.git.metadata

@@ -1,2 +1,2 @@
-996c0be58e901deb4ef9d0145e7bf98cdf6a0fb3 SOURCES/git-2.27.0.tar.xz
+7577a22e233e892dba5cf19a3a57cef2062d01e6 SOURCES/git-2.43.5.tar.sign
-097b8da13939ac9f51f97a5659184c1d96fb0973 SOURCES/gpgkey-junio.asc
+31decef72034ae36c8098a9e6bb13a7dd4859fd9 SOURCES/git-2.43.5.tar.xz

.gitignore

@@ -1,2 +1,2 @@
-SOURCES/git-2.27.0.tar.xz
+SOURCES/git-2.43.5.tar.sign
-SOURCES/gpgkey-junio.asc
+SOURCES/git-2.43.5.tar.xz

SOURCES/0001-t-lib-httpd-try-harder-to-find-a-port-for-apache.patch

@@ -0,0 +1,73 @@
+From aedeaaf788bd8a7fc5a1887196b6f6d8a5c31362 Mon Sep 17 00:00:00 2001
+From: Todd Zullinger <tmz@pobox.com>
+Date: Sun, 21 Aug 2022 13:49:57 -0400
+Subject: [PATCH] t/lib-httpd: try harder to find a port for apache
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When running multiple builds concurrently, tests which run daemons, like
+apache httpd, sometimes conflict with each other, leading to spurious
+failures:
+
+    ++ /usr/sbin/httpd -d '/tmp/git-t.ck9I/trash directory.t9118-git-svn-funky-branch-names/httpd' \
+       -f /builddir/build/BUILD/git-2.37.2/t/lib-httpd/apache.conf -DDAV -DSVN -c 'Listen 127.0.0.1:9118' \
+       -k start
+    (98)Address already in use: AH00072: make_sock: could not bind to address 127.0.0.1:9118
+    no listening sockets available, shutting down
+    AH00015: Unable to open logs
+    ++ test 1 -ne 0
+
+Try a bit harder to find an open port to use to avoid these intermittent
+failures.  If we fail to start httpd, increment the port number and try
+again.  By default, we make 3 attempts.  This may be overridden by
+setting GIT_TEST_START_HTTPD_TRIES to a different value.
+
+Helped-by: Ondřej Pohořelský <opohorel@redhat.com>
+Signed-off-by: Todd Zullinger <tmz@pobox.com>
+---
+ t/lib-httpd.sh | 29 ++++++++++++++++++-----------
+ 1 file changed, 18 insertions(+), 11 deletions(-)
+
+diff --git a/t/lib-httpd.sh b/t/lib-httpd.sh
+index 1f6b9b08d1..9279dcd659 100644
+--- a/t/lib-httpd.sh
++++ b/t/lib-httpd.sh
+@@ -175,19 +175,26 @@ prepare_httpd() {
+ }
+ 
+ start_httpd() {
+-	prepare_httpd >&3 2>&4
+-
+ 	test_atexit stop_httpd
+ 
+-	"$LIB_HTTPD_PATH" -d "$HTTPD_ROOT_PATH" \
+-		-f "$TEST_PATH/apache.conf" $HTTPD_PARA \
+-		-c "Listen 127.0.0.1:$LIB_HTTPD_PORT" -k start \
+-		>&3 2>&4
+-	if test $? -ne 0
+-	then
+-		cat "$HTTPD_ROOT_PATH"/error.log >&4 2>/dev/null
+-		test_skip_or_die GIT_TEST_HTTPD "web server setup failed"
+-	fi
++	i=0
++	while test $i -lt ${GIT_TEST_START_HTTPD_TRIES:-3}
++	do
++		i=$(($i + 1))
++		prepare_httpd >&3 2>&4
++		say >&3 "Starting httpd on port $LIB_HTTPD_PORT"
++		"$LIB_HTTPD_PATH" -d "$HTTPD_ROOT_PATH" \
++			-f "$TEST_PATH/apache.conf" $HTTPD_PARA \
++			-c "Listen 127.0.0.1:$LIB_HTTPD_PORT" -k start \
++			>&3 2>&4
++		test $? -eq 0 && return
++		LIB_HTTPD_PORT=$(($LIB_HTTPD_PORT + 1))
++		export LIB_HTTPD_PORT
++		# clean up modules symlink, prepare_httpd will re-create it
++		rm -f "$HTTPD_ROOT_PATH/modules"
++	done
++	cat "$HTTPD_ROOT_PATH"/error.log >&4 2>/dev/null
++	test_skip_or_die GIT_TEST_HTTPD "web server setup failed"
+ }
+ 
+ stop_httpd() {

SOURCES/0002-t-lib-git-daemon-try-harder-to-find-a-port.patch

@@ -0,0 +1,88 @@
+From 16750d024ce038b019ab2e9ee5639901e445af37 Mon Sep 17 00:00:00 2001
+From: Todd Zullinger <tmz@pobox.com>
+Date: Fri, 26 Aug 2022 18:28:44 -0400
+Subject: [PATCH] t/lib-git-daemon: try harder to find a port
+
+As with the previous commit, try harder to find an open port to avoid
+intermittent failures on busy/shared build systems.
+
+By default, we make 3 attempts.  This may be overridden by setting
+GIT_TEST_START_GIT_DAEMON_TRIES to a different value.
+
+Signed-off-by: Todd Zullinger <tmz@pobox.com>
+---
+ t/lib-git-daemon.sh | 60 ++++++++++++++++++++++++++++-----------------
+ 1 file changed, 37 insertions(+), 23 deletions(-)
+
+diff --git a/t/lib-git-daemon.sh b/t/lib-git-daemon.sh
+index e62569222b..c3e8dda9ff 100644
+--- a/t/lib-git-daemon.sh
++++ b/t/lib-git-daemon.sh
+@@ -51,30 +51,44 @@ start_git_daemon() {
+ 		registered_stop_git_daemon_atexit_handler=AlreadyDone
+ 	fi
+ 
+-	say >&3 "Starting git daemon ..."
+-	mkfifo git_daemon_output
+-	${LIB_GIT_DAEMON_COMMAND:-git daemon} \
+-		--listen=127.0.0.1 --port="$LIB_GIT_DAEMON_PORT" \
+-		--reuseaddr --verbose --pid-file="$GIT_DAEMON_PIDFILE" \
+-		--base-path="$GIT_DAEMON_DOCUMENT_ROOT_PATH" \
+-		"$@" "$GIT_DAEMON_DOCUMENT_ROOT_PATH" \
+-		>&3 2>git_daemon_output &
+-	GIT_DAEMON_PID=$!
+-	{
+-		read -r line <&7
+-		printf "%s\n" "$line" >&4
+-		cat <&7 >&4 &
+-	} 7<git_daemon_output &&
++	i=0
++	while test $i -lt ${GIT_TEST_START_GIT_DAEMON_TRIES:-3}
++	do
++		say >&3 "Starting git daemon on port $LIB_GIT_DAEMON_PORT ..."
++		mkfifo git_daemon_output
++		${LIB_GIT_DAEMON_COMMAND:-git daemon} \
++			--listen=127.0.0.1 --port="$LIB_GIT_DAEMON_PORT" \
++			--reuseaddr --verbose --pid-file="$GIT_DAEMON_PIDFILE" \
++			--base-path="$GIT_DAEMON_DOCUMENT_ROOT_PATH" \
++			"$@" "$GIT_DAEMON_DOCUMENT_ROOT_PATH" \
++			>&3 2>git_daemon_output &
++		GIT_DAEMON_PID=$!
++		{
++			read -r line <&7
++			printf "%s\n" "$line" >&4
++			cat <&7 >&4 &
++		} 7<git_daemon_output &&
+ 
+-	# Check expected output
+-	if test x"$(expr "$line" : "\[[0-9]*\] \(.*\)")" != x"Ready to rumble"
+-	then
+-		kill "$GIT_DAEMON_PID"
+-		wait "$GIT_DAEMON_PID"
+-		unset GIT_DAEMON_PID
+-		test_skip_or_die GIT_TEST_GIT_DAEMON \
+-			"git daemon failed to start"
+-	fi
++		# Check expected output
++		output="$(expr "$line" : "\[[0-9]*\] \(.*\)")"
++		# Return if found
++		test x"$output" = x"Ready to rumble" && return
++		# Increment port for retry if not found
++		LIB_GIT_DAEMON_PORT=$(($LIB_GIT_DAEMON_PORT + 1))
++		export LIB_GIT_DAEMON_PORT
++		GIT_DAEMON_HOST_PORT=127.0.0.1:$LIB_GIT_DAEMON_PORT
++		GIT_DAEMON_URL=git://$GIT_DAEMON_HOST_PORT
++		# unset GIT_DAEMON_PID; remove the fifo & pid file
++		GIT_DAEMON_PID=
++		rm -f git_daemon_output "$GIT_DAEMON_PIDFILE"
++	done
++
++	# Clean up and return failure
++	kill "$GIT_DAEMON_PID"
++	wait "$GIT_DAEMON_PID"
++	unset GIT_DAEMON_PID
++	test_skip_or_die GIT_TEST_GIT_DAEMON \
++		"git daemon failed to start"
+ }
+ 
+ stop_git_daemon() {

