remove unused buildrequires

update to 2.52.0
Build with highlight on all arches on EL8+
2025-12-12 13:32:24 +01:00 · 2025-11-20 13:41:02 +01:00 · 2025-11-17 11:55:29 -05:00 · 2025-10-23 09:34:39 +02:00 · 2025-10-12 18:21:24 -04:00 · 2025-08-21 18:44:54 +02:00
11 changed files with 1125 additions and 934 deletions
--- a/0001-builtin-init-db-handle-bare-clones-when-core.bare-se.patch
+++ b/0001-builtin-init-db-handle-bare-clones-when-core.bare-se.patch
@ -1,81 +0,0 @@
-From 7fc363e4e64f095553e1a1ceed27caef3a33effd Mon Sep 17 00:00:00 2001
-From: "brian m. carlson" <sandals@crustytoothpaste.net>
-Date: Wed, 10 Mar 2021 01:11:20 +0000
-Subject: [PATCH] builtin/init-db: handle bare clones when core.bare set to
- false
-
-In 552955ed7f ("clone: use more conventional config/option layering",
-2020-10-01), clone learned to read configuration options earlier in its
-execution, before creating the new repository.  However, that led to a
-problem: if the core.bare setting is set to false in the global config,
-cloning a bare repository segfaults.  This happens because the
-repository is falsely thought to be non-bare, but clone has set the work
-tree to NULL, which is then dereferenced.
-
-The code to initialize the repository already considers the fact that a
-user might want to override the --bare option for git init, but it
-doesn't take into account clone, which uses a different option.  Let's
-just check that the work tree is not NULL, since that's how clone
-indicates that the repository is bare.  This is also the case for git
-init, so we won't be regressing that case.
-
-Reported-by: Joseph Vusich <jvusich@amazon.com>
-Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
-Signed-off-by: Junio C Hamano <gitster@pobox.com>
-(cherry picked from commit 75555676ad3908b0f847a9ae154c35e12114c82f)
---
- builtin/init-db.c        | 4 ++--
- t/t5606-clone-options.sh | 8 ++++++++
- 2 files changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/builtin/init-db.c b/builtin/init-db.c
-index dcc45bef51..f82efe4aff 100644
--- a/builtin/init-db.c
-+++ b/builtin/init-db.c
-@@ -212,6 +212,7 @@ static int create_default_files(const char *template_path,
- 	int reinit;
- 	int filemode;
- 	struct strbuf err = STRBUF_INIT;
-+	const char *work_tree = get_git_work_tree();
- 
- 	/* Just look for `init.templatedir` */
- 	init_db_template_dir = NULL; /* re-set in case it was set before */
-@@ -235,7 +236,7 @@ static int create_default_files(const char *template_path,
- 	 * We must make sure command-line options continue to override any
- 	 * values we might have just re-read from the config.
- 	 */
-	is_bare_repository_cfg = init_is_bare_repository;
-+	is_bare_repository_cfg = init_is_bare_repository || !work_tree;
- 	if (init_shared_repository != -1)
- 		set_shared_repository(init_shared_repository);
- 
-@@ -299,7 +300,6 @@ static int create_default_files(const char *template_path,
- 	if (is_bare_repository())
- 		git_config_set("core.bare", "true");
- 	else {
-		const char *work_tree = get_git_work_tree();
- 		git_config_set("core.bare", "false");
- 		/* allow template config file to override the default */
- 		if (log_all_ref_updates == LOG_REFS_UNSET)
-diff --git a/t/t5606-clone-options.sh b/t/t5606-clone-options.sh
-index 1da6ddb2c5..428b0aac93 100755
--- a/t/t5606-clone-options.sh
-+++ b/t/t5606-clone-options.sh
-@@ -104,6 +104,14 @@ test_expect_success 'redirected clone -v does show progress' '
- 
- '
- 
-+test_expect_success 'clone does not segfault with --bare and core.bare=false' '
-+	test_config_global core.bare false &&
