From fdd391721922ff0bbe2c2cb97cb1837aa98cbaba Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 10 2018 05:21:17 +0000 Subject: import git-1.8.3.1-13.el7 --- diff --git a/.git.metadata b/.git.metadata new file mode 100644 index 0000000..2be2068 --- /dev/null +++ b/.git.metadata @@ -0,0 +1,3 @@ +32562a231fe4422bc033bf872fffa61f41ee2669 SOURCES/git-1.8.3.1.tar.gz +94d48f6f8684aec851124e7d0b835b338a9187ad SOURCES/git-htmldocs-1.8.3.1.tar.gz +0cd759579d4bd75f1cf1ba073b1ab96c49390426 SOURCES/git-manpages-1.8.3.1.tar.gz diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..1806bab --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +SOURCES/git-1.8.3.1.tar.gz +SOURCES/git-htmldocs-1.8.3.1.tar.gz +SOURCES/git-manpages-1.8.3.1.tar.gz diff --git a/README.md b/README.md deleted file mode 100644 index 0e7897f..0000000 --- a/README.md +++ /dev/null @@ -1,5 +0,0 @@ -The master branch has no content - -Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6 - -If you find this file in a distro specific branch, it means that no content has been checked in yet diff --git a/SOURCES/0001-Drop-DESTDIR-from-python-instlibdir.patch b/SOURCES/0001-Drop-DESTDIR-from-python-instlibdir.patch new file mode 100644 index 0000000..b6e7120 --- /dev/null +++ b/SOURCES/0001-Drop-DESTDIR-from-python-instlibdir.patch @@ -0,0 +1,29 @@ +From d40d33173dc24d9b7ad6f5071994f90b5f9a71e8 Mon Sep 17 00:00:00 2001 +From: Todd Zullinger +Date: Wed, 27 Mar 2013 14:01:57 -0400 +Subject: [PATCH] Drop DESTDIR from python instlibdir + +When building packages, we install to DESTDIR but we don't want this to +end up hard-coded in the scripts. + +This needs discussed upstream to find a proper solution. +--- + git_remote_helpers/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/git_remote_helpers/Makefile b/git_remote_helpers/Makefile +index 3d12232..36d40b5 100644 +--- a/git_remote_helpers/Makefile ++++ b/git_remote_helpers/Makefile +@@ -38,7 +38,7 @@ install: $(pysetupfile) + $(PYTHON_PATH) $(pysetupfile) install --prefix $(DESTDIR_SQ)$(prefix) + + instlibdir: $(pysetupfile) +- @echo "$(DESTDIR_SQ)$(prefix)/$(PYLIBDIR)" ++ @echo "$(prefix)/$(PYLIBDIR)" + + clean: + $(QUIET)$(PYTHON_PATH) $(pysetupfile) $(QUIETSETUP) clean -a +-- +1.8.1 + diff --git a/SOURCES/0001-Fix-CVE-2016-2315-CVE-2016-2324.patch b/SOURCES/0001-Fix-CVE-2016-2315-CVE-2016-2324.patch new file mode 100644 index 0000000..0c3aaab --- /dev/null +++ b/SOURCES/0001-Fix-CVE-2016-2315-CVE-2016-2324.patch @@ -0,0 +1,117 @@ +From 73b65b02d5d1aa4612bb7015f80c8cd1b5e828cd Mon Sep 17 00:00:00 2001 +From: Petr Stodulka +Date: Fri, 18 Mar 2016 17:14:32 +0100 +Subject: [PATCH] Fix CVE-2016-2315 CVE-2016-2324 + +- added upstream macros for detecting size_t overflow (much more just + for easier related changes in future, if we want to do some yet) +- upstream solution removes function path_name() and modify all related + part of code to replace this function. However, it's too hard for + backport to such old version of git without unchanged behaviour, + so application just die with error message instead. +--- + diff.h | 4 ++-- + git-compat-util.h | 35 +++++++++++++++++++++++++++++++++++ + revision.c | 13 ++++++++++--- + 3 files changed, 47 insertions(+), 5 deletions(-) + +diff --git a/diff.h b/diff.h +index ce123fa..88db230 100644 +--- a/diff.h ++++ b/diff.h +@@ -209,8 +209,8 @@ struct combine_diff_path { + } parent[FLEX_ARRAY]; + }; + #define combine_diff_path_size(n, l) \ +- (sizeof(struct combine_diff_path) + \ +- sizeof(struct combine_diff_parent) * (n) + (l) + 1) ++ st_add4(sizeof(struct combine_diff_path), (l), 1, \ ++ st_mult(sizeof(struct combine_diff_parent), (n))) + + extern void show_combined_diff(struct combine_diff_path *elem, int num_parent, + int dense, struct rev_info *); +diff --git a/git-compat-util.h b/git-compat-util.h +index d493a8c..d5a15fa 100644 +--- a/git-compat-util.h ++++ b/git-compat-util.h +@@ -46,6 +46,14 @@ + #define unsigned_add_overflows(a, b) \ + ((b) > maximum_unsigned_value_of_type(a) - (a)) + ++/* ++ * Returns true if the multiplication of "a" and "b" will ++ * overflow. The types of "a" and "b" must match and must be unsigned. ++ * Note that this macro evaluates "a" twice! ++ */ ++#define unsigned_mult_overflows(a, b) \ ++ ((a) && (b) > maximum_unsigned_value_of_type(a) / (a)) ++ + #ifdef __GNUC__ + #define TYPEOF(x) (__typeof__(x)) + #else +@@ -526,6 +534,33 @@ extern void release_pack_memory(size_t); + typedef void (*try_to_free_t)(size_t); + extern try_to_free_t set_try_to_free_routine(try_to_free_t); + ++static inline size_t st_add(size_t a, size_t b) ++{ ++ if (unsigned_add_overflows(a, b)) ++ die("size_t overflow: %"PRIuMAX" + %"PRIuMAX, ++ (uintmax_t)a, (uintmax_t)b); ++ return a + b; ++} ++#define st_add3(a,b,c) st_add((a),st_add((b),(c))) ++#define st_add4(a,b,c,d) st_add((a),st_add3((b),(c),(d))) ++ ++static inline size_t st_mult(size_t a, size_t b) ++{ ++ if (unsigned_mult_overflows(a, b)) ++ die("size_t overflow: %"PRIuMAX" * %"PRIuMAX, ++ (uintmax_t)a, (uintmax_t)b); ++ return a * b; ++} ++ ++static inline size_t st_sub(size_t a, size_t b) ++{ ++ if (a < b) ++ die("size_t underflow: %"PRIuMAX" - %"PRIuMAX, ++ (uintmax_t)a, (uintmax_t)b); ++ return a - b; ++} ++ ++ + extern char *xstrdup(const char *str); + extern void *xmalloc(size_t size); + extern void *xmallocz(size_t size); +diff --git a/revision.c b/revision.c +index f40ccf1..b897ca6 100644 +--- a/revision.c ++++ b/revision.c +@@ -24,16 +24,21 @@ char *path_name(const struct name_path *path, const char *name) + { + const struct name_path *p; + char *n, *m; +- int nlen = strlen(name); +- int len = nlen + 1; ++ size_t nlen = strlen(name); ++ size_t len = st_add(nlen, 1); ++ ++ if(len >= INT_MAX) ++ die("path_name(): path is too long."); + + for (p = path; p; p = p->up) { + if (p->elem_len) + len += p->elem_len + 1; ++ if(len >= INT_MAX) ++ die("path_name(): path is too long."); + } + n = xmalloc(len); + m = n + len - (nlen + 1); +- strcpy(m, name); ++ memcpy(m, name, nlen + 1); + for (p = path; p; p = p->up) { + if (p->elem_len) { + m -= p->elem_len + 1; +-- +2.4.3 + diff --git a/SOURCES/0001-git-subtree-Use-gitexecdir-instead-of-libexecdir.patch b/SOURCES/0001-git-subtree-Use-gitexecdir-instead-of-libexecdir.patch new file mode 100644 index 0000000..73ae548 --- /dev/null +++ b/SOURCES/0001-git-subtree-Use-gitexecdir-instead-of-libexecdir.patch @@ -0,0 +1,42 @@ +From 86c3e2b5188579bff1ff981910462ad5e563044b Mon Sep 17 00:00:00 2001 +From: Todd Zullinger +Date: Fri, 4 Jan 2013 11:54:21 -0500 +Subject: [PATCH] git-subtree: Use gitexecdir instead of libexecdir + +When the git subtree Makefile includes config.mak from the toplevel, +it's useful to have the same variables set globally applied. Using +gitexecdir instead of libexecdir respects the global settings more +consistently. + +Remove the unused gitdir variable as well. +--- + contrib/subtree/Makefile | 5 ++--- + 1 files changed, 2 insertions(+), 3 deletions(-) + +diff --git a/contrib/subtree/Makefile b/contrib/subtree/Makefile +index 36ae3e4..f87b945 100644 +--- a/contrib/subtree/Makefile ++++ b/contrib/subtree/Makefile +@@ -2,9 +2,8 @@ + -include ../../config.mak + + prefix ?= /usr/local ++gitexecdir ?= $(prefix)/libexec/git-core + mandir ?= $(prefix)/share/man +-libexecdir ?= $(prefix)/libexec/git-core +-gitdir ?= $(shell git --exec-path) + man1dir ?= $(mandir)/man1 + + gitver ?= $(word 3,$(shell git --version)) +@@ -30,7 +29,7 @@ $(GIT_SUBTREE): $(GIT_SUBTREE_SH) + doc: $(GIT_SUBTREE_DOC) + + install: $(GIT_SUBTREE) +- $(INSTALL) -m 755 $(GIT_SUBTREE) $(DESTDIR)$(libexecdir) ++ $(INSTALL) -m 755 $(GIT_SUBTREE) $(DESTDIR)$(gitexecdir) + + install-doc: install-man + +-- +1.7.6 + diff --git a/SOURCES/0001-http-control-GSSAPI-credential-delegation.patch b/SOURCES/0001-http-control-GSSAPI-credential-delegation.patch new file mode 100644 index 0000000..ccec896 --- /dev/null +++ b/SOURCES/0001-http-control-GSSAPI-credential-delegation.patch @@ -0,0 +1,90 @@ +From 7dbd01e4815727ce46de0b5d6c2916fec9154196 Mon Sep 17 00:00:00 2001 +From: Petr Stodulka +Date: Mon, 5 Dec 2016 16:49:09 +0100 +Subject: [PATCH] http: control GSSAPI credential delegation + +Delegation of credentials is disabled by default in libcurl since +version 7.21.7 due to security vulnerability CVE-2011-2192. Which +makes troubles with GSS/kerberos authentication when delegation +of credentials is required. This can be changed with option +CURLOPT_GSSAPI_DELEGATION in libcurl with set expected parameter +since libcurl version 7.22.0. + +This patch provides new configuration variable http.delegation +which corresponds to curl parameter "--delegation" (see man 1 curl). + +The following values are supported: + +* none (default). +* policy +* always +--- + http.c | 38 ++++++++++++++++++++++++++++++++++++++ + 1 file changed, 38 insertions(+) + +diff --git a/http.c b/http.c +index a1c7dcb..e7c77c0 100644 +--- a/http.c ++++ b/http.c +@@ -66,6 +66,19 @@ static struct curl_slist *no_pragma_header; + + static struct active_request_slot *active_queue_head; + ++#if LIBCURL_VERSION_NUM >= 0x071600 ++static const char *curl_deleg; ++static struct { ++ const char *name; ++ long curl_deleg_param; ++} curl_deleg_levels[] = { ++ { "none", CURLGSSAPI_DELEGATION_NONE }, ++ { "policy", CURLGSSAPI_DELEGATION_POLICY_FLAG }, ++ { "always", CURLGSSAPI_DELEGATION_FLAG }, ++}; ++#endif ++ ++ + size_t fread_buffer(char *ptr, size_t eltsize, size_t nmemb, void *buffer_) + { + size_t size = eltsize * nmemb; +@@ -169,6 +182,16 @@ static int http_options(const char *var, const char *value, void *cb) + curl_ssl_try = git_config_bool(var, value); + return 0; + } ++ ++ if (!strcmp("http.delegation", var)) { ++#if LIBCURL_VERSION_NUM >= 0x071600 ++ return git_config_string(&curl_deleg, var, value); ++#else ++ warning("Delegation control is not supported with cURL < 7.22.0"); ++ return 0; ++#endif ++ } ++ + if (!strcmp("http.minsessions", var)) { + min_curl_sessions = git_config_int(var, value); + #ifndef USE_CURL_MULTI +@@ -271,6 +294,21 @@ static CURL *get_curl_handle(void) + #ifdef LIBCURL_CAN_HANDLE_AUTH_ANY + curl_easy_setopt(result, CURLOPT_HTTPAUTH, CURLAUTH_ANY); + #endif ++#if LIBCURL_VERSION_NUM >= 0x071600 ++ if (curl_deleg) { ++ int i; ++ for (i = 0; i < ARRAY_SIZE(curl_deleg_levels); i++) { ++ if (!strcmp(curl_deleg, curl_deleg_levels[i].name)) { ++ curl_easy_setopt(result, CURLOPT_GSSAPI_DELEGATION, ++ curl_deleg_levels[i].curl_deleg_param); ++ break; ++ } ++ } ++ if (i == ARRAY_SIZE(curl_deleg_levels)) ++ warning("Unknown delegation method '%s': using default", ++ curl_deleg); ++ } ++#endif + + if (http_proactive_auth) + init_curl_http_auth(result); +-- +2.5.5 + diff --git a/SOURCES/0001-submodule-allow-only-certain-protocols-for-submodule.patch b/SOURCES/0001-submodule-allow-only-certain-protocols-for-submodule.patch new file mode 100644 index 0000000..e2067b1 --- /dev/null +++ b/SOURCES/0001-submodule-allow-only-certain-protocols-for-submodule.patch @@ -0,0 +1,104 @@ +From 6d69680505dbbc484178105815ed624fab40b2de Mon Sep 17 00:00:00 2001 +From: Petr Stodulka +Date: Wed, 28 Oct 2015 15:03:01 +0100 +Subject: [PATCH 1/5] submodule: allow only certain protocols for submodule + fetches + +Some protocols (like git-remote-ext) can execute arbitrary +code found in the URL. The URLs that submodules use may come +from arbitrary sources (e.g., .gitmodules files in a remote +repository). Let's restrict submodules to fetching from a +known-good subset of protocols. + +Note that we apply this restriction to all submodule +commands, whether the URL comes from .gitmodules or not. +This is more restrictive than we need to be; for example, in +the tests we run: + + git submodule add ext::... + +which should be trusted, as the URL comes directly from the +command line provided by the user. But doing it this way is +simpler, and makes it much less likely that we would miss a +case. And since such protocols should be an exception +(especially because nobody who clones from them will be able +to update the submodules!), it's not likely to inconvenience +anyone in practice. +--- + git-submodule.sh | 9 +++++++++ + t/t5815-submodule-protos-sh | 43 +++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 52 insertions(+) + create mode 100644 t/t5815-submodule-protos-sh + +diff --git a/git-submodule.sh b/git-submodule.sh +index 79bfaac..bec3362 100755 +--- a/git-submodule.sh ++++ b/git-submodule.sh +@@ -19,6 +19,15 @@ OPTIONS_SPEC= + . git-parse-remote + require_work_tree + ++# Restrict ourselves to a vanilla subset of protocols; the URLs ++# we get are under control of a remote repository, and we do not ++# want them kicking off arbitrary git-remote-* programs. ++# ++# If the user has already specified a set of allowed protocols, ++# we assume they know what they're doing and use that instead. ++: ${GIT_ALLOW_PROTOCOL=file:git:http:https:ssh} ++export GIT_ALLOW_PROTOCOL ++ + command= + branch= + force= +diff --git a/t/t5815-submodule-protos-sh b/t/t5815-submodule-protos-sh +new file mode 100644 +index 0000000..06f55a1 +--- /dev/null ++++ b/t/t5815-submodule-protos-sh +@@ -0,0 +1,43 @@ ++#!