update to 2.36.0

Release notes: https://github.com/git/git/raw/v2.36.0/Documentation/RelNotes/2.36.0.txt
2022-04-18 14:11:02 -04:00 · 2022-04-18 14:11:02 -04:00 · dbec023603
commit dbec023603
parent 59a5ed4cff
5 changed files with 7 additions and 217 deletions
--- a/0001-t0033-add-tests-for-safe.directory.patch
+++ b/0001-t0033-add-tests-for-safe.directory.patch
@ -1,72 +0,0 @@
-From e47363e5a8bdf5144059d664c45c0975243ef05b Mon Sep 17 00:00:00 2001
-From: Derrick Stolee <derrickstolee@github.com>
-Date: Wed, 13 Apr 2022 15:32:29 +0000
-Subject: [PATCH 1/3] t0033: add tests for safe.directory
-
-It is difficult to change the ownership on a directory in our test
-suite, so insert a new GIT_TEST_ASSUME_DIFFERENT_OWNER environment
-variable to trick Git into thinking we are in a differently-owned
-directory. This allows us to test that the config is parsed correctly.
-
-Signed-off-by: Derrick Stolee <derrickstolee@github.com>
-Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
- setup.c                   |  3 ++-
- t/t0033-safe-directory.sh | 34 ++++++++++++++++++++++++++++++++++
- 2 files changed, 36 insertions(+), 1 deletion(-)
- create mode 100755 t/t0033-safe-directory.sh
-
-diff --git a/setup.c b/setup.c
-index 95d5b00940..3c6ed17af9 100644
--- a/setup.c
-+++ b/setup.c
-@@ -1053,7 +1053,8 @@ static int ensure_valid_ownership(const char *path)
- {
- 	struct safe_directory_data data = { .path = path };
- 
-	if (is_path_owned_by_current_user(path))
-+	if (!git_env_bool("GIT_TEST_ASSUME_DIFFERENT_OWNER", 0) &&
-+	    is_path_owned_by_current_user(path))
- 		return 1;
- 
- 	read_very_early_config(safe_directory_cb, &data);
-diff --git a/t/t0033-safe-directory.sh b/t/t0033-safe-directory.sh
-new file mode 100755
-index 0000000000..9380ff3d01
--- /dev/null
-+++ b/t/t0033-safe-directory.sh
-@@ -0,0 +1,34 @@
-+#!/bin/sh
-+
-+test_description='verify safe.directory checks'
-+
-+. ./test-lib.sh
-+
-+GIT_TEST_ASSUME_DIFFERENT_OWNER=1
-+export GIT_TEST_ASSUME_DIFFERENT_OWNER
-+
-+expect_rejected_dir () {
-+	test_must_fail git status 2>err &&
-+	grep "safe.directory" err
-+}
-+
-+test_expect_success 'safe.directory is not set' '
-+	expect_rejected_dir
-+'
-+
-+test_expect_success 'safe.directory does not match' '
-+	git config --global safe.directory bogus &&
-+	expect_rejected_dir
-+'
-+
-+test_expect_success 'safe.directory matches' '
-+	git config --global --add safe.directory "$(pwd)" &&
-+	git status
-+'
-+
-+test_expect_success 'safe.directory matches, but is reset' '
-+	git config --global --add safe.directory "" &&
-+	expect_rejected_dir
-+'
-+
-+test_done
--- a/0002-setup-fix-safe.directory-key-not-being-checked.patch
+++ b/0002-setup-fix-safe.directory-key-not-being-checked.patch
@ -1,48 +0,0 @@
-From bb50ec3cc300eeff3aba7a2bea145aabdb477d31 Mon Sep 17 00:00:00 2001
-From: Matheus Valadares <me@m28.io>
-Date: Wed, 13 Apr 2022 15:32:30 +0000
-Subject: [PATCH 2/3] setup: fix safe.directory key not being checked
-
-It seems that nothing is ever checking to make sure the safe directories
-in the configs actually have the key safe.directory, so some unrelated
-config that has a value with a certain directory would also make it a
-safe directory.
-
-Signed-off-by: Matheus Valadares <me@m28.io>
-Signed-off-by: Derrick Stolee <derrickstolee@github.com>
-Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
- setup.c                   | 3 +++
- t/t0033-safe-directory.sh | 5 +++++
- 2 files changed, 8 insertions(+)
-
-diff --git a/setup.c b/setup.c
-index 3c6ed17af9..4b9f073617 100644
--- a/setup.c
-+++ b/setup.c
-@@ -1034,6 +1034,9 @@ static int safe_directory_cb(const char *key, const char *value, void *d)
- {
- 	struct safe_directory_data *data = d;
- 
-+	if (strcmp(key, "safe.directory"))
-+		return 0;
-+
- 	if (!value || !*value)
- 		data->is_safe = 0;
- 	else {
-diff --git a/t/t0033-safe-directory.sh b/t/t0033-safe-directory.sh
-index 9380ff3d01..6f33c0dfef 100755
--- a/t/t0033-safe-directory.sh
-+++ b/t/t0033-safe-directory.sh
-@@ -21,6 +21,11 @@ test_expect_success 'safe.directory does not match' '