SOURCES/0003-t-lib-git-svn-try-harder-to-find-a-port.patch

@@ -0,0 +1,85 @@
+From aa5105dc115b43edc6c9c11714b092583f1221aa Mon Sep 17 00:00:00 2001
+From: Todd Zullinger <tmz@pobox.com>
+Date: Fri, 26 Aug 2022 18:28:44 -0400
+Subject: [PATCH] t/lib-git-svn: try harder to find a port
+
+As with the previous commits, try harder to find an open port to avoid
+intermittent failures on busy/shared build systems.
+
+By default, we make 3 attempts.  This may be overridden by setting
+GIT_TEST_START_SVNSERVE_TRIES to a different value.
+
+Run svnserve in daemon mode and use 'test_atexit' to stop it.  This is
+cleaner than running in the foreground with --listen-once and having to
+manage the PID ourselves.
+
+Signed-off-by: Todd Zullinger <tmz@pobox.com>
+---
+ t/lib-git-svn.sh                    | 34 +++++++++++++++++++++++++----
+ t/t9113-git-svn-dcommit-new-file.sh |  1 -
+ 2 files changed, 30 insertions(+), 5 deletions(-)
+
+diff --git a/t/lib-git-svn.sh b/t/lib-git-svn.sh
+index ea28971e8e..04e660e2ba 100644
+--- a/t/lib-git-svn.sh
++++ b/t/lib-git-svn.sh
+@@ -17,6 +17,7 @@ fi
+ GIT_DIR=$PWD/.git
+ GIT_SVN_DIR=$GIT_DIR/svn/refs/remotes/git-svn
+ SVN_TREE=$GIT_SVN_DIR/svn-tree
++SVNSERVE_PIDFILE="$PWD"/daemon.pid
+ test_set_port SVNSERVE_PORT
+ 
+ svn >/dev/null 2>&1
+@@ -119,10 +120,35 @@ require_svnserve () {
+ }
+ 
+ start_svnserve () {
+-	svnserve --listen-port $SVNSERVE_PORT \
+-		 --root "$rawsvnrepo" \
+-		 --listen-once \
+-		 --listen-host 127.0.0.1 &
++	test_atexit stop_svnserve
++
++	i=0
++	while test $i -lt ${GIT_TEST_START_SVNSERVE_TRIES:-3}
++	do
++		say >&3 "Starting svnserve on port $SVNSERVE_PORT ..."
++		svnserve --listen-port $SVNSERVE_PORT \
++			 --root "$rawsvnrepo" \
++			 --daemon --pid-file="$SVNSERVE_PIDFILE" \
++			 --listen-host 127.0.0.1
++		ret=$?
++		# increment port and retry if unsuccessful
++		if test $ret -ne 0
++		then
++			SVNSERVE_PORT=$(($SVNSERVE_PORT + 1))
++			export SVNSERVE_PORT
++		else
++			break
++		fi
++	done
++}
++
++stop_svnserve () {
++	say >&3 "Stopping svnserve ..."
++	SVNSERVE_PID="$(cat "$SVNSERVE_PIDFILE")"
++	if test -n "$SVNSERVE_PID"
++	then
++		kill "$SVNSERVE_PID" 2>/dev/null
++	fi
+ }
+ 
+ prepare_utf8_locale () {
+diff --git a/t/t9113-git-svn-dcommit-new-file.sh b/t/t9113-git-svn-dcommit-new-file.sh
+index e8479cec7a..5925891f5d 100755
+--- a/t/t9113-git-svn-dcommit-new-file.sh
++++ b/t/t9113-git-svn-dcommit-new-file.sh
+@@ -28,7 +28,6 @@ test_expect_success 'create files in new directory with dcommit' "
+ 	echo hello > git-new-dir/world &&
+ 	git update-index --add git-new-dir/world &&
+ 	git commit -m hello &&
+-	start_svnserve &&
+ 	git svn dcommit
+ 	"
+ 

SOURCES/git-2.43.0-core-crypto-hmac.patch

@@ -1,16 +1,16 @@
-diff -ur a/builtin/receive-pack.c b/builtin/receive-pack.c
+diff -ur b/builtin/receive-pack.c a/builtin/receive-pack.c
---- a/builtin/receive-pack.c	2020-06-01 17:49:27.000000000 +0200
+--- b/builtin/receive-pack.c	2023-11-20 03:07:41.000000000 +0100
-+++ b/builtin/receive-pack.c	2020-06-15 15:28:48.149268576 +0200
++++ a/builtin/receive-pack.c	2023-12-06 15:34:28.294170714 +0100
-@@ -29,6 +29,8 @@
+@@ -40,6 +40,8 @@
- #include "commit-reach.h"
  #include "worktree.h"
  #include "shallow.h"
+ #include "parse-options.h"
 +#include <openssl/hmac.h>	
 +#include <openssl/evp.h>
  
  static const char * const receive_pack_usage[] = {
  	N_("git receive-pack <git-dir>"),
-@@ -419,43 +421,11 @@
+@@ -538,43 +540,11 @@
  	return 0;
  }
  
@@ -56,11 +56,11 @@ diff -ur a/builtin/receive-pack.c b/builtin/receive-pack.c
  }
  
  static char *prepare_push_cert_nonce(const char *path, timestamp_t stamp)
-diff -ur a/Makefile b/Makefile
+diff -ur b/Makefile a/Makefile
---- a/Makefile	2020-06-01 17:49:27.000000000 +0200
+--- b/Makefile	2023-11-20 03:07:41.000000000 +0100
-+++ b/Makefile	2020-06-15 15:00:45.212758547 +0200
++++ a/Makefile	2023-12-06 15:35:08.506316431 +0100
-@@ -1830,6 +1830,8 @@
+@@ -2123,6 +2123,8 @@
- 	BASIC_CFLAGS += -DHAVE_GETDELIM
+ 	EXTLIBS += -lcrypto -lssl
  endif
  