/bin/sh ++ ++test_description='test protocol whitelisting with submodules' ++. ./test-lib.sh ++. "$TEST_DIRECTORY"/lib-proto-disable.sh ++ ++setup_ext_wrapper ++setup_ssh_wrapper ++ ++test_expect_success 'setup repository with submodules' ' ++ mkdir remote && ++ git init remote/repo.git && ++ (cd remote/repo.git && test_commit one) && ++ # submodule-add should probably trust what we feed it on the cmdline, ++ # but its implementation is overly conservative. ++ GIT_ALLOW_PROTOCOL=ssh git submodule add remote:repo.git ssh-module && ++ GIT_ALLOW_PROTOCOL=ext git submodule add "ext::fake-remote %S repo.git" ext-module && ++ git commit -m "add submodules" ++' ++ ++test_expect_success 'clone with recurse-submodules fails' ' ++ test_must_fail git clone --recurse-submodules . dst ++' ++ ++test_expect_success 'setup individual updates' ' ++ rm -rf dst && ++ git clone . dst && ++ git -C dst submodule init ++' ++ ++test_expect_success 'update of ssh allowed' ' ++ git -C dst submodule update ssh-module ++' ++ ++test_expect_success 'update of ext not allowed' ' ++ test_must_fail git -C dst submodule update ext-module ++' ++ ++test_expect_success 'user can override whitelist' ' ++ GIT_ALLOW_PROTOCOL=ext git -C dst submodule update ext-module ++' ++ ++test_done +-- +2.1.0 + diff --git a/SOURCES/0002-transport-add-a-protocol-whitelist-environment-varia.patch b/SOURCES/0002-transport-add-a-protocol-whitelist-environment-varia.patch new file mode 100644 index 0000000..d908739 --- /dev/null +++ b/SOURCES/0002-transport-add-a-protocol-whitelist-environment-varia.patch @@ -0,0 +1,207 @@ +From cfa4e13f09d07f679ffacdddfbe0ef44d1de32d9 Mon Sep 17 00:00:00 2001 +From: Petr Stodulka +Date: Wed, 28 Oct 2015 15:21:08 +0100 +Subject: [PATCH 2/5] transport: add a protocol-whitelist environment variable + +If we are cloning an untrusted remote repository into a +sandbox, we may also want to fetch remote submodules in +order to get the complete view as intended by the other +side. However, that opens us up to attacks where a malicious +user gets us to clone something they would not otherwise +have access to (this is not necessarily a problem by itself, +but we may then act on the cloned contents in a way that +exposes them to the attacker). + +Ideally such a setup would sandbox git entirely away from +high-value items, but this is not always practical or easy +to set up (e.g., OS network controls may block multiple +protocols, and we would want to enable some but not others). + +We can help this case by providing a way to restrict +particular protocols. We use a whitelist in the environment. +This is more annoying to set up than a blacklist, but +defaults to safety if the set of protocols git supports +grows). If no whitelist is specified, we continue to default +to allowing all protocols (this is an "unsafe" default, but +since the minority of users will want this sandboxing +effect, it is the only sensible one). + +A note on the tests: ideally these would all be in a single +test file, but the git-daemon and httpd test infrastructure +is an all-or-nothing proposition rather than a test-by-test +prerequisite. By putting them all together, we would be +unable to test the file-local code on machines without +apache. +--- + Documentation/git.txt | 32 ++++++++++++++++++++++++++++++++ + connect.c | 4 ++++ + transport-helper.c | 2 ++ + transport.c | 21 ++++++++++++++++++++- + transport.h | 7 +++++++ + 5 files changed, 65 insertions(+), 1 deletion(-) + +diff --git a/Documentation/git.txt b/Documentation/git.txt +index 443d88f..179a0e8 100644 +--- a/Documentation/git.txt ++++ b/Documentation/git.txt +@@ -847,6 +847,38 @@ GIT_LITERAL_PATHSPECS:: + literal paths to Git (e.g., paths previously given to you by + `git ls-tree`, `--raw` diff output, etc). + ++`GIT_ALLOW_PROTOCOL`:: ++ If set, provide a colon-separated list of protocols which are ++ allowed to be used with fetch/push/clone. This is useful to ++ restrict recursive submodule initialization from an untrusted ++ repository. Any protocol not mentioned will be disallowed (i.e., ++ this is a whitelist, not a blacklist). If the variable is not ++ set at all, all protocols are enabled. The protocol names ++ currently used by git are: ++ ++ - `file`: any local file-based path (including `file://` URLs, ++ or local paths) ++ ++ - `git`: the anonymous git protocol over a direct TCP ++ connection (or proxy, if configured) ++ ++ - `ssh`: git over ssh (including `host:path` syntax, ++ `git+ssh://`, etc). ++ ++ - `rsync`: git over rsync ++ ++ - `http`: git over http, both "smart http" and "dumb http". ++ Note that this does _not_ include `https`; if you want both, ++ you should specify both as `http:https`. ++ ++ - any external helpers are named by their protocol (e.g., use ++ `hg` to allow the `git-remote-hg` helper) +++ ++Note that this controls only git's internal protocol selection. ++If libcurl is used (e.g., by the `http` transport), it may ++redirect to other protocols. There is not currently any way to ++restrict this. ++ + + Discussion[[Discussion]] + ------------------------ +diff --git a/connect.c b/connect.c +index f57efd0..6d4ea13 100644 +--- a/connect.c ++++ b/connect.c +@@ -6,6 +6,7 @@ + #include "run-command.h" + #include "remote.h" + #include "url.h" ++#include "transport.h" + + static char *server_capabilities; + +@@ -587,6 +588,7 @@ struct child_process *git_connect(int fd[2], const char *url_orig, + * cannot connect. + */ + char *target_host = xstrdup(host); ++ transport_check_allowed("git"); + if (git_use_proxy(host)) + conn = git_proxy_connect(fd, host); + else +@@ -623,6 +625,7 @@ struct child_process *git_connect(int fd[2], const char *url_orig, + if (protocol == PROTO_SSH) { + const char *ssh = getenv("GIT_SSH"); + int putty = ssh && strcasestr(ssh, "plink"); ++ transport_check_allowed("ssh"); + if (!ssh) ssh = "ssh"; + + *arg++ = ssh; +@@ -639,6 +642,7 @@ struct child_process *git_connect(int fd[2], const char *url_orig, + /* remove repo-local variables from the environment */ + conn->env = local_repo_env; + conn->use_shell = 1; ++ transport_check_allowed("file"); + } + *arg++ = cmd.buf; + *arg = NULL; +diff --git a/transport-helper.c b/transport-helper.c +index 522d791..be8402a 100644 +--- a/transport-helper.c ++++ b/transport-helper.c +@@ -932,6 +932,8 @@ int transport_helper_init(struct transport *transport, const char *name) + struct helper_data *data = xcalloc(sizeof(*data), 1); + data->name = name; + ++ transport_check_allowed(name); ++ + if (getenv("GIT_TRANSPORT_HELPER_DEBUG")) + debug = 1; + +diff --git a/transport.c b/transport.c +index ba5d8af..733717d 100644 +--- a/transport.c ++++ b/transport.c +@@ -894,6 +894,20 @@ static int external_specification_len(const char *url) + return strchr(url, ':') - url; + } + ++void transport_check_allowed(const char *type) ++{ ++ struct string_list allowed = STRING_LIST_INIT_DUP; ++ const char *v = getenv("GIT_ALLOW_PROTOCOL"); ++ ++ if (!v) ++ return; ++ ++ string_list_split(&allowed, v, ':', -1); ++ if (!unsorted_string_list_has_string(&allowed, type)) ++ die("transport '%s' not allowed", type); ++ string_list_clear(&allowed, 0); ++} ++ + struct transport *transport_get(struct remote *remote, const char *url) + { + const char *helper; +@@ -925,12 +939,14 @@ struct transport *transport_get(struct remote *remote, const char *url) + if (helper) { + transport_helper_init(ret, helper); + } else if (!prefixcmp(url, "rsync:")) { ++ transport_check_allowed("rsync"); + ret->get_refs_list = get_refs_via_rsync; + ret->fetch = fetch_objs_via_rsync; + ret->push = rsync_transport_push; + ret->smart_options = NULL; + } else if (is_local(url) && is_file(url) && is_bundle(url, 1)) { + struct bundle_transport_data *data = xcalloc(1, sizeof(*data)); ++ transport_check_allowed("file"); + ret->data = data; + ret->get_refs_list = get_refs_from_bundle; + ret->fetch = fetch_refs_from_bundle; +@@ -942,7 +958,10 @@ struct transport *transport_get(struct remote *remote, const char *url) + || !prefixcmp(url, "ssh://") + || !prefixcmp(url, "git+ssh://") + || !prefixcmp(url, "ssh+git://")) { +- /* These are builtin smart transports. */ ++ /* ++ * These are builtin smart transports; "allowed" transports ++ * will be checked individually in git_connect. ++ */ + struct git_transport_data *data = xcalloc(1, sizeof(*data)); + ret->data = data; + ret->set_option = NULL; +diff --git a/transport.h b/transport.h +index fcb1d25..2beda7d 100644 +--- a/transport.h ++++ b/transport.h +@@ -113,6 +113,13 @@ struct transport { + /* Returns a transport suitable for the url */ + struct transport *transport_get(struct remote *, const char *); + ++/* ++ * Check whether a transport is allowed by the environment, ++ * and die otherwise. type should generally be the URL scheme, ++ * as described in Documentation/git.txt ++ */ ++void transport_check_allowed(const char *type); ++ + /* Transport options which apply to git:// and scp-style URLs */ + + /* The program to use on the remote side to send a pack */ +-- +2.1.0 + diff --git a/SOURCES/0003-transport-refactor-protocol-whitelist-code.patch b/SOURCES/0003-transport-refactor-protocol-whitelist-code.patch new file mode 100644 index 0000000..ff5416d --- /dev/null +++ b/SOURCES/0003-transport-refactor-protocol-whitelist-code.patch @@ -0,0 +1,107 @@ +From 9b9aabe6ab5d07227c1c02781f03a3c38fbc27b0 Mon Sep 17 00:00:00 2001 +From: Jeff King +Date: Tue, 22 Sep 2015 18:03:49 -0400 +Subject: [PATCH 3/5] transport: refactor protocol whitelist code + +The current callers only want to die when their transport is +prohibited. But future callers want to query the mechanism +without dying. + +Let's break out a few query functions, and also save the +results in a static list so we don't have to re-parse for +each query. + +Based-on-a-patch-by: Blake Burkhart +Signed-off-by: Jeff King +Signed-off-by: Junio C Hamano +--- + transport.c | 38 ++++++++++++++++++++++++++++++-------- + transport.h | 15 +++++++++++++-- + 2 files changed, 43 insertions(+), 10 deletions(-) + +diff --git a/transport.c b/transport.c +index 733717d..2dbdca0 100644 +--- a/transport.c ++++ b/transport.c +@@ -894,18 +894,40 @@ static int external_specification_len(const char *url) + return strchr(url, ':') - url; + } + +-void transport_check_allowed(const char *type) ++static const struct string_list *protocol_whitelist(void) + { +- struct string_list allowed = STRING_LIST_INIT_DUP; +- const char *v = getenv("GIT_ALLOW_PROTOCOL"); ++ static int enabled = -1; ++ static struct string_list allowed = STRING_LIST_INIT_DUP; ++ ++ if (enabled < 0) { ++ const char *v = getenv("GIT_ALLOW_PROTOCOL"); ++ if (v) { ++ string_list_split(&allowed, v, ':', -1); ++ sort_string_list(&allowed); ++ enabled = 1; ++ } else { ++ enabled = 0; ++ } ++ } + +- if (!v) +- return; ++ return enabled ? &allowed : NULL; ++} ++ ++int is_transport_allowed(const char *type) ++{ ++ const struct string_list *allowed = protocol_whitelist(); ++ return !allowed || string_list_has_string(allowed, type); ++} + +- string_list_split(&allowed, v, ':', -1); +- if (!unsorted_string_list_has_string(&allowed, type)) ++void transport_check_allowed(const char *type) ++{ ++ if (!is_transport_allowed(type)) + die("transport '%s' not allowed", type); +- string_list_clear(&allowed, 0); ++} ++ ++int transport_restrict_protocols(void) ++{ ++ return !!protocol_whitelist(); + } + + struct transport *transport_get(struct remote *remote, const char *url) +diff --git a/transport.h b/transport.h +index 2beda7d..7707c27 100644 +--- a/transport.h ++++ b/transport.h +@@ -114,12 +114,23 @@ struct transport { + struct transport *transport_get(struct remote *, const char *); + + /* ++ * Check whether a transport is allowed by the environment. Type should ++ * generally be the URL scheme, as described in Documentation/git.txt ++ */ ++int is_transport_allowed(const char *type); ++ ++/* + * Check whether a transport is allowed by the environment, +- * and die otherwise. type should generally be the URL scheme, +- * as described in Documentation/git.txt ++ * and die otherwise. + */ + void transport_check_allowed(const char *type); + ++/* ++ * Returns true if the user has attempted to turn on protocol ++ * restrictions at all. ++ */ ++int transport_restrict_protocols(void); ++ + /* Transport options which apply to git:// and scp-style URLs */ + + /* The program to use on the remote side to send a pack */ +-- +2.1.0 + diff --git a/SOURCES/0004-http-limit-redirection-to-protocol-whitelist.patch b/SOURCES/0004-http-limit-redirection-to-protocol-whitelist.patch new file mode 100644 index 0000000..293f16c --- /dev/null +++ b/SOURCES/0004-http-limit-redirection-to-protocol-whitelist.patch @@ -0,0 +1,77 @@ +From 2d22150270739cd29d0ac6bc329e0a2e2910d7d9 Mon Sep 17 00:00:00 2001 +From: Petr Stodulka +Date: Fri, 23 Oct 2015 17:36:57 +0200 +Subject: [PATCH 4/5] http-limit-redirection-to-protocol-whitelist + +Previously, libcurl would follow redirection to any protocol +it was compiled for support with. This is desirable to allow +redirection from HTTP to HTTPS. However, it would even +successfully allow redirection from HTTP to SFTP, a protocol +that git does not otherwise support at all. Furthermore +git's new protocol-whitelisting could be bypassed by +following a redirect within the remote helper, as it was +only enforced at transport selection time. + +This patch limits redirects within libcurl to HTTP, HTTPS, +FTP and FTPS. If there is a protocol-whitelist present, this +list is limited to those also allowed by the whitelist. As +redirection happens from within libcurl, it is impossible +for an HTTP redirect to a protocol implemented within +another remote helper. + +When the curl version git was compiled with is too old to +support restrictions on protocol redirection, we warn the +user if GIT_ALLOW_PROTOCOL restrictions were requested. This +is a little inaccurate, as even without that variable in the +environment, we would still restrict SFTP, etc, and we do +not warn in that case. But anything else means we would +literally warn every time git accesses an http remote. +--- + http.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/http.c b/http.c +index 92aba59..235c2d5 100644 +--- a/http.c ++++ b/http.c +@@ -6,6 +6,7 @@ + #include "credential.h" + #include "version.h" + #include "pkt-line.h" ++#include "transport.h" + + int active_requests; + int http_is_verbose; +@@ -252,6 +253,7 @@ static int has_cert_password(void) + static CURL *get_curl_handle(void) + { + CURL *result = curl_easy_init(); ++ long allowed_protocols = 0; + + if (!curl_ssl_verify) { + curl_easy_setopt(result, CURLOPT_SSL_VERIFYPEER, 0); +@@ -301,6 +303,21 @@ static CURL *get_curl_handle(void) + #elif LIBCURL_VERSION_NUM >= 0x071101 + curl_easy_setopt(result, CURLOPT_POST301, 1); + #endif ++#if LIBCURL_VERSION_NUM >= 0x071304 ++ if (is_transport_allowed("http")) ++ allowed_protocols |= CURLPROTO_HTTP; ++ if (is_transport_allowed("https")) ++ allowed_protocols |= CURLPROTO_HTTPS; ++ if (is_transport_allowed("ftp")) ++ allowed_protocols |= CURLPROTO_FTP; ++ if (is_transport_allowed("ftps")) ++ allowed_protocols |= CURLPROTO_FTPS; ++ curl_easy_setopt(result, CURLOPT_REDIR_PROTOCOLS, allowed_protocols); ++#else ++ if (transport_restrict_protocols()) ++ warning("protocol restrictions not applied to curl redirects because\n" ++ "your curl version is too old (>= 7.19.4)"); ++#endif + + if (getenv("GIT_CURL_VERBOSE")) + curl_easy_setopt(result, CURLOPT_VERBOSE, 1); +-- +2.1.0 + diff --git a/SOURCES/0005-http-limit-redirection-depth.patch b/SOURCES/0005-http-limit-redirection-depth.patch new file mode 100644 index 0000000..471f4eb --- /dev/null +++ b/SOURCES/0005-http-limit-redirection-depth.patch @@ -0,0 +1,31 @@ +From 7f3bfdbc2670b4960242fa1b229dde6bcb2b463b Mon Sep 17 00:00:00 2001 +From: Petr Stodulka +Date: Fri, 23 Oct 2015 17:39:59 +0200 +Subject: [PATCH 5/5] http: limit redirection depth + +By default, libcurl will follow circular http redirects +forever. Let's put a cap on this so that somebody who can +trigger an automated fetch of an arbitrary repository (e.g., +for CI) cannot convince git to loop infinitely. + +The value chosen is 20, which is the same default that +Firefox uses. +--- + http.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/http.c b/http.c +index 235c2d5..a1c7dcb 100644 +--- a/http.c ++++ b/http.c +@@ -298,6 +298,7 @@ static CURL *get_curl_handle(void) + } + + curl_easy_setopt(result, CURLOPT_FOLLOWLOCATION, 1); ++ curl_easy_setopt(result, CURLOPT_MAXREDIRS, 20); + #if LIBCURL_VERSION_NUM >= 0x071301 + curl_easy_setopt(result, CURLOPT_POSTREDIR, CURL_REDIR_POST_ALL); + #elif LIBCURL_VERSION_NUM >= 0x071101 +-- +2.1.0 + diff --git a/SOURCES/0007-git-prompt.patch b/SOURCES/0007-git-prompt.patch new file mode 100644 index 0000000..a179403 --- /dev/null +++ b/SOURCES/0007-git-prompt.patch @@ -0,0 +1,53 @@ +From 7e546ae76da784185ba9515ed86e435ba17fdd65 Mon Sep 17 00:00:00 2001 +From: Petr Stodulka +Date: Wed, 29 Mar 2017 13:08:28 +0200 +Subject: [PATCH] git-prompt.sh: don't put unsanitized branch names in $PS1 + +--- + contrib/completion/git-prompt.sh | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/contrib/completion/git-prompt.sh b/contrib/completion/git-prompt.sh +index eaf5c36..2c872e5 100644 +--- a/contrib/completion/git-prompt.sh ++++ b/contrib/completion/git-prompt.sh +@@ -360,8 +360,11 @@ __git_ps1 () + fi + + local f="$w$i$s$u" ++ b=${b##refs/heads/} + if [ $pcmode = yes ]; then + local gitstring= ++ __git_ps1_branch_name=$b ++ b="\${__git_ps1_branch_name}" + if [ -n "${GIT_PS1_SHOWCOLORHINTS-}" ]; then + local c_red='\e[31m' + local c_green='\e[32m' +@@ -371,7 +374,7 @@ __git_ps1 () + local ok_color=$c_green + local branch_color="$c_clear" + local flags_color="$c_lblue" +- local branchstring="$c${b##refs/heads/}" ++ local branchstring="$c$b" + + if [ $detached = no ]; then + branch_color="$ok_color" +@@ -400,13 +403,13 @@ __git_ps1 () + fi + gitstring="$gitstring\[$c_clear\]$r$p" + else +- gitstring="$c${b##refs/heads/}${f:+ $f}$r$p" ++ gitstring="$c$b${f:+ $f}$r$p" + fi + gitstring=$(printf -- "$printf_format" "$gitstring") + PS1="$ps1pc_start$gitstring$ps1pc_end" + else + # NO color option unless in PROMPT_COMMAND mode +- printf -- "$printf_format" "$c${b##refs/heads/}${f:+ $f}$r$p" ++ printf -- "$printf_format" "$c$b${f:+ $f}$r$p" + fi + fi + } +-- +2.5.5 + diff --git a/SOURCES/0008-Fix-CVE-2017-8386.patch b/SOURCES/0008-Fix-CVE-2017-8386.patch new file mode 100644 index 0000000..88b19e9 --- /dev/null +++ b/SOURCES/0008-Fix-CVE-2017-8386.patch @@ -0,0 +1,26 @@ +From 654dbd112ab7cbe0a162afaab645a971da62d433 Mon Sep 17 00:00:00 2001 +From: Petr Stodulka +Date: Wed, 17 May 2017 11:37:01 +0200 +Subject: [PATCH] Fix CVE-2017-8386 + +See the commit 3ec804490 in upstream repository for more info. +--- + shell.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/shell.c b/shell.c +index 1429870..72ed0fa 100644 +--- a/shell.c ++++ b/shell.c +@@ -13,7 +13,7 @@ static int do_generic_cmd(const char *me, char *arg) + const char *my_argv[4]; + + setup_path(); +- if (!arg || !(arg = sq_dequote(arg))) ++ if (!arg || !(arg = sq_dequote(arg)) || *arg == '-') + die("bad argument"); + if (prefixcmp(me, "git-")) + die("bad command"); +-- +2.9.4 + diff --git a/SOURCES/0009-remote-curl-fall-back-to-Basic-auth-if-Negotiate-fai.patch b/SOURCES/0009-remote-curl-fall-back-to-Basic-auth-if-Negotiate-fai.patch new file mode 100644 index 0000000..9c011e2 --- /dev/null +++ b/SOURCES/0009-remote-curl-fall-back-to-Basic-auth-if-Negotiate-fai.patch @@ -0,0 +1,47 @@ +From d6c38a748291246ebe2f7a9e966db24f4b4f839c Mon Sep 17 00:00:00 2001 +From: Petr Stodulka +Date: Wed, 13 Sep 2017 03:09:59 +0200 +Subject: [PATCH] remote-curl: fall back to Basic auth if Negotiate fails + +See the upstream commit 4dbe66464 +--- + http.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/http.c b/http.c +index e7c77c0..3320590 100644 +--- a/http.c ++++ b/http.c +@@ -60,6 +60,9 @@ static const char *user_agent; + + static struct credential cert_auth = CREDENTIAL_INIT; + static int ssl_cert_password_required; ++#ifdef LIBCURL_CAN_HANDLE_AUTH_ANY ++static unsigned long http_auth_methods = CURLAUTH_ANY; ++#endif + + static struct curl_slist *pragma_header; + static struct curl_slist *no_pragma_header; +@@ -572,6 +575,9 @@ struct active_request_slot *get_active_slot(void) + curl_easy_setopt(slot->curl, CURLOPT_UPLOAD, 0); + curl_easy_setopt(slot->curl, CURLOPT_HTTPGET, 1); + curl_easy_setopt(slot->curl, CURLOPT_FAILONERROR, 1); ++#ifdef LIBCURL_CAN_HANDLE_AUTH_ANY ++ curl_easy_setopt(slot->curl, CURLOPT_HTTPAUTH, http_auth_methods); ++#endif + if (http_auth.password) + init_curl_http_auth(slot->curl); + +@@ -856,6 +862,9 @@ int handle_curl_result(struct slot_results *results) + credential_reject(&http_auth); + return HTTP_NOAUTH; + } else { ++#ifdef LIBCURL_CAN_HANDLE_AUTH_ANY ++ http_auth_methods &= ~CURLAUTH_GSSNEGOTIATE; ++#endif + credential_fill(&http_auth); + return HTTP_REAUTH; + } +-- +2.13.5 + diff --git a/SOURCES/git-1.5-gitweb-home-link.patch b/SOURCES/git-1.5-gitweb-home-link.patch new file mode 100644 index 0000000..74c8390 --- /dev/null +++ b/SOURCES/git-1.5-gitweb-home-link.patch @@ -0,0 +1,12 @@ +diff -up git-1.7.2/gitweb/gitweb.perl.orig git-1.7.2/gitweb/gitweb.perl +--- git-1.7.2/gitweb/gitweb.perl.orig 2010-07-21 23:35:25.000000000 +0200 ++++ git-1.7.2/gitweb/gitweb.perl 2010-07-22 10:49:50.385707086 +0200 +@@ -79,7 +79,7 @@ our $projectroot = "++GITWEB_PROJECTROOT + our $project_maxdepth = "++GITWEB_PROJECT_MAXDEPTH++"; + + # string of the home link on top of all pages +-our $home_link_str = "++GITWEB_HOME_LINK_STR++"; ++our $home_link_str = $ENV{'SERVER_NAME'} ? "git://" . $ENV{'SERVER_NAME'} : "projects"; + + # name of your site or organization to appear in page titles + # replace this with something more descriptive for clearer bookmarks diff --git a/SOURCES/git-1.7-el5-emacs-support.patch b/SOURCES/git-1.7-el5-emacs-support.patch new file mode 100644 index 0000000..25b3c31 --- /dev/null +++ b/SOURCES/git-1.7-el5-emacs-support.patch @@ -0,0 +1,252 @@ +From 424058e0607b4b3c558d19633090e06e7bd2b851 Mon Sep 17 00:00:00 2001 +From: Todd Zullinger +Date: Wed, 2 Feb 2011 21:24:44 -0500 +Subject: [PATCH] Restore vc-git.el for basic compatibility on EL-5 + +This is the vc-git.el from 1.6.4.1, the last version to include it. +Most uses will be better served by the vc-git.el which is provided by +emacs >= 22.2, but on EL-5 we don't have the luxury of a modern emacs. +--- + contrib/emacs/Makefile | 2 +- + contrib/emacs/vc-git.el | 216 +++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 217 insertions(+), 1 deletions(-) + create mode 100644 contrib/emacs/vc-git.el + +diff --git a/contrib/emacs/Makefile b/contrib/emacs/Makefile +index 24d9312..a48540a 100644 +--- a/contrib/emacs/Makefile ++++ b/contrib/emacs/Makefile +@@ -2,7 +2,7 @@ + + EMACS = emacs + +-ELC = git.elc git-blame.elc ++ELC = git.elc vc-git.elc git-blame.elc + INSTALL ?