicode standard.
   (merge 570951eea2 bb/unicode-11-width later to maint).

 * test-lint now looks for broken use of "VAR=VAL shell_func" in test
   scripts.

 * Conversion from uchar[40] to struct object_id continues.

 * Recent "security fix" to pay attention to contents of \ 
".gitmodules"
   while accepting "git push" was a bit overly strict than necessary,
   which has been adjusted.

 * "git fsck" learns to make sure the optional commit-graph file is in
   a sane state.

 * "git diff --color-moved" feature has further been tweaked.

 * Code restructuring and a small fix to transport protocol v2 during
   fetching.

 * Parsing of -L[<N>][,[<M>]] parameters "git blame" and \ 
"git log"
   take has been tweaked.

 * lookup_commit_reference() and friends have been updated to find
   in-core object for a specific in-core repository instance.

 * Various glitches in the heuristics of merge-recursive strategy have
   been documented in new tests.

 * "git fetch" learned a new option "--negotiation-tip" to \ 
limit the
   set of commits it tells the other end as "have", to reduce wasted
   bandwidth and cycles, which would be helpful when the receiving
   repository has a lot of refs that have little to do with the
   history at the remote it is fetching from.

 * For a large tree, the index needs to hold many cache entries
   allocated on heap.  These cache entries are now allocated out of a
   dedicated memory pool to amortize malloc(3) overhead.

 * Tests to cover various conflicting cases have been added for
   merge-recursive.

 * Tests to cover conflict cases that involve submodules have been
   added for merge-recursive.

 * Look for broken "&&" chains that are hidden in subshell, many of
   which have been found and corrected.

 * The singleton commit-graph in-core instance is made per in-core
   repository instance.

 * "make DEVELOPER=1 DEVOPTS=pedantic" allows developers to compile
   with -pedantic option, which may catch more problematic program
   constructs and potential bugs.

 * Preparatory code to later add json output for telemetry data has
   been added.

 * Update the way we use Coccinelle to find out-of-style code that
   need to be modernised.

 * It is too easy to misuse system API functions such as strcat();
   these selected functions are now forbidden in this codebase and
   will cause a compilation failure.

 * Add a script (in contrib/) to help users of VSCode work better with
   our codebase.

 * The Travis CI scripts were taught to ship back the test data from
   failed tests.
   (merge aea8879a6a sg/travis-retrieve-trash-upon-failure later to maint).

 * The parse-options machinery learned to refrain from enclosing
   placeholder string inside a "<bra" and "ket>" pair \ 
automatically
   without PARSE_OPT_LITERAL_ARGHELP.  Existing help text for option
   arguments that are not formatted correctly have been identified and
   fixed.
   (merge 5f0df44cd7 rs/parse-opt-lithelp later to maint).

 * Noiseword "extern" has been removed from function decls in the
   header files.

 * A few atoms like %(objecttype) and %(objectsize) in the format
   specifier of "for-each-ref --format=<format>" can be filled \ 
without
   getting the full contents of the object, but just with the object
   header.  These cases have been optimized by calling
   oid_object_info() API (instead of reading and inspecting the data).

 * The end result of documentation update has been made to be
   inspected more easily to help developers.

 * The API to iterate over all objects learned to optionally list
   objects in the order they appear in packfiles, which helps locality
   of access if the caller accesses these objects while as objects are
   enumerated.

 * Improve built-in facility to catch broken &&-chain in the tests.

 * The more library-ish parts of the codebase learned to work on the
   in-core index-state instance that is passed in by their callers,
   instead of always working on the singleton "the_index" instance.

 * A test prerequisite defined by various test scripts with slightly
   different semantics has been consolidated into a single copy and
   made into a lazily defined one.
   (merge 6ec633059a wc/make-funnynames-shared-lazy-prereq later to maint).

 * After a partial clone, repeated fetches from promisor remote would
   have accumulated many packfiles marked with .promisor bit without
   getting them coalesced into fewer packfiles, hurting performance.
   "git repack" now learned to repack them.

 * Partially revert the support for multiple hash functions to regain
   hash comparison performance; we'd think of a way to do this better
   in the next cycle.

 * "git help --config" (which is used in command line completion)
   missed the configuration variables not described in the main
   config.txt file but are described in another file that is included
   by it, which has been corrected.

 * The test linter code has learned that the end of here-doc mark
   "EOF" can be quoted in a double-quote pair, not just in a
   single-quote pair.

Log message:
Recursive bump for perl5-5.28.0

Log message:
revbump after boost-libs update

Log message:
git: updated to 2.18.0

2.18.0:

UI, Workflows & Features

 * Rename detection logic that is used in "merge" and \ 
"cherry-pick" has
   learned to guess when all of x/a, x/b and x/c have moved to z/a,
   z/b and z/c, it is likely that x/d added in the meantime would also
   want to move to z/d by taking the hint that the entire directory
   'x' moved to 'z'.  A bug causing dirty files involved in a rename
   to be overwritten during merge has also been fixed as part of this
   work.  Incidentally, this also avoids updating a file in the
   working tree after a (non-trivial) merge whose result matches what
   our side originally had.

 * "git filter-branch" learned to use a different exit code to allow
   the callers to tell the case where there was no new commits to
   rewrite from other error cases.

 * When built with more recent cURL, GIT_SSL_VERSION can now specify
   "tlsv1.3" as its value.