 +EXTLIBS += -lcrypto

SOURCES/git-2.43.0-slow-shallow-clones.patch

@@ -0,0 +1,115 @@
+From 51441e6460b505c07b4a8a6deeaa7de4bf6e8e33 Mon Sep 17 00:00:00 2001
+From: Junio C Hamano <gitster@pobox.com>
+Date: Fri, 3 May 2024 08:34:27 -0700
+Subject: [PATCH] stop using HEAD for attributes in bare repository by default
+
+With 23865355 (attr: read attributes from HEAD when bare repo,
+2023-10-13), we started to use the HEAD tree as the default
+attribute source in a bare repository.  One argument for such a
+behaviour is that it would make things like "git archive" run in
+bare and non-bare repositories for the same commit consistent.
+This changes was merged to Git 2.43 but without an explicit mention
+in its release notes.
+
+It turns out that this change destroys performance of shallowly
+cloning from a bare repository.  As the "server" installations are
+expected to be mostly bare, and "git pack-objects", which is the
+core of driving the other side of "git clone" and "git fetch" wants
+to see if a path is set not to delta with blobs from other paths via
+the attribute system, the change forces the server side to traverse
+the tree of the HEAD commit needlessly to find if each and every
+paths the objects it sends out has the attribute that controls the
+deltification.  Given that (1) most projects do not configure such
+an attribute, and (2) it is dubious for the server side to honor
+such an end-user supplied attribute anyway, this was a poor choice
+of the default.
+
+To mitigate the current situation, let's revert the change that uses
+the tree of HEAD in a bare repository by default as the attribute
+source.  This will help most people who have been happy with the
+behaviour of Git 2.42 and before.
+
+Two things to note:
+
+ * If you are stuck with versions of Git 2.43 or newer, that is
+   older than the release this fix appears in, you can explicitly
+   set the attr.tree configuration variable to point at an empty
+   tree object, i.e.
+
+	$ git config attr.tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904
+
+ * If you like the behaviour we are reverting, you can explicitly
+   set the attr.tree configuration variable to HEAD, i.e.
+
+	$ git config attr.tree HEAD
+
+The right fix for this is to optimize the code paths that allow
+accesses to attributes in tree objects, but that is a much more
+involved change and is left as a longer-term project, outside the
+scope of this "first step" fix.
+
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+---
+ attr.c                  |  7 -------
+ t/t0003-attributes.sh   | 10 ++++++++--
+ t/t5001-archive-attr.sh |  3 ++-
+ 3 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/attr.c b/attr.c
+index e62876dfd3e9be..02ab8436266289 100644
+--- a/attr.c
++++ b/attr.c
+@@ -1213,13 +1213,6 @@ static void compute_default_attr_source(struct object_id *attr_source)
+ 		ignore_bad_attr_tree = 1;
+ 	}
+ 
+-	if (!default_attr_source_tree_object_name &&
+-	    startup_info->have_repository &&
+-	    is_bare_repository()) {
+-		default_attr_source_tree_object_name = "HEAD";
+-		ignore_bad_attr_tree = 1;
+-	}
+-
+ 	if (!default_attr_source_tree_object_name || !is_null_oid(attr_source))
+ 		return;
+ 
+diff --git a/t/t0003-attributes.sh b/t/t0003-attributes.sh
+index aee2298f01331a..5de46ddf67f7ff 100755
+--- a/t/t0003-attributes.sh
++++ b/t/t0003-attributes.sh
+@@ -384,13 +384,19 @@ test_expect_success 'bad attr source defaults to reading .gitattributes file' '
+ 	)
+ '
+ 
+-test_expect_success 'bare repo defaults to reading .gitattributes from HEAD' '
++test_expect_success 'bare repo no longer defaults to reading .gitattributes from HEAD' '
+ 	test_when_finished rm -rf test bare_with_gitattribute &&
+ 	git init test &&
+ 	test_commit -C test gitattributes .gitattributes "f/path test=val" &&
+ 	git clone --bare test bare_with_gitattribute &&
+-	echo "f/path: test: val" >expect &&
++
++	echo "f/path: test: unspecified" >expect &&
+ 	git -C bare_with_gitattribute check-attr test -- f/path >actual &&
++	test_cmp expect actual &&
++
++	echo "f/path: test: val" >expect &&
++	git -C bare_with_gitattribute -c attr.tree=HEAD \
++		check-attr test -- f/path >actual &&
+ 	test_cmp expect actual
+ '
+ 
+diff --git a/t/t5001-archive-attr.sh b/t/t5001-archive-attr.sh
+index eaf959d8f63f15..7310774af5efea 100755
+--- a/t/t5001-archive-attr.sh
++++ b/t/t5001-archive-attr.sh
+@@ -133,7 +133,8 @@ test_expect_success 'git archive vs. bare' '
+ '
+ 
+ test_expect_success 'git archive with worktree attributes, bare' '
+-	(cd bare && git archive --worktree-attributes HEAD) >bare-worktree.tar &&
++	(cd bare &&
++	git -c attr.tree=HEAD archive --worktree-attributes HEAD) >bare-worktree.tar &&
+ 	(mkdir bare-worktree && cd bare-worktree && "$TAR" xf -) <bare-worktree.tar
+ '
+ 

SOURCES/git-2.43.5-sanitize-sideband-channel-messages.patch

@@ -0,0 +1,219 @@
+From 13bb730859857c97f298e9a8c7b68fe00074b3d0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Poho=C5=99elsk=C3=BD?= <opohorel@redhat.com>
+Date: Thu, 3 Apr 2025 14:46:53 +0200
+Subject: [PATCH] Adds the option to sanitize sideband channel messages
+
+CVE-2024-52005 wasn't fixed by upstream. This patch adds the option
+to harden Git against it.
+The default behaviour of Git remains unchanged.
+
+Changes are taken from Git for Windows. The only differences are that
+by default we are allowing all control characters, the documentation
+reflects it and one of the tests has to be invoked with a config
+change: `sideband.allowControlCharacters=color`
+
+These commits can also be seen in this upstream PR:
+https://github.com/gitgitgadget/git/pull/1853
+---
+ Documentation/config.txt            |  2 +
+ Documentation/config/sideband.txt   | 16 ++++++
+ sideband.c                          | 78 ++++++++++++++++++++++++++++-
+ t/t5409-colorize-remote-messages.sh | 30 +++++++++++
+ 4 files changed, 124 insertions(+), 2 deletions(-)
+ create mode 100644 Documentation/config/sideband.txt