-+	git clone --bare parent clone-bare &&
-+	echo true >expect &&
-+	git -C clone-bare rev-parse --is-bare-repository >actual &&
-+	test_cmp expect actual
-+'
-+
- test_expect_success 'chooses correct default initial branch name' '
- 	GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME= \
- 	git -c init.defaultBranch=foo init --bare empty &&
-- 
-2.31.1
-
--- a/0001-t-lib-httpd-try-harder-to-find-a-port-for-apache.patch
+++ b/0001-t-lib-httpd-try-harder-to-find-a-port-for-apache.patch
@ -0,0 +1,73 @@
+From 89ccbc15948db9ddbf74530e3fd66dd78ae897ae Mon Sep 17 00:00:00 2001
+From: Todd Zullinger <tmz@pobox.com>
+Date: Sun, 21 Aug 2022 13:49:57 -0400
+Subject: [PATCH] t/lib-httpd: try harder to find a port for apache
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When running multiple builds concurrently, tests which run daemons, like
+apache httpd, sometimes conflict with each other, leading to spurious
+failures:
+
+    ++ /usr/sbin/httpd -d '/tmp/git-t.ck9I/trash directory.t9118-git-svn-funky-branch-names/httpd' \
+       -f /builddir/build/BUILD/git-2.37.2/t/lib-httpd/apache.conf -DDAV -DSVN -c 'Listen 127.0.0.1:9118' \
+       -k start
+    (98)Address already in use: AH00072: make_sock: could not bind to address 127.0.0.1:9118
+    no listening sockets available, shutting down
+    AH00015: Unable to open logs
+    ++ test 1 -ne 0
+
+Try a bit harder to find an open port to use to avoid these intermittent
+failures.  If we fail to start httpd, increment the port number and try
+again.  By default, we make 3 attempts.  This may be overridden by
+setting GIT_TEST_START_HTTPD_TRIES to a different value.
+
+Helped-by: Ondřej Pohořelský <opohorel@redhat.com>
+Signed-off-by: Todd Zullinger <tmz@pobox.com>
+---
+ t/lib-httpd.sh | 29 ++++++++++++++++++-----------
+ 1 file changed, 18 insertions(+), 11 deletions(-)
+
+diff --git a/t/lib-httpd.sh b/t/lib-httpd.sh
+index 2fb1b2ae56..4afdf5a6aa 100644
+--- a/t/lib-httpd.sh
+++ b/t/lib-httpd.sh
+@@ -206,19 +206,26 @@ enable_cgipassauth () {
+ }
+ 
+ start_httpd() {
+-	prepare_httpd >&3 2>&4
+-
+ 	test_atexit stop_httpd
+ 
+-	"$LIB_HTTPD_PATH" -d "$HTTPD_ROOT_PATH" \
+-		-f "$TEST_PATH/apache.conf" $HTTPD_PARA \
+-		-c "Listen 127.0.0.1:$LIB_HTTPD_PORT" -k start \
+-		>&3 2>&4
+-	if test $? -ne 0
+-	then
+-		cat "$HTTPD_ROOT_PATH"/error.log >&4 2>/dev/null
+-		test_skip_or_die GIT_TEST_HTTPD "web server setup failed"
+-	fi
+	i=0
+	while test $i -lt ${GIT_TEST_START_HTTPD_TRIES:-3}
+	do
+		i=$(($i + 1))
+		prepare_httpd >&3 2>&4
+		say >&3 "Starting httpd on port $LIB_HTTPD_PORT"
+		"$LIB_HTTPD_PATH" -d "$HTTPD_ROOT_PATH" \
+			-f "$TEST_PATH/apache.conf" $HTTPD_PARA \
+			-c "Listen 127.0.0.1:$LIB_HTTPD_PORT" -k start \
+			>&3 2>&4
+		test $? -eq 0 && return
+		LIB_HTTPD_PORT=$(($LIB_HTTPD_PORT + 1))
+		export LIB_HTTPD_PORT
+		# clean up modules symlink, prepare_httpd will re-create it
+		rm -f "$HTTPD_ROOT_PATH/modules"
+	done
+	cat "$HTTPD_ROOT_PATH"/error.log >&4 2>/dev/null
+	test_skip_or_die GIT_TEST_HTTPD "web server setup failed"
+ }
+ 
+ stop_httpd() {
--- a/0002-t-lib-git-daemon-try-harder-to-find-a-port.patch
+++ b/0002-t-lib-git-daemon-try-harder-to-find-a-port.patch
@ -0,0 +1,88 @@
+From e90e1068ddc9cfa3badd23b16a46c57ed6d8308a Mon Sep 17 00:00:00 2001
+From: Todd Zullinger <tmz@pobox.com>
+Date: Fri, 26 Aug 2022 18:28:44 -0400
+Subject: [PATCH] t/lib-git-daemon: try harder to find a port
+
+As with the previous commit, try harder to find an open port to avoid
+intermittent failures on busy/shared build systems.