= install + INSTALL_ELC = $(INSTALL) -m 644 + prefix ?= $(HOME) +diff --git a/contrib/emacs/vc-git.el b/contrib/emacs/vc-git.el +new file mode 100644 +index 0000000..b8f6be5 +--- /dev/null ++++ b/contrib/emacs/vc-git.el +@@ -0,0 +1,216 @@ ++;;; vc-git.el --- VC backend for the git version control system ++ ++;; Copyright (C) 2006 Alexandre Julliard ++ ++;; This program is free software; you can redistribute it and/or ++;; modify it under the terms of the GNU General Public License as ++;; published by the Free Software Foundation; either version 2 of ++;; the License, or (at your option) any later version. ++;; ++;; This program is distributed in the hope that it will be ++;; useful, but WITHOUT ANY WARRANTY; without even the implied ++;; warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR ++;; PURPOSE. See the GNU General Public License for more details. ++;; ++;; You should have received a copy of the GNU General Public ++;; License along with this program; if not, write to the Free ++;; Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, ++;; MA 02111-1307 USA ++ ++;;; Commentary: ++ ++;; This file contains a VC backend for the git version control ++;; system. ++;; ++;; To install: put this file on the load-path and add GIT to the list ++;; of supported backends in `vc-handled-backends'; the following line, ++;; placed in your ~/.emacs, will accomplish this: ++;; ++;; (add-to-list 'vc-handled-backends 'GIT) ++;; ++;; TODO ++;; - changelog generation ++;; - working with revisions other than HEAD ++;; ++ ++(eval-when-compile (require 'cl)) ++ ++(defvar git-commits-coding-system 'utf-8 ++ "Default coding system for git commits.") ++ ++(defun vc-git--run-command-string (file &rest args) ++ "Run a git command on FILE and return its output as string." ++ (let* ((ok t) ++ (str (with-output-to-string ++ (with-current-buffer standard-output ++ (unless (eq 0 (apply #'call-process "git" nil '(t nil) nil ++ (append args (list (file-relative-name file))))) ++ (setq ok nil)))))) ++ (and ok str))) ++ ++(defun vc-git--run-command (file &rest args) ++ "Run a git command on FILE, discarding any output." ++ (let ((name (file-relative-name file))) ++ (eq 0 (apply #'call-process "git" nil (get-buffer "*Messages") nil (append args (list name)))))) ++ ++(defun vc-git-registered (file) ++ "Check whether FILE is registered with git." ++ (with-temp-buffer ++ (let* ((dir (file-name-directory file)) ++ (name (file-relative-name file dir))) ++ (and (ignore-errors ++ (when dir (cd dir)) ++ (eq 0 (call-process "git" nil '(t nil) nil "ls-files" "-c" "-z" "--" name))) ++ (let ((str (buffer-string))) ++ (and (> (length str) (length name)) ++ (string= (substring str 0 (1+ (length name))) (concat name "\0")))))))) ++ ++(defun vc-git-state (file) ++ "git-specific version of `vc-state'." ++ (let ((diff (vc-git--run-command-string file "diff-index" "-z" "HEAD" "--"))) ++ (if (and diff (string-match ":[0-7]\\{6\\} [0-7]\\{6\\} [0-9a-f]\\{40\\} [0-9a-f]\\{40\\} [ADMU]\0[^\0]+\0" diff)) ++ 'edited ++ 'up-to-date))) ++ ++(defun vc-git-workfile-version (file) ++ "git-specific version of `vc-workfile-version'." ++ (let ((str (with-output-to-string ++ (with-current-buffer standard-output ++ (call-process "git" nil '(t nil) nil "symbolic-ref" "HEAD"))))) ++ (if (string-match "^\\(refs/heads/\\)?\\(.+\\)$" str) ++ (match-string 2 str) ++ str))) ++ ++(defun vc-git-symbolic-commit (commit) ++ "Translate COMMIT string into symbolic form. ++Returns nil if not possible." ++ (and commit ++ (with-temp-buffer ++ (and ++ (zerop ++ (call-process "git" nil '(t nil) nil "name-rev" ++ "--name-only" "--tags" ++ commit)) ++ (goto-char (point-min)) ++ (= (forward-line 2) 1) ++ (bolp) ++ (buffer-substring-no-properties (point-min) (1- (point-max))))))) ++ ++(defun vc-git-previous-version (file rev) ++ "git-specific version of `vc-previous-version'." ++ (let ((default-directory (file-name-directory (expand-file-name file))) ++ (file (file-name-nondirectory file))) ++ (vc-git-symbolic-commit ++ (with-temp-buffer ++ (and ++ (zerop ++ (call-process "git" nil '(t nil) nil "rev-list" ++ "-2" rev "--" file)) ++ (goto-char (point-max)) ++ (bolp) ++ (zerop (forward-line -1)) ++ (not (bobp)) ++ (buffer-substring-no-properties ++ (point) ++ (1- (point-max)))))))) ++ ++(defun vc-git-next-version (file rev) ++ "git-specific version of `vc-next-version'." ++ (let* ((default-directory (file-name-directory ++ (expand-file-name file))) ++ (file (file-name-nondirectory file)) ++ (current-rev ++ (with-temp-buffer ++ (and ++ (zerop ++ (call-process "git" nil '(t nil) nil "rev-list" ++ "-1" rev "--" file)) ++ (goto-char (point-max)) ++ (bolp) ++ (zerop (forward-line -1)) ++ (bobp) ++ (buffer-substring-no-properties ++ (point) ++ (1- (point-max))))))) ++ (and current-rev ++ (vc-git-symbolic-commit ++ (with-temp-buffer ++ (and ++ (zerop ++ (call-process "git" nil '(t nil) nil "rev-list" ++ "HEAD" "--" file)) ++ (goto-char (point-min)) ++ (search-forward current-rev nil t) ++ (zerop (forward-line -1)) ++ (buffer-substring-no-properties ++ (point) ++ (progn (forward-line 1) (1- (point)))))))))) ++ ++(defun vc-git-revert (file &optional contents-done) ++ "Revert FILE to the version stored in the git repository." ++ (if contents-done ++ (vc-git--run-command file "update-index" "--") ++ (vc-git--run-command file "checkout" "HEAD"))) ++ ++(defun vc-git-checkout-model (file) ++ 'implicit) ++ ++(defun vc-git-workfile-unchanged-p (file) ++ (let ((sha1 (vc-git--run-command-string file "hash-object" "--")) ++ (head (vc-git--run-command-string file "ls-tree" "-z" "HEAD" "--"))) ++ (and head ++ (string-match "[0-7]\\{6\\} blob \\([0-9a-f]\\{40\\}\\)\t[^\0]+\0" head) ++ (string= (car (split-string sha1 "\n")) (match-string 1 head))))) ++ ++(defun vc-git-register (file &optional rev comment) ++ "Register FILE into the git version-control system." ++ (vc-git--run-command file "update-index" "--add" "--")) ++ ++(defun vc-git-print-log (file &optional buffer) ++ (let ((name (file-relative-name file)) ++ (coding-system-for-read git-commits-coding-system)) ++ (vc-do-command buffer 'async "git" name "rev-list" "--pretty" "HEAD" "--"))) ++ ++(defun vc-git-diff (file &optional rev1 rev2 buffer) ++ (let ((name (file-relative-name file)) ++ (buf (or buffer "*vc-diff*"))) ++ (if (and rev1 rev2) ++ (vc-do-command buf 0 "git" name "diff-tree" "-p" rev1 rev2 "--") ++ (vc-do-command buf 0 "git" name "diff-index" "-p" (or rev1 "HEAD") "--")) ++ ; git-diff-index doesn't set exit status like diff does ++ (if (vc-git-workfile-unchanged-p file) 0 1))) ++ ++(defun vc-git-checkin (file rev comment) ++ (let ((coding-system-for-write git-commits-coding-system)) ++ (vc-git--run-command file "commit" "-m" comment "--only" "--"))) ++ ++(defun vc-git-checkout (file &optional editable rev destfile) ++ (if destfile ++ (let ((fullname (substring ++ (vc-git--run-command-string file "ls-files" "-z" "--full-name" "--") ++ 0 -1)) ++ (coding-system-for-read 'no-conversion) ++ (coding-system-for-write 'no-conversion)) ++ (with-temp-file destfile ++ (eq 0 (call-process "git" nil t nil "cat-file" "blob" ++ (concat (or rev "HEAD") ":" fullname))))) ++ (vc-git--run-command file "checkout" (or rev "HEAD")))) ++ ++(defun vc-git-annotate-command (file buf &optional rev) ++ ; FIXME: rev is ignored ++ (let ((name (file-relative-name file))) ++ (call-process "git" nil buf nil "blame" name))) ++ ++(defun vc-git-annotate-time () ++ (and (re-search-forward "[0-9a-f]+ (.* \\([0-9]+\\)-\\([0-9]+\\)-\\([0-9]+\\) \\([0-9]+\\):\\([0-9]+\\):\\([0-9]+\\) \\([-+0-9]+\\) +[0-9]+)" nil t) ++ (vc-annotate-convert-time ++ (apply #'encode-time (mapcar (lambda (match) (string-to-number (match-string match))) '(6 5 4 3 2 1 7)))))) ++ ++;; Not really useful since we can't do anything with the revision yet ++;;(defun vc-annotate-extract-revision-at-line () ++;; (save-excursion ++;; (move-beginning-of-line 1) ++;; (and (looking-at "[0-9a-f]+") ++;; (buffer-substring (match-beginning 0) (match-end 0))))) ++ ++(provide 'vc-git) +-- +1.7.3.4 + diff --git a/SOURCES/git-cve-2017-1000117.patch b/SOURCES/git-cve-2017-1000117.patch new file mode 100644 index 0000000..ccdfa9c --- /dev/null +++ b/SOURCES/git-cve-2017-1000117.patch @@ -0,0 +1,85 @@ +diff --git a/cache.h b/cache.h +index 94ca1ac..2ab9ffd 100644 +--- a/cache.h ++++ b/cache.h +@@ -744,6 +744,14 @@ char *strip_path_suffix(const char *path, const char *suffix); + int daemon_avoid_alias(const char *path); + int offset_1st_component(const char *path); + ++/* ++ * Returns true iff "str" could be confused as a command-line option when ++ * passed to a sub-program like "ssh". Note that this has nothing to do with ++ * shell-quoting, which should be handled separately; we're assuming here that ++ * the string makes it verbatim to the sub-program. ++ */ ++int looks_like_command_line_option(const char *str); ++ + /* object replacement */ + #define READ_SHA1_FILE_REPLACE 1 + extern void *read_sha1_file_extended(const unsigned char *sha1, enum object_type *type, unsigned long *size, unsigned flag); +diff --git a/connect.c b/connect.c +index 6d4ea13..970f565 100644 +--- a/connect.c ++++ b/connect.c +@@ -450,6 +450,11 @@ static struct child_process *git_proxy_connect(int fd[2], char *host) + + get_host_and_port(&host, &port); + ++ if (looks_like_command_line_option(host)) ++ die("strange hostname '%s' blocked", host); ++ if (looks_like_command_line_option(port)) ++ die("strange port '%s' blocked", port); ++ + argv = xmalloc(sizeof(*argv) * 4); + argv[0] = git_proxy_command; + argv[1] = host; +@@ -613,6 +618,10 @@ struct child_process *git_connect(int fd[2], const char *url_orig, + + conn = xcalloc(1, sizeof(*conn)); + ++ if (looks_like_command_line_option(path)) ++ die("strange pathname '%s' blocked", path); ++ ++ + strbuf_init(&cmd, MAX_CMD_LEN); + strbuf_addstr(&cmd, prog); + strbuf_addch(&cmd, ' '); +@@ -626,6 +635,10 @@ struct child_process *git_connect(int fd[2], const char *url_orig, + const char *ssh = getenv("GIT_SSH"); + int putty = ssh && strcasestr(ssh, "plink"); + transport_check_allowed("ssh"); ++ if (looks_like_command_line_option(host)) ++ die("strange hostname '%s' blocked", host); ++ ++ + if (!ssh) ssh = "ssh"; + + *arg++ = ssh; +diff --git a/path.c b/path.c +index 04ff148..713d79b 100644 +--- a/path.c ++++ b/path.c +@@ -701,3 +701,9 @@ int offset_1st_component(const char *path) + return 2 + is_dir_sep(path[2]); + return is_dir_sep(path[0]); + } ++ ++int looks_like_command_line_option(const char *str) ++{ ++ return str && str[0] == '-'; ++} ++ +diff --git a/t/t5532-fetch-proxy.sh b/t/t5532-fetch-proxy.sh +index 5531bd1..d3b2651 100755 +--- a/t/t5532-fetch-proxy.sh ++++ b/t/t5532-fetch-proxy.sh +@@ -40,4 +40,9 @@ test_expect_success 'fetch through proxy works' ' + test_cmp expect actual + ' + ++test_expect_success 'funny hostnames are rejected before running proxy' ' ++ test_must_fail git fetch git://-remote/repo.git 2>stderr && ++ ! grep "proxying for" stderr ++' ++ + test_done diff --git a/SOURCES/git-cvsimport-Ignore-cvsps-2.2b1-Branches-output.patch b/SOURCES/git-cvsimport-Ignore-cvsps-2.2b1-Branches-output.patch new file mode 100644 index 0000000..37a22dd --- /dev/null +++ b/SOURCES/git-cvsimport-Ignore-cvsps-2.2b1-Branches-output.patch @@ -0,0 +1,26 @@ +From 09891c65a5f7409ce0bd37daced0ff31fbb1b1c9 Mon Sep 17 00:00:00 2001 +From: Todd