+
+diff --git a/Documentation/config.txt b/Documentation/config.txt
+index e3a74dd1c1..5b8bbdee82 100644
+--- a/Documentation/config.txt
++++ b/Documentation/config.txt
+@@ -513,6 +513,8 @@ include::config/sequencer.txt[]
+ 
+ include::config/showbranch.txt[]
+ 
++include::config/sideband.txt[]
++
+ include::config/sparse.txt[]
+ 
+ include::config/splitindex.txt[]
+diff --git a/Documentation/config/sideband.txt b/Documentation/config/sideband.txt
+new file mode 100644
+index 0000000000..1adc831667
+--- /dev/null
++++ b/Documentation/config/sideband.txt
+@@ -0,0 +1,16 @@
++sideband.allowControlCharacters::
++	By default, control characters that are delivered via the sideband
++	are NOT masked. Use this config setting to prevent potentially
++	unwanted ANSI escape sequences from being sent to the terminal:
+++
++--
++	color::
++		Allow ANSI color sequences, line feeds and horizontal tabs,
++		but mask all other control characters.
++	false::
++		Mask all control characters other than line feeds and
++		horizontal tabs.
++	true::
++		Allow all control characters to be sent to the terminal.
++        This is the default.
++--
+\ No newline at end of file
+diff --git a/sideband.c b/sideband.c
+index 266a67342b..316a401a5d 100644
+--- a/sideband.c
++++ b/sideband.c
+@@ -23,6 +23,12 @@ static struct keyword_entry keywords[] = {
+ 	{ "error",	GIT_COLOR_BOLD_RED },
+ };
+ 
++static enum {
++	ALLOW_NO_CONTROL_CHARACTERS = 0,
++	ALLOW_ALL_CONTROL_CHARACTERS = 1,
++	ALLOW_ANSI_COLOR_SEQUENCES = 2
++} allow_control_characters = ALLOW_ALL_CONTROL_CHARACTERS;
++
+ /* Returns a color setting (GIT_COLOR_NEVER, etc). */
+ static int use_sideband_colors(void)
+ {
+@@ -36,6 +42,25 @@ static int use_sideband_colors(void)
+ 	if (use_sideband_colors_cached >= 0)
+ 		return use_sideband_colors_cached;
+ 
++	switch (git_config_get_maybe_bool("sideband.allowcontrolcharacters", &i)) {
++	case 0: /* Boolean value */
++		allow_control_characters = i ? ALLOW_ALL_CONTROL_CHARACTERS :
++			ALLOW_NO_CONTROL_CHARACTERS;
++		break;
++	case -1: /* non-Boolean value */
++		if (git_config_get_string_tmp("sideband.allowcontrolcharacters",
++							&value))
++			; /* huh? `get_maybe_bool()` returned -1 */
++		else if (!strcmp(value, "color"))
++			allow_control_characters = ALLOW_ANSI_COLOR_SEQUENCES;
++		else
++			warning(_("unrecognized value for `sideband."
++					"allowControlCharacters`: '%s'"), value);
++		break;
++	default:
++		break; /* not configured */
++	}
++
+ 	if (!git_config_get_string(key, &value)) {
+ 		use_sideband_colors_cached = git_config_colorbool(key, value);
+ 	} else if (!git_config_get_string("color.ui", &value)) {
+@@ -64,6 +89,55 @@ void list_config_color_sideband_slots(struct string_list *list, const char *pref
+ 		list_config_item(list, prefix, keywords[i].keyword);
+ }
+ 
++static int handle_ansi_color_sequence(struct strbuf *dest, const char *src, int n)
++{
++	int i;
++
++	/*
++	 * Valid ANSI color sequences are of the form
++	 *
++	 * ESC [ [<n> [; <n>]*] m
++	 */
++
++	if (allow_control_characters != ALLOW_ANSI_COLOR_SEQUENCES ||
++	    n < 3 || src[0] != '\x1b' || src[1] != '[')
++		return 0;
++
++	for (i = 2; i < n; i++) {
++		if (src[i] == 'm') {
++			strbuf_add(dest, src, i + 1);
++			return i;
++		}
++		if (!isdigit(src[i]) && src[i] != ';')
++			break;
++	}
++
++	return 0;
++}
++
++static void strbuf_add_sanitized(struct strbuf *dest, const char *src, int n)
++{
++	int i;
++
++	if (allow_control_characters == ALLOW_ALL_CONTROL_CHARACTERS) {
++			strbuf_add(dest, src, n);
++			return;
++		}
++	
++	strbuf_grow(dest, n);
++	for (; n && *src; src++, n--) {
++		if (!iscntrl(*src) || *src == '\t' || *src == '\n')
++			strbuf_addch(dest, *src);
++		else if ((i = handle_ansi_color_sequence(dest, src, n))) {
++				src += i;
++				n -= i;
++		} else {
++			strbuf_addch(dest, '^');
++			strbuf_addch(dest, 0x40 + *src);
++		}
++	}
++}
++
+ /*
+  * Optionally highlight one keyword in remote output if it appears at the start
+  * of the line. This should be called for a single line only, which is
+@@ -79,7 +153,7 @@ static void maybe_colorize_sideband(struct strbuf *dest, const char *src, int n)
+ 	int i;
+ 
+ 	if (!want_color_stderr(use_sideband_colors())) {
+-		strbuf_add(dest, src, n);
++		strbuf_add_sanitized(dest, src, n);
+ 		return;
+ 	}
+ 
+@@ -112,7 +186,7 @@ static void maybe_colorize_sideband(struct strbuf *dest, const char *src, int n)
+ 		}
+ 	}
+ 
+-	strbuf_add(dest, src, n);
++	strbuf_add_sanitized(dest, src, n);
+ }
+ 
+ 
+diff --git a/t/t5409-colorize-remote-messages.sh b/t/t5409-colorize-remote-messages.sh
+index fa5de4500a..3b5ff00363 100755
+--- a/t/t5409-colorize-remote-messages.sh
++++ b/t/t5409-colorize-remote-messages.sh
+@@ -98,4 +98,34 @@ test_expect_success 'fallback to color.ui' '
+ 	grep "<BOLD;RED>error<RESET>: error" decoded
+ '
+ 
++test_expect_success 'disallow (color) control sequences in sideband' '
++	write_script .git/color-me-surprised <<-\EOF &&
++	printf "error: Have you \\033[31mread\\033[m this?\\a\\n" >&2
++	exec "$@"
++	EOF
++	test_config_global uploadPack.packObjectshook ./color-me-surprised &&
++	test_commit need-at-least-one-commit &&
++	git -c sideband.allowControlCharacters=color \
++		clone --no-local . throw-away 2>stderr &&
++	test_decode_color <stderr >decoded &&
++	test_grep RED decoded &&
++	test_grep "\\^G" stderr &&
++	tr -dc "\\007" <stderr >actual &&
++	test_must_be_empty actual &&
++
++	rm -rf throw-away &&
++	git -c sideband.allowControlCharacters=false \
++		clone --no-local . throw-away 2>stderr &&
++	test_decode_color <stderr >decoded &&
++	test_grep ! RED decoded &&
++	test_grep "\\^G" stderr &&
++
++	rm -rf throw-away &&
++	git -c sideband.allowControlCharacters clone --no-local . throw-away 2>stderr &&
++	test_decode_color <stderr >decoded &&
++	test_grep RED decoded &&
++	tr -dc "\\007" <stderr >actual &&
++	test_file_not_empty actual
++'
++
+ test_done
+-- 
+2.49.0
+

