Resolves: CVE-2014-9938

do not put unsanitized branch names in $PS1

.gitignore

@@ -1,8 +1,6 @@
 *~
-*.gpg
 *.rpm
-*.sign
+*.tar.gz
 *.tar.xz
 /.build*.log
 /git-*/
-/results_git/

.mailmap

@@ -1,18 +0,0 @@
-<atkac@redhat.com> <atkac@fedoraproject.org>
-<atkac@redhat.com> <vonsch@gmail.com>
-<bernie@codewiz.org> <bernie@fedoraproject.org>
-<Christian.Iseli@licr.org> <c4chris@fedoraproject.org>
-<dennis@ausil.us> <ausil@fedoraproject.org>
-<dwmw2@infradead.org> <David.Woodhouse@intel.com>
-James Bowes <jbowes@redhat.com> <jbowes@fedoraproject.org>
-<jkeating@redhat.com> <jkeating@fedoraproject.org>
-Josh Boyer <jwboyer@gmail.com> <jwboyer@fedoraproject.org>
-<katzj@redhat.com> <katzj@fedoraproject.org>
-<lkundrak@redhat.com> <lkundrak@fedoraproject.org>
-<mmaslano@redhat.com> <mmaslano@fedoraproject.org>
-<releng@fedoraproject.org> <rel-eng@lists.fedoraproject.org>
-<skasal@redhat.com> <kasal@fedoraproject.org>
-<tmraz@redhat.com> <tmraz@fedoraproject.org>
-<tmz@pobox.com> <tmz@fedoraproject.org>
-<ville.skytta@iki.fi> <scop@fedoraproject.org>
-<xavier@bachelot.org> <xavierb@fedoraproject.org>

0001-Drop-DESTDIR-from-python-instlibdir.patch

@@ -0,0 +1,29 @@
+From d40d33173dc24d9b7ad6f5071994f90b5f9a71e8 Mon Sep 17 00:00:00 2001
+From: Todd Zullinger <tmz@pobox.com>
+Date: Wed, 27 Mar 2013 14:01:57 -0400
+Subject: [PATCH] Drop DESTDIR from python instlibdir
+
+When building packages, we install to DESTDIR but we don't want this to
+end up hard-coded in the scripts.
+
+This needs discussed upstream to find a proper solution.
+---
+ git_remote_helpers/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/git_remote_helpers/Makefile b/git_remote_helpers/Makefile
+index 3d12232..36d40b5 100644
+--- a/git_remote_helpers/Makefile
++++ b/git_remote_helpers/Makefile
+@@ -38,7 +38,7 @@ install: $(pysetupfile)
+ 	$(PYTHON_PATH) $(pysetupfile) install --prefix $(DESTDIR_SQ)$(prefix)
+ 
+ instlibdir: $(pysetupfile)
+-	@echo "$(DESTDIR_SQ)$(prefix)/$(PYLIBDIR)"
++	@echo "$(prefix)/$(PYLIBDIR)"
+ 
+ clean:
+ 	$(QUIET)$(PYTHON_PATH) $(pysetupfile) $(QUIETSETUP) clean -a
+-- 
+1.8.1
+

0001-Fix-CVE-2016-2315-CVE-2016-2324.patch

@@ -0,0 +1,116 @@
+From 5857966a36f9c553e73e375455a246896aeba73f Mon Sep 17 00:00:00 2001
+From: Petr Stodulka <pstodulk@redhat.com>
+Date: Fri, 18 Mar 2016 17:14:32 +0100
+Subject: [PATCH] Fix CVE-2016-2315 CVE-2016-2324
+
+- added upstream macros for detecting size_t overflow (much more just
+  for easier related changes in future, if we want to do some yet)
+- upstream solution removes function path_name() and modify all related
+  part of code to replace this function. However, it's too hard for
+  backport to such old version of git without unchanged behaviour,
+  so application just die with error message instead.
+---
+ diff.h            |  4 ++--
+ git-compat-util.h | 34 ++++++++++++++++++++++++++++++++++
+ revision.c        | 11 ++++++++---
+ 3 files changed, 44 insertions(+), 5 deletions(-)
+
+diff --git a/diff.h b/diff.h
+index 78b4091..18dabf0 100644
+--- a/diff.h
++++ b/diff.h
+@@ -201,8 +201,8 @@ struct combine_diff_path {
+ 	} parent[FLEX_ARRAY];
+ };
+ #define combine_diff_path_size(n, l) \
+-	(sizeof(struct combine_diff_path) + \
+-	 sizeof(struct combine_diff_parent) * (n) + (l) + 1)
++	st_add4(sizeof(struct combine_diff_path), (l), 1, \
++		st_mult(sizeof(struct combine_diff_parent), (n)))
+ 
+ extern void show_combined_diff(struct combine_diff_path *elem, int num_parent,
+ 			      int dense, struct rev_info *);
+diff --git a/git-compat-util.h b/git-compat-util.h
+index ad47624..77a7031 100644
+--- a/git-compat-util.h
++++ b/git-compat-util.h
+@@ -46,6 +46,14 @@
+ #define unsigned_add_overflows(a, b) \
+     ((b) > maximum_unsigned_value_of_type(a) - (a))
+ 
++/*
++ * Returns true if the multiplication of "a" and "b" will
++ * overflow. The types of "a" and "b" must match and must be unsigned.
++ * Note that this macro evaluates "a" twice!
++ */
++#define unsigned_mult_overflows(a, b) \
++    ((a) && (b) > maximum_unsigned_value_of_type(a) / (a))
++
+ #ifdef __GNUC__
+ #define TYPEOF(x) (__typeof__(x))
+ #else
+@@ -490,6 +498,32 @@ static inline void *gitmempcpy(void *dest, const void *src, size_t n)
+ }
+ #endif
+ 
++static inline size_t st_add(size_t a, size_t b)
++{
++	if (unsigned_add_overflows(a, b))
++		die("size_t overflow: %"PRIuMAX" + %"PRIuMAX,
++		    (uintmax_t)a, (uintmax_t)b);
++	return a + b;
++}
++#define st_add3(a,b,c)   st_add((a),st_add((b),(c)))
++#define st_add4(a,b,c,d) st_add((a),st_add3((b),(c),(d)))
++
++static inline size_t st_mult(size_t a, size_t b)
++{
++	if (unsigned_mult_overflows(a, b))
++		die("size_t overflow: %"PRIuMAX" * %"PRIuMAX,
++		    (uintmax_t)a, (uintmax_t)b);
++	return a * b;
++}
++
++static inline size_t st_sub(size_t a, size_t b)
++{
++	if (a < b)
++		die("size_t underflow: %"PRIuMAX" - %"PRIuMAX,
++		    (uintmax_t)a, (uintmax_t)b);
++	return a - b;
++}
++
+ #ifdef NO_INET_PTON
+ int inet_pton(int af, const char *src, void *dst);
+ #endif
+diff --git a/revision.c b/revision.c
+index 9df13ca..7e358ef 100644
+--- a/revision.c
++++ b/revision.c
+@@ -21,16 +21,21 @@ char *path_name(const struct name_path *path, const char *name)
+ {
+ 	const struct name_path *p;
+ 	char *n, *m;
+-	int nlen = strlen(name);
+-	int len = nlen + 1;
++	size_t nlen = strlen(name);
++	size_t len = st_add(nlen, 1);
++
++	if(len >= INT_MAX)
++		die("path_name(): path is too long.");
+ 
+ 	for (p = path; p; p = p->up) {
+ 		if (p->elem_len)
+ 			len += p->elem_len + 1;
++			if(len >= INT_MAX)
++				die("path_name(): path is too long.");
+ 	}
+ 	n = xmalloc(len);
+ 	m = n + len - (nlen + 1);
+-	strcpy(m, name);
++	memcpy(m, name, nlen + 1);
+ 	for (p = path; p; p = p->up) {
+ 		if (p->elem_len) {
+ 			m -= p->elem_len + 1;
+-- 
+2.8.1
+

0001-git-subtree-Use-gitexecdir-instead-of-libexecdir.patch

@@ -0,0 +1,42 @@
+From 86c3e2b5188579bff1ff981910462ad5e563044b Mon Sep 17 00:00:00 2001
+From: Todd Zullinger <tmz@pobox.com>
+Date: Fri, 4 Jan 2013 11:54:21 -0500
+Subject: [PATCH] git-subtree: Use gitexecdir instead of libexecdir
+
+When the git subtree Makefile includes config.mak from the toplevel,
+it's useful to have the same variables set globally applied.  Using
+gitexecdir instead of libexecdir respects the global settings more
+consistently.
+
+Remove the unused gitdir variable as well.
+---
+ contrib/subtree/Makefile |    5 ++---
+ 1 files changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/contrib/subtree/Makefile b/contrib/subtree/Makefile
+index 36ae3e4..f87b945 100644
+--- a/contrib/subtree/Makefile
++++ b/contrib/subtree/Makefile
+@@ -2,9 +2,8 @@
+ -include ../../config.mak
+ 
+ prefix ?= /usr/local
++gitexecdir ?= $(prefix)/libexec/git-core
+ mandir ?= $(prefix)/share/man
+-libexecdir ?= $(prefix)/libexec/git-core
+-gitdir ?= $(shell git --exec-path)
+ man1dir ?= $(mandir)/man1
+ 
+ gitver ?= $(word 3,$(shell git --version))
+@@ -30,7 +29,7 @@ $(GIT_SUBTREE): $(GIT_SUBTREE_SH)
+ doc: $(GIT_SUBTREE_DOC)
+ 
+ install: $(GIT_SUBTREE)
+-	$(INSTALL) -m 755 $(GIT_SUBTREE) $(DESTDIR)$(libexecdir)
++	$(INSTALL) -m 755 $(GIT_SUBTREE) $(DESTDIR)$(gitexecdir)
+ 
+ install-doc: install-man
+ 
+-- 
+1.7.6
+

0001-submodule-allow-only-certain-protocols-for-submodule.patch

@@ -0,0 +1,104 @@
+From 6d69680505dbbc484178105815ed624fab40b2de Mon Sep 17 00:00:00 2001
+From: Petr Stodulka <pstodulk@redhat.com>
+Date: Wed, 28 Oct 2015 15:03:01 +0100
+Subject: [PATCH 1/5] submodule: allow only certain protocols for submodule
+ fetches
+
+Some protocols (like git-remote-ext) can execute arbitrary
+code found in the URL. The URLs that submodules use may come
+from arbitrary sources (e.g., .gitmodules files in a remote
+repository). Let's restrict submodules to fetching from a
+known-good subset of protocols.
+
+Note that we apply this restriction to all submodule
+commands, whether the URL comes from .gitmodules or not.
+This is more restrictive than we need to be; for example, in
+the tests we run:
+
+  git submodule add ext::...
+
+which should be trusted, as the URL comes directly from the
+command line provided by the user. But doing it this way is
+simpler, and makes it much less likely that we would miss a
+case. And since such protocols should be an exception
+(especially because nobody who clones from them will be able
+to update the submodules!), it's not likely to inconvenience
+anyone in practice.
+---
+ git-submodule.sh            |  9 +++++++++
+ t/t5815-submodule-protos-sh | 43 +++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 52 insertions(+)
+ create mode 100644 t/t5815-submodule-protos-sh
+
+diff --git a/git-submodule.sh b/git-submodule.sh
+index 79bfaac..bec3362 100755
+--- a/git-submodule.sh
++++ b/git-submodule.sh
+@@ -19,6 +19,15 @@ OPTIONS_SPEC=
+ . git-parse-remote
+ require_work_tree
+ 
++# Restrict ourselves to a vanilla subset of protocols; the URLs
++# we get are under control of a remote repository, and we do not
++# want them kicking off arbitrary git-remote-* programs.
++#
++# If the user has already specified a set of allowed protocols,
++# we assume they know what they're doing and use that instead.
++: ${GIT_ALLOW_PROTOCOL=file:git:http:https:ssh}
++export GIT_ALLOW_PROTOCOL
++
+ command=
+ branch=
+ force=
+diff --git a/t/t5815-submodule-protos-sh b/t/t5815-submodule-protos-sh
+new file mode 100644
+index 0000000..06f55a1
+--- /dev/null
++++ b/t/t5815-submodule-protos-sh
+@@ -0,0 +1,43 @@
++#!/bin/sh
++
++test_description='test protocol whitelisting with submodules'
++. ./test-lib.sh
++. "$TEST_DIRECTORY"/lib-proto-disable.sh
++
++setup_ext_wrapper
++setup_ssh_wrapper
++
++test_expect_success 'setup repository with submodules' '
++	mkdir remote &&
++	git init remote/repo.git &&
++	(cd remote/repo.git && test_commit one) &&
++	# submodule-add should probably trust what we feed it on the cmdline,
++	# but its implementation is overly conservative.
++	GIT_ALLOW_PROTOCOL=ssh git submodule add remote:repo.git ssh-module &&
++	GIT_ALLOW_PROTOCOL=ext git submodule add "ext::fake-remote %S repo.git" ext-module &&
++	git commit -m "add submodules"
++'
++
++test_expect_success 'clone with recurse-submodules fails' '
++	test_must_fail git clone --recurse-submodules . dst
++'
++
++test_expect_success 'setup individual updates' '
++	rm -rf dst &&
++	git clone . dst &&
++	git -C dst submodule init
++'
++
++test_expect_success 'update of ssh allowed' '
++	git -C dst submodule update ssh-module
++'
++
++test_expect_success 'update of ext not allowed' '
++	test_must_fail git -C dst submodule update ext-module
++'
++
++test_expect_success 'user can override whitelist' '
++	GIT_ALLOW_PROTOCOL=ext git -C dst submodule update ext-module
++'
++
++test_done
+-- 
+2.1.0
+

