When a build fails, the contents of t/test-results and the trash
directories can be quite useful for debugging. This is particularly
true when the failures occur only in Koji, where we can't get a shell
and poke around.
Create a compressed tarball and encode it with base64 to allow it to be
output along with the normal build output. Include instructions on how
to extract the base64-encoded content from the build log inline.
The tar archive is compressed with zstd which provides a good balance of
speed and size. The compression level of 17 was chosen after a number
of tests against real test failures, as opposed to entirely random
selection. ;)
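The round trip described in the commit message above, as an added shell example rather than the spec file's own code. The marker strings and function names are assumptions, since the page does not show the ones the build prints.

```shell
#!/bin/sh
# Marker lines are assumptions for this example.
BEGIN_MARK='-----BEGIN TEST ARTIFACTS-----'
END_MARK='-----END TEST ARTIFACTS-----'

# Build side: run from the git source tree after a failed test run.
# Tar the results, compress with zstd level 17, print as base64 text.
emit_artifacts() {
    printf '%s\n' "$BEGIN_MARK"
    (cd t && tar -cf - test-results "trash directory."*) | zstd -17 -c | base64
    printf '%s\n' "$END_MARK"
}

# Reader side: take only the lines between the two marker lines of a
# build log and decode them. The markers are matched as whole lines, so
# an xtrace echo of the command that printed them is not mistaken for one.
# Returns non-zero if decoding fails or no payload was found.
extract_artifacts() {
    log=$1 out=$2
    sed -n "/^${BEGIN_MARK}\$/,/^${END_MARK}\$/p" "$log" |
        sed '1d;$d' | base64 -d >"$out" && [ -s "$out" ]
}
```

Before unpacking, list the decoded archive with `zstd -dc artifacts.tar.zst | tar -tf -` and extract it into an empty directory.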
Add mod_http2 BuildRequires for t5559-http-fetch-smart-http2; skip it on
EL7, which lacks it. Ignore the expected 'missing HTTP2' output from
t5551-http-fetch-smart. Use a strict pattern to avoid unintended
matches.
Sadly, we must also disable t5559 for now. It fails very often across
all architectures. The most common failure is "large fetch-pack
requests can be sent using chunked encoding" (t5559.30), but earlier
tests have also failed. Until these failures are understood and
resolved, the entire test is disabled globally. (It's also disabled for
EL-7, which is redundant now but won't be after we re-enable the test
globally in the near future.)
We can't simply skip the mod_http2 dependency here because we set
GIT_TEST_HTTPD=true. Per upstream 73c49a4474 (t: run t5551 tests with
both HTTP and HTTP/2, 2022-11-11):

    If HTTP/2 isn't supported on a given platform, then t5559 should
    bail during the webserver setup, and gracefully skip all tests
    (unless GIT_TEST_HTTPD has been changed from "auto" to "yes", where
    the point is to complain when webserver setup fails).

Also ignore the 'missing BUILTIN_TXT_$builtin' output which comes from
upstream a0c3244796 (doc SYNOPSIS & -h: use "-" to separate words in
labels, not "_", 2022-10-13). We may want to loosen this in the future,
but for now ignore it because it doesn't help us identify missing test
dependencies.
Release notes:
https://github.com/git/git/raw/v2.39.0-rc0/Documentation/RelNotes/2.39.0.txt
The license data was gathered from the 2.38.1 tarball. The licensecheck
tool was run:

    find -type f -regextype egrep ! -regex '^(Documentation/.*\.txt$|(t/(chainlint|perf/p[0-9]{4}|t[0-9]{4}).*))' \
        -exec licensecheck --shortname-scheme spdx {} + | LANG=C sort >licensecheck

The contents were reviewed, removing files which are not shipped or were
UNKNOWN to licensecheck. Of the UNKNOWN files, most lacked a specific
license header and are thus treated as GPL-2.0-only. The code in
reftable/ is licensed as BSD 3-Clause per reftable/LICENSE.
This is Go source code which requires compilation to be used. It is
licensed differently than git; shipping it changes the License tag.
Let's avoid it for now. If it turns out to be widely used, we can
restore it later (and ship it in binary form).
From the release notes for 2.30.6¹:

     * CVE-2022-39253:
       When relying on the `--local` clone optimization, Git dereferences
       symbolic links in the source repository before creating hardlinks
       (or copies) of the dereferenced link in the destination repository.
       This can lead to surprising behavior where arbitrary files are
       present in a repository's `$GIT_DIR` when cloning from a malicious
       repository.

       Git will no longer dereference symbolic links via the `--local`
       clone mechanism, and will instead refuse to clone repositories that
       have symbolic links present in the `$GIT_DIR/objects` directory.

       Additionally, the value of `protocol.file.allow` is changed to be
       "user" by default.

     * CVE-2022-39260:
       An overly-long command string given to `git shell` can result in
       overflow in `split_cmdline()`, leading to arbitrary heap writes and
       remote code execution when `git shell` is exposed and the directory
       `$HOME/git-shell-commands` exists.

       `git shell` is taught to refuse interactive commands that are
       longer than 4MiB in size. `split_cmdline()` is hardened to reject
       inputs larger than 2GiB.

Credit for finding CVE-2022-39253 goes to Cory Snider of Mirantis. The
fix was authored by Taylor Blau, with help from Johannes Schindelin.
Credit for finding CVE-2022-39260 goes to Kevin Backhouse of GitHub.
The fix was authored by Kevin Backhouse, Jeff King, and Taylor Blau.
¹ https://github.com/git/git/raw/v2.38.1/Documentation/RelNotes/2.30.6.txt
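A pre-clone check in the spirit of the CVE-2022-39253 fix quoted above, added here as an example and not taken from Git or from this package: it lists symbolic links under a source repository's objects directory so a local clone source can be inspected first. The function name and return codes are assumptions.

```shell
#!/bin/sh
# Report symbolic links under $GIT_DIR/objects of a clone source.
# Returns 0 if none are found, 1 if any are found (each is printed),
# 2 if the path has no objects directory (for example when .git is a
# "gitdir:" file, which this example does not follow).
objects_symlinks() {
    src=$1
    # Accept either a worktree (with .git/) or a bare repository.
    if [ -d "$src/.git/objects" ]; then
        objdir=$src/.git/objects
    elif [ -d "$src/objects" ]; then
        objdir=$src/objects
    else
        echo "no objects directory under $src" >&2
        return 2
    fi
    # find does not follow links by default, so an objects directory that
    # is itself a symlink is reported as well as links inside it.
    found=$(find "$objdir" -type l -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}
```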
Newer rpmlint rightly points out this minor gitweb issue.
Fixing it is a low priority as we need to arrange the change only for
newer releases, keeping the old layout on existing systems. This is
tracked in bug 479613.
We removed '%{_emacs_version}' in 3395646 (remove --with/--without emacs
build conditional, 2022-06-13). Drop the unnecessary filter from the
rpmlint config.
Add filters for several new checks in rpmlint 2.x: files-duplicate;
package-with-huge-docs; and potential-bashisms.
Also ignore unused-direct-shlib-dependency for libpcre2. While this
is accurate, the additional linking would be tricky to remove from the
upstream Makefile. It would almost certainly not be worth the effort.
Lastly (even though it's the first line in the file), drop the unneeded
'from Config import *' directive. The rpmlint config is no longer
loaded directly as python code (yay!).
In 986b772 (Split 'git subtree' into a separate package, 2018-02-07), I
mistakenly created the package as arch-specific. It should have been
noarch; it is merely a shell script.
Adjust number of t5541 "push 2000 tags over http" test, which we skip on
aarch64 and ppc64le arches. It was shifted from 36 to 37 by upstream
b0c4adcdd7 (remote-curl: send Accept-Language header to server,
2022-07-11).
Release notes:
https://github.com/git/git/raw/v2.38.0-rc0/Documentation/RelNotes/2.38.0.txt
When running multiple builds, we frequently see failures due to port
conflicts, particularly with httpd tests. Retry with a different port
when the test function start_httpd() fails to reduce these spurious
failures.
We should not need to skip t9115-git-svn-dcommit-funky-renames as a
result. Remove it from GIT_SKIP_TESTS.
Similarly, adjust the git-daemon and svnserve start functions.
We have not shipped git-archimport since 3f0dc97 (Drop git-arch on
fedora >= 16, 2011-07-26). Replace the scattered references to it in
the spec file with a small group of commands in %prep to remove it
entirely.
The `BuildRequires: systemd` was added in d7389e7 (use systemd instead
of xinetd (bz 737183), 2013-04-30). Since then, the systemd macros have
been split into a subpackage¹. Adjust our BuildRequires (with an
exception for EL-7).
Replace `Requires*: systemd` in git-daemon with %{?systemd_requires}.
¹ https://src.fedoraproject.org/rpms/systemd/c/c9030f0 (Split out the
rpm macros into systemd-rpm-macros subpackage, 2018-11-02)
From the release notes for 2.30.5¹:

    This release contains minor fix-ups for the changes that went into
    Git 2.30.3 and 2.30.4, addressing CVE-2022-29187.

     * The safety check that verifies a safe ownership of the Git
       worktree is now extended to also cover the ownership of the Git
       directory (and the `.git` file, if there is any).

    Carlo Marcelo Arenas Belón (1):
          setup: tighten ownership checks post CVE-2022-24765

Additionally, from the release notes for 2.37.1²:

     * Rewrite of "git add -i" in C that appeared in Git 2.25 didn't
       correctly record a removed file to the index, which is an old
       regression but has become widely known because the C version has
       become the default in the latest release.

¹ https://github.com/git/git/raw/v2.37.1/Documentation/RelNotes/2.30.5.txt
² https://github.com/git/git/raw/v2.37.1/Documentation/RelNotes/2.37.1.txt
The emacs bcond support was added in cdea01a (drop emacs-git stub for
fedora >= 34 (#1882360), 2020-10-10). Now that Fedora 34 is EOL, we no
longer need the conditional.
The GIT_SKIP_TESTS variable does not support brace expansion. It was my
mistake thinking that it did. List the tests to skip properly.
If we had a longer list and *really* wanted to use brace expansion, we
could do something like this:

    GIT_SKIP_TESTS="$GIT_SKIP_TESTS $(echo t5300.{10,12,14} t5303.{5,7,11} t6300.{35,91,92})"

In this case, that's more characters _and_ more complexity, so it makes
no sense to use it. (Even if it were shorter, it doesn't necessarily
justify the extra complexity.)
Expand the list of tests to skip to cover those which fail due to the
earlier skipped tests.
Additionally, GIT_SKIP_TESTS is (unintentionally) set on systems other
than EL8. Fix the conditional to only skip these tests on s390x on EL8.
Per the release announcement¹, these patches...

    address usability issues in the recent releases 'v2.35.2',
    'v2.34.2', 'v2.33.2', 'v2.32.1', 'v2.31.2', and 'v2.30.3', where
    each "safe" directory has to be listed on the safe.directory
    configuration variables. A broader escape hatch has been added so
    that the value '*' can be used to declare "my colleagues and their
    repositories I may ever visit are all trustworthy".

¹ https://lore.kernel.org/git/xmqq1qy04iqa.fsf@gitster.g/
These tests fail on s390x, but only with EL8. They succeed on Fedora
and EL9. This suggests the issue is not with git. Skip them to avoid
blocking the Fedora releases which we care most about while still
allowing builds in COPR and elsewhere for all Fedora/EPEL releases.
Regarding CVE-2022-24765, the release announcement says:

    On multi-user machines, Git users might find themselves
    unexpectedly in a Git worktree, e.g. when another user created a
    repository in `C:\.git`, in a mounted network drive or in a
    scratch space. Merely having a Git-aware prompt that runs `git
    status` (or `git diff`) and navigating to a directory which is
    supposedly not a Git worktree, or opening such a directory in an
    editor or IDE such as VS Code or Atom, will potentially run
    commands defined by that other user.

The new `safe.directory` setting may be used in either the system or
global configuration to list directories which git should consider safe
even if they are owned by someone other than the current user.
Release notes:
https://github.com/git/git/raw/v2.36.0-rc2/Documentation/RelNotes/2.36.0.txt
The httpd package was slimmed down per rhbz#2070517. Use the new
httpd-core package for the test suite requirements on F37+.
While here, adjust a nearby '# endif' comment to match reality.
The %_package_note_file definition added in 1dc07e7 (set path to linker
script in %_package_note_file, 2022-01-24) does not support release
candidates. Fix it.
Add 'fsmonitor--daemon is not supported on this platform' and 'missing
!REFFILES' to git.skip-test-patterns to match new test prerequisites
which are not relevant for our builds.
Adjust number of t5541 "push 2000 tags over http" test. It was shifted
from 35 to 36 by upstream c36c62859a (tests: use "test_hook" for misc
"mkdir -p" and "chmod" cases, 2022-03-17).
Replace `%__make test` with `%__make -C t all` to avoid re-compiling in
%check. This is an issue I have yet to fully diagnose. I suspect that
it is related to the nice work Ævar Arnfjörð Bjarmason has done upstream
to improve the efficiency and correctness of the build process. Work
around it for the moment.
Release notes:
https://github.com/git/git/raw/v2.36.0-rc0/Documentation/RelNotes/2.36.0.txt
The package-notes feature¹ creates a linker script in %{buildsubdir}.
Unfortunately, %{buildsubdir} is not set in %prep, leaving us with an
incorrect path to the linker script. The build then fails with:

    /usr/bin/ld: cannot open linker script file
    /builddir/build/BUILD/.package_note-git-2.35.0-0.2.rc2.fc36.3.x86_64.ld:
    No such file or directory

Set the path to the linker script via %_package_note_file, per
suggestion by Zbigniew Jędrzejewski-Szmek².
References:
¹ https://fedoraproject.org/wiki/Changes/Package_information_on_ELF_objects
² https://bugzilla.redhat.com/2044028#c10
The scalar command is being worked on incrementally upstream.
As it matures, we may consider building and distributing it. Whether
that will happen before it graduates from contrib or not is anyone's
guess.
For the moment, remove it to avoid cruft in git-core-doc.
Git now requires C99 support and a zlib with uncompress2 by default.
On EL7, gcc-4.8.5 requires a flag to enable C99 support.
Compilation also fails without -fPIC on EL7, for reasons of which I am
not entirely clear. (I do not like making a change I cannot justify or
explain properly, but it is better than dropping EL7 support until I
have time to learn the reason(s).)
Update the %build_cflags macro when building on EL7 to enable C99
support and set -fPIC.
Define NO_UNCOMPRESS2 to use compat/zlib-uncompress2.c.
The git checkout command crashes when run multiple times, if
`.git/refs/remotes/origin/HEAD` is manually copied into
`.git/refs/heads/$branch-name`.
Strictly, this is repository corruption, but it has been silently
tolerated until upstream 9081a421 (checkout: fix "branch info" memory
leaks, 2021-11-16), which added some sanity checking of the data.
Loosen the check via Junio's upstream commit 519947b69a (checkout: avoid
BUG() when hitting a broken repository, 2022-01-21).
Add openssh-clients BuildRequires, for ssh-add. Upstream 350a2518c8
(ssh signing: support non ssh-* keytypes, 2021-11-19), added `ssh-add`
as a requirement of t7528-signed-commit-ssh's "sign commits using
literal public keys with ssh-agent" test.
Replace the openssh BR added in e8896ce (update to 2.34.0, 2021-11-15)
with openssh-clients. The latter requires the former.
Apply Taylor Blau's patch to fix a use-after-free bug in fmt-merge-msg¹.
Add `missing !LONG_IS_64BIT,EXPENSIVE` to git.skip-test-patterns. It is
used in t1051-large-conversion after upstream 596b5e77c9 (clean/smudge:
allow clean filters to process extremely large files, 2021-11-02).
Release notes:
https://github.com/git/git/raw/v2.35.0-rc0/Documentation/RelNotes/2.35.0.txt
¹ https://lore.kernel.org/git/CAHk-=whXPxWL7z3GiPkaDt+yygrRmagrYUnib7Lx=Vvrqx2ufg@mail.gmail.com/
The output of gpgsm changed slightly in gnupg-2.3, causing the git tests
for x509 signatures to be skipped. Update the tests to use the
machine-parseable --with-colons output.
It also appears that we need to reload the gpg-agent in order to pick up
the changes the test library makes to the trustlist.txt file. It might
be better to store that file with the other gpg files in the test suite
rather than generating it.
While we're at it, reload all the gpg components rather than just
gpg-agent. Adjust the earlier gpgconf kill to use the 'all' keyword as
well.
Next up, gpgsm removed a debug line from its output which exposes a
problem in git's gpg-interface code. The git code presumes that the
'[GNUPG:] SIG_CREATED' line will follow a newline. That is no longer
true. The debug line was removed from GnuPG in a6d2f3133 (sm: Replace
some debug message by log_error or log_info, 2020-04-21).
Finally, a minor bug in gpgsm causes the error message returned when a
certificate is not found to differ from previous versions¹. Extend the
grep pattern in the test suite to catch both error messages.
¹ https://lists.gnupg.org/pipermail/gnupg-devel/2021-November/034991.html
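The newline assumption described in the gpgsm commit message above, reproduced as an added shell example (Git's real code is C in gpg-interface; this is not it). The function names and the status lines are constructed for illustration.

```shell
#!/bin/sh
NL='
'
# Constructed status output: with a leading debug line (older gpgsm),
# without it (gnupg-2.3), and with the marker text in the middle of a line.
STATUS_OLD="gpgsm: constructed debug line${NL}[GNUPG:] SIG_CREATED D 1 8 00 1636000000 CONSTRUCTED"
STATUS_NEW="[GNUPG:] SIG_CREATED D 1 8 00 1636000000 CONSTRUCTED"
STATUS_MIDLINE="gpgsm: text mentioning [GNUPG:] SIG_CREATED mid-line"

# Presumes the record follows a newline, so it misses SIG_CREATED when
# that record is the very first line of the output.
sig_created_naive() {
    case $1 in
    *"${NL}[GNUPG:] SIG_CREATED "*) return 0 ;;
    esac
    return 1
}

# Accepts the record at the start of the buffer or right after a newline,
# but never in the middle of another line.
sig_created_anchored() {
    case "${NL}$1" in
    *"${NL}[GNUPG:] SIG_CREATED "*) return 0 ;;
    esac
    return 1
}

for sample in "$STATUS_OLD" "$STATUS_NEW" "$STATUS_MIDLINE"; do
    sig_created_naive "$sample" && n=match || n=miss
    sig_created_anchored "$sample" && a=match || a=miss
    printf 'naive=%s anchored=%s\n' "$n" "$a"
done
```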
Release notes:
https://github.com/git/git/raw/v2.34.0/Documentation/RelNotes/2.34.0.txt
Add `BuildRequires: openssh` for the `ssh-keygen` command; it is needed
to test the newly-added ssh signing support¹. Refer to the `gpg.format`
and `gpg.ssh.*` variables in git-config(1) for details.
[Unfortunately, openssh-8.7 has a bug in the requisite `ssh-keygen -Y
find-principals` command, which will limit the usefulness of this
feature on Fedora 35/36 until openssh is either rebased to 8.8 or the
patch² is backported. The git testsuite has been taught to skip the
tests when this bug is present, in upstream ca7a5bf4bd (t/lib-gpg: avoid
broken versions of ssh-keygen, 2021-11-10), but that won't help users
who try out this new feature. Hopefully we can get openssh-8.7 in
Fedora 35 & 36 patched or updated before too long.]
We have `Requires: openssh-clients` in git-core already. The
openssh-clients package requires openssh so we don't _need_ to add an
install-time requirement to ensure the `ssh-keygen` command is
available.
Ignore RUNTIME_PREFIX and SYMLINKS_WINDOWS test prerequisites when
looking for missing test suite BuildRequires³.
The RUNTIME_PREFIX prerequisite was added in b7d11a0f5d (tests: exercise
the RUNTIME_PREFIX feature, 2021-07-24)⁴. It is used to build binaries
which can be easily relocated, which we don't need in our builds.
The SYMLINKS_WINDOWS prerequisite was added in 3e7d4888e5 (mingw: align
symlinks-related rmdir() behavior with Linux, 2021-08-02)⁵. It is, as
the name implies, Windows-specific.
¹ https://github.com/git/git/commit/b5726a5d9c (ssh signing: preliminary
refactoring and clean-up, 2021-09-10) and the commits which follow.
² https://github.com/openssh/openssh-portable/commit/ca0e455b93,
https://github.com/openssh/openssh-portable/commit/4afe431da9, and
https://www.mail-archive.com/source-changes@openbsd.org/msg127496.html
(plus the replies, which point out the typo in the first patch)
³ fa92661 (Add grep patterns for checking skipped tests, 2019-02-02)
⁴ https://github.com/git/git/commit/b7d11a0f5d
⁵ https://github.com/git/git/commit/3e7d4888e5