./devel/git, GIT version control suite meta-package

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 2.27.0, Package name: git-2.27.0, Maintainer: pkgsrc-users

This package is a meta package, collecting the components that are
widely expected to be installed for the GIT distributed version
control suite, i.e., the tool itself, the man pages, and contrib scripts.

See git-base for a minimal installation of the command-line tools.
See git-gitk for the tk-based browser gitk, no longer included in the
git meta-package.


Required to run:
[devel/git-base] [devel/git-docs] [devel/git-contrib]

Required to build:
[pkgtools/cwrappers]

Master sites:


Version history: (Expand)


CVS history: (Expand)


   2020-06-03 16:06:48 by Adam Ciarcinski | Files touched by this commit (6) | Package updated
Log message:
git: updated to 2.27.0

Git 2.27 Release Notes
======================

Updates since v2.26
-------------------

Backward compatibility notes

 * When "git describe C" finds that commit C is pointed by a signed or
   annotated tag, which records T as its tagname in the object, the
   command gives T as its answer.  Even if the user renames or moves
   such a tag from its natural location in the "refs/tags/" hierarchy,
   "git describe C" would still give T as the answer, but in such a
   case "git show T^0" would no longer work as expected.  There may be
   nothing at "refs/tags/T" or even worse there may be a different tag
   instead.

   Starting from this version, "git describe" will always use the
   "long" version, as if the "--long" option were given, \ 
when giving
   its output based on such a misplaced tag to work around the problem.

 * "git pull" issues a warning message until the pull.rebase
   configuration variable is explicitly given, which some existing
   users may find annoying---those who prefer not to rebase need to
   set the variable to false to squelch the warning.

 * The transport protocol version 2, which was promoted to the default
   in Git 2.26 release, turned out to have some remaining rough edges,
   so it has been demoted from the default.

UI, Workflows & Features

 * A handful of options to configure SSL when talking to proxies have
   been added.

 * Smudge/clean conversion filters are now given more information
   (e.g. the object of the tree-ish in which the blob being converted
   appears, in addition to its path, which has already been given).

 * When "git describe C" finds an annotated tag with tagname A to be
   the best name to explain commit C, and the tag is stored in a
   "wrong" place in the refs/tags hierarchy, e.g. refs/tags/B, the
   command gave a warning message but used A (not B) to describe C.
   If C is exactly at the tag, the describe output would be "A", but
   "git rev-parse A^0" would not be equal as "git rev-parse \ 
C^0".  The
   behavior of the command has been changed to use the "long" form
   i.e. A-0-gOBJECTNAME, which is correctly interpreted by rev-parse.

 * "git pull" learned to warn when no pull.rebase configuration
   exists, and neither --[no-]rebase nor --ff-only is given (which
   would result a merge).

 * "git p4" learned four new hooks and also "--no-verify" \ 
option to
   bypass them (and the existing "p4-pre-submit" hook).

 * "git pull" shares many options with underlying "git \ 
fetch", but
   some of them were not documented and some of those that would make
   sense to pass down were not passed down.

 * "git rebase" learned the "--no-gpg-sign" option to countermand
   commit.gpgSign the user may have.

 * The output from "git format-patch" uses RFC 2047 encoding for
   non-ASCII letters on From: and Subject: headers, so that it can
   directly be fed to e-mail programs.  A new option has been added
   to produce these headers in raw.

 * "git log" learned "--show-pulls" that helps pathspec limited
   history views; a merge commit that takes the whole change from a
   side branch, which is normally omitted from the output, is shown
   in addition to the commits that introduce real changes.

 * The interactive input from various codepaths are consolidated and
   any prompt possibly issued earlier are fflush()ed before we read.

 * Allow "git rebase" to reapply all local commits, even if the may be
   already in the upstream, without checking first.

 * The 'pack.useSparse' configuration variable now defaults to 'true',
   enabling an optimization that has been experimental since Git 2.21.

 * "git rebase" happens to call some hooks meant for \ 
"checkout" and
   "commit" by this was not a designed behaviour than historical
   accident.  This has been documented.

 * "git merge" learns the "--autostash" option.

 * "sparse-checkout" UI improvements.

 * "git update-ref --stdin" learned a handful of new verbs to let the
   user control ref update transactions more explicitly, which helps
   as an ingredient to implement two-phase commit-style atomic
   ref-updates across multiple repositories.

 * "git commit-graph write" learned different ways to write out split
   files.

 * Introduce an extension to the commit-graph to make it efficient to
   check for the paths that were modified at each commit using Bloom
   filters.

 * The approxidate parser learns to parse seconds with fraction and
   ignore fractional part.