0001-t-lib-httpd-try-harder-to-find-a-port-for-apache.patch

@@ -1,73 +0,0 @@
-From 89ccbc15948db9ddbf74530e3fd66dd78ae897ae Mon Sep 17 00:00:00 2001
-From: Todd Zullinger <tmz@pobox.com>
-Date: Sun, 21 Aug 2022 13:49:57 -0400
-Subject: [PATCH] t/lib-httpd: try harder to find a port for apache
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When running multiple builds concurrently, tests which run daemons, like
-apache httpd, sometimes conflict with each other, leading to spurious
-failures:
-
-    ++ /usr/sbin/httpd -d '/tmp/git-t.ck9I/trash directory.t9118-git-svn-funky-branch-names/httpd' \
-       -f /builddir/build/BUILD/git-2.37.2/t/lib-httpd/apache.conf -DDAV -DSVN -c 'Listen 127.0.0.1:9118' \
-       -k start
-    (98)Address already in use: AH00072: make_sock: could not bind to address 127.0.0.1:9118
-    no listening sockets available, shutting down
-    AH00015: Unable to open logs
-    ++ test 1 -ne 0
-
-Try a bit harder to find an open port to use to avoid these intermittent
-failures.  If we fail to start httpd, increment the port number and try
-again.  By default, we make 3 attempts.  This may be overridden by
-setting GIT_TEST_START_HTTPD_TRIES to a different value.
-
-Helped-by: Ondřej Pohořelský <opohorel@redhat.com>
-Signed-off-by: Todd Zullinger <tmz@pobox.com>
----
- t/lib-httpd.sh | 29 ++++++++++++++++++-----------
- 1 file changed, 18 insertions(+), 11 deletions(-)
-
-diff --git a/t/lib-httpd.sh b/t/lib-httpd.sh
-index 2fb1b2ae56..4afdf5a6aa 100644
---- a/t/lib-httpd.sh
-+++ b/t/lib-httpd.sh
-@@ -206,19 +206,26 @@ enable_cgipassauth () {
- }
- 
- start_httpd() {
--	prepare_httpd >&3 2>&4
--
- 	test_atexit stop_httpd
- 
--	"$LIB_HTTPD_PATH" -d "$HTTPD_ROOT_PATH" \
--		-f "$TEST_PATH/apache.conf" $HTTPD_PARA \
--		-c "Listen 127.0.0.1:$LIB_HTTPD_PORT" -k start \
--		>&3 2>&4
--	if test $? -ne 0
--	then
--		cat "$HTTPD_ROOT_PATH"/error.log >&4 2>/dev/null
--		test_skip_or_die GIT_TEST_HTTPD "web server setup failed"
--	fi
-+	i=0
-+	while test $i -lt ${GIT_TEST_START_HTTPD_TRIES:-3}
-+	do
-+		i=$(($i + 1))
-+		prepare_httpd >&3 2>&4
-+		say >&3 "Starting httpd on port $LIB_HTTPD_PORT"
-+		"$LIB_HTTPD_PATH" -d "$HTTPD_ROOT_PATH" \
-+			-f "$TEST_PATH/apache.conf" $HTTPD_PARA \
-+			-c "Listen 127.0.0.1:$LIB_HTTPD_PORT" -k start \
-+			>&3 2>&4
-+		test $? -eq 0 && return
-+		LIB_HTTPD_PORT=$(($LIB_HTTPD_PORT + 1))
-+		export LIB_HTTPD_PORT
-+		# clean up modules symlink, prepare_httpd will re-create it
-+		rm -f "$HTTPD_ROOT_PATH/modules"
-+	done
-+	cat "$HTTPD_ROOT_PATH"/error.log >&4 2>/dev/null
-+	test_skip_or_die GIT_TEST_HTTPD "web server setup failed"
- }
- 
- stop_httpd() {

0002-t-lib-git-daemon-try-harder-to-find-a-port.patch

@@ -1,88 +0,0 @@
-From e90e1068ddc9cfa3badd23b16a46c57ed6d8308a Mon Sep 17 00:00:00 2001
-From: Todd Zullinger <tmz@pobox.com>
-Date: Fri, 26 Aug 2022 18:28:44 -0400
-Subject: [PATCH] t/lib-git-daemon: try harder to find a port
-
-As with the previous commit, try harder to find an open port to avoid
-intermittent failures on busy/shared build systems.
-
-By default, we make 3 attempts.  This may be overridden by setting
-GIT_TEST_START_GIT_DAEMON_TRIES to a different value.
-
-Signed-off-by: Todd Zullinger <tmz@pobox.com>
----
- t/lib-git-daemon.sh | 60 ++++++++++++++++++++++++++++-----------------
- 1 file changed, 37 insertions(+), 23 deletions(-)
-
-diff --git a/t/lib-git-daemon.sh b/t/lib-git-daemon.sh
-index e62569222b..c3e8dda9ff 100644
---- a/t/lib-git-daemon.sh
-+++ b/t/lib-git-daemon.sh
-@@ -51,30 +51,44 @@ start_git_daemon() {
- 		registered_stop_git_daemon_atexit_handler=AlreadyDone
- 	fi
- 
--	say >&3 "Starting git daemon ..."
--	mkfifo git_daemon_output
--	${LIB_GIT_DAEMON_COMMAND:-git daemon} \
--		--listen=127.0.0.1 --port="$LIB_GIT_DAEMON_PORT" \
--		--reuseaddr --verbose --pid-file="$GIT_DAEMON_PIDFILE" \
--		--base-path="$GIT_DAEMON_DOCUMENT_ROOT_PATH" \
--		"$@" "$GIT_DAEMON_DOCUMENT_ROOT_PATH" \
--		>&3 2>git_daemon_output &
--	GIT_DAEMON_PID=$!
--	{
--		read -r line <&7
--		printf "%s\n" "$line" >&4
--		cat <&7 >&4 &
--	} 7<git_daemon_output &&
-+	i=0
-+	while test $i -lt ${GIT_TEST_START_GIT_DAEMON_TRIES:-3}
-+	do
-+		say >&3 "Starting git daemon on port $LIB_GIT_DAEMON_PORT ..."
-+		mkfifo git_daemon_output
-+		${LIB_GIT_DAEMON_COMMAND:-git daemon} \
-+			--listen=127.0.0.1 --port="$LIB_GIT_DAEMON_PORT" \
-+			--reuseaddr --verbose --pid-file="$GIT_DAEMON_PIDFILE" \
-+			--base-path="$GIT_DAEMON_DOCUMENT_ROOT_PATH" \
-+			"$@" "$GIT_DAEMON_DOCUMENT_ROOT_PATH" \
-+			>&3 2>git_daemon_output &
-+		GIT_DAEMON_PID=$!
-+		{
-+			read -r line <&7
-+			printf "%s\n" "$line" >&4
-+			cat <&7 >&4 &
-+		} 7<git_daemon_output &&
- 
--	# Check expected output
--	if test x"$(expr "$line" : "\[[0-9]*\] \(.*\)")" != x"Ready to rumble"
--	then
--		kill "$GIT_DAEMON_PID"
--		wait "$GIT_DAEMON_PID"
--		unset GIT_DAEMON_PID
--		test_skip_or_die GIT_TEST_GIT_DAEMON \
--			"git daemon failed to start"
--	fi
-+		# Check expected output
-+		output="$(expr "$line" : "\[[0-9]*\] \(.*\)")"
-+		# Return if found
-+		test x"$output" = x"Ready to rumble" && return
-+		# Increment port for retry if not found
-+		LIB_GIT_DAEMON_PORT=$(($LIB_GIT_DAEMON_PORT + 1))
-+		export LIB_GIT_DAEMON_PORT
-+		GIT_DAEMON_HOST_PORT=127.0.0.1:$LIB_GIT_DAEMON_PORT
-+		GIT_DAEMON_URL=git://$GIT_DAEMON_HOST_PORT
-+		# unset GIT_DAEMON_PID; remove the fifo & pid file
-+		GIT_DAEMON_PID=
-+		rm -f git_daemon_output "$GIT_DAEMON_PIDFILE"
-+	done
-+
-+	# Clean up and return failure
-+	kill "$GIT_DAEMON_PID"
-+	wait "$GIT_DAEMON_PID"
-+	unset GIT_DAEMON_PID
-+	test_skip_or_die GIT_TEST_GIT_DAEMON \
-+		"git daemon failed to start"
- }
- 
- stop_git_daemon() {

