The Makefiles for contrib/{contacts,subtree} don't include various
asciidoc, docbook, and xmlto options which are added to docs built from
the Documentation dir. Without these options the man page generated
for git-contacts has formatting issues.
Move the contrib/{contacts,subtree} docs to the Documentation dir to be
built along with the other doc files.
Now that Fedora 30 defaults to gnupg2 as /bin/gpg we don't need to
install gnupg for the test suite. We already require gnupg2 to verify
the source files.
Having the output of the config.mak file in the build output is very
convenient, particularly when building in koji or copr where it is not
possible to directly access the buildroot.
GnuPG2 requires gpg-agent and tries to start it on demand. The agent
uses a socket for communication and the path to this socket must be
shorter than sun_path [108 characters, per unix(7)].
Adjust the location of the temporary directories used by the test suite
by passing the --root option via GIT_TEST_OPTS.
One potential downside to this is that we use mktemp to create the
directory and this will differ between builds. If/when we want to make
our builds entirely reproducible we will need to revisit this. With
luck, gnupg will be better behaved by that time¹.
An alternate solution I tested was to rename the two problematic tests
(t5573 and t7612). This is a brittle solution as new tests may be added
which cause the same path length issue for gpg-agent.
Also drop the redundant killing of gpg-agent. This doesn't break
anything but it can only slow the test suite (however slightly).
¹ A ticket was filed to improve gpg-agent's handling of long paths in
GNUPGHOME (but it's nearly 2 years old): https://dev.gnupg.org/T2964.
In addition to the gnupg2-smime BR, patch an issue which prevents the
gpgsm tests from running. Only include gpgsm on Fedora and RHEL > 8.
On RHEL < 8 the gnupg2-smime package is too old to run the tests.
The test suite uses is_IS.UTF-8 and is_IS.ISO8859-1 (via the
GETTEXT_LOCALE and GETTEXT_ISO_LOCALE prereqs). Ensure these locales
are available. Installing glibc-langpack-is is insufficient as it does
not provide is_IS.ISO8859-1; glibc-all-langpacks is also needed.
Now that we're installing additional langpacks, update the macro name
which was added in a6a24cf ("Add glibc-langpack-en BuildRequires for
en_US.UTF-8 locale", 2018-11-05).
The pcre BR was added in 6dc6285 ("Improve test suite coverage",
2017-11-10), which seems to have been an oversight. The test suite
improvements were worked on over a long period of time. It is quite
likely that the pcre BR was needed before 6dc6285 was finalized.
Regardless, we began building against pcre2 in 595b682 ("Use pcre2
library", 2017-07-22).
Note that pcre remains in the minimal buildroot due to dependencies in
glib2 and grep.
When preparing the srpm in mock or other minimal environments, the use
of %{_emacs_version} causes a spurious warning:
Possible unexpanded macro in: Requires: emacs-filesystem >= %{_emacs_version}
Prevent the warning with a check that the macro is defined before use.
(There is another use of %{_emacs_version}, but it only applies to EL-6
where the warning is not present. Just ignore it.)
Make it easier to tell what %if conditions are being ended. This is
particularly useful with nested conditions since we lack any indentation
to visually denote the conditional blocks.
The %{without ...} macro is easier to read than '! %{with ...}', use it
consistently.
(Note that using %without_* and %_without_* macros is still not
advised.)
The verification was simplified slightly in 903d8f3 ("Remove EL-5 and
old Fedora conditionals", 2017-07-22).
Further simplifications:
- do away with unneeded variables
- drop '--batch' and '>/dev/null' from gpg2 --dearmor
- check tarball signature via stdin
The "noisy output from GnuPG 2.0" alluded to on EL <= 7 is no longer
present. This has been tested in mock for el6, el7, and fedora
releases.
The chroot is a bit quicker to create and slightly smaller when building
'--without tests' if the BuildRequires needed to run the tests are
skipped.
Add pod2man dependency when documentation is enabled (the default).
Since git-2.17.0, pod2man is needed to build Git.3pm. The pod2man
command is in perl-podlators on Fedora and EL >= 7, but in perl on EL-6.
Use %{_bindir}/pod2man to ensure the dependency is found regardless of
what package provides it.
The dependency is only missed when building without the test deps, as
the many perl requirements pulled in for the test suite bring in
pod2man.
From the upstream release announcement:
These releases fix a security flaw (CVE-2018-17456), which allowed an
attacker to execute arbitrary code by crafting a malicious .gitmodules
file in a project cloned with --recurse-submodules.
When running "git clone --recurse-submodules", Git parses the supplied
.gitmodules file for a URL field and blindly passes it as an argument
to a "git clone" subprocess. If the URL field is set to a string that
begins with a dash, this "git clone" subprocess interprets the URL as
an option. This can lead to executing an arbitrary script shipped in
the superproject as the user who ran "git clone".
In addition to fixing the security issue for the user running "clone",
the 2.17.2, 2.18.1 and 2.19.1 releases have an "fsck" check which can
be used to detect such malicious repository content when fetching or
accepting a push. See "transfer.fsckObjects" in git-config(1).
Credit for finding and fixing this vulnerability goes to joernchen
and Jeff King, respectively.
References:
https://public-inbox.org/git/xmqqy3bcuy3l.fsf@gitster-ct.c.googlers.com/
While rpmbuild and mock have --nocheck to disable the %check section,
'fedpkg mockbuild' lacks this convenient option.
Add %bcond_without tests to allow 'fedpkg mockbuild --without tests' to
not run the test suite. Disabling the test suite cuts the build time by
approximately 60%, which is very useful while working on changes to the
packaging.
With curl-7.61.1 cookies are sorted by creation-time¹. Sort the output
used in the 'cookies stored in http.cookiefile when http.savecookies
set' test before comparing it to the expected cookies.
¹ https://github.com/curl/curl/commit/e2ef8d6fa ("cookies: support
creation-time attribute for cookies", 2018-08-28)
When building with options "--without docs --without p4 --without cvs"
the build fails with the following errors:
error: Installed (but unpackaged) file(s) found:
/usr/share/doc/git/git-cvsexportcommit.txt
/usr/share/doc/git/git-cvsimport.txt
/usr/share/doc/git/git-cvsserver.txt
/usr/share/doc/git/git-p4.txt
Installed (but unpackaged) file(s) found:
/usr/share/doc/git/git-cvsexportcommit.txt
/usr/share/doc/git/git-cvsimport.txt
/usr/share/doc/git/git-cvsserver.txt
/usr/share/doc/git/git-p4.txt
The .txt files were not caught by the %files entry in the main git
package when cvs/p4 were disabled -- from 9cd8ee7 ("Disable CVS support
on EL > 7", 2018-03-14). Those only applied when documentation was not
disabled.
Remove git-cvs* and git-p4* files from Documentation as well as the
%{buildroot}. Simplify the find path by dropping %{_bindir} and
%{gitexecdir}. Tighten the git-p4 glob to avoid unintended matches.
Drop the conditional inclusion of cvs/p4 docs in the main git package in
favor of removing the files entirely.
Gives possibility to add dependencies for git-instaweb http daemon,
without having to install all dependencies at each git install.
Currently, lighttpd is required by the git-instaweb package.
The git-instaweb script supports other httpd daemons (httpd, mongoose,
plackup [in perl(Plack)], and webrick [in ruby-libs]). lighttpd is the
default, works without any configuration, and is only ~1M installed.
Add a conditional to allow merging from master to f29. The obsoletes
should be removed when f29 is EOL. It was added in 2d1c8b1 ("Remove
obsolete gnome-keyring credential helper", 2018-01-09). The comment was
improved in 4a06e99 ("clarify comment for obsolete git-gnome-keyring",
2018-09-04).
Avoid shipping scripts which require python2 when building without
python2. The following scripts/directories are removed:
contrib/fast-import/import-zips.py
contrib/hg-to-git
contrib/svn-fe
A future release of git will likely remove contrib/svn-fe and
git-remote-testsvn¹. The git-remote-testsvn binary is the only noarch
file in the git-svn package. Seeing that its utility is very
questionable, remove it so git-svn can return to a noarch package.
¹ https://public-inbox.org/git/20180817190310.GA5360@sigill.intra.peff.net/
9125e65 ("Use new INSTALL_SYMLINKS setting", 2018-05-30) broke builds
using --without cvs. /usr/libexec/git-core/git-cvsserver became a
symlink instead of hardlink. Adapt the find command used to exclude
'git-cvs*' files to detect symlinks as well.
We want to build all documentation in the %build phase rather than
falling through to the %install phase and building it as a dependency of
install-doc.
The git-contacts script was added to SubmittingPatches recently. Make
it easier for users who read about it in the documentation to make use
of the command.
The default target in contrib/credential/netrc/Makefile is, and has
always been, test. Running 'make -C contrib/credential/netrc/' in
%build is not needed.
Additionally, the tests recently were changed and require perl-Git to be
installed before running. The tests also exit cleanly regardless of any
failures encountered, which makes them unreliable. A fix for these
issues will be submitted upstream, but rather than apply it here, simply
drop the unneeded 'make' call.
Ideally, the tests will be run in %check once fixed. This does present
a small wrinkle due to the deletion of contrib/credential in %install.
Cross that bridge when we get there. :)
Replace NO_CROSS_DIRECTORY_HARDLINKS and NO_INSTALL_HARDLINKS with
INSTALL_SYMLINKS. The result is slightly improved; all symlinks will
point directly to the target rather than via multiple levels of
symlinks.
The rationale was covered in slightly more detail in d56cfc6 ("Use
symlinks instead of hardlinks for installed binaries", 2018-03-15).
Adjust the dangling-relative-symlink filter in the rpmlint config for
the new target of the git-difftool symlink.
The USE_LIBPCRE setting now defaults to pcre2; use it. It's still
valid to set USE_LIBPCRE2, but using the default should be cleaner in
the long-run.
The (long-unmaintained) emacs support has been dropped upstream in favor
of better alternatives. From the upstream commit¹:
The git-blame.el mode has been superseded by Emacs's own
vc-annotate (invoked by C-x v g). Users of the git.el mode are now
much better off using either Magit or the Git backend for Emacs's own
VC mode.
These modes were added over 10 years ago when Emacs's own Git support
was much less mature, and there weren't other mature modes in the wild
or shipped with Emacs itself.
These days these modes have few if any users, and users of git aren't
well served by us shipping these (some OS's install them alongside git
by default, which is confusing and leads users astray).
¹ 6d5ed4836d ("git{,-blame}.el: remove old bitrotting Emacs code", 2018-04-11)
https://git.kernel.org/pub/scm/git/git.git/commit/?id=6d5ed4836d
Also drop DESTDIR and INSTALL from config.mak; they are both handled via
%make_install.
Remove the rpmlint filter for %buildroot usage which was only needed due
to DESTDIR's use in config.mak.
Specifically, t5512-ls-remote.sh has a test which starts a jgit daemon.
This has failed to exit on a number of occasions, only on s390x. We
could disable just that test with "GIT_SKIP_TESTS=t5512.28", but the
test number can and does change as more ls-remote tests are added.
Dropping the jgit BuildRequires is cleaner and only causes 3 tests to be
skipped, the offending t5512 test and two others in t5310-pack-bitmaps.
Access to s390x might help better debug this, but it does not occur
consistently and may be limited to koji. The issue could be a problem
in jgit as well. While looking at a hung build, Kevin Fenzi found a few
errors in t5512-ls-remote.out:
/usr/bin/build-classpath: Could not find xz-java Java extension for this JVM
/usr/bin/build-classpath: error: Some specified jars were not found
Unfortunately, it appears we need to carry this patch longer than
expected. Return to using %autosetup so other patches are easier to
manage. Use %apply_patch to manually apply the zlib patch only on
aarch64, as that is the only arch where it is required at this time.
A recent zlib build with optimization for ARM exposed an issue in git's
packfile handling.
Thanks to Pavel Cahyna for the initial report and debugging and Jeremy
Linton for further diagnosis and the subsequent patch.
The patch is currently being discussed upstream¹. Until it is accepted,
apply it only on aarch64 to avoid any unexpected issues with other
arches.
¹ https://public-inbox.org/git/20180525231713.23047-1-lintonrjeremy@gmail.com/T/#u
Fixes two security issues, described in the 2.13.7 release notes¹:
* Submodule "names" come from the untrusted .gitmodules file, but we
blindly append them to $GIT_DIR/modules to create our on-disk repo
paths. This means you can do bad things by putting "../" into the
name. We now enforce some rules for submodule names which will cause
Git to ignore these malicious names (CVE-2018-11235).
Credit for finding this vulnerability and the proof of concept from
which the test script was adapted goes to Etienne Stalmans.
* It was possible to trick the code that sanity-checks paths on NTFS
into reading random piece of memory (CVE-2018-11233).
¹ https://mirrors.edge.kernel.org/pub/software/scm/git/docs/RelNotes/2.13.7.txt
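
An added example, not part of the commit messages above or of the git
project's code: a simplified Python check of .gitmodules content for the
two problems described in these release notes and in the CVE-2018-17456
announcement earlier on this page, a submodule name containing a "../"
component and a URL that begins with a dash. The parser covers only the
basic .gitmodules syntax, and the function names and sample values are
assumptions made for illustration.

```python
import re

# Simplified reader for the subset of git-config syntax used by .gitmodules.
SECTION = re.compile(r'^\[submodule\s+"((?:[^"\\]|\\.)*)"\]\s*$')
KEYVAL = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$')


def parse_gitmodules(text):
    """Return {submodule_name: {key: value}} from .gitmodules content."""
    modules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION.match(line)
        if m:
            name = re.sub(r"\\(.)", r"\1", m.group(1))  # undo \" and \\
            current = modules.setdefault(name, {})
            continue
        if line.startswith("["):
            current = None  # some other section; ignore its keys
            continue
        m = KEYVAL.match(line)
        if m and current is not None:
            value = m.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            current[m.group(1).lower()] = value
    return modules


def name_escapes_modules_dir(name):
    """True if the name is empty or has a '..' path component."""
    return not name or ".." in re.split(r"[/\\]", name)


def audit_gitmodules(text):
    """Return sorted (submodule, problem) pairs for suspicious entries."""
    findings = []
    for name, keys in parse_gitmodules(text).items():
        if name_escapes_modules_dir(name):
            findings.append((name, "name contains '..' component"))
        if keys.get("url", "").startswith("-"):
            findings.append((name, "url begins with a dash"))
    return sorted(findings)


# Constructed sample; the values are placeholders, not from a real repository.
SAMPLE = '''\
[submodule "libfoo"]
    path = vendor/libfoo
    url = https://example.com/libfoo.git
[submodule "../../outside"]
    path = vendor/bar
    url = https://example.com/bar.git
[submodule "baz"]
    path = vendor/baz
    url = -placeholder-option
'''

if __name__ == "__main__":
    for name, problem in audit_gitmodules(SAMPLE):
        print(f"{name}: {problem}")
```
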
The unknown, but temporary, breakage in fedora-28-x86_64 buildroots
appears to be resolved.
The test was disabled in a998227 ("Disable t5000-tar-tree.sh on x86 in
f28", 2018-01-18).
The spec file is a bit easier to read with as few conditional blocks as
required. Use %bcond_(with|without) to allow easier toggling of the
link checking.
Using stderr rather than syslog should be a mild improvement with the
systemd journal. The reasons are detailed in the upstream commit
0c591cacba ("daemon: add --log-destination=(stderr|syslog|none)",
2018-02-04)¹:
The combination of --inetd with --log-destination=stderr is useful, for
instance, when running `git daemon` as an instanced systemd service
(with associated socket unit). In this case, log messages sent via
syslog are received by the journal daemon, but run the risk of being
processed at a time when the `git daemon` process has already exited
(especially if the process was very short-lived, e.g. due to client
error), so that the journal daemon can no longer read its cgroup and
attach the message to the correct systemd unit (see systemd/systemd#2913
[1]). Logging to stderr instead can solve this problem, because systemd
can connect stderr directly to the journal daemon, which then already
knows which unit is associated with this stream.
[1]: https://github.com/systemd/systemd/issues/2913
While here, wrap the git-daemon command line to improve readability.
¹ https://github.com/git/git/commit/0c591cacba
Move all Requires to their own lines for better readability.
We can safely drop the 'perl(Git)' requires from the cvs and email
packages because the perl rpm dependency generator already adds it.
We can also drop 'perl-Git = %{version}-%{release}' from the email
package because it requires 'git = %{version}-%{release}' which in turn
requires the matching 'perl-Git' package.
Git tries very hard to rely on as few non-core modules as possible. The
few that it does (currently Error and Mail::Address) are bundled. We've
disabled such bundling since it became an option in 2.17.0.
Go a step further and remove the Git::LoadCPAN wrapper. This allows
rpm's automatic dependency generator to find and add the needed
requirements.
With this change we can remove the manual 'Requires:' for perl(Error)
and perl(Mail::Address).
'Requires: perl(Error)' in the main git package has been unneeded for
many years. It was added in edddb83 ("Update to latest upstream
release. Fix some bugs at the same time", 2007-11-27), which was
git-1.5.3.6. It was needed for 'git svn' and 'git remote'. 'git svn'
requires perl(Git), which in turn requires perl(Error).
In git-1.5.5, 'git remote' was converted to a builtin command in C
rather than perl, removing the perl(Error) dependency.
Lastly, move the 'BuildRequires: perl(Error)' from perl-Git to the main
list of BuildRequires.
The bare p4 entry was a bit concerning; it's easy to imagine false
positives from such a short string. Remove git-remote-(bzr|hg) from the
pattern. The scripts and placeholders were removed in git-2.0.0.
While here, group all the git-* patterns and be more explicit with the
svn files.
Python 2 end of life is approaching, prepare for dropping it
along with all python2 scripts and subpackages requiring it.
Helped-by: Sebastian Kisela <skisela@redhat.com>
Helped-by: Pavel Cahyna <pcahyna@redhat.com>
The previous commit disabled the cvs subpackage on EL > 7. Convert to
the %bcond_with(out) macro to allow the subpackage to be toggled easily
via a --with/--without option at build time.
When setting NO_PERL_CPAN_FALLBACKS to avoid bundled perl modules, we
must take care to ensure the dependencies are required. The code which
handles modules via Git::LoadCPAN prevents the normal perl dependency
generator from identifying them. Thankfully, there should not be many
modules loaded this way.
Prior to 2.17.0 and NO_PERL_CPAN_FALLBACKS we were falling back to not
using Mail::Address, which is partly why the lack of the dependency
wasn't spotted with rpmdiff with and without NO_PERL_CPAN_FALLBACKS.
Using a simple glob in contrib/hooks/* to match contributed hook scripts
was valid when it was added in 762cf11 ("Update to git-1.6.3.3 - Move
contributed hooks to %{_datadir}/git-core/contrib/hooks (bug 500137)",
2009-06-28). With the addition of the multimail directory in git-1.8.4
it was no longer doing what was intended.
However, the scripts in contrib/hooks all ship with the execute bit set,
making the "chmod +x" unnecessary. If we did descend into the multimail
directory with a chmod (whether via "chmod -R" or "find | xargs ..."),
we would need to exclude the non-script files within that directory.
Fedora 28 prints a deprecation notice if /usr/bin/python is called in an
rpm build¹, which is done by default when byte-compiling python files
outside of %{_libdir}/pythonX.X.
Avoid the issue by dropping the .py extension from the multimail hook
script. The hook script is not used as a module and therefore has no
need to use the extension or be byte-compiled.
¹ https://fedoraproject.org/wiki/Changes/Avoid_usr_bin_python_in_RPM_Build
Ensure find and xargs are required. While findutils is currently in the
default buildroot, we should still be explicit about the requirement.
Also improve the 'find | xargs' calls to handle files which may contain
spaces, quotes, or other characters which might cause spurious failures.
The gitweb httpd config file was added long before git gained support
for smart http, in c97cf8e ("Add git-daemon and gitweb packages",
2007-08-04).
Now, users who want to enable git's smart http support with apache will
often want to use /etc/httpd/conf.d/git.conf as the path.
Make this easier by giving the gitweb httpd config file a more logical
name going forward. Keep the current config file name in previous
releases.
The perl install process was updated to remove the need for
ExtUtils::MakeMaker. The main change for us is setting perllibdir to
keep the files installed in %{perl_vendorlib}.
Manpages for non-public portions of the Git perl modules are no longer
built. Anyone who wishes to make use of these modules can read the
source files or use pod2man.
Set NO_PERL_CPAN_FALLBACKS to ensure we don't package the bundled
fallback modules.
Also drop now-unneeded commands to remove *.bs, .packlist, and
perllocal.pod files. The new install method does not produce these
artifacts.
A recent discussion on the git list¹ suggested that using symlinks
should be clearer and have no drawbacks (except on filesystems where
symlinks are not well supported, e.g. on Windows).
This shrinks the git-core package by nearly 25% and saves almost 6MB in
the debuginfo package.
See also 6ef5f1f ("Disable cross-directory hardlinks", 2017-11-10).
¹ https://public-inbox.org/git/87y3iwp2z0.fsf@evledraar.gmail.com/#t
Ensure all binaries are hardened when building on EL-6 & EL-7. On EL-7
use the %{_hardened_build} macro. On EL-6 update %{optflags} and set
%{__global_ldflags}.
For EL-7 this could also be put in the existing Fedora and EL >= 7
condition, e.g.: %{!?_hardened_build: %global _hardened_build 1}. I
think this is a bit uglier than needed and is better in an %if condition
which only applied to EL-7.
The guidelines require all required packages to be explicitly listed.
This list may not be complete, but it's a start.
Additionally, a proposed change for Fedora 29 removes gcc from the
default BuildRoot.
While at it, sort a few BuildRequires in alphabetical order.
The use of %defattr has been unneeded since rpm-4.4. It was removed
from the guidelines 6 years ago¹. It was kept to allow builds on EL-5,
which has been EOL since March of last year.
¹ https://pagure.io/packaging-committee/issue/77
%defattr is no longer needed in Fedora