+
+By default, we make 3 attempts.  This may be overridden by setting
+GIT_TEST_START_GIT_DAEMON_TRIES to a different value.
+
+Signed-off-by: Todd Zullinger <tmz@pobox.com>
+---
+ t/lib-git-daemon.sh | 60 ++++++++++++++++++++++++++++-----------------
+ 1 file changed, 37 insertions(+), 23 deletions(-)
+
+diff --git a/t/lib-git-daemon.sh b/t/lib-git-daemon.sh
+index e62569222b..c3e8dda9ff 100644
+--- a/t/lib-git-daemon.sh
+++ b/t/lib-git-daemon.sh
+@@ -51,30 +51,44 @@ start_git_daemon() {
+ 		registered_stop_git_daemon_atexit_handler=AlreadyDone
+ 	fi
+ 
+-	say >&3 "Starting git daemon ..."
+-	mkfifo git_daemon_output
+-	${LIB_GIT_DAEMON_COMMAND:-git daemon} \
+-		--listen=127.0.0.1 --port="$LIB_GIT_DAEMON_PORT" \
+-		--reuseaddr --verbose --pid-file="$GIT_DAEMON_PIDFILE" \
+-		--base-path="$GIT_DAEMON_DOCUMENT_ROOT_PATH" \
+-		"$@" "$GIT_DAEMON_DOCUMENT_ROOT_PATH" \
+-		>&3 2>git_daemon_output &
+-	GIT_DAEMON_PID=$!
+-	{
+-		read -r line <&7
+-		printf "%s\n" "$line" >&4
+-		cat <&7 >&4 &
+-	} 7<git_daemon_output &&
+	i=0
+	while test $i -lt ${GIT_TEST_START_GIT_DAEMON_TRIES:-3}
+	do
+		say >&3 "Starting git daemon on port $LIB_GIT_DAEMON_PORT ..."
+		mkfifo git_daemon_output
+		${LIB_GIT_DAEMON_COMMAND:-git daemon} \
+			--listen=127.0.0.1 --port="$LIB_GIT_DAEMON_PORT" \
+			--reuseaddr --verbose --pid-file="$GIT_DAEMON_PIDFILE" \
+			--base-path="$GIT_DAEMON_DOCUMENT_ROOT_PATH" \
+			"$@" "$GIT_DAEMON_DOCUMENT_ROOT_PATH" \
+			>&3 2>git_daemon_output &
+		GIT_DAEMON_PID=$!
+		{
+			read -r line <&7
+			printf "%s\n" "$line" >&4
+			cat <&7 >&4 &
+		} 7<git_daemon_output &&
+ 
+-	# Check expected output
+-	if test x"$(expr "$line" : "\[[0-9]*\] \(.*\)")" != x"Ready to rumble"
+-	then
+-		kill "$GIT_DAEMON_PID"
+-		wait "$GIT_DAEMON_PID"
+-		unset GIT_DAEMON_PID
+-		test_skip_or_die GIT_TEST_GIT_DAEMON \
+-			"git daemon failed to start"
+-	fi
+		# Check expected output
+		output="$(expr "$line" : "\[[0-9]*\] \(.*\)")"
+		# Return if found
+		test x"$output" = x"Ready to rumble" && return
+		# Increment port for retry if not found
+		LIB_GIT_DAEMON_PORT=$(($LIB_GIT_DAEMON_PORT + 1))
+		export LIB_GIT_DAEMON_PORT
+		GIT_DAEMON_HOST_PORT=127.0.0.1:$LIB_GIT_DAEMON_PORT
+		GIT_DAEMON_URL=git://$GIT_DAEMON_HOST_PORT
+		# unset GIT_DAEMON_PID; remove the fifo & pid file
+		GIT_DAEMON_PID=
+		rm -f git_daemon_output "$GIT_DAEMON_PIDFILE"
+	done
+
+	# Clean up and return failure
+	kill "$GIT_DAEMON_PID"
+	wait "$GIT_DAEMON_PID"
+	unset GIT_DAEMON_PID
+	test_skip_or_die GIT_TEST_GIT_DAEMON \
+		"git daemon failed to start"
+ }
+ 
+ stop_git_daemon() {
--- a/0003-t-lib-git-svn-try-harder-to-find-a-port.patch
+++ b/0003-t-lib-git-svn-try-harder-to-find-a-port.patch
@ -0,0 +1,85 @@
+From 41423d666fd52eaa6aa2b44a0de1b81d0857ca06 Mon Sep 17 00:00:00 2001
+From: Todd Zullinger <tmz@pobox.com>
+Date: Fri, 26 Aug 2022 18:28:44 -0400
+Subject: [PATCH] t/lib-git-svn: try harder to find a port
+
+As with the previous commits, try harder to find an open port to avoid
+intermittent failures on busy/shared build systems.