0002-transport-add-a-protocol-whitelist-environment-varia.patch

@@ -0,0 +1,207 @@
+From cfa4e13f09d07f679ffacdddfbe0ef44d1de32d9 Mon Sep 17 00:00:00 2001
+From: Petr Stodulka <pstodulk@redhat.com>
+Date: Wed, 28 Oct 2015 15:21:08 +0100
+Subject: [PATCH 2/5] transport: add a protocol-whitelist environment variable
+
+If we are cloning an untrusted remote repository into a
+sandbox, we may also want to fetch remote submodules in
+order to get the complete view as intended by the other
+side. However, that opens us up to attacks where a malicious
+user gets us to clone something they would not otherwise
+have access to (this is not necessarily a problem by itself,
+but we may then act on the cloned contents in a way that
+exposes them to the attacker).
+
+Ideally such a setup would sandbox git entirely away from
+high-value items, but this is not always practical or easy
+to set up (e.g., OS network controls may block multiple
+protocols, and we would want to enable some but not others).
+
+We can help this case by providing a way to restrict
+particular protocols. We use a whitelist in the environment.
+This is more annoying to set up than a blacklist, but
+defaults to safety if the set of protocols git supports
+grows). If no whitelist is specified, we continue to default
+to allowing all protocols (this is an "unsafe" default, but
+since the minority of users will want this sandboxing
+effect, it is the only sensible one).
+
+A note on the tests: ideally these would all be in a single
+test file, but the git-daemon and httpd test infrastructure
+is an all-or-nothing proposition rather than a test-by-test
+prerequisite. By putting them all together, we would be
+unable to test the file-local code on machines without
+apache.
+---
+ Documentation/git.txt | 32 ++++++++++++++++++++++++++++++++
+ connect.c             |  4 ++++
+ transport-helper.c    |  2 ++
+ transport.c           | 21 ++++++++++++++++++++-
+ transport.h           |  7 +++++++
+ 5 files changed, 65 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/git.txt b/Documentation/git.txt
+index 443d88f..179a0e8 100644
+--- a/Documentation/git.txt
++++ b/Documentation/git.txt
+@@ -847,6 +847,38 @@ GIT_LITERAL_PATHSPECS::
+ 	literal paths to Git (e.g., paths previously given to you by
+ 	`git ls-tree`, `--raw` diff output, etc).
+ 
++`GIT_ALLOW_PROTOCOL`::
++   If set, provide a colon-separated list of protocols which are
++   allowed to be used with fetch/push/clone. This is useful to
++   restrict recursive submodule initialization from an untrusted
++   repository. Any protocol not mentioned will be disallowed (i.e.,
++   this is a whitelist, not a blacklist). If the variable is not
++   set at all, all protocols are enabled.  The protocol names
++   currently used by git are:
++
++     - `file`: any local file-based path (including `file://` URLs,
++       or local paths)
++
++     - `git`: the anonymous git protocol over a direct TCP
++       connection (or proxy, if configured)
++
++     - `ssh`: git over ssh (including `host:path` syntax,
++       `git+ssh://`, etc).
++
++     - `rsync`: git over rsync
++
++     - `http`: git over http, both "smart http" and "dumb http".
++       Note that this does _not_ include `https`; if you want both,
++       you should specify both as `http:https`.
++
++     - any external helpers are named by their protocol (e.g., use
++       `hg` to allow the `git-remote-hg` helper)
+++
++Note that this controls only git's internal protocol selection.
++If libcurl is used (e.g., by the `http` transport), it may
++redirect to other protocols. There is not currently any way to
++restrict this.
++
+ 
+ Discussion[[Discussion]]
+ ------------------------
+diff --git a/connect.c b/connect.c
+index f57efd0..6d4ea13 100644
+--- a/connect.c
++++ b/connect.c
+@@ -6,6 +6,7 @@
+ #include "run-command.h"
+ #include "remote.h"
+ #include "url.h"
++#include "transport.h"
+ 
+ static char *server_capabilities;
+ 
+@@ -587,6 +588,7 @@ struct child_process *git_connect(int fd[2], const char *url_orig,
+ 		 * cannot connect.
+ 		 */
+ 		char *target_host = xstrdup(host);
++		transport_check_allowed("git");
+ 		if (git_use_proxy(host))
+ 			conn = git_proxy_connect(fd, host);
+ 		else
+@@ -623,6 +625,7 @@ struct child_process *git_connect(int fd[2], const char *url_orig,
+ 	if (protocol == PROTO_SSH) {
+ 		const char *ssh = getenv("GIT_SSH");
+ 		int putty = ssh && strcasestr(ssh, "plink");
++		transport_check_allowed("ssh");
+ 		if (!ssh) ssh = "ssh";
+ 
+ 		*arg++ = ssh;
+@@ -639,6 +642,7 @@ struct child_process *git_connect(int fd[2], const char *url_orig,
+ 		/* remove repo-local variables from the environment */
+ 		conn->env = local_repo_env;
+ 		conn->use_shell = 1;
++		transport_check_allowed("file");
+ 	}
+ 	*arg++ = cmd.buf;
+ 	*arg = NULL;
+diff --git a/transport-helper.c b/transport-helper.c
+index 522d791..be8402a 100644
+--- a/transport-helper.c
++++ b/transport-helper.c
+@@ -932,6 +932,8 @@ int transport_helper_init(struct transport *transport, const char *name)
+ 	struct helper_data *data = xcalloc(sizeof(*data), 1);
+ 	data->name = name;
+ 
++	transport_check_allowed(name);
++
+ 	if (getenv("GIT_TRANSPORT_HELPER_DEBUG"))
+ 		debug = 1;
+ 
+diff --git a/transport.c b/transport.c
+index ba5d8af..733717d 100644
+--- a/transport.c
++++ b/transport.c
+@@ -894,6 +894,20 @@ static int external_specification_len(const char *url)
+ 	return strchr(url, ':') - url;
+ }
+ 
++void transport_check_allowed(const char *type)
++{
++	struct string_list allowed = STRING_LIST_INIT_DUP;
++	const char *v = getenv("GIT_ALLOW_PROTOCOL");
++
++	if (!v)
++		return;
++
++	string_list_split(&allowed, v, ':', -1);
++	if (!unsorted_string_list_has_string(&allowed, type))
++		die("transport '%s' not allowed", type);
++	string_list_clear(&allowed, 0);
++}
++
+ struct transport *transport_get(struct remote *remote, const char *url)
+ {
+ 	const char *helper;
+@@ -925,12 +939,14 @@ struct transport *transport_get(struct remote *remote, const char *url)
+ 	if (helper) {
+ 		transport_helper_init(ret, helper);
+ 	} else if (!prefixcmp(url, "rsync:")) {
++		transport_check_allowed("rsync");
+ 		ret->get_refs_list = get_refs_via_rsync;
+ 		ret->fetch = fetch_objs_via_rsync;
+ 		ret->push = rsync_transport_push;
+ 		ret->smart_options = NULL;
+ 	} else if (is_local(url) && is_file(url) && is_bundle(url, 1)) {
+ 		struct bundle_transport_data *data = xcalloc(1, sizeof(*data));
++		transport_check_allowed("file");
+ 		ret->data = data;
+ 		ret->get_refs_list = get_refs_from_bundle;
+ 		ret->fetch = fetch_refs_from_bundle;
+@@ -942,7 +958,10 @@ struct transport *transport_get(struct remote *remote, const char *url)
+ 		|| !prefixcmp(url, "ssh://")
+ 		|| !prefixcmp(url, "git+ssh://")
+ 		|| !prefixcmp(url, "ssh+git://")) {
+-		/* These are builtin smart transports. */
++		/*
++		 * These are builtin smart transports; "allowed" transports
++		 * will be checked individually in git_connect.
++		 */
+ 		struct git_transport_data *data = xcalloc(1, sizeof(*data));
+ 		ret->data = data;
+ 		ret->set_option = NULL;
+diff --git a/transport.h b/transport.h
+index fcb1d25..2beda7d 100644
+--- a/transport.h
++++ b/transport.h
+@@ -113,6 +113,13 @@ struct transport {
+ /* Returns a transport suitable for the url */
+ struct transport *transport_get(struct remote *, const char *);
+ 
++/*
++ * Check whether a transport is allowed by the environment,
++ * and die otherwise. type should generally be the URL scheme,
++ * as described in Documentation/git.txt
++ */
++void transport_check_allowed(const char *type);
++
+ /* Transport options which apply to git:// and scp-style URLs */
+ 
+ /* The program to use on the remote side to send a pack */
+-- 
+2.1.0
+

0003-t-lib-git-svn-try-harder-to-find-a-port.patch

@@ -1,85 +0,0 @@
-From 41423d666fd52eaa6aa2b44a0de1b81d0857ca06 Mon Sep 17 00:00:00 2001
-From: Todd Zullinger <tmz@pobox.com>
-Date: Fri, 26 Aug 2022 18:28:44 -0400
-Subject: [PATCH] t/lib-git-svn: try harder to find a port
-
-As with the previous commits, try harder to find an open port to avoid
-intermittent failures on busy/shared build systems.
-
-By default, we make 3 attempts.  This may be overridden by setting
-GIT_TEST_START_SVNSERVE_TRIES to a different value.
-
-Run svnserve in daemon mode and use 'test_atexit' to stop it.  This is
-cleaner than running in the foreground with --listen-once and having to
-manage the PID ourselves.
-
-Signed-off-by: Todd Zullinger <tmz@pobox.com>
----
- t/lib-git-svn.sh                    | 34 +++++++++++++++++++++++++----
- t/t9113-git-svn-dcommit-new-file.sh |  1 -
- 2 files changed, 30 insertions(+), 5 deletions(-)
-
-diff --git a/t/lib-git-svn.sh b/t/lib-git-svn.sh
-index ea28971e8e..04e660e2ba 100644
---- a/t/lib-git-svn.sh
-+++ b/t/lib-git-svn.sh
-@@ -17,6 +17,7 @@ fi
- GIT_DIR=$PWD/.git
- GIT_SVN_DIR=$GIT_DIR/svn/refs/remotes/git-svn
- SVN_TREE=$GIT_SVN_DIR/svn-tree
-+SVNSERVE_PIDFILE="$PWD"/daemon.pid
- test_set_port SVNSERVE_PORT
- 
- svn >/dev/null 2>&1
-@@ -119,10 +120,35 @@ require_svnserve () {
- }
- 
- start_svnserve () {
--	svnserve --listen-port $SVNSERVE_PORT \
--		 --root "$rawsvnrepo" \
--		 --listen-once \
--		 --listen-host 127.0.0.1 &
-+	test_atexit stop_svnserve
-+
-+	i=0
-+	while test $i -lt ${GIT_TEST_START_SVNSERVE_TRIES:-3}
-+	do
-+		say >&3 "Starting svnserve on port $SVNSERVE_PORT ..."
-+		svnserve --listen-port $SVNSERVE_PORT \
-+			 --root "$rawsvnrepo" \
-+			 --daemon --pid-file="$SVNSERVE_PIDFILE" \
-+			 --listen-host 127.0.0.1
-+		ret=$?
-+		# increment port and retry if unsuccessful
-+		if test $ret -ne 0
-+		then
-+			SVNSERVE_PORT=$(($SVNSERVE_PORT + 1))
-+			export SVNSERVE_PORT
-+		else
-+			break
-+		fi
-+	done
-+}
-+
-+stop_svnserve () {
-+	say >&3 "Stopping svnserve ..."
-+	SVNSERVE_PID="$(cat "$SVNSERVE_PIDFILE")"
-+	if test -n "$SVNSERVE_PID"
-+	then
-+		kill "$SVNSERVE_PID" 2>/dev/null
-+	fi
- }
- 
- prepare_utf8_locale () {
-diff --git a/t/t9113-git-svn-dcommit-new-file.sh b/t/t9113-git-svn-dcommit-new-file.sh
-index e8479cec7a..5925891f5d 100755
---- a/t/t9113-git-svn-dcommit-new-file.sh
-+++ b/t/t9113-git-svn-dcommit-new-file.sh
-@@ -28,7 +28,6 @@ test_expect_success 'create files in new directory with dcommit' "
- 	echo hello > git-new-dir/world &&
- 	git update-index --add git-new-dir/world &&
- 	git commit -m hello &&
--	start_svnserve &&
- 	git svn dcommit
- 	"
- 

0003-transport-refactor-protocol-whitelist-code.patch

@@ -0,0 +1,107 @@
+From 9b9aabe6ab5d07227c1c02781f03a3c38fbc27b0 Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Tue, 22 Sep 2015 18:03:49 -0400
+Subject: [PATCH 3/5] transport: refactor protocol whitelist code
+
+The current callers only want to die when their transport is
+prohibited. But future callers want to query the mechanism
+without dying.
+
+Let's break out a few query functions, and also save the
+results in a static list so we don't have to re-parse for
+each query.
+
+Based-on-a-patch-by: Blake Burkhart <bburky@bburky.com>
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+---
+ transport.c | 38 ++++++++++++++++++++++++++++++--------
+ transport.h | 15 +++++++++++++--
+ 2 files changed, 43 insertions(+), 10 deletions(-)
+
+diff --git a/transport.c b/transport.c
+index 733717d..2dbdca0 100644
+--- a/transport.c
++++ b/transport.c
+@@ -894,18 +894,40 @@ static int external_specification_len(const char *url)
+ 	return strchr(url, ':') - url;
+ }
+ 
+-void transport_check_allowed(const char *type)
++static const struct string_list *protocol_whitelist(void)
+ {
+-	struct string_list allowed = STRING_LIST_INIT_DUP;
+-	const char *v = getenv("GIT_ALLOW_PROTOCOL");
++	static int enabled = -1;
++	static struct string_list allowed = STRING_LIST_INIT_DUP;
++
++	if (enabled < 0) {
++		const char *v = getenv("GIT_ALLOW_PROTOCOL");
++		if (v) {
++			string_list_split(&allowed, v, ':', -1);
++			sort_string_list(&allowed);
++			enabled = 1;
++		} else {
++			enabled = 0;
++		}
++	}
+ 
+-	if (!v)
+-		return;
++	return enabled ? &allowed : NULL;
++}
++
++int is_transport_allowed(const char *type)
++{
++	const struct string_list *allowed = protocol_whitelist();
++	return !allowed || string_list_has_string(allowed, type);
++}
+ 
+-	string_list_split(&allowed, v, ':', -1);
+-	if (!unsorted_string_list_has_string(&allowed, type))
++void transport_check_allowed(const char *type)
++{
++	if (!is_transport_allowed(type))
+ 		die("transport '%s' not allowed", type);
+-	string_list_clear(&allowed, 0);
++}
++
++int transport_restrict_protocols(void)
++{
++	return !!protocol_whitelist();
+ }
+ 
+ struct transport *transport_get(struct remote *remote, const char *url)
+diff --git a/transport.h b/transport.h
+index 2beda7d..7707c27 100644
+--- a/transport.h
++++ b/transport.h
+@@ -114,12 +114,23 @@ struct transport {
+ struct transport *transport_get(struct remote *, const char *);
+ 
+ /*
++ * Check whether a transport is allowed by the environment. Type should
++ * generally be the URL scheme, as described in Documentation/git.txt
++ */
++int is_transport_allowed(const char *type);
++
++/*
+  * Check whether a transport is allowed by the environment,
+- * and die otherwise. type should generally be the URL scheme,
+- * as described in Documentation/git.txt
++ * and die otherwise.
+  */
+ void transport_check_allowed(const char *type);
+ 
++/*
++ * Returns true if the user has attempted to turn on protocol
++ * restrictions at all.
++ */
++int transport_restrict_protocols(void);
++
+ /* Transport options which apply to git:// and scp-style URLs */
+ 
+ /* The program to use on the remote side to send a pack */
+-- 
+2.1.0
+