SOURCES/gpgkey-junio.asc

@@ -0,0 +1,144 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBE6GdewBEADE3szNmKeUAUad22z1tWkLjLzyDcJpF7IzEnLs8bD1y0I6iqH0
+169ru5iXKn29wc+YAuxWorb4P5a2i2B/vs32hJy/rXE7dpvsAqlHLSGSDUJXiFzM
+Bb9SfJO0EY2r+vqzeQgSUmhp/b4dAXVnMATFM37V83H/mq8REl5Wwb2rxP3pcv6W
+F6i51+tPEWIUgo1N74QkR4wdLcPztDO9v7ZIaFKl+2GEGkx6Z+YjECTqQuyushjq
+41K3UVmv+AmLhJYKA78HY5KqCkXrz8rCgoi+Ih+ZT2sgjx637yT84Dr/QDh7BkIB
+blmpRQ+yoJlVDWI5/bI8rcdrPz+NmxaJ7dKEBg0qTclbwquacpwG1DCCD8NgQrwL
+WVLGVdsT2qwek+KkmOs+iNBXY1TgKPAeuv0ZDKKYrCwYpN1K90oXk431g79bKsH5
+8Tybg5uW+e2i+H5gnDeyl481HOt8aHOPu9qIB/zIek6lDH69q3nGcf7k3prxDf3I
+qYy6CPcpjTfpN4i/7gxQDNI+AIgbs21EE5Kg1TPUe0XgfdJMtIF+D6wTjbrLtDnn
+09Iwz0SfIZR52IrZHxUlFXZFjk10RXYATtdMqEFgYgjYvYXxL9EEr7T5Dgso+qaE
+wV0rrg0VDKrf/afrjGOeffumlhBhJnBnns1T+p65Vz5hyQl7SFKLw+Ix7wARAQAB
+tCJKdW5pbyBDIEhhbWFubyA8Z2l0c3RlckBwb2JveC5jb20+iQI7BBMBAgAlAhsD
+BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCToZ45QIZAQAKCRAg0E5acTZgp1TF
+EACr+QRpfDmbGnUY1Rqy50Ap1eG0061vAapCMLmU+4kxqIRKm5/00YGmb7VxRCLD
+pKNa0hkH+ftA4QmnPU4j4UEsh/vAa2BGCXRjB9RixTokvQf9iOXUGiHYv1kn+p3l
+xg66bLnKV3dWScjV2IueDP4ypLEZHlWD9I/Unmrg2mJEAcz4gSAfBHWLOf/+JYAq
+6j6erIxPS5ZtIz/twQf6MCoXXAXuM6tgUhdptJqG82WzSZMuWOfzmS6DSTuqK05h
+9gpwdj5nz4jdh4u5sp+LKOqFw94JIRcE+wj5cljOOlX3Fqi84ADC8b/OzC3V9KGa
+rNnBzWdnkIoNxbNBNF6wD1dgn1peueufaP9q5CO9ljKNSOGUClwvtJFrpZZL5Phe
+NNFFkPSZpkmStcB6s8RHsyz5zuqxQUOWuvLVUDRW58yZR0WC1Xc/yi+cEFSUiKI5
+OqPNwC1v0xh7a/MObJQxTQCEKHLyVYlnohsf2RxzxaOOjgWmY2O+yH5G5ymfBie/
+Uw7zcSsJ89ovLAEG/10tkJVqIfza5Wexj3VAZbI+i7vx2gtlLqM23gGykqcv7VWm
+FD5lFWGC4Sw8M7Jikm8vn99dxZnsBKjMqksjENUX1JeUZI+FHg2CNSVBX0J8yLnm
+d8eJBkYXkU79J3GVex/WTzbFnSkPmw16MtAu/E9EKNbAILQgSnVuaW8gQyBIYW1h
+bm8gPGp1bmlvQHBvYm94LmNvbT6JAjgEEwECACIFAk6GeL4CGwMGCwkIBwMCBhUI
+AgkKCwQWAgMBAh4BAheAAAoJECDQTlpxNmCn6GMQAJ0V0jmyQ7Lvi5FBBgNTdY8q
+fVbLFxEUVAsKf2x9QxhsOcL2heQRVkp10JKv4/VQLfDwr6Pv98FQchXlBmFiySAb
+VihUVC+VJ3FhyKBtI14RXT6Nkwd18PXDvWXy2fKeiK9GPDWkufac0h/giz0T1xP7
+CHxDErQATMmYbkinyyM+xd1Nir6DUYcHJQIK2Dg2VPChkI0XXCQETLDbrC9fDwWg
+1vP36PQZ+nw/cIRt+2xkq8HHUzB7kOnXHqPt1kb/Ry8hZwPnfV7g/V0MogoMLtz2
+33pqwuguLXP7zY3jTwAZZ9VTpuCTsdVWXJDlznMNurYi1yurCNuUvq/O/9JC8WBt
+dVUuvFZGjRZWfP24W57iq/qz8CV6dThq5r4WygE83tMC3DaarNJ4f9dQUA4KpL7j
+2EMXkgoXcEy1mieUCypdNiZj96hV8Q7apSLk2V4jtvLkJfzX053glqRJI35SX8Ok
+SazZGYZHX6QfZlvznnrCF5x/xBzhbfr2Geo4rxL0BQsp2DQodqUCB23QzsPhWWff
+YtkATaD5vovGeQ9Acd1u72jH3DO8tVMH85jMO4f+oc0h3lnkPS4F33QqlnErRo/I
+Rm6jCsI/NgMZUYdh0EY5Iiq/e8e+u8gdo0akkwHlNvR4KrYrK/1K4h+i+UBIbJDZ
+pqT/iH+yhJRQ3CAan8KStB9KdW5pbyBDIEhhbWFubyA8amNoQGdvb2dsZS5jb20+
+iQI4BBMBAgAiBQJOhnjVAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAg
+0E5acTZgp4SyD/9slQ1IkYqz+VXPnmHCQFhurYcHD8t1iGBqiXxI+gpA1Y3L1QL+
+aj0fplW4KuEPbJ7xlYdLA4J+M9kgkwt3Jufw+lM1pQM9tSB627rAbxUyczj4AFjZ
+9v8GpqyZ3XPDe8NknI/V4Xlhsr+e3AHJPr355XacMkFGc3Rtw1quFVgrECttdzUD
+6xtrhwYYVAYAnKr65943UtMLsVXkJLfjq8c1NZOCov9SwSb0N9IkEhSyihd/92Z2
+NH4d+B1QTIyWagL3GNN8LXXEHK+x+oA/nbhGbFg7bqhxUW4d2JaxKPy4U3nfdtSm
+Mbiy16eUfMbbMyvB0jtLf6UFrxF5bJnYkiG18DcLSaX7Hsby8IVzZQZHYvkx5+7p
+K2SBsdek3bu3punP3dWLJoMw+Vmm5Bk0Yl7pxzvsYQWhPV7+tpgglUSFQuIeXFrw
+jVXP8Q+Ph9nO0vKIaeTcn1ISuq2XaoqhkLH+Zw1I/ruRtk2DJbZsg5BBGfA26BkZ
+WJXlO6h33emPwkJ0FanlzRtMTqZ/4RiTXv5G1L/lypX1iq6fF2V+WTh2JmEKyY+2
+l0/19XRANfaDiYULoBvJEdCcIXLbaRTqjem+70ZGvAiCaGO52YvUhBo+XCgjucjc
+qhxiF3wc24kzj1ZycrwbDa7VjftZAApN01CJ38mXGpZXiWZU4hjJx41wCbkCDQRO
+iUo5ARAA8l5PToapmK0IHBpY5ohie53ZczLV5ojWKZXNsmVYNuSBBKpwC6VH2X85
+9dVd59HigAYsS1TbDCUNGC1bM0thJ9Y92fa1WnlEqyYQZDmJ4rt283DT2Gmrkng6
+XPjvr8PZeHKtvw7uLywfdm4x0WrGrH34g17BL82u/7k0JUOgJoPulIkO9Mls35UJ
+SY/Zwk1EdkM4hHKmqJFIiW/DlPYh0Tj5x9Sukk0ATH/R/QdtpjvwJJZyph6gMhbi
+YB+G+nR/WZy9vB+bFwPPaa0EudADoIZ9LkQzU/55KqNnKH9dPqPVWEOBZVZvPqiR
+iyRuffMIJ0t9mtvc/jruS1qiTZdJoy2vl6K4Uqc+huvlHeCCYR0lGCeDB+Ixuz9x
+d2ZdUxMgwgcNiQOCW70YWtxf0LF2seSJdLItHDBOu/f3cqKwNGUvcC3d/9qVb0wP
+SI1mq18S02MGcvDySsjGtX7o4kujUqE2ZNCW6ORLJUC6zEYu3TRNWrXeS3uAP21x
+UrEPkuTiJL7SCS12FYJt5agx5NIUKI7bkIUbLbiuhC4z47MFajW9Y5jUQk86dk7b
+jGqVrXYIu92Dhxc2CND2fWaMpYRhwvHR6KQU1yYHYkGVlMHiozM5D+4dCRRVI8x3
+p/+ypFBZmZr7yTpv/qD0N8HHl2NAYvGRQdzjyFQOXERwaXuzjCkAEQEAAYkEWwQY
+AQoAJgIbAhYhBJbgevJXcZVZgNrRACDQTlpxNmCnBQJeHMcfBQkenRjmAinBXSAE
+GQECAAYFAk6JSjkACgkQsLXohpav5sukpRAAywCaKmo0HH77yNkqormnKtRBrz8j
+tx68e//pq/AyCrghKUh91iLGYji3/E1qQe7p7Ne7WAn3uFZs22zrNKIDGxtMMCQT
+C0Ne4BAvMh1NzwzzBCCyirs1ccLj5gKkoFkKfTo5U5NWNznYPM8uib1uY5vdRqIJ
+2vJ7JJykNdcW5od42TtWsOxH2zTp4SRNmX8QPaRbfOxPdlKsbp0eIO6kk+Lx6gEv
+WAtEda5xSd1PwyK7SfGadTm+8Rw5UeP1kRtuKQPm7sRBB0coXDVHpFi/nMWHzVxv
+/NKhLAkzIbGOV6rL8ihVhXGqEgiD5Q+QdbaNsiLtHo5niBzpbnzvSopBYcOftrhc
+PNDY0RYXYb/5JZUid/JBWKwV+zREEnbgtsYDbwFEDnCVIGyXAoxyas/S3b14izat
+qgINxiYuxpDY+w1O5RywjOTdLPUWlL5YhH1W/gwbdyGiL4sh0v/fzNy0vKR5zPt1