Zullinger +Date: Mon, 23 Mar 2009 00:03:36 -0400 +Subject: [PATCH] git-cvsimport: Ignore cvsps-2.2b1 Branches: output + +Signed-off-by: Todd Zullinger +--- + git-cvsimport.perl | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +diff --git a/git-cvsimport.perl b/git-cvsimport.perl +index e439202..d020f1a 100755 +--- a/git-cvsimport.perl ++++ b/git-cvsimport.perl +@@ -952,7 +952,7 @@ while () { + } elsif (/^-+$/) { # end of unknown-line processing + $state = 1; + } elsif ($state != 11) { # ignore stuff when skipping +- print STDERR "* UNKNOWN LINE * $_\n"; ++ print STDERR "* UNKNOWN LINE * $_\n" unless /^Branches: /; + } + } + commit() if $branch and $state != 11; +-- +1.6.2.2 + diff --git a/SOURCES/git-gui.desktop b/SOURCES/git-gui.desktop new file mode 100644 index 0000000..f74f066 --- /dev/null +++ b/SOURCES/git-gui.desktop @@ -0,0 +1,9 @@ +[Desktop Entry] +Name=Git GUI +GenericName=Git GUI +Comment=A graphical interface to Git +Exec=git gui +Icon=/usr/share/git-gui/lib/git-gui.ico +Terminal=false +Type=Application +Categories=Development; diff --git a/SOURCES/git-init.el b/SOURCES/git-init.el new file mode 100644 index 0000000..d2a96a7 --- /dev/null +++ b/SOURCES/git-init.el @@ -0,0 +1,5 @@ +;; Git VC backend +(add-to-list 'vc-handled-backends 'GIT t) +(autoload 'git-status "git" "GIT mode." t) +(autoload 'git-blame-mode "git-blame" + "Minor mode for incremental blame for Git." t) diff --git a/SOURCES/git-request-pull-fix.patch b/SOURCES/git-request-pull-fix.patch new file mode 100644 index 0000000..264985d --- /dev/null +++ b/SOURCES/git-request-pull-fix.patch @@ -0,0 +1,13 @@ +diff --git a/git-request-pull.sh b/git-request-pull.sh +index d566015..71abbf4 100755 +--- a/git-request-pull.sh ++++ b/git-request-pull.sh +@@ -79,7 +79,7 @@ find_matching_ref=' + my ($sha1, $ref, $deref) = /^(\S+)\s+(\S+?)(\^\{\})?$/; + next unless ($sha1 eq $ARGV[1]); + $found = abbr($ref); +- if ($deref && $ref eq "tags/$ARGV[2]") { ++ if ($deref && $ref eq "refs/tags/$ARGV[2]") { + $tagged = $found; + last; + } diff --git a/SOURCES/git.conf.httpd b/SOURCES/git.conf.httpd new file mode 100644 index 0000000..4f4eac7 --- /dev/null +++ b/SOURCES/git.conf.httpd @@ -0,0 +1,7 @@ +Alias /git /var/www/git + + + Options +ExecCGI + AddHandler cgi-script .cgi + DirectoryIndex gitweb.cgi + diff --git a/SOURCES/git.socket b/SOURCES/git.socket new file mode 100644 index 0000000..3dec01d --- /dev/null +++ b/SOURCES/git.socket @@ -0,0 +1,9 @@ +[Unit] +Description=Git Activation Socket + +[Socket] +ListenStream=9418 +Accept=true + +[Install] +WantedBy=sockets.target diff --git a/SOURCES/git.xinetd.in b/SOURCES/git.xinetd.in new file mode 100644 index 0000000..540e070 --- /dev/null +++ b/SOURCES/git.xinetd.in @@ -0,0 +1,14 @@ +# default: off +# description: The git dæmon allows git repositories to be exported using \ +# the git:// protocol. + +service git +{ + disable = yes + socket_type = stream + wait = no + user = nobody + server = @GITCOREDIR@/git-daemon + server_args = --base-path=@BASE_PATH@ --export-all --user-path=public_git --syslog --inetd --verbose + log_on_failure += USERID +} diff --git a/SOURCES/git@.service b/SOURCES/git@.service new file mode 100644 index 0000000..185ff25 --- /dev/null +++ b/SOURCES/git@.service @@ -0,0 +1,8 @@ +[Unit] +Description=Git Repositories Server Daemon +Documentation=man:git-daemon(1) + +[Service] +User=nobody +ExecStart=-/usr/libexec/git-core/git-daemon --base-path=/var/lib/git --export-all --user-path=public_git --syslog --inetd --verbose +StandardInput=socket diff --git a/SOURCES/gitweb.conf.in b/SOURCES/gitweb.conf.in new file mode 100644 index 0000000..c04a96b --- /dev/null +++ b/SOURCES/gitweb.conf.in @@ -0,0 +1,53 @@ +# The gitweb config file is a fragment of perl code. You can set variables +# using "our $variable = value"; text from "#" character until the end of a +# line is ignored. See perlsyn(1) man page for details. +# +# See /usr/share/doc/gitweb-*/README and /usr/share/doc/gitweb-*/INSTALL for +# more details and available configuration variables. + +# Set the path to git projects. This is an absolute filesystem path which will +# be prepended to the project path. +#our $projectroot = "@PROJECTROOT@"; + +# Set the list of git base URLs used for URL to where fetch project from, i.e. +# the full URL is "$git_base_url/$project". By default this is empty +#our @git_base_url_list = qw(git://git.example.com +# ssh://git.example.com@PROJECTROOT@); + +# Enable the 'blame' blob view, showing the last commit that modified +# each line in the file. This can be very CPU-intensive. Disabled by default +#$feature{'blame'}{'default'} = [1]; +# +# Allow projects to override the default setting via git config file. +# Example: gitweb.blame = 0|1; +#$feature{'blame'}{'override'} = 1; + +# Disable the 'snapshot' link, providing a compressed archive of any tree. This +# can potentially generate high traffic if you have large project. Enabled for +# .tar.gz snapshots by default. +# +# Value is a list of formats defined in %known_snapshot_formats that you wish +# to offer. +#$feature{'snapshot'}{'default'} = []; +# +# Allow projects to override the default setting via git config file. +# Example: gitweb.snapshot = tbz2,zip; (use "none" to disable) +#$feature{'snapshot'}{'override'} = 1; + +# Disable grep search, which will list the files in currently selected tree +# containing the given string. This can be potentially CPU-intensive, of +# course. Enabled by default. +#$feature{'grep'}{'default'} = [0]; +# +# Allow projects to override the default setting via git config file. +# Example: gitweb.grep = 0|1; +#$feature{'grep'}{'override'} = 1; + +# Disable the pickaxe search, which will list the commits that modified a given +# string in a file. This can be practical and quite faster alternative to +# 'blame', but still potentially CPU-intensive. Enabled by default. +#$feature{'pickaxe'}{'default'} = [0]; +# +# Allow projects to override the default setting via git config file. +# Example: gitweb.pickaxe = 0|1; +#$feature{'pickaxe'}{'override'} = 1; diff --git a/SPECS/git.spec b/SPECS/git.spec new file mode 100644 index 0000000..8f26a1f --- /dev/null +++ b/SPECS/git.spec @@ -0,0 +1,1451 @@ +# Pass --without docs to rpmbuild if you don't want the documentation + +# Settings for EL-5 +# - Leave git-* binaries in %{_bindir} +# - Don't use noarch subpackages +# - Use proper libcurl devel package +# - Patch emacs and tweak docbook spaces +# - Explicitly enable ipv6 for git-daemon +# - Use prebuilt documentation, asciidoc is too old +# - Define missing python macro +%if 0%{?rhel} && 0%{?rhel} <= 5 +%global gitcoredir %{_bindir} +%global noarch_sub 0 +%global libcurl_devel curl-devel +%global emacs_old 1 +%global docbook_suppress_sp 1 +%global enable_ipv6 1 +%global use_prebuilt_docs 1 +%global filter_yaml_any 1 +%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")} +%else +%global gitcoredir %{_libexecdir}/git-core +%global noarch_sub 1 +%global libcurl_devel libcurl-devel +%global emacs_old 0 +%global docbook_suppress_sp 0 +%global enable_ipv6 0 +%global use_prebuilt_docs 0 +%global filter_yaml_any 0 +%endif + +# Use systemd instead of xinetd on Fedora 19+ and RHEL 7+ +%if 0%{?fedora} >= 19 || 0%{?rhel} >= 7 +%global use_systemd 1 +%else +%global use_systemd 0 +%endif + +# Build gnome-keyring git-credential helper on Fedora and RHEL >= 7 +%if 0%{?fedora} || 0%{?rhel} >= 7 +%global gnome_keyring 1 +%else +%global gnome_keyring 0 +%endif + +%if (0%{?fedora} && 0%{?fedora} < 19) || (0%{?rhel} && 0%{?rhel} < 7) +%global with_desktop_vendor_tag 1 +%else +%global with_desktop_vendor_tag 0 +%endif + +Name: git +Version: 1.8.3.1 +Release: 13%{?dist} +Summary: Fast Version Control System +License: GPLv2 +Group: Development/Tools +URL: http://git-scm.com/ +Source0: http://git-core.googlecode.com/files/%{name}-%{version}.tar.gz +Source2: git-init.el +Source3: git.xinetd.in +Source4: git.conf.httpd +Source5: git-gui.desktop +Source6: gitweb.conf.in +Source10: http://git-core.googlecode.com/files/%{name}-manpages-%{version}.tar.gz +Source11: http://git-core.googlecode.com/files/%{name}-htmldocs-%{version}.tar.gz +Source12: git@.service +Source13: git.socket +Patch0: git-1.5-gitweb-home-link.patch +# https://bugzilla.redhat.com/490602 +Patch1: git-cvsimport-Ignore-cvsps-2.2b1-Branches-output.patch +# https://bugzilla.redhat.com/600411 +Patch3: git-1.7-el5-emacs-support.patch +Patch5: 0001-git-subtree-Use-gitexecdir-instead-of-libexecdir.patch +# This fixes the build when python is enabled. Needs discussion upstream to +# find a proper solution. +Patch6: 0001-Drop-DESTDIR-from-python-instlibdir.patch + +# whole set is for https://bugzilla.redhat.com/show_bug.cgi?id=1273889 +Patch7: 0001-submodule-allow-only-certain-protocols-for-submodule.patch +Patch8: 0002-transport-add-a-protocol-whitelist-environment-varia.patch +Patch9: 0003-transport-refactor-protocol-whitelist-code.patch +Patch10: 0004-http-limit-redirection-to-protocol-whitelist.patch +Patch11: 0005-http-limit-redirection-depth.patch + +# various non-CVE bugs +Patch13: 0001-http-control-GSSAPI-credential-delegation.patch +Patch17: 0009-remote-curl-fall-back-to-Basic-auth-if-Negotiate-fai.patch +Patch18: git-request-pull-fix.patch + +# CVE +Patch12: 0001-Fix-CVE-2016-2315-CVE-2016-2324.patch +Patch14: 0007-git-prompt.patch +Patch15: 0008-Fix-CVE-2017-8386.patch +Patch16: git-cve-2017-1000117.patch + +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +%if ! %{use_prebuilt_docs} && ! 0%{?_without_docs} +BuildRequires: asciidoc >= 8.4.1 +BuildRequires: xmlto +%endif +BuildRequires: desktop-file-utils +BuildRequires: emacs +BuildRequires: expat-devel +BuildRequires: gettext +BuildRequires: %{libcurl_devel} +%if %{gnome_keyring} +BuildRequires: libgnome-keyring-devel +%endif +BuildRequires: pcre-devel +BuildRequires: openssl-devel +BuildRequires: zlib-devel >= 1.2 +%if %{use_systemd} +# For macros +BuildRequires: systemd +%endif + +Requires: less +Requires: openssh-clients +Requires: perl(Error) +Requires: perl(Term::ReadKey) +Requires: perl-Git = %{version}-%{release} +Requires: rsync +Requires: zlib >= 1.2 + +Provides: git-core = %{version}-%{release} +Obsoletes: git-core <= 1.5.4.3 + +# Obsolete git-arch +Obsoletes: git-arch < %{version}-%{release} + +%description +Git is a fast, scalable, distributed revision control system with an +unusually rich command set that provides both high-level operations +and full access to internals. + +The git rpm installs the core tools with minimal dependencies. To +install all git packages, including tools for integrating with other +SCMs, install the git-all meta-package. + +%package all +Summary: Meta-package to pull in all git tools +Group: Development/Tools +%if %{noarch_sub} +BuildArch: noarch +%endif +Requires: git = %{version}-%{release} +Requires: git-cvs = %{version}-%{release} +Requires: git-email = %{version}-%{release} +Requires: git-gui = %{version}-%{release} +Requires: git-svn = %{version}-%{release} +Requires: git-p4 = %{version}-%{release} +Requires: gitk = %{version}-%{release} +Requires: perl-Git = %{version}-%{release} +Requires: emacs-git = %{version}-%{release} +Obsoletes: git <= 1.5.4.3 + +%description all +Git is a fast, scalable, distributed revision control system with an +unusually rich command set that provides both high-level operations +and full access to internals. + +This is a dummy package which brings in all subpackages. + +%package bzr +Summary: Git tools for working with bzr repositories +Group: Development/Tools +%if %{noarch_sub} +BuildArch: noarch +%endif +Requires: git = %{version}-%{release} +Requires: bzr + +%description bzr +%{summary}. + +%package daemon +Summary: Git protocol dæmon +Group: Development/Tools +Requires: git = %{version}-%{release} +%if %{use_systemd} +Requires: systemd +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +%else +Requires: xinetd +%endif +%description daemon +The git dæmon for supporting git:// access to git repositories + +%package -n gitweb +Summary: Simple web interface to git repositories +Group: Development/Tools +%if %{noarch_sub} +BuildArch: noarch +%endif +Requires: git = %{version}-%{release} + +%description -n gitweb +Simple web interface to track changes in git repositories + +%package hg +Summary: Git tools for working with mercurial repositories +Group: Development/Tools +%if %{noarch_sub} +BuildArch: noarch +%endif +Requires: git = %{version}-%{release} +Requires: mercurial + +%description hg +%{summary}. + +%package p4 +Summary: Git tools for working with Perforce depots +Group: Development/Tools +%if %{noarch_sub} +BuildArch: noarch +%endif +BuildRequires: python +Requires: git = %{version}-%{release} +%description p4 +%{summary}. + +%package svn +Summary: Git tools for importing Subversion repositories +Group: Development/Tools +Requires: git = %{version}-%{release}, subversion, perl(Term::ReadKey) +%description svn +Git tools for importing Subversion repositories. + +%package cvs +Summary: Git tools for importing CVS repositories +Group: Development/Tools +%if %{noarch_sub} +BuildArch: noarch +%endif +Requires: git = %{version}-%{release}, cvs +Requires: cvsps +Requires: perl-DBD-SQLite +%description cvs +Git tools for importing CVS repositories. + +%package email +Summary: Git tools for sending email +Group: Development/Tools +%if %{noarch_sub} +BuildArch: noarch +%endif +Requires: git = %{version}-%{release}, perl-Git = %{version}-%{release} +Requires: perl(Authen::SASL) +Requires: perl(Net::SMTP::SSL) +%description email +Git tools for sending email. + +%package gui +Summary: Git GUI tool +Group: Development/Tools +%if %{noarch_sub} +BuildArch: noarch +%endif +Requires: git = %{version}-%{release}, tk >= 8.4 +Requires: gitk = %{version}-%{release} +%description gui +Git GUI tool. + +%package -n gitk +Summary: Git revision tree visualiser +Group: Development/Tools +%if %{noarch_sub} +BuildArch: noarch +%endif +Requires: git = %{version}-%{release}, tk >= 8.4 +%description -n gitk +Git revision tree visualiser. + +%package -n perl-Git +Summary: Perl interface to Git +Group: Development/Libraries +%if %{noarch_sub} +BuildArch: noarch +%endif +Requires: git = %{version}-%{release} +BuildRequires: perl(Error), perl(ExtUtils::MakeMaker) +Requires: perl(Error) +Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) + +%description -n perl-Git +Perl interface to Git. + +%package -n perl-Git-SVN +Summary: Perl interface to Git::SVN +Group: Development/Libraries +%if %{noarch_sub} +BuildArch: noarch +%endif +Requires: git = %{version}-%{release} +Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) + +%description -n perl-Git-SVN +Perl interface to Git. + +%package -n emacs-git +Summary: Git version control system support for Emacs +Group: Applications/Editors +Requires: git = %{version}-%{release} +%if %{noarch_sub} +BuildArch: noarch +Requires: emacs(bin) >= %{_emacs_version} +%else +Requires: emacs-common +%endif + +%description -n emacs-git +%{summary}. + +%package -n emacs-git-el +Summary: Elisp source files for git version control system support for Emacs +Group: Applications/Editors +%if %{noarch_sub} +BuildArch: noarch +%endif +Requires: emacs-git = %{version}-%{release} + +%description -n emacs-git-el +%{summary}. + +%prep +%setup -q +%patch0 -p1 +%patch1 -p1 +%if %{emacs_old} +%patch3 -p1 +%endif +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 + +%if %{use_prebuilt_docs} +mkdir -p prebuilt_docs/{html,man} +tar xf %{SOURCE10} -C prebuilt_docs/man +tar xf %{SOURCE11} -C prebuilt_docs/html +# Remove non-html files +find prebuilt_docs/html -type f ! -name '*.html' | xargs rm +find prebuilt_docs/html -type d | xargs rmdir --ignore-fail-on-non-empty +%endif + +# Use these same options for every invocation of 'make'. +# Otherwise it will rebuild in %%install due to flags changes. +cat << \EOF > config.mak +V = 1 +CFLAGS = %{optflags} +BLK_SHA1 = 1 +NEEDS_CRYPTO_WITH_SSL = 1 +USE_LIBPCRE = 1 +ETC_GITCONFIG = %{_sysconfdir}/gitconfig +DESTDIR = %{buildroot} +INSTALL = install -p +GITWEB_PROJECTROOT = %{_var}/lib/git +GNU_ROFF = 1 +htmldir = %{_docdir}/%{name}-%{version} +prefix = %{_prefix} +gitwebdir = %{_var}/www/git +EOF + +%if "%{gitcoredir}" == "%{_bindir}" +echo gitexecdir = %{_bindir} >> config.mak +%endif + +%if %{docbook_suppress_sp} +# This is needed for 1.69.1-1.71.0 +echo DOCBOOK_SUPPRESS_SP = 1 >> config.mak +%endif + +# Filter bogus perl requires +# packed-refs comes from a comment in contrib/hooks/update-paranoid +# YAML::Any is optional and not available on el5 +cat << \EOF > %{name}-req +#!/bin/sh +%{__perl_requires} $* |\ +sed \ +%if %{filter_yaml_any} + -e '/perl(YAML::Any)/d' \ +%endif + -e '/perl(packed-refs)/d' +EOF + +%global __perl_requires %{_builddir}/%{name}-%{version}/%{name}-req +chmod +x %{__perl_requires} + +%build +sh configure --with-c-compiler=gcc +make %{?_smp_mflags} git-daemon LDFLAGS="-pie -Wl,-z,relro,-z,now" CFLAGS="$RPM_OPT_FLAGS -fPIC" +make %{?_smp_mflags} all -o git-daemon +%if ! %{use_prebuilt_docs} && ! 0%{?_without_docs} +make %{?_smp_mflags} doc +%endif + +make -C contrib/emacs + +%if %{gnome_keyring} +make -C contrib/credential/gnome-keyring/ +%endif + +make -C contrib/subtree/ + +# Remove shebang from bash-completion script +sed -i '/^#!bash/,+1 d' contrib/completion/git-completion.bash + +%install +rm -rf %{buildroot} +make %{?_smp_mflags} INSTALLDIRS=vendor install -o git-daemon +%if ! %{use_prebuilt_docs} && ! 0%{?_without_docs} +make %{?_smp_mflags} INSTALLDIRS=vendor install-doc -o git-daemon +%else +cp -a prebuilt_docs/man/* %{buildroot}%{_mandir} +cp -a prebuilt_docs/html/* Documentation/ +%endif + +%if %{emacs_old} +%global _emacs_sitelispdir %{_datadir}/emacs/site-lisp +%global _emacs_sitestartdir %{_emacs_sitelispdir}/site-start.d +%endif +%global elispdir %{_emacs_sitelispdir}/git +make -C contrib/emacs install \ + emacsdir=%{buildroot}%{elispdir} +for elc in %{buildroot}%{elispdir}/*.elc ; do + install -pm 644 contrib/emacs/$(basename $elc .elc).el \ + %{buildroot}%{elispdir} +done +install -Dpm 644 %{SOURCE2} \ + %{buildroot}%{_emacs_sitestartdir}/git-init.el + +%if %{gnome_keyring} +install -pm 755 contrib/credential/gnome-keyring/git-credential-gnome-keyring \ + %{buildroot}%{gitcoredir} +# Remove built binary files, otherwise they will be installed in doc +make -C contrib/credential/gnome-keyring/ clean +%endif + +make -C contrib/subtree install +%if ! %{use_prebuilt_docs} +make -C contrib/subtree install-doc +%endif + +mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d +install -pm 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/httpd/conf.d/git.conf +sed "s|@PROJECTROOT@|%{_var}/lib/git|g" \ + %{SOURCE6} > %{buildroot}%{_sysconfdir}/gitweb.conf + +find %{buildroot} -type f -name .packlist -exec rm -f {} ';' +find %{buildroot} -type f -name '*.bs' -empty -exec rm -f {} ';' +find %{buildroot} -type f -name perllocal.pod -exec rm -f {} ';' + +# Remove remote-helper python libraries and scripts, these are not ready for +# use yet +rm -rf %{buildroot}%{python_sitelib} %{buildroot}%{gitcoredir}/git-remote-testgit + +# git-archimport is not supported +find %{buildroot} Documentation -type f -name 'git-archimport*' -exec rm -f {} ';' + +exclude_re="archimport|email|git-citool|git-cvs|git-daemon|git-gui|git-remote-bzr|git-remote-hg|gitk|p4|svn" +(find %{buildroot}{%{_bindir},%{_libexecdir}} -type f | grep -vE "$exclude_re" | sed -e s@^%{buildroot}@@) > bin-man-doc-files +(find %{buildroot}{%{_bindir},%{_libexecdir}} -mindepth 1 -type d | grep -vE "$exclude_re" | sed -e 's@^%{buildroot}@%dir @') >> bin-man-doc-files +(find %{buildroot}%{perl_vendorlib} -type f | sed -e s@^%{buildroot}@@) > perl-git-files +(find %{buildroot}%{perl_vendorlib} -mindepth 1 -type d | sed -e 's@^%{buildroot}@%dir @') >> perl-git-files +# Split out Git::SVN files +grep Git/SVN perl-git-files > perl-git-svn-files +sed -i "/Git\/SVN/ d" perl-git-files +%if %{!?_without_docs:1}0 +(find %{buildroot}%{_mandir} -type f | grep -vE "$exclude_re|Git" | sed -e s@^%{buildroot}@@ -e 's/$/*/' ) >> bin-man-doc-files +%else +rm -rf %{buildroot}%{_mandir} +%endif + +mkdir -p %{buildroot}%{_var}/lib/git +%if %{use_systemd} +mkdir -p %{buildroot}%{_unitdir} +cp -a %{SOURCE12} %{SOURCE13} %{buildroot}%{_unitdir} +%else +mkdir -p %{buildroot}%{_sysconfdir}/xinetd.d +# On EL <= 5, xinetd does not enable IPv6 by default +enable_ipv6=" # xinetd does not enable IPv6 by default + flags = IPv6" +perl -p \ + -e "s|\@GITCOREDIR\@|%{gitcoredir}|g;" \ + -e "s|\@BASE_PATH\@|%{_var}/lib/git|g;" \ +%if %{enable_ipv6} + -e "s|^}|$enable_ipv6\n$&|;" \ +%endif + %{SOURCE3} > %{buildroot}%{_sysconfdir}/xinetd.d/git +%endif + +# Install bzr and hg remote helpers from contrib +install -pm 755 contrib/remote-helpers/git-remote-{bzr,hg} %{buildroot}%{gitcoredir} + +# Setup bash completion +mkdir -p %{buildroot}%{_sysconfdir}/bash_completion.d +install -pm 644 contrib/completion/git-completion.bash %{buildroot}%{_sysconfdir}/bash_completion.d/git + +# Install tcsh completion +mkdir -p %{buildroot}%{_datadir}/git-core/contrib/completion +install -pm 644 contrib/completion/git-completion.tcsh \ + %{buildroot}%{_datadir}/git-core/contrib/completion/ + +# Move contrib/hooks out of %%docdir and make them executable +mkdir -p %{buildroot}%{_datadir}/git-core/contrib +mv contrib/hooks %{buildroot}%{_datadir}/git-core/contrib +chmod +x %{buildroot}%{_datadir}/git-core/contrib/hooks/* +pushd contrib > /dev/null +ln -s ../../../git-core/contrib/hooks +popd > /dev/null + +# Install git-prompt.sh +mkdir -p %{buildroot}%{_datadir}/git-core/contrib/completion +install -pm 644 contrib/completion/git-prompt.sh \ + %{buildroot}%{_datadir}/git-core/contrib/completion/ + +# install git-gui .desktop file +desktop-file-install \ +%if %{with_desktop_vendor_tag} + --vendor fedora \ +%endif + --dir=%{buildroot}%{_datadir}/applications %{SOURCE5} + +# find translations +%find_lang %{name} %{name}.lang +cat %{name}.lang >> bin-man-doc-files + +# quiet some rpmlint complaints +chmod -R g-w %{buildroot} +find %{buildroot} -name git-mergetool--lib | xargs chmod a-x +rm -f {Documentation/technical,contrib/emacs,contrib/credential/gnome-keyring}/.gitignore +chmod a-x Documentation/technical/api-index.sh +find contrib -type f | xargs chmod -x + + +%clean +rm -rf %{buildroot} + +%if %{use_systemd} +%post daemon +%systemd_post git@.service + +%preun daemon +%systemd_preun git@.service + +%postun daemon +%systemd_postun_with_restart git@.service +%endif + +%files -f bin-man-doc-files +%defattr(-,root,root) +%{_datadir}/git-core/ +%doc README COPYING Documentation/*.txt Documentation/RelNotes contrib/ +%{!?_without_docs: %doc Documentation/*.html Documentation/docbook-xsl.css} +%{!?_without_docs: %doc Documentation/howto Documentation/technical} +%{_sysconfdir}/bash_completion.d + +%files bzr +%defattr(-,root,root) +%{gitcoredir}/git-remote-bzr + +%files hg +%defattr(-,root,root) +%{gitcoredir}/git-remote-hg + +%files p4 +%defattr(-,root,root) +%{gitcoredir}/*p4* +%{gitcoredir}/mergetools/p4merge +%doc Documentation/*p4*.txt +%{!?_without_docs: %{_mandir}/man1/*p4*.1*} +%{!?_without_docs: %doc Documentation/*p4*.html } + +%files svn +%defattr(-,root,root) +%{gitcoredir}/*svn* +%doc Documentation/*svn*.txt +%{!?_without_docs: %{_mandir}/man1/*svn*.1*} +%{!?_without_docs: %doc Documentation/*svn*.html } + +%files cvs +%defattr(-,root,root) +%doc Documentation/*git-cvs*.txt +%{_bindir}/git-cvsserver +%{gitcoredir}/*cvs* +%{!?_without_docs: %{_mandir}/man1/*cvs*.1*} +%{!?_without_docs: %doc Documentation/*git-cvs*.html } + +%files email +%defattr(-,root,root) +%doc Documentation/*email*.txt +%{gitcoredir}/*email* +%{!?_without_docs: %{_mandir}/man1/*email*.1*} +%{!?