0004-http-limit-redirection-to-protocol-whitelist.patch

@@ -0,0 +1,77 @@
+From 0f032880eddc09abd1850533422c9b0bb80a010c Mon Sep 17 00:00:00 2001
+From: Petr Stodulka <pstodulk@redhat.com>
+Date: Sun, 1 Nov 2015 20:23:07 +0100
+Subject: [PATCH] http-limit-redirection-to-protocol-whitelist
+
+Previously, libcurl would follow redirection to any protocol
+it was compiled for support with. This is desirable to allow
+redirection from HTTP to HTTPS. However, it would even
+successfully allow redirection from HTTP to SFTP, a protocol
+that git does not otherwise support at all. Furthermore
+git's new protocol-whitelisting could be bypassed by
+following a redirect within the remote helper, as it was
+only enforced at transport selection time.
+
+This patch limits redirects within libcurl to HTTP, HTTPS,
+FTP and FTPS. If there is a protocol-whitelist present, this
+list is limited to those also allowed by the whitelist. As
+redirection happens from within libcurl, it is impossible
+for an HTTP redirect to a protocol implemented within
+another remote helper.
+
+When the curl version git was compiled with is too old to
+support restrictions on protocol redirection, we warn the
+user if GIT_ALLOW_PROTOCOL restrictions were requested. This
+is a little inaccurate, as even without that variable in the
+environment, we would still restrict SFTP, etc, and we do
+not warn in that case. But anything else means we would
+literally warn every time git accesses an http remote.
+---
+ http.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/http.c b/http.c
+index d9d1aad..744e5a1 100644
+--- a/http.c
++++ b/http.c
+@@ -5,6 +5,7 @@
+ #include "url.h"
+ #include "credential.h"
+ #include "version.h"
++#include "transport.h"
+ 
+ int active_requests;
+ int http_is_verbose;
+@@ -246,6 +247,7 @@ static int has_cert_password(void)
+ static CURL *get_curl_handle(void)
+ {
+ 	CURL *result = curl_easy_init();
++	long allowed_protocols = 0;
+ 
+ 	if (!curl_ssl_verify) {
+ 		curl_easy_setopt(result, CURLOPT_SSL_VERIFYPEER, 0);
+@@ -296,6 +298,21 @@ static CURL *get_curl_handle(void)
+ #elif LIBCURL_VERSION_NUM >= 0x071101
+ 	curl_easy_setopt(result, CURLOPT_POST301, 1);
+ #endif
++#if LIBCURL_VERSION_NUM >= 0x071304
++	if (is_transport_allowed("http"))
++		allowed_protocols |= CURLPROTO_HTTP;
++	if (is_transport_allowed("https"))
++		allowed_protocols |= CURLPROTO_HTTPS;
++	if (is_transport_allowed("ftp"))
++		allowed_protocols |= CURLPROTO_FTP;
++	if (is_transport_allowed("ftps"))
++		allowed_protocols |= CURLPROTO_FTPS;
++	curl_easy_setopt(result, CURLOPT_REDIR_PROTOCOLS, allowed_protocols);
++#else
++	if (transport_restrict_protocols())
++		warning("protocol restrictions not applied to curl redirects because\n"
++			"your curl version is too old (>= 7.19.4)");
++#endif
+ 
+ 	if (getenv("GIT_CURL_VERBOSE"))
+ 		curl_easy_setopt(result, CURLOPT_VERBOSE, 1);
+-- 
+2.4.3
+

0005-http-limit-redirection-depth.patch

@@ -0,0 +1,31 @@
+From 7f3bfdbc2670b4960242fa1b229dde6bcb2b463b Mon Sep 17 00:00:00 2001
+From: Petr Stodulka <pstodulk@redhat.com>
+Date: Fri, 23 Oct 2015 17:39:59 +0200
+Subject: [PATCH 5/5] http: limit redirection depth
+
+By default, libcurl will follow circular http redirects
+forever. Let's put a cap on this so that somebody who can
+trigger an automated fetch of an arbitrary repository (e.g.,
+for CI) cannot convince git to loop infinitely.
+
+The value chosen is 20, which is the same default that
+Firefox uses.
+---
+ http.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/http.c b/http.c
+index 235c2d5..a1c7dcb 100644
+--- a/http.c
++++ b/http.c
+@@ -298,6 +298,7 @@ static CURL *get_curl_handle(void)
+ 	}
+ 
+ 	curl_easy_setopt(result, CURLOPT_FOLLOWLOCATION, 1);
++	curl_easy_setopt(result, CURLOPT_MAXREDIRS, 20);
+ #if LIBCURL_VERSION_NUM >= 0x071301
+ 	curl_easy_setopt(result, CURLOPT_POSTREDIR, CURL_REDIR_POST_ALL);
+ #elif LIBCURL_VERSION_NUM >= 0x071101
+-- 
+2.1.0
+

0007-git-prompt.patch

@@ -0,0 +1,53 @@
+From 7e546ae76da784185ba9515ed86e435ba17fdd65 Mon Sep 17 00:00:00 2001
+From: Petr Stodulka <pstodulk@redhat.com>
+Date: Wed, 29 Mar 2017 13:08:28 +0200
+Subject: [PATCH] git-prompt.sh: don't put unsanitized branch names in $PS1
+
+---
+ contrib/completion/git-prompt.sh | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/contrib/completion/git-prompt.sh b/contrib/completion/git-prompt.sh
+index eaf5c36..2c872e5 100644
+--- a/contrib/completion/git-prompt.sh
++++ b/contrib/completion/git-prompt.sh
+@@ -360,8 +360,11 @@ __git_ps1 ()
+ 		fi
+ 
+ 		local f="$w$i$s$u"
++		b=${b##refs/heads/}
+ 		if [ $pcmode = yes ]; then
+ 			local gitstring=
++			__git_ps1_branch_name=$b
++			b="\${__git_ps1_branch_name}"
+ 			if [ -n "${GIT_PS1_SHOWCOLORHINTS-}" ]; then
+ 				local c_red='\e[31m'
+ 				local c_green='\e[32m'
+@@ -371,7 +374,7 @@ __git_ps1 ()
+ 				local ok_color=$c_green
+ 				local branch_color="$c_clear"
+ 				local flags_color="$c_lblue"
+-				local branchstring="$c${b##refs/heads/}"
++				local branchstring="$c$b"
+ 
+ 				if [ $detached = no ]; then
+ 					branch_color="$ok_color"
+@@ -400,13 +403,13 @@ __git_ps1 ()
+ 				fi
+ 				gitstring="$gitstring\[$c_clear\]$r$p"
+ 			else
+-				gitstring="$c${b##refs/heads/}${f:+ $f}$r$p"
++				gitstring="$c$b${f:+ $f}$r$p"
+ 			fi
+ 			gitstring=$(printf -- "$printf_format" "$gitstring")
+ 			PS1="$ps1pc_start$gitstring$ps1pc_end"
+ 		else
+ 			# NO color option unless in PROMPT_COMMAND mode
+-			printf -- "$printf_format" "$c${b##refs/heads/}${f:+ $f}$r$p"
++			printf -- "$printf_format" "$c$b${f:+ $f}$r$p"
+ 		fi
+ 	fi
+ }
+-- 
+2.5.5
+

git-1.5-gitweb-home-link.patch

@@ -0,0 +1,12 @@
+diff -up git-1.7.2/gitweb/gitweb.perl.orig git-1.7.2/gitweb/gitweb.perl
+--- git-1.7.2/gitweb/gitweb.perl.orig	2010-07-21 23:35:25.000000000 +0200
++++ git-1.7.2/gitweb/gitweb.perl	2010-07-22 10:49:50.385707086 +0200
+@@ -79,7 +79,7 @@ our $projectroot = "++GITWEB_PROJECTROOT
+ our $project_maxdepth = "++GITWEB_PROJECT_MAXDEPTH++";
+ 
+ # string of the home link on top of all pages
+-our $home_link_str = "++GITWEB_HOME_LINK_STR++";
++our $home_link_str = $ENV{'SERVER_NAME'} ? "git://" . $ENV{'SERVER_NAME'} : "projects";
+ 
+ # name of your site or organization to appear in page titles
+ # replace this with something more descriptive for clearer bookmarks