 * The userdiff patterns for Markdown documents have been added.

 * The sparse-checkout patterns have been forbidden from excluding all
   paths, leaving an empty working tree, for a long time.  This
   limitation has been lifted.

 * "git restore --staged --worktree" now defaults to take the contents
   out of "HEAD", instead of erring out.

 * "git p4" learned to recover from a (broken) state where a directory
   and a file are recorded at the same path in the Perforce repository
   the same way as their clients do.

 * "git multi-pack-index repack" has been taught to honor some
   repack.* configuration variables.

Performance, Internal Implementation, Development Support etc.

 * The advise API has been revamped to allow more systematic enumeration of
   advice knobs in the future.

 * SHA-256 transition continues.

 * The code to interface with GnuPG has been refactored.

 * "git stash" has kept an escape hatch to use the scripted version
   for a few releases, which got stale.  It has been removed.

 * Enable tests that require GnuPG on Windows.

 * Minor test usability improvement.

 * Trace2 enhancement to allow logging of the environment variables.

 * Test clean-up continues.

 * Perf-test update.

 * A Windows-specific test element has been made more robust against
   misuse from both user's environment and programmer's errors.

 * Various tests have been updated to work around issues found with
   shell utilities that come with busybox etc.

 * The config API made mixed uses of int and size_t types to represent
   length of various pieces of text it parsed, which has been updated
   to use the correct type (i.e. size_t) throughout.

 * The "--decorate-refs" and "--decorate-refs-exclude" \ 
options "git
   log" takes have learned a companion configuration variable
   log.excludeDecoration that sits at the lowest priority in the
   family.

 * A new CI job to build and run test suite on linux with musl libc
   has been added.

 * Update the CI configuration to use GitHub Actions, retiring the one
   based on Azure Pipelines.

 * The directory traversal code had redundant recursive calls which
   made its performance characteristics exponential with respect to
   the depth of the tree, which was corrected.

 * "git blame" learns to take advantage of the \ 
"changed-paths" Bloom
   filter stored in the commit-graph file.

 * The "bugreport" tool has been added.

 * The object walk with object filter "--filter=tree:0" can now take
   advantage of the pack bitmap when available.

 * Instead of always building all branches at GitHub via Actions,
   users can specify which branches to build.

 * Codepaths that show progress meter have been taught to also use the
   start_progress() and the stop_progress() calls as a "region" to be
   traced.

 * Instead of downloading Windows SDK for CI jobs for windows builds
   from an external site (wingit.blob.core.windows.net), use the one
   created in the windows-build job, to work around quota issues at
   the external site.
   2020-04-20 22:03:32 by Leonardo Taccari | Files touched by this commit (2) | Package updated
Log message:
git: Update to 2.26.2

Changes:
2.26.2
------
This release is to address the security issue: CVE-2020-11008

 * With a crafted URL that contains a newline or empty host, or lacks
   a scheme, the credential helper machinery can be fooled into
   providing credential information that is not appropriate for the
   protocol in use and host being contacted.

   Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
   credentials are not for a host of the attacker's choosing; instead,
   they are for some unspecified host (based on how the configured
   credential helper handles an absent "host" parameter).

   The attack has been made impossible by refusing to work with
   under-specified credential patterns.

Credit for finding the vulnerability goes to Carlo Arenas.
   2020-04-14 20:27:31 by Leonardo Taccari | Files touched by this commit (2) | Package updated
Log message:
git: Update to 2.26.1

Changes:
2.26.1
------
This release is to address the security issue: CVE-2020-5260

 * With a crafted URL that contains a newline in it, the credential
   helper machinery can be fooled to give credential information for
   a wrong host.  The attack has been made impossible by forbidding
   a newline character in any value passed via the credential
   protocol.

Credit for finding the vulnerability goes to Felix Wilhelm of Google
Project Zero.
   2020-04-02 09:46:42 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
git: updated to 2.26.0

Git 2.26 Release Notes
======================

Updates since v2.25
-------------------

Backward compatibility notes

 * "git rebase" uses a different backend that is based on the 'merge'
   machinery by default.  There are a few known differences in the
   behaviour from the traditional machinery based on patch+apply.

   If your workflow is negatively affected by this change, please
   report it to git@vger.kernel.org so that we can take a look into
   it.  After doing so, you can set the 'rebase.backend' configuration
   variable to 'apply', in order to use the old default behaviour in
   the meantime.

UI, Workflows & Features

 * Sample credential helper for using .netrc has been updated to work
   out of the box.

 * gpg.minTrustLevel configuration variable has been introduced to
   tell various signature verification codepaths the required minimum
   trust level.