+
+By default, we make 3 attempts.  This may be overridden by setting
+GIT_TEST_START_SVNSERVE_TRIES to a different value.
+
+Run svnserve in daemon mode and use 'test_atexit' to stop it.  This is
+cleaner than running in the foreground with --listen-once and having to
+manage the PID ourselves.
+
+Signed-off-by: Todd Zullinger <tmz@pobox.com>
+---
+ t/lib-git-svn.sh                    | 34 +++++++++++++++++++++++++----
+ t/t9113-git-svn-dcommit-new-file.sh |  1 -
+ 2 files changed, 30 insertions(+), 5 deletions(-)
+
+diff --git a/t/lib-git-svn.sh b/t/lib-git-svn.sh
+index ea28971e8e..04e660e2ba 100644
+--- a/t/lib-git-svn.sh
+++ b/t/lib-git-svn.sh
+@@ -17,6 +17,7 @@ fi
+ GIT_DIR=$PWD/.git
+ GIT_SVN_DIR=$GIT_DIR/svn/refs/remotes/git-svn
+ SVN_TREE=$GIT_SVN_DIR/svn-tree
+SVNSERVE_PIDFILE="$PWD"/daemon.pid
+ test_set_port SVNSERVE_PORT
+ 
+ svn >/dev/null 2>&1
+@@ -119,10 +120,35 @@ require_svnserve () {
+ }
+ 
+ start_svnserve () {
+-	svnserve --listen-port $SVNSERVE_PORT \
+-		 --root "$rawsvnrepo" \
+-		 --listen-once \
+-		 --listen-host 127.0.0.1 &
+	test_atexit stop_svnserve
+
+	i=0
+	while test $i -lt ${GIT_TEST_START_SVNSERVE_TRIES:-3}
+	do
+		say >&3 "Starting svnserve on port $SVNSERVE_PORT ..."
+		svnserve --listen-port $SVNSERVE_PORT \
+			 --root "$rawsvnrepo" \
+			 --daemon --pid-file="$SVNSERVE_PIDFILE" \
+			 --listen-host 127.0.0.1
+		ret=$?
+		# increment port and retry if unsuccessful
+		if test $ret -ne 0
+		then
+			SVNSERVE_PORT=$(($SVNSERVE_PORT + 1))
+			export SVNSERVE_PORT
+		else
+			break
+		fi
+	done
+}
+
+stop_svnserve () {
+	say >&3 "Stopping svnserve ..."
+	SVNSERVE_PID="$(cat "$SVNSERVE_PIDFILE")"
+	if test -n "$SVNSERVE_PID"
+	then
+		kill "$SVNSERVE_PID" 2>/dev/null
+	fi
+ }
+ 
+ prepare_utf8_locale () {
+diff --git a/t/t9113-git-svn-dcommit-new-file.sh b/t/t9113-git-svn-dcommit-new-file.sh
+index e8479cec7a..5925891f5d 100755
+--- a/t/t9113-git-svn-dcommit-new-file.sh
+++ b/t/t9113-git-svn-dcommit-new-file.sh
+@@ -28,7 +28,6 @@ test_expect_success 'create files in new directory with dcommit' "
+ 	echo hello > git-new-dir/world &&
+ 	git update-index --add git-new-dir/world &&
+ 	git commit -m hello &&
+-	start_svnserve &&
+ 	git svn dcommit
+ 	"
+ 
--- a/git-2.52-sanitize-sideband-channel-messages.patch
+++ b/git-2.52-sanitize-sideband-channel-messages.patch
@ -0,0 +1,275 @@
+From 65e88e659008e2cbf79cf44975406ff0d569a3a9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Poho=C5=99elsk=C3=BD?= <opohorel@redhat.com>
+Date: Thu, 20 Nov 2025 12:24:59 +0100
+Subject: [PATCH] sideband: mask control characters
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The output of `git clone` is a vital component for understanding what
+has happened when things go wrong. However, these logs are partially
+under the control of the remote server (via the "sideband", which
+typically contains what the remote `git pack-objects` process sends to
+`stderr`), and is currently not sanitized by Git.