git-1.7-el5-emacs-support.patch

@@ -0,0 +1,252 @@
+From 424058e0607b4b3c558d19633090e06e7bd2b851 Mon Sep 17 00:00:00 2001
+From: Todd Zullinger <tmz@pobox.com>
+Date: Wed, 2 Feb 2011 21:24:44 -0500
+Subject: [PATCH] Restore vc-git.el for basic compatibility on EL-5
+
+This is the vc-git.el from 1.6.4.1, the last version to include it.
+Most uses will be better served by the vc-git.el which is provided by
+emacs >= 22.2, but on EL-5 we don't have the luxury of a modern emacs.
+---
+ contrib/emacs/Makefile  |    2 +-
+ contrib/emacs/vc-git.el |  216 +++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 217 insertions(+), 1 deletions(-)
+ create mode 100644 contrib/emacs/vc-git.el
+
+diff --git a/contrib/emacs/Makefile b/contrib/emacs/Makefile
+index 24d9312..a48540a 100644
+--- a/contrib/emacs/Makefile
++++ b/contrib/emacs/Makefile
+@@ -2,7 +2,7 @@
+ 
+ EMACS = emacs
+ 
+-ELC = git.elc git-blame.elc
++ELC = git.elc vc-git.elc git-blame.elc
+ INSTALL ?= install
+ INSTALL_ELC = $(INSTALL) -m 644
+ prefix ?= $(HOME)
+diff --git a/contrib/emacs/vc-git.el b/contrib/emacs/vc-git.el
+new file mode 100644
+index 0000000..b8f6be5
+--- /dev/null
++++ b/contrib/emacs/vc-git.el
+@@ -0,0 +1,216 @@
++;;; vc-git.el --- VC backend for the git version control system
++
++;; Copyright (C) 2006 Alexandre Julliard
++
++;; This program is free software; you can redistribute it and/or
++;; modify it under the terms of the GNU General Public License as
++;; published by the Free Software Foundation; either version 2 of
++;; the License, or (at your option) any later version.
++;;
++;; This program is distributed in the hope that it will be
++;; useful, but WITHOUT ANY WARRANTY; without even the implied
++;; warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
++;; PURPOSE.  See the GNU General Public License for more details.
++;;
++;; You should have received a copy of the GNU General Public
++;; License along with this program; if not, write to the Free
++;; Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
++;; MA 02111-1307 USA
++
++;;; Commentary:
++
++;; This file contains a VC backend for the git version control
++;; system.
++;;
++;; To install: put this file on the load-path and add GIT to the list
++;; of supported backends in `vc-handled-backends'; the following line,
++;; placed in your ~/.emacs, will accomplish this:
++;;
++;;     (add-to-list 'vc-handled-backends 'GIT)
++;;
++;; TODO
++;;  - changelog generation
++;;  - working with revisions other than HEAD
++;;
++
++(eval-when-compile (require 'cl))
++
++(defvar git-commits-coding-system 'utf-8
++  "Default coding system for git commits.")
++
++(defun vc-git--run-command-string (file &rest args)
++  "Run a git command on FILE and return its output as string."
++  (let* ((ok t)
++         (str (with-output-to-string
++                (with-current-buffer standard-output
++                  (unless (eq 0 (apply #'call-process "git" nil '(t nil) nil
++                                       (append args (list (file-relative-name file)))))
++                    (setq ok nil))))))
++    (and ok str)))
++
++(defun vc-git--run-command (file &rest args)
++  "Run a git command on FILE, discarding any output."
++  (let ((name (file-relative-name file)))
++    (eq 0 (apply #'call-process "git" nil (get-buffer "*Messages") nil (append args (list name))))))
++
++(defun vc-git-registered (file)
++  "Check whether FILE is registered with git."
++  (with-temp-buffer
++    (let* ((dir (file-name-directory file))
++           (name (file-relative-name file dir)))
++      (and (ignore-errors
++             (when dir (cd dir))
++             (eq 0 (call-process "git" nil '(t nil) nil "ls-files" "-c" "-z" "--" name)))
++           (let ((str (buffer-string)))
++             (and (> (length str) (length name))
++                  (string= (substring str 0 (1+ (length name))) (concat name "\0"))))))))
++
++(defun vc-git-state (file)
++  "git-specific version of `vc-state'."
++  (let ((diff (vc-git--run-command-string file "diff-index" "-z" "HEAD" "--")))
++    (if (and diff (string-match ":[0-7]\\{6\\} [0-7]\\{6\\} [0-9a-f]\\{40\\} [0-9a-f]\\{40\\} [ADMU]\0[^\0]+\0" diff))
++        'edited
++      'up-to-date)))
++
++(defun vc-git-workfile-version (file)
++  "git-specific version of `vc-workfile-version'."
++  (let ((str (with-output-to-string
++               (with-current-buffer standard-output
++                 (call-process "git" nil '(t nil) nil "symbolic-ref" "HEAD")))))
++    (if (string-match "^\\(refs/heads/\\)?\\(.+\\)$" str)
++        (match-string 2 str)
++      str)))
++
++(defun vc-git-symbolic-commit (commit)
++  "Translate COMMIT string into symbolic form.
++Returns nil if not possible."
++  (and commit
++       (with-temp-buffer
++	 (and
++	  (zerop
++	   (call-process "git" nil '(t nil) nil "name-rev"
++			 "--name-only" "--tags"
++			 commit))
++	  (goto-char (point-min))
++	  (= (forward-line 2) 1)
++	  (bolp)
++	  (buffer-substring-no-properties (point-min) (1- (point-max)))))))
++
++(defun vc-git-previous-version (file rev)
++  "git-specific version of `vc-previous-version'."
++  (let ((default-directory (file-name-directory (expand-file-name file)))
++	(file (file-name-nondirectory file)))
++    (vc-git-symbolic-commit
++     (with-temp-buffer
++       (and
++	(zerop
++	 (call-process "git" nil '(t nil) nil "rev-list"
++		       "-2" rev "--" file))
++	(goto-char (point-max))
++	(bolp)
++	(zerop (forward-line -1))
++	(not (bobp))
++	(buffer-substring-no-properties
++	   (point)
++	   (1- (point-max))))))))
++
++(defun vc-git-next-version (file rev)
++  "git-specific version of `vc-next-version'."
++  (let* ((default-directory (file-name-directory
++			     (expand-file-name file)))
++	(file (file-name-nondirectory file))
++	(current-rev
++	 (with-temp-buffer
++	   (and
++	    (zerop
++	     (call-process "git" nil '(t nil) nil "rev-list"
++			   "-1" rev "--" file))
++	    (goto-char (point-max))
++	    (bolp)
++	    (zerop (forward-line -1))
++	    (bobp)
++	    (buffer-substring-no-properties
++	     (point)
++	     (1- (point-max)))))))
++    (and current-rev
++	 (vc-git-symbolic-commit
++	  (with-temp-buffer
++	    (and
++	     (zerop
++	      (call-process "git" nil '(t nil) nil "rev-list"
++			    "HEAD" "--" file))
++	     (goto-char (point-min))
++	     (search-forward current-rev nil t)
++	     (zerop (forward-line -1))
++	     (buffer-substring-no-properties
++	      (point)
++	      (progn (forward-line 1) (1- (point))))))))))
++
++(defun vc-git-revert (file &optional contents-done)
++  "Revert FILE to the version stored in the git repository."
++  (if contents-done
++      (vc-git--run-command file "update-index" "--")
++    (vc-git--run-command file "checkout" "HEAD")))
++
++(defun vc-git-checkout-model (file)
++  'implicit)
++
++(defun vc-git-workfile-unchanged-p (file)
++  (let ((sha1 (vc-git--run-command-string file "hash-object" "--"))
++        (head (vc-git--run-command-string file "ls-tree" "-z" "HEAD" "--")))
++    (and head
++         (string-match "[0-7]\\{6\\} blob \\([0-9a-f]\\{40\\}\\)\t[^\0]+\0" head)
++         (string= (car (split-string sha1 "\n")) (match-string 1 head)))))
++
++(defun vc-git-register (file &optional rev comment)
++  "Register FILE into the git version-control system."
++  (vc-git--run-command file "update-index" "--add" "--"))
++
++(defun vc-git-print-log (file &optional buffer)
++  (let ((name (file-relative-name file))
++        (coding-system-for-read git-commits-coding-system))
++    (vc-do-command buffer 'async "git" name "rev-list" "--pretty" "HEAD" "--")))
++
++(defun vc-git-diff (file &optional rev1 rev2 buffer)
++  (let ((name (file-relative-name file))
++        (buf (or buffer "*vc-diff*")))
++    (if (and rev1 rev2)
++        (vc-do-command buf 0 "git" name "diff-tree" "-p" rev1 rev2 "--")
++      (vc-do-command buf 0 "git" name "diff-index" "-p" (or rev1 "HEAD") "--"))
++    ; git-diff-index doesn't set exit status like diff does
++    (if (vc-git-workfile-unchanged-p file) 0 1)))
++
++(defun vc-git-checkin (file rev comment)
++  (let ((coding-system-for-write git-commits-coding-system))
++    (vc-git--run-command file "commit" "-m" comment "--only" "--")))
++
++(defun vc-git-checkout (file &optional editable rev destfile)
++  (if destfile
++      (let ((fullname (substring
++                       (vc-git--run-command-string file "ls-files" "-z" "--full-name" "--")
++                       0 -1))
++            (coding-system-for-read 'no-conversion)
++            (coding-system-for-write 'no-conversion))
++        (with-temp-file destfile
++          (eq 0 (call-process "git" nil t nil "cat-file" "blob"
++                              (concat (or rev "HEAD") ":" fullname)))))
++    (vc-git--run-command file "checkout" (or rev "HEAD"))))
++
++(defun vc-git-annotate-command (file buf &optional rev)
++  ; FIXME: rev is ignored
++  (let ((name (file-relative-name file)))
++    (call-process "git" nil buf nil "blame" name)))
++
++(defun vc-git-annotate-time ()
++  (and (re-search-forward "[0-9a-f]+ (.* \\([0-9]+\\)-\\([0-9]+\\)-\\([0-9]+\\) \\([0-9]+\\):\\([0-9]+\\):\\([0-9]+\\) \\([-+0-9]+\\) +[0-9]+)" nil t)
++       (vc-annotate-convert-time
++        (apply #'encode-time (mapcar (lambda (match) (string-to-number (match-string match))) '(6 5 4 3 2 1 7))))))
++
++;; Not really useful since we can't do anything with the revision yet
++;;(defun vc-annotate-extract-revision-at-line ()
++;;  (save-excursion
++;;    (move-beginning-of-line 1)
++;;    (and (looking-at "[0-9a-f]+")
++;;         (buffer-substring (match-beginning 0) (match-end 0)))))
++
++(provide 'vc-git)
+-- 
+1.7.3.4
+