 * The command line completion (in contrib/) learned to complete
   subcommands and arguments to "git worktree".

 * Disambiguation logic to tell revisions and pathspec apart has been
   tweaked so that backslash-escaped glob special characters do not
   count in the "wildcards are pathspec" rule.

 * One effect of specifying where the GIT_DIR is (either with the
   environment variable, or with the "git --git-dir=<where> cmd"
   option) is to disable the repository discovery.  This has been
   placed a bit more stress in the documentation, as new users often
   get confused.

 * Two help messages given when "git add" notices the user gave it
   nothing to add have been updated to use advise() API.

 * A new version of fsmonitor-watchman hook has been introduced, to
   avoid races.

 * "git config" learned to show in which "scope", in \ 
addition to in
   which file, each config setting comes from.

 * The basic 7 colors learned the brighter counterparts
   (e.g. "brightred").

 * "git sparse-checkout" learned a new "add" subcommand.

 * A configuration element used for credential subsystem can now use
   wildcard pattern to specify for which set of URLs the entry
   applies.

 * "git clone --recurse-submodules --single-branch" now uses the same
   single-branch option when cloning the submodules.

 * "git rm" and "git stash" learns the new \ 
"--pathspec-from-file"
   option.

 * "git am --show-current-patch" is a way to show the piece of e-mail
   for the stopped step, which is not suitable to directly feed "git
   apply" (it is designed to be a good "git am" input).  It learned a
   new option to show only the patch part.

 * Handling of conflicting renames in merge-recursive have further
   been made consistent with how existing codepaths try to mimic what
   is done to add/add conflicts.

Performance, Internal Implementation, Development Support etc.

 * Tell .editorconfig that in this project, *.txt files are indented
   with tabs.

 * The test-lint machinery knew to check "VAR=VAL shell_function"
   construct, but did not check "VAR= shell_function", which has been
   corrected.

 * Replace "git config --bool" calls with "git config \ 
--type=bool" in
   sample templates.

 * The effort to move "git-add--interactive" to C continues.

 * Improve error message generation for "git submodule add".

 * Preparation of test scripts for the day when the object names will
   use SHA-256 continues.

 * Warn programmers about pretend_object_file() that allows the code
   to tentatively use in-core objects.

 * The way "git pack-objects" reuses objects stored in existing pack
   to generate its result has been improved.

 * The transport protocol version 2 becomes the default one.

 * Traditionally, we avoided threaded grep while searching in objects
   (as opposed to files in the working tree) as accesses to the object
   layer is not thread-safe.  This limitation is getting lifted.

 * "git rebase -i" (and friends) used to unnecessarily check out the
   tip of the branch to be rebased, which has been corrected.

 * A low-level API function get_oid(), that accepts various ways to
   name an object, used to issue end-user facing error messages
   without l10n, which has been updated to be translatable.

 * Unneeded connectivity check is now disabled in a partial clone when
   fetching into it.

 * Some rough edges in the sparse-checkout feature, especially around
   the cone mode, have been cleaned up.

 * The diff-* plumbing family of subcommands now pay attention to the
   diff.wsErrorHighlight configuration, which has been ignored before;
   this allows "git add -p" to also show the whitespace problems to
   the end user.

 * Some codepaths were given a repository instance as a parameter to
   work in the repository, but passed the_repository instance to its
   callees, which has been cleaned up (somewhat).

 * Memory footprint and performance of "git name-rev" has been
   improved.

 * The object reachability bitmap machinery and the partial cloning
   machinery were not prepared to work well together, because some
   object-filtering criteria that partial clones use inherently rely
   on object traversal, but the bitmap machinery is an optimization
   to bypass that object traversal.  There however are some cases
   where they can work together, and they were taught about them.

 * "git rebase" has learned to use the merge backend (i.e. the
   machinery that drives "rebase -i") by default, while allowing
   "--apply" option to use the "apply" backend (e.g. the moral
   equivalent of "format-patch piped to am").  The rebase.backend
   configuration variable can be set to customize.

 * Underlying machinery of "git bisect--helper" is being refactored
   into pieces that are more easily reused.

Fixes since v2.25
-----------------

 * "git commit" gives output similar to "git status" when \ 
there is
   nothing to commit, but without honoring the advise.statusHints
   configuration variable, which has been corrected.

 * has_object_file() said "no" given an object registered to the
   system via pretend_object_file(), making it inconsistent with
   read_object_file(), causing lazy fetch to attempt fetching an
   empty tree from promisor remotes.

