Subject: CVS commit: [pkgsrc-2015Q4] pkgsrc/devel
From: Benny Siegert
Date: 2016-03-22 19:55:23
Message id: 20160322185523.54EA8FBB5@cvs.NetBSD.org

Log Message:
Pullup ticket #4953 - requested by sevan
devel/git-base: security fix

Revisions pulled up:
- devel/git-base/Makefile                                       1.22-1.23
- devel/git-base/PLIST                                          1.11-1.12
- devel/git-base/distinfo                                       1.42-1.46
- devel/git-base/patches/patch-builtin_pack-objects.c           1.1
- devel/git-base/patches/patch-builtin_rev-list.c               1.1
- devel/git-base/patches/patch-http-push.c                      1.1
- devel/git-base/patches/patch-list-objects.c                   1.1
- devel/git-base/patches/patch-list-objects.h                   1.1
- devel/git-base/patches/patch-pack-bitmap-write.c              1.1
- devel/git-base/patches/patch-pack-bitmap.c                    1.1
- devel/git-base/patches/patch-reachable.c                      1.1
- devel/git-base/patches/patch-revision.c                       1.1
- devel/git-base/patches/patch-revision.h                       1.1
- devel/git/Makefile.version                                    1.36-1.39

---
   Module Name:    pkgsrc
   Committed By:   adam
   Date:           Fri Jan  8 17:37:20 UTC 2016

   Modified Files:
           pkgsrc/devel/git: Makefile.version
           pkgsrc/devel/git-base: PLIST distinfo

   Log Message:
   Changes 2.7.0:
   UI, Workflows & Features

   * The appearance of "gitk", particularly on high DPI monitors, have
     been improved.  "gitk" also comes with an undated translation for
     Swedish and Japanese.

   * "git remote" learned "get-url" subcommand to show the \ 
URL for a
     given remote name used for fetching and pushing.

   * There was no way to defeat a configured rebase.autostash variable
     from the command line, as "git rebase --no-autostash" was missing.

   * "git log --date=local" used to only show the normal (default)
     format in the local timezone.  The command learned to take 'local'
     as an instruction to use the local timezone with other formats,

   * The refs used during a "git bisect" session is now per-worktree so
     that independent bisect sessions can be done in different worktrees
     created with "git worktree add".

   * Users who are too busy to type three extra keystrokes to ask for
     "git stash show -p" can now set stash.showPatch configuration
     variable to true to always see the actual patch, not just the list
     of paths affected with feel for the extent of damage via diffstat.

   * "quiltimport" allows to specify the series file by honoring the
     $QUILT_SERIES environment and also --series command line option.

   * The use of 'good/bad' in "git bisect" made it confusing to use when
     hunting for a state change that is not a regression (e.g. bugfix).
     The command learned 'old/new' and then allows the end user to
     say e.g. "bisect start --term-old=fast --term-new=slow" to find a
     performance regression.

   * "git interpret-trailers" can now run outside of a Git repository.

   * "git p4" learned to reencode the pathname it uses to communicate
     with the p4 depot with a new option.

   * Give progress meter to "git filter-branch".

   * Allow a later "!/abc/def" to override an earlier "/abc" that
     appears in the same .gitignore file to make it easier to express
     "everything in /abc directory is ignored, except for ...".

   * Teach "git p4" to send large blobs outside the repository by
     talking to Git LFS.

   * Prepare for Git on-disk repository representation to undergo
     backward incompatible changes by introducing a new repository
     format version "1", with an extension mechanism.

   * "git worktree" learned a "list" subcommand.

   * "git clone --dissociate" learned that it can be used even when
     "--reference" was not used at the same time.

   * "git blame" learnt to take "--first-parent" and \ 
"--reverse" at the
     same time when it makes sense.

   * "git checkout" did not follow the usual "--[no-]progress"
     convention and implemented only "--quiet" that is essentially
     a superset of "--no-progress".  Extend the command to support the
     usual "--[no-]progress".

   * The semantics of transfer.hideRefs configuration variable have been
     extended to work better with the ref "namespace" feature that lets
     you throw unrelated bunches of repositories in a single physical
     repository and virtually serve them as separate ones.

   * send-email config variables whose values are pathnames now go
     through the ~username/ expansion.

   * bash completion learnt to TAB-complete recipient addresses given
     to send-email.

   * The credential-cache daemon can be told to ignore SIGHUP to work
     around issue when running Git from inside emacs.

   * "git push" learned new configuration for doing \ 
"--recurse-submodules"
     on each push.

   * "format-patch" has learned a new option to zero-out the commit
     object name on the mbox "From " line.