git-2.52-sanitize-sideband-channel-messages.patch

@@ -1,275 +0,0 @@
-From 65e88e659008e2cbf79cf44975406ff0d569a3a9 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Poho=C5=99elsk=C3=BD?= <opohorel@redhat.com>
-Date: Thu, 20 Nov 2025 12:24:59 +0100
-Subject: [PATCH] sideband: mask control characters
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The output of `git clone` is a vital component for understanding what
-has happened when things go wrong. However, these logs are partially
-under the control of the remote server (via the "sideband", which
-typically contains what the remote `git pack-objects` process sends to
-`stderr`), and is currently not sanitized by Git.
-
-This makes Git susceptible to ANSI escape sequence injection (see
-CWE-150, https://cwe.mitre.org/data/definitions/150.html), which allows
-attackers to corrupt terminal state, to hide information, and even to
-insert characters into the input buffer (i.e. as if the user had typed
-those characters).
-
-To plug this vulnerability, disallow any control character in the
-sideband, replacing them instead with the common `^<letter/symbol>`
-(e.g. `^[` for `\x1b`, `^A` for `\x01`).
-
-There is likely a need for more fine-grained controls instead of using a
-"heavy hammer" like this, which will be introduced subsequently.
-
-Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-
-sideband: introduce an "escape hatch" to allow control characters
-
-The preceding commit fixed the vulnerability whereas sideband messages
-(that are under the control of the remote server) could contain ANSI
-escape sequences that would be sent to the terminal verbatim.
-
-However, this fix may not be desirable under all circumstances, e.g.
-when remote servers deliberately add coloring to their messages to
-increase their urgency.
-
-To help with those use cases, give users a way to opt-out of the
-protections: `sideband.allowControlCharacters`.
-
-Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-
-sideband: do allow ANSI color sequences by default
-
-The preceding two commits introduced special handling of the sideband
-channel to neutralize ANSI escape sequences before sending the payload
-to the terminal, and `sideband.allowControlCharacters` to override that
-behavior.
-
-However, some `pre-receive` hooks that are actively used in practice
-want to color their messages and therefore rely on the fact that Git
-passes them through to the terminal.
-
-In contrast to other ANSI escape sequences, it is highly unlikely that
-coloring sequences can be essential tools in attack vectors that mislead
-Git users e.g. by hiding crucial information.
-
-Therefore we can have both: Continue to allow ANSI coloring sequences to
-be passed to the terminal, and neutralize all other ANSI escape
-sequences.
-
-Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-
-sideband: default to allowControlCharacters=true
-
-We don't want to change the default Git behaviour, just add the option
-to filter control characters.
-
-Signed-off-by: Ondřej Pohořelský <opohorel@redhat.com>
----
- Documentation/config.adoc           |  2 +
- Documentation/config/sideband.adoc  | 16 ++++++
- sideband.c                          | 78 ++++++++++++++++++++++++++++-
- t/t5409-colorize-remote-messages.sh | 31 ++++++++++++
- 4 files changed, 125 insertions(+), 2 deletions(-)
- create mode 100644 Documentation/config/sideband.adoc
-
-diff --git a/Documentation/config.adoc b/Documentation/config.adoc
-index 62eebe7c54..dcea3c0c15 100644
---- a/Documentation/config.adoc
-+++ b/Documentation/config.adoc
-@@ -523,6 +523,8 @@ include::config/sequencer.adoc[]
- 
- include::config/showbranch.adoc[]
- 
-+include::config/sideband.adoc[]
-+
- include::config/sparse.adoc[]
- 
- include::config/splitindex.adoc[]
-diff --git a/Documentation/config/sideband.adoc b/Documentation/config/sideband.adoc
-new file mode 100644
-index 0000000000..c9ba24a02c
---- /dev/null
-+++ b/Documentation/config/sideband.adoc
-@@ -0,0 +1,16 @@
-+sideband.allowControlCharacters::
-+	By default, control characters that are delivered via the sideband
-+	are NOT masked. Use this config setting to prevent potentially
-+	unwanted ANSI escape sequences from being sent to the terminal:
-++
-+--
-+	color::
-+		Allow ANSI color sequences, line feeds and horizontal tabs,
-+		but mask all other control characters.
-+	false::
-+		Mask all control characters other than line feeds and
-+		horizontal tabs.
-+	true::
-+		Allow all control characters to be sent to the terminal.
-+		This is the default.
-+--
-\ No newline at end of file
-diff --git a/sideband.c b/sideband.c
-index ea7c25211e..88d1b44a7a 100644
---- a/sideband.c
-+++ b/sideband.c
-@@ -26,6 +26,12 @@ static struct keyword_entry keywords[] = {
- 	{ "error",	GIT_COLOR_BOLD_RED },
- };
- 
-+static enum {
-+	ALLOW_NO_CONTROL_CHARACTERS = 0,
-+	ALLOW_ALL_CONTROL_CHARACTERS = 1,
-+	ALLOW_ANSI_COLOR_SEQUENCES = 2
-+} allow_control_characters = ALLOW_ALL_CONTROL_CHARACTERS;
-+
- /* Returns a color setting (GIT_COLOR_NEVER, etc). */
- static enum git_colorbool use_sideband_colors(void)
- {
-@@ -39,6 +45,25 @@ static enum git_colorbool use_sideband_colors(void)
- 	if (use_sideband_colors_cached != GIT_COLOR_UNKNOWN)
- 		return use_sideband_colors_cached;
- 
-+	switch (repo_config_get_maybe_bool(the_repository, "sideband.allowcontrolcharacters", &i)) {
-+	case 0: /* Boolean value */
-+		allow_control_characters = i ? ALLOW_ALL_CONTROL_CHARACTERS :
-+			ALLOW_NO_CONTROL_CHARACTERS;
-+		break;
-+	case -1: /* non-Boolean value */
-+		if (repo_config_get_string_tmp(the_repository, "sideband.allowcontrolcharacters",
-+					      &value))
-+			; /* huh? `get_maybe_bool()` returned -1 */
-+		else if (!strcmp(value, "color"))
-+			allow_control_characters = ALLOW_ANSI_COLOR_SEQUENCES;
-+		else
-+			warning(_("unrecognized value for `sideband."
-+				  "allowControlCharacters`: '%s'"), value);
-+		break;
-+	default:
-+		break; /* not configured */
-+	}
-+
- 	if (!repo_config_get_string_tmp(the_repository, key, &value))
- 		use_sideband_colors_cached = git_config_colorbool(key, value);
- 	else if (!repo_config_get_string_tmp(the_repository, "color.ui", &value))
-@@ -66,6 +91,55 @@ void list_config_color_sideband_slots(struct string_list *list, const char *pref
- 		list_config_item(list, prefix, keywords[i].keyword);
- }
- 
-+static int handle_ansi_color_sequence(struct strbuf *dest, const char *src, int n)
-+{
-+	int i;
-+
-+	/*
-+	 * Valid ANSI color sequences are of the form
-+	 *
-+	 * ESC [ [<n> [; <n>]*] m
-+	 */
-+
-+	if (allow_control_characters != ALLOW_ANSI_COLOR_SEQUENCES ||
-+	    n < 3 || src[0] != '\x1b' || src[1] != '[')
-+		return 0;
-+
-+	for (i = 2; i < n; i++) {
-+		if (src[i] == 'm') {
-+			strbuf_add(dest, src, i + 1);
-+			return i;
-+		}
-+		if (!isdigit(src[i]) && src[i] != ';')
-+			break;
-+	}
-+
-+	return 0;
-+}
-+
-+static void strbuf_add_sanitized(struct strbuf *dest, const char *src, int n)
-+{
-+	int i;
-+
-+	if (allow_control_characters == ALLOW_ALL_CONTROL_CHARACTERS) {
-+		strbuf_add(dest, src, n);
-+		return;
-+	}
-+
-+	strbuf_grow(dest, n);
-+	for (; n && *src; src++, n--) {
-+		if (!iscntrl(*src) || *src == '\t' || *src == '\n')
-+			strbuf_addch(dest, *src);
-+		else if ((i = handle_ansi_color_sequence(dest, src, n))) {
-+			src += i;
-+			n -= i;
-+		} else {
-+			strbuf_addch(dest, '^');
-+			strbuf_addch(dest, 0x40 + *src);
-+		}
-+	}
-+}
-+
- /*
-  * Optionally highlight one keyword in remote output if it appears at the start
-  * of the line. This should be called for a single line only, which is
-@@ -81,7 +155,7 @@ static void maybe_colorize_sideband(struct strbuf *dest, const char *src, int n)
- 	int i;
- 
- 	if (!want_color_stderr(use_sideband_colors())) {
--		strbuf_add(dest, src, n);
-+		strbuf_add_sanitized(dest, src, n);
- 		return;
- 	}
- 
-@@ -114,7 +188,7 @@ static void maybe_colorize_sideband(struct strbuf *dest, const char *src, int n)
- 		}
- 	}
- 
--	strbuf_add(dest, src, n);
-+	strbuf_add_sanitized(dest, src, n);
- }
- 
- 
-diff --git a/t/t5409-colorize-remote-messages.sh b/t/t5409-colorize-remote-messages.sh
-index fa5de4500a..2d40d8c640 100755
---- a/t/t5409-colorize-remote-messages.sh
-+++ b/t/t5409-colorize-remote-messages.sh
-@@ -98,4 +98,35 @@ test_expect_success 'fallback to color.ui' '
- 	grep "<BOLD;RED>error<RESET>: error" decoded
- '
- 
-+test_expect_success 'disallow (color) control sequences in sideband' '
-+	write_script .git/color-me-surprised <<-\EOF &&
-+	printf "error: Have you \\033[31mread\\033[m this?\\a\\n" >&2
-+	exec "$@"
-+	EOF
-+	test_config_global uploadPack.packObjectshook ./color-me-surprised &&
-+	test_commit need-at-least-one-commit &&
-+
-+	git -c sideband.allowControlCharacters=color \
-+		clone --no-local . throw-away 2>stderr &&
-+	test_decode_color <stderr >decoded &&
-+	test_grep RED decoded &&
-+	test_grep "\\^G" stderr &&
-+	tr -dc "\\007" <stderr >actual &&
-+	test_must_be_empty actual &&
-+
-+	rm -rf throw-away &&
-+	git -c sideband.allowControlCharacters=false \
-+		clone --no-local . throw-away 2>stderr &&
-+	test_decode_color <stderr >decoded &&
-+	test_grep ! RED decoded &&
-+	test_grep "\\^G" stderr &&
-+
-+	rm -rf throw-away &&
-+	git -c sideband.allowControlCharacters clone --no-local . throw-away 2>stderr &&
-+	test_decode_color <stderr >decoded &&
-+	test_grep RED decoded &&
-+	tr -dc "\\007" <stderr >actual &&
-+	test_file_not_empty actual
-+'
-+
- test_done
--- 
-2.51.1
-

git-init.el

@@ -0,0 +1,5 @@
+;; Git VC backend
+(add-to-list 'vc-handled-backends 'GIT t)
+(autoload 'git-status "git" "GIT mode." t)
+(autoload 'git-blame-mode "git-blame"
+ 	"Minor mode for incremental blame for Git." t)

git-test-apache-davlockdbtype-config.patch

@@ -1,14 +0,0 @@
-diff -ur b/t/lib-httpd/apache.conf a/t/lib-httpd/apache.conf
---- b/t/lib-httpd/apache.conf	2024-01-09 11:06:46.660868023 +0100
-+++ a/t/lib-httpd/apache.conf	2024-01-09 11:09:09.572713625 +0100
-@@ -272,7 +272,9 @@
- <IfDefine DAV>
- 	LoadModule dav_module modules/mod_dav.so
- 	LoadModule dav_fs_module modules/mod_dav_fs.so
--
-+	<IfDirective DavLockDBType>
-+   		DavLockDBType sdbm
-+	</IfDirective>
- 	DAVLockDB DAVLock
- 	<Location /dumb/>
- 		Dav on

git.rpmlintrc

@@ -1,42 +0,0 @@
-# the dictionary is a bit limited
-addFilter("git.* spelling-error %description .* subpackages")
-addFilter("git-subtree.* spelling-error %description .* (subdirectory|subproject|subtree)")
-
-# git-core-doc requires git-core, which provides the symlink target
-addFilter("git(-core-doc)?\..*: W: dangling-relative-symlink /usr/share/doc/git/contrib/hooks ../../../git-core/contrib/hooks")
-
-# gitk requires git, which provides the symlink target
-addFilter("gitk\.noarch: W: dangling-relative-symlink /usr/share/bash-completion/completions/gitk git")
-
-# git-gui requires git, which provides the git binary
-addFilter("git-gui.noarch: W: desktopfile-without-binary /usr/share/applications/git-gui.desktop git")
-
-# ignore no binary warning for main git package; making it noarch isn't trivial
-# since we have arch-specific subpackages
-addFilter("git\..*: E: no-binary$")
-
-# ignore no doc/manpage warnings where we don't expect any documentation
-addFilter("git-(all|core|credential-libsecret)\..*: W: no-documentation")
-addFilter("perl-Git-SVN.noarch: W: no-documentation")
-addFilter("git-core\..*: W: no-manual-page-for-binary")
-
-# nothing provides git-gnome-keyring, it's simply obsolete
-# similarly ignore the warning when git-cvs and git-p4 are disabled
-addFilter("git.* obsolete-not-provided git-(cvs|gnome-keyring|p4)")
-
-# git-svn has both man and html docs and only a single command
-addFilter('git-svn\..*: W: package-with-huge-docs')
-
-# ignore potential "bashisms" in docs
-addFilter('git-core-doc\.noarch: W: potential-bashisms /usr/share/doc/git/')
-
-# ignore unused-direct-shlib-dependency for libpcre; while it probably could be
-# removed from some binaries, the cost of doing so isn't worth the gain.
-addFilter('git-(core|daemon)\..*: W: unused-direct-shlib-dependency .* /lib64/libpcre2-.*')
-
-# ignore duplicate gvimdiff/nvimdiff files; they are only 29 bytes, sourcing the same base
-# vimdiff mergetool
-addFilter('git-core\..*: W: files-duplicate /usr/libexec/git-core/mergetools/[gn]vimdiff')
-
-# ignore non-standard-dir-in-var for gitweb (#479613)
-addFilter('gitweb.noarch: W: non-standard-dir-in-var www')

git.skip-test-patterns

@@ -1,33 +0,0 @@
-^ok 1 # SKIP enable client-side http/2 \(missing HTTP2\)$
-expensive 2GB clone test; enable with GIT_TEST_CLONE_2GB=true
-filesystem does not corrupt utf-8
-fsmonitor--daemon is not supported on this platform
-GIT_SKIP_TESTS
-missing AUTOIDENT
-missing BUILTIN_TXT_
-missing CASE_INSENSITIVE_FS
-missing DONTHAVEIT
-missing ([!]LONG_IS_64BIT,)?EXPENSIVE
-missing FSMONITOR_DAEMON
-missing JGIT
-missing !?LAZY_(TRUE|FALSE)
-missing MINGW
-missing NATIVE_CRLF
-missing !PCRE
-missing !PTHREADS
-missing !REFFILES
-missing RFC1991
-missing RUNTIME_PREFIX
-missing SYMLINKS_WINDOWS
-missing TAR_NEEDS_PAX_FALLBACK
-missing UTF8_NFD_TO_NFC
-missing WINDOWS
-skipped: skip all tests in t5559
-skipping case insensitive tests
-skipping git p4 tests
-skipping remote-svn tests, python not available
-skipping svn-info test
-skipping Windows-(only path|specific) tests
-Test requiring writable / skipped
-used to test external credential helpers
-You must set env var GIT_TEST_ALLOW_SUDO=YES in order to run this test

git.socket

@@ -1,9 +0,0 @@
-[Unit]
-Description=Git Activation Socket
-
-[Socket]
-ListenStream=9418
-Accept=true
-
-[Install]
-WantedBy=sockets.target

