Using the same variable make it clearer that we're referring to the same
thing as upstream when the Makefile uses gitexecdir.
Remove a stale conditional in git-cvs for handling the case where git's
binaries are stored in %{_bindir}. This support was dropped after
EL-5's support ended. Most similar conditionals were removed in 903d8f3
(Remove EL-5 and old Fedora conditionals, 2017-07-22).
Also remove the conditional setting of 'gitexecdir = %{_bindir}' which
was only used on EL-5 to prevent moving the git binaries during the
update to git-1.6.
After this change, the only rpmlint issues are incorrect-fsf-address
errors:
git-gui.noarch: E: incorrect-fsf-address /usr/libexec/git-core/git-gui
git-gui.noarch: E: incorrect-fsf-address /usr/libexec/git-core/git-citool
git.x86_64: E: incorrect-fsf-address /usr/share/emacs/site-lisp/git/git.el
git-core-doc.x86_64: E: incorrect-fsf-address /usr/share/doc/git/contrib/hg-to-git/hg-to-git.py
git-core-doc.x86_64: E: incorrect-fsf-address /usr/share/doc/git/contrib/emacs/git.el
git-core-doc.x86_64: E: incorrect-fsf-address /usr/share/doc/git/contrib/fast-import/import-directories.perl
git-debuginfo.x86_64: E: incorrect-fsf-address /usr/src/debug/git-2.15.0/trace.c
These issues will be fixed in the next upstream release, with the
following commits:
https://github.com/git/git/commit/484257925fhttps://github.com/git/git/commit/63100874c1
In ef7ac1a (git-p4: adjust python2 shebang manually, 2017-08-03) we
dropped PYTHON_PATH due to failures in t9020-remote-svn.
Digging deeper, the issue appears to be caused by the test calling a
script which has a hard-coded #!/usr/bin/python shebang. On newer
fedora releases, /usr/bin/python is python3.
Replacing the shebang in contrib/svn-fe/svnrdump_sim.py (the script the
test calls) with #!%{__python2} allows the test to succeed while setting
PYTHON_PATH in config.mak, as desired.
Use '%{summary}.' as the %description for all subpackages where the
summary and description matched. This is one less place to change
if/when we update a summary/description in the future.
While looking at rpmlint complaints, gitk had a spelling warning because
the summary/description used the British English spelling of
"visualiser." Rather than simply change that to the American English
spelling, change the summary/description to match the gitk
documentation. Do the same for git-gui.
Using %summary fixes the %description for perl-Git-SVN, which previously
used the %description from perl-Git mistakenly.
Also improve/clarify the summary of git-gnome-keyring, git-send-email,
and git-svn.
The git-all subpackage added an obsoletes for older git packages in
0c4a11c (git 1.5.4.3 and include krh's change to rename git-core to git,
2008-02-23).
The git-arch subpackage was obsoleted many years ago in 3f997b4
(Obsolete git-arch as needed, 2011-08-05).
We don't need to carry either of these obsoletes any longer.
We cannot be sure that users installing the git package have not mounted
the git bin and lib dirs on different file systems. The cost is a small
amount of extra disk space (1.25M in the current build).
The expiration of the signing subkey was recently extended. Ensure
we're using a current copy of the key to avoid any output from gpg
stating that the key is expired.
While our current usage of gpgv2 is not affected by the expired signing
subkey, anyone importing the key and using 'gpg2 --verify' would see
'Note: This key has expired!' in the output.
For reference, here is the process used to update the key:
(cd ~/src/git && git cat-file blob junio-gpg-pub | gpg2 --import)
fpr='96E07AF25771955980DAD10020D04E5A713660A7'
gpg2 --keyserver hkp://keys.gnupg.net --refresh-keys $fpr
gpg2 --export-options export-minimal --no-emit-version --armor \
--export $fpr > gpgkey-junio.asc
Here is the ouput from gpg2 --list-sigs¹ before:
pub rsa4096/20D04E5A713660A7 2011-10-01 [SC]
Key fingerprint = 96E0 7AF2 5771 9559 80DA D100 20D0 4E5A 7136 60A7
uid Junio C Hamano <gitster@pobox.com>
sig 3 20D04E5A713660A7 2011-10-01 never Junio C Hamano <gitster@pobox.com>
uid Junio C Hamano <junio@pobox.com>
sig 3 20D04E5A713660A7 2011-10-01 never Junio C Hamano <gitster@pobox.com>
uid Junio C Hamano <jch@google.com>
sig 3 20D04E5A713660A7 2011-10-01 never Junio C Hamano <gitster@pobox.com>
sub rsa4096/B0B5E88696AFE6CB 2011-10-03 [S] [expired: 2015-09-21]
Key fingerprint = E1F0 36B1 FEE7 221F C778 ECEF B0B5 E886 96AF E6CB
sig 20D04E5A713660A7 2014-09-21 never Junio C Hamano <gitster@pobox.com>
and after:
pub rsa4096/20D04E5A713660A7 2011-10-01 [SC]
Key fingerprint = 96E0 7AF2 5771 9559 80DA D100 20D0 4E5A 7136 60A7
uid Junio C Hamano <gitster@pobox.com>
sig 3 20D04E5A713660A7 2011-10-01 never Junio C Hamano <gitster@pobox.com>
uid Junio C Hamano <junio@pobox.com>
sig 3 20D04E5A713660A7 2011-10-01 never Junio C Hamano <gitster@pobox.com>
uid Junio C Hamano <jch@google.com>
sig 3 20D04E5A713660A7 2011-10-01 never Junio C Hamano <gitster@pobox.com>
