Release notes:
https://github.com/git/git/raw/v2.34.0/Documentation/RelNotes/2.34.0.txt
Add `BuildRequires: openssh` for the `ssh-keygen` command; it is needed
to test the newly-added ssh signing support¹. Refer to the `gpg.format`
and `gpg.ssh.*` variables in git-config(1) for details.
[Unfortunately, openssh-8.7 has a bug in the requisite `ssh-keygen -Y
find-principals` command, which will limit the usefulness of this
feature on Fedora 35/36 until openssh is either rebased to 8.8 or the
patch² is backported. The git testsuite has been taught to skip the
tests when this bug is present, in upstream ca7a5bf4bd (t/lib-gpg: avoid
broken versions of ssh-keygen, 2021-11-10), but that won't help users
who try out this new feature. Hopefully we can get openssh-8.7 in
Fedora 35 & 36 patched or updated before too long.]
We have `Requires: openssh-clients` in git-core already. The
openssh-clients package requires openssh so we don't _need_ to add an
install-time requirement to ensure the `ssh-keygen` command is
available.
Ignore RUNTIME_PREFIX and SYMLINKS_WINDOWS test prerequisites when
looking for missing test suite BuildRequires³.
The RUNTIME_PREFIX prerequisite was added in b7d11a0f5d (tests: exercise
the RUNTIME_PREFIX feature, 2021-07-24)⁴. It is used to build binaries
which can be easily relocated, which we don't need in our builds.
The SYMLINKS_WINDOWS prerequisite was added in 3e7d4888e5 (mingw: align
symlinks-related rmdir() behavior with Linux, 2021-08-02)⁵. It is, as
the name implies, Windows-specific.
¹ https://github.com/git/git/commit/b5726a5d9c (ssh signing: preliminary
refactoring and clean-up, 2021-09-10) and the commits which follow.
² https://github.com/openssh/openssh-portable/commit/ca0e455b93,
https://github.com/openssh/openssh-portable/commit/4afe431da9, and
https://www.mail-archive.com/source-changes@openbsd.org/msg127496.html
(plus the replies, which point out the typo in the first patch)
³ fa92661 (Add grep patterns for checking skipped tests, 2019-02-02)
⁴ https://github.com/git/git/commit/b7d11a0f5d
⁵ https://github.com/git/git/commit/3e7d4888e5
contrib/hooks/multimail is no longer distributed with git
The multimail hook was removed from the git contrib tree. From the
upstream commit f74d11471f (multimail: stop shipping a copy,
2021-06-10):
The multimail project is developed independently and has its own project
page. Traditionally, we shipped a copy in contrib/.
However, such a copy is prone to become stale, and users are much better
served to be directed to the actual project instead.
This release includes a fix for CVE-2021-21300¹ in addition to the other
changes along the path to the final 2.31.0 release.
Release notes:
https://github.com/git/git/raw/v2.31.0-rc2/Documentation/RelNotes/2.31.0.txt
¹ Per the 2.17.6 release notes on CVE-2021-21300:
On case-insensitive file systems with support for symbolic links, if
Git is configured globally to apply delay-capable clean/smudge
filters (such as Git LFS), Git could be fooled into running remote
code during a clone.
The update to 2.29.1 is pointless on its own¹, but a subsequent commit
will add some additional post-release fixes for 2.29. Once we're
pushing an update, we might as well pick up the latest point release to
avoid anyone wondering why we've skipped an update.
Release notes:
https://github.com/git/git/raw/v2.29.1/Documentation/RelNotes/2.29.1.txt
¹ The only change in 2.29.1 is a Makefile fix for users of the
non-default SKIP_DASHED_BUILT_INS installation option.
Release notes:
https://github.com/git/git/raw/v2.28.0-rc0/Documentation/RelNotes/2.28.0.txt
Update git.skip-test-patterns to catch the 2GB clone test. The output
of the skipped test was changed (for the better) in upstream commit
d63ae31962 (t5608: avoid say() and use "skip_all" instead for
consistency, 2020-05-22).
From the upstream release notes¹:
With a crafted URL that contains a newline or empty host, or lacks
a scheme, the credential helper machinery can be fooled into
providing credential information that is not appropriate for the
protocol in use and host being contacted.
Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
credentials are not for a host of the attacker's choosing; instead,
they are for some unspecified host (based on how the configured
credential helper handles an absent "host" parameter).
The attack has been made impossible by refusing to work with
under-specified credential patterns.
¹ https://www.kernel.org/pub/software/scm/git/docs/RelNotes/2.17.5.txt
From the upstream release notes¹:
With a crafted URL that contains a newline in it, the credential
helper machinery can be fooled to give credential information for
a wrong host. The attack has been made impossible by forbidding
a newline character in any value passed via the credential
protocol.
¹ https://www.kernel.org/pub/software/scm/git/docs/RelNotes/2.17.4.txt
Adjust skipped test number in t5541-http-push-smart.sh (skipped on
aarch64, %{arm}, and %{power64}). A new test was added in upstream
6f1194246a ("remote-curl: pass on atomic capability to remote side",
2019-10-16), resulting in the "push 2000 tags over http" test number
changing.
Release notes:
https://www.kernel.org/pub/software/scm/git/docs/RelNotes/2.24.0.txt
