The NetBSD Project

CVS log for pkgsrc/devel/libgit2/Makefile


Default branch: MAIN


Revision 1.60, Wed Jan 25 13:44:47 2023 UTC (12 days, 12 hours ago) by taca
Branch: MAIN
CVS Tags: HEAD
Changes since 1.59: +2 -3 lines

devel/libgit2: update to 1.5.1

1.5.1 (2023-01-20)

libgit2, when compiled using the optional, included libssh2 backend, fails
to verify SSH keys by default.

Description

When using an SSH remote with the optional, included libssh2 backend,
libgit2 does not perform certificate checking by default.  Prior versions of
libgit2 require the caller to set the certificate_check field of libgit2's
git_remote_callbacks structure - if a certificate check callback is not set,
libgit2 does not perform any certificate checking.  This means that by
default - without configuring a certificate check callback, clients will not
perform validation on the server SSH keys and may be subject to a
man-in-the-middle attack.

Beginning in libgit2 v1.4.5 and v1.5.1, libgit2 will now perform host key
checking by default.  Users can still override the default behavior using
the certificate_check function.

The libgit2 security team would like to thank the Julia and Rust security
teams for responsibly disclosing this vulnerability and assisting with
fixing the vulnerability.

Users are encouraged to upgrade to v1.4.5 or v1.5.1.

Revision 1.59, Tue Jan 24 18:36:23 2023 UTC (13 days, 8 hours ago) by wiz
Branch: MAIN
Changes since 1.58: +3 -3 lines

*: convert to cmake/build.mk

Revision 1.58, Wed Oct 26 10:31:22 2022 UTC (3 months, 1 week ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2022Q4-base, pkgsrc-2022Q4
Changes since 1.57: +2 -1 lines

*: bump PKGREVISION for libunistring shlib major bump

Revision 1.57, Sat Sep 3 14:53:35 2022 UTC (5 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2022Q3-base, pkgsrc-2022Q3
Changes since 1.56: +2 -3 lines

devel/libgit2: update to 1.5.0

Updates from 1.2.0 to 1.5.0 are too many to write here, please refer to:
<https://github.com/libgit2/libgit2/releases>.

Revision 1.56, Thu Jun 30 11:18:15 2022 UTC (7 months, 1 week ago) by nia
Branch: MAIN
Changes since 1.55: +2 -1 lines

*: Revbump packages that use Python at runtime without a PKGNAME prefix

Revision 1.55, Sun Dec 12 14:48:44 2021 UTC (13 months, 3 weeks ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2022Q2-base, pkgsrc-2022Q2, pkgsrc-2022Q1-base, pkgsrc-2022Q1, pkgsrc-2021Q4-base, pkgsrc-2021Q4
Changes since 1.54: +3 -4 lines

devel/libgit2: update to 1.2.0

libgit2 1.3.0 is already released, but I'm not sure ruby-rugged 1.2.0
supports it.

1.2.0 (2021-09-02)

Changes are too many to write here, please refer to
<https://github.com/libgit2/libgit2/releases/tag/v1.2.0>.

Revision 1.54, Wed Dec 8 16:04:01 2021 UTC (13 months, 4 weeks ago) by adam
Branch: MAIN
Changes since 1.53: +2 -2 lines

revbump for icu and libffi

Revision 1.53, Wed Sep 29 19:00:32 2021 UTC (16 months, 1 week ago) by adam
Branch: MAIN
Changes since 1.52: +2 -2 lines

revbump for boost-libs

Revision 1.52, Wed Apr 21 13:24:34 2021 UTC (21 months, 2 weeks ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2021Q3-base, pkgsrc-2021Q3, pkgsrc-2021Q2-base, pkgsrc-2021Q2
Changes since 1.51: +2 -1 lines

revbump for boost-libs

Revision 1.51, Mon Oct 19 17:53:40 2020 UTC (2 years, 3 months ago) by nia
Branch: MAIN
CVS Tags: pkgsrc-2021Q1-base, pkgsrc-2021Q1, pkgsrc-2020Q4-base, pkgsrc-2020Q4
Changes since 1.50: +3 -3 lines

libgit2: Update to 1.1.0

v1.1
----

This is release v1.1, "Fernweh".

### Changes or improvements

* Our bundled PCRE dependency has been updated to 8.44.

* The `refs/remotes/origin/HEAD` file will be created at clone time to
  point to the origin's default branch.

* libgit2 now uses the `__atomic_` intrinsics instead of `__sync_`
  intrinsics on supported gcc and clang versions.

* The `init.defaultBranch` setting is now respected and `master` is
  no longer hardcoded as the default branch name.

* Patch files that do not contain an `index` line can now be parsed.

* Configuration files with multi-line values can now contain quotes
  split across multiple lines.

* Windows clients now attempt to use TLS1.3 when available.

* Servers that request an upgrade to a newer HTTP version are
  silently ignored instead of erroneously failing.

* Users can pass `NULL` to the options argument to
  `git_describe_commit`.

* Clones and fetches of very large packfiles now succeed on 32-bit
  platforms.

* Custom reference database backends can now handle the repository's
  `HEAD` correctly.

* Repositories with a large number of packfiles no longer exhaust the
  number of file descriptors.

* The test framework now supports TAP output when the `-t` flag is
  specified.

* The test framework can now specify an exact match to a test
  function using a trailing `$`.

* All checkout types support `GIT_CHECKOUT_DISABLE_PATHSPEC_MATCH`.

* `git_blame` now can ignore whitespace changes using the option
  `GIT_BLAME_IGNORE_WHITESPACE`.

* Several new examples have been created, including examples for
  commit, add and push.

* Mode changes during rename are now supported in patch application.

* `git_checkout_head` now correctly removes untracked files in a
  subdirectory when the `FORCE | REMOVE_UNTRACKED` options are specified.

Revision 1.50, Tue Aug 25 16:21:58 2020 UTC (2 years, 5 months ago) by jperkin
Branch: MAIN
CVS Tags: pkgsrc-2020Q3-base, pkgsrc-2020Q3
Changes since 1.49: +2 -1 lines

libgit2: Requires C99.

Revision 1.49, Tue Jun 9 11:04:56 2020 UTC (2 years, 7 months ago) by nia
Branch: MAIN
CVS Tags: pkgsrc-2020Q2-base, pkgsrc-2020Q2
Changes since 1.48: +2 -5 lines

libgit2: Update to 1.0.1

v1.0.1
------

This is a bugfix release with the following changes:

- Calculating information about renamed files during merges is more
  efficient because dissimilarity about files is now being cached and
  no longer needs to be recomputed.

- The `git_worktree_prune_init_options` has been correctly restored for
  backward compatibility.  In v1.0 it was incorrectly deprecated with a
  typo.

- The optional ntlmclient dependency now supports NetBSD.

- A bug where attempting to stash on a bare repository may have failed
  has been fixed.

- Configuration files that are unreadable due to permissions are now
  silently ignored, and treated as if they do not exist.  This matches
  git's behavior; previously this case would have been an error.

- v4 index files are now correctly written; previously we would read
  them correctly but would not write the prefix-compression accurately,
  causing corruption.

- A bug where the smart HTTP transport could not read large data packets
  has been fixed.  Previously, fetching from servers like Gerrit, that
  sent large data packets, would error.

Revision 1.48, Fri May 22 10:56:04 2020 UTC (2 years, 8 months ago) by adam
Branch: MAIN
Changes since 1.47: +2 -2 lines

revbump after updating security/nettle

Revision 1.47, Wed May 6 14:04:27 2020 UTC (2 years, 9 months ago) by adam
Branch: MAIN
Changes since 1.46: +2 -1 lines

revbump after boost update

Revision 1.46, Mon Apr 6 08:33:40 2020 UTC (2 years, 10 months ago) by wiz
Branch: MAIN
Changes since 1.45: +2 -3 lines

libgit2: update to 1.0.0.

v1.0
----

This is release v1.0 "Luftschloss", which is the first stable release of
libgit2. The API will stay compatible across all releases of the same major
version. This release includes bugfixes only and supersedes v0.99, which will
stop being maintained. Both v0.27 and v0.28 stay supported in accordance with
our release policy.

### Changes or improvements

- CMake was converted to make use of the GNUInstallDirs module for both our
  pkgconfig and install targets in favor of our custom build options
  `BIN_INSTALL_DIR`, `LIB_INSTALL_DIR` and `INCLUDE_INSTALL_DIR`. Instead, you
  can now use CMake's standard variables `CMAKE_INSTALL_BINDIR`,
  `CMAKE_INSTALL_LIBDIR` and `CMAKE_INSTALL_INCLUDEDIR`.

- Some CMake build options accepted either a specific value or a boolean value
  to disable the option altogether or use automatic detection. We only accepted
  "ON" or "OFF", but none of the other values CMake recognizes as boolean. This
  was aligned with CMake's understanding of booleans.

- The installed pkgconfig file contained incorrect values for both `libdir` and
  `includedir` variables.

- If using pcre2 for regular expressions, then we incorrectly added "pcre2"
  instead of "pcre2-8" to our pkgconfig dependencies, which was corrected.

- Fixed building the bundled ntlmclient dependency on FreeBSD, OpenBSD and
  SunOS.

- When writing symlinks on Windows, we incorrectly handled relative symlink
  targets, which was corrected.

- When using the HTTP protocol via macOS' SecureTransport implementation, reads
  could stall at the end of the session and only continue after a timeout of 60
  seconds was reached.

- The filesystem-based reference callback didn't correctly initialize the backend
  version.

- A segmentation fault was fixed when calling `git_blame_buffer()` for files
  that were modified and added to the index.

- A backwards-incompatible change was introduced when we moved some structures
  from "git2/credentials.h" into "git2/sys/credentials.h". This was fixed in the
  case where you do not use hard deprecation.

- Improved error handling in various places.

Revision 1.45, Sun Mar 8 16:49:15 2020 UTC (2 years, 11 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2020Q1-base, pkgsrc-2020Q1
Changes since 1.44: +2 -1 lines

*: recursive bump for libffi

Revision 1.44, Sat Feb 29 11:39:53 2020 UTC (2 years, 11 months ago) by nia
Branch: MAIN
Changes since 1.43: +5 -3 lines

libgit2: Update to 0.99.0

v0.99
-----

This is v0.99 "Torschlusspanik".  This will be the last minor release
before libgit2 v1.0.  We expect to only respond to bugs in this release,
to stabilize it for next major release.

It contains significant refactorings, but is expected to be API-compatible
with v0.28.0.

### Changes or improvements

* When fetching from an anonymous remote using a URL with authentication
  information provided in the URL (eg `https://foo:bar@example.com/repo`),
  we would erroneously include the literal URL in the FETCH_HEAD file.
  We now remove that to match git's behavior.

* Some credential structures, enums and values have been renamed:
  `git_cred` is now `git_credential`.  `git_credtype_t` is now
  `git_credential_t`.  Functions and types beginning with
  `git_cred_` now begin with `git_credential`, and constants beginning
  with `GIT_CREDTYPE` now begin with `GIT_CREDENTIAL`.  The former names
  are deprecated.

* Several function signatures have been changed to return an `int` to
  indicate error conditions.  We encourage you to check them for errors
  in the standard way.

  * `git_attr_cache_flush`
  * `git_error_set_str`
  * `git_index_name_clear`
  * `git_index_reuc_clear`
  * `git_libgit2_version`
  * `git_mempack_reset`
  * `git_oid_cpy`
  * `git_oid_fmt`
  * `git_oid_fromraw`
  * `git_oid_nfmt`
  * `git_oid_pathfmt`
  * `git_remote_stop`
  * `git_remote_disconnect`
  * `git_repository__cleanup`
  * `git_repository_set_config`
  * `git_repository_set_index`
  * `git_repository_set_odb`
  * `git_repository_set_refdb`
  * `git_revwalk_reset`
  * `git_revwalk_simplify_first_parent`
  * `git_revwalk_sorting`
  * `git_treebuilder_clear`
  * `git_treebuilder_filter`

* The NTLM and Negotiate authentication mechanisms are now supported when
  talking to git implementations hosted on Apache or nginx servers.

* The `HEAD` symbolic reference can no longer be deleted.

* `git_merge_driver_source_repo` no longer returns a `const git_repository *`,
  it now returns a non-`const` `git_repository *`.

* Relative symbolic links are now supported on Windows when `core.symlinks`
  is enabled.

* Servers that provide query parameters with a redirect are now supported.

* `git_submodule_sync` will now resolve relative URLs.

* When creating git endpoint URLs, double-slashes are no longer used when
  the given git URL has a trailing slash.

* On Windows, a `DllMain` function is no longer included and thread-local
  storage has moved to fiber-local storage in order to prevent race
  conditions during shutdown.

* The tracing mechanism (`GIT_TRACE`) is now enabled by default and does
  not need to be explicitly enabled in CMake.

* The size of Git objects is now represented by `git_object_size_t`
  instead of `off_t`.

* Binary patches without data can now be parsed.

* A configuration snapshot can now be created from another configuration
  snapshot, not just a "true" configuration object.

* The `git_commit_with_signature` API will now ensure that referenced
  objects exist in the object database.

* Stash messages containing newlines will now be replaced with spaces;
  they will no longer be (erroneously) written to the repository.

* `git_commit_create_with_signature` now verifies the commit information
  to ensure that it points to a valid tree and valid parents.

* `git_apply` has an option `GIT_APPLY_CHECK` that will only do a dry-run.
  The index and working directory will remain unmodified, and application
  will report if it would have worked.

* Patches produced by Mercurial (those that lack some git extended headers)
  can now be parsed and applied.

* Reference locks are obeyed correctly on POSIX platforms, instead of
  being removed.

* Patches with empty new files can now be read and applied.

* `git_apply_to_tree` can now correctly apply patches that add new files.

* The program data configuration on Windows (`C:\ProgramData\Git\config`)
  must be owned by an administrator, a system account or the current user
  to be read.

* `git_blob_filtered_content` is now deprecated in favor of `git_blob_filter`.

* Configuration files can now be included conditionally using the
  `onbranch` conditional.

* Checkout can now properly create and remove symbolic links to directories
  on Windows.

* Stash no longer recomputes trees when committing a worktree, for
  improved performance.

* Repository templates can now include a `HEAD` file to default the
  initial default branch.

* Some configuration structures, enums and values have been renamed:
  `git_cvar_map` is now `git_configmap`, `git_cvar_t` is now
  `git_configmap_t`, `GIT_CVAR_FALSE` is now `GIT_CONFIGMAP_FALSE`,
  `GIT_CVAR_TRUE` is now `GIT_CONFIGMAP_TRUE`, `GIT_CVAR_INT32` is now
  `GIT_CONFIGMAP_INT32`, and `GIT_CVAR_STRING` is now `GIT_CONFIGMAP_STRING`.
  The former names are deprecated.

* Repositories can now be created at the root of a Windows drive.

* Configuration lookups are now more efficiently cached.

* `git_commit_create_with_signature` now supports a `NULL` signature,
  which will create a commit without adding a signature.

* When a repository lacks an `info` "common directory", we will no
  longer erroneously return `GIT_ENOTFOUND` for all attribute lookups.

* Several attribute macros have been renamed: `GIT_ATTR_TRUE` is now
  `GIT_ATTR_IS_TRUE`, `GIT_ATTR_FALSE` is now `GIT_ATTR_IS_FALSE`,
  `GIT_ATTR_UNSPECIFIED` is now `GIT_ATTR_IS_UNSPECIFIED`.  The
  attribute enum `git_attr_t` is now `git_attr_value_t` and its
  values have been renamed: `GIT_ATTR_UNSPECIFIED_T` is now
  `GIT_ATTR_VALUE_UNSPECIFIED`, `GIT_ATTR_TRUE_T` is now
  `GIT_ATTR_VALUE_TRUE`, `GIT_ATTR_FALSE_T` is now `GIT_ATTR_VALUE_FALSE`,
  and `GIT_ATTR_VALUE_T` is now `GIT_ATTR_VALUE_STRING`.  The
  former names are deprecated.

* `git_object__size` is now `git_object_size`.  The former name is
  deprecated.

* `git_tag_create_frombuffer` is now `git_tag_create_from_buffer`.  The
  former name is deprecated.

* Several blob creation functions have been renamed:
  `git_blob_create_frombuffer` is now named `git_blob_create_from_buffer`,
  `git_blob_create_fromdisk` is now named `git_blob_create_from_disk`,
  `git_blob_create_fromworkdir` is now named `git_blob_create_from_workdir`,
  `git_blob_create_fromstream` is now named `git_blob_create_from_stream`,
  and `git_blob_create_fromstream_commit` is now named
  `git_blob_create_from_stream_commit`.  The former names are deprecated.

* The function `git_oid_iszero` is now named `git_oid_is_zero`.  The
  former name is deprecated.

* Pattern matching is now done using `wildmatch` instead of `fnmatch`
  for compatibility with git.

* The option initialization functions suffixed by `init_options` are now
  suffixed with `options_init`.  (For example, `git_checkout_init_options`
  is now `git_checkout_options_init`.)  The former names are deprecated.

* NTLM2 authentication is now supported on non-Windows platforms.

* The `git_cred_sign_callback` callback is now named `git_cred_sign_cb`.
  The `git_cred_ssh_interactive_callback` callback is now named
  `git_cred_ssh_interactive_cb`.

* Ignore files now:

  * honor escaped trailing whitespace.
  * do not incorrectly negate sibling paths of a negated pattern.
  * honor rules that stop ignoring files after a wildcard

* Attribute files now:

  * honor leading and trailing whitespace.
  * treat paths beginning with `\` as absolute only on Windows.
  * properly handle escaped characters.
  * stop reading macros defined in subdirectories

* The C locale is now correctly used when parsing regular expressions.

* The system PCRE2 or PCRE regular expression libraries are now used
  when `regcomp_l` is not available on the system.  If none of these
  are available on the system, an included version of PCRE is used.

* Wildcards in reference specifications are now supported beyond simply
  a bare wildcard (`*`) for compatibility with git.

* When `git_ignore_path_is_ignored` is provided a path with a trailing
  slash (eg, `dir/`), it will now treat it as a directory for the
  purposes of ignore matching.

* Patches that add or remove a file with a space in the path can now
  be correctly parsed.

* The `git_remote_completion_type` type is now `git_remote_completion_t`.
  The former name is deprecated.

* The `git_odb_backend_malloc` is now `git_odb_backend_data_alloc`.  The
  former name is deprecated.

* The `git_transfer_progress_cb` callback is now `git_indexer_progress_cb`
  and the `git_transfer_progress` structure is now `git_indexer_progress`.
  The former names are deprecated.

* The example projects are now contained in a single `lg2` executable
  for ease of use.

* libgit2 now correctly handles more URLs, such as
  `http://example.com:/repo.git` (colon but no port),
  `http://example.com` (no path),
  and `http://example.com:8080/` (path is /, nonstandard port).

* A carefully constructed commit object with a very large number
  of parents may lead to potential out-of-bounds writes or
  potential denial of service.

* The ProgramData configuration file is always read for compatibility
  with Git for Windows and Portable Git installations.  The ProgramData
  location is not necessarily writable only by administrators, so we
  now ensure that the configuration file is owned by the administrator
  or the current user.

### API additions

* The SSH host key now supports SHA-256 when `GIT_CERT_SSH_SHA256` is set.

* The diff format option `GIT_DIFF_FORMAT_PATCH_ID` can now be used to
  emit an output like `git patch-id`.

* The `git_apply_options_init` function will initialize a
  `git_apply_options` structure.

* The remote callbacks structure adds a `git_url_resolve_cb` callback
  that is invoked when connecting to a server, so that applications
  may edit or replace the URL before connection.

* The information about the original `HEAD` in a rebase operation is
  available with `git_rebase_orig_head_name`.  Its ID is available with
  `git_rebase_orig_head_id`.  The `onto` reference name is available with
  `git_rebase_onto_name` and its ID is available with `git_rebase_onto_id`.

* ODB backends can now free backend data when an error occurs during its
  backend data creation using `git_odb_backend_data_free`.

* Options may be specified to `git_repository_foreach_head` to control
  its behavior: `GIT_REPOSITORY_FOREACH_HEAD_SKIP_REPO` will not skip
  the main repository's HEAD reference, while
  `GIT_REPOSITORY_FOREACH_HEAD_SKIP_WORKTREES` will now skip the
  worktree HEAD references.

* The `GIT_OPT_DISABLE_PACK_KEEP_FILE_CHECKS` option can be specified to
  `git_libgit2_opts()` to avoid looking for `.keep` files that correspond
  to packfiles.  This setting can improve performance when packfiles are
  stored on high-latency filesystems like network filesystems.

* Blobs can now be filtered with `git_blob_filter`, which allows for
  options to be set with `git_blob_filter_options`, including
  `GIT_FILTER_NO_SYSTEM_ATTRIBUTES` to disable filtering with system-level
  attributes in `/etc/gitattributes` and `GIT_ATTR_CHECK_INCLUDE_HEAD` to
  enable filtering with `.gitattributes` files in the HEAD revision.

### API removals

* The unused `git_headlist_cb` function declaration was removed.

* The unused `git_time_monotonic` API is removed.

* The erroneously exported `inttypes.h` header was removed.

# Security Fixes

- CVE-2019-1348: the fast-import stream command "feature
  export-marks=path" allows writing to arbitrary file paths. As
  libgit2 does not offer any interface for fast-import, it is not
  susceptible to this vulnerability.

- CVE-2019-1349: by using NTFS 8.3 short names, backslashes or
  alternate filesystreams, it is possible to cause submodules to
  be written into pre-existing directories during a recursive
  clone using git. As libgit2 rejects cloning into non-empty
  directories by default, it is not susceptible to this
  vulnerability.

- CVE-2019-1350: recursive clones may lead to arbitrary remote
  code executing due to improper quoting of command line
  arguments. As libgit2 uses libssh2, which does not require us
  to perform command line parsing, it is not susceptible to this
  vulnerability.

- CVE-2019-1351: Windows provides the ability to substitute
  drive letters with arbitrary letters, including multi-byte
  Unicode letters. To fix any potential issues arising from
  interpreting such paths as relative paths, we have extended
  detection of DOS drive prefixes to accommodate for such cases.

- CVE-2019-1352: by using NTFS-style alternative file streams for
  the ".git" directory, it is possible to overwrite parts of the
  repository. While this has been fixed in the past for Windows,
  the same vulnerability may also exist on other systems that
  write to NTFS filesystems. We now reject any paths starting
  with ".git:" on all systems.

- CVE-2019-1353: by using NTFS-style 8.3 short names, it was
  possible to write to the ".git" directory and thus overwrite
  parts of the repository, leading to possible remote code
  execution. While this problem was already fixed in the past for
  Windows, other systems accessing NTFS filesystems are
  vulnerable to this issue too. We now enable NTFS protections by
  default on all systems to fix this attack vector.

- CVE-2019-1354: on Windows, backslashes are not a valid part of
  a filename but are instead interpreted as directory separators.
  As other platforms allowed to use such paths, it was possible
  to write such invalid entries into a Git repository and was
  thus an attack vector to write into the ".git" directory. We
  now reject any entries starting with ".git\" on all systems.

- CVE-2019-1387: it is possible to let a submodule's git
  directory point into a sibling's submodule directory, which may
  result in overwriting parts of the Git repository and thus lead
  to arbitrary command execution. As libgit2 doesn't provide any
  way to do submodule clones natively, it is not susceptible to
  this vulnerability. Users of libgit2 that have implemented
  recursive submodule clones manually are encouraged to review
  their implementation for this vulnerability.

### Breaking API changes

* The "private" implementation details of the `git_cred` structure have been
  moved to a dedicated `git2/sys/cred.h` header, to clarify that the underlying
  structures are only provided for custom transport implementers.
  The breaking change is that the `username` member of the underlying struct
  is now hidden, and a new `git_cred_get_username` function has been provided.

### Breaking CMake configuration changes

* The CMake option to use a system http-parser library, instead of the
  bundled dependency, has changed.  This is due to a deficiency in
  http-parser that we have fixed in our implementation.  The bundled
  library is now the default, but if you wish to force the use of the
  system http-parser implementation despite incompatibilities, you can
  specify `-DUSE_HTTP_PARSER=system` to CMake.

* The interactions between `USE_HTTPS` and `SHA1_BACKEND` have been
  streamlined. The detection was moved to a new `USE_SHA1`, modeled after
  `USE_HTTPS`, which takes the values "CollisionDetection/Backend/Generic", to
  better match how the "hashing backend" is selected, the default (ON) being
  "CollisionDetection". If you were using `SHA1_BACKEND` previously, you'll
  need to check the value you've used, or switch to the autodetection.

### Authors

The following individuals provided changes that were included in this
release:

* Aaron Patterson
* Alberto Fanjul
* Anders Borum
* Augie Fackler
* Augustin Fabre
* Ayush Shridhar
* brian m. carlson
* buddyspike
* Carlos Martín Nieto
* cheese1
* Dan Skorupski
* Daniel Cohen Gindi
* Dave Lee
* David Brooks
* David Turner
* Denis Laxalde
* Dhruva Krishnamurthy
* Dominik Ritter
* Drew DeVault
* Edward Thomson
* Eric Huss
* Erik Aigner
* Etienne Samson
* Gregory Herrero
* Heiko Voigt
* Ian Hattendorf
* Jacques Germishuys
* Janardhan Pulivarthi
* Jason Haslam
* Johannes Schindelin
* Jordan Wallet
* Josh Bleecher Snyder
* kas
* kdj0c
* Laurence McGlashan
* lhchavez
* Lukas Berk
* Max Kostyukevich
* Patrick Steinhardt
* pcpthm
* Remy Suen
* Robert Coup
* romkatv
* Scott Furry
* Sebastian Henke
* Stefan Widgren
* Steve King Jr
* Sven Strickroth
* Tobias Nieen
* Tyler Ang-Wanek
* Tyler Wanek

Revision 1.43, Sat Jan 18 21:49:11 2020 UTC (3 years ago) by jperkin
Branch: MAIN
Changes since 1.42: +2 -2 lines

*: Recursive revision bump for openssl 1.1.1.

Revision 1.42, Sun Jan 12 20:20:11 2020 UTC (3 years ago) by ryoon
Branch: MAIN
Changes since 1.41: +2 -1 lines

*: Recursive revbump from devel/boost-libs

Revision 1.39.2.2, Mon Dec 16 13:12:31 2019 UTC (3 years, 1 month ago) by bsiegert
Branch: pkgsrc-2019Q3
Changes since 1.39.2.1: +1 -1 lines

Pullup ticket #6102 - requested by nia
devel/libgit2: security fix

Revisions pulled up:
- devel/libgit2/Makefile                                        1.41
- devel/libgit2/distinfo                                        1.19

---
   Module Name:	pkgsrc
   Committed By:	nia
   Date:		Sat Dec 14 02:57:02 UTC 2019

   Modified Files:
   	pkgsrc/devel/libgit2: Makefile distinfo

   Log Message:
   libgit2: Update to 0.28.4

   v0.28.4
   --------

   This is a security release fixing the following issues:

   - CVE-2019-1348: the fast-import stream command "feature
     export-marks=path" allows writing to arbitrary file paths. As
     libgit2 does not offer any interface for fast-import, it is not
     susceptible to this vulnerability.

   - CVE-2019-1349: by using NTFS 8.3 short names, backslashes or
     alternate filesystreams, it is possible to cause submodules to
     be written into pre-existing directories during a recursive
     clone using git. As libgit2 rejects cloning into non-empty
     directories by default, it is not susceptible to this
     vulnerability.

   - CVE-2019-1350: recursive clones may lead to arbitrary remote
     code executing due to improper quoting of command line
     arguments. As libgit2 uses libssh2, which does not require us
     to perform command line parsing, it is not susceptible to this
     vulnerability.

   - CVE-2019-1351: Windows provides the ability to substitute
     drive letters with arbitrary letters, including multi-byte
     Unicode letters. To fix any potential issues arising from
     interpreting such paths as relative paths, we have extended
     detection of DOS drive prefixes to accommodate for such cases.

   - CVE-2019-1352: by using NTFS-style alternative file streams for
     the ".git" directory, it is possible to overwrite parts of the
     repository. While this has been fixed in the past for Windows,
     the same vulnerability may also exist on other systems that
     write to NTFS filesystems. We now reject any paths starting
     with ".git:" on all systems.

   - CVE-2019-1353: by using NTFS-style 8.3 short names, it was
     possible to write to the ".git" directory and thus overwrite
     parts of the repository, leading to possible remote code
     execution. While this problem was already fixed in the past for
     Windows, other systems accessing NTFS filesystems are
     vulnerable to this issue too. We now enable NTFS protections by
     default on all systems to fix this attack vector.

   - CVE-2019-1354: on Windows, backslashes are not a valid part of
     a filename but are instead interpreted as directory separators.
     As other platforms allowed to use such paths, it was possible
     to write such invalid entries into a Git repository and was
     thus an attack vector to write into the ".git" directory. We
     now reject any entries starting with ".git\" on all systems.

   - CVE-2019-1387: it is possible to let a submodule's git
     directory point into a sibling's submodule directory, which may
     result in overwriting parts of the Git repository and thus lead
     to arbitrary command execution. As libgit2 doesn't provide any
     way to do submodule clones natively, it is not susceptible to
     this vulnerability. Users of libgit2 that have implemented
     recursive submodule clones manually are encouraged to review
     their implementation for this vulnerability.

Revision 1.41, Sat Dec 14 02:57:02 2019 UTC (3 years, 1 month ago) by nia
Branch: MAIN
CVS Tags: pkgsrc-2019Q4-base, pkgsrc-2019Q4
Changes since 1.40: +2 -2 lines

libgit2: Update to 0.28.4

v0.28.4
--------

This is a security release fixing the following issues:

- CVE-2019-1348: the fast-import stream command "feature
  export-marks=path" allows writing to arbitrary file paths. As
  libgit2 does not offer any interface for fast-import, it is not
  susceptible to this vulnerability.

- CVE-2019-1349: by using NTFS 8.3 short names, backslashes or
  alternate file streams, it is possible to cause submodules to
  be written into pre-existing directories during a recursive
  clone using git. As libgit2 rejects cloning into non-empty
  directories by default, it is not susceptible to this
  vulnerability.

- CVE-2019-1350: recursive clones may lead to arbitrary remote
  code executing due to improper quoting of command line
  arguments. As libgit2 uses libssh2, which does not require us
  to perform command line parsing, it is not susceptible to this
  vulnerability.

- CVE-2019-1351: Windows provides the ability to substitute
  drive letters with arbitrary letters, including multi-byte
  Unicode letters. To fix any potential issues arising from
  interpreting such paths as relative paths, we have extended
  detection of DOS drive prefixes to accommodate for such cases.

- CVE-2019-1352: by using NTFS-style alternative file streams for
  the ".git" directory, it is possible to overwrite parts of the
  repository. While this has been fixed in the past for Windows,
  the same vulnerability may also exist on other systems that
  write to NTFS filesystems. We now reject any paths starting
  with ".git:" on all systems.

- CVE-2019-1353: by using NTFS-style 8.3 short names, it was
  possible to write to the ".git" directory and thus overwrite
  parts of the repository, leading to possible remote code
  execution. While this problem was already fixed in the past for
  Windows, other systems accessing NTFS filesystems are
  vulnerable to this issue too. We now enable NTFS protections by
  default on all systems to fix this attack vector.

- CVE-2019-1354: on Windows, backslashes are not a valid part of
  a filename but are instead interpreted as directory separators.
  As other platforms allowed to use such paths, it was possible
  to write such invalid entries into a Git repository and was
  thus an attack vector to write into the ".git" directory. We
  now reject any entries starting with ".git\" on all systems.

- CVE-2019-1387: it is possible to let a submodule's git
  directory point into a sibling's submodule directory, which may
  result in overwriting parts of the Git repository and thus lead
  to arbitrary command execution. As libgit2 doesn't provide any
  way to do submodule clones natively, it is not susceptible to
  this vulnerability. Users of libgit2 that have implemented
  recursive submodule clones manually are encouraged to review
  their implementation for this vulnerability.
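
The NTFS rules in the entry above (CVE-2019-1352, CVE-2019-1353, CVE-2019-1354) reduce to one predicate over each path component. The C code below is an added example, not libgit2's own implementation: the function names and sample paths are constructed, and it assumes the default 8.3 short name GIT~1 for ".git".

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Case-insensitive match of the lower-case literal `lit` at the start of `s`.
 * Returns the number of bytes matched, or 0 on mismatch. A NUL in `s` never
 * equals a byte of `lit`, so the loop cannot run past the end of `s`. */
static size_t match_ci(const char *s, const char *lit)
{
    size_t i;
    for (i = 0; lit[i] != '\0'; i++) {
        if (tolower((unsigned char)s[i]) != lit[i])
            return 0;
    }
    return i;
}

/* Hypothetical helper: does the path component starting at `c` resolve to
 * the ".git" directory once NTFS naming rules are applied? */
static int component_is_ntfs_dotgit(const char *c)
{
    size_t n = match_ci(c, ".git");
    if (n == 0)
        n = match_ci(c, "git~1");   /* assumed 8.3 short name of ".git" */
    if (n == 0)
        return 0;
    c += n;

    /* Windows drops trailing dots and spaces from a file name. */
    while (*c == '.' || *c == ' ')
        c++;

    /* The component ends at NUL, at either separator (CVE-2019-1354),
     * or at ':' which opens an alternate stream (CVE-2019-1352). */
    return *c == '\0' || *c == '/' || *c == '\\' || *c == ':';
}

/* Returns 1 if any component of `path` would land in ".git" on NTFS. */
int path_touches_dotgit(const char *path)
{
    const char *p = path;
    for (;;) {
        if (component_is_ntfs_dotgit(p))
            return 1;
        /* Skip to the next component; both '/' and '\\' separate. */
        while (*p != '\0' && *p != '/' && *p != '\\')
            p++;
        if (*p == '\0')
            return 0;
        p++;
    }
}

int main(void)
{
    /* Constructed sample paths, not taken from any real repository. */
    static const char *samples[] = {
        ".git/config", ".GIT/config", ".git:alt", ".git\\hooks\\x",
        "GIT~1/config", "sub/.git. /config",
        ".gitignore", "src/.github/ci.yml", "docs/git~10.txt"
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-22s %s\n", samples[i],
               path_touches_dotgit(samples[i]) ? "reject" : "accept");
    return 0;
}
```

The check has to run on every platform, as the entry notes, because a non-Windows host can still write the tree onto an NTFS volume.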

Revision 1.39.2.1, Mon Oct 7 09:14:47 2019 UTC (3 years, 4 months ago) by bsiegert
Branch: pkgsrc-2019Q3
Changes since 1.39: +2 -3 lines

Pullup ticket #6068 - requested by nia
devel/libgit2: security fix

Revisions pulled up:
- devel/libgit2/Makefile                                        1.40
- devel/libgit2/distinfo                                        1.18

---
   Module Name:	pkgsrc
   Committed By:	nia
   Date:		Sun Oct  6 12:18:30 UTC 2019

   Modified Files:
   	pkgsrc/devel/libgit2: Makefile distinfo

   Log Message:
   libgit2: Update to 0.28.3

   This is a security release fixing the following issues:

       A carefully constructed commit object with a very large number
       of parents may lead to potential out-of-bounds writes or
       potential denial of service.

       The ProgramData configuration file is always read for compatibility
       with Git for Windows and Portable Git installations. The ProgramData
       location is not necessarily writable only by administrators, so we
       now ensure that the configuration file is owned by the administrator
       or the current user.

Revision 1.40, Sun Oct 6 12:18:30 2019 UTC (3 years, 4 months ago) by nia
Branch: MAIN
Changes since 1.39: +2 -3 lines

libgit2: Update to 0.28.3

This is a security release fixing the following issues:

    A carefully constructed commit object with a very large number
    of parents may lead to potential out-of-bounds writes or
    potential denial of service.

    The ProgramData configuration file is always read for compatibility
    with Git for Windows and Portable Git installations. The ProgramData
    location is not necessarily writable only by administrators, so we
    now ensure that the configuration file is owned by the administrator
    or the current user.

Revision 1.39, Thu Aug 22 12:23:02 2019 UTC (3 years, 5 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2019Q3-base
Branch point for: pkgsrc-2019Q3
Changes since 1.38: +2 -2 lines

Recursive revbump from boost-1.71.0

Revision 1.38, Sat Jul 20 22:46:16 2019 UTC (3 years, 6 months ago) by wiz
Branch: MAIN
Changes since 1.37: +2 -2 lines

*: recursive bump for nettle 3.5.1

Revision 1.37, Mon Jul 1 04:08:05 2019 UTC (3 years, 7 months ago) by ryoon
Branch: MAIN
Changes since 1.36: +2 -1 lines

Recursive revbump from boost-1.70.0

Revision 1.36, Mon May 27 14:35:25 2019 UTC (3 years, 8 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2019Q2-base, pkgsrc-2019Q2
Changes since 1.35: +2 -3 lines

libgit2: update to 0.28.2.

v0.28.2
-------

This is a bugfix release with the following changes:

* Fix include directory ordering when using bundled dependencies.

* Fix infinite loop when searching for a non-existing repository with
  Windows-style paths including drive prefixes.

* Fix paths with a trailing "/" not always being treated as
  directories when computing ignores.

* Fix false negatives when computing ignores where ignore rules
  that are a prefix to a negative ignore rule exist.

* Fix patches with CRLF line endings not being parsed correctly.

* Fix segfault when parsing patches with file addition (deletion)
  where the added (deleted) file name contains a space.

* Fix assertion failure when trying to write to a non-existent
  locked configuration file.

Revision 1.35, Thu Apr 25 07:32:47 2019 UTC (3 years, 9 months ago) by maya
Branch: MAIN
Changes since 1.34: +2 -1 lines

PKGREVISION bump for anything using python without a PYPKGPREFIX.

This is a semi-manual PKGREVISION bump.

Revision 1.34, Mon Feb 25 09:21:36 2019 UTC (3 years, 11 months ago) by jperkin
Branch: MAIN
CVS Tags: pkgsrc-2019Q1-base, pkgsrc-2019Q1
Changes since 1.33: +3 -2 lines

libgit2: Requires C99.

Revision 1.33, Sun Feb 24 10:15:26 2019 UTC (3 years, 11 months ago) by wiz
Branch: MAIN
Changes since 1.32: +2 -3 lines

libgit2: update to 0.28.1.

v0.28.1
-------

This is a bugfix release with the following change:

* The deprecated functions (`git_buf_free` and the `giterr_` family of
  functions) are now exported properly.  In the v0.28 release, they were
  not given the correct external attributes and they did not have the
  correct linkage visibility in the v0.28 library.

v0.28
-----

### Changes or improvements

* The library is now always built with cdecl calling conventions on
  Windows; the ability to build a stdcall library has been removed.

* Reference log creation now honors `core.logallrefupdates=always`.

* Fix some issues with the error-reporting in the OpenSSL backend.

* HTTP proxy support is now builtin; libcurl is no longer used to support
  proxies and is removed as a dependency.

* Certificate and credential callbacks can now return `GIT_PASSTHROUGH`
  to decline to act; libgit2 will behave as if there was no callback set
  in the first place.

* The line-ending filtering logic - when checking out files - has been
  updated to match newer git (>= git 2.9) for proper interoperability.

* Symbolic links are now supported on Windows when `core.symlinks` is set
  to `true`.

* Submodules with names which attempt to perform path traversal now have their
  configuration ignored. Such names were blindly appended to the
  `$GIT_DIR/modules` and a malicious name could lead to an attacker writing to
  an arbitrary location. This matches git's handling of CVE-2018-11235.

* Object validation is now performed during tree creation in the
  `git_index_write_tree_to` API.

* Configuration variable may now be specified on the same line as a section
  header; previously this was erroneously a parser error.

* When an HTTP server supports both NTLM and Negotiate authentication
  mechanisms, we would previously fail to authenticate with any mechanism.

* The `GIT_OPT_SET_PACK_MAX_OBJECTS` option can now set the maximum
  number of objects allowed in a packfile being downloaded; this can help
  limit the maximum memory used when fetching from an untrusted remote.

* Line numbers in diffs loaded from patch files were not being populated;
  they are now included in the results.

* The repository's index is reloaded from disk at the beginning of
  `git_merge` operations to ensure that it is up-to-date.

* Mailmap handling APIs have been introduced, and the new commit APIs
  `git_commit_committer_with_mailmap` and `git_commit_author_with_mailmap`
  will use the mailmap to resolve the committer and author information.
  In addition, blame will use the mailmap given when the
  `GIT_BLAME_USE_MAILMAP` option.

* Ignore handling for files in ignored folders would be ignored.

* Worktrees can now be backed by bare repositories.

* Trailing spaces are supported in `.gitignore` files, these spaces were
  previously (and erroneously) treated as part of the pattern.

* The library can now be built with mbedTLS support for HTTPS.

* The diff status character 'T' will now be presented by the
  `git_diff_status_char` API for diff entries that change type.

* Revision walks previously would sometimes include commits that should
  have been ignored; this is corrected.

* Revision walks are now more efficient when the output is unsorted;
  we now avoid walking all the way to the beginning of history unnecessarily.

* Error-handling around index extension loading has been fixed. We were
  previously always misreporting a truncated index (#4858).

### API additions

* The index may now be iterated atomically using `git_index_iterator`.

* Remote objects can now be created with extended options using the
  `git_remote_create_with_opts` API.

* Diff objects can now be applied as changes to the working directory,
  index or both, emulating the `git apply` command.  Additionally,
  `git_apply_to_tree` can apply those changes to a tree object as a
  fully in-memory operation.

* You can now swap out memory allocators via the
  `GIT_OPT_SET_ALLOCATOR` option with `git_libgit2_opts()`.

* You can now ensure that functions do not discard unwritten changes to the
  index via the `GIT_OPT_ENABLE_UNSAVED_INDEX_SAFETY` option to
  `git_libgit2_opts()`.  This will cause functions that implicitly re-read
  the index (eg, `git_checkout`) to fail if you have staged changes to the
  index but you have not written the index to disk.  (Unless the checkout
  has the FORCE flag specified.)

  At present, this defaults to off, but we intend to enable this more
  broadly in the future, as a warning or error.  We encourage you to
  examine your code to ensure that you are not relying on the current
  behavior that implicitly removes staged changes.

* Reference specifications can be parsed from an arbitrary string with
  the `git_refspec_parse` API.

* You can now get the name and path of worktrees using the
  `git_worktree_name` and `git_worktree_path` APIs, respectively.

* The `ref` field has been added to `git_worktree_add_options` to enable
  the creation of a worktree from a pre-existing branch.

* It's now possible to analyze merge relationships between any two
  references, not just against `HEAD`, using `git_merge_analysis_for_ref`.

### API removals

* The `git_buf_free` API is deprecated; it has been renamed to
  `git_buf_dispose` for consistency.  The `git_buf_free` API will be
  retained for backward compatibility for the foreseeable future.

* The `git_otype` enumeration and its members are deprecated and have
  been renamed for consistency.  The `GIT_OBJ_` enumeration values are
  now prefixed with `GIT_OBJECT_`.  The old enumerations and macros
  will be retained for backward compatibility for the foreseeable future.

* Several index-related APIs have been renamed for consistency.  The
  `GIT_IDXENTRY_` enumeration values and macros have been renamed to
  be prefixed with `GIT_INDEX_ENTRY_`.  The `GIT_INDEXCAP` enumeration
  values are now prefixed with `GIT_INDEX_CAPABILITY_`.  The old
  enumerations and macros will be retained for backward compatibility
  for the foreseeable future.

* The error functions and enumeration values have been renamed for
  consistency.  The `giterr_` functions and values prefix have been
  renamed to be prefixed with `git_error_`; similarly, the `GITERR_`
  constants have been renamed to be prefixed with `GIT_ERROR_`.
  The old enumerations and macros will be retained for backward
  compatibility for the foreseeable future.

### Breaking API changes

* The default checkout strategy changed from `DRY_RUN` to `SAFE` (#4531).

* Adding a symlink as .gitmodules into the index from the workdir or checking
  out such files is not allowed as this can make a Git implementation write
  outside of the repository and bypass the fsck checks for CVE-2018-11235.

Revision 1.32, Thu Dec 13 19:51:48 2018 UTC (4 years, 1 month ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2018Q4-base, pkgsrc-2018Q4
Changes since 1.31: +2 -1 lines

revbump for boost 1.69.0

Revision 1.31, Sat Dec 1 20:18:18 2018 UTC (4 years, 2 months ago) by wiz
Branch: MAIN
Changes since 1.30: +2 -2 lines

libgit2: update to 0.27.7.

v0.27.7
-------

This is a bugfix release with the following changes or improvements:

- Our continuous integration environment has switched from Travis and
  AppVeyor to Azure Pipelines CI.

- Fix adding worktrees for bare repositories.

- Fix parsed patches not computing the old respectively new line
  numbers correctly.

- Fix parsing configuration variables which do not have a section.

- Fix a zero-byte allocation when trying to detect file renames and
  copies of a diff without any hunks.

- Fix a zero-byte allocation when trying to resize or duplicate
  vectors.

- Fix return value when trying to unlock worktrees which aren't
  locked.

- Fix returning an uninitialized error code when preparing a revision
  walk without any pushed commits.

- Fix return value of `git_remote_lookup` when lookup of
  "remote.$remote.tagopt" fails.

- Fix the revision walk always labelling commits as interesting due
  to a mishandling of the commit date.

- Fix the packbuilder inserting uninteresting blobs when adding a
  tree containing references to such blobs.

- Ignore unsupported authentication schemes in HTTP transport.

- Improve performance of `git_remote_prune`.

- Fix detection of whether `qsort_r` has a BSD or GNU function
  signature.

- Fix detection of iconv if it is provided by libc.

v0.27.6
-------

This is a security release fixing the following list of issues:

- The function family `git__strtol` is used to parse integers
  from a buffer. As the functions do not take a buffer length as
  argument, they will scan either until the end of the current
  number or until a NUL byte is encountered. Many callers have
  been misusing the function and called it on potentially
  non-NUL-terminated buffers, resulting in possible out-of-bounds
  reads. Callers have been fixed to use `git__strntol` functions
  instead and `git__strtol` functions were removed.

- The function `git__strntol64` relied on the undefined behavior
  of signed integer overflows. While the code tried to detect
  such overflows after they have happened, this is unspecified
  behavior and may lead to weird behavior on uncommon platforms.

- In the case where `git__strntol32` was unable to parse an
  integer because it doesn't fit into an `int32_t`, it printed an
  error message containing the string that is currently being
  parsed. The code didn't truncate the string though, which
  caused it to print the complete string until a NUL byte is
  encountered and not only the currently parsed number. In case
  where the string was not NUL terminated, this could have led
  to an out-of-bounds read.

- When parsing tags, all unknown fields that appear before the
  tag message are skipped. This skipping is done by using a plain
  `strstr(buffer, "\n\n")` to search for the two newlines that
  separate tag fields from tag message. As it is not possible to
  supply a buffer length to `strstr`, this call may skip over the
  buffer's end and thus result in an out of bounds read. As
  `strstr` may return a pointer that is out of bounds, the
  following computation of `buffer_end - buffer` will overflow
  and result in an allocation of an invalid length. Note that
  when reading objects from the object database, we make sure to
  always NUL terminate them, making the use of `strstr` safe.

- When parsing the "encoding" field of a commit, we may perform
  an out of bounds read due to using `git__prefixcmp` instead of
  `git__prefixncmp`. This can result in the parsed commit object
  containing uninitialized data in both its message encoding and
  message fields. Note that when reading objects from the object
  database, we make sure to always NUL terminate them, making the
  use of `strstr` safe.
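
The first two v0.27.6 items describe an integer parser that takes a buffer length and rejects overflow before it can happen. The C code below is an added example of that pattern, not libgit2's `git__strntol64`; the names `parse_i64_bounded` and `parse_i64_or` and the sample inputs are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Parse a base-10 signed integer from buf[0..len). The function never reads
 * buf[len] or beyond, so the buffer does not need a terminating NUL.
 * Returns 0 on success, -1 when there are no digits or the value does not
 * fit in int64_t. On success *end_out (if non-NULL) points past the digits. */
int parse_i64_bounded(int64_t *out, const char **end_out,
                      const char *buf, size_t len)
{
    const char *p = buf, *end = buf + len;
    uint64_t acc = 0, limit;
    int neg = 0, ndigits = 0;

    while (p < end && (*p == ' ' || *p == '\t'))
        p++;
    if (p < end && (*p == '-' || *p == '+')) {
        neg = (*p == '-');
        p++;
    }

    /* Largest magnitude allowed: 2^63 for negatives, 2^63 - 1 otherwise. */
    limit = neg ? (uint64_t)INT64_MAX + 1u : (uint64_t)INT64_MAX;

    for (; p < end && *p >= '0' && *p <= '9'; p++, ndigits++) {
        uint64_t d = (uint64_t)(*p - '0');
        /* Test acc * 10 + d <= limit without computing the product first,
         * so no signed overflow ever takes place. */
        if (acc > (limit - d) / 10u)
            return -1;
        acc = acc * 10u + d;
    }
    if (ndigits == 0)
        return -1;

    if (!neg)
        *out = (int64_t)acc;
    else if (acc == 0)
        *out = 0;
    else
        *out = -(int64_t)(acc - 1u) - 1;   /* reaches INT64_MIN safely */

    if (end_out != NULL)
        *end_out = p;
    return 0;
}

/* Convenience wrapper: the parsed value, or `fallback` on any error. */
int64_t parse_i64_or(const char *buf, size_t len, int64_t fallback)
{
    int64_t v;
    return parse_i64_bounded(&v, NULL, buf, len) == 0 ? v : fallback;
}

int main(void)
{
    /* Constructed field: four digit bytes and no NUL after them. */
    static const char field[4] = { '1', '2', '3', '4' };

    /* Only the first three bytes belong to the value being parsed. */
    printf("bounded to 3 bytes: %lld\n",
           (long long)parse_i64_or(field, 3, -1));
    printf("INT64_MAX + 1     : %lld (fallback)\n",
           (long long)parse_i64_or("9223372036854775808", 19, -1));
    printf("INT64_MIN         : %lld\n",
           (long long)parse_i64_or("-9223372036854775808", 20, -1));
    return 0;
}
```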

Revision 1.28.2.1, Sat Oct 20 16:18:20 2018 UTC (4 years, 3 months ago) by spz
Branch: pkgsrc-2018Q3
Changes since 1.28: +2 -2 lines

Pullup ticket #5848 - requested by bsiegert
devel/libgit2: security update

Revisions pulled up:
- devel/libgit2/Makefile                                        1.29
- devel/libgit2/distinfo                                        1.14

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   taca
   Date:           Thu Oct 18 14:43:01 UTC 2018

   Modified Files:
           pkgsrc/devel/libgit2: Makefile distinfo

   Log Message:
   devel/libgit2: update to 0.27.5

   libgit2 0.27.5 (2018/10/5)

   This is a security release fixing the following list of issues:

   * Submodule URLs and paths with a leading "-" are now ignored.  This is due to
     the recently discovered CVE-2018-17456, which can lead to arbitrary code
     execution in upstream git.  While libgit2 itself is not vulnerable, it can
     be used to inject options in an implementation which performs a recursive
     clone by executing an external command.

   * When running repack while doing repo writes, packfile_load__cb() could see
     some temporary files in the directory that were bigger than the usual, and
     makes memcmp overflow on the p->pack_name string.  This issue was reported
     and fixed by bisho.

   * The configuration file parser used unbounded recursion to parse multiline
     variables, which could lead to a stack overflow.  The issue was reported by
     the oss-fuzz project, issue 10048 and fixed by Nelson Elhage.

   * The fix to the unbounded recursion introduced a memory leak in the config
     parser.  While this leak was never in a public release, the oss-fuzz project
     reported this as issue 10127.  The fix was implemented by Nelson Elhage and
     Patrick Steinhardt.

   * When parsing "ok" packets received via the smart protocol, our parsing code
     did not correctly verify the bounds of the packets, which could result in a
     heap-buffer overflow.  The issue was reported by the oss-fuzz project, issue
     9749 and fixed by Patrick Steinhardt.

   * The parsing code for the smart protocol has been tightened in general,
     fixing heap-buffer overflows when parsing the packet type as well as for
     "ACK" and "unpack" packets.  The issue was discovered and fixed by Patrick
     Steinhardt.

   * Fixed potential integer overflows on platforms with 16 bit integers when
     parsing packets for the smart protocol.  The issue was discovered and fixed
     by Patrick Steinhardt.

   * Fixed potential NULL pointer dereference when parsing configuration files
     which have "include.path" or "includeIf..path" statements without a value.


   To generate a diff of this commit:
   cvs rdiff -u -r1.28 -r1.29 pkgsrc/devel/libgit2/Makefile
   cvs rdiff -u -r1.13 -r1.14 pkgsrc/devel/libgit2/distinfo

Revision 1.30, Fri Oct 19 12:29:57 2018 UTC (4 years, 3 months ago) by ryoon
Branch: MAIN
Changes since 1.29: +2 -2 lines

Update HOMEPAGE

Revision 1.29, Thu Oct 18 14:43:01 2018 UTC (4 years, 3 months ago) by taca
Branch: MAIN
Changes since 1.28: +2 -2 lines

devel/libgit2: update to 0.27.5

libgit2 0.27.5 (2018/10/5)

This is a security release fixing the following list of issues:

* Submodule URLs and paths with a leading "-" are now ignored.  This is due to
  the recently discovered CVE-2018-17456, which can lead to arbitrary code
  execution in upstream git.  While libgit2 itself is not vulnerable, it can
  be used to inject options in an implementation which performs a recursive
  clone by executing an external command.

* When running repack while doing repo writes, packfile_load__cb() could see
  some temporary files in the directory that were bigger than the usual, and
  makes memcmp overflow on the p->pack_name string.  This issue was reported
  and fixed by bisho.

* The configuration file parser used unbounded recursion to parse multiline
  variables, which could lead to a stack overflow.  The issue was reported by
  the oss-fuzz project, issue 10048 and fixed by Nelson Elhage.

* The fix to the unbounded recursion introduced a memory leak in the config
  parser.  While this leak was never in a public release, the oss-fuzz project
  reported this as issue 10127.  The fix was implemented by Nelson Elhage and
  Patrick Steinhardt.

* When parsing "ok" packets received via the smart protocol, our parsing code
  did not correctly verify the bounds of the packets, which could result in a
  heap-buffer overflow.  The issue was reported by the oss-fuzz project, issue
  9749 and fixed by Patrick Steinhardt.

* The parsing code for the smart protocol has been tightened in general,
  fixing heap-buffer overflows when parsing the packet type as well as for
  "ACK" and "unpack" packets.  The issue was discovered and fixed by Patrick
  Steinhardt.

* Fixed potential integer overflows on platforms with 16 bit integers when
  parsing packets for the smart protocol.  The issue was discovered and fixed
  by Patrick Steinhardt.

* Fixed potential NULL pointer dereference when parsing configuration files
  which have "include.path" or "includeIf..path" statements without a value.

Revision 1.28, Sun Sep 23 15:11:42 2018 UTC (4 years, 4 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2018Q3-base
Branch point for: pkgsrc-2018Q3
Changes since 1.27: +2 -3 lines

devel/libgit2: update to 0.27.4

v0.27.4
-------

This is a security release fixing out-of-bounds reads when
processing smart-protocol "ng" packets.

When parsing an "ng" packet, we keep track of both the current position
as well as the remaining length of the packet itself. But instead of
taking care not to exceed the length, we pass the current pointer's
position to `strchr`, which will search for a certain character until
hitting NUL. It is thus possible to create a crafted packet which
doesn't contain a NUL byte to trigger an out-of-bounds read.

The issue was discovered by the oss-fuzz project, issue 9406.

v0.27.3
-------

This is a security release fixing out-of-bounds reads when
reading objects from a packfile. This corresponds to
CVE-2018-10887 and CVE-2018-10888, which were both reported by
Riccardo Schirone.

When packing objects into a single so-called packfile, objects
may not get stored as complete copies but instead as deltas
against another object "base". A specially crafted delta object
could trigger an integer overflow and thus bypass our input
validation, which may result in copying memory before or after
the base object into the final deflated object. This may lead to
objects containing copies of system memory being written into the
object database. As the hash of those objects cannot be easily
controlled by the attacker, it is unlikely that any of those
objects will be valid and referenced by the commit graph.

Note that the error could also be triggered by the function
`git_apply__patch`. But as this function is not in use outside of
our test suite, it is not a possible attack vector.
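
The v0.27.4 note above contrasts `strchr`, which scans until NUL, with a search that honours the packet's remaining length. The C code below is an added example of the bounded form using `memchr`, not libgit2's parser; the struct, the function names and the sample packet are constructed, and the payload layout `ng <ref> <reason>\n` is assumed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fields of an "ng" payload, as slices into the caller's buffer. */
struct ng_fields {
    const char *ref;
    size_t ref_len;
    const char *msg;
    size_t msg_len;
};

/* Constructed sample payload, for the demo below. */
static const char SAMPLE_NG[] = "ng refs/heads/main non-fast-forward\n";

/* Split line[0..len) into ref and reason. Every search is limited to the
 * bytes that remain in the packet, so a payload without NUL, space or
 * newline is rejected instead of being read past its end.
 * Returns 0 on success, -1 on a malformed payload. */
int parse_ng(struct ng_fields *out, const char *line, size_t len)
{
    const char *end = line + len, *sp, *nl;

    if (len < 3 || memcmp(line, "ng ", 3) != 0)
        return -1;
    line += 3;

    /* strchr(line, ' ') would keep going until a NUL byte turns up. */
    sp = memchr(line, ' ', (size_t)(end - line));
    if (sp == NULL || sp == line)
        return -1;
    out->ref = line;
    out->ref_len = (size_t)(sp - line);

    line = sp + 1;
    nl = memchr(line, '\n', (size_t)(end - line));
    if (nl == NULL || nl == line)
        return -1;
    out->msg = line;
    out->msg_len = (size_t)(nl - line);
    return 0;
}

/* Convenience wrapper: length of the ref name, or -1 if parsing fails. */
int ng_ref_len(const char *buf, size_t len)
{
    struct ng_fields f;
    return parse_ng(&f, buf, len) == 0 ? (int)f.ref_len : -1;
}

int main(void)
{
    struct ng_fields f;
    size_t full = sizeof(SAMPLE_NG) - 1;

    if (parse_ng(&f, SAMPLE_NG, full) == 0)
        printf("ref=%.*s reason=%.*s\n", (int)f.ref_len, f.ref,
               (int)f.msg_len, f.msg);

    /* Declared length stops one byte short of the newline: rejected, even
     * though a newline sits right behind the bound in memory. */
    printf("truncated: %d\n", parse_ng(&f, SAMPLE_NG, full - 1));
    return 0;
}
```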

Revision 1.27, Thu Aug 16 18:54:41 2018 UTC (4 years, 5 months ago) by adam
Branch: MAIN
Changes since 1.26: +2 -1 lines

revbump after boost-libs update

Revision 1.26, Tue Jun 5 18:48:22 2018 UTC (4 years, 8 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2018Q2-base, pkgsrc-2018Q2
Changes since 1.25: +2 -3 lines

libgit2: update to 0.27.1.

v0.27.1
---------

This is a security release fixing insufficient validation of submodule names
(CVE-2018-11235, reported by Etienne Stalmans) and disallows `.gitmodules` files
as symlinks.

While submodule names come from the untrusted ".gitmodules" file, we blindly
append the name to "$GIT_DIR/modules" to construct the final path of the
submodule repository. In case the name contains e.g. "../", an adversary would
be able to escape your repository and write data at arbitrary paths. In
accordance with git, we now enforce some rules for submodule names which will
cause libgit2 to ignore these malicious names.

Adding a symlink as `.gitmodules` into the index from the workdir or checking
out such files is not allowed as this can make a Git implementation write
outside of the repository and bypass the `fsck` checks for CVE-2018-11235.

libgit2 is not susceptible to CVE-2018-11233.
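
Two entries in this log describe checks on untrusted `.gitmodules` values: v0.27.1 ignores submodule names that traverse paths (CVE-2018-11235), and 0.27.5 ignores URLs and paths with a leading "-" (CVE-2018-17456). The C code below is an added example combining both, not libgit2's code; the function names and sample entries are constructed, and the concrete name rule (no ".." path component, non-empty) is an assumption generalised from the "../" case the entry mentions.

```c
#include <stddef.h>
#include <stdio.h>

/* Treat both separators as component boundaries, so a name written with
 * backslashes is judged the same way on every platform. */
static int is_sep(char c)
{
    return c == '/' || c == '\\';
}

/* Returns 1 if `name` is non-empty and has no ".." path component.
 * The name gets appended to "$GIT_DIR/modules", so a ".." component
 * would let the resulting path leave that directory. */
int submodule_name_ok(const char *name)
{
    const char *p = name;

    if (*name == '\0')
        return 0;
    while (*p != '\0') {
        /* p is at the start of a component here. */
        if (p[0] == '.' && p[1] == '.' && (p[2] == '\0' || is_sep(p[2])))
            return 0;
        while (*p != '\0' && !is_sep(*p))
            p++;
        if (*p != '\0')
            p++;            /* step over the separator */
    }
    return 1;
}

/* Returns 1 if `value` cannot be read as a command-line option by a
 * caller that hands it to an external command. */
int submodule_value_ok(const char *value)
{
    return value[0] != '-';
}

/* A submodule entry is used only if all three fields pass. */
int submodule_entry_ok(const char *name, const char *path, const char *url)
{
    return submodule_name_ok(name) &&
           submodule_value_ok(path) &&
           submodule_value_ok(url);
}

int main(void)
{
    /* Constructed entries, as they might be read from a .gitmodules file. */
    static const struct { const char *name, *path, *url; } entries[] = {
        { "libs/zlib",    "vendor/zlib", "https://example.org/zlib.git" },
        { "../../escape", "vendor/a",    "https://example.org/a.git" },
        { "a\\..\\b",     "vendor/b",    "https://example.org/b.git" },
        { "..notes",      "vendor/c",    "https://example.org/c.git" },
        { "d",            "vendor/d",    "--constructed-option" },
        { "e",            "-p",          "https://example.org/e.git" }
    };
    size_t i;

    for (i = 0; i < sizeof(entries) / sizeof(entries[0]); i++)
        printf("%-14s %s\n", entries[i].name,
               submodule_entry_ok(entries[i].name, entries[i].path,
                                  entries[i].url) ? "use" : "ignore");
    return 0;
}
```

The second check matters to the readers the 0.27.5 entry addresses: implementations that perform a recursive clone by executing an external command with these values.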

Revision 1.25, Sun Apr 29 21:31:33 2018 UTC (4 years, 9 months ago) by adam
Branch: MAIN
Changes since 1.24: +2 -1 lines

revbump for boost-libs update

Revision 1.24, Tue Apr 17 10:50:24 2018 UTC (4 years, 9 months ago) by wiz
Branch: MAIN
Changes since 1.23: +2 -2 lines

libgit2: update to 0.27.0.

v0.27
---------

### Changes or improvements

* Improved `p_unlink` in `posix_w32.c` to try and make a file writable
  before sleeping in the retry loop to prevent unnecessary calls to sleep.

* The CMake build infrastructure has been improved to speed up building time.

* A new CMake option "-DUSE_HTTPS=<backend>" makes it possible to explicitly
  choose an HTTP backend.

* A new CMake option "-DSHA1_BACKEND=<backend>" makes it possible to explicitly
  choose an SHA1 backend. The collision-detecting backend is now the default.

* A new CMake option "-DUSE_BUNDLED_ZLIB" makes it possible to explicitly use
  the bundled zlib library.

* A new CMake option "-DENABLE_REPRODUCIBLE_BUILDS" makes it possible to
  generate a reproducible static archive. This requires support from your
  toolchain.

* The minimum required CMake version has been bumped to 2.8.11.

* Writing to a configuration file now preserves the case of the key given by the
  caller for the case-insensitive portions of the key (existing sections are
  used even if they don't match).

* We now support conditional includes in configuration files.

* Fix for handling re-reading of configuration files with includes.

* Fix for reading patches which contain exact renames only.

* Fix for reading patches with whitespace in the compared files' paths.

* We will now fill `FETCH_HEAD` from all passed refspecs instead of overwriting
  with the last one.

* There is a new diff option, `GIT_DIFF_INDENT_HEURISTIC` which activates a
  heuristic which takes into account whitespace and indentation in order to
  produce better diffs when dealing with ambiguous diff hunks.

* Fix for pattern-based ignore rules where files ignored by a rule cannot be
  un-ignored by another rule.

* Sockets opened by libgit2 are now being closed on exec(3) if the platform
  supports it.

* Fix for peeling annotated tags from packed-refs files.

* Fix reading huge loose objects from the object database.

* Fix files not being treated as modified when only the file mode has changed.

* We now explicitly reject adding submodules to the index via
  `git_index_add_frombuffer`.

* Fix handling of `GIT_DIFF_FIND_RENAMES_FROM_REWRITES` raising `SIGABRT` when
  one file has been deleted and another file has been rewritten.

* Fix for WinHTTP not properly handling NTLM and Negotiate challenges.

* When using SSH-based transports, we now repeatedly ask for the passphrase to
  decrypt the private key in case a wrong passphrase is being provided.

* When generating conflict markers, they will now use the same line endings as
  the rest of the file.

### API additions

* The `git_merge_file_options` structure now contains a new setting,
  `marker_size`.  This allows users to set the size of markers that
  delineate the sides of merged files in the output conflict file.
  By default this is 7 (`GIT_MERGE_CONFLICT_MARKER_SIZE`), which
  produces output markers like `<<<<<<<` and `>>>>>>>`.

* `git_remote_create_detached()` creates a remote that is not associated
  to any repository (and does not apply configuration like 'insteadof' rules).
  This is mostly useful for e.g. emulating `git ls-remote` behavior.

* `git_diff_patchid()` lets you generate patch IDs for diffs.

* `git_status_options` now has an additional field `baseline` to allow creating
  status lists against different trees.

* New family of functions to allow creating notes for a specific notes commit
  instead of for a notes reference.

* New family of functions to allow parsing message trailers. This API is still
  experimental and may change in future releases.

### API removals

### Breaking API changes

* Signatures now distinguish between +0000 and -0000 UTC offsets.

* The certificate check callback in the WinHTTP transport will now receive the
  `message_cb_payload` instead of the `cred_acquire_payload`.

* We are now reading symlinked directories under .git/refs.

* We now refuse creating branches named "HEAD".

* We now refuse reading and writing all-zero object IDs into the
  object database.

* We now read the effective user's configuration file instead of the real user's
  configuration in case libgit2 runs as part of a setuid binary.

* The `git_odb_open_rstream` function and its `readstream` callback in the
  `git_odb_backend` interface have changed their signatures to allow providing
  the object's size and type to the caller.

Revision 1.23, Sun Mar 25 08:23:50 2018 UTC (4 years, 10 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2018Q1-base, pkgsrc-2018Q1
Changes since 1.22: +2 -3 lines

Update to 0.26.3

* Fix some security bugs

Changelog:
0.26.3
This is a bugfix release. It includes the following non-exclusive list of
improvements, which have been backported from the master branch:

    Fix cloning of the libgit2 project with git clone --recursive by removing an
    invalid submodule from our testing data.

    Fix endianness of the port in p_getaddrinfo().

    Fix handling of negative gitignore rules with wildcards.

    Fix handling of case-insensitive negative gitignore rules.

    Fix resolving references to a tag if the reference is stored with its fully
    resolved OID in the packed-refs file.

    Fix checkout not treating worktree files as modified when only their mode has
    changed.

    Fix rename detection with GIT_DIFF_FIND_RENAMES_FROM_REWRITES.

    Enable Windows 7 and earlier to use TLS 1.2.

0.26.2
This is a security release fixing memory handling issues when reading crafted
repository index files. The issues allow for possible denial of service due to
allocation of large memory and out-of-bound reads.

As the index is never transferred via the network, exploitation requires an
attacker to have access to the local repository.

0.26.1
This is a security release that includes an update to the bundled zlib
to update it to 1.2.11. Users who build the bundled zlib are vulnerable
to security issues in the prior version.

This does not affect you if you rely on a system-installed version of zlib.
All users of v0.26.0 who use the bundled zlib should upgrade to this release.

Revision 1.22 / (download) - annotate - [select for diffs], Mon Jan 1 21:18:21 2018 UTC (5 years, 1 month ago) by adam
Branch: MAIN
Changes since 1.21: +2 -2 lines
Diff to previous 1.21 (colored)

Revbump after boost update

Revision 1.21 / (download) - annotate - [select for diffs], Mon Nov 20 23:04:05 2017 UTC (5 years, 2 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2017Q4-base, pkgsrc-2017Q4
Changes since 1.20: +2 -1 lines
Diff to previous 1.20 (colored)

libgit2: remove python from bl3.mk

cmake says it's only needed for tests

Revision 1.20 / (download) - annotate - [select for diffs], Thu Aug 24 20:03:11 2017 UTC (5 years, 5 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2017Q3-base, pkgsrc-2017Q3
Changes since 1.19: +2 -1 lines
Diff to previous 1.19 (colored)

Revbump for boost update

Revision 1.19 / (download) - annotate - [select for diffs], Mon Jul 31 14:18:20 2017 UTC (5 years, 6 months ago) by taca
Branch: MAIN
Changes since 1.18: +2 -3 lines
Diff to previous 1.18 (colored)

Update libgit2 to 0.26.0.

libgit2 2017/6/19


This is the first release of the v0.26 series, "Aufschub". The changelog follows.

Changes or improvements

Support for opening, creating and modifying worktrees.

We can now detect SHA1 collisions resulting from the SHAttered attack. These
checks can be enabled at build time via -DUSE_SHA1DC.

Fix for missing implementation of git_merge_driver_source getters.

Fix for installed pkg-config file being broken when the prefix contains
spaces.

We now detect when the hashsum of on-disk objects does not match their
expected hashsum.

We now support open-ended ranges (e.g. "master..", "...master") in our
revision range parsing code.

We now correctly compute ignores with leading "/" in subdirectories.

We now optionally call fsync on loose objects, packfiles and their indexes,
loose references and packed reference files.

We can now build against OpenSSL v1.1 and against LibreSSL.

GIT_MERGE_OPTIONS_INIT now includes a setting to perform rename detection.
This aligns this structure with the default by git_merge and
git_merge_trees when NULL was provided for the options.

Improvements for reading index v4 files.

Perform additional retries for filesystem operations on Windows when files
are temporarily locked by other processes.

API additions

New family of functions to handle worktrees:

git_worktree_list() lets you look up worktrees for a repository.
git_worktree_lookup() lets you get a specific worktree.
git_worktree_open_from_repository() lets you get the associated worktree of a repository.
git_worktree_add lets you create new worktrees.
git_worktree_prune lets you remove worktrees from disk.
git_worktree_lock() and git_worktree_unlock() let you lock and unlock a worktree, respectively.
git_repository_open_from_worktree() lets you open a repository via
git_repository_head_for_worktree() lets you get the current HEAD for a
linked worktree.
git_repository_head_detached_for_worktree() lets you check whether a
linked worktree is in detached HEAD mode.
git_repository_item_path() lets you retrieve paths for various repository
files.

git_repository_commondir() lets you retrieve the common directory of a
repository.

git_branch_is_checked_out() allows you to check whether a branch is checked
out in a repository or any of its worktrees.

git_repository_submodule_cache_all() and
git_repository_submodule_cache_clear() functions allow you to prime or clear
the submodule cache of a repository.

You can disable strict hash verifications via the
GIT_OPT_ENABLE_STRICT_HASH_VERIFICATION option with git_libgit2_opts().

You can enable us calling fsync for various files inside the ".git"
directory by setting the GIT_OPT_ENABLE_FSYNC_GITDIR option with
git_libgit2_opts().

You can now enable "offset deltas" when creating packfiles and negotiating
packfiles with a remote server by setting the GIT_OPT_ENABLE_OFS_DELTA option
with git_libgit2_opts().

You can now set the default share mode on Windows for opening files using
GIT_OPT_SET_WINDOWS_SHAREMODE option with git_libgit2_opts().
You can query the current share mode with GIT_OPT_GET_WINDOWS_SHAREMODE.

git_transport_smart_proxy_options() enables you to get the proxy options for
smart transports.

The GIT_FILTER_INIT macro and the git_filter_init function are provided
to initialize a git_filter structure.

Breaking API changes

clone_checkout_strategy has been removed from
git_submodule_update_option. The checkout strategy used to clone will
be the same strategy specified in checkout_opts.

Revision 1.18 / (download) - annotate - [select for diffs], Sun Apr 30 01:21:33 2017 UTC (5 years, 9 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2017Q2-base, pkgsrc-2017Q2
Changes since 1.17: +2 -1 lines
Diff to previous 1.17 (colored)

Recursive revbump from boost update

Revision 1.13.2.1 / (download) - annotate - [select for diffs], Fri Jan 13 20:34:41 2017 UTC (6 years ago) by bsiegert
Branch: pkgsrc-2016Q4
Changes since 1.13: +3 -4 lines
Diff to previous 1.13 (colored) next main 1.14 (colored)

Pullup ticket #5191 - requested by taca
devel/libgit2: security fix

Revisions pulled up:
- devel/libgit2/Makefile                                        1.14-1.16
- devel/libgit2/PLIST                                           1.6
- devel/libgit2/distinfo                                        1.8

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Sun Jan  1 14:44:09 UTC 2017

   Modified Files:
   	[...]
   	pkgsrc/devel/libgit2: Makefile
   	[...]

   Log Message:
   Add python-3.6 to incompatible versions.

---
   Module Name:	pkgsrc
   Committed By:	adam
   Date:		Sun Jan  1 16:06:40 UTC 2017

   Modified Files:
   	[...]
   	pkgsrc/devel/libgit2: Makefile
   	[...]

   Log Message:
   Revbump after boost update

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Wed Jan 11 00:11:24 UTC 2017

   Modified Files:
   	pkgsrc/devel/libgit2: Makefile PLIST distinfo

   Log Message:
   Update libgit2 to 0.25.1, it includes security problem.

   For full changes, please refer to the CHANGESLOG.md file.

   * libgit2 v0.24.6 and libgit2 v0.25.1, January 9th, 2017

   Includes two fixes, one performs extra sanitization for some edge cases in
   the Git Smart Protocol which can lead to attempting to parse outside of the
   buffer.

   The second fix affects the certificate check callback. It provides a valid
   parameter to indicate whether the native cryptographic library considered
   the certificate to be correct. This parameter is always 1/true before these
   releases leading to a possible MITM.

   This does not affect you if you do not use the custom certificate callback
   or if you do not take this value into account. This does affect you if you
   use pygit2 or git2go regardless of whether you specify a certificate check
   callback.

Revision 1.17 / (download) - annotate - [select for diffs], Wed Jan 11 14:25:42 2017 UTC (6 years ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2017Q1-base, pkgsrc-2017Q1
Changes since 1.16: +4 -2 lines
Diff to previous 1.16 (colored)

Add test target.

Allow all python versions.

Revision 1.16 / (download) - annotate - [select for diffs], Wed Jan 11 00:11:24 2017 UTC (6 years ago) by taca
Branch: MAIN
Changes since 1.15: +2 -3 lines
Diff to previous 1.15 (colored)

Update libgit2 to 0.25.1, it includes security problem.

For full changes, please refer to the CHANGESLOG.md file.

* libgit2 v0.24.6 and libgit2 v0.25.1, January 9th, 2017

Includes two fixes, one performs extra sanitization for some edge cases in
the Git Smart Protocol which can lead to attempting to parse outside of the
buffer.

The second fix affects the certificate check callback. It provides a valid
parameter to indicate whether the native cryptographic library considered
the certificate to be correct. This parameter is always 1/true before these
releases leading to a possible MITM.

This does not affect you if you do not use the custom certificate callback
or if you do not take this value into account. This does affect you if you
use pygit2 or git2go regardless of whether you specify a certificate check
callback.

Revision 1.15 / (download) - annotate - [select for diffs], Sun Jan 1 16:06:09 2017 UTC (6 years, 1 month ago) by adam
Branch: MAIN
Changes since 1.14: +2 -2 lines
Diff to previous 1.14 (colored)

Revbump after boost update

Revision 1.14 / (download) - annotate - [select for diffs], Sun Jan 1 14:43:31 2017 UTC (6 years, 1 month ago) by wiz
Branch: MAIN
Changes since 1.13: +2 -2 lines
Diff to previous 1.13 (colored)

Add python-3.6 to incompatible versions.

Revision 1.13 / (download) - annotate - [select for diffs], Fri Oct 7 18:25:43 2016 UTC (6 years, 4 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2016Q4-base
Branch point for: pkgsrc-2016Q4
Changes since 1.12: +2 -1 lines
Diff to previous 1.12 (colored)

Revbump post boost update

Revision 1.12 / (download) - annotate - [select for diffs], Tue Aug 30 10:24:40 2016 UTC (6 years, 5 months ago) by jperkin
Branch: MAIN
CVS Tags: pkgsrc-2016Q3-base, pkgsrc-2016Q3
Changes since 1.11: +5 -5 lines
Diff to previous 1.11 (colored)

Update libgit2 to 0.24.1.

pkgsrc changes:

- re-enable libssh2 support
- ensure pkgsrc curl and http-parser are picked up and enabled

Upstream changes:

2f2575c Updating http parser to accept a `+` in the schema
ff8e3f0 Handle git+ssh:// and ssh+git:// protocols support
fa8b1a8 Adding spec coverage for ssh+git and git+ssh protocols
429155d Updating change to http_parser to reflect PR for nodejs/http-parser
e44f658 Removing #define for SSH_PREFIX_COUNT and using ARRAY_SIZE instead
b8dc15f Adding test cases that actually test the functionality of the new transport
4a93a7f Tabs
8ec3d88 Avoid subtraction overflow in git_indexer_commit
e3862c9 Buffer sideband packet data
cdded63 Remove duplicated calls to git_mwindow_close
eb09ead odb: improved not found error messages
9ee498e Only buffer if necessary.
4ebf745 mwindow: free unused windows if we fail to mmap
ffb1f41 describe: handle error code returned by git_pqueue_insert
e39ad74 config_file: handle missing quotation marks in section header
0370dae Check for __CLANG_INTTYPES_H
faf823d tests: transport: fix memory leaks with registering transports
fa4b93a backport git_oid__cpy_prefix
d0780b8 object: avoid call of memset with ouf of bounds pointer
e114bba index: assert required OID are non-NULL
1a16e8b pack-objects: fix memory leak on overflow
d96c063 submodule: avoid passing NULL pointers to strncmp
851c51a diff_tform: fix potential NULL pointer access
0b357e2 coverity: report errors when uploading tarball
8d3ee96 refdb_fs: fail if refcache returns NULL pointer
dd78d7d blame_git: handle error returned by `git_commit_parent`
f17ed63 blame: handle error when resoling HEAD in normalize_options
18c4ae7 filebuf: handle write error in `lock_file`
89e7604 config_cache: check return value of `git_config__lookup_entry`
c1ec732 Setup better defaults for OpenSSL ciphers
4e91020 Start error string with lower case character
cdde081 Use general cl_git_fail because the error is generic
f587f38 CMake: do not overwrite but only append to CMAKE_C_FLAGS_DEBUG
9a668ab Option "LIBGIT2_PREFIX" to set the CMAKE's TARGET_PROPERTIES PREFIX
d8fcafb Split the page size from the mmap alignment
e97d2d7 commit: fix extraction of single-line signatures
a1cf264 win32: free thread-local data on thread exit
c86a65b config: don't special-case multivars that don't exist yet
3ec0f2e xdiff/xprepare: use the XDF_DIFF_ALG() macro to access flag bits
56da07c xdiff/xprepare: fix a memory leak
fe1f477 Add a no-op size_t typedef for the doc parser
ab062a3 tests: fix core/stream test when built with openssl off
3e2e824 refs: provide a more general error message for dwim
ba52879 reset: use real ids for the tests
b6130fe refs::create: strict object creation on by default
e8d5df9 config: show we write a spurious duplicated section header
a13c1ec config: don't write section header if we're in it
21d8832 config::write::repeated: init our buffer
1778908 ignore: don't use realpath to canonicalize path
26f2cef tree: re-use the id and filename in the odb object
13ebf7b tree: store the entries in a growable array
af753ab tree: drop the now-unnecessary entries vector
1d59c85 status: update test to include valid OID
5cc7a5c tests: skip the unreadable file tests as root
2c1bc36 Plug a few leaks
6a35e74 leaks: fix some leaks in the tests
ccfacb8 leaks: call `xdl_free_classifier`
8edadbf index::racy: force racy entry

Revision 1.11 / (download) - annotate - [select for diffs], Sat Jul 9 13:03:39 2016 UTC (6 years, 7 months ago) by wiz
Branch: MAIN
Changes since 1.10: +2 -2 lines
Diff to previous 1.10 (colored)

Remove python33: adapt all packages that refer to it.

Revision 1.10 / (download) - annotate - [select for diffs], Tue Mar 8 15:33:14 2016 UTC (6 years, 11 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2016Q2-base, pkgsrc-2016Q2, pkgsrc-2016Q1-base, pkgsrc-2016Q1
Changes since 1.9: +2 -3 lines
Diff to previous 1.9 (colored)

Update libgit2 to 0.24.0.

v0.24
-------

### Changes or improvements

* Custom filters can now be registered with wildcard attributes, for
  example `filter=*`.  Consumers should examine the attributes parameter
  of the `check` function for details.

* Symlinks are now followed when locking a file, which can be
  necessary when multiple worktrees share a base repository.

* You can now set your own user-agent to be sent for HTTP requests by
  using the `GIT_OPT_SET_USER_AGENT` with `git_libgit2_opts()`.

* You can set custom HTTP header fields to be sent along with requests
  by passing them in the fetch and push options.

* Tree objects are now assumed to be sorted. If a tree is not
  correctly formed, it will give bad results. This is the git approach
  and cuts a significant amount of time when reading the trees.

* Filter registration is now protected against concurrent
  registration.

* Filenames which are not valid on Windows in an index no longer cause
  parsing of it to fail on that OS.

* Rebases can now be performed purely in-memory, without touching the
  repository's workdir.

* When adding objects to the index, or when creating new tree or commit
  objects, the inputs are validated to ensure that the dependent objects
  exist and are of the correct type.  This object validation can be
  disabled with the GIT_OPT_ENABLE_STRICT_OBJECT_CREATION option.

* The WinHTTP transport's handling of bad credentials now behaves like
  the others, asking for credentials again.

### API additions

* `git_config_lock()` has been added, which allows for
  transactional/atomic complex updates to the configuration, removing
  the opportunity for concurrent operations and not committing any
  changes until the unlock.

* `git_diff_options` added a new callback `progress_cb` to report on the
  progress of the diff as files are being compared. The documentation of
  the existing callback `notify_cb` was updated to reflect that it only
  gets called when new deltas are added to the diff.

* `git_fetch_options` and `git_push_options` have gained a `custom_headers`
  field to set the extra HTTP header fields to send.

* `git_stream_register_tls()` lets you register a callback to be used
  as the constructor for a TLS stream instead of the libgit2 built-in
  one.

* `git_commit_header_field()` allows you to look up a specific header
  field in a commit.

* `git_commit_extract_signature()` extracts the signature from a
  commit and gives you both the signature and the signed data so you
  can verify it.

### API removals

* No APIs were removed in this version.

### Breaking API changes

* The `git_merge_tree_flag_t` is now `git_merge_flag_t`.  Subsequently,
  its members are no longer prefixed with `GIT_MERGE_TREE_FLAG` but are
  now prefixed with `GIT_MERGE_FLAG`, and the `tree_flags` field of the
  `git_merge_options` structure is now named `flags`.

* The `git_merge_file_flags_t` enum is now `git_merge_file_flag_t` for
  consistency with other enum type names.

* `git_cert` descendent types now have a proper `parent` member.

* It is the responsibility of the refdb backend to decide what to do
  with the reflog on ref deletion. The file-based backend must delete
  it, a database-backed one may wish to archive it.

* `git_config_backend` has gained two entries, `lock` and `unlock`,
  with which to implement the transactional/atomic semantics for the
  configuration backend.

* `git_index_add` and `git_index_conflict_add()` will now use the case
  as provided by the caller on case insensitive systems.  Previous
  versions would keep the case as it existed in the index.  This does
  not affect the higher-level `git_index_add_bypath` or
  `git_index_add_frombuffer` functions.

* The `notify_payload` field of `git_diff_options` was renamed to `payload`
  to reflect that it's also the payload for the new progress callback.

* The `git_config_level_t` enum has gained a higher-priority value
  `GIT_CONFIG_LEVEL_PROGRAMDATA` which represents a rough Windows equivalent
  to the system level configuration.

* `git_rebase_init()` now also takes merge options.

* The index no longer performs locking itself. This is not something
  users of the library should have been relying on as it's not part of
  the concurrency guarantees.

Revision 1.9 / (download) - annotate - [select for diffs], Sat Mar 5 11:28:23 2016 UTC (6 years, 11 months ago) by jperkin
Branch: MAIN
Changes since 1.8: +2 -1 lines
Diff to previous 1.8 (colored)

Bump PKGREVISION for security/openssl ABI bump.

Revision 1.8 / (download) - annotate - [select for diffs], Sat Dec 5 21:25:35 2015 UTC (7 years, 2 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2015Q4-base, pkgsrc-2015Q4
Changes since 1.7: +2 -2 lines
Diff to previous 1.7 (colored)

Extend PYTHON_VERSIONS_INCOMPATIBLE to 35

Revision 1.7 / (download) - annotate - [select for diffs], Tue Oct 6 14:56:12 2015 UTC (7 years, 4 months ago) by fhajny
Branch: MAIN
Changes since 1.6: +3 -7 lines
Diff to previous 1.6 (colored)

Update devel/libgit2 to 0.23.3.
Simplify Github distfile handling.
Backport a futimes fix from upstream master, fixes build on SunOS.

Changes since 0.23.2:
- blame: guard xdiff calls for large files
- diff: don't feed large files to xdiff
- merge_file: treat large files as binary
- xdiff: convert size variables to size_t
- GITERR_CHECK_ALLOC_ADDn: multi-arg adders

Revision 1.6 / (download) - annotate - [select for diffs], Sun Sep 13 12:21:13 2015 UTC (7 years, 4 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2015Q3-base, pkgsrc-2015Q3
Changes since 1.5: +4 -5 lines
Diff to previous 1.5 (colored)

Update libgit2 to 0.23.2.

Changes are too many to write here, please refer to:
	<https://github.com/libgit2/libgit2/releases>.

Revision 1.5 / (download) - annotate - [select for diffs], Sun Jul 26 18:06:45 2015 UTC (7 years, 6 months ago) by nros
Branch: MAIN
Changes since 1.4: +2 -1 lines
Diff to previous 1.4 (colored)

Revbump because of security/libssh2 update.

Revision 1.4 / (download) - annotate - [select for diffs], Wed Jun 3 13:14:46 2015 UTC (7 years, 8 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2015Q2-base, pkgsrc-2015Q2
Changes since 1.3: +6 -3 lines
Diff to previous 1.3 (colored)

Update libgit2 to 0.22.2 required by ruby-rugged.

libgit2 v0.22.2 Maintenance Release
@carlosmn carlosmn released this on 25 Mar
12 commits to maint/v0.22 since this release

The following fixes have been backported to this maintenance release.
All users of the library are encouraged to update.

1f25fe9 checkout: report correct invalid path
8633dd9 win32: further cleanups for 8.3 disabling
93be89c win32: cleanup 8.3 disabled tests
728a013 Fix test failures when 8.3 is disabled
1f726d0 git: make sure to close the network stream
3e163b6 checkout: free last created directory
3440c20 Initialize refs vector in git_remote_update_tips().
dcf6c0c Lower case the include directive of windows header
1dd5e28 http: do not try to use the cert callback on unencrypted streams
dd243fe indexer: set an error message on duplicate objects in pack
3a1dc42 Put back the number of expected references to 6 from the test repo
cf688ff Fixed active refspecs not reset by git_remote_upload()
7a5682f http: enforce the credential types
f008aeb branch: do capture the error code
283f31a git_branch_delete() should ignore errors from non-existing reflogs
aa409d5 Fix Mac build without OpenSSL
d884d1c Fix race in git_packfile_unpack.
277d647 Reinit `reader` pointer after reading included config file
3bdcea8 Check rebase options version on public entry points
7d8e4e3 mkdir: respect the root path
69455bc stat: don't remove trailing '/' from root on win32
7aee248 repo: ensure we can create repo at filesystem root
aa926fb Fix branch creation when branch name matches namespace of previously deleted branch
31ea8db Clarified git_repository_is_empty() documentation
ed64a1b Add libssh2's library and include directories.
5c3e01d Ensure the diff hunk callback is specified before trying to dereference it
fe61bb6 Ensure git_index_entry is not NULL before trying to free it
ae0cfac openssl: Add all required includes for AF_INET6 and in6_addr.
4738a33 Fixed git_repository_set_bare() not setting "core.bare" correctly
d0db408 Make sure sys/repository.h includes the required headers
eefe2e8 Fixed typo in git_repository_reinit_filesystem() documentation
8693335 Make binary detection work similar to vanilla git
d95c949 Include ws2tcpip.h in order to get in6_addr
e1314dd Include openssl headers last
09c2477 Fixed error when including git2/include/sys/stream.h
bd0a551 pathspec: do not try to dereference NULL
1ce9ea3 checkout tests: cleanup realpath impl on Win32
f9df7b6 checkout tests: emulate p_realpath poorly on Win32
8d65523 checkout: remove files before writing new ones
b295294 checkout: drop newline in error message
99367df checkout tests: nasty symlinks
9f1c873 checkout: don't recreate previous directory
1ca7fa9 git_path_join_unrooted: return base len
bd0e881 checkout: introduce git_checkout_perfdata

libgit2 v0.21.5 Maintenance Release
@ethomson ethomson released this on 17 Jan

The following (critical) fixes have been backported to this maintenance release.
All users of the library are encouraged to update.

af769f4 checkout: introduce git_checkout_perfdata
fc478d2 git_path_join_unrooted: return base len
629a579 checkout: don't recreate previous directory
dd3c53f checkout tests: nasty symlinks
186177a checkout: drop newline in error message
7268a5a checkout: remove files before writing new ones
e517b62 checkout tests: emulate p_realpath poorly on Win32
9a8753d checkout tests: cleanup realpath impl on Win32
8433078 Introduce test for checkout case-changing rename
d853fb9 Always checkout with case sensitive iterator

Revision 1.3 / (download) - annotate - [select for diffs], Tue Jan 13 23:05:26 2015 UTC (8 years ago) by wiedi
Branch: MAIN
CVS Tags: pkgsrc-2015Q1-base, pkgsrc-2015Q1
Changes since 1.2: +2 -1 lines
Diff to previous 1.2 (colored)

bulk build wants openssl

Revision 1.2 / (download) - annotate - [select for diffs], Wed Oct 29 14:13:27 2014 UTC (8 years, 3 months ago) by fhajny
Branch: MAIN
CVS Tags: pkgsrc-2014Q4-base, pkgsrc-2014Q4
Changes since 1.1: +3 -1 lines
Diff to previous 1.1 (colored)

Explicitly disable libssh2 support, security/libssh2 is too old anyway.

Revision 1.1 / (download) - annotate - [select for diffs], Wed Oct 1 13:12:31 2014 UTC (8 years, 4 months ago) by fhajny
Branch: MAIN

Import devel/libgit2 based on wip/libgit2.

libgit2 is a portable, pure C implementation of the Git core methods provided as
a re-entrant linkable library with a solid API, allowing you to write native
speed custom Git applications in any language which supports C bindings.
