The %_package_note_file definition added in 1dc07e7 (set path to linker
script in %_package_note_file, 2022-01-24) does not support release
candidates. Fix it.
Add 'fsmonitor--daemon is not supported on this platform' and 'missing
!REFFILES' to git.skip-test-patterns to match new test prerequisites
which are not relevant for our builds.
Adjust number of t5541 "push 2000 tags over http" test. It was shifted
from 35 to 36 by upstream c36c62859a (tests: use "test_hook" for misc
"mkdir -p" and "chmod" cases, 2022-03-17).
Replace `%__make test` with `%__make -C t all` to avoid re-compiling in
%check. This is an issue I have yet to fully diagnose. I suspect that
it is related to the nice work Ævar Arnfjörð Bjarmason has done upstream
to improve the efficiency and correctness of the build process. Work
around it for the moment.
Release notes:
https://github.com/git/git/raw/v2.36.0-rc0/Documentation/RelNotes/2.36.0.txt
Add openssh-clients BuildRequires, for ssh-add. Upstream 350a2518c8
(ssh signing: support non ssh-* keytypes, 2021-11-19), added `ssh-add`
as a requirement of t7528-signed-commit-ssh's "sign commits using
literal public keys with ssh-agent" test.
Replace the openssh BR added in e8896ce (update to 2.34.0, 2021-11-15)
with openssh-clients. The latter requires the former.
Apply Taylor Blau's patch to fix a use-after-free bug in fmt-merge-msg¹.
Add `missing !LONG_IS_64BIT,EXPENSIVE` to git.skip-test-patterns. It is
used in t1051-large-conversion after upstream 596b5e77c9 (clean/smudge:
allow clean filters to process extremely large files, 2021-11-02).
Release notes:
https://github.com/git/git/raw/v2.35.0-rc0/Documentation/RelNotes/2.35.0.txt
¹ https://lore.kernel.org/git/CAHk-=whXPxWL7z3GiPkaDt+yygrRmagrYUnib7Lx=Vvrqx2ufg@mail.gmail.com/
Release notes:
https://github.com/git/git/raw/v2.34.0/Documentation/RelNotes/2.34.0.txt
Add `BuildRequires: openssh` for the `ssh-keygen` command; it is needed
to test the newly-added ssh signing support¹. Refer to the `gpg.format`
and `gpg.ssh.*` variables in git-config(1) for details.
[Unfortunately, openssh-8.7 has a bug in the requisite `ssh-keygen -Y
find-principals` command, which will limit the usefulness of this
feature on Fedora 35/36 until openssh is either rebased to 8.8 or the
patch² is backported. The git testsuite has been taught to skip the
tests when this bug is present, in upstream ca7a5bf4bd (t/lib-gpg: avoid
broken versions of ssh-keygen, 2021-11-10), but that won't help users
who try out this new feature. Hopefully we can get openssh-8.7 in
Fedora 35 & 36 patched or updated before too long.]
We have `Requires: openssh-clients` in git-core already. The
openssh-clients package requires openssh so we don't _need_ to add an
install-time requirement to ensure the `ssh-keygen` command is
available.
Ignore RUNTIME_PREFIX and SYMLINKS_WINDOWS test prerequisites when
looking for missing test suite BuildRequires³.
The RUNTIME_PREFIX prerequisite was added in b7d11a0f5d (tests: exercise
the RUNTIME_PREFIX feature, 2021-07-24)⁴. It is used to build binaries
which can be easily relocated, which we don't need in our builds.
The SYMLINKS_WINDOWS prerequisite was added in 3e7d4888e5 (mingw: align
symlinks-related rmdir() behavior with Linux, 2021-08-02)⁵. It is, as
the name implies, Windows-specific.
¹ https://github.com/git/git/commit/b5726a5d9c (ssh signing: preliminary
refactoring and clean-up, 2021-09-10) and the commits which follow.
² https://github.com/openssh/openssh-portable/commit/ca0e455b93,
https://github.com/openssh/openssh-portable/commit/4afe431da9, and
https://www.mail-archive.com/source-changes@openbsd.org/msg127496.html
(plus the replies, which point out the typo in the first patch)
³ fa92661 (Add grep patterns for checking skipped tests, 2019-02-02)
⁴ https://github.com/git/git/commit/b7d11a0f5d
⁵ https://github.com/git/git/commit/3e7d4888e5
contrib/hooks/multimail is no longer distributed with git
The multimail hook was removed from the git contrib tree. From the
upstream commit f74d11471f (multimail: stop shipping a copy,
2021-06-10):
The multimail project is developed independently and has its own project
page. Traditionally, we shipped a copy in contrib/.
However, such a copy is prone to become stale, and users are much better
served to be directed to the actual project instead.
This release includes a fix for CVE-2021-21300¹ in addition to the other
changes along the path to the final 2.31.0 release.
Release notes:
https://github.com/git/git/raw/v2.31.0-rc2/Documentation/RelNotes/2.31.0.txt
¹ Per the 2.17.6 release notes on CVE-2021-21300:
On case-insensitive file systems with support for symbolic links, if
Git is configured globally to apply delay-capable clean/smudge
filters (such as Git LFS), Git could be fooled into running remote
code during a clone.
The update to 2.29.1 is pointless on its own¹, but a subsequent commit
will add some additional post-release fixes for 2.29. Once we're
pushing an update, we might as well pick up the latest point release to
avoid anyone wondering why we've skipped an update.
Release notes:
https://github.com/git/git/raw/v2.29.1/Documentation/RelNotes/2.29.1.txt
¹ The only change in 2.29.1 is a Makefile fix for users of the
non-default SKIP_DASHED_BUILT_INS installation option.
Release notes:
https://github.com/git/git/raw/v2.28.0-rc0/Documentation/RelNotes/2.28.0.txt
Update git.skip-test-patterns to catch the 2GB clone test. The output
of the skipped test was changed (for the better) in upstream commit
d63ae31962 (t5608: avoid say() and use "skip_all" instead for
consistency, 2020-05-22).
From the upstream release notes¹:
With a crafted URL that contains a newline or empty host, or lacks
a scheme, the credential helper machinery can be fooled into
providing credential information that is not appropriate for the
protocol in use and host being contacted.
Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
credentials are not for a host of the attacker's choosing; instead,
they are for some unspecified host (based on how the configured
credential helper handles an absent "host" parameter).
The attack has been made impossible by refusing to work with
under-specified credential patterns.
¹ https://www.kernel.org/pub/software/scm/git/docs/RelNotes/2.17.5.txt
From the upstream release notes¹:
With a crafted URL that contains a newline in it, the credential
helper machinery can be fooled to give credential information for
a wrong host. The attack has been made impossible by forbidding
a newline character in any value passed via the credential
protocol.
¹ https://www.kernel.org/pub/software/scm/git/docs/RelNotes/2.17.4.txt