- 	expect_rejected_dir
- '
- 
-+test_expect_success 'path exist as different key' '
-+	git config --global foo.bar "$(pwd)" &&
-+	expect_rejected_dir
-+'
-+
- test_expect_success 'safe.directory matches' '
- 	git config --global --add safe.directory "$(pwd)" &&
- 	git status
--- a/0003-setup-opt-out-of-check-with-safe.directory.patch
+++ b/0003-setup-opt-out-of-check-with-safe.directory.patch
@ -1,88 +0,0 @@
-From 0f85c4a30b072a26d74af8bbf63cc8f6a5dfc1b8 Mon Sep 17 00:00:00 2001
-From: Derrick Stolee <derrickstolee@github.com>
-Date: Wed, 13 Apr 2022 15:32:31 +0000
-Subject: [PATCH 3/3] setup: opt-out of check with safe.directory=*
-
-With the addition of the safe.directory in 8959555ce
-(setup_git_directory(): add an owner check for the top-level directory,
-2022-03-02) released in v2.35.2, we are receiving feedback from a
-variety of users about the feature.
-
-Some users have a very large list of shared repositories and find it
-cumbersome to add this config for every one of them.
-
-In a more difficult case, certain workflows involve running Git commands
-within containers. The container boundary prevents any global or system
-config from communicating `safe.directory` values from the host into the
-container. Further, the container almost always runs as a different user
-than the owner of the directory in the host.
-
-To simplify the reactions necessary for these users, extend the
-definition of the safe.directory config value to include a possible '*'
-value. This value implies that all directories are safe, providing a
-single setting to opt-out of this protection.
-
-Note that an empty assignment of safe.directory clears all previous
-values, and this is already the case with the "if (!value || !*value)"
-condition.
-
-Signed-off-by: Derrick Stolee <derrickstolee@github.com>
-Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
- Documentation/config/safe.txt |  7 +++++++
- setup.c                       |  6 ++++--
- t/t0033-safe-directory.sh     | 10 ++++++++++
- 3 files changed, 21 insertions(+), 2 deletions(-)
-
-diff --git a/Documentation/config/safe.txt b/Documentation/config/safe.txt
-index 63597b2df8..6d764fe0cc 100644
--- a/Documentation/config/safe.txt
-+++ b/Documentation/config/safe.txt
-@@ -19,3 +19,10 @@ line option `-c safe.directory=<path>`.
- The value of this setting is interpolated, i.e. `~/<path>` expands to a
- path relative to the home directory and `%(prefix)/<path>` expands to a
- path relative to Git's (runtime) prefix.
-++
-+To completely opt-out of this security check, set `safe.directory` to the
-+string `*`. This will allow all repositories to be treated as if their
-+directory was listed in the `safe.directory` list. If `safe.directory=*`
-+is set in system config and you want to re-enable this protection, then
-+initialize your list with an empty value before listing the repositories
-+that you deem safe.
-diff --git a/setup.c b/setup.c
-index 4b9f073617..aad9ace0af 100644
--- a/setup.c
-+++ b/setup.c
-@@ -1037,9 +1037,11 @@ static int safe_directory_cb(const char *key, const char *value, void *d)
- 	if (strcmp(key, "safe.directory"))
- 		return 0;
- 
-	if (!value || !*value)
-+	if (!value || !*value) {
- 		data->is_safe = 0;
-	else {
-+	} else if (!strcmp(value, "*")) {
-+		data->is_safe = 1;
-+	} else {
- 		const char *interpolated = NULL;
- 
- 		if (!git_config_pathname(&interpolated, key, value) &&
-diff --git a/t/t0033-safe-directory.sh b/t/t0033-safe-directory.sh
-index 6f33c0dfef..239d93f4d2 100755
--- a/t/t0033-safe-directory.sh
-+++ b/t/t0033-safe-directory.sh
-@@ -36,4 +36,14 @@ test_expect_success 'safe.directory matches, but is reset' '
- 	expect_rejected_dir
- '
- 
-+test_expect_success 'safe.directory=*' '
-+	git config --global --add safe.directory "*" &&
-+	git status
-+'
-+
-+test_expect_success 'safe.directory=*, but is reset' '
-+	git config --global --add safe.directory "" &&
-+	expect_rejected_dir
-+'
-+
- test_done
--- a/git.spec
+++ b/git.spec
@ -77,14 +77,14 @@
 %endif