---
   Module Name:    pkgsrc
   Committed By:   adam
   Date:           Sun Feb  7 10:27:23 UTC 2016

   Modified Files:
           pkgsrc/devel/git: Makefile.version
           pkgsrc/devel/git-base: PLIST distinfo

   Log Message:
   Git v2.7.1 Release Notes
   ========================

   Fixes since v2.7
   ----------------

    * An earlier change in 2.5.x-era broke users' hooks and aliases by
      exporting GIT_WORK_TREE to point at the root of the working tree,
      interfering when they tried to use a different working tree without
      setting GIT_WORK_TREE environment themselves.

    * The "exclude_list" structure has the usual "alloc, nr" \ 
pair of
      fields to be used by ALLOC_GROW(), but clear_exclude_list() forgot
      to reset 'alloc' to 0 when it cleared 'nr' to discard the managed
      array.

    * "git send-email" was confused by escaped quotes stored in the alias
      files saved by "mutt", which has been corrected.

    * A few unportable C construct have been spotted by clang compiler
      and have been fixed.

    * The documentation has been updated to hint the connection between
      the '--signoff' option and DCO.

    * "git reflog" incorrectly assumed that all objects that used to be
      at the tip of a ref must be commits, which caused it to segfault.

    * The ignore mechanism saw a few regressions around untracked file
      listing and sparse checkout selection areas in 2.7.0; the change
      that is responsible for the regression has been reverted.

    * Some codepaths used fopen(3) when opening a fixed path in $GIT_DIR
      (e.g. COMMIT_EDITMSG) that is meant to be left after the command is
      done.  This however did not work well if the repository is set to
      be shared with core.sharedRepository and the umask of the previous
      user is tighter.  They have been made to work better by calling
      unlink(2) and retrying after fopen(3) fails with EPERM.

    * Asking gitweb for a nonexistent commit left a warning in the server
      log.

    * "git rebase", unlike all other callers of "gc --auto", \ 
did not
      ignore the exit code from "gc --auto".

    * Many codepaths that run "gc --auto" before exiting kept packfiles
      mapped and left the file descriptors to them open, which was not
      friendly to systems that cannot remove files that are open.  They
      now close the packs before doing so.

    * A recent optimization to filter-branch in v2.7.0 introduced a
      regression when --prune-empty filter is used, which has been
      corrected.

    * The description for SANITY prerequisite the test suite uses has
      been clarified both in the comment and in the implementation.

    * "git tag" started listing a tag "foo" as \ 
"tags/foo" when a branch
      named "foo" exists in the same repository; remove this unnecessary
      disambiguation, which is a regression introduced in v2.7.0.

    * The way "git svn" uses auth parameter was broken by Subversion
      1.9.0 and later.

    * The "split" subcommand of "git subtree" (in contrib/) \ 
incorrectly
      skipped merges when it shouldn't, which was corrected.

    * A few options of "git diff" did not work well when the command was
      run from a subdirectory.

    * dirname() emulation has been added, as Msys2 lacks it.

    * The underlying machinery used by "ls-files -o" and other commands
      have been taught not to create empty submodule ref cache for a
      directory that is not a submodule.  This removes a ton of wasted
      CPU cycles.

    * Drop a few old "todo" items by deciding that the change one of them
      suggests is not such a good idea, and doing the change the other
      one suggested to do.

    * Documentation for "git fetch --depth" has been updated for clarity.

    * The command line completion learned a handful of additional options
      and command specific syntax.

   Also includes a handful of documentation and test updates.

---
   Module Name:    pkgsrc
   Committed By:   adam
   Date:           Mon Feb 29 10:50:55 UTC 2016

   Modified Files:
           pkgsrc/devel/git: Makefile.version
           pkgsrc/devel/git-base: distinfo

   Log Message:
   Changes 2.7.2:
   * The low-level merge machinery has been taught to use CRLF line
     termination when inserting conflict markers to merged contents that
     are themselves CRLF line-terminated.
   * "git worktree" had a broken code that attempted to auto-fix
     possible inconsistency that results from end-users moving a
     worktree to different places without telling Git (the original
     repository needs to maintain backpointers to its worktrees, but
     "mv" run by end-users who are not familiar with that fact will
     obviously not adjust them), which actually made things worse
     when triggered.
   * "git push --force-with-lease" has been taught to report if the push
     needed to force (or fast-forwarded).
   * The emulated "yes" command used in our test scripts has been
     tweaked not to spend too much time generating unnecessary output
     that is not used, to help those who test on Windows where it would
     not stop until it fills the pipe buffer due to lack of SIGPIPE.
   * The vimdiff backend for "git mergetool" has been tweaked to arrange
     and number buffers in the order that would match the expectation of
     majority of people who read left to right, then top down and assign
     buffers 1 2 3 4 "mentally" to local base remote merge windows based
     on that order.
   * The documentation for "git clean" has been corrected; it mentioned
     that .git/modules/* are removed by giving two "-f", which has never
     been the case.
   * Paths that have been told the index about with "add -N" are not
     quite yet in the index, but a few commands behaved as if they
     already are in a harmful way.