+hICEA9YvCI7k3b74O6eiDB5fMIRPkNr6ubZWe0T6x4eL2EjSFRXIEmbmnAh93pdp
+WFrXH+Sf1LKhBZzojgUsQU/rzB2R94S7Vx0Z+tzgDZ8fJe47ZUEfzJccyyGve/QA
+sLLgTWRwRP3MSa1rC4wuWtDDMk/drw9CpmeFeRFn0oDIBo/m2mBv+UNAxSdijREz
+vPRiwROma/RawVcJECDQTlpxNmCnTLQP/A1WNmgPCCyFqp812Zvgh0pAqceaM+dg
+FlvNi5j5Jyw7/hicx2e0BXgKt64TEodphknCFzZIFDq3jJSdLt1l9NHpiLVM0Hf0
+cLFGF3eRHOID7PeGJGztLJ0CGhhSXaPh7nNLK0G9zXCAasedpowX4ZUntv+p/+Fr
+jQ8eSgyyljvrlywK+tH07F1W6t6eMNOw7/AHx7fkOux4CDem1FsNbhZWX8YPUATo
+vP1YLBXcrQgpJPpypG6up56D70ewTs4l+qNOISr3phG2egeEhYNwv6GUv8aelh69
+iaUHscT+DOXrFKq+RSHBMzGFFTrDJFDSu3d3A5Rg8KxJMcOxc00L3GMPchrFiJH7
+QShAQdU/ocF0MAA6n56g/QynxafFI/MRMXVTmF+lMBW/kK63pD3AJkIgvdLdht5o
+s7aKlddPrmIulaELIDdF2MSicMmgWJcqFkqZH2HIC+gx26Fafn2vfiUqsEc4NTpZ
+qhf66F9UjPKfYFfLhbGrmq/giAk1qjiGnBzCUQ9hXVqpmFfnVDjmQrk8KB9skDms
+PJgZ4hzmj5AarCpFtDmE4W7Tvi/xqgrFZkPX/SDhTWInJGcWaOTvlc5dkjAxKT6X
+LUGLScJHxhaovTGVzq1GWhhNCFhCs4AkWqPKhYfeZuWiuiMLZaEyJPfTufT7Svab
+pOhlaD1YY8fvuQINBE6GdewBEADxm56jO5pnVRH13BsG38o1qD9mJppXhf0mb6dB
+ORP1b3YJNaknQtxVPXSlXNAYNStYs9bWwn+RrYmOEfy0MWekqOBqgHDEf50ktZaz
+hFd89dt58IA+WIFo7BFk1XIr4USdSEQeL7Pb4oSg5AYn8C3OlT7T3nxWBh9aEbat
+EfiUMFKikLVVLdbEL7FBzEkypHfQCslDlq+ggAAVBzqrMIBn/idto87UrF2x/qd2
+P2PJl9pUf744pL9yzX+cNbQld0Yf6gQW9/r0UUW/CCU4qpPDvycyGIx3Y7PV/MjA
+lre4qJv4khoSFasAAjDXzyUIYhw7yMmaAE/lEOVN7M6reYDvhaDCcWfEn8sjH03/
+Wa92vVx7boMx5RAEh8YE2KZHEZkAODlW4pnDKyaH38lj8pa0dh77RXAD6X1XPGwi
+zpmjfrBBPGvUNGsdIpJaY4KEaZ0+v3bhvfU0DWB4dmJB3aPxC6CFtVA0QBGcbw16
+jUeA+2LUJgWMs86npHaPzD99J4Q+Smw9mZPfyT5O5yymYXOwIp50aUjkGCQcHtt7
+jisNkU52bFD2JcQJr8o67JIcqFNdhPAnxC+BN0QDtCyXT+wxC1Uvh9E//r3JPEQD
+REfEUb3l+3Sarz1KCm3LUhx1XE82Z6c96tHopUfiOiwbtxv+8UypXT2ntKfprz1U
+dMb5jwARAQABiQIfBBgBAgAJBQJOhnXsAhsMAAoJECDQTlpxNmCnFKYP/j6dmEQW
+ZliWE8le9Qzh1WqTbHd5elaGJuW0KGQ+g9okWBkh+sLlPxxTk2f0b79Pc7K3OPy7
+89OcIsrbHD3jDp7TS9IVpX7kVZnvnts5oV3XcK5q84XDEQqa6UIlfiZkZJCzIX8N
+kSAbv0UmmKKLKS+ANIEIZBKBrWxpYwvG2wBoWPkpNv5mdEuR9h3pZ1aCSZRXysMl
+WXo5cMYuZUhabrOqTNP5efEm8iBREHzNSotsiOhHuu7OIPmvZJTUjMrR1wZMCw+Y
+uNO2kT3t+ZFTxCx2aeRzqnI55LYFQVBpgSsap/seqRZfj7j7SBb2bSbCuhNedbAw
+b3kDWSfJGy/IN6vPdsc3NdsYFK+X8cnypCu4pZDK2IU+CkVrq/ukR8TNdrpAYfEY
+XbLq0XFOT0s4jIcjf3dAtlGW36hA0AKPw1BL3cyEGfv2sq75gkw1/jIYMXGc8URJ
+y5AfgELIrO1dIjMsm6vFFLeHpAobEP87UEpqIyJtwEIfWdcV5YHYmlFkGd21Lnxp
+f2dBAh5dc4MJpYmFZGScSDtTcYCDEXICTgedVOt4WCaV5mwpPeSEzr2TOVm6d1nU
+lGBJCV6QPMEdyx03hRkwaTMth0D/SYCvUrjlGQ1VC4WuTveSBhTH7iDrjGSoXNJu
+P2Oq+jb/iAfZxuetjpKFD6TCMR0Bcs/cEZuXuQINBFQduiABEACYnNg+kGmtkPmt
+kQ/75P8lLsljMk9IIwXGmnFILLpHBM/tN+7wGDxODLY/pPZ2Qfmp7PZLr5Ok5Qnt
+v/g+YCtVaTu5Cajt2TOsyH+AYDqtrjjHIt8d2kVloq79ONsCUojFtbFD1nf5W9Sk
+WQgntHYRYY1MaCkNd3oUp74TQugzk8Q6UBDamAn1r4nfm6QNXstItqyWsCgQhixW
+Qi4WzQc4iA/83t+qUJ+32smjk6J+rGUbbEH8zTASXmcDWYBuPgjo3YEjV+3/qNar
+zncYneJfQXwFSgvcR9oUuBQ3ydWJd7sfiImuAnQdRfEC/JFb0iR9sJ395Pw5WQfM
+Esrp0uL/Uig52mSrFyIfanxhrJP4j+CyCcJp1TaFINag5/YwHX3GzoikwXUukb+h
+KxXxK9Vu8Eu2gAlKFaHt2x5Sc3D1d+nr2QyMkIThC6/d3+XUjgOIMWkCK5dgkuz6
+rs60cRQr8YBGf4Jgk/Xrkk/SjBjBlcTz9lrC06wBRCsa+0XxCAHlM7gVp0HvMn+h
+Kx9ny7dPqaqhg8WXuBL0n8yAXXDSgDAin55mRbiKq2bNuMaEJvwKNFU6ENHGSngT
+w/Pt6B0dbeB1SBVxJPGbGmk74BL8m5V67Kb7MDP05OLSZsUyNLQCpfSgYsUA14uV
+GHE/vE6haP9/DwMLdyJ/CxSjQJMk+wARAQABiQRbBBgBCgAmAhsCFiEEluB68ldx
+lVmA2tEAINBOWnE2YKcFAl4cxyAFCRkIqP8CKcFdIAQZAQIABgUCVB26IAAKCRB1
+lO7Hs/fKyah/D/wJ3v4WdqGo7KgW0kmWfFVWZLKwtb+16gcy6nIm7F7VUcODv+qR
+LA/4UUg72yabVCXnMBi/eEHtkVZWlB/+tzg643DiRvXTCZiwoS5c6fTze55e/Z87
+qY7okf40aTR+qWuMgligI/LeXunr1Pu2jlJLMcUVh5QLxLZ8bDqpDgQM9zcdFmKQ
+/ofUnK7y6gYyUl2KYJDYi0alzjTm+73/S0Mc7z08Yp/s+dtKPbU9imKCnNRkPTQp
+cwlYHWJv0YPQ0TdOkid6HJC7CmZEPH845D+qojAjYBPogNIj/RaByaT3kN32zu8+
+jaZJSCnBM0l2lSh/qO7sQBZhqPX5pJDjjj7d/ATY7XxJCnK/2cZVSuVhMXPIFIAQ
+G4ZYFUaQssjQKLN7BXJUo7+ec1AMkTiwDUocPza8h+fitcpOsWWJWWvZvkSObbuP
+KGn7BgoTzEehO2Rz0QsNjgOa5SXxmc0zX7sbB1XiMxSe7gBZBOnYjhPVcidO3tWu
+M/jXGfZAL9ISq6Zf47ebXA7Y+6Bx3oquMgtSN10gbdoJvjqEBJNN65wadvBP8+Sr
+L+nWRGhsfmu8jupXdJe8h8ysXCboVkpXHuSu+lDjeL9WLqpwc/XkaOy7B6PfwIRa
+YYHnsKs8ogvDuTRJPV4khizyt+A6aiQ1PQqxSKWGY+lzxbmBkPhp5v1N5wkQINBO
+WnE2YKdkRQ//ZKvUegOZTtfivAZI888o4Ocpig3CFxJGlXa52JUnDhYFFpRtXRTP
+gIdQ0zBvhNjmBnELNv5/D1ubnjqWBTaJpZgUXIljJufuWL7VdD57nAAMw2VLvNUe
+38iytUYTAPevaJtLQ4jfj3E9MYH4tcMBmlZ75ZKqiHHH+7+V5J8TD/S01xROK7H1
+kGkXo49deB7K9oT4uno8kE5+AgmEMI80XiKjfQkh6tiG5I0W58DLeAOIxCRkm3kH
+Bi22PpuAKhRelRQnAF9dLdlhZECy5eYl7JKQzOS/dQ0Z3zg+HuDBRyhrmV/go/9C
+npFGUZBa+FOC1GMO07GKH8tZY99D5tDCAH6r6S+RrYS690mWpjXhqouBtJezld+X
+dsgKwgKHk3IEM4m916O0E75kiNk/AD7vZowwEBvPsgN+CDXCPgH4J5x0p9uyxnKH
+omLBd7cuJpio6gf4O1KTl1tlVGcb8f+AUR/MIe70NXyEtpYWMiPW3/0dKwt9APgW
+KSX0c8Mp2XKH/vAEDx86XTfBNrnXyUanOQhbLQciYzolJjiPrB0C2NgFFFXSHPwC
+ikyT5n2RehAJVmg3eufB1ZOKQgo7ue3ynkW4JidgyCUtsoYSmipl9Nhw1hA3ZNK1
+FVCx7tcmy0ZHFO+PV+p17oAC8ZCxSRE0oTeHKcgpF5+DRhQM/+UnmKg=
+=7hTI
+-----END PGP PUBLIC KEY BLOCK-----