 * Complete an update to tutorial that encourages "git switch" over
   "git checkout" that was done only half-way.

 * C pedantry ;-) fix.

 * The code that tries to skip over the entries for the paths in a
   single directory using the cache-tree was not careful enough
   against corrupt index file.

 * Reduce unnecessary round-trip when running "ls-remote" over the
   stateless RPC mechanism.

 * "git restore --staged" did not correctly update the cache-tree
   structure, resulting in bogus trees to be written afterwards, which
   has been corrected.

 * The code recently added to move to the entry beyond the ones in the
   same directory in the index in the sparse-cone mode did not count
   the number of entries to skip over incorrectly, which has been
   corrected.

 * Rendering by "git log --graph" of ancestry lines leading to a merge
   commit were made suboptimal to waste vertical space a bit with a
   recent update, which has been corrected.

 * Work around test breakages caused by custom regex engine used in
   libasan, when address sanitizer is used with more recent versions
   of gcc and clang.

 * Minor bugfixes to "git add -i" that has recently been rewritten in C.

 * "git fetch --refmap=" option has got a better documentation.

 * "git checkout X" did not correctly fail when X is not a local
   branch but could name more than one remote-tracking branches
   (i.e. to be dwimmed as the starting point to create a corresponding
   local branch), which has been corrected.
   (merge fa74180d08 am/checkout-file-and-ref-ref-ambiguity later to maint).

 * Corner case bugs in "git clean" that stems from a (necessarily for
   performance reasons) awkward calling convention in the directory
   enumeration API has been corrected.

 * A fetch that is told to recursively fetch updates in submodules
   inevitably produces reams of output, and it becomes hard to spot
   error messages.  The command has been taught to enumerate
   submodules that had errors at the end of the operation.
   (merge 0222540827 es/fetch-show-failed-submodules-atend later to maint).

 * The "--recurse-submodules" option of various subcommands did not
   work well when run in an alternate worktree, which has been
   corrected.

 * Futureproofing a test not to depend on the current implementation
   detail.

 * Running "git rm" on a submodule failed unnecessarily when
   .gitmodules is only cache-dirty, which has been corrected.

 * C pedantry ;-) fix.

 * "git grep --no-index" should not get affected by the contents of
   the .gitmodules file but when "--recurse-submodules" is given or
   the "submodule.recurse" variable is set, it did.  Now these
   settings are ignored in the "--no-index" mode.

 * Technical details of the bundle format has been documented.

 * Unhelpful warning messages during documentation build have been squelched.

 * "git rebase -i" identifies existing commits in its todo file with
   their abbreviated object name, which could become ambiguous as it
   goes to create new commits, and has a mechanism to avoid ambiguity
   in the main part of its execution.  A few other cases however were
   not covered by the protection against ambiguity, which has been
   corrected.

 * Allow the rebase.missingCommitsCheck configuration to kick in when
   "rebase --edit-todo" and "rebase --continue" restarts the \ 
procedure.
   (merge 5a5445d878 ag/edit-todo-drop-check later to maint).

 * The way "git submodule status" reports an initialized but not yet
   populated submodule has not been reimplemented correctly when a
   part of the "git submodule" command was rewritten in C, which has
   been corrected.
   (merge f38c92452d pk/status-of-uncloned-submodule later to maint).

 * The code to automatically shrink the fan-out in the notes tree had
   an off-by-one bug, which has been killed.

 * The index-pack code now diagnoses a bad input packstream that
   records the same object twice when it is used as delta base; the
   code used to declare a software bug when encountering such an
   input, but it is an input error.

 * The code to compute the commit-graph has been taught to use a more
   robust way to tell if two object directories refer to the same
   thing.
   (merge a7df60cac8 tb/commit-graph-object-dir later to maint).

 * "git remote rename X Y" needs to adjust configuration variables
   (e.g. branch.<name>.remote) whose value used to be X to Y.
   branch.<name>.pushRemote is now also updated.

 * Update to doc-diff.

 * Doc markup fix.

 * "git check-ignore" did not work when the given path is explicitly
   marked as not ignored with a negative entry in the .gitignore file.

 * The merge-recursive machinery failed to refresh the cache entry for
   a merge result in a couple of places, resulting in an unnecessary
   merge failure, which has been fixed.

 * Fix for a bug revealed by a recent change to make the protocol v2
   the default.

 * In rare cases "git worktree add <path>" could think that \ 
<path>
   was already a registered worktree even when it wasn't and refuse
   to add the new worktree. This has been corrected.
   (merge bb69b3b009 es/worktree-avoid-duplication-fix later to maint).