+
+This makes Git susceptible to ANSI escape sequence injection (see
+CWE-150, https://cwe.mitre.org/data/definitions/150.html), which allows
+attackers to corrupt terminal state, to hide information, and even to
+insert characters into the input buffer (i.e. as if the user had typed
+those characters).
+
+To plug this vulnerability, disallow any control character in the
+sideband, replacing them instead with the common `^<letter/symbol>`
+(e.g. `^[` for `\x1b`, `^A` for `\x01`).
+
+There is likely a need for more fine-grained controls instead of using a
+"heavy hammer" like this, which will be introduced subsequently.
+
+Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+sideband: introduce an "escape hatch" to allow control characters
+
+The preceding commit fixed the vulnerability whereas sideband messages
+(that are under the control of the remote server) could contain ANSI
+escape sequences that would be sent to the terminal verbatim.
+
+However, this fix may not be desirable under all circumstances, e.g.
+when remote servers deliberately add coloring to their messages to
+increase their urgency.
+
+To help with those use cases, give users a way to opt-out of the
+protections: `sideband.allowControlCharacters`.
+
+Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+sideband: do allow ANSI color sequences by default
+
+The preceding two commits introduced special handling of the sideband
+channel to neutralize ANSI escape sequences before sending the payload
+to the terminal, and `sideband.allowControlCharacters` to override that
+behavior.
+
+However, some `pre-receive` hooks that are actively used in practice
+want to color their messages and therefore rely on the fact that Git
+passes them through to the terminal.
+
+In contrast to other ANSI escape sequences, it is highly unlikely that
+coloring sequences can be essential tools in attack vectors that mislead
+Git users e.g. by hiding crucial information.
+
+Therefore we can have both: Continue to allow ANSI coloring sequences to
+be passed to the terminal, and neutralize all other ANSI escape
+sequences.
+
+Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+sideband: default to allowControlCharacters=true
+
+We don't want to change the default Git behaviour, just add the option
+to filter control characters.
+
+Signed-off-by: Ondřej Pohořelský <opohorel@redhat.com>
+---
+ Documentation/config.adoc           |  2 +
+ Documentation/config/sideband.adoc  | 16 ++++++
+ sideband.c                          | 78 ++++++++++++++++++++++++++++-
+ t/t5409-colorize-remote-messages.sh | 31 ++++++++++++
+ 4 files changed, 125 insertions(+), 2 deletions(-)
+ create mode 100644 Documentation/config/sideband.adoc
+
+diff --git a/Documentation/config.adoc b/Documentation/config.adoc
+index 62eebe7c54..dcea3c0c15 100644
+--- a/Documentation/config.adoc
+++ b/Documentation/config.adoc
+@@ -523,6 +523,8 @@ include::config/sequencer.adoc[]
+ 
+ include::config/showbranch.adoc[]
+ 
+include::config/sideband.adoc[]
+
+ include::config/sparse.adoc[]
+ 
+ include::config/splitindex.adoc[]
+diff --git a/Documentation/config/sideband.adoc b/Documentation/config/sideband.adoc
+new file mode 100644
+index 0000000000..c9ba24a02c
+--- /dev/null
+++ b/Documentation/config/sideband.adoc
+@@ -0,0 +1,16 @@
+sideband.allowControlCharacters::
+	By default, control characters that are delivered via the sideband
+	are NOT masked. Use this config setting to prevent potentially
+	unwanted ANSI escape sequences from being sent to the terminal:
++
+--
+	color::
+		Allow ANSI color sequences, line feeds and horizontal tabs,
+		but mask all other control characters.
+	false::
+		Mask all control characters other than line feeds and
+		horizontal tabs.
+	true::
+		Allow all control characters to be sent to the terminal.
+		This is the default.