git.xinetd.in

@@ -8,7 +8,7 @@ service git
         socket_type     = stream
         wait            = no
         user            = nobody
-        server          = @GITEXECDIR@/git-daemon
+        server          = @GITCOREDIR@/git-daemon
         server_args     = --base-path=@BASE_PATH@ --export-all --user-path=public_git --syslog --inetd --verbose
         log_on_failure  += USERID
 }

git@.service.in

@@ -1,10 +0,0 @@
-[Unit]
-Description=Git Repositories Server Daemon
-Documentation=man:git-daemon(1)
-
-[Service]
-User=nobody
-ExecStart=-@GITEXECDIR@/git-daemon --base-path=@BASE_PATH@ --export-all \
-          --user-path=public_git --inetd --log-destination=stderr --verbose
-StandardInput=socket
-StandardError=journal

gpgkey-junio.asc

@@ -1,144 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQINBE6GdewBEADE3szNmKeUAUad22z1tWkLjLzyDcJpF7IzEnLs8bD1y0I6iqH0
-169ru5iXKn29wc+YAuxWorb4P5a2i2B/vs32hJy/rXE7dpvsAqlHLSGSDUJXiFzM
-Bb9SfJO0EY2r+vqzeQgSUmhp/b4dAXVnMATFM37V83H/mq8REl5Wwb2rxP3pcv6W
-F6i51+tPEWIUgo1N74QkR4wdLcPztDO9v7ZIaFKl+2GEGkx6Z+YjECTqQuyushjq
-41K3UVmv+AmLhJYKA78HY5KqCkXrz8rCgoi+Ih+ZT2sgjx637yT84Dr/QDh7BkIB
-blmpRQ+yoJlVDWI5/bI8rcdrPz+NmxaJ7dKEBg0qTclbwquacpwG1DCCD8NgQrwL
-WVLGVdsT2qwek+KkmOs+iNBXY1TgKPAeuv0ZDKKYrCwYpN1K90oXk431g79bKsH5
-8Tybg5uW+e2i+H5gnDeyl481HOt8aHOPu9qIB/zIek6lDH69q3nGcf7k3prxDf3I
-qYy6CPcpjTfpN4i/7gxQDNI+AIgbs21EE5Kg1TPUe0XgfdJMtIF+D6wTjbrLtDnn
-09Iwz0SfIZR52IrZHxUlFXZFjk10RXYATtdMqEFgYgjYvYXxL9EEr7T5Dgso+qaE
-wV0rrg0VDKrf/afrjGOeffumlhBhJnBnns1T+p65Vz5hyQl7SFKLw+Ix7wARAQAB
-tCJKdW5pbyBDIEhhbWFubyA8Z2l0c3RlckBwb2JveC5jb20+iQI7BBMBAgAlAhsD
-BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCToZ45QIZAQAKCRAg0E5acTZgp1TF
-EACr+QRpfDmbGnUY1Rqy50Ap1eG0061vAapCMLmU+4kxqIRKm5/00YGmb7VxRCLD
-pKNa0hkH+ftA4QmnPU4j4UEsh/vAa2BGCXRjB9RixTokvQf9iOXUGiHYv1kn+p3l
-xg66bLnKV3dWScjV2IueDP4ypLEZHlWD9I/Unmrg2mJEAcz4gSAfBHWLOf/+JYAq
-6j6erIxPS5ZtIz/twQf6MCoXXAXuM6tgUhdptJqG82WzSZMuWOfzmS6DSTuqK05h
-9gpwdj5nz4jdh4u5sp+LKOqFw94JIRcE+wj5cljOOlX3Fqi84ADC8b/OzC3V9KGa
-rNnBzWdnkIoNxbNBNF6wD1dgn1peueufaP9q5CO9ljKNSOGUClwvtJFrpZZL5Phe
-NNFFkPSZpkmStcB6s8RHsyz5zuqxQUOWuvLVUDRW58yZR0WC1Xc/yi+cEFSUiKI5
-OqPNwC1v0xh7a/MObJQxTQCEKHLyVYlnohsf2RxzxaOOjgWmY2O+yH5G5ymfBie/
-Uw7zcSsJ89ovLAEG/10tkJVqIfza5Wexj3VAZbI+i7vx2gtlLqM23gGykqcv7VWm
-FD5lFWGC4Sw8M7Jikm8vn99dxZnsBKjMqksjENUX1JeUZI+FHg2CNSVBX0J8yLnm
-d8eJBkYXkU79J3GVex/WTzbFnSkPmw16MtAu/E9EKNbAILQgSnVuaW8gQyBIYW1h
-bm8gPGp1bmlvQHBvYm94LmNvbT6JAjgEEwECACIFAk6GeL4CGwMGCwkIBwMCBhUI
-AgkKCwQWAgMBAh4BAheAAAoJECDQTlpxNmCn6GMQAJ0V0jmyQ7Lvi5FBBgNTdY8q
-fVbLFxEUVAsKf2x9QxhsOcL2heQRVkp10JKv4/VQLfDwr6Pv98FQchXlBmFiySAb
-VihUVC+VJ3FhyKBtI14RXT6Nkwd18PXDvWXy2fKeiK9GPDWkufac0h/giz0T1xP7
-CHxDErQATMmYbkinyyM+xd1Nir6DUYcHJQIK2Dg2VPChkI0XXCQETLDbrC9fDwWg
-1vP36PQZ+nw/cIRt+2xkq8HHUzB7kOnXHqPt1kb/Ry8hZwPnfV7g/V0MogoMLtz2
-33pqwuguLXP7zY3jTwAZZ9VTpuCTsdVWXJDlznMNurYi1yurCNuUvq/O/9JC8WBt
-dVUuvFZGjRZWfP24W57iq/qz8CV6dThq5r4WygE83tMC3DaarNJ4f9dQUA4KpL7j
-2EMXkgoXcEy1mieUCypdNiZj96hV8Q7apSLk2V4jtvLkJfzX053glqRJI35SX8Ok
-SazZGYZHX6QfZlvznnrCF5x/xBzhbfr2Geo4rxL0BQsp2DQodqUCB23QzsPhWWff
-YtkATaD5vovGeQ9Acd1u72jH3DO8tVMH85jMO4f+oc0h3lnkPS4F33QqlnErRo/I
-Rm6jCsI/NgMZUYdh0EY5Iiq/e8e+u8gdo0akkwHlNvR4KrYrK/1K4h+i+UBIbJDZ
-pqT/iH+yhJRQ3CAan8KStB9KdW5pbyBDIEhhbWFubyA8amNoQGdvb2dsZS5jb20+
-iQI4BBMBAgAiBQJOhnjVAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAg
-0E5acTZgp4SyD/9slQ1IkYqz+VXPnmHCQFhurYcHD8t1iGBqiXxI+gpA1Y3L1QL+
-aj0fplW4KuEPbJ7xlYdLA4J+M9kgkwt3Jufw+lM1pQM9tSB627rAbxUyczj4AFjZ
-9v8GpqyZ3XPDe8NknI/V4Xlhsr+e3AHJPr355XacMkFGc3Rtw1quFVgrECttdzUD
-6xtrhwYYVAYAnKr65943UtMLsVXkJLfjq8c1NZOCov9SwSb0N9IkEhSyihd/92Z2
-NH4d+B1QTIyWagL3GNN8LXXEHK+x+oA/nbhGbFg7bqhxUW4d2JaxKPy4U3nfdtSm
-Mbiy16eUfMbbMyvB0jtLf6UFrxF5bJnYkiG18DcLSaX7Hsby8IVzZQZHYvkx5+7p
-K2SBsdek3bu3punP3dWLJoMw+Vmm5Bk0Yl7pxzvsYQWhPV7+tpgglUSFQuIeXFrw
-jVXP8Q+Ph9nO0vKIaeTcn1ISuq2XaoqhkLH+Zw1I/ruRtk2DJbZsg5BBGfA26BkZ
-WJXlO6h33emPwkJ0FanlzRtMTqZ/4RiTXv5G1L/lypX1iq6fF2V+WTh2JmEKyY+2
-l0/19XRANfaDiYULoBvJEdCcIXLbaRTqjem+70ZGvAiCaGO52YvUhBo+XCgjucjc
-qhxiF3wc24kzj1ZycrwbDa7VjftZAApN01CJ38mXGpZXiWZU4hjJx41wCbkCDQRO
-iUo5ARAA8l5PToapmK0IHBpY5ohie53ZczLV5ojWKZXNsmVYNuSBBKpwC6VH2X85
-9dVd59HigAYsS1TbDCUNGC1bM0thJ9Y92fa1WnlEqyYQZDmJ4rt283DT2Gmrkng6
-XPjvr8PZeHKtvw7uLywfdm4x0WrGrH34g17BL82u/7k0JUOgJoPulIkO9Mls35UJ
-SY/Zwk1EdkM4hHKmqJFIiW/DlPYh0Tj5x9Sukk0ATH/R/QdtpjvwJJZyph6gMhbi
-YB+G+nR/WZy9vB+bFwPPaa0EudADoIZ9LkQzU/55KqNnKH9dPqPVWEOBZVZvPqiR
-iyRuffMIJ0t9mtvc/jruS1qiTZdJoy2vl6K4Uqc+huvlHeCCYR0lGCeDB+Ixuz9x
-d2ZdUxMgwgcNiQOCW70YWtxf0LF2seSJdLItHDBOu/f3cqKwNGUvcC3d/9qVb0wP
-SI1mq18S02MGcvDySsjGtX7o4kujUqE2ZNCW6ORLJUC6zEYu3TRNWrXeS3uAP21x
-UrEPkuTiJL7SCS12FYJt5agx5NIUKI7bkIUbLbiuhC4z47MFajW9Y5jUQk86dk7b
-jGqVrXYIu92Dhxc2CND2fWaMpYRhwvHR6KQU1yYHYkGVlMHiozM5D+4dCRRVI8x3
-p/+ypFBZmZr7yTpv/qD0N8HHl2NAYvGRQdzjyFQOXERwaXuzjCkAEQEAAYkEWwQY
-AQoAJgIbAhYhBJbgevJXcZVZgNrRACDQTlpxNmCnBQJeHMcfBQkenRjmAinBXSAE
-GQECAAYFAk6JSjkACgkQsLXohpav5sukpRAAywCaKmo0HH77yNkqormnKtRBrz8j
-tx68e//pq/AyCrghKUh91iLGYji3/E1qQe7p7Ne7WAn3uFZs22zrNKIDGxtMMCQT
-C0Ne4BAvMh1NzwzzBCCyirs1ccLj5gKkoFkKfTo5U5NWNznYPM8uib1uY5vdRqIJ
-2vJ7JJykNdcW5od42TtWsOxH2zTp4SRNmX8QPaRbfOxPdlKsbp0eIO6kk+Lx6gEv
-WAtEda5xSd1PwyK7SfGadTm+8Rw5UeP1kRtuKQPm7sRBB0coXDVHpFi/nMWHzVxv
-/NKhLAkzIbGOV6rL8ihVhXGqEgiD5Q+QdbaNsiLtHo5niBzpbnzvSopBYcOftrhc
-PNDY0RYXYb/5JZUid/JBWKwV+zREEnbgtsYDbwFEDnCVIGyXAoxyas/S3b14izat
-qgINxiYuxpDY+w1O5RywjOTdLPUWlL5YhH1W/gwbdyGiL4sh0v/fzNy0vKR5zPt1
-hICEA9YvCI7k3b74O6eiDB5fMIRPkNr6ubZWe0T6x4eL2EjSFRXIEmbmnAh93pdp
-WFrXH+Sf1LKhBZzojgUsQU/rzB2R94S7Vx0Z+tzgDZ8fJe47ZUEfzJccyyGve/QA
-sLLgTWRwRP3MSa1rC4wuWtDDMk/drw9CpmeFeRFn0oDIBo/m2mBv+UNAxSdijREz
-vPRiwROma/RawVcJECDQTlpxNmCnTLQP/A1WNmgPCCyFqp812Zvgh0pAqceaM+dg
-FlvNi5j5Jyw7/hicx2e0BXgKt64TEodphknCFzZIFDq3jJSdLt1l9NHpiLVM0Hf0
-cLFGF3eRHOID7PeGJGztLJ0CGhhSXaPh7nNLK0G9zXCAasedpowX4ZUntv+p/+Fr
-jQ8eSgyyljvrlywK+tH07F1W6t6eMNOw7/AHx7fkOux4CDem1FsNbhZWX8YPUATo
-vP1YLBXcrQgpJPpypG6up56D70ewTs4l+qNOISr3phG2egeEhYNwv6GUv8aelh69
-iaUHscT+DOXrFKq+RSHBMzGFFTrDJFDSu3d3A5Rg8KxJMcOxc00L3GMPchrFiJH7
-QShAQdU/ocF0MAA6n56g/QynxafFI/MRMXVTmF+lMBW/kK63pD3AJkIgvdLdht5o
-s7aKlddPrmIulaELIDdF2MSicMmgWJcqFkqZH2HIC+gx26Fafn2vfiUqsEc4NTpZ
-qhf66F9UjPKfYFfLhbGrmq/giAk1qjiGnBzCUQ9hXVqpmFfnVDjmQrk8KB9skDms
-PJgZ4hzmj5AarCpFtDmE4W7Tvi/xqgrFZkPX/SDhTWInJGcWaOTvlc5dkjAxKT6X
-LUGLScJHxhaovTGVzq1GWhhNCFhCs4AkWqPKhYfeZuWiuiMLZaEyJPfTufT7Svab
-pOhlaD1YY8fvuQINBE6GdewBEADxm56jO5pnVRH13BsG38o1qD9mJppXhf0mb6dB
-ORP1b3YJNaknQtxVPXSlXNAYNStYs9bWwn+RrYmOEfy0MWekqOBqgHDEf50ktZaz
-hFd89dt58IA+WIFo7BFk1XIr4USdSEQeL7Pb4oSg5AYn8C3OlT7T3nxWBh9aEbat
-EfiUMFKikLVVLdbEL7FBzEkypHfQCslDlq+ggAAVBzqrMIBn/idto87UrF2x/qd2
-P2PJl9pUf744pL9yzX+cNbQld0Yf6gQW9/r0UUW/CCU4qpPDvycyGIx3Y7PV/MjA
-lre4qJv4khoSFasAAjDXzyUIYhw7yMmaAE/lEOVN7M6reYDvhaDCcWfEn8sjH03/
-Wa92vVx7boMx5RAEh8YE2KZHEZkAODlW4pnDKyaH38lj8pa0dh77RXAD6X1XPGwi
-zpmjfrBBPGvUNGsdIpJaY4KEaZ0+v3bhvfU0DWB4dmJB3aPxC6CFtVA0QBGcbw16
-jUeA+2LUJgWMs86npHaPzD99J4Q+Smw9mZPfyT5O5yymYXOwIp50aUjkGCQcHtt7
-jisNkU52bFD2JcQJr8o67JIcqFNdhPAnxC+BN0QDtCyXT+wxC1Uvh9E//r3JPEQD
-REfEUb3l+3Sarz1KCm3LUhx1XE82Z6c96tHopUfiOiwbtxv+8UypXT2ntKfprz1U
-dMb5jwARAQABiQIfBBgBAgAJBQJOhnXsAhsMAAoJECDQTlpxNmCnFKYP/j6dmEQW
-ZliWE8le9Qzh1WqTbHd5elaGJuW0KGQ+g9okWBkh+sLlPxxTk2f0b79Pc7K3OPy7
-89OcIsrbHD3jDp7TS9IVpX7kVZnvnts5oV3XcK5q84XDEQqa6UIlfiZkZJCzIX8N
-kSAbv0UmmKKLKS+ANIEIZBKBrWxpYwvG2wBoWPkpNv5mdEuR9h3pZ1aCSZRXysMl
-WXo5cMYuZUhabrOqTNP5efEm8iBREHzNSotsiOhHuu7OIPmvZJTUjMrR1wZMCw+Y
-uNO2kT3t+ZFTxCx2aeRzqnI55LYFQVBpgSsap/seqRZfj7j7SBb2bSbCuhNedbAw
-b3kDWSfJGy/IN6vPdsc3NdsYFK+X8cnypCu4pZDK2IU+CkVrq/ukR8TNdrpAYfEY
-XbLq0XFOT0s4jIcjf3dAtlGW36hA0AKPw1BL3cyEGfv2sq75gkw1/jIYMXGc8URJ
-y5AfgELIrO1dIjMsm6vFFLeHpAobEP87UEpqIyJtwEIfWdcV5YHYmlFkGd21Lnxp
-f2dBAh5dc4MJpYmFZGScSDtTcYCDEXICTgedVOt4WCaV5mwpPeSEzr2TOVm6d1nU
-lGBJCV6QPMEdyx03hRkwaTMth0D/SYCvUrjlGQ1VC4WuTveSBhTH7iDrjGSoXNJu
-P2Oq+jb/iAfZxuetjpKFD6TCMR0Bcs/cEZuXuQINBFQduiABEACYnNg+kGmtkPmt
-kQ/75P8lLsljMk9IIwXGmnFILLpHBM/tN+7wGDxODLY/pPZ2Qfmp7PZLr5Ok5Qnt
-v/g+YCtVaTu5Cajt2TOsyH+AYDqtrjjHIt8d2kVloq79ONsCUojFtbFD1nf5W9Sk
-WQgntHYRYY1MaCkNd3oUp74TQugzk8Q6UBDamAn1r4nfm6QNXstItqyWsCgQhixW
-Qi4WzQc4iA/83t+qUJ+32smjk6J+rGUbbEH8zTASXmcDWYBuPgjo3YEjV+3/qNar
-zncYneJfQXwFSgvcR9oUuBQ3ydWJd7sfiImuAnQdRfEC/JFb0iR9sJ395Pw5WQfM
-Esrp0uL/Uig52mSrFyIfanxhrJP4j+CyCcJp1TaFINag5/YwHX3GzoikwXUukb+h
-KxXxK9Vu8Eu2gAlKFaHt2x5Sc3D1d+nr2QyMkIThC6/d3+XUjgOIMWkCK5dgkuz6
-rs60cRQr8YBGf4Jgk/Xrkk/SjBjBlcTz9lrC06wBRCsa+0XxCAHlM7gVp0HvMn+h
-Kx9ny7dPqaqhg8WXuBL0n8yAXXDSgDAin55mRbiKq2bNuMaEJvwKNFU6ENHGSngT
-w/Pt6B0dbeB1SBVxJPGbGmk74BL8m5V67Kb7MDP05OLSZsUyNLQCpfSgYsUA14uV
-GHE/vE6haP9/DwMLdyJ/CxSjQJMk+wARAQABiQRbBBgBCgAmAhsCFiEEluB68ldx
-lVmA2tEAINBOWnE2YKcFAl4cxyAFCRkIqP8CKcFdIAQZAQIABgUCVB26IAAKCRB1
-lO7Hs/fKyah/D/wJ3v4WdqGo7KgW0kmWfFVWZLKwtb+16gcy6nIm7F7VUcODv+qR
-LA/4UUg72yabVCXnMBi/eEHtkVZWlB/+tzg643DiRvXTCZiwoS5c6fTze55e/Z87
-qY7okf40aTR+qWuMgligI/LeXunr1Pu2jlJLMcUVh5QLxLZ8bDqpDgQM9zcdFmKQ
-/ofUnK7y6gYyUl2KYJDYi0alzjTm+73/S0Mc7z08Yp/s+dtKPbU9imKCnNRkPTQp
-cwlYHWJv0YPQ0TdOkid6HJC7CmZEPH845D+qojAjYBPogNIj/RaByaT3kN32zu8+
-jaZJSCnBM0l2lSh/qO7sQBZhqPX5pJDjjj7d/ATY7XxJCnK/2cZVSuVhMXPIFIAQ
-G4ZYFUaQssjQKLN7BXJUo7+ec1AMkTiwDUocPza8h+fitcpOsWWJWWvZvkSObbuP
-KGn7BgoTzEehO2Rz0QsNjgOa5SXxmc0zX7sbB1XiMxSe7gBZBOnYjhPVcidO3tWu
-M/jXGfZAL9ISq6Zf47ebXA7Y+6Bx3oquMgtSN10gbdoJvjqEBJNN65wadvBP8+Sr
-L+nWRGhsfmu8jupXdJe8h8ysXCboVkpXHuSu+lDjeL9WLqpwc/XkaOy7B6PfwIRa
-YYHnsKs8ogvDuTRJPV4khizyt+A6aiQ1PQqxSKWGY+lzxbmBkPhp5v1N5wkQINBO
-WnE2YKdkRQ//ZKvUegOZTtfivAZI888o4Ocpig3CFxJGlXa52JUnDhYFFpRtXRTP
-gIdQ0zBvhNjmBnELNv5/D1ubnjqWBTaJpZgUXIljJufuWL7VdD57nAAMw2VLvNUe
-38iytUYTAPevaJtLQ4jfj3E9MYH4tcMBmlZ75ZKqiHHH+7+V5J8TD/S01xROK7H1
-kGkXo49deB7K9oT4uno8kE5+AgmEMI80XiKjfQkh6tiG5I0W58DLeAOIxCRkm3kH
-Bi22PpuAKhRelRQnAF9dLdlhZECy5eYl7JKQzOS/dQ0Z3zg+HuDBRyhrmV/go/9C
-npFGUZBa+FOC1GMO07GKH8tZY99D5tDCAH6r6S+RrYS690mWpjXhqouBtJezld+X
-dsgKwgKHk3IEM4m916O0E75kiNk/AD7vZowwEBvPsgN+CDXCPgH4J5x0p9uyxnKH
-omLBd7cuJpio6gf4O1KTl1tlVGcb8f+AUR/MIe70NXyEtpYWMiPW3/0dKwt9APgW
-KSX0c8Mp2XKH/vAEDx86XTfBNrnXyUanOQhbLQciYzolJjiPrB0C2NgFFFXSHPwC
-ikyT5n2RehAJVmg3eufB1ZOKQgo7ue3ynkW4JidgyCUtsoYSmipl9Nhw1hA3ZNK1
-FVCx7tcmy0ZHFO+PV+p17oAC8ZCxSRE0oTeHKcgpF5+DRhQM/+UnmKg=
-=7hTI
------END PGP PUBLIC KEY BLOCK-----