 * "git push" should stop from updating a branch that is checked out
   when receive.denyCurrentBranch configuration is set, but it failed
   to pay attention to checkouts in secondary worktrees.  This has
   been corrected.
   (merge 4d864895a2 hv/receive-denycurrent-everywhere later to maint).

 * "git rebase BASE BRANCH" rebased/updated the tip of BRANCH and
   checked it out, even when the BRANCH is checked out in a different
   worktree.  This has been corrected.
   (merge b5cabb4a96 es/do-not-let-rebase-switch-to-protected-branch later to maint).

 * "git describe" in a repository with multiple root commits sometimes
   gave up looking for the best tag to describe a given commit with
   too early, which has been adjusted.

 * "git merge signed-tag" while lacking the public key started to say
   "No signature", which was utterly wrong.  This regression has been
   reverted.

 * MinGW's poll() emulation has been improved.

 * "git show" and others gave an object name in raw format in its
   error output, which has been corrected to give it in hex.

 * "git fetch" over HTTP walker protocol did not show any progress
   output.  We inherently do not know how much work remains, but still
   we can show something not to bore users.
   (merge 7655b4119d rs/show-progress-in-dumb-http-fetch later to maint).

 * Both "git ls-remote -h" and "git grep -h" give short \ 
usage help,
   like any other Git subcommand, but it is not unreasonable to expect
   that the former would behave the same as "git ls-remote --head"
   (there is no other sensible behaviour for the latter).  The
   documentation has been updated in an attempt to clarify this.
   2020-03-19 18:08:06 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
git: updated to 2.52.2

Git 2.25.2 Release Notes
========================

Fixes since v2.25.1
-------------------

 * Minor bugfixes to "git add -i" that has recently been rewritten in C.

 * An earlier update to show the location of working tree in the error
   message did not consider the possibility that a git command may be
   run in a bare repository, which has been corrected.

 * The "--recurse-submodules" option of various subcommands did not
   work well when run in an alternate worktree, which has been
   corrected.

 * Running "git rm" on a submodule failed unnecessarily when
   .gitmodules is only cache-dirty, which has been corrected.

 * "git rebase -i" identifies existing commits in its todo file with
   their abbreviated object name, which could become ambigous as it
   goes to create new commits, and has a mechanism to avoid ambiguity
   in the main part of its execution.  A few other cases however were
   not covered by the protection against ambiguity, which has been
   corrected.

 * The index-pack code now diagnoses a bad input packstream that
   records the same object twice when it is used as delta base; the
   code used to declare a software bug when encountering such an
   input, but it is an input error.

 * The code to automatically shrink the fan-out in the notes tree had
   an off-by-one bug, which has been killed.

 * "git check-ignore" did not work when the given path is explicitly
   marked as not ignored with a negative entry in the .gitignore file.

 * The merge-recursive machinery failed to refresh the cache entry for
   a merge result in a couple of places, resulting in an unnecessary
   merge failure, which has been fixed.

 * Fix for a bug revealed by a recent change to make the protocol v2
   the default.

 * "git merge signed-tag" while lacking the public key started to say
   "No signature", which was utterly wrong.  This regression has been
   reverted.

 * MinGW's poll() emulation has been improved.

 * "git show" and others gave an object name in raw format in its
   error output, which has been corrected to give it in hex.

 * Both "git ls-remote -h" and "git grep -h" give short \ 
usage help,
   like any other Git subcommand, but it is not unreasonable to expect
   that the former would behave the same as "git ls-remote --head"
   (there is no other sensible behaviour for the latter).  The
   documentation has been updated in an attempt to clarify this.

Also contains various documentation updates, code clean-ups and minor fixups.
   2020-02-24 17:08:10 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
git: updated to 2.25.1

Git 2.25.1 Release Notes
========================

Fixes since v2.25
-----------------

 * "git commit" gives output similar to "git status" when \ 
there is
   nothing to commit, but without honoring the advise.statusHints
   configuration variable, which has been corrected.

 * has_object_file() said "no" given an object registered to the
   system via pretend_object_file(), making it inconsistent with
   read_object_file(), causing lazy fetch to attempt fetching an
   empty tree from promisor remotes.

 * The code that tries to skip over the entries for the paths in a
   single directory using the cache-tree was not careful enough
   against corrupt index file.

 * Complete an update to tutorial that encourages "git switch" over
   "git checkout" that was done only half-way.

 * Reduce unnecessary round-trip when running "ls-remote" over the
   stateless RPC mechanism.

 * "git restore --staged" did not correctly update the cache-tree
   structure, resulting in bogus trees to be written afterwards, which
   has been corrected.