+--
+\ No newline at end of file
+diff --git a/sideband.c b/sideband.c
+index ea7c25211e..88d1b44a7a 100644
+--- a/sideband.c
+++ b/sideband.c
+@@ -26,6 +26,12 @@ static struct keyword_entry keywords[] = {
+ 	{ "error",	GIT_COLOR_BOLD_RED },
+ };
+ 
+static enum {
+	ALLOW_NO_CONTROL_CHARACTERS = 0,
+	ALLOW_ALL_CONTROL_CHARACTERS = 1,
+	ALLOW_ANSI_COLOR_SEQUENCES = 2
+} allow_control_characters = ALLOW_ALL_CONTROL_CHARACTERS;
+
+ /* Returns a color setting (GIT_COLOR_NEVER, etc). */
+ static enum git_colorbool use_sideband_colors(void)
+ {
+@@ -39,6 +45,25 @@ static enum git_colorbool use_sideband_colors(void)
+ 	if (use_sideband_colors_cached != GIT_COLOR_UNKNOWN)
+ 		return use_sideband_colors_cached;
+ 
+	switch (repo_config_get_maybe_bool(the_repository, "sideband.allowcontrolcharacters", &i)) {
+	case 0: /* Boolean value */
+		allow_control_characters = i ? ALLOW_ALL_CONTROL_CHARACTERS :
+			ALLOW_NO_CONTROL_CHARACTERS;
+		break;
+	case -1: /* non-Boolean value */
+		if (repo_config_get_string_tmp(the_repository, "sideband.allowcontrolcharacters",
+					      &value))
+			; /* huh? `get_maybe_bool()` returned -1 */
+		else if (!strcmp(value, "color"))
+			allow_control_characters = ALLOW_ANSI_COLOR_SEQUENCES;
+		else
+			warning(_("unrecognized value for `sideband."
+				  "allowControlCharacters`: '%s'"), value);
+		break;
+	default:
+		break; /* not configured */
+	}
+
+ 	if (!repo_config_get_string_tmp(the_repository, key, &value))
+ 		use_sideband_colors_cached = git_config_colorbool(key, value);
+ 	else if (!repo_config_get_string_tmp(the_repository, "color.ui", &value))
+@@ -66,6 +91,55 @@ void list_config_color_sideband_slots(struct string_list *list, const char *pref
+ 		list_config_item(list, prefix, keywords[i].keyword);
+ }
+ 
+static int handle_ansi_color_sequence(struct strbuf *dest, const char *src, int n)
+{
+	int i;
+
+	/*
+	 * Valid ANSI color sequences are of the form
+	 *
+	 * ESC [ [<n> [; <n>]*] m
+	 */
+
+	if (allow_control_characters != ALLOW_ANSI_COLOR_SEQUENCES ||
+	    n < 3 || src[0] != '\x1b' || src[1] != '[')
+		return 0;
+
+	for (i = 2; i < n; i++) {
+		if (src[i] == 'm') {
+			strbuf_add(dest, src, i + 1);
+			return i;
+		}
+		if (!isdigit(src[i]) && src[i] != ';')
+			break;
+	}
+
+	return 0;
+}
+
+static void strbuf_add_sanitized(struct strbuf *dest, const char *src, int n)
+{
+	int i;
+
+	if (allow_control_characters == ALLOW_ALL_CONTROL_CHARACTERS) {
+		strbuf_add(dest, src, n);
+		return;
+	}
+
+	strbuf_grow(dest, n);
+	for (; n && *src; src++, n--) {
+		if (!iscntrl(*src) || *src == '\t' || *src == '\n')
+			strbuf_addch(dest, *src);
+		else if ((i = handle_ansi_color_sequence(dest, src, n))) {
+			src += i;
+			n -= i;
+		} else {
+			strbuf_addch(dest, '^');
+			strbuf_addch(dest, 0x40 + *src);
+		}
+	}
+}
+
+ /*
+  * Optionally highlight one keyword in remote output if it appears at the start
+  * of the line. This should be called for a single line only, which is
+@@ -81,7 +155,7 @@ static void maybe_colorize_sideband(struct strbuf *dest, const char *src, int n)
+ 	int i;
+ 
+ 	if (!want_color_stderr(use_sideband_colors())) {
+-		strbuf_add(dest, src, n);
+		strbuf_add_sanitized(dest, src, n);
+ 		return;
+ 	}
+ 
+@@ -114,7 +188,7 @@ static void maybe_colorize_sideband(struct strbuf *dest, const char *src, int n)
+ 		}
+ 	}
+ 
+-	strbuf_add(dest, src, n);
+	strbuf_add_sanitized(dest, src, n);
+ }
+ 
+ 
+diff --git a/t/t5409-colorize-remote-messages.sh b/t/t5409-colorize-remote-messages.sh
+index fa5de4500a..2d40d8c640 100755