---
   Module Name:    pkgsrc
   Committed By:   adam
   Date:           Sat Mar 12 11:33:32 UTC 2016

   Modified Files:
           pkgsrc/devel/git: Makefile.version
           pkgsrc/devel/git-base: Makefile distinfo

   Log Message:
   Changes 2.7.3:

   * Traditionally, the tests that try commands that work on the
     contents in the working tree were named with "worktree" in their
     filenames, but with the recent addition of "git worktree"
     subcommand, whose tests are also named similarly, it has become
     harder to tell them apart.  The traditional tests have been renamed
     to use "work-tree" instead in an attempt to differentiate them.

   * Many codepaths forget to check return value from git_config_set();
     the function is made to die() to make sure we do not proceed when
     setting a configuration variable failed.

   * Handling of errors while writing into our internal asynchronous
     process has been made more robust, which reduces flakiness in our
     tests.

   * "git show 'HEAD:Foo[BAR]Baz'" did not interpret the argument as a
     rev, i.e. the object named by the the pathname with wildcard
     characters in a tree object.

   * "git rev-parse --git-common-dir" used in the worktree feature
     misbehaved when run from a subdirectory.

   * The "v(iew)" subcommand of the interactive "git am -i" \ 
command was
     broken in 2.6.0 timeframe when the command was rewritten in C.

   * "git merge-tree" used to mishandle "both sides added" \ 
conflict with
     its own "create a fake ancestor file that has the common parts of
     what both sides have added and do a 3-way merge" logic; this has
     been updated to use the usual "3-way merge with an empty blob as
     the fake common ancestor file" approach used in the rest of the
     system.

   * The memory ownership rule of fill_textconv() API, which was a bit
     tricky, has been documented a bit better.

   * The documentation did not clearly state that the 'simple' mode is
     now the default for "git push" when push.default configuration is
     not set.

   * Recent versions of GNU grep are pickier when their input contains
     arbitrary binary data, which some of our tests uses.  Rewrite the
     tests to sidestep the problem.

   * A helper function "git submodule" uses since v2.7.0 to list the
     modules that match the pathspec argument given to its subcommands
     (e.g. "submodule add <repo> <path>") has been fixed.

   * "git config section.var value" to set a value in per-repository
     configuration file failed when it was run outside any repository,
     but didn't say the reason correctly.

   * The code to read the pack data using the offsets stored in the pack
     idx file has been made more carefully check the validity of the
     data in the idx.

---
   Module Name:    pkgsrc
   Committed By:   sevan
   Date:           Wed Mar 16 19:38:52 UTC 2016

   Modified Files:
           pkgsrc/devel/git-base: Makefile distinfo
   Added Files:
           pkgsrc/devel/git-base/patches: patch-builtin_pack-objects.c
               patch-builtin_rev-list.c patch-http-push.c patch-list-objects.c
               patch-list-objects.h patch-pack-bitmap-write.c patch-pack-bitmap.c
               patch-reachable.c patch-revision.c patch-revision.h

   Log Message:
   Patch for CVE-2016-2324
    Obtained via Debian Security Tracker
    https://security-tracker.debian.org/tracker/CVE-2016-2324
    https://github.com/git/git/commit/9831e92bfa833ee9c0ce464bbc2f941ae6c2698d
   Bump pkgrev

Files:
RevisionActionfile
1.35.2.1modifypkgsrc/devel/git/Makefile.version
1.10.4.1modifypkgsrc/devel/git-base/PLIST
1.41.2.1modifypkgsrc/devel/git-base/distinfo
1.1.2.2addpkgsrc/devel/git-base/patches/patch-builtin_pack-objects.c
1.1.2.2addpkgsrc/devel/git-base/patches/patch-builtin_rev-list.c
1.1.2.2addpkgsrc/devel/git-base/patches/patch-http-push.c
1.1.2.2addpkgsrc/devel/git-base/patches/patch-list-objects.c
1.1.2.2addpkgsrc/devel/git-base/patches/patch-list-objects.h
1.1.2.2addpkgsrc/devel/git-base/patches/patch-pack-bitmap-write.c
1.1.2.2addpkgsrc/devel/git-base/patches/patch-pack-bitmap.c
1.1.2.2addpkgsrc/devel/git-base/patches/patch-reachable.c
1.1.2.2addpkgsrc/devel/git-base/patches/patch-revision.c
1.1.2.2addpkgsrc/devel/git-base/patches/patch-revision.h