 * The code recently added to move to the entry beyond the ones in the
   same directory in the index in the sparse-cone mode did not count
   the number of entries to skip over incorrectly, which has been
   corrected.

 * Work around test breakages caused by custom regex engine used in
   libasan, when address sanitizer is used with more recent versions
   of gcc and clang.

 * "git fetch --refmap=" option has got a better documentation.

 * Corner case bugs in "git clean" that stems from a (necessarily for
   performance reasons) awkward calling convention in the directory
   enumeration API has been corrected.

 * "git grep --no-index" should not get affected by the contents of
   the .gitmodules file but when "--recurse-submodules" is given or
   the "submodule.recurse" variable is set, it did.  Now these
   settings are ignored in the "--no-index" mode.

 * Technical details of the bundle format has been documented.

 * Unhelpful warning messages during documentation build have been
   squelched.
   2020-01-20 21:07:41 by Adam Ciarcinski | Files touched by this commit (6) | Package updated
Log message:
git: updated to 2.25.0

Git 2.25 Release Notes
======================

Updates since v2.24
-------------------

Backward compatibility notes

UI, Workflows & Features

 * A tutorial on object enumeration has been added.

 * The branch description ("git branch --edit-description") has been
   used to fill the body of the cover letters by the format-patch
   command; this has been enhanced so that the subject can also be
   filled.

 * "git rebase --preserve-merges" has been marked as deprecated; this
   release stops advertising it in the "git rebase -h" output.

 * The code to generate multi-pack index learned to show (or not to
   show) progress indicators.

 * "git apply --3way" learned to honor merge.conflictStyle
   configuration variable, like merges would.

 * The custom format for "git log --format=<format>" learned the l/L
   placeholder that is similar to e/E that fills in the e-mail
   address, but only the local part on the left side of '@'.

 * Documentation pages for "git shortlog" now list commit limiting
   options explicitly.

 * The patterns to detect function boundary for Elixir language has
   been added.

 * The completion script (in contrib/) learned that the "--onto"
   option of "git rebase" can take its argument as the value of the
   option.

 * The userdiff machinery has been taught that "async def" is another
   way to begin a "function" in Python.

 * "git range-diff" learned to take the \ 
"--notes=<ref>" and the
   "--no-notes" options to control the commit notes included in the
   log message that gets compared.

 * "git rev-parse --show-toplevel" run outside of any working tree did
   not error out, which has been corrected.

 * A few commands learned to take the pathspec from the standard input
   or a named file, instead of taking it as the command line
   arguments, with the "--pathspec-from-file" option.

 * "git submodule" learned a subcommand "set-url".

 * "git log" family learned "--pretty=reference" that gives \ 
the name
   of a commit in the format that is often used to refer to it in log
   messages.

 * The interaction between "git clone --recurse-submodules" and
   alternate object store was ill-designed.  The documentation and
   code have been taught to make more clear recommendations when the
   users see failures.

 * Management of sparsely checked-out working tree has gained a
   dedicated "sparse-checkout" command.

 * Miscellaneous small UX improvements on "git-p4".

 * "git sparse-checkout list" subcommand learned to give its output in
   a more concise form when the "cone" mode is in effect.

Performance, Internal Implementation, Development Support etc.

 * Debugging support for lazy cloning has been a bit improved.

 * Move the definition of a set of bitmask constants from 0ctal
   literal to (1U<<count) notation.

 * Test updates to prepare for SHA-2 transition continues.

 * Crufty code and logic accumulated over time around the object
   parsing and low-level object access used in "git fsck" have been
   cleaned up.

 * The implementation of "git log --graph" got refactored and then its
   output got simplified.

 * Follow recent push to move API docs from Documentation/ to header
   files and update config.h

 * "git bundle" has been taught to use the parse options API.  "git
   bundle verify" learned "--quiet" and "git bundle \ 
create" learned
   options to control the progress output.

 * Handling of commit objects that use non UTF-8 encoding during
   "rebase -i" has been improved.

 * The beginning of rewriting "git add -i" in C.

 * A label used in the todo list that are generated by "git rebase
   --rebase-merges" is used as a part of a refname; the logic to come
   up with the label has been tightened to avoid names that cannot be
   used as such.

 * The logic to avoid duplicate label names generated by "git rebase
   --rebase-merges" forgot that the machinery itself uses "onto" as a
   label name, which must be avoided by auto-generated labels, which
   has been corrected.

 * We have had compatibility fallback macro definitions for "PRIuMAX",
   "PRIu32", etc. but did not for "PRIdMAX", while the code \ 
used the
   last one apparently without any hiccup reported recently.  The
   fallback macro definitions for these <inttypes.h> macros that must
   appear in C99 systems have been removed.