+--- a/t/t5409-colorize-remote-messages.sh
+++ b/t/t5409-colorize-remote-messages.sh
+@@ -98,4 +98,35 @@ test_expect_success 'fallback to color.ui' '
+ 	grep "<BOLD;RED>error<RESET>: error" decoded
+ '
+ 
+test_expect_success 'disallow (color) control sequences in sideband' '
+	write_script .git/color-me-surprised <<-\EOF &&
+	printf "error: Have you \\033[31mread\\033[m this?\\a\\n" >&2
+	exec "$@"
+	EOF
+	test_config_global uploadPack.packObjectshook ./color-me-surprised &&
+	test_commit need-at-least-one-commit &&
+
+	git -c sideband.allowControlCharacters=color \
+		clone --no-local . throw-away 2>stderr &&
+	test_decode_color <stderr >decoded &&
+	test_grep RED decoded &&
+	test_grep "\\^G" stderr &&
+	tr -dc "\\007" <stderr >actual &&
+	test_must_be_empty actual &&
+
+	rm -rf throw-away &&
+	git -c sideband.allowControlCharacters=false \
+		clone --no-local . throw-away 2>stderr &&
+	test_decode_color <stderr >decoded &&
+	test_grep ! RED decoded &&
+	test_grep "\\^G" stderr &&
+
+	rm -rf throw-away &&
+	git -c sideband.allowControlCharacters clone --no-local . throw-away 2>stderr &&
+	test_decode_color <stderr >decoded &&
+	test_grep RED decoded &&
+	tr -dc "\\007" <stderr >actual &&
+	test_file_not_empty actual
+'
+
+ test_done
+-- 
+2.51.1
+
--- a/git-test-apache-davlockdbtype-config.patch
+++ b/git-test-apache-davlockdbtype-config.patch
@ -0,0 +1,14 @@
+diff -ur b/t/lib-httpd/apache.conf a/t/lib-httpd/apache.conf
+--- b/t/lib-httpd/apache.conf	2024-01-09 11:06:46.660868023 +0100
+++ a/t/lib-httpd/apache.conf	2024-01-09 11:09:09.572713625 +0100
+@@ -272,7 +272,9 @@
+ <IfDefine DAV>
+ 	LoadModule dav_module modules/mod_dav.so
+ 	LoadModule dav_fs_module modules/mod_dav_fs.so
+-
+	<IfDirective DavLockDBType>
+   		DavLockDBType sdbm
+	</IfDirective>
+ 	DAVLockDB DAVLock
+ 	<Location /dumb/>
+ 		Dav on
--- a/git.rpmlintrc
+++ b/git.rpmlintrc
@ -1,5 +1,3 @@
-from Config import *
-
 # the dictionary is a bit limited
 addFilter("git.* spelling-error %description .* subpackages")
 addFilter("git-subtree.* spelling-error %description .* (subdirectory|subproject|subtree)")
@ -7,6 +5,9 @@ addFilter("git-subtree.* spelling-error %description .* (subdirectory|subproject
 # git-core-doc requires git-core, which provides the symlink target
 addFilter("git(-core-doc)?\..*: W: dangling-relative-symlink /usr/share/doc/git/contrib/hooks ../../../git-core/contrib/hooks")

+# gitk requires git, which provides the symlink target
+addFilter("gitk\.noarch: W: dangling-relative-symlink /usr/share/bash-completion/completions/gitk git")
+
 # git-gui requires git, which provides the git binary
 addFilter("git-gui.noarch: W: desktopfile-without-binary /usr/share/applications/git-gui.desktop git")

@ -23,5 +24,19 @@ addFilter("git-core\..*: W: no-manual-page-for-binary")
 # similarly ignore the warning when git-cvs and git-p4 are disabled
 addFilter("git.* obsolete-not-provided git-(cvs|gnome-keyring|p4)")

-# we BR emacs which requires emacs-common and provides %{_emacs_version}
-addFilter("git.(spec|src): .* Possible unexpanded macro in: Requires:.*emacs-filesystem >= %{_emacs_version}")
+# git-svn has both man and html docs and only a single command
+addFilter('git-svn\..*: W: package-with-huge-docs')
+
+# ignore potential "bashisms" in docs
+addFilter('git-core-doc\.noarch: W: potential-bashisms /usr/share/doc/git/')
+
+# ignore unused-direct-shlib-dependency for libpcre; while it probably could be
+# removed from some binaries, the cost of doing so isn't worth the gain.