_without_docs: %doc Documentation/*email*.html } + +%files gui +%defattr(-,root,root) +%{gitcoredir}/git-gui* +%{gitcoredir}/git-citool +%{_datadir}/applications/*git-gui.desktop +%{_datadir}/git-gui/ +%{!?_without_docs: %{_mandir}/man1/git-gui.1*} +%{!?_without_docs: %doc Documentation/git-gui.html} +%{!?_without_docs: %{_mandir}/man1/git-citool.1*} +%{!?_without_docs: %doc Documentation/git-citool.html} + +%files -n gitk +%defattr(-,root,root) +%doc Documentation/*gitk*.txt +%{_bindir}/*gitk* +%{_datadir}/gitk +%{!?_without_docs: %{_mandir}/man1/*gitk*.1*} +%{!?_without_docs: %doc Documentation/*gitk*.html } + +%files -n perl-Git -f perl-git-files +%defattr(-,root,root) +%exclude %{_mandir}/man3/*Git*SVN*.3pm* +%{!?_without_docs: %{_mandir}/man3/*Git*.3pm*} + +%files -n perl-Git-SVN -f perl-git-svn-files +%defattr(-,root,root) +%{!?_without_docs: %{_mandir}/man3/*Git*SVN*.3pm*} + +%files -n emacs-git +%defattr(-,root,root) +%doc contrib/emacs/README +%dir %{elispdir} +%{elispdir}/*.elc +%{_emacs_sitestartdir}/git-init.el + +%files -n emacs-git-el +%defattr(-,root,root) +%{elispdir}/*.el + +%files daemon +%defattr(-,root,root) +%doc Documentation/*daemon*.txt +%if %{use_systemd} +%{_unitdir}/git.socket +%{_unitdir}/git@.service +%else +%config(noreplace)%{_sysconfdir}/xinetd.d/git +%endif +%{gitcoredir}/git-daemon +%{_var}/lib/git +%{!?_without_docs: %{_mandir}/man1/*daemon*.1*} +%{!?_without_docs: %doc Documentation/*daemon*.html} + +%files -n gitweb +%defattr(-,root,root) +%doc gitweb/INSTALL gitweb/README +%config(noreplace)%{_sysconfdir}/gitweb.conf +%config(noreplace)%{_sysconfdir}/httpd/conf.d/git.conf +%{_var}/www/git/ + + +%files all +# No files for you! + +%changelog +* Wed Sep 13 2017 Petr Stodulka - 1.8.3.1-13 +- fall back to Basic auth if Negotiate fails + Resolves: #1490998 +- handle request-pull when multiple tags point to the same commit + Resolves: #1192146 + +* Fri Aug 11 2017 Petr Stodulka - 1.8.3.1-12 +- prevent command injection via malicious ssh URLs + Resolves: CVE-2017-1000117 + +* Wed May 17 2017 Petr Stodulka - 1.8.3.1-11 +- dissalow repo names beginning with dash + Resolves: CVE-2017-8386 + +* Wed Mar 29 2017 Petr Stodulka -1.8.3.1-10 +- do not put unsanitized branch names in $PS1 + Resolves: CVE-2014-9938 + +* Fri Feb 24 2017 Petr Stodulka -1.8.3.1-9 +- add control of GSSAPI credential delegation to enable HTTP(S)-SSO + authentication + Resolves: #1369173 + +* Sat Mar 19 2016 Petr Stodulka - 1.8.3.1-8 +- remove needles check of xmalloc from previous patch + Resolves: #1318255 + +* Fri Mar 18 2016 Petr Stodulka - 1.8.3.1-7 +- fix heap overflow CVE-2016-2315 CVE-2016-2324 + Resolves: #1318255 + +* Wed Oct 28 2015 Petr Stodulka - 1.8.3.1-6 +- fix arbitrary code execution via crafted URLs + Resolves: #1274737 + +* Fri Jun 19 2015 Petr Stodulka - 1.8.3.1-5 +- Rename the git.service into git@.service + Resolves #1135071 + +* Fri Jan 24 2014 Daniel Mach - 1.8.3.1-4 +- Mass rebuild 2014-01-24 + +* Fri Dec 27 2013 Daniel Mach - 1.8.3.1-3 +- Mass rebuild 2013-12-27 + +* Fri Jun 14 2013 Todd Zullinger - 1.8.3.1-1 +- Update to 1.8.3.1 +- Add bzr and hg subpackages, thanks to Michael Scherer (#974800) + +* Mon May 13 2013 Jon Ciesla - 1.8.2.1-4 +- Fix typo introduced in 1.8.2-3, fixed desktop tag. + +* Wed May 1 2013 Tom Callaway - 1.8.2.1-3 +- conditionalize systemd vs xinetd +- cleanup systemd handling (it was not quite right in -2) + +* Tue Apr 30 2013 Tom Callaway - 1.8.2.1-2 +- switch to systemd instead of xinetd (bz 737183) + +* Sun Apr 14 2013 Todd Zullinger - 1.8.2.1-1 +- Update to 1.8.2.1 +- Exclude optional perl(YAML::Any) dependency on EL-5 + +* Wed Apr 10 2013 Jon Ciesla - 1.8.2-3 +- Drop desktop vendor tag for >= f19. + +* Wed Mar 27 2013 Todd Zullinger - 1.8.2-2 +- Require perl(Term::ReadKey) for git add --interactive (#928328) +- Drop DESTDIR from python instlibdir +- Fix bogus changelog dates + +* Tue Mar 19 2013 Adam Tkac - 1.8.2-1 +- update to 1.8.2 +- 0001-DESTDIR-support-in-contrib-subtree-Makefile.patch has been merged + +* Tue Feb 26 2013 Todd Zullinger - 1.8.1.4-2 +- Update asciidoc requirements, drop unsupported ASCIIDOC7 +- Define GNU_ROFF to force ASCII apostrophes in manpages (so copy/paste works) +- Install tcsh completion (requires manual setup by users) +- Clean up dist conditionals, don't pretend to support EL-4 builds +- Use prebuilt documentation on EL-5, where asciidoc is too old +- Respect gitexecdir variable in git-subtree install + +* Wed Feb 20 2013 Adam Tkac - 1.8.1.4-1 +- update to 1.8.1.4 + +* Wed Jan 30 2013 Adam Tkac - 1.8.1.2-1 +- update to 1.8.1.2 +- own directories which should be owned (#902517) + +* Thu Jan 03 2013 Adam Tkac - 1.8.1-1 +- update to 1.8.1 +- build git-svn as arch subpkg due to new git-remote-testsvn binary + +* Tue Dec 11 2012 Adam Tkac - 1.8.0.2-1 +- update to 1.8.0.2 + +* Thu Dec 06 2012 Adam Tkac - 1.8.0.1-2 +- don't install some unneeded credential-gnome-keyring stuff + +* Thu Nov 29 2012 Adam Tkac - 1.8.0.1-1 +- update to 1.8.0.1 +- include git-subtree in git rpm (#864651) + +* Mon Oct 29 2012 Adam Tkac - 1.8.0-1 +- update to 1.8.0 +- include git-credential-gnome-keyring helper in git pkg +- 0001-cvsimport-strip-all-inappropriate-tag-strings.patch was merged + +* Thu Oct 25 2012 Adam Tkac - 1.7.12.1-2 +- move git-prompt.sh into usr/share/git-core/contrib/completion (#854061) + +* Thu Sep 27 2012 Adam Tkac - 1.7.12.1-1 +- update to 1.7.12.1 +- cvsimport should skip more characters (#850640) + +* Thu Aug 23 2012 Todd Zullinger - 1.7.12-2 +- Install git-prompt.sh which provides __git_ps1() + +* Wed Aug 22 2012 Adam Tkac - 1.7.12-1 +- update to 1.7.12 + +* Wed Aug 15 2012 Todd Zullinger - 1.7.11.5-1 +- Update to 1.7.11.5 +- Add git-p4 subpackage (#844008) + +* Tue Aug 07 2012 Adam Tkac - 1.7.11.4-1 +- update to 1.7.11.4 + +* Fri Jul 27 2012 Fedora Release Engineering - 1.7.11.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Wed Jul 25 2012 Todd Zullinger - 1.7.11.2-2 +- Split perl(Git::SVN) into its own package (#843182) + +* Mon Jul 16 2012 Adam Tkac - 1.7.11.2-1 +- update to 1.7.11.2 + +* Thu Jun 28 2012 Petr Pisar - 1.7.10.4-2 +- Perl 5.16 rebuild + +* Fri Jun 15 2012 Adam Tkac - 1.7.10.4-1 +- update to 1.7.10.4 + +* Thu Jun 07 2012 Petr Pisar - 1.7.10.2-2 +- Perl 5.16 rebuild + +* Mon May 14 2012 Adam Tkac - 1.7.10.2-1 +- update to 1.7.10.2 + +* Thu May 03 2012 Adam Tkac - 1.7.10.1-1 +- update to 1.7.10.1 + +* Tue Apr 10 2012 Adam Tkac - 1.7.10-1 +- update to 1.7.10 + +* Fri Mar 30 2012 Adam Tkac - 1.7.9.5-1 +- update to 1.7.9.5 + +* Thu Mar 08 2012 Adam Tkac - 1.7.9.3-1 +- update to 1.7.9.3 + +* Wed Feb 15 2012 Todd Zullinger - 1.7.9.1-1 +- Update to 1.7.9.1 +- Fix EPEL builds (rpm doesn't accept mutiple -f options in %files) + +* Fri Feb 10 2012 Petr Pisar - 1.7.9-2 +- Rebuild against PCRE 8.30 + +* Mon Jan 30 2012 Adam Tkac - 1.7.9-1 +- update to 1.7.9 + +* Thu Jan 19 2012 Adam Tkac - 1.7.8.4-1 +- update to 1.7.8.4 + +* Thu Jan 12 2012 Adam Tkac - 1.7.8.3-1 +- update to 1.7.8.3 + +* Mon Jan 02 2012 Adam Tkac - 1.7.8.2-1 +- update to 1.7.8.2 + +* Fri Dec 23 2011 Adam Tkac - 1.7.8.1-1 +- update to 1.7.8.1 + +* Wed Dec 07 2011 Adam Tkac - 1.7.8-1 +- update to 1.7.8 + +* Tue Nov 29 2011 Adam Tkac - 1.7.7.4-1 +- update to 1.7.7.4 + +* Thu Nov 10 2011 Adam Tkac - 1.7.7.3-1 +- update to 1.7.7.3 + +* Mon Nov 07 2011 Adam Tkac - 1.7.7.2-1 +- update to 1.7.7.2 + +* Tue Nov 01 2011 Adam Tkac - 1.7.7.1-1 +- update to 1.7.7.1 + +* Wed Oct 26 2011 Fedora Release Engineering - 1.7.7-2 +- Rebuilt for glibc bug#747377 + +* Thu Oct 20 2011 Adam Tkac - 1.7.7-1 +- update to 1.7.7 + - git-1.6-update-contrib-hooks-path.patch is no longer needed + +* Mon Sep 26 2011 Adam Tkac - 1.7.6.4-1 +- update to 1.7.6.4 + +* Wed Sep 07 2011 Todd Zullinger - 1.7.6.2-1 +- Update to 1.7.6.2 +- Fixes incompatibility caused by git push --quiet fix + http://thread.gmane.org/gmane.comp.version-control.git/180652 + +* Mon Aug 29 2011 Todd Zullinger - 1.7.6.1-2 +- Build with PCRE support (#734269) + +* Fri Aug 26 2011 Todd Zullinger - 1.7.6.1-1 +- Update to 1.7.6.1 +- Include gpg signature for tarball in SRPM + +* Fri Aug 05 2011 Todd Zullinger - 1.7.6-5 +- Fix git push --quiet, thanks to Clemens Buchacher (#725593) +- Obsolete git-arch as needed + +* Tue Jul 26 2011 Todd Zullinger - 1.7.6-4 +- Drop git-arch on fedora >= 16, the tla package has been retired +- Rework most spec file dist conditionals to make future changes easier + +* Thu Jul 21 2011 Petr Sabata - 1.7.6-3 +- Perl mass rebuild + +* Wed Jul 20 2011 Petr Sabata - 1.7.6-2 +- Perl mass rebuild + +* Wed Jun 29 2011 Adam Tkac - 1.7.6-1 +- update to 1.7.6 + +* Mon Jun 20 2011 Marcela Mašláňová - 1.7.5.4-2 +- Perl mass rebuild + +* Thu Jun 09 2011 Adam Tkac - 1.7.5.4-1 +- update to 1.7.5.4 + +* Tue May 24 2011 Adam Tkac - 1.7.5.2-1 +- update to 1.7.5.2 + +* Thu May 05 2011 Adam Tkac - 1.7.5.1-1 +- update to 1.7.5.1 + +* Wed Apr 27 2011 Adam Tkac - 1.7.5-1 +- update to 1.7.5 + +* Mon Apr 11 2011 Adam Tkac - 1.7.4.4-1 +- update to 1.7.4.4 + +* Mon Mar 28 2011 Adam Tkac - 1.7.4.2-1 +- update to 1.7.4.2 +- move man3/Git.3pm file to perl-Git subpkg (#664889) +- add perl-DBD-SQLite dependency to git-cvs (#602410) + +* Sun Feb 13 2011 Todd Zullinger - 1.7.4.1-1 +- Update to 1.7.4.1 +- Clean up documentation settings (the defaults changed in 1.7.4) +- Improve EL-5 compatibility, thanks to Kevin Fenzi for emacs testing + +* Tue Feb 08 2011 Fedora Release Engineering - 1.7.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Mon Jan 31 2011 Adam Tkac - 1.7.4-1 +- update to 1.7.4 + +* Wed Jan 19 2011 Adam Tkac - 1.7.3.5-1 +- update to 1.7.3.5 + +* Thu Dec 16 2010 Adam Tkac - 1.7.3.4-1 +- update to 1.7.3.4 + +* Mon Dec 06 2010 Adam Tkac - 1.7.3.3-1 +- update to 1.7.3.3 + +* Fri Oct 22 2010 Adam Tkac - 1.7.3.2-1 +- update to 1.7.3.2 + +* Thu Sep 30 2010 Adam Tkac - 1.7.3.1-1 +- update to 1.7.3.1 + +* Wed Sep 29 2010 jkeating - 1.7.3-3 +- Rebuilt for gcc bug 634757 + +* Mon Sep 20 2010 Todd Zullinger - 1.7.3-2 +- Ensure the release notes are included in %%doc + +* Sun Sep 19 2010 Todd Zullinger - 1.7.3-1 +- Update to 1.7.3 + +* Tue Sep 07 2010 Adam Tkac - 1.7.2.3-1 +- update to 1.7.2.3 + +* Fri Aug 20 2010 Adam Tkac - 1.7.2.2-1 +- update to 1.7.2.2 + +* Fri Jul 30 2010 Thomas Spura - 1.7.2.1-2 +- cherry-pick: "Do not unquote + into ' ' in URLs" + +* Thu Jul 29 2010 Todd Zullinger - 1.7.2.1-1 +- Update to git-1.7.2.1 + +* Thu Jul 22 2010 Adam Tkac - 1.7.2-1 +- update to 1.7.2 + +* Fri Jul 02 2010 Adam Tkac - 1.7.1.1-1 +- update to 1.7.1.1 + +* Fri Jun 25 2010 Adam Tkac - 1.7.1-2 +- rebuild against new perl + +* Tue May 04 2010 Todd Zullinger - 1.7.1-1 +- git-1.7.1 +- Fix conditionals for EL-6 +- Comply with Emacs add-on packaging guidelines (#573423), Jonathan Underwood + - Place elisp source files in separate emacs-git-el package + - Place git support files in own directory under site-lisp + - Use Emacs packaging macros + +* Thu Apr 29 2010 Marcela Maslanova - 1.7.0.1-2 +- Mass rebuild with perl-5.12.0 + +* Mon Mar 01 2010 Todd Zullinger - 1.7.0.1-1 +- git-1.7.0.1 + +* Sat Feb 13 2010 Todd Zullinger - 1.7.0-1 +- git-1.7.0 +- Link imap-send with libcrypto (#565147) +- Disable building of unused python remote helper libs + +* Tue Jan 26 2010 Todd Zullinger - 1.6.6.1-1 +- git-1.6.6.1 +- Use %%{gitcoredir}/git-daemon as xinetd server option, for SELinux (#529682) +- Make %%{_var}/lib/git the default gitweb projectroot (#556299) +- Include gitweb/INSTALL file as documentation, the gitweb README refers to it +- Ship a short example gitweb config file (%%{_sysconfdir}/gitweb.conf) +- Remove long fixed xinetd IPv6 workaround on Fedora (#557528) +- Install missing gitweb.js (#558740) + +* Wed Dec 23 2009 Todd Zullinger - 1.6.6-1 +- git-1.6.6 + +* Fri Dec 11 2009 Todd Zullinger - 1.6.5.6-1 +- git-1.6.5.6 + +* Sun Dec 06 2009 Todd Zullinger - 1.6.5.5-1 +- git-1.6.5.5 + +* Fri Dec 4 2009 Stepan Kasal - 1.6.5.3-2 +- rebuild against perl 5.10.1 + +* Sat Nov 21 2009 Todd Zullinger - 1.6.5.3-1 +- git-1.6.5.3 +- Only BR perl(Error) on Fedora and RHEL >= 5 +- Use config.mak to set build options +- Improve compatibility with EPEL +- Replace $RPM_BUILD_ROOT with %%{buildroot} +- Fix Obsoletes for those rebuilding on EL-4 + +* Mon Oct 26 2009 Todd Zullinger - 1.6.5.2-1 +- git-1.6.5.2 +- Drop asciidoc --unsafe option, it should not be needed anymore +- Don't use install -t/-T, they're not compatible with older coreutils +- Don't use -perm /a+x with find, it's incompatible with older findutils + +* Sat Oct 17 2009 Todd Zullinger - 1.6.5.1-1 +- git-1.6.5.1 + +* Sun Oct 11 2009 Todd Zullinger - 1.6.5-1 +- git-1.6.5 + +* Mon Sep 28 2009 Todd Zullinger - 1.6.5-0.2.rc2 +- git-1.6.5.rc2 +- Enable Linus' block-sha1 implementation + +* Wed Sep 16 2009 Todd Zullinger - 1.6.4.4-1 +- git-1.6.4.4 + +* Sun Sep 13 2009 Todd Zullinger - 1.6.4.3-1 +- git-1.6.4.3 + +* Sun Aug 30 2009 Todd Zullinger - 1.6.4.2-1 +- git-1.6.4.2 + +* Sat Aug 22 2009 Todd Zullinger - 1.6.4.1-1 +- git-1.6.4.1 + +* Fri Aug 21 2009 Tomas Mraz - 1.6.4-2 +- rebuilt with new openssl + +* Wed Jul 29 2009 Todd Zullinger - 1.6.4-1 +- git-1.6.4 + +* Fri Jul 24 2009 Fedora Release Engineering - 1.6.3.