 # Define for release candidates
-%global rcrev   .rc2
+#global rcrev   .rc0

 # Set path to the package-notes linker script
 %global _package_note_file  %{_builddir}/%{name}-%{version}%{?rcrev}/.package_note-%{name}-%{version}-%{release}.%{_arch}.ld

 Name:           git
 Version:        2.36.0
-Release:        0.3%{?rcrev}%{?dist}
+Release:        1%{?rcrev}%{?dist}
 Summary:        Fast Version Control System
 License:        GPLv2
 URL:            https://git-scm.com/
@ -116,11 +116,6 @@ Source99:       print-failed-test-output
 # https://bugzilla.redhat.com/490602
 Patch0:         git-cvsimport-Ignore-cvsps-2.2b1-Branches-output.patch

-# Usability improvements on top of CVE-2022-24765
-Patch1:         0001-t0033-add-tests-for-safe.directory.patch
-Patch2:         0002-setup-fix-safe.directory-key-not-being-checked.patch
-Patch3:         0003-setup-opt-out-of-check-with-safe.directory.patch
-
 %if %{with docs}
 # pod2man is needed to build Git.3pm
 BuildRequires:  %{_bindir}/pod2man
@ -1041,6 +1036,9 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %{?with_docs:%{_pkgdocdir}/git-svn.html}

 %changelog
+* Mon Apr 18 2022 Todd Zullinger <tmz@pobox.com> - 2.36.0-1
+- update to 2.36.0
+
 * Thu Apr 14 2022 Todd Zullinger <tmz@pobox.com> - 2.36.0-0.3.rc2
 - usability improvements on top of CVE-2022-24765

--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (git-2.36.0.rc2.tar.xz) = dfdd49fc7d25c6e2c4291afd5e9c234f4180226d9219cb6e70328dfdeb585a982a2f3b375ede578570825fff9f68ea126b3342512644906dc4333f9f953fe4a3
-SHA512 (git-2.36.0.rc2.tar.sign) = 8b7abfabd47f2be269717e6eb832bcdecf502efc11caa8533a3851e7fbd21e41644322d0784e73efc4dfd5bf4bc1b1094f8dedbd72758e7522b12d045507618c
+SHA512 (git-2.36.0.tar.xz) = dce0d7dbe684af070271830a01bf1b9cc289182f5106f6e3303b1b3a0d5dc74bebf6ac0174373db05a28f5acc62acb095bc9385dabeeecc1d6e8567dce29b766
+SHA512 (git-2.36.0.tar.sign) = 51343a6443a95db4e896687987876d5259fe8e52fc14bbaa87314f7e3be3e36655d087c6453ca8208face5b28db10b503e5e52487cfa3f3664d2b4a761561815