SPECS/git.spec

@@ -85,12 +85,15 @@
 %global build_ldflags       -Wl,-z,relro -Wl,-z,now
 %endif
 
+# Set path to the package-notes linker script
+%global _package_note_file  %{_builddir}/%{name}-%{version}/.package_note-%{name}-%{version}-%{release}.%{_arch}.ld
+
 # Define for release candidates
 #global rcrev   .rc0
 
 Name:           git
-Version:        2.27.0
+Version:        2.43.5
-Release:        1%{?rcrev}%{?dist}
+Release:        3%{?rcrev}%{?dist}
 Summary:        Fast Version Control System
 License:        GPLv2
 URL:            https://git-scm.com/
@@ -106,7 +109,7 @@ Source1:        https://www.kernel.org/pub/software/scm/git/%{?rcrev:testing/}%{
 #
 # https://git.kernel.org/cgit/git/git.git/tag/?h=junio-gpg-pub
 # https://git.kernel.org/cgit/git/git.git/blob/?h=junio-gpg-pub&id=7214aea37915ee2c4f6369eb9dea520aec7d855b
-Source9:        gpgkey-junio.asc
+Source2:        gpgkey-junio.asc
 
 # Local sources begin at 10 to allow for additional future upstream sources
 Source11:       git.xinetd.in
@@ -123,7 +126,29 @@ Source99:       print-failed-test-output
 Patch0:         git-cvsimport-Ignore-cvsps-2.2b1-Branches-output.patch
 Patch1:         0001-Switch-git-instaweb-default-to-apache-2.26.2.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1619113
-Patch2:         git-2.27.0-core-crypto-hmac.patch
+Patch2:         git-2.43.0-core-crypto-hmac.patch
+
+# https://bugzilla.redhat.com/2114531
+# tests: try harder to find open ports for apache, git, and svn
+#
+# https://github.com/tmzullinger/git/commit/aedeaaf788
+Patch3:         0001-t-lib-httpd-try-harder-to-find-a-port-for-apache.patch
+# https://github.com/tmzullinger/git/commit/16750d024c
+Patch4:         0002-t-lib-git-daemon-try-harder-to-find-a-port.patch
+# https://github.com/tmzullinger/git/commit/aa5105dc11
+Patch5:         0003-t-lib-git-svn-try-harder-to-find-a-port.patch
+
+# attr: read attributes from HEAD when bare repo
+#
+# https://github.com/git/git/commit/2386535511d1181afd4e892e2a866ffe5e1d7d21
+Patch6:         git-2.43.0-slow-shallow-clones.patch
+
+# Adds the option to sanitize sideband channel messages
+# CVE-2024-52005 wasn't fixed by upstream. This patch adds the option to harden Git against it.
+# The default behaviour of Git remains unchanged.
+#
+# https://github.com/gitgitgadget/git/pull/1853
+Patch7:         git-2.43.5-sanitize-sideband-channel-messages.patch
 
 %if %{with docs}
 # pod2man is needed to build Git.3pm
@@ -135,6 +160,7 @@ BuildRequires:  rubygem-asciidoctor
 BuildRequires:  asciidoc >= 8.4.1
 %endif
 # endif with asciidoctor
+BuildRequires:  perl(File::Compare)
 BuildRequires:  xmlto
 %if %{with linkcheck}
 BuildRequires:  linkchecker
@@ -305,6 +331,7 @@ Requires:       git-credential-libsecret = %{version}-%{release}
 Requires:       git-cvs = %{version}-%{release}
 %endif
 # endif with cvs
+Requires:       git-daemon = %{version}-%{release}
 Requires:       git-email = %{version}-%{release}
 Requires:       git-gui = %{version}-%{release}
 %if %{with p4}
@@ -396,7 +423,22 @@ Summary:        Git tools for sending patches via email
 BuildArch:      noarch
 Requires:       git = %{version}-%{release}
 Requires:       perl(Authen::SASL)
+Requires:       perl(Cwd)
+Requires:       perl(File::Spec)
+Requires:       perl(File::Spec::Functions)
+Requires:       perl(File::Temp)
+Requires:       perl(IO::Socket::SSL)
+Requires:       perl(Mail::Address)
+Requires:       perl(MIME::Base64)
+Requires:       perl(MIME::QuotedPrint)
+Requires:       perl(Net::Domain)
+Requires:       perl(Net::SMTP)
 Requires:       perl(Net::SMTP::SSL)
+Requires:       perl(POSIX)
+Requires:       perl(Sys::Hostname)
+Requires:       perl(Term::ANSIColor)
+Requires:       perl(Term::ReadLine)
+Requires:       perl(Text::ParseWords)
 %description email
 %{summary}.
 
@@ -501,13 +543,11 @@ Requires:       subversion
 gpghome="$(mktemp -qd)" # Ensure we don't use any existing gpg keyrings
 # Convert the ascii-armored key to binary
 # (use --yes to ensure an existing dearmored key is overwritten)
-gpg2 --homedir "$gpghome" --dearmor --quiet --yes %{SOURCE9}
+gpg2 --homedir "$gpghome" --dearmor --quiet --yes %{SOURCE2}
 xz -dc %{SOURCE0} | # Upstream signs the uncompressed tarballs
-    gpgv2 --homedir "$gpghome" --quiet --keyring %{SOURCE9}.gpg %{SOURCE1} -
+    gpgv2 --homedir "$gpghome" --quiet --keyring %{SOURCE2}.gpg %{SOURCE1} -
 rm -rf "$gpghome" # Cleanup tmp gpg home dir
 
-# Ensure a blank line follows autosetup, el6 chokes otherwise
-# https://bugzilla.redhat.com/1310704
 %autosetup -p1 -n %{name}-%{version}%{?rcrev}
 
 # Install print-failed-test-output script
@@ -620,26 +660,17 @@ export SOURCE_DATE_EPOCH=$(date -r version +%%s 2>/dev/null)
 # Fix shebang in a few places to silence rpmlint complaints
 %if %{with python2}
 sed -i -e '1s@#! */usr/bin/env python$@#!%{__python2}@' \
-    contrib/fast-import/import-zips.py \
+    contrib/fast-import/import-zips.py
-    contrib/hg-to-git/hg-to-git.py \
-    contrib/hooks/multimail/git_multimail.py \
-    contrib/hooks/multimail/migrate-mailhook-config \
-    contrib/hooks/multimail/post-receive.example \
-    contrib/svn-fe/svnrdump_sim.py
 %else
-# Remove contrib/fast-import/import-zips.py, contrib/hg-to-git, and
+# Remove contrib/fast-import/import-zips.py which require python2.
-# contrib/svn-fe which all require python2.
+rm -rf contrib/fast-import/import-zips.py
-rm -rf contrib/fast-import/import-zips.py contrib/hg-to-git contrib/svn-fe
 %endif
 # endif with python2
 
-# The multimail hook is installed with git.  Use python3 to avoid an
+# Use python3 to avoid an unnecessary python2 dependency, if possible.
-# unnecessary python2 dependency, if possible.
 %if %{with python3}
 sed -i -e '1s@#!\( */usr/bin/env python\|%{__python2}\)$@#!%{__python3}@' \
-    contrib/hooks/multimail/git_multimail.py \
+    contrib/hg-to-git/hg-to-git.py
-    contrib/hooks/multimail/migrate-mailhook-config \
-    contrib/hooks/multimail/post-receive.example
 %endif
 # endif with python3
 
@@ -681,6 +712,9 @@ install -Dpm 0755 contrib/diff-highlight/diff-highlight \
     %{buildroot}%{_datadir}/git-core/contrib/diff-highlight
 rm -rf contrib/diff-highlight/{Makefile,diff-highlight,*.perl,t}
 
+# Remove contrib/scalar to avoid cruft in the git-core-doc docdir
+rm -rf contrib/scalar
+
 # Clean up contrib/subtree to avoid cruft in the git-core-doc docdir
 rm -rf contrib/subtree/{INSTALL,Makefile,git-subtree*,t}
 
@@ -744,9 +778,6 @@ mkdir -p %{buildroot}%{_datadir}/git-core/contrib/completion
 install -pm 644 contrib/completion/git-completion.tcsh \
     %{buildroot}%{_datadir}/git-core/contrib/completion/
 
-# Drop .py extension from git_multimail to avoid byte-compiling
-mv contrib/hooks/multimail/git_multimail{.py,}
-
 # Move contrib/hooks out of %%docdir
 mkdir -p %{buildroot}%{_datadir}/git-core/contrib
 mv contrib/hooks %{buildroot}%{_datadir}/git-core/contrib
@@ -782,7 +813,7 @@ chmod a-x Documentation/technical/api-index.sh
 find contrib -type f -print0 | xargs -r0 chmod -x
 
