Subject: CVS commit: [pkgsrc-2022Q2] pkgsrc/devel
From: S.P.Zeidler
Date: 2022-07-26 21:29:02
Message id: 20220726192902.35C61FB1A@cvs.NetBSD.org

Log Message:
Pullup ticket #6657 - requested by taca
devel/git: security update
devel/git-base: security update
devel/git-docs: security update
www/gitweb: security update

Revisions pulled up:
- devel/git-base/Makefile                                       1.97
- devel/git-base/distinfo                                       1.120-1.121
- devel/git-docs/Makefile                                       1.21
- devel/git/Makefile.version                                    1.106-1.107
- www/gitweb/Makefile                                           1.45

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	adam
   Date:		Wed Jul  6 11:54:00 UTC 2022

   Modified Files:
   	pkgsrc/devel/git: Makefile.version
   	pkgsrc/devel/git-base: Makefile distinfo
   	pkgsrc/devel/git-docs: Makefile
   	pkgsrc/www/gitweb: Makefile

   Log Message:
   git: updated to 2.37.0

   Git v2.37 Release Notes
   =======================
   UI, Workflows & Features

    * "vimdiff[123]" mergetool drivers have been reimplemented with a
      more generic layout mechanism.

    * "git -v" and "git -h" are now understood as "git --version" and
      "git --help".

    * The temporary files fed to external diff command are now generated
      inside a new temporary directory under the same basename.

    * "git log --since=X" will stop traversal upon seeing a commit that
      is older than X, but there may be commits behind it that are younger
      than X when the commit was created with a faulty clock.  A new
      option is added to keep digging without stopping, and instead
      filter out commits with timestamp older than X.

    * "git -c branch.autosetupmerge=simple branch $A $B" will set the $B
      as $A's upstream only when $A and $B share the same name, and "git
      -c push.default=simple" on branch $A would push to update the
      branch $A at the remote $B came from.  Also more places use the
      sole remote, if it exists, before defaulting to 'origin'.

    * A new doc has been added that lists tips for tools to work with
      Git's codebase.

    * "git remote -v" now shows the list-objects-filter used during
      fetching from the remote, if available.

    * With the new http.curloptResolve configuration, the CURLOPT_RESOLVE
      mechanism that allows cURL based applications to use pre-resolved
      IP addresses for the requests is exposed to the scripts.

    * "git add -i" was rewritten in C some time ago and has been in
      testing; the reimplementation is now exposed to general public by
      default.

    * Deprecate non-cone mode of the sparse-checkout feature.

    * Introduce a filesystem-dependent mechanism to optimize the way the
      bits for many loose object files are ensured to hit the disk
      platter.

    * The "do not remove the directory the user started Git in" logic,
      when Git cannot tell where that directory is, is disabled.  Earlier
      we refused to run in such a case.

    * A mechanism to pack unreachable objects into a "cruft pack",
      instead of ejecting them into loose form to be reclaimed later, has
      been introduced.

    * Update the doctype written in gitweb output to xhtml5.

    * The "transfer.credentialsInURL" configuration variable controls what
      happens when a URL with embedded login credential is used on either
      "fetch" or "push". Credentials are currently only detected in
      `remote.<name>.url` config, not `remote.<name>.pushurl`.

    * "git revert" learns "--reference" option to use more human-readable
      reference to the commit it reverts in the message template it
      prepares for the user.

    * Various error messages that talk about the removal of
      "--preserve-merges" in "rebase" have been strengthened, and "rebase
      --abort" learned to get out of a state that was left by an earlier
      use of the option.

   Performance, Internal Implementation, Development Support etc.

    * The performance of the "untracked cache" feature has been improved
      when "--untracked-files=<mode>" and "status.showUntrackedFiles"
      are combined.

    * "git stash" works better with sparse index entries.

    * "git show :<path>" learned to work better with the sparse-index
      feature.

    * Introduce and apply coccinelle rule to discourage an explicit
      comparison between a pointer and NULL, and apply the clean-up to
      the maintenance track.

    * Preliminary code refactoring around transport and bundle code.

    * "sparse-checkout" learns to work better with the sparse-index
      feature.

    * A workflow change for translators is being proposed.  git.pot is
      no longer version controlled and it is local responsibility of
      translators to generate it.

    * Plug the memory leaks from the trickiest API of all, the revision
      walker.

    * Rename .env_array member to .env in the child_process structure.

    * The fsmonitor--daemon handles even more corner cases when
      watching filesystem events.

    * A new bug() and BUG_if_bug() API is introduced to make it easier to
      uniformly log "detect multiple bugs and abort in the end" pattern.

   Fixes since v2.36
   -----------------

    * "git submodule update" without pathspec should silently skip an
      uninitialized submodule, but it started to become noisy by mistake.
      (merge 4f1ccef87c gc/submodule-update-part2 later to maint).

    * "diff-tree --stdin" has been broken for about a year, but 2.36
      release broke it even worse by breaking running the command with
      <pathspec>, which in turn broke "gitk" and got noticed.  This has
      been corrected by aligning its behaviour to that of "log".
      (merge f8781bfda3 jc/diff-tree-stdin-fix later to maint).

    * Regression fix for 2.36 where "git name-rev" started to sometimes
      reference strings after they are freed.
      (merge 45a14f578e rs/name-rev-fix-free-after-use later to maint).

    * "git show <commit1> <commit2>... -- <pathspec>" lost the pathspec
      when showing the second and subsequent commits, which has been
      corrected.
      (merge 5cdb38458e jc/show-pathspec-fix later to maint).

    * "git fast-export -- <pathspec>" lost the pathspec when showing the
      second and subsequent commits, which has been corrected.
      (merge d1c25272f5 rs/fast-export-pathspec-fix later to maint).

    * "git format-patch <args> -- <pathspec>" lost the pathspec when
      showing the second and subsequent commits, which has been
      corrected.
      (merge 91f8f7e46f rs/format-patch-pathspec-fix later to maint).

    * "git clone --origin X" leaked piece of memory that held value read
      from the clone.defaultRemoteName configuration variable, which has
      been plugged.
      (merge 6dfadc8981 jc/clone-remote-name-leak-fix later to maint).

    * Get rid of a bogus and over-eager coccinelle rule.
      (merge 08bdd3a185 jc/cocci-xstrdup-or-null-fix later to maint).

    * The path taken by "git multi-pack-index" command from the end user
      was compared with path internally prepared by the tool without first
      normalizing, which led to duplicated paths not being noticed,
      which has been corrected.
      (merge 11f9e8de3d ds/midx-normalize-pathname-before-comparison later to maint).

    * Correct choices of C compilers used in various CI jobs.
      (merge 3506cae04f ab/cc-package-fixes later to maint).

    * Various cleanups to "git p4".
      (merge 4ff0108d9e jh/p4-various-fixups later to maint).

    * The progress meter of "git blame" was showing incorrect numbers
      when processing only parts of the file.
      (merge e5f5d7d42e ea/progress-partial-blame later to maint).

    * "git rebase --keep-base <upstream> <branch-to-rebase>" computed the
      commit to rebase onto incorrectly, which has been corrected.
      (merge 9e5ebe9668 ah/rebase-keep-base-fix later to maint).

    * Fix a leak of FILE * in an error codepath.
      (merge c0befa0c03 kt/commit-graph-plug-fp-leak-on-error later to maint).

    * Avoid problems from interaction between malloc_check and address
      sanitizer.
      (merge 067109a5e7 pw/test-malloc-with-sanitize-address later to maint).

    * The commit summary shown after making a commit is matched to what
      is given in "git status" not to use the break-rewrite heuristics.
      (merge 84792322ed rs/commit-summary-wo-break-rewrite later to maint).

    * Update a few end-user facing messages around EOL conversion.
      (merge c970d30c2c ah/convert-warning-message later to maint).

    * Trace2 documentation updates.
      (merge a6c80c313c js/trace2-doc-fixes later to maint).

    * Build procedure fixup.
      (merge 1fbfd96f50 mg/detect-compiler-in-c-locale later to maint).

    * "git pull" without "--recurse-submodules=<arg>" made
      submodule.recurse take precedence over fetch.recurseSubmodules by
      mistake, which has been corrected.
      (merge 5819417365 gc/pull-recurse-submodules later to maint).

    * "git bisect" was too silent before it is ready to start computing
      the actual bisection, which has been corrected.
      (merge f11046e6de cd/bisect-messages-from-pre-flight-states later to maint).

    * macOS CI jobs have been occasionally flaky due to tentative version
      skew between perforce and the homebrew packager.  Instead of
      failing the whole CI job, just let it skip the p4 tests when this
      happens.
      (merge f15e00b463 cb/ci-make-p4-optional later to maint).

    * A bit of test framework fixes with a few fixes to issues found by
      valgrind.
      (merge 7c898554d7 ab/valgrind-fixes later to maint).

    * "git archive --add-file=<path>" picked up the raw permission bits
      from the path and propagated to zip output in some cases, without
      normalization, which has been corrected (tar output did not have
      this issue).
      (merge 6a61661967 jc/archive-add-file-normalize-mode later to maint).

    * "make coverage-report" without first running "make coverage" did
      not produce any meaningful result, which has been corrected.
      (merge 96ddfecc5b ep/coverage-report-wants-test-to-have-run later to maint).

    * The "--current" option of "git show-branch" should have been made
      incompatible with the "--reflog" mode, but this was not enforced,
      which has been corrected.
      (merge 41c64ae0e7 jc/show-branch-g-current later to maint).

    * "git fetch" unnecessarily failed when an unexpected optional
      section appeared in the output, which has been corrected.
      (merge 7709acf7be jt/fetch-peek-optional-section later to maint).

    * The way "git fetch" without "--update-head-ok" ensures that HEAD in
      no worktree points at any ref being updated was too wasteful, which
      has been optimized a bit.
      (merge f7400da800 os/fetch-check-not-current-branch later to maint).

    * "git fetch --recurse-submodules" from multiple remotes (either from
      a remote group, or "--all") used to make one extra "git fetch" in
      the submodules, which has been corrected.
      (merge 0353c68818 jc/avoid-redundant-submodule-fetch later to maint).

    * With a recent update to refuse access to repositories of other
      people by default, "sudo make install" and "sudo git describe"
      stopped working, which has been corrected.
      (merge 6b11e3d52e cb/path-owner-check-with-sudo-plus later to maint).

    * The tests that ensured merges stop when interfering local changes
      are present did not make sure that local changes are preserved; now
      they do.
      (merge 4b317450ce jc/t6424-failing-merge-preserve-local-changes later to maint).

    * Some real problems noticed by gcc 12 have been fixed, while false
      positives have been worked around.

    * Update the version of FreeBSD image used in Cirrus CI.
      (merge c58bebd4c6 pb/use-freebsd-12.3-in-cirrus-ci later to maint).

    * The multi-pack-index code did not protect the packfile it is going
      to depend on from getting removed while in use, which has been
      corrected.
      (merge 4090511e40 tb/midx-race-in-pack-objects later to maint).

    * Teach "git repack --geometric" to work better with "--keep-pack" and
      avoid corrupting the repository when packsize limit is used.
      (merge 66731ff921 tb/geom-repack-with-keep-and-max later to maint).

    * The documentation on the interaction between "--add-file" and
      "--prefix" options of "git archive" has been improved.
      (merge a75910602a rs/document-archive-prefix later to maint).

    * A git subcommand like "git add -p" spawns a separate git process
      while relaying its command line arguments.  A pathspec with only
      negative elements was mistakenly passed with an empty string, which
      has been corrected.
      (merge b02fdbc80a jc/all-negative-pathspec later to maint).

    * With a more targeted workaround in http.c in another topic, we may
      be able to lift this blanket "GCC12 dangling-pointer warning is
      broken and unsalvageable" workaround.
      (merge 419141e495 cb/buggy-gcc-12-workaround later to maint).

    * A misconfigured 'branch..remote' led to a bug in configuration
      parsing.
      (merge f1dfbd9ee0 gc/zero-length-branch-config-fix later to maint).

    * "git -c diff.submodule=log range-diff" did not show anything for
      submodules that changed in the ranges being compared, and
      "git -c diff.submodule=diff range-diff" did not work correctly.
      Fix this by including the "--submodule=short" output
      unconditionally to be compared.

    * In Git 2.36 we revamped the way how hooks are invoked.  One change
      that is end-user visible is that the output of a hook is no longer
      directly connected to the standard output of "git" that spawns the
      hook, which was noticed post release.  This is getting corrected.
      (merge a082345372 ab/hooks-regression-fix later to maint).

    * Updating the graft information invalidates the list of parents of
      in-core commit objects that used to be in the graft file.

    * "git show-ref --heads" (and "--tags") still iterated over all the
      refs only to discard refs outside the specified area, which has
      been corrected.
      (merge c0c9d35e27 tb/show-ref-optim later to maint).

    * Remove redundant copying (with index v3 and older) or possible
      over-reading beyond end of mmapped memory (with index v4) has been
      corrected.
      (merge 6d858341d2 zh/read-cache-copy-name-entry-fix later to maint).

    * Sample watchman interface hook sometimes failed to produce
      correctly formatted JSON message, which has been corrected.
      (merge 134047b500 sn/fsmonitor-missing-clock later to maint).

    * Use-after-free (with another forget-to-free) fix.
      (merge 323822c72b ab/remote-free-fix later to maint).

    * Remove a coccinelle rule that is no longer relevant.
      (merge b1299de4a1 jc/cocci-cleanup later to maint).

    * Other code cleanup, docfix, build fix, etc.
      (merge e6b2582da3 cm/reftable-0-length-memset later to maint).
      (merge 0b75e5bf22 ab/misc-cleanup later to maint).
      (merge 52e1ab8a76 ea/rebase-code-simplify later to maint).
      (merge 756d15923b sg/safe-directory-tests-and-docs later to maint).
      (merge d097a23bfa ds/do-not-call-bug-on-bad-refs later to maint).
      (merge c36c27e75c rs/t7812-pcre2-ws-bug-test later to maint).
      (merge 1da312742d gf/unused-includes later to maint).
      (merge 465b30a92d pb/submodule-recurse-mode-enum later to maint).
      (merge 82b28c4ed8 km/t3501-use-test-helpers later to maint).
      (merge 72315e431b sa/t1011-use-helpers later to maint).
      (merge 95b3002201 cg/vscode-with-gdb later to maint).
      (merge fbe5f6b804 tk/p4-utf8-bom later to maint).
      (merge 17f273ffba tk/p4-with-explicity-sync later to maint).
      (merge 944db25c60 kf/p4-multiple-remotes later to maint).
      (merge b014cee8de jc/update-ozlabs-url later to maint).
      (merge 4ec5008062 pb/ggg-in-mfc-doc later to maint).
      (merge af845a604d tb/receive-pack-code-cleanup later to maint).
      (merge 2acf4cf001 js/ci-gcc-12-fixes later to maint).
      (merge 05e280c0a6 jc/http-clear-finished-pointer later to maint).
      (merge 8c49d704ef fh/transport-push-leakfix later to maint).
      (merge 1d232d38bd tl/ls-tree-oid-only later to maint).
      (merge db7961e6a6 gc/document-config-worktree-scope later to maint).
      (merge ce18a30bb7 fs/ssh-default-key-command-doc later to maint).

   To generate a diff of this commit:
   cvs rdiff -u -r1.105 -r1.106 pkgsrc/devel/git/Makefile.version
   cvs rdiff -u -r1.96 -r1.97 pkgsrc/devel/git-base/Makefile
   cvs rdiff -u -r1.119 -r1.120 pkgsrc/devel/git-base/distinfo
   cvs rdiff -u -r1.20 -r1.21 pkgsrc/devel/git-docs/Makefile
   cvs rdiff -u -r1.44 -r1.45 pkgsrc/www/gitweb/Makefile
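The 2.37 notes above say the new transfer.credentialsInURL check only looks at `remote.<name>.url`, not `remote.<name>.pushurl`. The following Python audit is an added example, not code from this commit or from Git itself: it reads a constructed `.git/config` snippet with a deliberately simplified config reader (my own, not Git's parser), flags remote URLs whose userinfo carries a password (my detection criterion), and by default also covers `pushurl`, which goes beyond what the note says Git 2.37 checks.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample .git/config; the "mirror" remote hides a token in pushurl.
SAMPLE_CONFIG = """\
[remote "origin"]
	url = https://alice:hunter2@git.example.invalid/team/app.git
[remote "mirror"]
	url = ssh://git@git.example.invalid/team/app.git
	pushurl = https://deploy-token:abc123@git.example.invalid/team/app.git
[remote "clean"]
	url = https://git.example.invalid/team/app.git
"""

_SECTION_RE = re.compile(r'^\[(\w+)(?:\s+"([^"]*)")?\]$')

def parse_git_config(text):
    """Minimal reader for Git's config syntax (a simplification, not Git's own
    parser): maps 'section.subsection.key' -> value."""
    entries, prefix = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ';#':
            continue
        m = _SECTION_RE.match(line)
        if m:
            prefix = m.group(1).lower()
            if m.group(2) is not None:
                prefix += '.' + m.group(2)
            continue
        key, _, value = line.partition('=')
        if prefix is not None and key.strip():
            entries[f'{prefix}.{key.strip().lower()}'] = value.strip()
    return entries

def redact(url):
    """Replace the userinfo so a finding can be logged without the secret."""
    p = urlsplit(url)
    host = f'{p.hostname}:{p.port}' if p.port else (p.hostname or '')
    return urlunsplit((p.scheme, f'<redacted>@{host}', p.path, p.query, p.fragment))

def find_embedded_credentials(config_text, include_pushurl=True):
    """List (config key, redacted URL) for remote URLs whose userinfo carries a
    password. Git 2.37 inspects only remote.<name>.url; include_pushurl=True
    extends the audit to remote.<name>.pushurl, which that check skips."""
    findings = []
    for key, value in parse_git_config(config_text).items():
        section, _, leaf = key.rpartition('.')
        if not section.startswith('remote.'):
            continue
        if leaf == 'url' or (include_pushurl and leaf == 'pushurl'):
            if urlsplit(value).password is not None:  # "git@host" alone is no secret
                findings.append((key, redact(value)))
    return findings
```

Run it against a real repository by passing the contents of its `.git/config` to `find_embedded_credentials`; findings are printed with the secret already stripped.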

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	adam
   Date:		Thu Jul 14 10:55:37 UTC 2022

   Modified Files:
   	pkgsrc/devel/git: Makefile.version
   	pkgsrc/devel/git-base: distinfo

   Log Message:
   git: updated to 2.37.1

   Git 2.37.1 Release Notes
   ========================

   This release merges up the fixes that appear in v2.30.5, v2.31.4,
   v2.32.3, v2.33.4, v2.34.4, v2.35.4, and v2.36.2 to address the
   security issue CVE-2022-29187; see the release notes for these
   versions for details.

   Fixes since Git 2.37
   --------------------

    * Rewrite of "git add -i" in C that appeared in Git 2.25 didn't
      correctly record a removed file to the index, which is an old
      regression but has become widely known because the C version has
      become the default in the latest release.

    * Fix for CVE-2022-29187.

   To generate a diff of this commit:
   cvs rdiff -u -r1.106 -r1.107 pkgsrc/devel/git/Makefile.version
   cvs rdiff -u -r1.120 -r1.121 pkgsrc/devel/git-base/distinfo

Files:
Revision    Action   File
1.105.2.1   modify   pkgsrc/devel/git/Makefile.version
1.119.2.1   modify   pkgsrc/devel/git-base/distinfo