 * Recently we have declared that GIT_TEST_* variables take the
   usual boolean values (it used to be that some used "non-empty
   means true" and taking GIT_TEST_VAR=YesPlease as true); make
   sure we notice and fail when non-bool strings are given to
   these variables.

 * Users of oneway_merge() (like "reset --hard") learned to take
   advantage of fsmonitor to avoid unnecessary lstat(2) calls.

 * Performance tweak on "git push" into a repository with many refs
   that point at objects we have never heard of.

 * PerfTest fix to avoid stale result mixed up with the latest round
   of test results.

 * Hide lower-level verify_signed-buffer() API as a pure helper to
   implement the public check_signature() function, in order to
   encourage new callers to use the correct and more strict
   validation.

 * Unnecessary reading of state variables back from the disk during
   sequencer operation has been reduced.

 * The code has been made to avoid gmtime() and localtime() and prefer
   their reentrant counterparts.

 * In a repository with many packfiles, the cost of the procedure that
   avoids registering the same packfile twice was unnecessarily high
   by using an inefficient search algorithm, which has been corrected.

 * Redo "git name-rev" to avoid recursive calls.

 * FreeBSD CI support via Cirrus-CI has been added.

Fixes since v2.24
-----------------

 * "rebase -i" ceased to run post-commit hook by mistake in an earlier
   update, which has been corrected.

 * "git notes copy $original" ought to copy the notes attached to the
   original object to HEAD, but a mistaken tightening to command line
   parameter validation made earlier disabled that feature by mistake.

 * When all files from some subdirectory were renamed to the root
   directory, the directory rename heuristics would fail to detect that
   as a rename/merge of the subdirectory to the root directory, which has
   been corrected.

 * Code clean-up and a bugfix in the logic used to tell worktree local
   and repository global refs apart.

 * "git stash save" in a working tree that is sparsely checked out
   mistakenly removed paths that are outside the area of interest.

 * "git rev-parse --git-path HEAD.lock" did not give the right path
   when run in a secondary worktree.

 * "git merge --no-commit" needs "--no-ff" if you do not \ 
want to move
   HEAD, which has been corrected in the manual page for "git bisect".

 * "git worktree add" internally calls "reset --hard" that \ 
should not
   descend into submodules, even when submodule.recurse configuration
   is set, but it was affected.  This has been corrected.

 * Messages from die() etc. can be mixed up from multiple processes
   without even line buffering on Windows, which has been worked
   around.

 * HTTP transport had possible allocator/deallocator mismatch, which
   has been corrected.

 * The watchman integration for fsmonitor was racy, which has been
   corrected to be more conservative.

 * Fetching from multiple remotes into the same repository in parallel
   had a bad interaction with the recent change to (optionally) update
   the commit-graph after a fetch job finishes, as these parallel
   fetches compete with each other.  Which has been corrected.

 * Recent update to "git stash pop" made the command empty the index
   when run with the "--quiet" option, which has been corrected.

 * "git fetch" codepath had a big "do not lazily fetch missing objects
   when I ask if something exists" switch.  This has been corrected by
   marking the "does this thing exist?" calls with "if not please \ 
do not
   lazily fetch it" flag.

 * Test update to avoid wasted cycles.

 * Error handling after "git push" finishes sending the packdata and
   waits for the response to the remote side has been improved.

 * Some codepaths in "gitweb" that forgot to escape URLs generated
   based on end-user input have been corrected.

 * CI jobs for macOS has been made less chatty when updating perforce
   package used during testing.

 * "git unpack-objects" used to show progress based only on the number
   of received and unpacked objects, which stalled when it has to
   handle an unusually large object.  It now shows the throughput as
   well.

 * The sequencer machinery compared the HEAD and the state it is
   attempting to commit to decide if the result would be a no-op
   commit, even when amending a commit, which was incorrect, and
   has been corrected.

 * The code to parse GPG output used to assume incorrectly that the
   finterprint for the primary key would always be present for a valid
   signature, which has been corrected.

 * "git submodule status" and "git submodule status \ 
--cached" show
   different things, but the documentation did not cover them
   correctly, which has been corrected.

 * "git reset --patch $object" without any pathspec should allow a
   tree object to be given, but incorrectly required a committish,
   which has been corrected.

 * "git submodule status" that is run from a subdirectory of the
   superproject did not work well, which has been corrected.

 * The revision walking machinery uses resources like per-object flag
   bits that need to be reset before a new iteration of walking
   begins, but the resources related to topological walk were not
   cleared correctly, which has been corrected.