 * "git gui" learned that "~/.ssh/id_ecdsa.pub" and
   "~/.ssh/id_ed25519.pub" are also possible SSH key files.
   (merge 2e2f0288ef bb/git-gui-ssh-key-files later to maint).

 * "git gui" performs commit upon CTRL/CMD+ENTER but the
   CTRL/CMD+KP_ENTER (i.e. enter key on the numpad) did not have the
   same key binding.  It now does.
   (merge 28a1d94a06 bp/git-gui-bind-kp-enter later to maint).

 * "git gui" has been taught to work with old versions of tk (like
   8.5.7) that do not support "ttk::style theme use" as a way to query
   the current theme.
   (merge 4891961105 cb/git-gui-ttk-style later to maint).

 * "git rebase" has learned to honor "--signoff" option when \ 
using
   backends other than "am" (but not "--preserve-merges").

 * "git branch --list" during an interrupted "rebase -i" now lets
   users distinguish the case where a detached HEAD is being rebased
   and a normal branch is being rebased.

 * "git mergetools" learned talking to guiffy.

 * The scripts in contrib/emacs/ have outlived their usefulness and
   have been replaced with a stub that errors out and tells the user
   there are replacements.

 * The new "working-tree-encoding" attribute can ask Git to convert the
   contents to the specified encoding when checking out to the working
   tree (and the other way around when checking in).

 * The "git config" command uses separate options e.g. "--int",
   "--bool", etc. to specify what type the caller wants the value to
   be interpreted as.  A new "--type=<typename>" option has been
   introduced, which would make it cleaner to define new types.

 * "git config --get" learned the "--default" option, to help the
   calling script.  Building on top of the above changes, the
   "git config" learns "--type=color" type.  Taken together, \ 
you can
   do things like "git config --get foo.color --default blue" and get
   the ANSI color sequence for the color given to foo.color variable,
   or "blue" if the variable does not exist.

 * "git ls-remote" learned an option to allow sorting its output based
   on the refnames being shown.

 * The command line completion (in contrib/) has been taught that "git
   stash save" has been deprecated ("git stash push" is the preferred
   spelling in the new world) and does not offer it as a possible
   completion candidate when "git stash push" can be.

 * "git gc --prune=nonsense" spent long time repacking and then
   silently failed when underlying "git prune --expire=nonsense"
   failed to parse its command line.  This has been corrected.

 * Error messages from "git push" can be painted for more visibility.

 * "git http-fetch" (deprecated) had an optional and experimental
   "feature" to fetch only commits and/or trees, which nobody used.
   This has been removed.

 * The functionality of "$GIT_DIR/info/grafts" has been superseded by
   the "refs/replace/" mechanism for some time now, but the internal
   code had support for it in many places, which has been cleaned up
   in order to drop support of the "grafts" mechanism.

 * "git worktree add" learned to check out an existing branch.

 * "git --no-pager cmd" did not have short-and-sweet single letter
   option. Now it does as "-P".
   (merge 7213c28818 js/no-pager-shorthand later to maint).

 * "git rebase" learned "--rebase-merges" to transplant the whole
   topology of commit graph elsewhere.

 * "git status" learned to pay attention to UI related diff
   configuration variables such as diff.renames.

 * The command line completion mechanism (in contrib/) learned to load
   custom completion file for "git $command" where $command is a
   custom "git-$command" that the end user has on the $PATH when using
   newer version of bash-completion.

 * "git send-email" can sometimes offer confirmation dialog "Send this
   email?" with choices 'Yes', 'No', 'Quit', and 'All'.  A new action
   'Edit' has been added to this dialog's choice.

 * With merge.renames configuration set to false, the recursive merge
   strategy can be told not to spend cycles trying to find renamed
   paths and merge them accordingly.

 * "git status" learned to honor a new status.renames configuration to
   skip rename detection, which could be useful for those who want to
   do so without disabling the default rename detection done by the
   "git diff" command.

 * Command line completion (in contrib/) learned to complete pathnames
   for various commands better.

 * "git blame" learns to unhighlight uninteresting metadata from the
   originating commit on lines that are the same as the previous one,
   and also paint lines in different colors depending on the age of
   the commit.

 * Transfer protocol v2 learned to support the partial clone.

 * When a short hexadecimal string is used to name an object but there
   are multiple objects that share the string as the prefix of their
   names, the code lists these ambiguous candidates in a help message.
   These object names are now sorted according to their types for
   easier eyeballing.

 * "git fetch $there $refspec" that talks over protocol v2 can take
   advantage of server-side ref filtering; the code has been extended
   so that this mechanism triggers also when fetching with configured
   refspec.

 * Our HTTP client code used to advertise that we accept gzip encoding
   from the other side; instead, just let cURL library to advertise
   and negotiate the best one.

 * "git p4" learned to "unshelve" shelved commit from P4.
   (merge 123f631761 ld/p4-unshelve later to maint).

Log message:
git: updated to 2.17.1

Git v2.17.1:

Fixes:

 * This release contains the same fixes made in the v2.13.7 version of
   Git, covering CVE-2018-11233 and 11235, and forward-ported to
   v2.14.4, v2.15.2 and v2.16.4 releases.  See release notes to
   v2.13.7 for details.

 * In addition to the above fixes, this release has support on the
   server side to reject pushes to repositories that attempt to create
   such problematic .gitmodules file etc. as tracked contents, to help
   hosting sites protect their customers by preventing malicious
   contents from spreading.

Log message:
revbump for boost-libs update

Log message:
git-base: bump PKGREVISION for more installed files.