From 83ca71dc73f5fc3de48e01d432a0ceec458a837c Mon Sep 17 00:00:00 2001 From: Todd Zullinger Date: Fri, 29 May 2020 15:56:45 -0400 Subject: [PATCH 1/3] revert to protocol v0 by default The default fetch protocol was changed to v2 in 2.26.0. Subsequently, users of the linux-next and other kernel repositories have reported significantly higher than expected sizes when fetching. The cause was tracked down and 2.27.0 will include a fix this issue. Revert the protocol v0 by default in 2.26.0 using the patch from Jonathan Nieder. References: https://github.com/git/git/commit/11c7f2a30b https://lore.kernel.org/git/20200422084254.GA27502@furthur.local/ --- ...-fetch-default-to-protocol-version-2.patch | 48 +++++++++++++++++++ git.spec | 9 +++- 2 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 0001-Revert-fetch-default-to-protocol-version-2.patch
diff --git a/0001-Revert-fetch-default-to-protocol-version-2.patch b/0001-Revert-fetch-default-to-protocol-version-2.patch
new file mode 100644
index 0000000..3efbbdf
--- /dev/null
+++ b/0001-Revert-fetch-default-to-protocol-version-2.patch
@@ -0,0 +1,48 @@
+From 11c7f2a30b9dadcccc7bde66a34e0cb0cb5cf52c Mon Sep 17 00:00:00 2001
+From: Jonathan Nieder
+Date: Wed, 22 Apr 2020 08:50:47 -0700
+Subject: [PATCH] Revert "fetch: default to protocol version 2"
+
+This reverts commit 684ceae32dae726c6a5c693b257b156926aba8b7.
+
+Users fetching from linux-next and other kernel remotes are reporting
+that the limited ref advertisement causes negotiation to reach
+MAX_IN_VAIN, resulting in too-large fetches.
+
+Reported-by: Lubomir Rintel
+Reported-by: "Dixit, Ashutosh"
+Reported-by: Jiri Slaby
+Reported-by: Konstantin Ryabitsev
+Signed-off-by: Jonathan Nieder
+Signed-off-by: Junio C Hamano
+---
+ Documentation/config/protocol.txt | 2 +-
+ protocol.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Documentation/config/protocol.txt b/Documentation/config/protocol.txt
+index 756591d77b080..0b40141613e3d 100644
+--- a/Documentation/config/protocol.txt
++++ b/Documentation/config/protocol.txt
+@@ -48,7 +48,7 @@ protocol.version::
+ If set, clients will attempt to communicate with a server
+ using the specified protocol version. If the server does
+ not support it, communication falls back to version 0.
+- If unset, the default is `2`.
++ If unset, the default is `0`.
+ Supported versions:
+ +
+ --
+diff --git a/protocol.c b/protocol.c
+index 803bef5c87e00..d390391ebac80 100644
+--- a/protocol.c
++++ b/protocol.c
+@@ -39,7 +39,7 @@ enum protocol_version get_protocol_version_config(void)
+ return env;
+ }
+
+- return protocol_v2;
++ return protocol_v0;
+ }
+
+ enum protocol_version determine_protocol_version_server(void)
diff --git a/git.spec b/git.spec
index bebca5a..c9412e4 100644
--- a/git.spec
+++ b/git.spec
@@ -85,7 +85,7 @@
 Name: git
 Version: 2.26.2
-Release: 1%{?rcrev}%{?dist}
+Release: 2%{?rcrev}%{?dist}
 Summary: Fast Version Control System
 License: GPLv2
 URL: https://git-scm.com/
@@ -124,6 +124,10 @@ Patch1: 0001-sequencer-don-t-abbreviate-a-command-if-it-doesn-t-h.patch
 # https://github.com/git/git/commit/de9f1d3ef4
 Patch2: 0002-t3432-test-merge-with-rebase.abbreviateCommands-true.patch
+# Revert to protocol v0. Discussion in the thread starting at:
+# https://lore.kernel.org/git/20200422084254.GA27502@furthur.local/
+Patch3: https://github.com/git/git/commit/11c7f2a30b.patch#/0001-Revert-fetch-default-to-protocol-version-2.patch
+
 %if %{with docs}
 # pod2man is needed to build Git.3pm
 BuildRequires: %{_bindir}/pod2man
@@ -1060,6 +1064,9 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %{?with_docs:%{_pkgdocdir}/git-svn.html}
 %changelog
+* Fri May 29 2020 Todd Zullinger - 2.26.2-2
+- revert to protocol v0 by default
+
 * Mon Apr 20 2020 Todd Zullinger - 2.26.2-1
 - update to 2.26.2 (CVE-2020-11008)
From e3f4910f7a22ef040289e8fd501425b4c3790092 Mon Sep 17 00:00:00 2001 From: Todd Zullinger Date: Tue, 9 Mar 2021 13:56:42 -0500 Subject: [PATCH 2/3] update to 2.26.3 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This release includes a fix for CVE-2021-21300¹. Release notes: https://github.com/git/git/raw/v2.26.3/Documentation/RelNotes/2.26.3.txt ¹ Per the 2.17.6 release notes on CVE-2021-21300: On case-insensitive file systems with support for symbolic links, if Git is configured globally to apply delay-capable clean/smudge filters (such as Git LFS), Git could be fooled into running remote code during a clone. --- git.spec | 7 +++++-- sources | 4 ++-- 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/git.spec b/git.spec
index c9412e4..ae10b11 100644
--- a/git.spec
+++ b/git.spec
@@ -84,8 +84,8 @@
 #global rcrev .rc0
 Name: git
-Version: 2.26.2
-Release: 2%{?rcrev}%{?dist}
+Version: 2.26.3
+Release: 1%{?rcrev}%{?dist}
 Summary: Fast Version Control System
 License: GPLv2
 URL: https://git-scm.com/
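Review bot: The `Patch3:` line added in the `@@ -124,6 +124,10 @@` hunk of git.spec points at the upstream commit by a 10-character abbreviated id, while the bundled patch file's own first line carries the full object name. Using the full id in the URL, `Patch3: https://github.com/git/git/commit/11c7f2a30b9dadcccc7bde66a34e0cb0cb5cf52c.patch#/0001-Revert-fetch-default-to-protocol-version-2.patch`, keeps the reference unambiguous for anyone who re-downloads the patch to compare it against the copy committed here. The comment above it could also record when the patch is meant to be dropped, for example `# Drop once the negotiation fix expected in 2.27.0 is packaged`, since the commit message describes this as a stopgap.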
@@ -1064,6 +1064,9 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %{?with_docs:%{_pkgdocdir}/git-svn.html}
 %changelog
+* Tue Mar 09 2021 Todd Zullinger - 2.26.3-1
+- update to 2.26.3 (CVE-2021-21300)
+
 * Fri May 29 2020 Todd Zullinger - 2.26.2-2
 - revert to protocol v0 by default
diff --git a/sources b/sources
index 551ebf0..b6b1898 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (git-2.26.2.tar.xz) = 5d92d07b171c5cd6e89a29c1211c73c1c900cd51c74d690aebfb4a3d0e93b541b09b42b6d6a1a82f5c3d953096771f9a8605c63be139f559f58698c1a0eabcfc
-SHA512 (git-2.26.2.tar.sign) = c53a607eda0bf83bf3593e8d68b833ef3ee99976434a97def5dcc25f31e79ff3e79f832b61508509d43d3111df106dde80ff6c9f7ada34ae53e7b4da17b06ed7
+SHA512 (git-2.26.3.tar.xz) = a88f8ab156f12770590110b30da83631f19a349f3b7af25fd0a5e8f03c78daec0a4935e9a1a5637f100c147cc57fca4aa3386e18756a6382983e7baa7456e398
+SHA512 (git-2.26.3.tar.sign) = a1ece2c1f12832e9ae017e1d7d6930bb8db9a1b73e638dd2a443eb45d61a4c09e5a74a5de1a424bd1b988e8ec4ac00d84659ff8690593ffb069e42f5a07a1fb5
From 3988c2d30fb543009850876c3f28668b3d72dd80 Mon Sep 17 00:00:00 2001
From: Todd Zullinger Date: Wed, 10 Mar 2021 12:02:59 -0500 Subject: [PATCH 3/3] Revert "revert to protocol v0 by default" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The patch applied to revert to protocol v0 by default causes at least one test failure¹. While I suspect this is an issue in the test suite, without taking the time to prove that I cannot reasonably push the change as an update. Since we've had no bug reports files for issues with protocol v2 by default, let's leave it as-is for the remainder of f32's life. This reverts commit 83ca71dc73f5fc3de48e01d432a0ceec458a837c. ¹ The failure is in t5500-fetch-pack's "fetch with --filter=blob:limit=0 and HTTP" test case. From the test logs: ++ git -C client fetch --filter=blob:limit=0 origin HEAD:somewhere error: http://127.0.0.1:5500/smart/server did not send all necessary objects error: last command exited with $?=1 --- ...-fetch-default-to-protocol-version-2.patch | 48 ------------------- git.spec | 9 ++-- 2 files changed, 4 insertions(+), 53 deletions(-) delete mode 100644 0001-Revert-fetch-default-to-protocol-version-2.patch
diff --git a/0001-Revert-fetch-default-to-protocol-version-2.patch b/0001-Revert-fetch-default-to-protocol-version-2.patch
deleted file mode 100644
index 3efbbdf..0000000
--- a/0001-Revert-fetch-default-to-protocol-version-2.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 11c7f2a30b9dadcccc7bde66a34e0cb0cb5cf52c Mon Sep 17 00:00:00 2001
-From: Jonathan Nieder
-Date: Wed, 22 Apr 2020 08:50:47 -0700
-Subject: [PATCH] Revert "fetch: default to protocol version 2"
-
-This reverts commit 684ceae32dae726c6a5c693b257b156926aba8b7.
-
-Users fetching from linux-next and other kernel remotes are reporting
-that the limited ref advertisement causes negotiation to reach
-MAX_IN_VAIN, resulting in too-large fetches.
-
-Reported-by: Lubomir Rintel
-Reported-by: "Dixit, Ashutosh"
-Reported-by: Jiri Slaby
-Reported-by: Konstantin Ryabitsev
-Signed-off-by: Jonathan Nieder
-Signed-off-by: Junio C Hamano
----
- Documentation/config/protocol.txt | 2 +-
- protocol.c | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/Documentation/config/protocol.txt b/Documentation/config/protocol.txt
-index 756591d77b080..0b40141613e3d 100644
---- a/Documentation/config/protocol.txt
-+++ b/Documentation/config/protocol.txt
-@@ -48,7 +48,7 @@ protocol.version::
- If set, clients will attempt to communicate with a server
- using the specified protocol version. If the server does
- not support it, communication falls back to version 0.
-- If unset, the default is `2`.
-+ If unset, the default is `0`.
- Supported versions:
- +
- --
-diff --git a/protocol.c b/protocol.c
-index 803bef5c87e00..d390391ebac80 100644
---- a/protocol.c
-+++ b/protocol.c
-@@ -39,7 +39,7 @@ enum protocol_version get_protocol_version_config(void)
- return env;
- }
-
-- return protocol_v2;
-+ return protocol_v0;
- }
-
- enum protocol_version determine_protocol_version_server(void)
diff --git a/git.spec b/git.spec
index ae10b11..cdcb9bd 100644
--- a/git.spec
+++ b/git.spec
@@ -85,7 +85,7 @@
 Name: git
 Version: 2.26.3
-Release: 1%{?rcrev}%{?dist}
+Release: 2%{?rcrev}%{?dist}
 Summary: Fast Version Control System
 License: GPLv2
 URL: https://git-scm.com/
@@ -124,10 +124,6 @@ Patch1: 0001-sequencer-don-t-abbreviate-a-command-if-it-doesn-t-h.patch
 # https://github.com/git/git/commit/de9f1d3ef4
 Patch2: 0002-t3432-test-merge-with-rebase.abbreviateCommands-true.patch
-# Revert to protocol v0. Discussion in the thread starting at:
-# https://lore.kernel.org/git/20200422084254.GA27502@furthur.local/
-Patch3: https://github.com/git/git/commit/11c7f2a30b.patch#/0001-Revert-fetch-default-to-protocol-version-2.patch
-
 %if %{with docs}
 # pod2man is needed to build Git.3pm
 BuildRequires: %{_bindir}/pod2man
@@ -1064,6 +1060,9 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %{?with_docs:%{_pkgdocdir}/git-svn.html}
 %changelog
+* Wed Mar 10 2021 Todd Zullinger - 2.26.3-2
+- revert "revert to protocol v0 by default"
+
 * Tue Mar 09 2021 Todd Zullinger - 2.26.3-1
 - update to 2.26.3 (CVE-2021-21300)