 * TravisCI update.

 * While running "revert" or "cherry-pick --edit" for multiple
   commits, a recent regression incorrectly detected "nothing to
   commit, working tree clean", instead of replaying the commits,
   which has been corrected.

 * Work around a issue where a FD that is left open when spawning a
   child process and is kept open in the child can interfere with the
   operation in the parent process on Windows.

 * One kind of progress messages were always given during commit-graph
   generation, instead of following the "if it takes more than two
   seconds, show progress" pattern, which has been corrected.

 * "git rebase" did not work well when format.useAutoBase
   configuration variable is set, which has been corrected.

 * The "diff" machinery learned not to lose added/removed blank lines
   in the context when --ignore-blank-lines and --function-context are
   used at the same time.

 * The test on "fast-import" used to get stuck when \ 
"fast-import" died
   in the middle.

 * "git format-patch" can take a set of configured format.notes values
   to specify which notes refs to use in the log message part of the
   output.  The behaviour of this was not consistent with multiple
   --notes command line options, which has been corrected.

 * "git p4" used to ignore lfs.storage configuration variable, which
   has been corrected.

 * Assorted fixes to the directory traversal API.

 * Forbid pathnames that the platform's filesystem cannot represent on
   MinGW.

 * "git rebase --signoff" stopped working when the command was written
   in C, which has been corrected.

 * An earlier update to Git for Windows declared that a tree object is
   invalid if it has a path component with backslash in it, which was
   overly strict, which has been corrected.  The only protection the
   Windows users need is to prevent such path (or any path that their
   filesystem cannot check out) from entering the index.

 * The code to write split commit-graph file(s) upon fetching computed
   bogus value for the parameter used in splitting the resulting
   files, which has been corrected.

 * Other code cleanup, docfix, build fix, etc.
   2019-12-10 19:32:38 by Leonardo Taccari | Files touched by this commit (3) | Package updated
Log message:
git: Update to 2.24.1

Changes:
2.24.1
======

This release merges up the fixes that appear in v2.14.6, v2.15.4,
v2.17.3, v2.20.2 and in v2.21.1, addressing the security issues
CVE-2019-1348, CVE-2019-1349, CVE-2019-1350, CVE-2019-1351,
CVE-2019-1352, CVE-2019-1353, CVE-2019-1354, CVE-2019-1387, and
CVE-2019-19604.

 * CVE-2019-1348:
   The --export-marks option of git fast-import is exposed also via
   the in-stream command feature export-marks=... and it allows
   overwriting arbitrary paths.

 * CVE-2019-1349:
   When submodules are cloned recursively, under certain circumstances
   Git could be fooled into using the same Git directory twice. We now
   require the directory to be empty.

 * CVE-2019-1350:
   Incorrect quoting of command-line arguments allowed remote code
   execution during a recursive clone in conjunction with SSH URLs.

 * CVE-2019-1351:
   While the only permitted drive letters for physical drives on
   Windows are letters of the US-English alphabet, this restriction
   does not apply to virtual drives assigned via subst <letter>:
   <path>. Git mistook such paths for relative paths, allowing writing
   outside of the worktree while cloning.

 * CVE-2019-1352:
   Git was unaware of NTFS Alternate Data Streams, allowing files
   inside the .git/ directory to be overwritten during a clone.

 * CVE-2019-1353:
   When running Git in the Windows Subsystem for Linux (also known as
   "WSL") while accessing a working directory on a regular Windows
   drive, none of the NTFS protections were active.

 * CVE-2019-1354:
   Filenames on Linux/Unix can contain backslashes. On Windows,
   backslashes are directory separators. Git did not use to refuse to
   write out tracked files with such filenames.

 * CVE-2019-1387:
   Recursive clones are currently affected by a vulnerability that is
   caused by too-lax validation of submodule names, allowing very
   targeted attacks via remote code execution in recursive clones.

Credit for finding these vulnerabilities goes to Microsoft Security
Response Center, in particular to Nicolas Joly. The `fast-import`
fixes were provided by Jeff King, the other fixes by Johannes
Schindelin with help from Garima Singh.

 * CVE-2019-19604:
   The change to disallow `submodule.<name>.update=!command` entries in
   `.gitmodules` which was introduced v2.15.4 (and for which v2.17.3
   added explicit fsck checks) fixes the vulnerability in v2.20.x where
   a recursive clone followed by a submodule update could execute code
   contained within the repository without the user explicitly having
   asked for that.

Credit for finding this vulnerability goes to Joern Schneeweisz,
credit for the fixes goes to Jonathan Nieder.