+addFilter('git-(core|daemon)\..*: W: unused-direct-shlib-dependency .* /lib64/libpcre2-.*')
+
+# ignore duplicate gvimdiff/nvimdiff files; they are only 29 bytes, sourcing the same base
+# vimdiff mergetool
+addFilter('git-core\..*: W: files-duplicate /usr/libexec/git-core/mergetools/[gn]vimdiff')
+
+# ignore non-standard-dir-in-var for gitweb (#479613)
+addFilter('gitweb.noarch: W: non-standard-dir-in-var www')
--- a/git.skip-test-patterns
+++ b/git.skip-test-patterns
@ -1,19 +1,28 @@
+^ok 1 # SKIP enable client-side http/2 \(missing HTTP2\)$
 expensive 2GB clone test; enable with GIT_TEST_CLONE_2GB=true
 filesystem does not corrupt utf-8
+fsmonitor--daemon is not supported on this platform
 GIT_SKIP_TESTS
 missing AUTOIDENT
+missing BUILTIN_TXT_
 missing CASE_INSENSITIVE_FS
 missing DONTHAVEIT
-missing EXPENSIVE
+missing ([!]LONG_IS_64BIT,)?EXPENSIVE
+missing FSMONITOR_DAEMON
 missing JGIT
 missing !?LAZY_(TRUE|FALSE)
 missing MINGW
 missing NATIVE_CRLF
 missing !PCRE
 missing !PTHREADS
+missing !REFFILES
 missing RFC1991
+missing RUNTIME_PREFIX
+missing SYMLINKS_WINDOWS
 missing TAR_NEEDS_PAX_FALLBACK
 missing UTF8_NFD_TO_NFC
+missing WINDOWS
+skipped: skip all tests in t5559
 skipping case insensitive tests
 skipping git p4 tests
 skipping remote-svn tests, python not available
@ -21,3 +30,4 @@ skipping svn-info test
 skipping Windows-(only path|specific) tests
 Test requiring writable / skipped
 used to test external credential helpers
+You must set env var GIT_TEST_ALLOW_SUDO=YES in order to run this test
--- a/git.spec
+++ b/git.spec
--- a/13
+++ b/13
@ -10,4 +10,17 @@ for exit_file in t/test-results/*.exit; do
    printf '\n%s\n%s\n%s\n' "$sep" "$out_file" "$sep"
    cat "$out_file"
 done
+
+# tar up test-results & $testdir, then print base64 encoded output
+#
+# copy $testdir contents to test-results to avoid absolute paths with tar
+cp -a $testdir/* t/test-results/
+begin='-----BEGIN BASE64 MESSAGE-----'
+end='-----END BASE64 MESSAGE-----'
+printf '\n%s\n' 'test-results and trash directory output follows; decode via:'
+printf '%s\n' "sed -n '/^${begin}$/,/^${end}$/{/^${begin}$/!{/^${end}$/!p}}' build.log | base64 -d >output.tar.zst"
+printf '%s\n' "$begin"
+tar -C t -cf - test-results/ | zstdmt -17 | base64
+printf '%s\n' "$end"
+
 exit 1
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (git-2.31.1.tar.xz) = 9aa334a3e8519700ff5d112153ec42677722980094caa9d22aa91afdb65166bd9a98fa445c0d327c428ebfa73bf4832e9b3836109a1d9319feafe3191cfd170e
-SHA512 (git-2.31.1.tar.sign) = 0a721876f9869d1dc9a43e7f83f8e63a3d8fa932ff2d2e69bb98f3e314e2e9a896c2171cb6a020d6c6e929fdf1af736dbeb3f25f93fb4d359a9aaa5b859069c3
+SHA512 (git-2.52.0.tar.xz) = 965e5ebb72d1f080d64e34bdb75f0bb1689c9dd41dcf63b020d986bad49808ac09bfb1115962bc0c5b95bac8622367ac4cd09aa89266f73d2137fe94c90dd3ed
+SHA512 (git-2.52.0.tar.sign) = a5a68ce131a5763650c477ec01a4de958dd6a946bdea0f613e26bdab41d2df6b3ca63f9028bbe603bf0c834bd415c86e6c616b1ff08cc48aa7c3c61a37b24b74