print-failed-test-output

@@ -1,26 +0,0 @@
-#!/bin/bash
-
-shopt -s failglob
-
-# Print output from failing tests
-printf -v sep "%0.s-" {1..80}
-for exit_file in t/test-results/*.exit; do
-    [ "$(< "$exit_file")" -eq 0 ] && continue
-    out_file="${exit_file%exit}out"
-    printf '\n%s\n%s\n%s\n' "$sep" "$out_file" "$sep"
-    cat "$out_file"
-done
-
-# tar up test-results & $testdir, then print base64 encoded output
-#
-# copy $testdir contents to test-results to avoid absolute paths with tar
-cp -a $testdir/* t/test-results/
-begin='-----BEGIN BASE64 MESSAGE-----'
-end='-----END BASE64 MESSAGE-----'
-printf '\n%s\n' 'test-results and trash directory output follows; decode via:'
-printf '%s\n' "sed -n '/^${begin}$/,/^${end}$/{/^${begin}$/!{/^${end}$/!p}}' build.log | base64 -d >output.tar.zst"
-printf '%s\n' "$begin"
-tar -C t -cf - test-results/ | zstdmt -17 | base64
-printf '%s\n' "$end"
-
-exit 1

sources

@@ -1,2 +1,3 @@
-SHA512 (git-2.52.0.tar.xz) = 965e5ebb72d1f080d64e34bdb75f0bb1689c9dd41dcf63b020d986bad49808ac09bfb1115962bc0c5b95bac8622367ac4cd09aa89266f73d2137fe94c90dd3ed
-SHA512 (git-2.52.0.tar.sign) = a5a68ce131a5763650c477ec01a4de958dd6a946bdea0f613e26bdab41d2df6b3ca63f9028bbe603bf0c834bd415c86e6c616b1ff08cc48aa7c3c61a37b24b74
+c529f6d4f1bf01fb919cb576c0dd58ae  git-1.8.2.3.tar.xz
+c4e9d1c84880ae60dcc32e140cfba2d2  git-htmldocs-1.8.2.3.tar.gz
+891481ec6ecd9ee530701378e5b61d3f  git-manpages-1.8.2.3.tar.gz