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Sun Jun 28 2009 Todd Zullinger - 1.6.3.3-1 +- git-1.6.3.3 +- Move contributed hooks to %%{_datadir}/git-core/contrib/hooks (bug 500137) +- Fix rpmlint warnings about Summary and git-mergetool--lib missing shebang + +* Fri Jun 19 2009 Todd Zullinger - 1.6.3.2-3 +- Temporarily disable asciidoc's safe mode until bug 506953 is fixed + +* Fri Jun 19 2009 Todd Zullinger - 1.6.3.2-2 +- Fix git-daemon hang on invalid input (CVE-2009-2108, bug 505761) + +* Fri Jun 05 2009 Todd Zullinger - 1.6.3.2-1 +- git-1.6.3.2 +- Require emacs >= 22.2 for emacs support (bug 495312) +- Add a .desktop file for git-gui (bug 498801) +- Set ASCIIDOC8 and ASCIIDOC_NO_ROFF to correct documentation issues, + the sed hack to fix bug 485161 should no longer be needed +- Escape newline in git-daemon xinetd description (bug 502393) +- Add xinetd to git-daemon Requires (bug 504105) +- Organize BuildRequires/Requires, drop redundant expat Requires +- Only build noarch subpackages on Fedora >= 10 +- Only build emacs and arch subpackages on Fedora +- Handle curl/libcurl naming for EPEL and Fedora + +* Fri Apr 03 2009 Todd Zullinger - 1.6.2.2-1 +- git-1.6.2.2 +- Include contrib/ dir in %%doc (bug 492490) +- Don't set DOCBOOK_XSL_172, fix the '\&.ft' with sed (bug 485161) +- Ignore Branches output from cvsps-2.2b1 (bug 490602) +- Remove shebang from bash-completion script +- Include README in gitweb subpackage + +* Mon Mar 09 2009 Todd Zullinger - 1.6.2-1 +- git-1.6.2 +- Include contrib/emacs/README in emacs subpackage +- Drop upstreamed git-web--browse patch + +* Tue Feb 24 2009 Todd Zullinger - 1.6.1.3-2 +- Require perl(Authen::SASL) in git-email (bug 483062) +- Build many of the subpackages as noarch +- Update URL field + +* Mon Feb 09 2009 Todd Zullinger 1.6.1.3-1 +- git-1.6.1.3 +- Set htmldir so "git help -w " works +- Patch git-web--browse to not use "/sbin/start" to browse +- Include git-daemon documentation in the git-daemon package + +* Thu Jan 29 2009 Josh Boyer 1.6.1.2-1 +- git-1.6.1.2 + +* Mon Jan 26 2009 Todd Zullinger 1.6.1.1-1 +- git-1.6.1.1 +- Make compile more verbose + +* Fri Jan 16 2009 Tomas Mraz 1.6.1-2 +- rebuild with new openssl + +* Sat Jan 03 2009 Todd Zullinger 1.6.1-1 +- Install git-* commands in %%{_libexecdir}/git-core, the upstream default +- Remove libcurl from Requires, rpm will pick this up automatically +- Consolidate build/install options in %%make_git (Roland McGrath) +- Include DirectoryIndex in gitweb httpd-config (bug 471692) +- Define DOCBOOK_XSL_172 to fix minor manpage issues +- Rename %%{_var}/lib/git-daemon to %%{_var}/lib/git +- Preserve timestamps on installed files +- Quiet some rpmlint complaints +- Use macros more consistently + +* Sat Dec 20 2008 Todd Zullinger 1.6.0.6-1 +- git-1.6.0.6 +- Fixes a local privilege escalation bug in gitweb + (http://article.gmane.org/gmane.comp.version-control.git/103624) +- Add gitk Requires to git-gui (bug 476308) + +* Thu Dec 11 2008 Josh Boyer 1.6.0.5-1 +- git-1.6.0.5 + +* Mon Nov 17 2008 Seth Vidal +- switch from /srv/git to /var/lib/git-daemon for packaging rules compliance + +* Fri Nov 14 2008 Josh Boyer 1.6.0.4-1 +- git-1.6.0.4 + +* Wed Oct 22 2008 Josh Boyer 1.6.0.3-1 +- git-1.6.0.3 +- Drop curl requirement in favor of libcurl (bug 449388) +- Add requires for SMTP-SSL perl module to make git-send-email work (bug 443615) + +* Thu Aug 28 2008 James Bowes 1.6.0.1-1 +- git-1.6.0.1 + +* Thu Jul 24 2008 James Bowes 1.5.6-4 +- git-1.5.6.4 + +* Thu Jun 19 2008 James Bowes 1.5.6-1 +- git-1.5.6 + +* Tue Jun 3 2008 Stepan Kasal 1.5.5.3-2 +- use tar.bz2 instead of tar.gz + +* Wed May 28 2008 James Bowes 1.5.5.3-1 +- git-1.5.5.3 + +* Mon May 26 2008 James Bowes 1.5.5.2-1 +- git-1.5.5.2 + +* Mon Apr 21 2008 James Bowes 1.5.5.1-1 +- git-1.5.5.1 + +* Wed Apr 09 2008 James Bowes 1.5.5-1 +- git-1.5.5 + +* Fri Apr 04 2008 James Bowes 1.5.4.5-3 +- Remove the last two requires on git-core. + +* Wed Apr 02 2008 James Bowes 1.5.4.5-2 +- Remove a patch that's already upstream. + +* Fri Mar 28 2008 James Bowes 1.5.4.5-1 +- git-1.5.4.5 + +* Wed Mar 26 2008 James Bowes 1.5.4.4-4 +- Own /etc/bash_completion.d in case bash-completion isn't installed. + +* Tue Mar 25 2008 James Bowes 1.5.4.4-3 +- Include the sample hooks from contrib/hooks as docs (bug 321151). +- Install the bash completion script from contrib (bug 433255). +- Include the html docs in the 'core' package again (bug 434271). + +* Wed Mar 19 2008 James Bowes 1.5.4.4-2 +- Obsolete git <= 1.5.4.3, to catch going from F8 to rawhide/F9 + +* Thu Mar 13 2008 James Bowes 1.5.4.4-1 +- git-1.5.4.4 + +* Mon Mar 3 2008 Tom "spot" Callaway 1.5.4.3-3 +- rebuild for new perl (again) + +* Sun Feb 24 2008 Bernardo Innocenti 1.5.4.3-2 +- Do not silently overwrite /etc/httpd/conf.d/git.conf + +* Sat Feb 23 2008 James Bowes 1.5.4.3-1 +- git-1.5.4.3 +- Include Kristian Høgsberg's changes to rename git-core to + git and git to git-all. + +* Sun Feb 17 2008 James Bowes 1.5.4.2-1 +- git-1.5.4.2 + +* Mon Feb 11 2008 Jeremy Katz - 1.5.4.1-2 +- Add upstream patch (e62a641de17b172ffc4d3a803085c8afbfbec3d1) to have + gitweb rss feeds point be commitdiffs instead of commit + +* Sun Feb 10 2008 James Bowes 1.5.4.1-1 +- git-1.5.4.1 + +* Tue Feb 05 2008 Tom "spot" Callaway 1.5.4-3 +- rebuild for new perl + +* Sun Feb 03 2008 James Bowes 1.5.4-1 +- Add BuidRequires on gettext. + +* Sat Feb 02 2008 James Bowes 1.5.4-1 +- git-1.5.4 + +* Tue Jan 08 2008 James Bowes 1.5.3.8-1 +- git-1.5.3.8 + +* Fri Dec 21 2007 James Bowes 1.5.3.7-2 +- Have git metapackage require explicit versions (bug 247214) + +* Mon Dec 03 2007 Josh Boyer 1.5.3.7-1 +- git-1.5.3.7 + +* Tue Nov 27 2007 Josh Boyer 1.5.3.6-1 +- git-1.5.3.6 +- git-core requires perl(Error) (bug 367861) +- git-svn requires perl(Term:ReadKey) (bug 261361) +- git-email requires perl-Git (bug 333061) + +* Wed Oct 24 2007 Lubomir Kundrak 1.5.3.4-2 +- git-Perl requires Error package + +* Tue Oct 09 2007 James Bowes 1.5.3.4-1 +- git-1.5.3.4 + +* Sun Sep 30 2007 James Bowes 1.5.3.3-1 +- git-1.5.3.3 + +* Wed Sep 26 2007 James Bowes 1.5.3.2-1 +- git-1.5.3.2 + +* Thu Sep 06 2007 Josh Boyer 1.5.3.1-2 +- Include git-gui and git-citool docs + +* Thu Sep 06 2007 Josh Boyer 1.5.3.1-1 +- git-1.5.3.1-1 + +* Thu Aug 23 2007 James Bowes 1.5.2.5-1 +- git-1.5.2.5-1 + +* Fri Aug 03 2007 Josh Boyer 1.5.2.4-1 +- git-1.5.2.4-1 + +* Tue Jul 03 2007 Josh Boyer 1.5.2.2-3 +- Add git-daemon and gitweb packages + +* Thu Jun 21 2007 Josh Boyer 1.5.2.2-2 +- Add emacs-git package (#235431) + +* Mon Jun 18 2007 James Bowes 1.5.2.2-1 +- git-1.5.2.2 + +* Fri Jun 08 2007 James Bowes 1.5.2.1-1 +- git-1.5.2.1 + +* Sun May 13 2007 Quy Tonthat +- Added lib files for git-gui +- Added Documentation/technical (As needed by Git Users Manual) + +* Tue May 8 2007 Quy Tonthat +- Added howto files + +* Fri Mar 30 2007 Chris Wright 1.5.0.6-1 +- git-1.5.0.6 + +* Mon Mar 19 2007 Chris Wright 1.5.0.5-1 +- git-1.5.0.5 + +* Tue Mar 13 2007 Chris Wright 1.5.0.3-1 +- git-1.5.0.3 + +* Fri Mar 2 2007 Chris Wright 1.5.0.2-2 +- BuildRequires perl-devel as of perl-5.8.8-14 (bz 230680) + +* Mon Feb 26 2007 Chris Wright 1.5.0.2-1 +- git-1.5.0.2 + +* Tue Feb 13 2007 Nicolas Pitre +- Update core package description (Git isn't as stupid as it used to be) + +* Mon Feb 12 2007 Junio C Hamano +- Add git-gui and git-citool. + +* Sun Dec 10 2006 Chris Wright 1.4.4.2-2 +- no need to install manpages executable (bz 216790) +- use bytes for git-cvsserver + +* Sun Dec 10 2006 Chris Wright 1.4.4.2-1 +- git-1.4.4.2 + +* Mon Nov 6 2006 Jindrich Novy 1.4.2.4-2 +- rebuild against the new curl + +* Tue Oct 17 2006 Chris Wright 1.4.2.4-1 +- git-1.4.2.4 + +* Wed Oct 4 2006 Chris Wright 1.4.2.3-1 +- git-1.4.2.3 + +* Fri Sep 22 2006 Chris Wright 1.4.2.1-1 +- git-1.4.2.1 + +* Mon Sep 11 2006 Chris Wright 1.4.2-1 +- git-1.4.2 + +* Thu Jul 6 2006 Chris Wright 1.4.1-1 +- git-1.4.1 + +* Tue Jun 13 2006 Chris Wright 1.4.0-1 +- git-1.4.0 + +* Thu May 4 2006 Chris Wright 1.3.3-1 +- git-1.3.3 +- enable git-email building, prereqs have been relaxed + +* Thu May 4 2006 Chris Wright 1.3.2-1 +- git-1.3.2 + +* Fri Apr 28 2006 Chris Wright 1.3.1-1 +- git-1.3.1 + +* Wed Apr 19 2006 Chris Wright 1.3.0-1 +- git-1.3.0 + +* Mon Apr 10 2006 Chris Wright 1.2.6-1 +- git-1.2.6 + +* Wed Apr 5 2006 Chris Wright 1.2.5-1 +- git-1.2.5 + +* Wed Mar 1 2006 Chris Wright 1.2.4-1 +- git-1.2.4 + +* Wed Feb 22 2006 Chris Wright 1.2.3-1 +- git-1.2.3 + +* Tue Feb 21 2006 Chris Wright 1.2.2-1 +- git-1.2.2 + +* Thu Feb 16 2006 Chris Wright 1.2.1-1 +- git-1.2.1 + +* Mon Feb 13 2006 Chris Wright 1.2.0-1 +- git-1.2.0 + +* Wed Feb 1 2006 Chris Wright 1.1.6-1 +- git-1.1.6 + +* Tue Jan 24 2006 Chris Wright 1.1.4-1 +- git-1.1.4 + +* Sun Jan 15 2006 Chris Wright 1.1.2-1 +- git-1.1.2 + +* Tue Jan 10 2006 Chris Wright 1.1.1-1 +- git-1.1.1 + +* Tue Jan 10 2006 Chris Wright 1.1.0-1 +- Update to latest git-1.1.0 (drop git-email for now) +- Now creates multiple packages: +- git-core, git-svn, git-cvs, git-arch, gitk + +* Mon Nov 14 2005 H. Peter Anvin 0.99.9j-1 +- Change subpackage names to git- instead of git-core- +- Create empty root package which brings in all subpackages +- Rename git-tk -> gitk + +* Thu Nov 10 2005 Chris Wright 0.99.9g-1 +- zlib dependency fix +- Minor cleanups from split +- Move arch import to separate package as well + +* Tue Sep 27 2005 Jim Radford +- Move programs with non-standard dependencies (svn, cvs, email) + into separate packages + +* Tue Sep 27 2005 H. Peter Anvin +- parallelize build +- COPTS -> CFLAGS + +* Fri Sep 16 2005 Chris Wright 0.99.6-1 +- update to 0.99.6 + +* Fri Sep 16 2005 Horst H. von Brand +- Linus noticed that less is required, added to the dependencies + +* Sun Sep 11 2005 Horst H. von Brand +- Updated dependencies +- Don't assume manpages are gzipped + +* Thu Aug 18 2005 Chris Wright 0.99.4-4 +- drop sh_utils, sh-utils, diffutils, mktemp, and openssl Requires +- use RPM_OPT_FLAGS in spec file, drop patch0 + +* Wed Aug 17 2005 Tom "spot" Callaway 0.99.4-3 +- use dist tag to differentiate between branches +- use rpm optflags by default (patch0) +- own %%{_datadir}/git-core/ + +* Mon Aug 15 2005 Chris Wright +- update spec file to fix Buildroot, Requires, and drop Vendor + +* Sun Aug 07 2005 Horst H. von Brand +- Redid the description +- Cut overlong make line, loosened changelog a bit +- I think Junio (or perhaps OSDL?) should be vendor... + +* Thu Jul 14 2005 Eric Biederman +- Add the man pages, and the --without docs build option + +* Thu Jul 7 2005 Chris Wright +- initial git spec file