sub rsa4096/B0B5E88696AFE6CB 2011-10-03 [S] [expires: 2020-07-26]
Key fingerprint = E1F0 36B1 FEE7 221F C778 ECEF B0B5 E886 96AF E6CB
sig 20D04E5A713660A7 2017-07-27 never Junio C Hamano <gitster@pobox.com>
sub rsa4096/86B76D5D833262C4 2011-10-01 [E]
Key fingerprint = 1843 AEC2 2DD5 6B75 E554 3FEF 86B7 6D5D 8332 62C4
sig 20D04E5A713660A7 2011-10-01 never Junio C Hamano <gitster@pobox.com>
sub rsa4096/7594EEC7B3F7CAC9 2014-09-20 [S] [expires: 2020-07-26]
Key fingerprint = DC3D 6C01 251E CA4B 1200 A7EE 7594 EEC7 B3F7 CAC9
sig 20D04E5A713660A7 2017-07-27 never Junio C Hamano <gitster@pobox.com>
¹ The full gpg2 command used was:
gpg2 --no-options --keyid-format long --with-fingerprint --with-subkey-fingerprint --list-options "show-sig-expire show-sig-subpackets show-unusable-uids show-unusable-subkeys no-show-uid-validity" --list-sigs 20D04E5A713660A7
From the release announcement¹
A malicious third-party can give a crafted "ssh://..." URL to an
unsuspecting victim, and an attempt to visit the URL can result in
any program that exists on the victim's machine being executed.
Such a URL could be placed in the .gitmodules file of a malicious
project, and an unsuspecting victim could be tricked into running
"git clone --recurse-submodules" to trigger the vulnerability.
Credits to find and fix the issue go to Brian Neel at GitLab, Joern
Schneeweisz of Recurity Labs and Jeff King at GitHub.
¹ https://public-inbox.org/git/xmqqh8xf482j.fsf@gitster.mtv.corp.google.com/
git-1.7-el5-emacs-support.patch was dropped in 903d8f3 (Remove EL-5 and
old Fedora conditionals, 2017-07-22).
git-infinite-loop.patch was dropped in f5bc9a8 (Check upstream GPG
signatures in %prep, 2016-03-27).
Setting 'PYTHON_PATH = %{__python2}' in config.mak should work, but
doing so causes the remote svn tests in t9020 (which use a python script
to similate svnrdump) to fail. Just fix the git-p4 shebang until the
svn test failures can be resolved.
The pcre1 library is only maintained for serious bugs and
vulnerabilities at this point. Further improvements are happening in
pcre2. In a future release git will make this the default library for
pcre support.
EL-5 has been EOL for several months now. We can drop all the
conditionals needed to build there, as well as some conditionals for
long-expired Fedora releases.
Without EL-5 we also no longer use the prebuilt documentation. Remove
these sources and simplify the gpg check for the remaining source.
Links in docfiles are now automatically checked for correct paths
by linkchecker. The test is available only for Fedora 25+ system,
because the utility is not available for RHEL.
We have not supported git-archimport in many years and have removed the
files from the documentation. Removing it from the command list ensures
that git will not generate a link to the command in the documentation.
This avoids leaving a broken link in the html docs.
Move documentation files from all subpackages into the %{_pkgdocdir}
directory, so links inside doc and man files are correct
Resolves: #1357438
- excluded *py[co] files from doc/* subdirectories, as these files
are not expected to be executed (thanks tmz)
The grep tests succeed and fail intermittently on s390x. Until that
arch is more established and works (or fails) consistently, skip these
tests rather than let s390x hold back ever other arch.
Upstream changed the default SHA1 implementation in 2.13.0 to one which
detects collisions¹. It may be slightly slower than BLK_SHA1 in some
cases, but the added safety it provides in the face of the SHAttered²
attack should be worth the cost.
We overrode the default SHA1 implementation in b796934 (Update to
git-1.6.5.rc2 - Enable Linus' block-sha1 implementation.) The main
reason was to avoid linking against openssl's libcrypto for most
binaries, which saved a measurable amount of space. Using the new
DC_SHA1 default provides the same benefit.
¹ https://github.com/git/git/commit/e6b07da278
² https://shattered.io/
Since the libsecret replaces the libgnome-keyring,
the libgnome-keyring is not necessary to keep it in the git package.
In addition, gnome-keyring is deprecated and according to people
from GNOME, they do not expect that anyone would want to use the old
library when libsecret is installed. So drop credentials for
libgnome-keyring.
However, I keep that credential in spec for older systems where it
has been originally, but it is split into the separate rpm, so at
least it will not be required by the git package. It can be removed
later.
Usually in Fedora this change will not change paths in current
packages, because both macros has same value now (/var). However,
the first one is "more recommended", because some build environments
redefine path in this macro for own purposes, in contrast with
%{_var} which is usually kept as it is.
- missing libcurl requirement for git-core
- git-email & git-cvs should require 'perl(Git)' according
to guidelines
- perl-generators are required during build only for Fedora 21+