 # Split core files
-not_core_re="git-(add--interactive|contacts|credential-netrc|difftool|filter-branch|instaweb|request-pull|send-mail)|gitweb"
+not_core_re="git-(add--interactive|contacts|credential-netrc|filter-branch|instaweb|request-pull|send-mail)|gitweb"
 grep -vE "$not_core_re|%{_mandir}" bin-man-doc-files > bin-files-core
 touch man-doc-files-core
 %if %{with docs}
@@ -835,7 +866,17 @@ find %{buildroot}%{_pkgdocdir} -name "*.html" -print0 | xargs -r0 linkchecker
 # endif with docs && with linkcheck
 
 # Tests to skip on all releases and architectures
-GIT_SKIP_TESTS=""
+#
+# t5559-http-fetch-smart-http2 runs t5551-http-fetch-smart with
+# HTTP_PROTO=HTTP/2.  Unfortunately, it fails quite regularly.
+# https://lore.kernel.org/git/Y4fUntdlc1mqwad5@pobox.com/
+GIT_SKIP_TESTS="t5559"
+
+%if 0%{?rhel} && 0%{?rhel} < 8
+# Skip tests which require mod_http2 on el7
+GIT_SKIP_TESTS="$GIT_SKIP_TESTS t5559"
+%endif
+# endif rhel < 8
 
 %ifarch aarch64 %{arm} %{power64}
 # Skip tests which fail on aarch64, arm, and ppc
@@ -844,30 +885,39 @@ GIT_SKIP_TESTS=""
 # to limit the maximum stack size.
 # t5541.35 'push 2000 tags over http'
 # t5551.25 'clone the 2,000 tag repo to check OS command line overflow'
-GIT_SKIP_TESTS="$GIT_SKIP_TESTS t5541.35 t5551.25"
+GIT_SKIP_TESTS="$GIT_SKIP_TESTS t5541.37 t5551.25"
 %endif
 # endif aarch64 %%{arm} %%{power64}
 
-%ifarch %{power64}
+%if 0%{?rhel} == 8 && "%{_arch}" == "s390x"
-# Skip tests which fail on ppc
+# Skip tests which fail on s390x on rhel-8
 #
-# t9115-git-svn-dcommit-funky-renames is disabled because it frequently fails.
+# The following tests fail on s390x & el8.  The cause should be investigated.
-# The port it uses (9115) is already in use.  It is unclear if this is
+# However, it's a lower priority since the same tests work consistently on
-# due to an issue in the test suite or a conflict with some other process on
+# s390x with Fedora and RHEL-9.  The failures seem to originate in t5300.
-# the build host.  It only appears to occur on ppc-arches.
-GIT_SKIP_TESTS="$GIT_SKIP_TESTS t9115"
-%endif
-# endif %%{power64}
-
-%ifarch s390x
-# Skip tests which fail on s390x
 #
-# t7812-grep-icase-non-ascii's "PCRE v2: grep non-ASCII from invalid UTF-8
+# t5300.10 'unpack without delta'
-# data" test fails on big-endian arches.  This is known upstream and will
+# t5300.12 'unpack with REF_DELTA'
-# hopefully be resolved soon (2019/10/24, tmz)
+# t5300.13 'unpack with REF_DELTA'
-GIT_SKIP_TESTS="$GIT_SKIP_TESTS t7812.11"
+# t5300.14 'unpack with OFS_DELTA'
+# t5300.18 'compare delta flavors'
+# t5300.20 'use packed deltified (REF_DELTA) objects'
+# t5300.23 'verify pack'
+# t5300.24 'verify pack -v'
+# t5300.25 'verify-pack catches mismatched .idx and .pack files'
+# t5300.29 'verify-pack catches a corrupted sum of the index file itself'
+# t5300.30 'build pack index for an existing pack'
+# t5300.45 'make sure index-pack detects the SHA1 collision'
+# t5300.46 'make sure index-pack detects the SHA1 collision (large blobs)'
+# t5303.5  'create corruption in data of first object'
+# t5303.7  '... and loose copy of second object allows for partial recovery'
+# t5303.11 'create corruption in data of first delta'
+# t6300.35 'basic atom: head objectsize:disk'
+# t6300.91 'basic atom: tag objectsize:disk'
+# t6300.92 'basic atom: tag *objectsize:disk'
+GIT_SKIP_TESTS="$GIT_SKIP_TESTS t5300.1[02348] t5300.2[03459] t5300.30 t5300.4[56] t5303.[57] t5303.11 t6300.35 t6300.9[12]"
 %endif
-# endif s390x
+# endif rhel == 8 && arch == s390x
 
 export GIT_SKIP_TESTS
 
@@ -875,11 +925,13 @@ export GIT_SKIP_TESTS
 export LANG=en_US.UTF-8
 
 # Explicitly enable tests which may be skipped opportunistically
-# (Check for variables set via test_tristate in the test suite)
+# Check for variables set via test_bool_env in the test suite:
-export GIT_SVN_TEST_HTTPD=true
+#   git grep 'test_bool_env GIT_' -- t/{lib-,t[0-9]}*.sh |
+#       sed -r 's/.* (GIT_[^ ]+) .*/\1/g' | sort -u
 export GIT_TEST_GIT_DAEMON=true
 export GIT_TEST_HTTPD=true
 export GIT_TEST_SVNSERVE=true
+export GIT_TEST_SVN_HTTPD=true
 
 # Create tmpdir for test output and update GIT_TEST_OPTS
 # Also update GIT-BUILD-OPTIONS to keep make from any needless rebuilding
@@ -919,7 +971,6 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %endif
 # endif emacs_filesystem
 %{_datadir}/git-core/contrib/diff-highlight
-%{_datadir}/git-core/contrib/hooks/multimail
 %{_datadir}/git-core/contrib/hooks/update-paranoid
 %{_datadir}/git-core/contrib/hooks/setgitperms.perl
 %{_datadir}/git-core/templates/hooks/fsmonitor-watchman.sample
@@ -936,7 +987,6 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %license COPYING
 # exclude is best way here because of troubles with symlinks inside git-core/
 %exclude %{_datadir}/git-core/contrib/diff-highlight
-%exclude %{_datadir}/git-core/contrib/hooks/multimail
 %exclude %{_datadir}/git-core/contrib/hooks/update-paranoid
 %exclude %{_datadir}/git-core/contrib/hooks/setgitperms.perl
 %exclude %{_datadir}/git-core/templates/hooks/fsmonitor-watchman.sample
@@ -1061,6 +1111,43 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %{?with_docs:%{_pkgdocdir}/git-svn.html}
 
 %changelog
+* Fri Apr 04 2025 Ondřej Pohořelský <opohorel@redhat.com> - 2.43.5-3
+- add the option to sanitize sideband channel messages
+- Resolves: RHEL-74177
+
+* Fri Nov 15 2024 Ondřej Pohořelský <opohorel@redhat.com> - 2.43.5-2
+- Sync version with the hotfix branch
+- Related: RHEL-64984
+
+* Thu Nov 14 2024 Ondřej Pohořelský <opohorel@redhat.com> - 2.43.0-2
+- Add fix for extremely slow shallow clones
+- Repair t6300 on s390x
+- Resolves: RHEL-64984
+
+* Wed Dec 06 2023 Ondřej Pohořelský <opohorel@redhat.com> - 2.43.0-1
+- Update to 2.43.0
+- Resolves: RHEL-17103
+
+* Thu Apr 27 2023 Ondřej Pohořelský <opohorel@redhat.com> - 2.39.3-1
+- Update to 2.39.3
+- Resolves: #2188364, #2188373, #2190157, #2190158
+
+* Thu Jan 19 2023 Ondrej Pohorelsky <opohorel@redhat.com> - 2.39.1-1
+- Update to 2.39.1
+- Resolves: rhbz#2162064
+
+* Mon Dec 19 2022 Ondrej Pohorelsky <opohorel@redhat.com> - 2.39.0-1
+- Update to 2.39.0
+- Resolves: rhbz#2139378
+
+* Thu Nov 25 2021 Ondrej Pohorelsky <opohorel@redhat.com> - 2.31.1-2
+- Remove perl(Email::Valid) require from git-email
+- Related: rhbz#2021547
+
+* Fri Nov 19 2021 Ondrej Pohorelsky <opohorel@redhat.com> - 2.31.1-1
+- Update to release 2.31.1
+- Resolves: rhbz#2021547
+
 * Thu Jun 11 2020 Ondrej Pohorelsky <opohorel@redhat.com> - 2.27.0-1
 - Update to release 2.27.0
 - Resolves: rhbz#1825114